INTEGRATING PASSPHRASES AS AN AUTHENTICATION
MECHANISM IN E-COMMERCE.
BY
SANDRA YUCABETT A. ODERA
UNITED STATES INTERNATIONAL UNIVERSITY- AFRICA
FALL 2016
ID. 642029
A Project Submitted to the School of Science and Technology in Partial Fulfillment of the
Requirement for the Degree of Master of Science in Information Systems and Technology.
STUDENT’S DECLARATION
I, Sandra Yucabett A. Odera, declare that this is my original work and has not been submitted to
any other college, institution or university other than the United States International University in
Nairobi for academic credit.
Signed ____________________________ Date _______________________________
Sandra Yucabett A. Odera Adm. No: 642029
This project has been presented for examination with my approval as the appointed supervisor.
Signed ____________________________ Date _______________________________
Joshua Rumo A. Ndiege, PhD.
Signed ____________________________ Date _______________________________
Dean, School of Science and Technology
COPYRIGHT
All rights reserved. No part of this dissertation report may be photocopied, recorded or otherwise
reproduced, stored in retrieval system or transmitted in any electronic or mechanical means
without prior permission of USIU-Africa or the author.
Sandra Yucabett A. Odera © 2016.
Abstract
E-commerce has drastically changed the way business transactions are conducted, prompting banks and other businesses to adopt electronic payment systems. It not only offers the banking industry and other businesses a great opportunity, but also creates risks and vulnerabilities. A number of studies continue to show that information security is an essential management and technical requirement for efficient payment transactions over the internet. This study sought to contribute to the development of a secure e-commerce system by employing passphrases. Passphrases matter for e-commerce security because they are hard to crack: exhaustive search becomes impractical for even highly efficient password cracking tools at around 10 characters, and a passphrase is normally far longer than that. It is therefore difficult to guess, brute-force or pre-compute passphrases.
The main objective of this research was to address security issues of password-based authentication in e-commerce websites, in particular password cracking. The research set out to design a system able to mitigate password guessing and brute-force attacks, since passphrases are longer than passwords and allow characters such as the space. Following a detailed systematic literature review, and using design science as the research design, a passphrase system was developed on an Object Oriented Programming (OOP) approach, using PHP as the coding language with a MySQL database engine at the backend. A prototype was developed and its validity tested by security experts for credibility. Expert feedback was incorporated to enhance the security measures put in place for online transactions. The researcher used focus group discussions to collect data and feedback from the participants; they were asked questions during the focus group discussions and gave feedback that was used to improve the prototype. Convenience sampling was used due to time and cost constraints. A sample of 7 security experts was drawn from the ICT department of Jhpiego Corporation, from a population of 20. Thematic analysis was used to analyze the data: codes were developed to represent the identified themes and applied to the raw data as summary markers for later analysis.
It is recommended that passphrases be user-selected, since these have better usability than system-generated secrets. Users should also exercise extreme caution when writing down or storing passphrases. The passphrase policy should contain composition rules and recommendations such as minimum length, character variation and avoidance of dictionary and pop culture phrases. More research should be carried out on how best passphrases can be implemented not only in e-commerce websites but also in other systems that require a high level of confidentiality.
The results of this study will benefit e-commerce website owners, since this enhanced security measure will give shoppers more confidence as they transact online.
ACKNOWLEDGEMENT
This project would not have been possible without the guidance, help and support of many great people. First, I would like to give thanks to the almighty God for giving me the patience, determination and ability to complete this project. Without Him, I could not have come this far. I would like to thank my supervisor Dr. Joshua Rumo for his support and guidance throughout the writing of this project. I greatly appreciate his countless hours of supervision and reading through drafts of my research proposal and final project. Without his guidance, this project would never have been completed. My appreciation goes to all my lecturers who prepared me for this study. I thank Charity Wanjiru, Eric Githaiga and all my classmates for their encouragement and discussions at various stages of the study. Special thanks go to my parents, Bonn and Dorothy Jonyo, who supported me financially and also gave me necessary advice, and to my brothers, Elvis and Austin, who gave me technical assistance during system development. Lastly, I thank my colleagues Martin Simiyu, Lawrence Kimani and other Jhpiego IT staff who helped me during the data collection, whom I interviewed and who filled in the questionnaires. God bless you all!
DEDICATION
I dedicate this project to my father Bonn Odera Jonyo and my mother Dr. Dorothy Akinyi Jonyo
who inspired me to grow and gave me all the support, the thirst for knowledge and encouragement
throughout my studies. I also thank my siblings Elvis Jonyo and Austin Odera for believing in me
and giving their inputs to my project all through. God bless you.
TABLE OF CONTENTS
STUDENT’S DECLARATION
COPYRIGHT
Abstract
ACKNOWLEDGEMENT
DEDICATION
TABLE OF CONTENTS
LIST OF ABBREVIATIONS
CHAPTER ONE
1.1 Background of the Problem
1.2 Statement of the Problem
1.3 Purpose of the Study
1.4 Objectives of the Study
1.5 Justification of the Study
1.6 Scope of the Study
1.7 Limitations of the Study
1.8 Definition of Terms
1.9 Chapter Summary
CHAPTER TWO
2.0 LITERATURE REVIEW
2.1 Introduction
2.2 Key Trends in e-commerce
2.2.1 E-commerce Studies in Kenya
2.3 Password Based Authentication Mechanisms
2.3.1 Security Concerns for Password Based Authentication Mechanisms
2.4 Passphrase based Authentication Mechanisms
2.4.1 Passphrase Creation Strategies
2.4.1.1 Using the Diceware
2.4.1.2 Modified Diceware Method
2.4.2 Attempts to Crack Passphrases
2.5 Existing Passphrase Based Authentication Systems
2.4.3 Why Passphrases are friendlier than Passwords
2.6 Chapter Summary
CHAPTER THREE
3.0 RESEARCH METHODOLOGY
3.1 Introduction
3.2 Research Design
3.3 Population and Sampling Design
3.4 Data Collection Methods
3.5 Data Analysis Methods
3.6 Ethical considerations in research
3.7 Chapter summary
CHAPTER FOUR
4.0 IMPLEMENTATION
4.1 Introduction
4.2 Analysis
4.3 Modelling and Design
4.4 Proof of Concept
4.5 System Testing
4.5.1 General Tests
4.5.2 Error Tests
4.5.3 Database Tests
4.5.4 Security Tests
4.6 System implementation
4.6.1 Current System Description
4.7 Screenshots of the system
CHAPTER FIVE
5.0 RESULTS AND FINDINGS
5.1 Feedback from security experts
5.2 Challenges of password based authentication mechanisms
5.3 Determining use of passphrases challenges
5.4 Implementing a passphrase system
CHAPTER SIX
6.0 DISCUSSIONS, CONCLUSIONS AND RECOMMENDATIONS
6.1 DISCUSSIONS
6.2 Conclusion
6.3 Recommendations
REFERENCES
APPENDIX A: CONSENT FORM
APPENDIX B: QUESTIONNAIRE
APPENDIX C: SOURCE CODE
LIST OF FIGURES
Figure 2.1: Share of B2C websites in the European Union: 2014
Figure 2.2: Diceware passphrase wordlist
Figure 3.1: Research process flow diagram
Figure 4.1: Prototype model
Figure 4.2: Flow Chart Diagram for proposed system
Figure 4.3: ERD Diagram for the Proposed System
Figure 4.4: Use Case diagram for the Proposed System
Figure 4.5: Screenshots of Error Tests
Figure 4.6: Database Screenshot
Figure 4.7: Home page screenshot
Figure 4.8: Screenshot of passphrase
Figure 4.9: Screenshot of passphrase
Figure 4.10: Registration page
Figure 4.11: Catalogue page
LIST OF TABLES
Table 3.1: Research Design Steps and Application to Study
Table 3.2: Advantages and Disadvantages of Focus Group
Table 5.1: Profile of Focus Group Participants
Table 5.2: Feedback from Experts
LIST OF ABBREVIATIONS
ATM Automated Teller Machine
CEH Certified Ethical Hacker
CISM Certified Information Security Manager
CISSP Certified Information Systems Security Professional
CCK Communications Commission of Kenya
EDGE Enhanced Data Rates for GSM Evolution
ICT Information and Communication Technology
IT Information Technology
PCs Personal Computers
SMBs Small and Medium Size Businesses
UNCTAD United Nations Conference on Trade and Development
CHAPTER ONE
INTRODUCTION
1.1 Background of the Problem
In the age of faceless e-commerce, authentication provides crucial online identity. Identity and authentication are vital concepts in every marketplace (Sinan & Sahin, 2010). In traditional commerce, physical credentials such as a business license or letter of credit were relied on to prove identities. Sinan and Sahin (2010) describe e-commerce as the use of telecommunications and computers to facilitate the trade of goods and services. It is also referred to as a wide range of online business activities for products and services, and is always associated with buying and selling over the internet (Zorayda, 2003). Authentication and security technology supports e-commerce transactions and provides transaction security for e-commerce applications. Information is a critical asset to any business and it is important to ensure the integrity and safety of this information. The data received should come from a trustworthy source and one should be able to identify who he or she is dealing with. Authentication can help establish trust between the parties involved in a transaction (Thwarte, 2012).
According to Cazier and Dawn (2011), the internet continues to grow at an ever-increasing rate, and secure e-commerce transactions are becoming a necessity for both consumers and businesses. Despite advances in security technology, passwords still play a central role in system security. They are ubiquitous, most users understand how to use them, system administrators are very familiar with how they operate, and many robust frameworks exist that simplify password deployment. The problem with passwords is that all too often they are the easiest security mechanism to defeat. White and Shaw (2014) argue that much of the formal research has focused on alternatives to password-based mechanisms, which has forced administrators to use ad-hoc methods to improve password security.
A report by Merchant (2014) on the illusion of personal data security in e-commerce ranked the password policies of the top 100 e-retailers. He assessed the password policies of the top 100 e-commerce sites in the US against 24 different password criteria identified as important to online security, awarding points depending on whether a site met each criterion. Each criterion carries a positive or negative point value, giving a possible total score between -100 and 100 for each site. The key findings were: 55% still accept notoriously weak passwords such as “123456” or “password”, and 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma). 61% of the websites do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment (Merchant, 2014). These findings suggest that some of the top e-commerce sites in the US fail to implement basic password policies that could adequately protect their users’ personal data.
Passphrases are an example of an alternative mechanism that would strengthen password-based authentication. According to Payne and Edwards (2008), the first attempt to design a user authentication system around usability was by Sigmund Porter in 1982. Porter argued that passphrases were more usable because they are more memorable, especially compared to system-generated passwords. Additionally, they are longer than passwords (20-40 characters or more) and so offer a larger key space and thus more security. While longer, passphrases tend to be easier to remember because of their language structure. Unlike a single-word password, the phrase used as a passphrase can communicate or contain a special meaning; a user-chosen passphrase can therefore have a personal meaning to the individual, which improves its memorability and hence its usability (Payne & Edwards, 2008).
According to Bonk (2014), the security level of passphrases is closely related to the policy that guided the user during creation. Users tend to pick passphrases that are already well known, such as movie quotes, titles, song lyrics and other pop culture sources. Passphrases nevertheless have the potential to be much more random than passwords: the total space an attacker must enumerate to cover the majority of passphrases is much larger than for passwords. If users are given good passphrase creation policies, passphrases have the potential to be very secure.
Passphrases have been adopted by a few organisations globally. For instance, Buckinghamshire New University adopted passphrases and developed a user authentication and passphrase policy. All Bucks New University service users, including contractors and vendors with access to systems, are responsible for taking appropriate steps to select and secure their passphrases, since a poorly chosen passphrase may result in compromise of the entire university network. Passphrases must be changed on a regular basis: administrator and student passphrases every 90 days, and employee passphrases every 120 days. All user-level and system-level passphrases must conform to the guidelines set by the university (Buckinghamshire New University, 2015). In Africa, passphrases have been used in countries such as South Africa. Vodacom, a mobile operator in South Africa, has introduced a voice password for customers using the My Vodacom app: instead of a string of security questions and lengthy PINs, the app uses voice biometrics so that customers can speak a simple passphrase to verify their identity (Craig & Crouse, 2006).
Password security research has increased dramatically over the past 20 years (Ives & Walsh, 2004). Despite increased awareness of password protection, password vulnerabilities remain significant. Many current e-commerce sites grant access to both data and the networked system through passwords. The increased use of passwords and logins has revealed several issues associated with users’ difficulty in creating and remembering passwords. For most e-commerce sites, consumers are responsible for creating their own passwords and often do so without guidance from the system administrator. Most customers do not create long or complicated passwords because these would be difficult to remember. Cazier and Dawn (2011) add that many of the deficiencies of password authentication systems arise from the limitations of human cognitive ability. The goal of this project is to mitigate password-based authentication problems through the use of passphrases.
1.2 Statement of the Problem
In today’s e-commerce environment, where more users are participating in online shopping, banking and other electronic transactions, it is much easier for hackers to gain entry into networked systems than one would think (Cazier & Dawn, 2011). Password-based authentication mechanisms have several disadvantages that may compromise the security of e-commerce websites (Cazier & Dawn, 2011), yet many systems are designed such that security relies entirely on a secret password. Cheswick and Bellovin (2011) point out that weak passwords are the most common cause of system break-ins.
Passwords are vulnerable to dictionary attacks: the attacker takes a list of dictionary words, runs each through the hashing algorithm used to store the passwords and looks for matches against the stolen hashes. Dictionary lists are built from a text file of common words and fed to an automated program. In the online variant, the program repeatedly attempts to log on to the target system, using a different word from the text file on each attempt. System-generated passwords, a technique meant to strengthen passwords, are hard for the user to remember, and if they are short they can still be exhausted by brute force. When users write these complex passwords down on paper, they create a loophole, since a malicious person can steal the paper and access the system easily. A further concern is that passwords which are hard for humans to remember may still be easy for computers to guess. Tools such as Brutus automate this online guessing against login services.
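The following Python example, added here and not taken from the study, mirrors the attack just described against a constructed set of unsalted SHA-256 hashes: a wordlist attack recovers a single dictionary word in a handful of attempts, the same attack extended to multi-word phrases grows exponentially with the number of words, and the last two helpers put numbers on that growth. The wordlist, hashes and guess rate are constructed. Real password storage should use a salted, slow hash such as bcrypt or Argon2, which lowers the attacker’s guess rate; the size of the search space, which grows with phrase length, is what makes exhaustion infeasible.

```python
import hashlib
import itertools
import math

# Constructed wordlist standing in for the text file a dictionary attack reads;
# a real list has millions of entries.
WORDLIST = ["password", "letmein", "welcome", "monkey",
            "dragon", "sunshine", "qwerty", "football"]


def hash_password(secret: str) -> str:
    """Unsalted SHA-256: the weak storage scheme the attack in the text assumes."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Hash each wordlist entry and compare it with the stolen hash.

    Returns (recovered_word, attempts), or (None, attempts) once the list is exhausted.
    """
    attempts = 0
    for word in wordlist:
        attempts += 1
        if hash_password(word) == target_hash:
            return word, attempts
    return None, attempts


def multiword_attack(target_hash: str, wordlist, max_words: int, sep: str = " "):
    """Extend the dictionary attack to space-separated phrases of 1..max_words words.

    The candidate count is sum(len(wordlist) ** n for n in 1..max_words), so each
    extra word multiplies the work by the dictionary size.
    """
    attempts = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            attempts += 1
            candidate = sep.join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def search_space_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of a phrase of `words` words drawn uniformly from the dictionary."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Single dictionary word: recovered after a few hashes.
    print(dictionary_attack(hash_password("dragon"), WORDLIST))
    # Two words from the same list: still found, but 8 + 8*8 candidates now exist.
    print(multiword_attack(hash_password("monkey dragon"), WORDLIST, max_words=2))
    # Five words from a 7776-word Diceware list at a constructed 1e10 guesses/s.
    bits = search_space_bits(7776, 5)
    print(f"{bits:.1f} bits, about {seconds_to_exhaust(bits, 1e10) / 86400:.0f} days")
```

Run stand-alone, the script shows the eight-word list being beaten in five attempts, the two-word phrase in 37, and a five-word Diceware phrase costing roughly 64.6 bits, which at the assumed rate is measured in days rather than seconds; adding a sixth word multiplies that by another 7776.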
It is therefore important to put in place more secure authentication mechanisms in the e-commerce industry (Merchant, 2014). The proposed system will mitigate one major challenge of password-based authentication, namely password cracking. Passphrases are more memorable and more secure than traditional passwords (Bonk, 2014). Studies have examined the advantages and disadvantages of passphrases in terms of security; however, this has not been translated into the e-commerce industry. This study sought to develop a secure e-commerce system through the use of passphrases.
1.3 Purpose of the Study
The purpose of the study was to create a secure authentication mechanism that would be integrated
in e-commerce websites. This study proposed the use of passphrases as a security measure when
users engage in online transactions.
1.4 Objectives of the Study.
The research objectives in this study were:
1. To identify the challenges experienced when using password based authentication
mechanisms.
2. To determine how passphrases can be used to address password based authentication
challenges through implementation of passphrase policies.
3. To implement a passphrase system that will be integrated in ecommerce websites.
1.5 Justification of the Study
The study aims to provide a more secure authentication mechanism that would enhance e-commerce security by reducing the success of dictionary and brute-force attacks. The study also contributes to a better understanding of the importance of securing e-commerce systems when conducting online transactions, as well as proposing a system that can be adopted. E-commerce website owners and their users can refer to the written literature on the importance of e-commerce security and adopt the proposed system to improve security.
1.6 Scope of the Study
The study was conducted within the e-commerce environment. It looked into existing technologies for securing e-commerce transactions, their gaps and challenges, and solutions for those challenges. The study primarily focuses on employing passphrases to secure e-commerce systems.
1.7 Limitations of the Study
There are aspects that can easily influence the results negatively. Some data may be outdated, since data published on the internet becomes outdated very quickly as the industry changes. Data collected through secondary research may not reflect current happenings exactly, but can be used effectively in time-series analysis to identify historical patterns and trend cycles and to forecast future developments. Some researchers may also be biased, which would compromise the reliability and validity of the data; this can be corrected by comparing different authors’ views on the same topic. Because e-commerce security is important, the research will strive to find out what can be done to improve the security controls in place.
1.8 Definition of Terms
Authentication- The process of determining that the person requesting a resource is the one he or she claims to be. It provides access control and user accountability (Kumar & Bilandi, 2014).
Brutus- An online brute-force password cracker used to attack File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP) and Telnet logins.
E-commerce- A wide range of online business activities for products and services; always associated with buying and selling over the internet (Zorayda, 2003).
Human cognitive ability- A selection method used to test the knowledge and capabilities of a person (Bonk, 2014).
Passphrases- An enhancement of passwords, superior to passwords both in terms of usability and security strength (Andersson & Saeden, 2013).
Passwords- An unspaced sequence of characters used to access a computer system or network. They are used for authentication, validation and verification in e-commerce (Cazier & Dawn, 2011).
1.9 Chapter Summary
This chapter gave an overview of the study, with an introduction to e-commerce and some of the security concerns of passwords. The problem statement, background and justification of the study were also discussed. The project has three main objectives that must be fully understood if they are to be achieved. In the next chapter, the literature review that provides the theoretical base for this study is presented; the problem content and the themes under which the literature was reviewed are discussed in detail.
CHAPTER TWO
2.0 LITERATURE REVIEW
2.1 Introduction
The purpose of this chapter is to review the literature related to the problem content. The themes under which the literature is reviewed are: key trends in e-commerce; challenges of password-based authentication; and techniques used to create passphrases. The chapter ends with a summary.
2.2 Key Trends in e-commerce.
According to Quinn, Biondi and Penmetcha (2014), the United States has experienced high e-commerce growth rates and is one of the fastest-growing and most promising areas for businesses that want to expand to international markets. Growth in markets like the U.K., Japan and Western Europe is slowing to make way for emerging markets in Latin America, Eastern Europe and Asia Pacific, which has had the strongest market base over the past three years. The global e-commerce industry saw impressive growth in 2014, with goods and services worth $1.5 trillion purchased by online shoppers via tablets, smartphones and other smart devices. Advertisers are now spending more of their marketing budgets on internet advertising; this expenditure was anticipated to surpass $160 billion in 2015, of which more than $58 billion would be spent on display advertising (Criteo, 2015).
It is essential to have an adequate legal environment in order to create trust online and to secure
electronic interactions between enterprises, consumers and public authorities. United Nations
Conference on Trade and Development (UNCTAD) research shows that the availability of relevant
laws in four legal areas that are essential for increasing users' confidence in e-commerce (e-
transaction laws, consumer protection, privacy and data protection, and cybercrime) is generally
high in developed countries, but inadequate in many other parts of the world (UNCTAD, 2015).
A report from UNCTAD (2016) shows the share of business-to-customer (B2C) websites in the
European Union in 2014, and security concerns in New Zealand in 2012:
Figure 2.1 Share of B2C websites in the European Union: 2014 (bar chart by member state: Denmark,
Sweden, Netherlands, Germany, Lithuania, Slovenia, Belgium, Ireland, Austria, Croatia, Estonia,
Finland, Slovakia, Malta, Hungary, France, Poland, Luxembourg, Spain, Romania, Latvia)
Source: UNCTAD (2016)
The Vantiv (2016) report mentions things to watch out for in 2016:
Small and Medium Sized Businesses (SMBs) will be at the greatest risk for fraud. Currently,
71 percent of cyber-attacks are targeted toward small businesses, according to a Trustwave
report, and this is expected to grow as Europay, MasterCard and Visa (EMV) takes a firmer
hold. To mitigate these attacks, SMBs will need to focus on ensuring that all customer data
is encrypted and thus more secure throughout the transaction process.
Customers will prefer security over simplicity: in 2015, more than 178 million consumer
records were lost or stolen, according to a credit.com report (Vantiv, 2016). This drove
consumers to be more conscious about where they share their personal information.
Customers will be willing to accept some extra steps during the checkout process in return
for higher security. With that in mind, e-commerce merchants who do not meet these
expectations are anticipated to begin losing business. They will need to build security
tactics into their payment acceptance strategies to plan for cyber-attacks, keeping in mind
the value consumers place on security.
2.2.1 E-commerce Studies in Kenya
Gikandi and Bloor (2010) conducted a study to investigate factors that inhibit e-commerce
adoption in Kenya. The findings were: a lack of resources, which has caused banks to resort to
alliances in order to pool resources; constant change in technology and the time available for
system development; lack of internet accessibility for most people, especially in rural areas; and
the introduction of online banking, which brought risks requiring new risk management
strategies, including Internet security, customer and legal related issues. The study also
emphasised the need for the Kenyan Government to establish a secure environment for e-banking
activities.
Kaburia (2004) looked into the alternative online payments that existed in Kenya and the world. The
objectives of the study were to find out whether the lack of suitable online payment alternatives in
Kenya was a barrier to organizations and their customers, and to examine the challenges faced by
providers and consumers of e-Payment and e-commerce services in Kenya. It found that the lack of
such payment alternatives was an impediment to the growth of e-commerce in Kenya.
Many researchers conclude that firms in developing countries can increase and improve their
performance, especially in international trade, by using e-commerce. This is because it increases
the availability of relevant and timely information and reduces transaction costs and time, which
improves developing countries' access to international markets. They are therefore expected to
invest in e-commerce, especially for distant customers and suppliers (Kinyanjui & McCormick,
2002).
Kanyaru and Kyalo (2015) state that e-commerce platforms are rapidly increasing in Kenya and
that appropriate security measures need to be put in place to ensure the confidentiality and
integrity of sensitive information. They make the following recommendations for organizations
operating e-commerce platforms in Nairobi. First, there is a need for enterprise risk management
and governance for e-commerce platforms: organizations need to identify and address threats
related to protecting sensitive data in e-commerce transactions, and should also focus on
governing and managing enterprise risks related to confidential data in e-commerce transactions.
Organizations need to perform internal and external audits to establish assurance that the risk
management activities associated with the security of e-commerce transactions are guided by best
practices. There should be robust data security and information management in e-commerce
transactions. Encryption is also necessary to ensure the integrity of sensitive information shared in
e-commerce transactions (Kanyaru & Kyalo, 2015).
Weza Tele and iHub Research (Kitonyi, 2015) conducted a two-month study in Nairobi from
March 2012 to understand consumers' ordering and vendors' distribution habits. With the new
trends arising in the supply and distribution sector (e-commerce and m-commerce), the study set
out to understand the current habits in this sector; the challenges experienced by both consumers
and sellers; the preferred methods of ordering and distribution of goods and services; and the
demand for an online mobile commerce solution. The findings of the research would inform Weza
Tele and other e-commerce companies on the opportunities that lie in the management of supply
and distribution chains in the area of m-commerce. 28 customers and 21 sellers were interviewed
in various places in and around the Nairobi Central Business District.
The major findings from this research were:
Ordering Trends: 82% of consumers make their orders manually and 87.5% of sellers
(85.7%) process manually placed orders. Despite the fact that 62% of sellers have a Point
of Sale System (POS), 95% still receive orders manually by writing on paper and later
recording these sales in their system. 90.4% of payments by customers are by cash, followed
by mobile money; M-PESA payments are also becoming popular in most business settings.
Distribution Trends: The findings showed that 71.4% of the customers interviewed currently
queue for their orders to be prepared and take them with them after payment. Delivery of
ordered goods is not so common; in fact, only 3.6% of them waited for goods ordered to be
delivered to them. These are mostly orders placed online or via phone call.
Preference for a Mobile commerce solution: 71.4% of the consumers and 81% of sellers
use mobile commerce in carrying out business transactions.
According to statistics from the Communications Commission of Kenya (CCK) there was a significant
increase in the number of mobile subscribers in the country, from 26.49 million subscriptions
recorded during the previous quarter to 28.08 million mobile subscriptions as of January 2012.
Data services and usage continue to increase remarkably, with 6,152,687 Internet subscriptions, up
from 5.4 million during the previous quarter. This represents an estimated 17.38 million
Internet users in the country. These numbers show that there is potential for adoption and increased
usage of e-commerce transactions in the market. In addition, mobile commerce is also presented
with a great market as 98% of Internet access is driven through 3G/EDGE/GPRS, essentially
a mobile device (Kitonyi, 2012). The CCK's report focused on mobile payment and related
statistics. It reported that there were 18.9 million mobile money transfers recorded from about
70% of total mobile subscriptions (those also subscribed to mobile money services). Among the key
players and stakeholders in the industry is M-PESA (M for mobile, Pesa is Swahili for money), an
electronic payment system that is accessible from ordinary mobile phones, not necessarily
smartphones. M-PESA has seen exceptional growth since its introduction by Safaricom in Kenya in
March 2007 (Kitonyi, 2012).
2.3 Password Based Authentication Mechanisms
With the exponential growth of the Internet and e-commerce, secure transactions have
become a necessity for both consumers and businesses. Despite advances in security technology,
passwords still play a central role in system security. The difficulty with passwords is that all too
often they are the easiest security mechanism to defeat (Cazier & Dawn, 2011). Strong password
authentication has remained a hard problem in cryptography despite advances in both symmetric
(secret-key) and asymmetric (public-key) cryptosystems. The major categories of password
authentication systems, along with some example implementations illustrating their flaws, are
discussed below. Password-based authentication is vulnerable to attack if used on insecure
communication channels like the internet. Researchers have come up with several protocols to
prevent attacks, but there is still a need for models to analyse and aid the effective design of
acceptable password protocols geared to prevent dictionary attacks (Chakrabarti & Singhal, 2007).
According to Chakrabarti and Singhal (2007), passwords have become the most popular
authentication technique because they are cheap and convenient. However, password-based
authentication is vulnerable to several forms of attack. Users tend to select short and easily
memorized passwords without considering the vulnerability. Meanwhile, complex passwords
might get lost or stolen when users write them down, defeating the purpose of constructing secure
password-based authentication mechanisms. According to Bonk (2014), passwords have been
studied for decades and are known to be vulnerable to a number of malicious attacks. Password
policies are usually implemented poorly, which makes it easier for malicious users to crack
passwords. He further mentions that passwords are easy for developers and organizations to
deploy, but require users to make sacrifices in terms of security.
2.3.1 Security Concerns for Password Based Authentication Mechanisms
Passwords for computer use date back to at least the 1960s. The first mention of computer
passwords in the literature was on the Massachusetts Institute of Technology (MIT) Compatible Time
Sharing System (CTSS), which was one of the first multi-user operating systems. At that time,
passwords were used to separate and identify users, in order to control users' use of limited
resources such as CPU time (Anderson & Singer, 2013). Attempts to compromise passwords have
been around about as long. A graduate student on the CTSS system, who needed more compute
time than allocated, admitted to having taken advantage of a bug in the system to obtain a copy of
the password file, which was not hashed.
Transmitting a password in plaintext from the user to the server is the simplest and most insecure
method of password-based authentication. To validate a user password, the server compares it with
a password stored in a file. However, this method lets an adversary passively eavesdrop on the
communication channel to learn the password (Chakrabarti & Singhal, 2007).
To secure against passive eavesdropping, researchers have developed challenge-response
protocols. To initiate one, Entity A sends a message containing its identity to Entity B. B then
sends a random number, called a challenge. A uses the challenge and its password to perform
some computation and sends the result, called a response, to B. B then uses A's stored
password to perform the same computation and verify the response. Since B chooses a different
challenge for every run of the protocol, an adversary cannot simply eavesdrop or record and
replay messages (Chakrabarti & Singhal, 2007). The challenge-response protocol is, however,
vulnerable to a password-guessing attack. This attack assumes that the attacker has already built a
database of possible passwords. He eavesdrops on the channel and records the transcript of a
successful run of the protocol to learn the random challenge and response. The adversary then
selects passwords from the dictionary and tries to generate a response that matches the recorded
one. If there is a match, the adversary has successfully guessed A's password.
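The exchange just described, as an added example that is not code from the thesis or the cited papers: a toy challenge-response login built on HMAC-SHA256, with the identity, password and candidate dictionary all constructed for illustration. It shows both why a fresh challenge defeats replay and why a recorded transcript still lets password guesses be checked offline.

```python
import hashlib
import hmac
import secrets

# Added illustration (not from the thesis).  Entity B (the verifier) keeps
# A's password in a file, and both sides compute
#   response = HMAC-SHA256(key=password, message=identity || challenge)
# as the "computation over the challenge" described in the text.


def compute_response(password: str, identity: str, challenge: bytes) -> bytes:
    """The computation both A and B perform over the challenge."""
    return hmac.new(password.encode(), identity.encode() + challenge,
                    hashlib.sha256).digest()


class EntityB:
    """The verifier. password_file maps identity -> stored password."""

    def __init__(self, password_file: dict):
        self.password_file = dict(password_file)
        self.pending = {}  # identity -> challenge issued for the current run

    def challenge(self, identity: str) -> bytes:
        # A fresh random challenge for every run, so a response recorded from
        # an earlier run is useless against a later one.
        c = secrets.token_bytes(16)
        self.pending[identity] = c
        return c

    def verify(self, identity: str, response: bytes) -> bool:
        c = self.pending.pop(identity, None)
        password = self.password_file.get(identity)
        if c is None or password is None:
            return False
        expected = compute_response(password, identity, c)
        return hmac.compare_digest(expected, response)


def run_protocol(b: EntityB, identity: str, password: str):
    """One run of the protocol.  Returns (accepted, transcript); the transcript
    (identity, challenge, response) is everything a passive eavesdropper sees."""
    c = b.challenge(identity)                     # B -> A: challenge
    r = compute_response(password, identity, c)   # A -> B: response
    return b.verify(identity, r), (identity, c, r)


def replay_is_rejected(b: EntityB, transcript) -> bool:
    """Re-sending a recorded response against a new challenge must fail."""
    identity, _, old_response = transcript
    b.challenge(identity)                         # B issues a new challenge
    return not b.verify(identity, old_response)


def offline_guess(transcript, candidate_passwords):
    """The weakness described in the text: with only the recorded transcript,
    each dictionary candidate can be tested locally, with no further messages
    to B and hence no lockout or rate limit.  Returns the match or None."""
    identity, c, r = transcript
    for candidate in candidate_passwords:
        if hmac.compare_digest(compute_response(candidate, identity, c), r):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values.
    b = EntityB({"alice": "sunshine"})
    accepted, transcript = run_protocol(b, "alice", "sunshine")
    print("login accepted:", accepted)
    print("replay rejected:", replay_is_rejected(b, transcript))
    print("recovered from transcript:",
          offline_guess(transcript, ["letmein", "123456", "sunshine"]))
```

The defensive lesson is that the random challenge removes replay but not offline guessing, which is why the text calls for protocols designed specifically against dictionary attacks.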
Another concern is the ease with which passwords can be changed. Password resets often rely on
the user's personal information, and this can be vulnerable to social engineering. An attacker can
call a user pretending to be from a financial institution in order to "verify" his/her identity. The
security questions asked are usually weak and could be revealed by users through their profiles.
Another danger is that once an attacker accesses a user's email, they may also gain access to other
accounts for which the same e-mail address was used to sign up. This is referred to as the
single-point-of-failure vulnerability, which puts one at great risk. Users will try to decrease the
burden of having to remember passwords at the expense of security: they will write down
passwords, raising the potential for compromise. Where many systems are in use, users may choose
a single password for all of them (Cazier & Dawn, 2011).
According to Cazier and Dawn (2011), it is unfortunate that consumers do not always practice the
recommended password actions. Consumers as well as organizations at times exhibit a casual
attitude toward security crimes. They may feel that they are insignificant and that an attacker has
no reason to target them. Another common attitude displayed by consumers is that their account
might be vulnerable, but that it would not affect the entire system. Most e-commerce sites allow the
consumer to create a password and do not force them to change it. This is also a security problem,
since the whole point of a regular password change is to limit the time available for an intruder to
crack a consumer's password. If an old password is reused, attackers have more time to
crack it.
2.4 Passphrase based Authentication Mechanisms
A password is a sequence of characters from a pool of allowed characters and authenticates users.
It can be of any length and content; however, the normal computer password is short, about 5-16
characters, and consists of random characters and symbols. On the contrary, a passphrase consists
of 3-4 natural language words, with or without spaces, and forms a sort of sentence (Anderson &
Saeden, 2013). Selection of words with personal meanings may also help one to memorize the
passphrase. Passphrases are longer than passwords for security and prevent unauthorized people
from accessing confidential files and resources. Kini, Jha and Rao (2013) describe a passphrase as
a kind of password, noting that the distinction between the two is not very definite.
A strong passphrase should have the following characteristics (Microsoft Corporation, 2010):
20 to 30 characters.
Should be a series of words that create a phrase.
Should not contain common phrases or words in the dictionary.
Should be different from previous passwords or passphrases used.
A user should be able to use an acronym from the passphrase to make it easy to remember.
Passphrases have the potential to improve the usability and security of text-based
authentication (Bonk, 2014). They take advantage of mnemonics because they are composed of a
phrase or sentence, which is more familiar than numbers and symbols. Bonk further suggests that
passphrases can be made more memorable if they are approached like a story and written like a
regular phrase or sentence. This in turn renders them more usable.
Keith, Shao and Steinbart (2007) delved into the issue of how well users can remember longer
passphrases, the strength of the passphrase against attacks, and the satisfaction of users using
passphrases. The main finding was that passphrases lead to more typographical errors, that is,
errors that occur when typing in the passphrase. Users perceived passphrases as more difficult, but
the study results showed that they were no more difficult to remember than other password methods.
By the 6th week of the experiment there was a significant learning effect: the difference in typos
between passwords and passphrases had disappeared. By week 10, users rated authentication with
passphrases higher than passwords. The research further showed that while users may have had
trouble typing in their passphrase, it was because of typographical errors, not memory errors.
Before accounting for typographical errors, the login rates for the freeform password, stringent
password, and passphrase were 85.61%, 80.38%, and 71.58% respectively. After accounting for
typographical errors, they were 87.50%, 84.21% and 85.86% respectively (Keith, Shao, &
Steinbart, 2007). Nielsen and Vedel (2009) designed a prototype that stored user-selected
passphrases securely on Linux based systems. The prototype allowed error tolerance during login
attempts. The drawback of this approach is that plaintext passphrases are needed to compute the
edit distance between the user-supplied passphrase and the one the server keeps on record.
Passphrases are more usable when designed properly because they have memory cognition
advantages. The security benefits of passphrases also need to be analysed.
Traditionally, security was measured using entropy. Entropy refers to the randomness collected
by an application for use in cryptography (Bonneau & Shutova, 2014). Calculating the randomness
of user-chosen passphrases is difficult since users do not pick them uniformly. To simplify it, Bonk
(2014) assumed that every character has an equal chance of being put in a password. This
helps in determining a theoretical estimate of the number of guesses it would take to determine the
password. For instance, consider an 8-character password constrained by a policy of upper
and lower case letters and numbers. The formula for calculating the entropy, according to the
National Institute of Standards and Technology (NIST), of a randomly generated 8-character
password is:
Shannon's entropy in bits = log2(64^8) = 8 × log2(64) = 48 bits
The entropy calculation assumes that the password has 8 character positions and that
each of them can be one of 64 different characters. This is an overestimate, as language models
can be used to determine the probabilities of characters since languages are not random (Bonk, 2014).
2.4.1 Passphrase Creation Strategies
Passphrases are more memorable than passwords while potentially providing more security than a
traditional password. They are composed more like a phrase or sentence. One of the most common
techniques for creating passphrases is known as Diceware; it is used to generate cryptographically
strong passphrases. It is based on the principle that random selection of words from a wordlist can
result in easily memorable passphrases that are also resistant to attack. Traditional Diceware uses
rolls of physical dice; this application uses a strong random number generator in place of the dice.
Passphrases that are six words or longer are thought to be more secure for very high security
applications (Carnut & Hora, 2011). The Diceware passphrase generator is a word list indexed
so that words can be randomly selected by tossing five dice. The list contains 7776 short English
words, abbreviations and easy-to-remember character strings. The average length of each word is
about 4.2 characters. The longest words are six characters.
2.4.1.1 Using the Diceware
To use the Diceware list one will require one or more dice, which can easily be purchased in a
sports store. Download the Diceware list and print it out if a hard copy is needed. Decide how
many words you want in your passphrase. A five-word passphrase provides a level of security
much higher than the simple passwords most people use (Carnut & Hora, 2011).
The dice are then rolled and the results written on paper. The numbers are written in groups of
five: make as many of these five-digit groups as you want words in your passphrase (alternatively,
a single die can be rolled five times per group). Look up each five-digit number in the Diceware
list and find the word next to it. For example, 21124 means your next passphrase word would be
"clip".
Once you are done, the words that you have found are your new passphrase. Memorize them and
then destroy the paper or keep it in a really safe place.
Example of passphrase generation using Diceware:
For a six-word passphrase (recommended), you will need 6 × 5 = 30 dice rolls. Let's say
they come out as:
1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
1, 6, 6, 5, 2, 2, 4, 6, 4, 3, 2, and 6.
Write down the results on a scrap of paper in groups of five rolls:
1 6 6 6 5
1 5 6 5 3
5 6 3 2 2
3 5 6 1 6
6 5 2 2 4
6 4 3 2 6
You then look up each group of five rolls in the Diceware word list by finding the number in the
list and writing down the word next to the number:
1 6 6 6 5 cleft
1 5 6 5 3 cam
5 6 3 2 2 synod
3 5 6 1 6 lacy
6 5 2 2 4 yr
6 4 3 2 6 wok
Your passphrase would then be: cleft cam synod lacy yr wok
Figure 2.2: Diceware passphrase wordlist
Source: Carnut and Hora (2011)
Nielsen and Vedel (2009) give guidelines on how to create strong passphrases in order to protect
the privacy of the user when authenticating through an access control system. These guidelines are
as follows:
I. The passphrase should consist of at least 5-6 words. A longer passphrase will usually be more
secure because it will be harder to use brute force attacks against it. This also means that the
security is improved if long words are used in the passphrase. At best the passphrase should consist
of 7-9 words (Nielsen & Vedel, 2009).
II. Different kinds of character substitution could be included in the passphrase to increase security.
'1' could for example be substituted with '!' and 'S' with '$'. Misspellings could also be included to
increase the level of security of the passphrase even further. Inclusion of both lower and uppercase
letters will also contribute to security (Nielsen & Vedel, 2009).
III. The passphrase does not have to represent a real sentence in a natural language. In fact, the
security level of the passphrase will be better if the phrase is nonsense or random words. A
passphrase created from random words can be made even stronger by using character substitutions
as described in the second point.
2.4.1.2 Modified Diceware Method
A few modifications were made to the traditional Diceware method to address its
shortcomings (Carnut & Hora, 2011). These changes include:
Smaller dictionary: a wordlist with 6^4 = 1,296 words, yielding log2(1,296) ≈ 10.34 entropy bits
per word, is used. The smaller number of words makes it a lot easier for dictionary designers to
select more common, familiar words, not only in English but in any other language as well.
Fixed-length words: as a result of the smaller dictionary, words could have only four characters.
This makes full passphrases always 24 characters long, for a fixed entropy of 62.04 bits,
slightly more than the best entropy of 61.94 from the traditional method.
Other advantages are that it helps memorization: when the user is in doubt about how a particular
word is spelled, or whether it is in singular or plural form, he/she chooses the version with four
characters. Secondly, since the words are purely alphabetic, typing is more proficient, which
helps mitigate "over-the-shoulder attacks" since users can type the passphrases quickly
(Carnut & Hora, 2011).
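The Diceware procedure of section 2.4.1 and the entropy figures of sections 2.4 and 2.4.1.2, worked through in Python as an added example (not code from the thesis or from Carnut and Hora). The word list is a constructed stub holding only the entries the thesis quotes; a real Diceware list has 7776 entries, and the `secrets` module stands in for the physical dice.

```python
import math
import secrets

# Added illustration, not code from the thesis.  Only the entries quoted in
# the text are present in this constructed stub; the real list has 6**5 words.
DICEWARE_STUB = {
    "16665": "cleft", "15653": "cam", "56322": "synod",
    "35616": "lacy", "65224": "yr", "64326": "wok", "21124": "clip",
}
TRADITIONAL_LIST_SIZE = 6 ** 5   # 7776 words, one five-dice group per word
MODIFIED_LIST_SIZE = 6 ** 4      # 1296 four-letter words (Carnut & Hora variant)


def roll_dice(count: int) -> list:
    """Software replacement for physical dice, drawn from a CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def group_rolls(rolls, dice_per_word=5) -> list:
    """Write the rolls down in groups, e.g. [1,6,6,6,5,...] -> ['16665', ...]."""
    if len(rolls) % dice_per_word:
        raise ValueError(f"need a multiple of {dice_per_word} rolls, got {len(rolls)}")
    if any(r < 1 or r > 6 for r in rolls):
        raise ValueError("dice values must be 1..6")
    return ["".join(str(r) for r in rolls[i:i + dice_per_word])
            for i in range(0, len(rolls), dice_per_word)]


def lookup_passphrase(rolls, wordlist, dice_per_word=5) -> str:
    """Look each group up in the list and join the words with spaces."""
    words = []
    for key in group_rolls(rolls, dice_per_word):
        if key not in wordlist:
            raise KeyError(f"{key} is not in the (stub) word list")
        words.append(wordlist[key])
    return " ".join(words)


def generate_passphrase(num_words, wordlist, dice_per_word=5) -> str:
    """Roll the dice in software and look the words up (needs a full list)."""
    return lookup_passphrase(roll_dice(num_words * dice_per_word),
                             wordlist, dice_per_word)


def bits_per_word(list_size: int) -> float:
    """Entropy of one uniformly chosen word: log2 of the list size."""
    return math.log2(list_size)


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words independent uniform picks from the list."""
    return num_words * bits_per_word(list_size)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """The NIST-style figure quoted in section 2.4: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def modified_passphrase_length(num_words: int, chars_per_word: int = 4) -> int:
    """Fixed length of a Carnut & Hora passphrase (no separators)."""
    return num_words * chars_per_word


if __name__ == "__main__":
    # The thesis's 30 example rolls.
    rolls = [1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2,
             3, 5, 6, 1, 6, 6, 5, 2, 2, 4, 6, 4, 3, 2, 6]
    print(lookup_passphrase(rolls, DICEWARE_STUB))
    print(f"{bits_per_word(TRADITIONAL_LIST_SIZE):.2f} bits/word, traditional list")
    print(f"{passphrase_entropy_bits(6, MODIFIED_LIST_SIZE):.2f} bits, six modified words")
    print(f"{random_password_entropy_bits(8, 64):.0f} bits, 8 chars from 64")
```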
2.4.2 Attempts to Crack Passphrases.
A study conducted by Sparell and Simovits (2015) focused on cracking linguistically correct
passphrases, to determine to what extent it is advisable to base a password policy on such phrases
for data protection. Passphrases were generated for further processing by available cracking tools,
and the language of the phrases was modeled using a Markov process. In this process, phrases
were built up by using the number of observed instances of subsequent characters in a source text,
known as n-grams, to determine the possible characters in the phrases. The study showed that
linguistically correct passphrases can be broken in a practical way compared to an exhaustive
search. In the tests, passphrases consisting of up to 20 characters were broken (Sparell &
Simovits, 2015). To obtain a low entropy, or high linguistic correctness, in the modeling of a
language, it must be based on a good language model, and the Markov model was one proposed by
Shannon in his earlier work.
In the conference paper "Effect of Grammar on Security of Long Passwords", Rao, Jha and Kini
(2013) made an attempt to use grammar to crack passphrases. The results showed a slight increase
in the number of cracked passwords using grammatical rules compared to other methods. The paper
also discusses user behavior regarding the selection of the number of words in a passphrase and
the shortcomings of available cracking applications regarding passphrases. Bonneau and Shutova
(2012) studied the patterns in user choice of passphrases based on Amazon's now discontinued
PayPhrase service. They concluded that a 4-word passphrase probably has less than 30 bits of
security because users tend to choose linguistically correct phrases.
2.5 Existing Passphrase Based Authentication Systems
Passphrases have been adopted by a few websites globally. For instance, Buckinghamshire New
University adopted the use of passphrases and developed a user authentication and passphrase
policy. All Bucks New University service users, including contractors and vendors with access to
systems, are responsible for taking the appropriate steps, as outlined below, to select and secure
their passphrases. A poorly chosen passphrase may result in the compromise of the entire
university's network. Passphrases must be changed on a regular basis: administrator and student
passphrases must be changed every 90 days, and employee passphrases after 120 days. All user-
level and system-level passphrases must conform to the guidelines set by the university
(Buckinghamshire New University, 2015). In Africa, passphrases have been used in countries
such as South Africa. Vodacom, a mobile operator in South Africa, has introduced a voice
password for customers using the My Vodacom app. Instead of a string of security questions and
lengthy PINs, the app uses voice biometrics such that customers can speak a simple passphrase
to verify their identity (Craig & Crouse, 2006).
2.4.3 Why Passphrases are friendlier than Passwords.
Passwords and passphrases are important aspects of computer security and are also the front line
of protection for user accounts on most websites. A poorly chosen password or passphrase could
compromise system data and also the entire network of an institution (Sinan & Ayse, 2011).
On most websites, users have to register and create accounts to do more than browse. They will
create many passwords in their lifetime, which are hard to remember considering the many
passwords they have to memorize for different websites. This can be frustrating, especially
when a user is locked out of an account after more failed attempts than the threshold allows. Some
opt to use the same password for all accounts; however, that makes them vulnerable to attacks.
Another option is using easy-to-remember passwords, but these are an easy target for brute-force
attacks. Others could even write it down on a piece of paper, but once someone with malicious
intentions gets hold of it, their accounts are compromised. Passwords created by users with
usability in mind end up compromising security. Another issue is that users are prone to error when
they hold the shift key to type symbols or even capital letters; a password that is secure but not
usable would not be considered ideal (Sinan & Ayse, 2011).
A solution created for this is the use of password managers. These are apps that store all passwords
in a database. All a user has to memorize is the master password instead of the
passwords for each of their accounts. The setback with these is that they do not have a reset or
recovery process. They also cost money. A research study done at Carleton University found
that many users are uncomfortable and not so familiar with using the software, and do not trust it
either (Chiasson & Van Oorschot, 2005).
There is a need to balance security and usability; websites need to upgrade from passwords to
passphrases. Passphrases are more secure because they have a minimum requirement of 16
characters while most passwords have a minimum of 8. The greater the length, the longer it takes
to crack, and thus the more security it gives. A complex password with numbers, special
characters and capital letters would be stronger; however, compared with even a weak
passphrase, it is impossible to use brute force. Passphrases allow special characters like the
space, which is not allowed in passwords. It is very difficult to use brute force or even a dictionary
attack when the passphrase has the space character. The longer character-length requirement of a
passphrase prevents users from using their personal information: since a single word string is not
enough to meet the requirement, users add more word strings to their passphrase, making it harder
to guess (Saranga & Kelley, 2011).
Passphrases are meaningful and are phrases that the users can relate to. More often than not, users
create passwords and add special characters just to meet the registration form policy. The
resulting randomness in the password also makes it hard to remember. Passphrase
policies are less strict on registration forms than password policies. The only requirement a
passphrase needs is to be 16 characters or longer. The researchers found that "a 16-character
minimum with no additional requirements provides the most entropy while proving more usable
on many measures than the strongest alternative." This helps users to create accounts more easily
while maintaining security (Saranga & Kelley, 2011: pg 9). Users normally get stuck on registration
pages when they cannot create a password that meets the website's policy. This happens especially
when the policies have too many requirements, creating frustration in users, who may abandon
the registration.
2.6 Chapter Summary
The literature review has entailed studies related to, Key trends in e-commerce; challenges of
password based authentication, techniques used to create passphrases, Analysis of passwords and
passphrases.
The literature review covered studies on trends in ecommerce globally and in Sub Saharan Africa.
The above trends are set to increase customer growth, customer loyalty and increased profit. This
is due to the increased sense of security of customers as they shop. These themes have been
discussed by: UNCTAD (2015); Criteo (2015); Bethlahmy and Schottmiller (2011); Singh (2014);
and Quinn et al. (2014).
Studies on ecommerce in Kenya were also covered. It was found out that e-commerce faced
challenges due to the several constraints that arose and hence it was minimally used. There was
also an increased skepticism of customers who were reluctant to embrace e-commerce. Another
important talking point is the fact that e-commerce depends solely on internet connectivity and as
it may be feasible currently, there are still several infrastructural policies that need to be put in
place to make it a success in a third world setting. They were discussed by: Kaburia (2004);
Gikandi and Bloor (2010); Kinyajui and McCormick (2002) and Kanyaru and Kyalo (2015).
The role of passphrases in e-commerce was also discussed. The importance of the passphrase is
that its length makes it safer, and it normally has to be something very memorable
to the user, for example a mixture of certain important dates and a birthday. This eliminates any
form of social engineering that may be used to gain unauthorized access, hence ensuring
security. These thematic concerns have been discussed by Anderson and Saeden (2013) and Kini, Jha
and Rao (2013). From the above studies, it is evident that there are several concerns related
to e-commerce penetration, strength, sustainability and security in Kenya. Studies have been
done on the pros and cons of passphrases in terms of security. However, this has not been translated
into the ecommerce industry. This study therefore sets out to find the security gap in e-commerce
and possibly fill it.
The next chapter presents the research methodology used for this study: the research design,
population and sampling, data collection methods and data analysis methods, and it concludes with
ethical considerations in research.
CHAPTER THREE
3.0 RESEARCH METHODOLOGY
3.1 Introduction
Research methodology refers to the systematic way of finding the result of a given problem
on a specific matter, also referred to as the research problem (Kothari, 2004). In methodology, the
researcher uses different criteria for solving the given research problem. In this chapter the research
design, data collection methods, data analysis and ethical considerations in research are covered.
3.2 Research Design
Design science was used in this study; it offers specific guidelines for evaluation and iteration
within research projects. Design science is an Information Systems research paradigm that is a
major component of research. This form of research has diffused into the mainstream of
Information Systems research in the past fifteen years and much of it has been published in
engineering journals (Peffers, Tuunanen & Rothenberger, 2007; Ping & Scialdone, 2011).
This design approach is appropriate for this study because engineering
disciplines accept design as a valid and valuable research methodology (Peffers, Tuunanen, &
Rothenberger, 2007). The engineering research culture places explicit value on incrementally
effective, applicable solutions to problems. Considering the explicitly applied character of
Information Systems practice and the implicitly applied character of Information Systems research,
its methodology should be approached in the same way (Peffers, Tuunanen, & Rothenberger,
2007). It also supports a pragmatic research paradigm that calls for the creation of innovative
artifacts to solve real-world problems. This type of research focuses on the IT artifact with a high
priority on the relevance of the application domain.
The chapter includes the seven steps of design science: design as an artifact, problem relevance,
design evaluation, research contributions, research rigor, design as a search process and
communication of research. The study took all seven steps of design science into consideration,
and Table 3.1 shows how each was put to use (Ping & Scialdone, 2011; Hevner,
2007).
Table 3.1: Research Design Steps and Application to Study.
Research Design Principles / How applied in the study
1. Design as an artifact: An IT artifact is an entity or an object engineered to benefit particular people with certain purposes and goals in particular contexts. Design science research must produce a viable artifact in the form of either a model or a method. Capabilities of IT artifacts are created, developed, applied, implemented, integrated, and administered to support certain human endeavors. IT artifacts also have different forms and can be configured in many ways to compose hardware, software, applications, and innovations.
   How applied in the study: In this study, a prototype was developed and tested by five IT security experts for credibility. The researcher also looked at existing frameworks before coming up with one for this particular study.
2. Problem relevance: Design science also focuses on developing technology-based solutions to relevant business challenges as one of its objectives. Once the problem is defined, the researcher is able to develop an effective artefactual solution. A solution to the problem is to be found in the course of the research. The problem should be in the domain of information systems research.
   How applied in the study: In Chapter One, the problem at hand is clearly stated; most people are paranoid when it comes to online shopping. There are also issues of cybercrime during online transactions such as masquerading, password sniffing and other forms of hacking.
3. Design evaluation: The design artifact must be rigorously demonstrated through properly executed evaluation methods. The output from the design science research must be returned into the environment for study and evaluation in the application domain. The field study of the artifact can be executed by means of appropriate technology transfer methods such as action research.
   How applied in the study: In this study, the prototype was evaluated by a team of IT security experts during a focus group discussion. This was done for purposes of credibility, and the feedback was used to enhance the security features put in place to secure online transactions.
4. Research contributions: There must be clear and verifiable contributions in the areas of design methodologies and artifacts. Literature research is used to identify a problem or a gap in research. Some of these gaps could be mentioned in academic publications as well as corporate reports. Literature review helps to analyze possible obstacles and difficulties for its solution.
   How applied in the study: In this study, Chapter Two covers research done by authors about ecommerce security. It mentions global ecommerce trends, ecommerce in Sub-Saharan Africa and also ecommerce in Kenya. There is also a mention of current technologies used to secure ecommerce transactions and their disadvantages.
5. Research rigor: Rigorous methods were applied in the construction and evaluation of the design artifact. The rigor cycle provides past knowledge to the research project to ensure that there is no re-invention of the wheel in research. It is important that researchers thoroughly research and reference the knowledge base in order to guarantee that the designs produced are research contributions and not routine designs based upon the application of well-known processes. Additions to the knowledge base as results of design science research will include any extensions to the original theories and methods made during the research, the new design products and processes, and all experiences gained from performing the research and field testing the artifact in the application environment.
   How applied in the study: In this study, the gap was realized after looking at all the solutions that other researchers had come up with and all the technologies that were being used to secure ecommerce transactions. A detailed systematic literature review was done and the proposed system was tested by security experts for credibility.
6. Design as a search process: The search for an effective solution also requires that available resources are utilized while satisfying laws in the problem solution.
   How applied in the study: A systematic approach was employed in the development of the proposed system.
7. Communication: Research must be presented effectively to both technology-oriented and management-oriented audiences.
   How applied in the study: The study involved security experts who critiqued the proposed system and gave feedback after the researcher introduced it to them.
3.3 Population and Sampling Design
A population is a complete set of individuals, cases or objects with some common observable
characteristics (Mugenda & Mugenda, 2003). According to Denomie (2007), a population frame
is “an objective list of the population from which the researcher can make his or her selection.”
In this study the population comprised 7 IT security experts who were involved in a
focus group discussion. ETA (2008) defines a focus group as a group interview of
approximately six to twelve people who share similar characteristics or common interests. A
facilitator guides the group based on a predetermined set of topics. The facilitator creates an
environment that encourages participants to share their perceptions and points of view. This is a
form of qualitative data collection, meaning that the data is descriptive and cannot be
measured numerically. Convenience sampling was used due to time and cost constraints. Instead
of taking random samples, the 7 IT security experts chosen for the focus group discussions, out of a
total population of 20 staff at Jhpiego Corporation, were those who were readily available.
Convenience sampling also helps one to gather useful data and information that would not have
been possible using probability sampling techniques, which would require more formal access to
people.
The main goal was to get feedback for the prototype for credibility. The focus group discussion
also aimed to establish challenges in password based authentication techniques and verify that
passphrases would be a better alternative for secure e-commerce transactions.
3.4 Data Collection Methods
The main method used to collect the data needed was focus group discussions. Participants
were asked questions during the focus group discussions and gave feedback that would be
useful in improving the prototype developed. The study also took into consideration the seven steps of
design science and how they apply to the study. Freitas (2000) says that a focus group permits
flexibility of data collection that is not usually achieved when applying one data collection
instrument individually. There is also spontaneity of interaction among the participants. She also
looked at the advantages and disadvantages of focus group discussions, as shown in
Table 3.2.
3.5 Research Procedures
A systematic approach was used to conduct this study. The researcher developed three research
objectives for the study:
1. To identify the challenges experienced when using password based authentication
mechanisms.
2. To determine how passphrases can be used to address password based authentication
challenges through implementation of passphrase policies.
3. To implement a passphrase system that will be integrated in ecommerce websites.
A literature review was conducted on the three research objectives and the researcher compared
what different authors and scholars had written on the use of passphrases. Little research had been
done on the use of passphrases in e-commerce websites. The researcher adopted design science in the
study; engineering disciplines accept design as a valid and valuable research methodology. The
seven steps of design science were taken into consideration and the researcher looked at how each step
was applicable to the study. The study population comprised 7 of the 20 IT security experts of
Jhpiego Corporation. These were people with experience and expertise whose input would
contribute towards enhancing the proposed system. Convenience sampling was done due to time
and cost constraints. The main data collection method was focus group discussions;
participants were given access to the prototype developed by the researcher and thereafter gave
feedback on system credibility. Before participating, the participants signed consent forms
which articulated the objectives of the study and also informed them that whatever
they said at that forum would be confidential. The focus group discussion also aimed at
establishing challenges in password based authentication techniques and at verifying that passphrases
would be a better alternative for secure e-commerce transactions. Data was analyzed using
thematic analysis; analysis of the focus group data involved reading the transcripts, coding the distinctive
themes, then developing the codes to present the identified themes. A systematic procedure was
followed during data analysis to ensure the results were as error-free as possible.
Figure 3.1: Research process flow diagram (Source: Researcher). The diagram shows the steps in
sequence: develop research objectives; conduct literature review; decide the appropriate research
study design (design data collection instruments; identify participants, that is, IT security experts);
analysis of data and interpretation of findings (thematic analysis); conclusion, recommendations and
dissemination.
Table 3.2: Advantages and Disadvantages of Focus Group
Advantages:
- It is comparatively easier to drive or conduct.
- It allows the researcher to explore topics and to generate hypotheses.
- It generates the opportunity to collect data from the group interaction, which concentrates on the topic of the researcher’s interest.
- It has high “face validity” (data).
- It has low cost in relation to other methods.
- It gives speed in the supply of the results (in terms of evidence of the meeting of the group).
- It allows the researcher to increase the size of the sample of the qualitative studies.
Disadvantages:
- It is not based on a natural atmosphere.
- The researcher has less control over the data that are generated.
- It is not possible to know whether the interaction in the group reflects individual behavior.
- The data analysis is more difficult to do. The interaction of the group forms a social atmosphere and the comments should be interpreted inside of this context.
- It demands carefully trained interviewers.
- It takes effort to assemble the groups.
- The discussion should be conducted in an atmosphere that facilitates the dialogue.
Source: Adapted from Krueger (1994) and Morgan (1988).
In spite of the disadvantages above, this method facilitates the collection of interesting data. This
data contributes to a stronger conviction on the part of the researcher or analyst, as it is a good
source of information for the formulation of hypotheses or for the construction of frameworks.
These in turn allow further investigation (Freitas & M, 2000).
3.5 Data Analysis Methods
The data was analyzed using thematic analysis. A theme is a pattern found in the information that
describes and organizes observations and at maximum interprets aspects of the phenomenon
(Boyatzis, 1998). It may be identified at the manifest level or at the latent level. The latter requires
more involvement and interpretation from the researcher. This type of analysis focuses on
describing both implicit and explicit ideas within the data, that is, themes. A thematic analysis of
the focus group data involved reading and rereading the transcripts, coding the distinctive themes
in the discussion and coming up with distinct themes. Codes were then developed to represent the
identified themes and applied to raw data as summary markers for later analysis. In this type of
analysis, reliability is of greater concern because interpretation goes into defining data items (Ryan,
2010).
A systematic procedure was followed in analyzing the qualitative data collected during the focus
group. This ensured that the results were as error-free as possible. The first step in making sense
of the focus group data was to transcribe the interview to preserve the integrity of the data. During
analysis, the researcher was careful not to clean up the data if it meant distorting what the participants
said.
The data analyzed specifically attempted to answer the following questions:
1. What are the challenges experienced when using password based authentication
mechanisms?
2. How can passphrases be used to solve the challenges of password based authentication
techniques?
3. Will integration of passphrases in e-commerce have benefits?
3.6 Ethical considerations in research
A number of ethical issues were addressed in the course of the study, the most
important being the voluntary nature of focus groups. The participants were not compelled to
participate in the focus group and were not forced to remain in the event that they wanted to leave.
Consent was obtained from each participant even before the focus group began. The participants
were also provided with a clear statement of purpose so that they could make an informed decision.
No use was made of the information provided in the focus group discussion other than for the
purpose for which consent was given. Respect and anonymity were also considered, such that no
information would be revealed to identify the participants and no comments made were
reported in any form.
3.7 Chapter summary
This chapter discusses the research methodology that was used in the study. The chapter includes
the seven steps of research design, sampling of study participants and also ethical considerations
in research. The next chapter describes implementation of the system, system analysis, modeling
and design.
CHAPTER FOUR
4.0 IMPLEMENTATION
4.1 Introduction
In this chapter system analysis, modelling and design are covered. System testing was also done
to check the behaviour of the complete and fully integrated software product against the
software requirements specification (SRS) document. Finally, the chapter describes how the
system was implemented and what was done to ensure that the system was credible and would be
accepted once it was rolled out for ecommerce businesses to adopt and integrate into their websites.
4.2 Analysis
Requirements gathering is an essential part of a project. It is important to understand the
deliverables of the project since this is critical to its success. According to Gale (2013), project
managers break down stakeholder requests, examine the timeline and budget, and then identify
any incompatibilities that might exist between expectations and reality. This kind of deep dive
helps avoid unwelcome surprises later. Yet too often project teams do not take analysis far enough:
they formulate a general idea of what stakeholders want but do not quantify those outcomes. In this
study, a systematic literature review was conducted to inform the system needs and requirements.
4.3 Modelling and Design
The researcher adopted the prototype model for this particular system. A prototype is a model or
a program which is not based on strict planning, but is an early approximation of the final product
or software system. A prototype acts as a sample to test the process. From this sample we learn
and try to build a better final product. According to Coughlan et al. (2007), while the model is being made, the
user keeps giving feedback from time to time and a prototype is built on that basis. The completely built sample
model is shown to the user and, based on his feedback, the System Requirements Specification (SRS)
document is prepared. After completion of this, a more accurate SRS is prepared, and
development work can then start using the Waterfall Model.
Figure 4.1: Prototype model
Some of the benefits of this model are that users are actively involved in the development and also
get a better understanding of the system being developed. Errors can also be detected much earlier,
missing functionality is identified easily and quick user feedback is available, leading to better
solutions.
According to Coughlan, Fulton & Canales (2007), prototyping plays many important roles in the
development of a new product, service, environment, or experience. They also mention that in the
realm of organizational change, prototyping helps with three primary objectives:
1. Building to think—rather than discussing, analyzing, or hypothesizing in abstract terms before
acting, creating tangible expressions of ideas early enables organizational thinking to develop
concretely through action.
2. Learning faster by failing early (and often)—making things tangible allows many small, low-
impact failures to occur early, resulting in faster learning about what does and does not work and
why.
3. Giving permission to explore new behaviors—the tangible presence of a new thing, the
prototype, itself encourages new behaviors, relieving individuals of the responsibility to
consciously change what they do.
Design is the structured creation of artifacts (such as software components) to implement specific
functionality. It refers to the technical specifications that will be applied in implementing the
proposed system. It also specifies how a system will accomplish the desired functionality.
Requirements for system design include thinking of the right way to decompose functionality and
how to create a small set of abstractions that can be re-used and re-combined to provide the needed
functionality.
This phase is the most creative and challenging phase of the system life cycle. The term design
describes a final system and the process by which it is developed. It also includes the construction
of programs and program testing.
The first step is to determine how the output is to be produced and in what particular format.
Samples of the output and input are also presented. Second, input data and the database have to be
designed to meet the requirements of the proposed system. The operational phases are handled
through program construction and testing including a list of the programs needed to meet the
system’s objectives and complete documentation. Finally, justification of the system and an
estimate of the impact of the proposed system on the user are documented and evaluated by a team
of experts as a step toward implementation (Jawahar, 2012).
The final report prior to the implementation phase includes dataflow diagrams, report layouts and
a workable plan for implementing the proposed system. Information on personnel, funds required,
hardware, facilities, and their estimated cost must also be available. At this point, projected costs
must be close to actual costs of implementation (Jawahar, 2012).
4.4 Proof of Concept
E-commerce in Africa is slowly taking root in developing cities and Nairobi is no exception.
However, there is much attention and excitement around the concept of e-commerce. This has left
the security concerns of e-commerce still unanswered, not forgetting that there is still much
skepticism towards the idea among first time users. This creates a gap that needs to be addressed,
considering that studies on ecommerce security in the region are scarce.
The researcher developed a prototype that would be integrated into e-commerce websites. This
step in software development is the design verification phase of product development. A
systematic approach was used to develop the prototype. The researcher designed the prototype on
paper as part of planning, to get ideas from head to paper before starting the actual
implementation. Requirements for the project were then identified and project goals defined. The
researcher also came up with flowcharts and data flow diagrams to develop a good understanding
of the application flow by dividing the application into pieces. Some of the merits of prototyping
are that it saves money, decreases development time and ultimately results in a better product.
To prove the value of the design to skeptical investors, it is important to develop a functional
design that exists in and interacts with the real world. Therefore, the researcher integrated the use
of passphrases as an authentication mechanism into e-commerce websites. Throughout the world,
online shopping and transactions have grown exponentially. Consumers may still be concerned about
the security of online shopping, but more and more are prepared to buy online. Many sites offering free
shipping have also increased the desirability of online buying. The internet is only going to become
more popular as time goes by, and it would be ideal if online purchasers were confident as they make these
transactions. Passphrases are one of the solutions to this online security challenge and, if adopted by
e-commerce sites, security risks such as password cracking will be mitigated.
Several issues came up during the implementation of this project. The researcher was
able to better understand what passphrases were all about and where they had been implemented
successfully by going through several sources of literature. Systematic prototyping worked well
and reduced the risk of project failure. The researcher was able to better understand the capabilities
and limitations of the system. She also made recommendations that other experts could take up
and add to the body of knowledge. For credibility, the researcher presented the prototype
developed to a team of 7 IT experts who gave their feedback. This was useful and helped the
researcher to draw conclusions on the usability and functionality of the prototype. The researcher
accommodated feedback from the experts such as improving the graphical user interface; she also
ensured that the passphrases were encrypted. Some of the feedback could not be accommodated
right away but was taken into consideration. This included using grammatically correct passphrases
in different languages and comparing their strength when both are subjected to a password cracking
attack. The researcher deferred that to a separate paper at a later date.
4.5 System Testing
System testing was conducted on the system to evaluate its compliance with its specified
requirements. System testing falls within the scope of black-box testing and, as such, should require
no knowledge of the inner design of the code or logic. In order to check the correct functioning of
the system, the different modules of the system were tested.
The intent of System Test is to find defects and correct them before go-live. There is no approach
or method to guarantee a system completely free of defects. However, following a System Test
approach will assist in mitigating risks and ensuring a successful project.
4.5.1 General Tests
It is important to conduct general system tests to ensure that the final product presented to users is
complete based on the system requirements specification.
Some of these tests include:
- Error messages should be displayed properly according to the error experienced.
- Refreshing the page should set default values for all fields.
- Input fields should be checked for required field values.
- Input values greater than the required maximum limit should not be accepted.
- Proper validation messages should appear.
- Functionality of all the buttons should be checked.
4.5.2 Error Tests
The system was developed in such a way that:
- The error description is understandable by users.
- The error noted corresponds to the error encountered.
- The description of the error makes it easy for the user to determine the cause of the error.
Screen shots of Error Tests
Figure 4.5: Screenshots of Error Tests
The users found this error upon typing the wrong passphrase.
4.5.3 Database Tests
Some of the database tests done were to check that:
- The correct data is being saved in the database.
- The data is recorded properly in the correct fields.
- As the data is being recorded, it is not shortened.
- The database fields are designed with the correct data type and length.
- All fields are in a format that can be read by the website.
Figure 4.6: Database Screenshot
This is a screenshot of the database. It shows the people that have registered on the website.
4.5.4 Security Tests
Security testing reveals flaws in the security mechanisms of the ecommerce website, to ensure data
protection and also system functionality. Due to the logical limitations of security testing, passing
security testing is not an indication that there are no flaws in the system or that the system satisfies
all the security requirements. Some of the security tests done were:
- Ensuring only authorized users were allowed to log in (only users who had entered a valid passphrase).
- Access control measures are in place such that a normal user does not have the same view as a super user or an administrator.
- Black box testing: assessing the system for security issues from the end users’ perspective.
- White box testing: assessing an application by reviewing its code. This allows the security experts to be more efficient and give better feedback, thus mitigating the fundamental handicap of being time-limited versus a real attacker who faces fewer time constraints.
- Grey box testing: performed by someone with detailed insider information but no access to source code.
This section contains all the software requirements at a level of detail, that when combined with
the system context diagram, data flow diagram (DFD), and DFD descriptions, is sufficient to
enable any designer to design a system to satisfy those requirements, and testers to test that the
system satisfies those requirements.
4.6 System implementation
This system is implemented using a content management system known as Joomla. This is an open
source solution that is freely accessible online and is easy to use. Joomla's powerful application
framework makes it easy for developers to create sophisticated add-ons that extend the power of
Joomla in virtually unlimited directions, since some organizations have requirements that go
beyond the basic Joomla package. This content management system is also based on PHP and MySQL,
which is ideal for powerful, robust and dynamic websites. It is also compatible with any
operating system and has multi-language support.
4.6.1 Current System Description
The proposed system is a module integrated into an ecommerce website. Users are prompted
to enter a passphrase when checking out. The passphrase is user selected and follows certain
passphrase guidelines that had been set. Once the users have entered the correct passphrase, they
are able to check out the item that was in their shopping cart.
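As an added example, not the thesis's Joomla/PHP module, the following Python stand-in implements the registration and checkout gate just described together with the policy cited in the literature review (a 16-character minimum with no additional requirements). The 128-character upper limit, the salted PBKDF2-HMAC-SHA256 storage format, the account names and the sample cart are assumptions of this example.

```python
# Added example, not the thesis's Joomla/PHP module: a Python stand-in for the
# registration and checkout gate described above. The only passphrase rule is
# the 16-character minimum cited in the literature review; the 128-character
# upper limit, the salted PBKDF2-HMAC-SHA256 storage format and the sample
# accounts and cart are assumptions of this example.
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 16            # the page's only passphrase requirement
MAX_LENGTH = 128           # assumed ceiling, so the "maximum limit" test has a value to check
ITERATIONS = 310_000       # assumed PBKDF2 work factor
GENERIC_FAILURE = "Passphrase not accepted"   # same reply for unknown account and wrong passphrase


def normalize(passphrase: str) -> str:
    """NFKC-normalize so the same phrase typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", passphrase)


def check_policy(passphrase: str) -> list:
    """Return the list of policy violations; an empty list means the passphrase is acceptable.

    Deliberately no character-class rules: the cited study found a 16-character
    minimum with no additional requirements both strong and the most usable.
    """
    length = len(normalize(passphrase))
    problems = []
    if length < MIN_LENGTH:
        problems.append(f"passphrase must be at least {MIN_LENGTH} characters (got {length})")
    if length > MAX_LENGTH:
        problems.append(f"passphrase must be at most {MAX_LENGTH} characters (got {length})")
    return problems


def hash_passphrase(passphrase: str, salt: bytes = None) -> str:
    """Derive a salted hash; the stored record carries algorithm, work factor and salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(passphrase).encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        work_factor = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False           # a malformed record never verifies
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(passphrase).encode("utf-8"), salt, work_factor)
    return hmac.compare_digest(candidate, expected)


class AccountStore:
    """In-memory stand-in for the prototype's MySQL user table."""

    def __init__(self):
        self._hashes = {}
        # Verified against when the account does not exist, so the unknown-account
        # path costs the same time as a wrong passphrase for a known account.
        self._decoy = hash_passphrase("decoy passphrase used only for timing")

    def register(self, email: str, passphrase: str) -> list:
        """Create the account if the passphrase meets policy; otherwise return the violations."""
        problems = check_policy(passphrase)
        if not problems:
            self._hashes[email] = hash_passphrase(passphrase)
        return problems

    def checkout(self, email: str, passphrase: str, cart: dict) -> dict:
        """Gate checkout on the passphrase, as the prototype does before an order is placed.

        cart maps item name to (unit price, quantity).
        """
        known = email in self._hashes
        matched = verify_passphrase(passphrase, self._hashes.get(email, self._decoy))
        if not (known and matched):
            return {"ok": False, "error": GENERIC_FAILURE}
        total = sum(price * quantity for price, quantity in cart.values())
        return {"ok": True, "items": sorted(cart), "total": total}


if __name__ == "__main__":
    # Constructed sample data: one shopper and a small cart from the shoe shop scenario.
    store = AccountStore()
    print(store.register("shopper@example.test", "Tr0ub4dor&3"))                   # rejected: 11 characters
    print(store.register("shopper@example.test", "correct horse battery staple"))  # []
    cart = {"loafer": (3500, 2), "sneaker": (4200, 1)}
    print(store.checkout("shopper@example.test", "correct horse battery staple", cart))
    print(store.checkout("shopper@example.test", "wrong passphrase altogether", cart))
```

The checkout reply is identical for an unknown account and for a wrong passphrase, and both paths do one hash computation, so the gate does not reveal which accounts exist.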
For demonstration purposes, the researcher used an example of an online shoe shop. Apart from
the new module being brought on board, other functionalities will be same as a regular online shop.
The shoes on sale have the prices and the sizes available. A user can buy immediately and give their
shipping address. If they are not ready to buy, they can put the item in the shopping cart and check it
out when they are ready. Afterwards, they indicate their preferred mode of payment.
A focus group discussion was held for 7 security experts to give feedback and to add to the
credibility of the system. This kind of forum provides a great opportunity to conduct a free-form
discussion with potential users or developers. The participants were allowed to interact with the
system before giving their insights into the usability of the interface of the prototype. This makes
it easier for the developer to draw conclusions about the usability and functionality of the
prototype. This focus group was conducted after a functional prototype was available.
The participants were then given questionnaires where they could give recommendations and
opinions on the prototype.
4.7 Screenshots of the system
Figure 4.7: Home page screenshot
Figure 4.7 above shows a screenshot of the homepage of the e-commerce system.
Figure 4.8: Screenshot of passphrase
Figure 4.8 shows the dialogue box that appears prompting the user to enter the passphrase before
registering in the e-commerce site.
Figure 4.9: Screenshot of passphrase
The system prompts the user to enter passphrase in order to register or checkout.
Figure 4.10: Registration page
Once the passphrase has been correctly entered, the user can register and check out items in the
shopping cart.
Buying a shoe
Figure 4.11: Catalogue page
Figure 4.11 shows the catalogue page where a shopper chooses his/her desired item. There
is provision to choose the shoe size, colour and type. The shopper can also choose how many
pairs he/she wants.
CHAPTER FIVE
5.0 RESULTS AND FINDINGS
5.1 Introduction
This chapter presents a summary of the research process, starting with the problem statement,
purpose, objectives, literature review, methodology and interpretation. The focus of this chapter is
the presentation of feedback from the participants of the focus group discussions. There is also a
summary of the findings for each objective.
5.2 Profile of the Focus Group Participants
The selection criterion for the focus group participants was at least 2 years of experience
in the information security field. 29% of the participants had specialized in Software Engineering
but with a background in IT Security, 18% had a background in Management Information Systems
and 53% had a background in IT Security. It was impressive to find that all the participants
had completed an IT Security certification course: 14% had done the Certified Ethical Hacking (CEH)
certification, 82% had done Certified Information Systems Security Professional (CISSP) and the
other 4% had done Certified Information Security Manager (CISM). This gave the researcher
confidence that the participants had the technical know-how.
Convenience sampling was used due to time and cost constraints. Instead of taking random
samples, the 7 IT security experts chosen for the focus group discussions were those readily available.
Convenience sampling also helps one gather useful data and information that would not have been
possible using probability sampling techniques, which would require more formal access to people.
Demographic details of the focus group participants were analyzed and are presented in the table below:
Table 5.1: Profile of Focus Group Participants

Variable                           Percentage
Gender
  Male                             57%
  Female                           43%
Age
  26-30                            43%
  31-35                            28%
  36 and above                     29%
Education
  Certificate                      0
  Diploma                          0
  Bachelor's Degree                43%
  Master's Degree                  43%
  PhD                              14%
Speciality in IT
  Software Engineering             29%
  Information Security             43%
  Telecommunications               0
  Management Information Systems   18%
Security Certifications
  Certified Ethical Hacking        14%
  CISSP                            72%
  CISM                             14%
5.3 Feedback from security experts
The experts who were engaged in the focus group discussions were able to review and critique the
prototype. Their feedback would be used to enhance the functionality and security of the proposed
system.
Table 5.2: Feedback from Experts

Theme: System usability
Illustration of theme: How easy was it to navigate through the system; was it easy to fix the errors that the error messages reported?
Feedback summary: The team of experts found it easy to get to most sections of the system. They also mentioned that a normal user would easily understand how the passphrase is used. The participants also thought that the graphics could be improved.
Comment: This part of the system was found to be satisfactory. The researcher took note of the comment on graphics and would work on the graphics of the system.

Theme: System design/appearance
Illustration of theme: Was the organization of information on the system clear?
Feedback summary: The system was designed in a simple way and the user interface was appealing to online buyers. The images on the home page should be resized.
Comment: The researcher resized the images on the home page so that one did not have to scroll when viewing it.

Theme: System security
Illustration of theme: Is the system secure enough to prevent an unauthorized person from accessing the registration forms without getting the passphrase? Does it follow the standard passphrase policies?
Feedback summary: They appreciated the concept of passphrases being integrated into the system and that it was not possible to check out without entering the correct passphrase. They identified a loophole in users creating plain text passphrases.
Comment: No user could check out an item without having the correct passphrase. The researcher was able to incorporate the changes and encrypt the passphrases.

Theme: General comments/feedback
Illustration of theme: Any recommendation or weakness?
Feedback summary: The participants recommended the implementation of passphrases as a security measure. They also pointed out a weakness of the system: there was no algorithm for system-generated passphrases. They also gave recommendations such as using grammatically correct passphrases in different languages and comparing their strength when both are subjected to cracking tools.
Comment: The researcher appreciated this feedback but could not add the algorithm for system-generated passphrases. The researcher took note of the language suggestion but could not accommodate testing the strength of passphrases in different languages in this study due to time constraints.
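The "plain text passphrase" loophole in the security row above is the one storage mistake a reviewer will always flag. The thesis reports that it was closed by encrypting the passphrases; the example below (added here for illustration, not code from the thesis prototype) shows the standard alternative a practitioner would reach for: store a random salt and a slow, salted one-way hash, so that neither a leaked database nor the site operator can recover the passphrase. It uses only the Python standard library (PBKDF2-HMAC-SHA256); the iteration count, record format and user-table shape are assumptions chosen for this example.

```python
"""Closing the plain text passphrase loophole: store a salted one-way hash.

Added illustration, not the thesis prototype's code. The iteration count,
record format and the constructed user records are assumptions.
"""
import base64
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000   # assumption: tune so one verification costs ~100 ms on the server
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _prepare(passphrase: str) -> bytes:
    # NFKC normalisation so the same passphrase typed with a precomposed or a
    # combining accent verifies identically; the whole passphrase is hashed,
    # so long passphrases are never silently truncated.
    return unicodedata.normalize("NFKC", passphrase).encode("utf-8")


def make_record(passphrase: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$hash (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(passphrase), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify(passphrase: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: never authenticate on garbage
    actual = hashlib.pbkdf2_hmac("sha256", _prepare(passphrase), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Constructed user records showing the two storage styles side by side.
def plaintext_user_record(passphrase: str) -> dict:
    """The loophole: anyone who can read the table can read the passphrase."""
    return {"user": "shopper1", "passphrase": passphrase}


def hashed_user_record(passphrase: str) -> dict:
    """The fix: the table reveals only a salt and a one-way hash."""
    return {"user": "shopper1", "verifier": make_record(passphrase)}


if __name__ == "__main__":
    record = hashed_user_record("correct horse battery staple")["verifier"]
    print(record)
    print(verify("correct horse battery staple", record))   # True
    print(verify("wrong passphrase", record))                # False
```

Because the record carries its own algorithm name and iteration count, the server can raise the work factor later and re-hash each user at their next successful login without a migration; the constant-time comparison in `verify` avoids leaking how many bytes of the hash matched.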
5.4 Challenges of password based authentication mechanisms
Some of the focus group questions related to research objective one were:
1. What are the impacts of one system password being compromised in an organization?
2. What is the main cause for lack of assured security in passwords?
3. What can be done to mitigate some of these challenges?
On objective one, on the challenges of password based authentication mechanisms, the participants
agreed that passwords are the most common authentication mechanism. However, they
all agreed that the compromise of one password can cause an organization to lose millions of
shillings in a day. It was reported that 43% of the participants had been victims of an over-the-shoulder
attack in their workplace. This compromised the integrity of the systems whose password was
stolen by the unauthorized party. Another participant reported that the lack of strong password policies
in most e-commerce sites is the main cause of the lack of security. The user can attempt to log in as
many times as they like without being locked out of the system. Users also choose easy passwords
and, more often than not, these are things they can relate to, such as a pet's name, children's names,
a spouse's name, a maiden name and many other common names that an attacker can easily obtain, even from
their user profiles. The participants also felt that it was important for users to be made aware of
the importance of using strong passwords, and that website owners should invest in secure systems and
technologies that protect users from attacks. Much security focus has been on composition and
length, but these foremost protect against offline attacks, which are comparatively rare. Social
engineering and insider attacks must also be considered.
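The participants' point that a user "can attempt to log in as many times as possible without being locked out" is an online-guessing weakness that composition rules do nothing about. The following example (added for illustration; it is not the thesis prototype's code) shows the usual mitigation: count failed attempts per account in a sliding window and refuse further attempts for a while once a threshold is reached. The thresholds and the in-memory store are assumptions for this example, and the passphrase check itself is assumed to happen elsewhere.

```python
"""Per-account login throttling for the "unlimited attempts" weakness.

Added illustration, not the thesis prototype's code. Thresholds and the
in-memory store are assumptions chosen for this example.
"""
import time
from collections import deque

MAX_FAILURES = 5            # assumption: failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # assumption: sliding window over which failures count
LOCKOUT_SECONDS = 30 * 60   # assumption: how long an account stays locked


class LoginThrottle:
    """Counts failed attempts per account and enforces a temporary lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.failures = {}          # account -> deque of failure timestamps
        self.locked_until = {}      # account -> time at which the lock expires

    def _recent_failures(self, account, now):
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()             # forget failures older than the window
        return q

    def is_locked(self, account):
        now = self.clock()
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear the state so the user starts clean.
        del self.locked_until[account]
        self.failures.pop(account, None)
        return False

    def record_failure(self, account):
        """Register a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, passphrase_ok):
    """Combine the credential check result with the throttle.

    passphrase_ok is the outcome of the real passphrase verification, which is
    assumed to happen elsewhere; this function only decides what the user sees.
    """
    if throttle.is_locked(account):
        return "locked"     # same answer whether or not the passphrase was right
    if passphrase_ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "denied"


def demo():
    """Five wrong guesses lock the account; the right passphrase works only after the lock expires."""
    now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    outcomes = [attempt_login(throttle, "shopper1", False) for _ in range(MAX_FAILURES)]
    outcomes.append(attempt_login(throttle, "shopper1", True))   # correct, but locked
    now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(throttle, "shopper1", True))   # lock expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A lock keyed on the account alone can be turned against a legitimate shopper by anyone who knows the account name, so in practice this is paired with per-source rate limiting and a way for the user to clear the lock through a verified channel; the lockout events are also worth logging, since a burst of them across many accounts is the signature of a guessing campaign.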
5.5 Determining how passphrases can be used to address password based
authentication challenges
Some of the focus group questions related to research objective two were:
1. What do you understand by the term passphrases?
2. Is it easy to remember a passphrase or a password based on your experience?
3. How best can the researcher implement passphrases in e-commerce website?
On objective two, the findings of the study clearly indicated that passphrases are less vulnerable
to security attacks and are more memorable than passwords. They are therefore recommended as
a better authentication mechanism in e-commerce as well as other websites. One participant felt
that biometrics should be used in addition to passphrases on websites other than e-commerce sites.
The team also agreed from their own personal experience that users of self-generated passphrases
will experience fewer login failures due to memory errors than users of system-generated
random passwords. The passphrases created were memorable since they were phrases that the users
could easily remember while still maintaining security. They suggested that the next phase of the system
would be testing the use of passphrases in different languages to see whether their strength would
differ.
5.6 Implementing a passphrase system that will be integrated in e-commerce
Some of the focus group questions related to research objective three were:
1. Was the system easy to navigate through?
2. Did the system give you error messages that clearly explained how to fix mistakes?
3. Would you consider integrating this module into an e-commerce website?
4. Would the design and appearance of the website be appealing to the user?
5. Was the organization of information on the system screens clear?
6. Were you able to get to the registration page without entering the correct passphrase?
7. Is there any other security loophole that can be addressed in the system?
8. Would you recommend the use of passphrases to an e-commerce website owner?
On objective three, a prototype was developed with the aim of enhancing security in e-commerce
transactions. This module involved the integration of passphrases into e-commerce websites during
checkout. This would mitigate the challenges faced when using password based authentication.
The researcher found that the use of passphrases would be less vulnerable to dictionary and brute force
attacks. It would take thousands of years to crack the passphrases.
The participants felt that users should try out the system before it is commercialized or
integrated into functioning e-commerce websites. This would give the researcher a feel for how
users perceive the use of passphrases and how easy it is for them to remember the same
passphrase after some time. They also recommended the use of a well thought out passphrase policy
that would guide users as they create their own passphrases. There was a suggestion to have
a hyperlink where users can click to get more information on passphrases.
The general findings of the study were that passphrases are a stronger authentication
mechanism than passwords. They would be a great addition to the techniques already used
to secure e-commerce websites. The participants felt that more websites with sensitive information
should integrate the use of passphrases and that more research should be conducted on the use of
passphrases and best practices.
CHAPTER SIX
6.0 DISCUSSIONS, CONCLUSIONS AND RECOMMENDATIONS
6.1 INTRODUCTION
This chapter presents a summary of the research process starting with the problem statement,
purpose, objectives, literature review, methodology and data analysis. In addition, this chapter
contains conclusions and recommendations.
6.2 SUMMARY
The principal purpose of this study was to create a secure authentication mechanism that would be
integrated in e-commerce websites. To accomplish this objective, it became necessary to identify
the challenges experienced when using password based authentication mechanisms. A prototype
was developed with the aim of enhancing security in e-commerce transactions. This module
involved the integration of passphrases into e-commerce websites. This would mitigate the challenges
faced when using password based authentication.
Data was collected through focus group discussions (FGDs). Participants of the FGD who had
expertise in Information Technology (IT) Security were asked questions, and they gave feedback
that would be useful in improving the prototype developed. The study took into consideration the
seven steps of design science and how they are applied in the study. FGDs permit a flexibility of data
collection that is not usually achieved when applying one data collection instrument individually.
There is also spontaneity of interaction among the participants. The data collected addressed the
research problems posed in the first chapter of this thesis. The tools were designed to meet the
objectives of the study, which were:
I. To identify the challenges experienced when using password based authentication
mechanisms.
II. To determine how passphrases can be used to address password based authentication
challenges through implementation of passphrase policies.
III. To implement a passphrase system that will be integrated in e-commerce websites.
The researcher reviewed literature on key trends in e-commerce, password based authentication
mechanisms and their security concerns, existing passphrase based authentication mechanisms and
how they are created. She went on to look at literature on attempts to crack passphrases
and the advantages of passphrases over passwords. Most literature reviewed indicated that
passphrases are more secure and memorable. The role of passphrases in e-commerce was also
discussed. The importance of the passphrase was that its longevity made it even safer, and normally
it had to be something very memorable to the user; it could be a mixture of certain important
dates and a birthday. This eliminates any form of social engineering that may come into play to
gain unauthorized access, hence ensuring security. These thematic concerns have been discussed by
Anderson and Saeden (2013) and Kini et al. (2013).
The target population was 7 IT Security Experts out of a total population of 20. These were people
with experience and expertise whose inputs would contribute towards enhancing the proposed
system. Convenience sampling was done due to time and cost constraints. The main data collection
method was Focus Group Discussions; participants were given access to the prototype
developed by the researcher and thereafter gave feedback for system credibility. The participants
signed consent forms before participating; the consent forms articulated the objectives of
the study and also informed them that whatever they said at the forum would be confidential. The
Focus Group Discussion also aimed at establishing the challenges in password based authentication
techniques and verifying that passphrases would be a better alternative for secure e-commerce
transactions. Data was analyzed using thematic analysis; analysis of the focus group data involved reading
the transcripts, coding the distinctive themes, then developing the codes to present the identified
themes. A systematic procedure was followed during data analysis to ensure the results were as
error-free as possible.
The proposed system will be a module integrated into an e-commerce website. Users are prompted
to enter a passphrase when checking out. The passphrase is user-selected and follows certain
passphrase guidelines that have been set. Once users have entered the correct passphrase, they
are able to check out the items in their shopping cart.
For demonstration purposes, the researcher used the example of an online shoe shop. Apart from
the new module being brought on board, other functionality is the same as in a regular online shop.
The shoes on sale have the prices and the sizes available. A user can buy immediately and give his
shipping address. If they are not ready to buy, they can put the item in the shopping cart and check it
out when they are ready. Afterwards, they indicate their preferred mode of payment.
6.3 DISCUSSIONS
Internet fraud is increasing at a rapid rate both locally and globally. Although the introduction of
digital and internet technologies has transformed businesses and provided tools for daily
communication, it has also provided opportunities for cyber-crime and online fraud. A
comparison of internet fraud in Kenya and developed countries such as the USA and the UK
shows critical differences in terms of scope. For instance, the amount of financial losses associated
with internet fraud in Kenya is low at only $9.4 million (Kanyaru & Kyalo, 2015). However, cases
of online fraud are expected to rise in Kenya due to the growing adoption of e-commerce services.
Therefore, critical success factors have to be considered to reduce online fraud in Kenya. First,
online businesses need to adopt new security measures, since the traditional methods of
authentication through passwords and usernames are not enough (Kanyaru & Kyalo, 2015).
According to the Kenya Cyber Security Report (2014), cyber insecurity is the growing concern
about the rise of cyber threats and the ability to mitigate risks in cyberspace. This occurs when
system vulnerabilities are exposed, including weaknesses in both hardware and software and in the
individuals with access to them. It takes the forms of cyber warfare, espionage, crime, attacks on
cyber infrastructure, and exploitation of computer systems. Everyone is exposed to these if proper
mechanisms and procedures are not in place to protect them. The consequences of cyber insecurity
include loss of sensitive information, violation of privacy, lack of access to online services and
loss of revenue.
The report further discussed the top cyber threats in 2013. The fast-growing digital operating
ecosystem in Kenya is characterized by increasingly sophisticated insiders and outsiders launching
more frequent and targeted attacks. The attackers use clever means to penetrate inherent
weaknesses in information security systems, rendering standard methods of detection and incident
response obsolete (Kigen, Kisutsa, & Muchai, 2014).
The use of more advanced techniques, such as random knowledge based authentication where users
answer random security questions to confirm their identity, is also ideal. Online businesses also
need to put controls in place to prevent online fraud by employees exploiting vulnerabilities in the
e-commerce platform. Insider misuse is a common attack in many organizations. Fraud committed by
employees can be detected through internal security audits. Consumers should also be made aware
of security when carrying out online transactions. They should be educated on suspicious activities
during online transactions to ensure that they are well informed to prevent unauthorized access to
credit card information or accounts (Kanyaru & Kyalo, 2015).
6.4 CONCLUSION
The results demonstrate that passphrases can be used in place of passwords in information systems.
It is also important to note that passphrases can protect against technical attacks, but not against
social engineering. Therefore, it is essential that there is emphasis on user awareness, attitude and
education. There are various ways of improving security and usability; however, improving one
may affect the other negatively. Strict security policies may also make the system
user-unfriendly. All systems have different security requirements; thus, policy makers should find a
balance by considering both security and usability.
6.5 RECOMMENDATIONS
The researcher therefore advances the following recommendations:
1. Passphrases should be designed to be user-selected, since they have better usability than
system-generated passwords.
2. Users should exercise extreme caution when writing down or storing passphrases.
3. It is critical for an organization to have a security policy that makes users aware
of its rules and enforces its usage.
4. The passphrase policy should contain composition rules and recommendations, such as
minimum length, character variation and avoidance of dictionary and pop culture words.
5. More research should be carried out on passphrase usage in e-commerce.
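The composition rules recommended above (minimum length, character variation, avoidance of dictionary and pop culture words) only help if the site enforces them at registration and checkout. The following checker is an added example of how such a passphrase policy can be expressed in code; it is not the thesis prototype's code. It also rejects passphrases that contain the personal details (pet, child or spouse names) the participants said users fall back on. The thresholds, the small constructed blocklist and the message texts are assumptions; a real deployment would load a much larger list of common passwords and well-known phrases.

```python
"""Passphrase policy checker: length, word count, character variation,
well-known phrases and personal details.

Added illustration, not the thesis prototype's code. Thresholds, blocklist
entries and message texts are assumptions for this example.
"""
import re

MIN_LENGTH = 16     # assumption: minimum characters
MIN_WORDS = 4       # assumption: a passphrase is several words, not one dictionary word
MIN_CLASSES = 2     # assumption: at least two of lower case, upper case, digits, symbols

# Constructed sample blocklist of common passwords and pop-culture phrases,
# stored in the same "squashed" form the checker applies to user input.
BLOCKLIST = {
    "password", "letmein", "qwerty", "iloveyou",
    "maytheforcebewithyou", "winteriscoming", "tobeornottobe",
}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9\s]")


def _squash(text):
    """Lower-case and keep only letters and digits, so that
    'May the Force be with you!' and 'maytheforcebewithyou' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(passphrase, personal_details=()):
    """Return the list of policy violations; an empty list means the passphrase is accepted.

    personal_details are strings from the user's profile (names of pets,
    children, spouse, maiden name) that must not appear in the passphrase.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    words = re.findall(r"[A-Za-z']+", passphrase)
    if len(words) < MIN_WORDS:
        problems.append("fewer than %d words" % MIN_WORDS)
    classes = sum(bool(re.search(p, passphrase)) for p in CHARACTER_CLASSES)
    if classes < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    squashed = _squash(passphrase)
    if squashed in BLOCKLIST:
        problems.append("matches a well-known phrase or password")
    for detail in personal_details:
        d = _squash(detail)
        if d and d in squashed:
            problems.append("contains personal detail %r" % detail)
    if re.search(r"(.)\1{3,}", passphrase):
        problems.append("contains a run of four or more identical characters")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "May the Force be with you!",
                      "correct horse battery staple 42!"):
        print("%-35s -> %s" % (candidate, check_passphrase(candidate) or "accepted"))
```

The messages are returned as a list rather than a single yes/no so the registration page can tell the user exactly which rule failed, which is what the focus group asked for under "error messages that clearly explain how to fix mistakes".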
REFERENCES
Anderson, W., & Singer, A. (2013). Re-thinking Password Policies. Wisconsin, USA: Linux Journal.
Andersson, D., & Saeden, D. (2013). Authentication with Passwords and Passphrases. Lunds Universitet.
Anton, A., & Earp, J. (2010). Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems. CCS2000 (pp. 1-12). North Carolina.
Ben-Shabat, H., Moriarty, M., & Yuen, C. (2015). The 2012 Global Retail Ecommerce Index. New York: A.T. Kearney.
Bethlahmy, J., & Schottmiller, P. (2011). Advanced Multichannel Expectations in Highly Developed Markets. California: CISCO.
Bonk, C. (2014). A System and Study of Memorable and Secure Passphrases. (Master's Thesis, University of Ontario Institute of Technology). Retrieved from https://ir.library.dc-uoit.ca/handle/10155/480.
Bonneau, J., & Shutova, E. (2014). Linguistic properties of multi-word passphrases. London: University of Cambridge.
Buckinghamshire New University. (2015). User Authentication and Passphrase Policy. London: Bucks New University.
Carnut, M., & Hora, E. (2011). Improving the Diceware memorable passphrase generation system.
Cazier, J., & Dawn, M. (2011). How Secure is your Password? An Analysis of E-Commerce Passwords and their Crack Times. North Carolina: Appalachian State University.
CDC. (2008). Data Collection Methods for Program Evaluation: Focus Groups.
Chakrabarti, S., & Singhal, M. (2007). Password based Authentication: Preventing Dictionary Attacks. Kentucky: IEEE Computer Society.
Cheok, L., Huiskamp, W., & Malinowski, A. (2012). E-Commerce Trends and Payment Challenges for Online Merchants: Beyond Payment. USA: Modus Link.
Chiasson, S., & Van Oorschot, P. (2005). A Usability Study and Critique of Two Password Managers. Canada: Carleton University.
Coughlan, P., Fulton, J., & Canales, K. (2007). Prototypes as (Design) Tools for Behavioral and Organizational Change. A Design-Based Approach to Help Organizations Change Work Behaviours, 43, 1-13.
Craig, A., & Crouse, L. (2006). A Culture of Mobility. Johannesburg: Vodacom.
Criteo. (2015). eCommerce Industry Outlook 2015. Chicago: Criteo.
Curry, S. (2003). An Inside Look at E-commerce Fraud. New York: Fraudchick.
EAC. (2014). EAC Trade Report. Arusha, Tanzania: EAC Secretariat.
Esselaar, P., & Miller, J. (2010). Towards Electronic Commerce in Africa: A Perspective from Three Country Studies. Journal of Information and Communication.
(2014). Evolution or Revolution in the Fast Moving Consumer Goods World. New York: Nielsen.
Federal Communications Authority. (2015). Cyber Security Planning Guide. USA.
Freitas, H., & M, O. (2000). The Focus Group, a Qualitative Research Method. Maryland: University of Baltimore.
G, K., B, J., & A, R. (2013). Effect of grammar on security of long passwords. In Proc. 3rd ACM Conference.
Gale, F. S. (2013). Setting the Course. Washington DC: PM Network.
Gikandi, J. W., & Bloor, C. (2010). Adoption and effectiveness of electronic banking in Kenya. 277-282.
Halaweh, M., & Fidler, C. (2008). Security Perception in E-commerce: Conflict between Customer and. Proceedings of the International Multiconference on Computer Science and Information Technology, 443-449.
Hevner, R. A. (2007). A Three Cycle View of Design Science Research. Scandinavian Journal of Information Systems, 19(2).
Inria, N., & Caramel, E. (2013). Crack Me I'm Famous: cracking weak passphrases using publicly-available sources. University of Calgary.
Jimenez, S. (2012). A Digital Savannah: Africa's ecommerce promise. Johannesburg: Amadeus.
Kanyaru, P., & Kyalo, J. (2015). Factors Affecting the Online Transactions in the Developing Countries: A Case of E-Commerce Businesses in Nairobi County, Kenya. Journal of Educational Policy and Entrepreneurial Research (JEPER), 2, 1-7.
Keith, M., Shao, B., & Steinbart, J. P. (2007). The usability of passphrases for authentication: an empirical field study. International Journal of Human-Computer Studies, 17-28.
Kigen, P., Kisutsa, C., & Muchai, C. (2014). Kenya Cyber Security. Nairobi.
Kinuthia, J., & Akinnusi, J. (2014). The magnitude of barriers facing e-commerce. Journal of Internet and Information, 4, 12-27.
Kinyanjui, M., & McCormick, D. (2002). Ecommerce in the garment industry in Kenya. E-commerce for developing countries: Building an evidence base.
Kitonyi, S. (2012). An Exploratory Study on Kenyan Consumer Ordering Habits. Nairobi: iHUB Research.
Kothari, C. R. (2004). Research Methodology: Methods and Techniques. New Delhi: New Age International Limited Publishers.
Kumar, A., & Bilandi, N. (2014). A Graphical Password Based Authentication System for Mobile Devices. International Journal of Computer Science and Mobile Computing, 2, 744-754.
Medlin, D., & Cazier, J. (2006). Password Security Issues in an Ecommerce Website. USA: Appalachian State University.
Merchant, R. (2014). The Illusion of Personal Data Security in E-Commerce: Dashlane Q1 2014 Personal Data Security Roundup. New York: Dashlane.
Nielsen, G., & Vedel, M. (2009). Improving usability of passphrase authentication. PhD Thesis.
Niranjanamurthy, M., & Dharmendra, C. (2013). The study of E-Commerce Security Issues and Solutions. International Journal of Advanced Research in Computer and Communication Engineering, 2(7), 2319-5940.
Payne, B., & Edwards, K. (2008). A Brief Introduction to Usable Security. Georgia: Georgia Institute of Technology.
Peffers, K., Tuunanen, T., & Rothenberger, M. (2007). A Design Science Research Methodology for Information Systems Research. 24, 45-78.
Ping, Z., & Scialdone, M. (2011). IT Artifacts and the State of IS Research. International Conference on Information Systems 2011, 1-14.
Quinn, T. F., Biondi, J.-E., & Penmetcha, A. (2014). Generating global growth through eCommerce expansion. New York: Deloitte.
Sandhana, P. (2005). e-Commerce security: A life cycle approach. 30, 119-140.
Saranga, K., & Kelley, P. (2011). Of Passwords and People: Measuring the Effect of Password-Composition Policies. Pittsburgh: Carnegie Mellon University.
Saranga, K., & Kelley, P. (2011). Of Passwords and People: Measuring the Effect of Password-Composition Policies. 9.
Schneider, P. (2011). Electronic Commerce (Vol. 9). Boston: Course Technology, CENGAGE Learning.
Seth, G., & Podar, C. (2013). The study of E-Commerce Security Issues and. International Journal of Advanced Research in Computer and Communication Engineering, 2, 2885-2895.
Sinan, N., & Ayse, S. (2011). Ethical Issues in E-Commerce on the Basis of Online Retailing. Journal of Social Sciences, 7, 1549-3652.
Sinan, N., & Sahin, A. (2010). Ethical Issues in E-Commerce on the Basis of Online Retailing. Journal of Social Sciences, 190-198.
Singh, H. (2014). Review of e-Commerce Security Challenges. International Journal of Innovative Research in Computer and Communication Engineering, 2(2), 2850-2858.
Sparell, P., & Simovits, M. (2015). Linguistic Cracking of Passphrases using Markov Chains. Stockholm.
Thawte. (2012). Securing your Apache Web Server with a Thawte Digital Certificate. Cape Town: Thawte.
UNCTAD. (2015). Cyberlaws and regulations for enhancing e-commerce. Geneva: UNCTAD secretariat.
UNCTAD. (2016). UNCTAD B2C E-commerce Index 2016. Geneva: UNCTAD.
Vantiv. (2016). E-commerce Trends to Watch in 2016. Arizona: Vantiv.
Wang, D., & Ma, C.-g. (n.d.). On the Security of an Improved Password Authentication Scheme Based on ECC.
White, A., & Shaw, C. (2014). Security, Linguistic and Usability: Challenges of Pronounceable Tokens. North Carolina: University of North Carolina.
APPENDIX A: CONSENT FORM
Information Leaflet for Focus Group Participants
Title of Study: Integrating passphrases as an authentication mechanism in e-commerce.
Sandra Yucabett Odera
United States International University-Africa.
This informed consent has two parts:
Information form (to share information about the study with you).
Informed consent (for signature if you choose to enrol in the study).
You will be given a copy of the complete informed consent form.
Part I: Information form
Introduction
Hello! My name is Sandra Yucabett Odera. I am a student at United States International
University-Africa. I am conducting a study to try and find out the challenges of using passwords
and how passphrases will mitigate these challenges. I am going to tell you about the study and
invite you to participate. Before you make up your mind to participate or not, you can talk to
anyone you feel comfortable with about this study.
You are being invited to participate in a research study. Thank you for taking the time to read this
information leaflet.
RESEARCH TEAM: This research project is being led by Sandra Yucabett Odera. My contact
details are included at the end of this document.
WHAT ARE THE OBJECTIVES OF THIS STUDY? The purpose of the study is:
I. To identify the challenges experienced when using password based authentication
mechanisms.
II. To determine how passphrases can be used to address password based authentication
challenges through implementation of passphrase policies.
III. To implement a passphrase system that will be integrated in e-commerce websites.
PARTICIPATION SELECTION: You have been approached to participate in this research as
you are an expert in the IT security profession.
VOLUNTARY PARTICIPATION: Your participation in this focus group is entirely voluntary.
This interview/focus group will be audio-recorded to facilitate analysis. You will not be asked
about specific people and we ask that you do not name any individual or provide any details on
third parties that may be identifiable.
CONFIDENTIALITY: I will be responsible for overseeing the transcription and the anonymity
of the interview/focus group. All information collected in this session will be stored securely on
password-protected computers.
PROCEDURES: We will sit in a comfortable private place and I will ask you some questions.
After we begin, if you do not want to answer any of the questions, just say so and I will move on
to the next question. Even after giving your consent, you can stop the interview at any time. No
one else will be present unless you want them to be present. I will be taking notes during the
interview and if at any point you have any question about the study, I will be glad to answer it.
RISKS: We are asking you to share some personal information, and you may feel uncomfortable
talking about some of this information. You do not have to answer any question or take part in
the interview if you don't wish to. You also do not have to give any explanation for not answering
any question.
BENEFITS: There is no direct benefit in your participation. The information we get from you and
others may benefit other people in future.
REIMBURSEMENT: There are no monetary benefits; however, if you agree to participate, you will
get a gift of appreciation.
RIGHT TO WITHDRAW: You can decide to withdraw from the study at any point without any
consequence. You can contact the researcher to request this.
HOW WILL MY INFORMATION BE USED? Your views will be combined with those of others
and used to develop an understanding of the existing problems in password-based authentication
mechanisms; your feedback on the functionality of the prototype will also be useful to enhance
the system.
FURTHER INFORMATION & CONTACT DETAILS: If you wish to ask questions later, you
may contact: Sandra Yucabett Odera, United States International University-Africa, P.O. Box
66119-00800, Nairobi, Kenya; telephone number: +254 726974374; email:
NEXT STEPS: If you are willing to take part in the study we would ask you to please return the
attached consent form to the researcher (a scanned copy can be sent to the email address:
PARTICIPANT CONSENT FORM
By signing and returning this consent form you are indicating your agreement with the following
statements:
I have read and understood the attached Participant Information Leaflet for this study.
I have had the opportunity to ask questions and discuss the study. (Note you can contact
..................).
I have received satisfactory answers to all my questions, where I have had a query.
I have received enough information about this study.
I understand that the interview/focus group will be audio recorded
I understand I am free to withdraw from the study at any time until the transcripts are
anonymized.
I understand anonymized data will be archived for future research
I agree to take part in the study.
Signature of Participant________________________
Date :__________________( dd/mmm/yyyy)
If participant cannot read and write
I have witnessed the accurate reading of the consent form to the potential participant, and the
individual has had the opportunity to ask questions. I confirm that the individual has given consent
freely.
Signature of Witness____________________________
Date :______________________( dd/mmm/yyyy)
69
Thumb print of the participant:
Statement from person administering consent
I have accurately read out the information sheet to the potential participant, and to the best of my
ability made sure that the participant understands that the following will be done:
1. An interview will be done with the participant
2. Data collected will be kept confidential and used only for research purposes
I confirm that the participant was given an opportunity to ask questions about the study, and all
questions asked by the participants have been answered correctly and to the best of my ability. I
confirm that the individual has not been coerced into giving consent, and the consent has been
given freely and voluntarily.
A copy of this Informed consent form has been provided to the participant.
Printed Name person administering consent: __________________________
Signature person administering consent: ___________________________
Date: ________________ (dd/mm/yyyy)
APPENDIX B: QUESTIONNAIRE
Part A: DEMOGRAPHIC DETAILS
Kindly provide the information requested by ticking or filling in on the
spaces provided.
a) Age.
16-20 yrs [ ] 21-25 yrs [ ] 26-30 yrs [ ] 31-35 yrs [ ] 36 yrs and above [ ]
b) Gender
Male Female
c) Educational Qualification
High School
Certificate
Diploma
Undergraduate
Bachelor’s Degree
Masters
d) Please indicate your speciality in IT:
Software and Engineering
IT Security and Cyber Crime
Networking
Telecommunication
Any other ____________________________
e) Please indicate the security certification course you have taken
Certified Ethical Hacking
Certified Information Systems Security Professional
Networking
Certified Information Security Manager
Any other ____________________________
f) Work Experience
0-1 yrs [ ] 1-3 yrs [ ] 3-5 yrs [ ] >5 yrs [ ]
PART B: PAST EXPERIENCE
a) Have you worked in IT Security Department before?
Yes [ ] No [ ]
b) If Yes, for how long? _______________
PART C: FEEDBACK ON THE PROTOTYPE
Based on your opinion, after interacting with the prototype, please indicate the most appropriate
response on the sections below:
Your feedback will help enhance the prototype and make it more credible and user friendly.
SYSTEM USABILITY
1. Was the system easy to navigate through?
_______________________________________________________________________
2. Did the system give you error messages that clearly told you how to fix these mistakes?
________________________________________________________________________
3. Did the system have functions and capabilities you expected it to have?
__________________________________________________________________________
4. Would you consider integrating this module to an e-commerce website?
DESIGN
1. Would the design and appearance of the website be appealing to the user?
________________________________________________________________________
2. Was the organization of information on the system screens clear?
_____________________________________________________________________________
SECURITY
1. Were you able to get to the registration page without entering the correct passphrase?
______________________________________________________________________
2. Can a normal viewer have the same view or rights as the administrator in this system?
______________________________________________________________________
3. Any other security loophole that can be addressed in the system?
_____________________________________________________________________
RECOMMENDATIONS
Please state your recommendations and what should be improved on:
a) Usability
_____________________________________________________
_____________________________________________________
______________________________________________________.
______________________________________________________.
b) System appearance
______________________________________________________
______________________________________________________
_______________________________________________________
c) User friendliness of the system
_________________________________________________________________
___________________________________________________________________.
____________________________________________________________________.
d) Another comment/feedback:
_________________________________________________________________
_________________________________________________________________.
THANK YOU!
APPENDIX C: SOURCE CODE
<?php
defined('_JEXEC') or die('Restricted access');
JHtml::_('behavior.keepalive');
JHtml::_('bootstrap.tooltip');
ob_start(); ?>
<style type="text/css">
</style>
<?php
$mainframe = JFactory::getApplication();
$redirect_url = 'index.php?option=com_users&view=registration';
if (isset($_POST['submitted'])) { // if submit button clicked
	// Reject submissions that do not carry the form token emitted by form.token below
	JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));
	$passphrase = isset($_POST['passphrase']) ? $_POST['passphrase'] : ''; // text from submit box
	$syms = array(" ", "\r\n", "\n\r", "\r", "\n", "\t", chr(13), chr(10)); // carriage returns, tabs & spaces
	$passphrase = str_replace($syms, '', $passphrase); // remove carriage returns & spaces
	$passphrase = trim(strtolower($passphrase)); // lower case, remove surrounding whitespace
	$pass = "&pass=" . urlencode($passphrase); // append passphrase (URL-encoded so characters such as & and # survive)
	ob_end_clean();
	$mainframe->redirect($redirect_url . $pass, '');
}
?>
<form action="" method="post" name="passphrase" id="form-JRpassphrase">
<?php echo $params->def('pre_text'); ?>
<fieldset class="input">
<p>
<input id="modJRPassphrase" type="text" name="passphrase" class="input-<?php echo $params->def('box_width'); ?>" alt="passphrase" size="18" />
</p>
<?php $cnt = $params->def('button_space');
for ($i = 0; $i < $cnt; $i++)
{ echo '<br />'; }
?>
<input type="submit" name="Submit" class="button" value="<?php echo $params->def('button_text'); ?>" />
</fieldset>
<input type="hidden" name="submitted" value="true" />
<input type="hidden" name="return" value="<?php echo $return; ?>" />
<?php echo JHtml::_('form.token'); ?>
<?php echo $params->def('post_text'); ?>
</form>
77
<?php
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
 */
define('JOOMLA_MINIMUM_PHP', '5.3.10');

if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
{
	die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
}

// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem  = memory_get_usage();

/**
 * Constant that is checked in included files to prevent direct access.
 * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
 */
define('_JEXEC', 1);

if (file_exists(__DIR__ . '/defines.php'))
{
	include_once __DIR__ . '/defines.php';
}

if (!defined('_JDEFINES'))
{
	define('JPATH_BASE', __DIR__);
	require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Set profiler start time and memory usage and mark afterLoad in the profiler.
JDEBUG ? $_PROFILER->setStart($startTime, $startMem)->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Execute the application.
$app->execute();
79
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'Sandy Shoe Shop';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = '';
	public $db = 'ell';
	public $dbprefix = 'wo9c4_';
	public $live_site = '';
	public $secret = '4UtE16m9HK23ABpb';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
	public $ftp_host = '';
	public $ftp_port = '';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'smtp';
	public $mailfrom = '[email protected]';
	public $fromname = 'Sandy Shoe Shop';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '1';
	public $smtpuser = '[email protected]';
	public $smtppass = 'Alexandria';
	public $smtphost = 'smtp.gmail.com';
	public $smtpsecure = 'ssl';
	public $smtpport = '465';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = 'abc';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = 'C:\\xampp\\htdocs\\joomla/logs';
	public $tmp_path = 'C:\\xampp\\htdocs\\joomla/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
	public $memcache_persist = '1';
	public $memcache_compress = '0';
	public $memcache_server_host = 'localhost';
	public $memcache_server_port = '11211';
	public $memcached_persist = '1';
	public $memcached_compress = '0';
	public $memcached_server_host = 'localhost';
	public $memcached_server_port = '11211';
	public $redis_persist = '1';
	public $redis_server_host = 'localhost';
	public $redis_server_port = '6379';
	public $redis_server_auth = '';
	public $redis_server_db = '0';
	public $proxy_enable = '0';
	public $proxy_host = '';
	public $proxy_port = '';
	public $proxy_user = '';
	public $proxy_pass = '';
	public $massmailoff = '0';
	public $MetaRights = '';
	public $sitename_pagetitles = '0';
	public $force_ssl = '0';
	public $session_memcache_server_host = 'localhost';
	public $session_memcache_server_port = '11211';
	public $session_memcached_server_host = 'localhost';
	public $session_memcached_server_port = '11211';
	public $frontediting = '1';
	public $cookie_domain = '';
	public $cookie_path = '';
	public $asset_id = '1';
}
83
<?php
/**
* @package Joomla.Site
* @subpackage Templates.protostar
*
* @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
defined('_JEXEC') or die;
$app = JFactory::getApplication();
$doc = JFactory::getDocument();
$user = JFactory::getUser();
$this->language = $doc->language;
$this->direction = $doc->direction;
// Output as HTML5
$doc->setHtml5(true);
// Getting params from template
$params = $app->getTemplate(true)->params;
// Detecting Active Variables
$option = $app->input->getCmd('option', '');
$view = $app->input->getCmd('view', '');
$layout = $app->input->getCmd('layout', '');
$task = $app->input->getCmd('task', '');
$itemid = $app->input->getCmd('Itemid', '');
$sitename = $app->get('sitename');
if($task == "edit" || $layout == "form" )
{
$fullWidth = 1;
}
else
{
$fullWidth = 0;
}
// Add JavaScript Frameworks
JHtml::_('bootstrap.framework');
$doc->addScriptVersion($this->baseurl . '/templates/' . $this->template . '/js/template.js');
// Add Stylesheets
$doc->addStyleSheetVersion($this->baseurl . '/templates/' . $this->template . '/css/template.css');
// Use of Google Font
if ($this->params->get('googleFont'))
{
	$doc->addStyleSheet('//fonts.googleapis.com/css?family=' . $this->params->get('googleFontName'));
	$doc->addStyleDeclaration("
	h1, h2, h3, h4, h5, h6, .site-title {
		font-family: '" . str_replace('+', ' ', $this->params->get('googleFontName')) . "', sans-serif;
	}");
}
// Template color
if ($this->params->get('templateColor'))
{
$doc->addStyleDeclaration("
body.site {
border-top: 3px solid " . $this->params->get('templateColor') . ";
background-color: " . $this->params->get('templateBackgroundColor') . ";
}
a {
color: " . $this->params->get('templateColor') . ";
}
.nav-list > .active > a,
.nav-list > .active > a:hover,
.dropdown-menu li > a:hover,
.dropdown-menu .active > a,
.dropdown-menu .active > a:hover,
.nav-pills > .active > a,
.nav-pills > .active > a:hover,
.btn-primary {
background: " . $this->params->get('templateColor') . ";
}");
}
// Check for a custom CSS file
$userCss = JPATH_SITE . '/templates/' . $this->template . '/css/user.css';
if (file_exists($userCss) && filesize($userCss) > 0)
{
$doc->addStyleSheetVersion('templates/' . $this->template . '/css/user.css');
}
// Load optional RTL Bootstrap CSS
JHtml::_('bootstrap.loadCss', false, $this->direction);
// Adjusting content width
if ($this->countModules('position-7') && $this->countModules('position-8'))
{
$span = "span6";
}
elseif ($this->countModules('position-7') && !$this->countModules('position-8'))
{
$span = "span9";
}
elseif (!$this->countModules('position-7') && $this->countModules('position-8'))
{
$span = "span9";
}
else
{
$span = "span12";
}
// Logo file or site title param
if ($this->params->get('logoFile'))
{
	$logo = '<img src="' . JUri::root() . $this->params->get('logoFile') . '" alt="' . $sitename . '" />';
}
elseif ($this->params->get('sitetitle'))
{
	$logo = '<span class="site-title" title="' . $sitename . '">' . htmlspecialchars($this->params->get('sitetitle'), ENT_COMPAT, 'UTF-8') . '</span>';
}
else
{
	$logo = '<span class="site-title" title="' . $sitename . '">' . $sitename . '</span>';
}
?>
<!DOCTYPE html>
<html lang="<?php echo $this->language; ?>" dir="<?php echo $this->direction; ?>">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<jdoc:include type="head" />
<!--[if lt IE 9]><script src="<?php echo JUri::root(true); ?>/media/jui/js/html5.js"></script><![endif]-->
</head>
<body class="site <?php echo $option
. ' view-' . $view
. ($layout ? ' layout-' . $layout : ' no-layout')
. ($task ? ' task-' . $task : ' no-task')
. ($itemid ? ' itemid-' . $itemid : '')
. ($params->get('fluidContainer') ? ' fluid' : '');
echo ($this->direction == 'rtl' ? ' rtl' : '');
?>">
<!-- Body -->
<div class="body">
<div class="container<?php echo ($params->get('fluidContainer') ? '-fluid' : ''); ?>">
<!-- Header -->
<header class="header" role="banner">
<div class="header-inner clearfix">
<a class="brand pull-left" href="<?php echo $this->baseurl; ?>/">
<?php echo $logo; ?>
<?php if ($this->params->get('sitedescription')) : ?>
<?php echo '<div class="site-description">' . htmlspecialchars($this->params->get('sitedescription'), ENT_COMPAT, 'UTF-8') . '</div>'; ?>
<?php endif; ?>
</a>
<div class="header-search pull-right">
<jdoc:include type="modules" name="position-0" style="none" />
</div>
</div>
</header>
<?php if ($this->countModules('position-1')) : ?>
<nav class="navigation" role="navigation">
<div class="navbar pull-left">
<a class="btn btn-navbar collapsed" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
</div>
<div class="nav-collapse">
<jdoc:include type="modules" name="position-1" style="none" />
</div>
</nav>
<?php endif; ?>
<jdoc:include type="modules" name="banner" style="xhtml" />
<div class="row-fluid">
<?php if ($this->countModules('position-8')) : ?>
<!-- Begin Sidebar -->
<div id="sidebar" class="span3">
<div class="sidebar-nav">
<jdoc:include type="modules" name="position-8" style="xhtml" />
</div>
</div>
<!-- End Sidebar -->
<?php endif; ?>
<main id="content" role="main" class="<?php echo $span; ?>">
<!-- Begin Content -->
<jdoc:include type="modules" name="position-3" style="xhtml" />
<jdoc:include type="message" />
<jdoc:include type="component" />
<jdoc:include type="modules" name="position-2" style="none" />
<!-- End Content -->
</main>
<?php if ($this->countModules('position-7')) : ?>
<div id="aside" class="span3">
<!-- Begin Right Sidebar -->
<jdoc:include type="modules" name="position-7" style="well" />
<!-- End Right Sidebar -->
</div>
<?php endif; ?>
</div>
</div>
</div>
<!-- Footer -->
<footer class="footer" role="contentinfo">
<div class="container<?php echo ($params->get('fluidContainer') ? '-fluid' : ''); ?>">
<hr />
<jdoc:include type="modules" name="footer" style="none" />
<p class="pull-right">
<a href="#top" id="back-top">
<?php echo JText::_('TPL_PROTOSTAR_BACKTOTOP'); ?>
</a>
</p>
<p>
© <?php echo date('Y'); ?> <?php echo $sitename; ?>
</p>
</div>
</footer>
<jdoc:include type="modules" name="debug" style="none" />
</body>
</html>
<?php
/**
* @package HikaShop for Joomla!
* @version 2.6.2
* @author hikashop.com
* @copyright (C) 2010-2016 HIKARI SOFTWARE. All rights reserved.
* @license GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
*/
defined('_JEXEC') or die('Restricted access');
?><?php
class plgHikashopMassaction_address extends JPlugin
{
var $message = '';
function onMassactionTableLoad(&$externalValues){
$obj = new stdClass();
$obj->table ='address';
$obj->value ='address';
$obj->text =JText::_('ADDRESS');
$externalValues[] = $obj;
}
function __construct(&$subject, $config){
parent::__construct($subject, $config);
$this->massaction = hikashop_get('class.massaction');
$this->massaction->datecolumns = array();
$this->address = hikashop_get('class.address');
}
function onProcessAddressMassFilterlimit(&$elements, &$query,$filter,$num){
$query->start = (int)$filter['start'];
$query->value = (int)$filter['value'];
}
function onProcessAddressMassFilterordering(&$elements, &$query,$filter,$num){
if(!empty($filter['value'])){
if(isset($query->ordering['default']))
unset($query->ordering['default']);
$query->ordering[] = $filter['value'];
}
}
function onProcessAddressMassFilterdirection(&$elements, &$query,$filter,$num){
if(empty($query->ordering))
$query->ordering['default'] = 'address_id';
$query->direction = $filter['value'];
}
function onProcessAddressMassFilteraddressColumn(&$elements,&$query,$filter,$num){
	if(empty($filter['type']) || $filter['type']=='all') return;
	if(!isset($this->massaction))$this->massaction = hikashop_get('class.massaction');
	if(count($elements)){
		foreach($elements as $k => $element){
			$in = $this->massaction->checkInElement($element, $filter);
			if(!$in) unset($elements[$k]);
		}
	}else{
		$db = JFactory::getDBO();
		if(!empty($filter['value']) || (empty($filter['value']) && in_array($filter['operator'],array('IS NULL','IS NOT NULL')))){
			if($filter['type'] == 'address_state' || $filter['type'] == 'address_country'){
				$type = str_replace('address_','',$filter['type']);
				$nquery = 'SELECT zone_namekey FROM '.hikashop_table('zone').' WHERE ';
				$key = str_replace($filter['type'],'',$this->massaction->getRequest($filter));
				$nquery .= 'zone_name '.$key.' OR zone_name_english '.$key.' OR zone_namekey '.$key;
				$nquery .= ' AND zone_type = '.$db->quote($type);
				$db->setQuery($nquery);
				$result = $db->loadResult();
				$query->where[] = 'hk_address.'.$filter['type'].' = '.$db->quote($result);
			}else{
				$query->where[] = $this->massaction->getRequest($filter,'hk_address');
			}
		}
	}
}
function onCountAddressMassFilteraddressColumn(&$query,$filter,$num){
	$elements = array();
	$this->onProcessAddressMassFilteraddressColumn($elements,$query,$filter,$num);
	return JText::sprintf('SELECTED_PRODUCTS',$query->count('hk_address.address_id'));
}
function onProcessAddressMassFilteruserColumn(&$elements,&$query,$filter,$num){
if(empty($filter['type']) || $filter['type']=='all') return;
if(!isset($this->massaction))$this->massaction = hikashop_get('class.massaction');
if(count($elements)){
foreach($elements as $k => $element){
$userClass = hikashop_get('class.user');
$result = $userClass->get($element->address_user_id);
$filter['type'] = str_replace('hk_user.','',$filter['type']);
$filter['type'] = str_replace('joomla_user.','',$filter['type']);
$in = $this->massaction->checkInElement($result, $filter);
if(!$in) unset($elements[$k]);
}
}else{
$db = JFactory::getDBO();
if(!empty($filter['value']) || (empty($filter['value']) && in_array($filter['operator'],array('IS NULL','IS NOT NULL')))){
$query->leftjoin['user'] = hikashop_table('user').' as hk_user ON hk_address.address_user_id = hk_user.user_id';
$query->leftjoin['joomla_user'] = hikashop_table('users',false).' as joomla_user ON joomla_user.id = hk_user.user_cms_id';
$query->where[] = $this->massaction->getRequest($filter);
}
}
}
function onCountAddressMassFilteruserColumn(&$query,$filter,$num){
$elements = array();
$this->onProcessAddressMassFilteruserColumn($elements,$query,$filter,$num);
return JText::sprintf('SELECTED_PRODUCTS',$query->count('hk_address.address_id'));
}
function onProcessAddressMassFilteraccessLevel(&$elements,&$query,$filter,$num){
if(empty($filter['type']) || $filter['type']=='all') return;
if(count($elements)){
foreach($elements as $k => $element){
if($element->$filter['type']!=$filter['value']) unset($elements[$k]);
}
}else{
$db = JFactory::getDBO();
if(!HIKASHOP_J16){
$db->setQuery('SELECT user.id FROM '.hikashop_table('users',false).' AS user LEFT JOIN '.hikashop_table('core_acl_aro_groups',false).' AS group ON user.gid = group.name WHERE group.id = '.(int)$filter['group']);
}else{
$db->setQuery('SELECT user_id FROM '.hikashop_table('user_usergroup_map',false).' WHERE group_id = '.(int)$filter['group']);
}
if(!HIKASHOP_J25)
$users = $db->loadResultArray();
else
$users = $db->loadColumn();
if(!empty($users))
$query->where[] = 'hk_user.user_cms_id'.' '.$filter['type'].' ('.implode(',',$users).')';
}
}
function onCountAddressMassFilteraccessLevel(&$query,$filter,$num){
$elements = array();
$this->onProcessAddressMassFilteraccessLevel($elements,$query,$filter,$num);
return JText::sprintf('SELECTED_PRODUCTS',$query->count('hk_address.address_id'));
}
function onProcessAddressMassActiondisplayResults(&$elements,&$action,$k){
$params = $this->massaction->_displayResults('address',$elements,$action,$k);
$params->action_id = $k;
$js = '';
$app = JFactory::getApplication();
if($app->isAdmin() && JRequest::getVar('ctrl','massaction') == 'massaction'){
echo hikashop_getLayout('massaction','results',$params,$js);
}
}
function onProcessAddressMassActionexportCsv(&$elements,&$action,$k){
$formatExport = $action['formatExport']['format'];
$path = $action['formatExport']['path'];
$email = $action['formatExport']['email'];
if(!empty($path)){
$url = $this->massaction->setExportPaths($path);
}else{
$url = array('server'=>'','web'=>'');
ob_get_clean();
}
$app = JFactory::getApplication();
if($app->isAdmin() || (!$app->isAdmin() && !empty($path))){
$params->action['address']['address_id'] = 'address_id';
unset($action['formatExport']);
$params = $this->massaction->_displayResults('address',$elements,$action,$k);
$params->formatExport = $formatExport;
$params->path = $url['server'];
$params = $this->massaction->sortResult($params->table,$params);
$this->massaction->_exportCSV($params);
}
if(!empty($email) && !empty($path)){
$config = hikashop_config();
$mailClass = hikashop_get('class.mail');
$content = array('type' => 'csv_export');
$mail = $mailClass->get('massaction_notification',$content);
$mail->subject = JText::_('MASS_CSV_EMAIL_SUBJECT');
$mail->html = '1';
$csv = new stdClass();
$csv->name = basename($path);
$csv->filename = $url['server'];
$csv->url = $url['web'];
$mail->attachments = array($csv);
$mail->dst_name = '';
$mail->dst_email = explode(',',$email);
$mailClass->sendMail($mail);
}
}
function onProcessAddressMassActionupdateValues(&$elements,&$action,$k){
$db = JFactory::getDBO();
$current = 'address';
$current_id = $current.'_id';
$ids = array();
foreach($elements as $element){
$ids[] = $element->$current_id;
if(isset($element->$action['type']))
$element->$action['type'] = $action['value'];
}
$action['type'] = strip_tags($action['type']);
$alias = explode('_',$action['type']);
$queryTables = array($current);
$possibleTables = array($current);
if(in_array($action['type'],array('address_state','address_country'))){
$db->setQuery('SELECT zone_namekey FROM '.hikashop_table('zone').' WHERE zone_name = '.$db->quote($action['value']).' OR zone_name_english = '.$db->quote($action['value']));
$action['value'] = $db->loadResult();
}
$value = $this->massaction->updateValuesSecure($action,$possibleTables,$queryTables);
JArrayHelper::toInteger($ids);
$max = 500;
if(count($ids) > $max){
$c = ceil((int)count($ids) / $max);
for($i = 0; $i < $c; $i++){
$offset = $max * $i;
$id = array_slice($ids, $offset, $max);
$query = 'UPDATE '.hikashop_table($current).' AS hk_'.$current.' ';
$query .= 'SET hk_'.$alias[0].'.'.$action['type'].' = '.$value.' ';
$query .= 'WHERE hk_'.$current.'.'.$current.'_id IN ('.implode(',',$id).')';
$db->setQuery($query);
$db->query();
}
}else{
$query = 'UPDATE '.hikashop_table($current).' AS hk_'.$current.' ';
$query .= 'SET hk_'.$alias[0].'.'.$action['type'].' = '.$value.' ';
$query .= 'WHERE hk_'.$current.'.'.$current.'_id IN ('.implode(',',$ids).')';
$db->setQuery($query);
$db->query();
}
}
function onProcessAddressMassActiondeleteElements(&$elements,&$action,$k){
$ids = array();
$addressClass = hikashop_get('class.address');
foreach($elements as $element){
$result = $addressClass->delete($element->address_id);
}
}
function onProcessAddressMassActionsendEmail(&$elements,&$action,$k){
if(!empty($action['emailAddress'])){
$config = hikashop_config();
$mailClass = hikashop_get('class.mail');
$content = array('elements' => $elements, 'action' => $action, 'type' => 'address_notification');
$mail = $mailClass->get('massaction_notification',$content);
$mail->subject = !empty($action['emailSubject'])?JText::_($action['emailSubject']):JText::_('MASS_NOTIFICATION_EMAIL_SUBJECT');
$mail->body = $action['bodyData'];
$mail->html = '1';
$mail->dst_name = '';
if(!empty($action['emailAddress']))
$mail->dst_email = explode(',',$action['emailAddress']);
else
$mail->dst_email = $config->get('from_email');
$mailClass->sendMail($mail);
}
}
function onBeforeAddressCreate(&$element,&$do){
$elements = array($element);
$this->massaction->trigger('onBeforeAddressCreate',$elements);
}
function onBeforeAddressUpdate(&$element,&$do){
$address = $this->address->get($element->address_id);
foreach($address as $key => $value){
if(isset($element->$key) && $address->$key != $element->$key){
$address->$key = $element->$key;
}
}
$addresses = array($address);
$this->massaction->trigger('onBeforeAddressUpdate',$addresses);
}
function onAfterAddressCreate(&$element){
$elements = array($element);
$this->massaction->trigger('onAfterAddressCreate',$elements);
}
function onAfterAddressUpdate(&$element){
$address = $this->address->get($element->address_id);
foreach($address as $key => $value){
if(isset($element->$key) && $address->$key != $element->$key){
$address->$key = $element->$key;
}
}
$addresses = array($address);
$this->massaction->trigger('onAfterAddressUpdate',$addresses);
}
function onAfterAddressDelete(&$ids){
$this->massaction->trigger('onAfterAddressDelete',$this->deletedAdress);
}
function onBeforeAddressDelete($elements,$do){
$addresses = array();
if(!is_array($elements)) $clone = array($elements);
else $clone = $elements;
foreach($clone as $id){
$addresses[] = $this->address->get($id);
}
$this->deletedAdress = &$addresses;
$this->massaction->trigger('onBeforeAddressDelete',$addresses);
}
}
<?xml version="1.0" encoding="utf-8"?>
<extension type="module" version="3.1" client="site" method="upgrade">
<name>mod_login</name>
<author>Joomla! Project</author>
<creationDate>July 2006</creationDate>
<copyright>Copyright (C) 2005 - 2016 Open Source Matters. All rights reserved.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<authorEmail>[email protected]</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>MOD_LOGIN_XML_DESCRIPTION</description>
<files>
<filename module="mod_login">mod_login.php</filename>
<folder>tmpl</folder>
<filename>helper.php</filename>
</files>
<languages>
<language tag="en-GB">en-GB.mod_login.ini</language>
<language tag="en-GB">en-GB.mod_login.sys.ini</language>
</languages>
<help key="JHELP_EXTENSIONS_MODULE_MANAGER_LOGIN" />
<config>
<fields name="params">
<fieldset name="basic">
<field
name="pretext"
type="textarea"
label="MOD_LOGIN_FIELD_PRE_TEXT_LABEL"
description="MOD_LOGIN_FIELD_PRE_TEXT_DESC"
filter="safehtml"
cols="30"
rows="5"
/>
<field
name="posttext"
type="textarea"
label="MOD_LOGIN_FIELD_POST_TEXT_LABEL"
description="MOD_LOGIN_FIELD_POST_TEXT_DESC"
filter="safehtml"
cols="30"
rows="5"
/>
<field
name="login"
type="menuitem"
label="MOD_LOGIN_FIELD_LOGIN_REDIRECTURL_LABEL"
description="MOD_LOGIN_FIELD_LOGIN_REDIRECTURL_DESC"
disable="separator,alias,heading,url"
>
<option value="">JDEFAULT</option>
</field>
<field
name="logout"
type="menuitem"
label="MOD_LOGIN_FIELD_LOGOUT_REDIRECTURL_LABEL"
description="MOD_LOGIN_FIELD_LOGOUT_REDIRECTURL_DESC"
disable="separator,alias,heading,url"
>
<option value="">JDEFAULT</option>
</field>
<field
name="greeting"
type="radio"
label="MOD_LOGIN_FIELD_GREETING_LABEL"
description="MOD_LOGIN_FIELD_GREETING_DESC"
class="btn-group btn-group-yesno"
default="1"
>
<option value="1">JYES</option>
<option value="0">JNO</option>
</field>
<field
name="name"
type="list"
label="MOD_LOGIN_FIELD_NAME_LABEL"
description="MOD_LOGIN_FIELD_NAME_DESC"
default="0"
showon="greeting:1"
>
<option value="0">MOD_LOGIN_VALUE_NAME</option>
<option value="1">MOD_LOGIN_VALUE_USERNAME</option>
</field>
<field
name="usesecure"
type="radio"
label="MOD_LOGIN_FIELD_USESECURE_LABEL"
description="MOD_LOGIN_FIELD_USESECURE_DESC"
class="btn-group btn-group-yesno"
default="0"
>
<option value="1">JYES</option>
<option value="0">JNO</option>
</field>
<field
name="usetext"
type="list"
label="MOD_LOGIN_FIELD_USETEXT_LABEL"
description="MOD_LOGIN_FIELD_USETEXT_DESC"
default="0"
>
<option value="0">MOD_LOGIN_VALUE_ICONS</option>
<option value="1">MOD_LOGIN_VALUE_TEXT</option>
</field>
</fieldset>
<fieldset name="advanced">
<field
name="layout"
type="modulelayout"
label="JFIELD_ALT_LAYOUT_LABEL"
description="JFIELD_ALT_MODULE_LAYOUT_DESC"
/>
<field
name="moduleclass_sfx"
type="textarea"
label="COM_MODULES_FIELD_MODULECLASS_SFX_LABEL"
description="COM_MODULES_FIELD_MODULECLASS_SFX_DESC"
rows="3"
/>
<field
name="cache"
type="list"
label="COM_MODULES_FIELD_CACHING_LABEL"
description="COM_MODULES_FIELD_CACHING_DESC"
default="0"
>
<option value="0">COM_MODULES_FIELD_VALUE_NOCACHING</option>
</field>
</fieldset>
</fields>
</config>
</extension>
<?php
/**
* @package J2Store
* @copyright Copyright (c)2014-17 Ramesh Elamathi / J2Store.org
* @license GNU GPL v3 or later
*/
/** ensure this file is being included by a parent file */
defined('_JEXEC') or die('Restricted access');
require_once(JPATH_ADMINISTRATOR.'/components/com_j2store/library/plugins/app.php');
class plgJ2StoreApp_diagnostics extends J2StoreAppPlugin
{
/**
* @var $_element string Should always correspond with the plugin's filename,
* forcing it to be unique
*/
var $_element = 'app_diagnostics';
/**
* Overriding
*
* @param $options
* @return unknown_type
*/
function onJ2StoreGetAppView( $row )
{
if (!$this->_isMe($row))
{
return null;
}
$html = $this->viewList();
return $html;
}
/**
* Validates the data submitted based on the suffix provided
* A controller for this plugin, you could say
*
* @param $task
* @return html
*/
function viewList()
{
$app = JFactory::getApplication();
$option = 'com_j2store';
$ns = $option.'.tool';
$html = "";
JToolBarHelper::title(JText::_('J2STORE_APP').' - '.JText::_('PLG_J2STORE_'.strtoupper($this->_element)),'j2store-logo');
JToolBarHelper::back('J2STORE_BACK_TO_DASHBOARD', 'index.php?option=com_j2store');
$vars = new JObject();
$this->includeCustomModel('AppDiagnostics');
$this->includeCustomTables();
//$model = F0FModel::getTmpInstance('ToolDiagnostics', 'J2StoreModel');
$vars->info = $this->getInfo();
$id = $app->input->getInt('id', '0');
$vars->id = $id;
$form = array();
$form['action'] = "index.php?option=com_j2store&view=app&task=view&id={$id}";
$vars->form = $form;
$html = $this->_getLayout('default', $vars);
return $html;
}
public function getInfo()
{
$info = array();
$version = new JVersion;
$platform = new JPlatform;
$db = JFactory::getDbo();
if (isset($_SERVER['SERVER_SOFTWARE']))
{
$sf = $_SERVER['SERVER_SOFTWARE'];
}
else
{
$sf = getenv('SERVER_SOFTWARE');
}
$info['php'] = php_uname();
$info['dbversion'] = $db->getVersion();
$info['dbcollation'] = $db->getCollation();
$info['phpversion'] = phpversion();
$info['server'] = $sf;
$info['sapi_name'] = php_sapi_name();
$info['version'] = $version->getLongVersion();
$info['platform'] = $platform->getLongVersion();
$info['useragent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
$info['j2store_version'] = $this->getJ2storeVerion();
$info['is_pro'] = J2Store::isPro();
$info['curl'] = $this->_isCurl();
$info['json'] = $this->_isJson();
$config = JFactory::getConfig();
$info['error_reporting'] =$config->get('error_reporting');
$caching = $config->get('caching');
$info['caching'] = ($caching) ? JText::_('J2STORE_ENABLED') :
JText::_('J2STORE_DISABLED') ;
$cache_plugin = JPluginHelper::isEnabled('system', 'cache');
$info['plg_cache_enabled'] = $cache_plugin;
$info['memory_limit'] = ini_get('memory_limit');
return $info;
}
function _isCurl(){
return (function_exists('curl_version')) ? JText::_('J2STORE_ENABLED'):
JText::_('J2STORE_DISABLED') ;
}
function _isJson(){
return (function_exists('json_encode')) ? JText::_('J2STORE_ENABLED'):
JText::_('J2STORE_DISABLED') ;
}
public function getJ2storeVerion(){
$version ='';
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select($db->quoteName('manifest_cache'))->from($db->quoteName('#__extensions'))->where($db->quoteName('element').' = '.$db->quote('com_j2store'));
$db->setQuery($query);
$result = $db->loadResult();
if($result) {
$manifest = json_decode($result);
$version = $manifest->version;
}
return $version;
}
}
<?php
/*------------------------------------------------------------------------
# com_j2store - J2Store
# ------------------------------------------------------------------------
# author Ramesh Elamathi - Weblogicx India http://www.weblogicxindia.com
# copyright Copyright (C) 2014 - 19 Weblogicxindia.com. All Rights Reserved.
# @license - http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL
# Websites: http://j2store.org
# Technical Support: Forum - http://j2store.org/forum/index.html
-------------------------------------------------------------------------*/
/** ensure this file is being included by a parent file */
defined('_JEXEC') or die('Restricted access');
require_once(JPATH_ADMINISTRATOR.'/components/com_j2store/library/plugins/payment.php');
class plgJ2StorePayment_banktransfer extends J2StorePaymentPlugin
{
/**
* @var $_element string Should always correspond with the plugin's filename,
* forcing it to be unique
*/
var $_element = 'payment_banktransfer';
function __construct(& $subject, $config)
{
parent::__construct($subject, $config);
$this->loadLanguage( 'com_j2store', JPATH_ADMINISTRATOR );
}
function onJ2StoreCalculateFees($order) {
// Has the customer selected this method for payment? If yes, apply the fees
$payment_method = $order->get_payment_method ();
if ($payment_method == $this->_element) {
$total = $order->order_subtotal + $order->order_shipping + $order->order_shipping_tax;
$surcharge = 0;
$surcharge_percent = $this->params->get ( 'surcharge_percent', 0 );
$surcharge_fixed = $this->params->get ( 'surcharge_fixed', 0 );
if (( float ) $surcharge_percent > 0 || ( float ) $surcharge_fixed > 0) {
// percentage
if (( float ) $surcharge_percent > 0) {
$surcharge += ($total * ( float ) $surcharge_percent) / 100;
}
if (( float ) $surcharge_fixed > 0) {
$surcharge += ( float ) $surcharge_fixed;
}
$name = $this->params->get ( 'surcharge_name', JText::_ (
'J2STORE_CART_SURCHARGE' ) );
$tax_class_id = $this->params->get ( 'surcharge_tax_class_id', '' );
$taxable = false;
if ($tax_class_id && $tax_class_id > 0)
$taxable = true;
if ($surcharge > 0) {
$order->add_fee ( $name, round ( $surcharge, 2 ), $taxable,
$tax_class_id );
}
}
}
}
/**
* Prepares the payment form
* and returns HTML Form to be displayed to the user
* generally will have a message saying, 'confirm entries, then click complete order'
*
* @param $data array form post data
* @return string HTML to display
*/
function _prePayment( $data )
{
// prepare the payment form
$vars = new JObject();
$vars->order_id = $data['order_id'];
$vars->orderpayment_id = $data['orderpayment_id'];
$vars->orderpayment_amount = $data['orderpayment_amount'];
$vars->orderpayment_type = $this->_element;
$vars->bank_information = $this->params->get('bank_information', '');
$vars->display_name = $this->params->get('display_name', JText::_(
"PLG_J2STORE_PAYMENT_BANKTRANSFER"));
$vars->onbeforepayment_text = $this->params->get('onbeforepayment', '');
$vars->button_text = $this->params->get('button_text', 'J2STORE_PLACE_ORDER');
$html = $this->_getLayout('prepayment', $vars);
return $html;
}
/**
* Processes the payment form
* and returns HTML to be displayed to the user
* generally with a success/failed message
*
* @param $data array
* form post data
* @return string HTML to display
*/
function _postPayment($data) {
// Process the payment
$app = JFactory::getApplication ();
$vars = new JObject ();
$html = '';
$order_id = $app->input->getString( 'order_id' );
F0FTable::addIncludePath ( JPATH_ADMINISTRATOR .
'/components/com_j2store/tables' );
$order = F0FTable::getInstance ( 'Order', 'J2StoreTable' )->getClone ();
if ($order->load ( array (
'order_id' => $order_id
) )) {
$bank_information = $this->params->get ( 'bank_information', '' );
if (JString::strlen ( $bank_information ) > 5) {
$html = '<br />';
$html .= '<strong>' . JText::_ (
'J2STORE_BANK_TRANSFER_INSTRUCTIONS' ) . '</strong>';
$html .= '<br />';
$html .= $bank_information;
$order->customer_note = $order->customer_note . $html;
}
$order_state_id = $this->params->get ( 'payment_status', 4 ); // DEFAULT: PENDING
if ($order_state_id == 1) {
// set order to confirmed and set the payment process complete.
$order->payment_complete ();
} else {
// set the chosen order status and force notify customer
$order->update_status ( $order_state_id, true );
// also reduce stock
$order->reduce_order_stock ();
}
if ($order->store ()) {
$vars->onafterpayment_text = $this->params->get (
'onafterpayment', '' );
$order->empty_cart();
$html = $this->_getLayout ( 'postpayment', $vars );
// append the article with cash payment information
$html .= $this->_displayArticle ();
} else {
$html = $this->params->get ( 'onerrorpayment', '' );
$html .= $order->getError ();
}
} else {
// order not found
$html = $this->params->get ( 'onerrorpayment', '' );
}
return $html;
}
/**
* Prepares variables and
* Renders the form for collecting payment info
*
* @return unknown_type
*/
function _renderForm( $data )
{
$user = JFactory::getUser();
$vars = new JObject();
$vars->onselection_text = $this->params->get('onselection', '');
$html = $this->_getLayout('form', $vars);
return $html;
}
}
<?xml version="1.0" encoding="utf-8"?>
<extension version="2.5" type="plugin" group="j2store" method="upgrade">
<name>SagePay Direct</name>
<version>2.3</version>
<creationDate>October 2014</creationDate>
<author>j2store.org</author>
<authorEmail>[email protected]</authorEmail>
<authorUrl>http://j2store.org</authorUrl>
<copyright>2013-2018 Weblogicx India Private Limited </copyright>
<license>GNU General Public License v2 or later</license>
<description>J2STORE_SAGEPAY_PLUGINDESC</description>
<files>
<filename plugin="payment_sagepay">payment_sagepay.php</filename>
<folder>payment_sagepay</folder>
</files>
<languages>
<language tag="en-GB">languages/en-GB.plg_j2store_payment_sagepay.ini</language>
</languages>
<config>
<fields name="params">
<fieldset name="basic">
<field name="display_name" type="text" size="30" default=""
label="j2store_plugin_display_name" description="j2store_plugin_display_name_desc"/>
<field name="display_image" type="media"
label="j2store_plugin_display_image" description="j2store_plugin_display_image_desc"/>
<field name="merchant_email" type="text" size="50" default=""
label="j2store_sagepay_vendor_name" description="j2store_sagepay_vendor_name_desc"/>
<field name="enc_password" type="text" size="50" default=""
label="j2store_sagepay_encryption_password"
description="j2store_sagepay_encryption_password_desc"/>
<field type="spacer" />
<field name="card_types" type="list" multiple="multiple"
default="Visa,Mastercard" label="j2store_sagepay_card_type"
description="j2store_sagepay_card_type_desc">
<option value="Visa">J2STORE_SAGEPAY_VISA</option>
<option value="Mastercard">J2STORE_SAGEPAY_MASTERCARD</option>
<option value="Discover">J2STORE_SAGEPAY_DISCOVER</option>
<option
value="AmericanExpress">J2STORE_SAGEPAY_AMERICANEXPRESS</option>
<option value="JCB">J2STORE_SAGEPAY_JCB</option>
<option value="DinersClub">J2STORE_SAGEPAY_DINERSCLUB</option>
</field>
<field name="sandbox" type="radio" default="0" label="j2store_sagepay_test_server"
description="j2store_sagepay_test_server_desc">
<option value="0">J2STORE_NO</option>
<option value="1">J2STORE_YES</option>
</field>
<field type="spacer" />
<field name="articleid" type="text" size="10" default=""
label="J2STORE_PAYMENT_THANKS_MSG"
description="J2STORE_PAYMENT_THANKS_MSG_DESC"/>
<field type="spacer" />
<field name="onselection" type="textarea" cols="10" rows="5" default=""
label="j2store_on_selection_label" description="j2store_on_selection_desc"/>
<field name="onbeforepayment" type="textarea" cols="10" rows="5" default=""
label="j2store_on_before_payment_label" description="j2store_on_before_payment_desc"/>
<field name="onafterpayment" type="textarea" cols="10" rows="5" default=""
label="j2store_on_after_payment_label" description="j2store_on_after_payment_desc"/>
<field name="onerrorpayment" type="textarea" cols="10" rows="5" default=""
label="j2store_on_error_payment_label" description="j2store_on_error_payment_desc"/>
<field name="oncancelpayment" type="textarea" cols="10" rows="5" default=""
label="j2store_on_cancel_payment_label" description="j2store_on_cancel_payment_desc"/>
<field type="spacer" />
<field name="button_text" type="text" size="50"
default="J2STORE_PLACE_ORDER" label="j2store_button_text_label"
description="j2store_button_text_desc" />
<field type="spacer" />
<field name="debug" type="radio" default="0" label="j2store_debug"
description="j2store_debug_desc">
<option value="0">No</option>
<option value="1">Yes</option>
</field>
</fieldset>
</fields>
</config>
</extension>
<?php
/**
* @package J2Store
* @copyright Copyright (c)2014-17 Ramesh Elamathi / J2Store.org
* @license GNU GPL v3 or later
*/
/** ensure this file is being included by a parent file */
defined('_JEXEC') or die('Restricted access');
require_once(JPATH_ADMINISTRATOR.'/components/com_j2store/library/plugins/report.php');
class plgJ2StoreReport_itemised extends J2StoreReportPlugin
{
/**
* @var $_element string Should always correspond with the plugin's filename,
* forcing it to be unique
*/
var $_element = 'report_itemised';
/**
* Overriding
*
* @param $options
* @return unknown_type
*/
function onJ2StoreGetReportView( $row )
{
if (!$this->_isMe($row))
{
return null;
}
$html = $this->viewList();
return $html;
}
/**
* Validates the data submitted based on the suffix provided
* A controller for this plugin, you could say
*
* @param $task
* @return html
*/
function viewList()
{
$app = JFactory::getApplication();
$option = 'com_j2store';
$ns = $option.'.report';
$html = "";
JToolBarHelper::title(JText::_('J2STORE_REPORT').'- '.JText::_('PLG_J2STORE_'.strtoupper($this->_element)),'j2store-logo');
$vars = new JObject();
$this->includeCustomModel('Reportitemised');
$this->includeCustomTables();
$model = F0FModel::getTmpInstance('ReportItemised', 'J2StoreModel');
$model->setState('limit',$app->input->getInt('limit',0));
$model->setState('limitstart',$app->input->getInt('limitstart',0));
$model->setState('filter_search', $app->input->getString('filter_search'));
$model->setState('filter_orderstatus', $app->input->getString('filter_orderstatus'));
$model->setState('filter_order', $app->input->getString('filter_order'));
$model->setState('filter_order_Dir', $app->input->getString('filter_order_Dir'));
$list = $model->getData();
//$list = $model->getList();
$vars->state=$model->getState();
$vars->list = $list;
$vars->total = $model->getTotal();
$vars->pagination = $model->getPagination();
$vars->orderStatus = F0FModel::getTmpInstance('OrderStatuses','J2StoreModel')->enabled(1)->getList();
$id = $app->input->getInt('id', '0');
$vars->id = $id;
$form = array();
$form['action'] = "index.php?option=com_j2store&view=report&task=view&id={$id}";
$vars->form = $form;
$html = $this->_getLayout('default', $vars);
return $html;
}
function onJ2StoreGetReportExported($row){
$app = JFactory::getApplication();
$ignore_column =array('sum','count','orderitem_quantity','product_source_id','id');
$this->includeCustomModel('Reportitemised');
if (!$this->_isMe($row))
{
return null;
}
$model = F0FModel::getTmpInstance('ReportItemised', 'J2StoreModel');
$items = $model->getData();
foreach($items as &$item){
$item->orderitem_options ='';
if(isset($item->orderitem_attributes) && $item->orderitem_attributes){
foreach($item->orderitem_attributes as $attr){
unset($item->orderitem_attributes);
$item->orderitem_options.=$attr->orderitemattribute_name
.' : '.$attr->orderitemattribute_value;
}
}
$item->qty = $item->sum;
$item->total_purchase = $item->count;
foreach($ignore_column as $key =>$value){
unset($item->$value);
}
}
return $items;
}
}
<?php
/**
* @package Joomla.Plugin
* @subpackage Twofactorauth.totp
*
* @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
defined('_JEXEC') or die;
/**
* Joomla! Two Factor Authentication using Google Authenticator TOTP Plugin
*
* @since 3.2
*/
class PlgTwofactorauthTotp extends JPlugin
{
/**
* Affects constructor behavior. If true, language files will be loaded automatically.
*
* @var boolean
* @since 3.2
*/
protected $autoloadLanguage = true;
/**
* Method name
*
* @var string
* @since 3.2
*/
protected $methodName = 'totp';
/**
* Constructor
*
* @param object &$subject The object to observe
* @param array $config An optional associative array of configuration settings.
* Recognized key values include 'name', 'group', 'params', 'language'
* (this list is not meant to be comprehensive).
*
* @since 3.2
*/
public function __construct(&$subject, $config = array())
{
parent::__construct($subject, $config);
// Load the Joomla! RAD layer
if (!defined('FOF_INCLUDED'))
{
include_once JPATH_LIBRARIES . '/fof/include.php';
}
}
/**
* This method returns the identification object for this two factor
* authentication plugin.
*
* @return stdClass An object with public properties method and title
*
* @since 3.2
*/
public function onUserTwofactorIdentify()
{
$section = (int) $this->params->get('section', 3);
$current_section = 0;
try
{
$app = JFactory::getApplication();
if ($app->isAdmin())
{
$current_section = 2;
}
elseif ($app->isSite())
{
$current_section = 1;
}
}
catch (Exception $exc)
{
$current_section = 0;
}
if (!($current_section & $section))
{
return false;
}
return (object) array(
'method' => $this->methodName,
'title' =>
JText::_('PLG_TWOFACTORAUTH_TOTP_METHOD_TITLE')
);
}
/**
* Shows the configuration page for this two factor authentication method.
*
* @param object $otpConfig The two factor auth configuration object
* @param integer $user_id The numeric user ID of the user whose form we'll display
*
* @return boolean|string False if the method is not ours, the HTML of the
* configuration page otherwise
*
* @see UsersModelUser::getOtpConfig
* @since 3.2
*/
public function onUserTwofactorShowConfiguration($otpConfig, $user_id = null)
{
// Create a new TOTP class with Google Authenticator compatible settings
$totp = new FOFEncryptTotp(30, 6, 10);
if ($otpConfig->method == $this->methodName)
{
// This method is already activated. Reuse the same secret key.
$secret = $otpConfig->config['code'];
}
else
{
// This method is not activated yet. Create a new secret key.
$secret = $totp->generateSecret();
}
// These are used by Google Authenticator to tell accounts apart
$username = JFactory::getUser($user_id)->username;
$hostname = JFactory::getUri()->getHost();
// This is the URL to the QR code for Google Authenticator
$url = $totp->getUrl($username, $hostname, $secret);
// Is this a new TOTP setup? If so, we'll have to show the code validation field.
$new_totp = $otpConfig->method != 'totp';
// Start output buffering
@ob_start();
// Include the form.php from a template override. If none is found use the default.
$path = FOFPlatform::getInstance()->getTemplateOverridePath('plg_twofactorauth_totp', true);
JLoader::import('joomla.filesystem.file');
if (JFile::exists($path . '/form.php'))
{
include_once $path . '/form.php';
}
else
{
include_once __DIR__ . '/tmpl/form.php';
}
// Stop output buffering and get the form contents
$html = @ob_get_clean();
// Return the form contents
return array(
'method' => $this->methodName,
'form' => $html
);
}
/**
* The save handler of the two factor configuration method's configuration
* page.
*
* @param string $method The two factor auth method for which we'll show the config
* page
*
* @return boolean|stdClass False if the method doesn't match or we have an error, OTP
* config object if it succeeds
*
* @see UsersModelUser::setOtpConfig
* @since 3.2
*/
public function onUserTwofactorApplyConfiguration($method)
{
if ($method != $this->methodName)
{
return false;
}
// Get a reference to the input data object
$input = JFactory::getApplication()->input;
// Load raw data
$rawData = $input->get('jform', array(), 'array');
if (!isset($rawData['twofactor']['totp']))
{
return false;
}
$data = $rawData['twofactor']['totp'];
// Warn if the securitycode is empty
if (array_key_exists('securitycode', $data) && empty($data['securitycode']))
{
try
{
$app = JFactory::getApplication();
$app->enqueueMessage(JText::_('PLG_TWOFACTORAUTH_TOTP_ERR_VALIDATIONFAILED'), 'error');
}
catch (Exception $exc)
{
// This only happens when we are in a CLI application. We cannot
// enqueue a message, so just do nothing.
}
return false;
}
// Create a new TOTP class with Google Authenticator compatible settings
$totp = new FOFEncryptTotp(30, 6, 10);
// Check the security code entered by the user (exact time slot match)
$code = $totp->getCode($data['key']);
$check = $code == $data['securitycode'];
/*
* If the check fails, test the previous 30 second slot. This allows the
* user to enter the security code when it's becoming red in Google
* Authenticator app (reaching the end of its 30 second lifetime)
*/
if (!$check)
{
$time = time() - 30;
$code = $totp->getCode($data['key'], $time);
$check = $code == $data['securitycode'];
}
/*
* If the check fails, test the next 30 second slot. This allows some
* time drift between the authentication device and the server
*/
if (!$check)
{
$time = time() + 30;
$code = $totp->getCode($data['key'], $time);
$check = $code == $data['securitycode'];
}
if (!$check)
{
// Check failed. Do not change two factor authentication settings.
return false;
}
// Check succeeded; return an OTP configuration object
$otpConfig = (object) array(
'method' => 'totp',
'config' => array(
'code' => $data['key']
),
'otep' => array()
);
return $otpConfig;
}
/**
* This method should handle any two factor authentication and report back
* to the subject.
*
* @param array $credentials Array holding the user credentials
* @param array $options Array of extra options
*
* @return boolean True if the user is authorised with this two-factor authentication
* method
*
* @since 3.2
*/
public function onUserTwofactorAuthenticate($credentials, $options)
{
// Get the OTP configuration object
$otpConfig = $options['otp_config'];
// Make sure it's an object
if (empty($otpConfig) || !is_object($otpConfig))
{
return false;
}
// Check if we have the correct method
if ($otpConfig->method != $this->methodName)
{
return false;
}
// Check if there is a security code
if (empty($credentials['secretkey']))
{
return false;
}
// Create a new TOTP class with Google Authenticator compatible settings
$totp = new FOFEncryptTotp(30, 6, 10);
// Check the code
$code = $totp->getCode($otpConfig->config['code']);
$check = $code == $credentials['secretkey'];
/*
* If the check fails, test the previous 30 second slot. This allows the
* user to enter the security code when it's becoming red in Google
* Authenticator app (reaching the end of its 30 second lifetime)
*/
if (!$check)
{
$time = time() - 30;
$code = $totp->getCode($otpConfig->config['code'], $time);
$check = $code == $credentials['secretkey'];
}
/*
* If the check fails, test the next 30 second slot. This allows some
* time drift between the authentication device and the server
*/
if (!$check)
{
$time = time() + 30;
$code = $totp->getCode($otpConfig->config['code'], $time);