Authentication: Verifies that you are who you say you are. It enforces that you are the only one allowed to log on to your Internet banking account.
Authorization: Allows only you to manipulate your resources, and only in specific ways. This prevents you from increasing the balance of your own account or deleting a bill.
Encryption: Deals with information hiding. It ensures that you cannot spy on other people's Internet banking transactions.
Auditing: Keeps a record of operations. Merchants use audit records to prove that you bought a specific item.
THREATS
These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
VULNERABILITIES
These make a system more prone to attack by a threat, or make an attack more likely to succeed or to have an impact.
- keeping passwords secure
- changing the passwords for administrative (root) access to the system often
- granting employees only the most limited access they need
- having procedures in place to revoke privileges when employees leave the company
Step 1: Identify security threats and risks in the organization.
Step 2: Prepare specific organizational requirements and controls.
Step 3: Quantitative and qualitative approach.
Case: Assume that John wants to buy some CDs from an online shop called MusicPlus.
(a) How should John encrypt the information and send it via the Internet so that it reaches MusicPlus securely?
- To send information securely to MusicPlus online, John must provide a digital certificate and encrypt the information that will be sent using asymmetric encryption, which provides a private key (for the owner/sender) and a public key (for the receiver).
(b) How can MusicPlus ensure that the information received was not altered during transmission?
- To ensure that the information has not been altered, MusicPlus must (1) verify the digital certificate, for example using Microsoft Internet Explorer, which uses Authenticode technology to verify that the program has a valid certificate, and (2) try to call the customer for further verification and to confirm the transaction.
What are the differences between a key distribution centre and a certification authority?
- A key distribution centre simply identifies the key of the owner/sender of the encrypted message.
- A certification authority just authenticates the encrypted message by providing a digital certificate.
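The three mechanisms the case and the last question touch on, confidentiality for (a), integrity checking for (b), and a certification authority binding a name to a public key, as one added worked example that is not part of the original post. It uses textbook RSA over constructed Mersenne-prime keys; the key pairs for John, MusicPlus and the CA, the order text, the certificate format and the two tampering cases are all constructed here. It shows the standard key roles: the order is encrypted with the receiver's (MusicPlus's) public key so only MusicPlus can decrypt it, signed over a SHA-256 digest with the sender's (John's) private key so any alteration breaks the signature, and John's public key is presented in a certificate signed by the CA so MusicPlus can check whose key it is before trusting the signature.

```python
import hashlib

# Constructed toy key material: Mersenne primes, so the arithmetic is real RSA
# but the moduli are far too small (and unpadded) for any real use.
MUSICPLUS_PRIMES = (2**127 - 1, 2**107 - 1)   # receiver's key pair, n ~ 2^234
JOHN_PRIMES = (2**521 - 1, 2**89 - 1)          # sender's key pair, n ~ 2^610
CA_PRIMES = (2**607 - 1, 2**61 - 1)            # certification authority, n ~ 2^668
CHUNK = 27  # plaintext bytes per RSA block: 0x01 prefix + 27 bytes < 2^217 < n_receiver


def generate_keypair(p, q, e=65537):
    """Textbook RSA key generation. Returns (public, private) as (exponent, modulus)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if e and phi share a factor
    return (e, n), (d, n)


def encrypt(plaintext: bytes, receiver_public) -> list:
    """Confidentiality: only the holder of the matching private key can read the blocks."""
    e, n = receiver_public
    blocks = []
    for i in range(0, len(plaintext), CHUNK):
        block = b"\x01" + plaintext[i:i + CHUNK]  # 0x01 prefix keeps leading zero bytes intact
        blocks.append(pow(int.from_bytes(block, "big"), e, n))
    return blocks


def decrypt(blocks, receiver_private) -> bytes:
    d, n = receiver_private
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        block = m.to_bytes((m.bit_length() + 7) // 8, "big")
        out += block[1:]  # drop the 0x01 prefix
    return out


def sign(message: bytes, signer_private) -> int:
    """Integrity and origin: the SHA-256 digest raised to the signer's private exponent."""
    d, n = signer_private
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(message: bytes, signature: int, signer_public) -> bool:
    e, n = signer_public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def issue_certificate(subject: str, subject_public, ca_private) -> dict:
    """The CA binds a name to a public key by signing the encoded (name, e, n)."""
    e, n = subject_public
    body = f"{subject}|{e}|{n}".encode()
    return {"subject": subject, "public": subject_public, "signature": sign(body, ca_private)}


def verify_certificate(cert: dict, ca_public) -> bool:
    e, n = cert["public"]
    body = f"{cert['subject']}|{e}|{n}".encode()
    return verify(body, cert["signature"], ca_public)


def run_order_exchange(order: bytes, tamper_order=False, tamper_cert=False) -> dict:
    """John -> MusicPlus, with optional constructed attacks on the way."""
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    mp_pub, mp_priv = generate_keypair(*MUSICPLUS_PRIMES)
    john_pub, john_priv = generate_keypair(*JOHN_PRIMES)
    john_cert = issue_certificate("John", john_pub, ca_priv)

    # John's side: sign with his own private key, encrypt with MusicPlus's public key.
    signature = sign(order, john_priv)
    ciphertext = encrypt(order, mp_pub)

    # In transit (constructed): a flipped ciphertext bit, or a swapped-in public key
    # that the CA never certified.
    if tamper_order:
        ciphertext[0] ^= 1
    if tamper_cert:
        john_cert = dict(john_cert, public=mp_pub)

    # MusicPlus's side: decrypt with its private key, check the certificate against
    # the CA's public key, and only then check John's signature on what was received.
    received = decrypt(ciphertext, mp_priv)
    cert_ok = verify_certificate(john_cert, ca_pub)
    signature_ok = cert_ok and verify(received, signature, john_cert["public"])
    return {"received": received, "cert_ok": cert_ok, "signature_ok": signature_ok}


if __name__ == "__main__":
    print(run_order_exchange(b"Order: 1 x CD 'Greatest Hits', ship to John"))
    print(run_order_exchange(b"Order: 1 x CD", tamper_order=True))
    print(run_order_exchange(b"Order: 1 x CD", tamper_cert=True))
```

The certificate check is what lets MusicPlus tell John's key from an impostor's; the signature check then tells whether the order it decrypted is the one John signed. Real deployments use a vetted library with OAEP and PSS padding and much larger keys; the bare modular exponentiation here is only to make the key roles visible.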