Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Objectives of Module
Lifecycles
PeopleInvolved
QualityAttributes
Differences
TypesOf
Systems
Definition
E-CommerceSystems
Introduction to E-Commerce Systems
Introduction
� “We live in an era of e-everything” – David Chaffey
� Everywhere we look, we are likely to see an e-something:
� E-Commerce
� E-Banking
� E-Dating
� E-Government
� E-Learning
� E-Logistics
� …
What are E-Commerce Systems?
� Viewing a product list online?� Ordering products online and paying by cheque or in
person?� Ordering and paying online plus having the product
delivered?� Getting information (e.g. share prices) from a
website for free?� Using your mobile to get online news or even
topping up your prepaid balance?
!!All of the above are examples of e-commerce systems!!
Definition of E-Commerce Systems
“the exchange of information across electronic networks, at any stage in the supply chain, whether within an organisation, between businesses, between businesses and consumers, or between the public and private sectors, whether paid or unpaid”
-The Prime Minister’s Strategy Officewww.number-10.gov.uk/su/ecomm/ec_body.pdf
Benefits of E-Commerce
� Businesses� 24-hour operation� High cost-savings� No geographical
boundaries� Potential access to millions
of customers
� Consumers� Conveniance� Easy to compare products
and prices� Easy to find reviews� Much more choice� …
What is being bought online?
80%
32%30%29%
26%25%24%
13%13%11%
9%8%8%5%4%
1%0%
10%
20%
30%
40%
50%
60%
70%
80%
Products
Books
Software
Hardware
Music
Holidays
Videos/DVDs
Electronics
Cinema/Theatre
IP Telephony
Clothes
Business Supplies
Business Travel
Toys/Games
Shares/Stocks
Food
Jewelry
Players in E-Commerce
� Business
� Typically provide products and/or services online
� Products available to consumers or even other businesses
� Consumers
� Interested in information/products/services and are willing to obtain them online
� Government
� E-Government Services
� Facilitates access to government services for both consumers and businesses
Main Types of E-Commerce Systems
E-Commerce Systems
Business-to-Business Business-to-Consumer Consumer-to-Consumer
Sell-Side Buy Side Marketplace Collaborative
Business to Business (B2B)
� Interdependent Businesses conduct business amongst themselves online
� Usually does not take the form of the traditional website e-Commerce system
� Usually fully (or almost fully) automated (e.g. automatic online ordering when stock levels are low)
Types of B2B Systems
� There are 4 main types of B2B Systems
� Sell-Side
� Buy-Side
� Electronic Marketplace (or Exchange)
� Collaborative
Sell-Side B2B Systems
Seller
Company A
Company B
Company C
Buyers
•One-to-Many Relationship
Buy-Side B2B Systems
Buyer
Company A
Company B
Company C
Sellers
•One-to-Many Relationship
Electronic Marketplace (or Exchange)
An Exchange
Company A
Company B
Company C
Sellers
Company X
Company Y
Company Z
BuyersServices
•Many-to-Many Relationship
•Exchange is usually owned and operated by a 3rd party
•Businesses meet to exchange goods/services
Collaborative B2B Systems
HubManager
GovernmentBuyers
Sellers
Universities Community
Others
IndustrialAssociations
•Many-to-Many Relationship
•Only business partners participate
•Facilitates communication, sharing of designs, planning information, etc
Business to Consumer (B2C)
� Businesses sell products/services to consumers
� Usually take on the form a website through which consumers can browse through products/services, order and pay online
� Typical Examples:
� Amazon.com
� Extending your internet subscription online
Consumer to Consumer (C2C)
� Consumers buying/selling products and services amongst themselves
� Typical Examples:
� E-Bay
� di-ve.com Classifieds
Differences between E-Commerce Systems and
Other Systems
Introduction
� A number of differences exist between e-commerce systems and other types of systems
� The most important ones are:
� They are content-driven
� They are exposed to the world
� They are Browser Based
� Enormous User Base
� They are likely to change quite often
Content Driven (1/2)
� Most e-commerce sites are connected to a database� View product lists
� Compare prices
� View orders
� …
� What information should my site display?
� Is it organised in the best possible way?
� Is it easy for a use to find what she wants
Content Driven (2/2)
� 72% of users know beforehand what they are looking for
� This indicates we should provide an easy means by which users can search for the product they need
� Usability and Navigability of websites are very important issues.
� A customer who has a bad first impression of a site is not likely to return
Importance of Navigability
43%
36%35%
33%
14%
4%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Reasons
Decided agains buyingproduct
Website Error
Process too long
Site too slow
Delivery/Payment/PricingProblems
Browser CompatibilityProblems
Also more likely to
simply find another site
Why people abandon transactions online….
Exposed to the world
� The internet is an open network of networks
� E-Commerce sites require the transfer of private information� Customer details
� Credit card numbers
� E-Commerce systems need to be secure
� In security circles, it is always assumed that whatever you send online can be seen by everyone else on the internet
Enormous Userbase (1/3)
� Ideally, an e-commerce website will attract vasts amounts of visitors
� This is a mixed blessing
� Ideal scenario
� Thousands of people visit my e-commerce site daily
� They all see products they like and buy them
� I become very very rich
Enormous Userbase (2/3)
� Some bad scenarios:
� Thousands of people visit my website
� The website cannot cope with the load and starts crashing every few minutes
� I get it fixed
� People come back
� They order items but my business models have not been adapted to e-commerce
� How do I deliver products?
� How do I deal with potentially many customer problems and enquiries?
Enormous Userbase (3/3)
� 37% of users first judge a site by its reputation
� Only 18% of customers will remain loyal to a site if if becomes unstable or slow due to popularity
Browser-Based (1/2)
� Most e-commerce systems are accessed through browsers
� This is good because:
� They are accessible from everywhere
� Browsers are widely available for free
� Browser-based applications do present some disadvantages
� A web application does not have access to event-driven programming like applications writing in C++ or Java for example
Browser-Based (2/2)
� Scripting and Enhancing Technologies� Javascript
� CSS
� DHTML
� No standards
� Browsers interpret these technologies differently
� Websites may work fine on one browser but not on another
� Also the problem of different devices and OSs� Windows/LINUX
� Desktop PC, Laptop, PDA, Mobile phone
Likely to Change Quite Often
� E-Businesses are dynamic by nature
� They need to keep one step ahead of the competition
� Constant change to e-commerce sites is inevitable� Changing of prices (simple change)
� Introducing new offers/schemes (not so simple)
� Introducing new features to the site (complex)
� Is my site built well enough to absorb these changes?
� Systems should mature rather than grow old and frail
Important E-Commerce Quality Attributes
� Based on studies and the unique characteristics of e-commerce, one can say that the following quality attributes are important:
1. Security
2. Usability and Navigability
3. Performance and Scalability
4. Reliability
5. Portability
Security in E-Commerce
The Importance of Security
� Security is a very important consideration in e-commerce
� A major security incident would scare away many existing and potential customers
� Analogy: Imagine setting up a shop in a high-street and going home at night leaving it open with a sign saying “Owner not in”
Common Reasons for not using e-commerce
30%
36%
14%
7%
5%
8%
0%
5%
10%
15%
20%
25%
30%
35%
40%
Touch Security Delivery Browse Trust Other
How secure do online stores need to be before people use them?
44%42%
13%
1%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Watertight
Security
Minor Risks Considerable
Risks
Security Not
Important
Possible security breaches (1/2)
� Fraud resuting in direct financial loss� Transfer of funds
� Destruction of financial records
� Theft of information� Confidential
� Proprietry
� Technological
� Risk of intruder passing this information on to a competing company or people with malicious intend
Possible security breaches (2/2)
� Disruption of service� E.g. Denial of Service Attacks
� Inconveniences to customers
� Loss of business
� Loss of customer confidence� Intrusions into customer files
� Dishonesty
� Human Mistakes
� Network Failures
Security in brick-and-mortar stores
In tradional businesses:
� Merchants expect to be paid with real money
� When they accept credit, they require signatures
� At the end of the day:
� Alarm is set
� Security Guards employed
� Police available in case of a break in
Can we replicate this online?
Paper-based Commerce vs E-Commerce
PaperPaper--Based CommerceBased Commerce Electronic CommerceElectronic Commerce
Signed paper documents
Person to person
Physical payment system
Merchant & Customer face-to-face
Easy detectability of modifications
Easy negotiability of documents
Digital signatures
Electronic via website
Electronic payment system
No face-to-face contact
Detectability is difficulty
Negotiablity via special protocols
Clear legal rules and protection Confusing legal issues
Experiment
Ask yourself:
� Would I attempt to steal something from a shop in Valletta?
Then ask yourself:
� Would I try to hack into a website or online store to gain access to unauthorised information?
Most people say no to the first question but yes to the second.
Why?
Identifying Security Principals
� Principals in online security are:
� People
� Processes
� Machines
� Keys, passwords, etc
� Principals participate in transactions
� Send, receive, access, update, delete, etc
Security Concerns
� Confidentiality / Secrecy
� Ensuring that data remains private
� Authentication
� Making sure that message senders are who they say they are
� Integrity
� Make sure the messages are not modified during transmission
� Nonrepudiation
� Ensuring that principals cannot deny that they sent a message
� Access Control
� Restricting the use of a resource to authorised principals only
Confidentiality / Secrecy (1/3)
PeterJames
Evil Hacker
sa@@!%&&dds#FFDE33@”:{}{PIHJGFs
InterceptsBut cannot Understand messages
aaTTyUIjhg^&bvv$%vDDDg*$$$csdad
Always assume that anyone can viewAlways assume that anyone can view
your electronic communications at will.your electronic communications at will.
????
Confidentiality / Secrecy (2/3)
� Data needs to be encrypted in order for secrecy to prevail
� There are various encryption techniques and algorithms
� Security algorithms should be updated over time.
� One early popular algorithm was DES.� It is now crackable in 3 hours.
� Latest popular encryption algorithm is AES
Confidentiality / Secrecy (3/3)
� SSL (Secure Sockets Layer) is the prevailing encryption mechanism for e-commerce today.
� Uses Public/Private Key Encryption Methods
� All major browsers support SSL
� SSL supports certificates and thus handles other aspects of security besides encryption
� It is beyond the scope of this course to enter into exactly how SSL works as this would require a whole course to trash out
Authentication (1/2)
PeterJames
Evil Hacker
Hello James, this is Peter I have information 4u
Intercepts
Hello Peter, I am James.Give me the information.
Authentication (2/2)
� Passwords are a weak form of authentication
� Current mainstream technique for ensuring authentication is the use of certificates
� Individuals (and organisations) can obtain certificates from a certificate authority and use the certificate to encrypt their messages
� Recipients can verify the sender’s certificate with a certification authority so as to ascertain the identity of the person
Integrity (1/2)
PeterJames
Evil Hacker
Hello James. Please give me your account num
InterceptsandModifiesMessage
Ok. My account number is 55421221
Ok. My account number is 332121221
Integrity (2/2)
� Certificates and Public Key Infrastructure also cater for integrity
� Recipients can detect if the original message has been changed and request the sender to resend the message
What needs to be secured? (1/2)
� Clients – They are vulnerable to � Viruses� Hackers
� Servers� Exposed to anothorised access� Intrusions could lead to a reducion in speed or worse� Server resourses may be used for purposes other than
those originally intended
What needs to be secured? (2/2)
� Networks� The entry point to computer systems
� Can become the root cause for infringment if not secured
� A weak network can allow data to be easily tampered with
� Common cases occuring due to a loophole in network security:� Fradulent Identities
� Eavesdropping
Common Threats on the Web (1/6)
� Accidental Threats
� Arise from human error
� Generally due to lack of awareness and training
� Poor password choices
� Accidental business transactions
� Accidental disclosure of information
� Use of incorrect software
� Physical accidents
� E.g. spilling of coffee, unplugging servers, etc
Common Threats on the Web (2/6)
� Malicious Threats
� Specially intended to cause harm to people, systems and networks
� Malicious Software
� Viruses
� Trojans
� Worms
� Social Engineering Threats
� E.g. pretending to be an employee of a company and asking for private information
Common Threats on the Web (3/6)
� Authorisation Threats� Hacker attempts to bypass security by posing as
an authorised user
� Needs to gain knowledge about a valid username and password combination
� Various techniques exist:� Dictionary Attacks
� Brute-Force Attacks
� Short Attacks
� …
Common Threats on the Web (4/6)
� Application Threats
� Exploit vulnerabilities in applications deployed as part of a web system
� Applications can include
� Web Servers
� FTP Servers
� DNS Servers
� The operating system
� …
� Always keep software updated with the latest version and fixes
Common Threats on the Web (5/6)
� Privacy Threats
� Two forms:
� Network Eavesdropping
� Monitor data being transmitted over networks
� Extract Information
� Radio Signal Evesdropping
� Listen to radio signals from computer hardware (e.g. computer monitors) and try to extract useful information from it
� Rarely used – Requires expensive equipment
Common Threats on the Web (6/6)
� Access Control Threats
� Intruder gains access to a system for which (s)heis not authorised to use
� However, (s)he does not do it by posing as an authorised user
� E.g. Gain access to an unsecured modem
� E.g. Exploit some sort of network flaw
Network Attacks (1/3)
� Denial of Service (DoS) Attacks
� Attempt to make a website or service unusable
� E.g. Uploading vast amounts of data to an FTP server so
as to take bandwidth away from other users
� SYN Flood Attacks
� Exploits the TCP 3-way handshake
� Attacker sends many SYN packets but never completes
the handshake
� Victim uses up a lot of resources and potentially crashes
Network Attacks (2/3)
� SMURF Attacks
� Many ICMP ping requests sent to different with a spoofed source address of
the victim
� Victim receives a large number of ICMP replies which it did not send
� A similar attackcalled Fraggle works in the same way but uses the UDP
protocol
Hacker’s PCSpoofed Ping Requests
Replies to Victim
Victim
Network Attacks (3/3)
� Ping of Death
� Hackers send thousands of ping requests per second to a victim
� They send data which is beyond the 64k ICMP limit
� Can cause a total system crash
� Other Attacks
� DNS Attacks
� Spoofing
� Host Overflow
� Length Overflow
� Zone Transfer
� Distributed Denial-of-Service (DDoS)
� Same as DoS but involves hundreds (or thousands) of simultaneous attacks
Security Counter-measures (1/5)
� Physical Security
� Make sure hardware is physcialy secure
� Security Guards
� Alarms
� Security Procedures
� Safety Procedures
Security Counter-measures (2/5)
� Secure Authentication and Messaging
� Use of public key cryptography
� Ensure that
� Messages received from a user are actually from that
user
� Messages received from a user have not been
tampered with
Security Counter-measures (3/5)
� Firewall Solutions� A firewall sits on the perimiter of your network
� Control network traffic flow
� System Administrator may close
� Ports / protocols
� Traffic from/to certain systems
� …
� Useful against
� Various network attacks
� Spyware
� Unauthorised usage
� Not the silver bullet of security
Security Counter-measures (4/5)
� Bandwidth Managers� Limit the use of bandwidth by different
� Protocols
� Applications
� Particular Sources and Destinations
� Useful against DoS attacks
� Example:� Give high bandwidth to secure ports
� Give low bandwidth to unsecured ports (prevents DoSattacks)
Security Counter-measures (5/5)
� Disaster Recovery and Backup
� Disaster recovery plan
� Everyone should know what to do if the worst-case scenario were to happen
� Regular backups are useful and essential
E-Payments
How payments are made online
Origins of Money and Payments
� Money began with the concept of bartering
� Economic System got more complicated and tokensstarted being used.� Items carried an intrinsic value
� E.g. Precious stones, shells, etc
� E.g. Silver dollar was made of $1 worth of silver
� After tokens, were detached from inherent value, notational money was adopted
� Credit system developed� People pay without actually having the money
� Credit cards
Real-world Cash
� Medium of exchange to simplify transactions� Has a standard value and helps decide worth of goods� Electronic money must fulfill this criteria as well� Benefits of cash
� Convenience� Wide acceptance� Anonymity� No hidden or other cost of use� No audit trail
� Disadvantage of cash is in the cost of holding it� Loss of potential interest in bank� Cost of security� Cost of transport
Electronic Money (E-Money)
� E-Money is an electronic medium for making payments
� Includes� Credit cards
� Smart cards
� Debit cards
� Electronic funds transfer
� Automated Clearinghouse (ACH) systems
� It is notational and can be� Online or Off-line
� Identified of Anonymous
Types of E-Money (1/2)
� Identified and Online (+I+L)
� Unique to credit card and debit cards transactions
� Customer is easily identifiable
� Card is validated against a bank’s computer before payment is made
� Identified and Offline (+I-L)
� Purchasing by cheque, travelers cheques, money orders, etc
� Merchant asks for ID to make sure the identity of the purchaser is known
� No verification is made
Types of E-Money (2/2)
� Anonymous and Online (-I+L)
� Cash transactions where the purchaser is anonymous
� Depositing money in an online account
� Purchase made on the spot for cash
� Anonymous and Offline (-I-L)
� Unique to electronic cash
� E.g. Transfering funds from a credit card to another account using an ATM which does not have a direct connection to the VISA/MasterCard network
Analysing Cash, Cheques and Credit Cards
� Regardless of the form of money, two distinct sets of properties should be considered in a money transfer
� These are� The ACID Test
� Atomicity� Consistency� Isolation� Durability
� The ICES Test� Interoperability� Conservation� Economy� Scalability
The ACID Test (1/2)
� Atomicity
� Transaction must occur completely or not at all
� E.g. A transfer €100 must result in the amount being credited from one account and debited to another. If one action fails, the whole transaction should be aborted.
� Consistency
� All parties involved must agree to the exchange
� E.g. Before a Joe buys a product from Mel, Joe must agree to buy it for €x and Mel must agree to sell it for €x
The ACID Test (2/2)
� Isolation
� Each transaction is independent of any other transaction
� Treated as a stand-alone episode
� Durability
� Always possible to recover to a consistent state or reverse the state of an exchange
� E.g. Customer is not happy with the product so you refund him
The ICES Test (1/2)
� Addresses four important properties of Money Transfer
� Interoperability� Ability to move back and forth between different
systems
� Conservation� How well money holds its value over time
(temporal consistency)
� How easy it is to store and access (temporal durability)
The ICES Test (2/2)
� Economy� Processing a transaction should be inexpensive
and affordable
� Relative to size of transaction
� E.g. Paying a €1 charge to process a €10,000 transaction is acceptable. However, it is not acceptable if you are processing a €5 transaction
� Scalability� Ability of the system to handle multiple users at
the same time
Comparing different systems
YN-NYNYY
Credit
Card
YNYNYNYYCheque
YYNYYYYYCash
ScalabilityEconomyConservationInteroperabilityDurabilityIsolationConsistencyAtomicity
Internet-Based Payments
� Electronic payments are financial transactions made without the use of paper documents such as cheques.
� E.g. Having your stipends credited to your account, paying for a product with your smartcard
� Internet-based payment systems are a form of electronic payment
Important Properties for E-Payments
� Besides, the ACID and ICES tests, other properties are important for e-payment systems
� Acceptability
� Ease of Integration
� Customer base
� Ease of use and ease of access
Internet-Based Payment Systems Models
� There are four main models for processing payments on the internet:
� Electronic Currency
� Credit Cards
� Debit Cards
� Smart Cards
Electronic Currency
� The network equivalent of cash
� E.g. Electronic funds transfer (EFT) moves cash from one account (e.g. employer’s account) to another (e.g. employees bank account). This happens regardless of the bank type, location, etc.
Credit Cards (1/2)
� Credit cards are the most popular form of payment online
� Bank issues credit card to people
� Can be topped up
� Has an associated credit limit
� To sell things on the web, merchants must accept credit cards
� Merchants need to open a merchant account
� Allows them to process credit card transactions
� Merchant pays charges depending on the amount of money processed in a time period.
� If users are unhappy with product/service received, they can generate a charge-back
Credit Cards (2/2)
� Credit cards leave a complete audit trail
� Can be a very insecure way of payment if the right security precautions are not taken
� No signatures required
� No face-to-face clues to interpret
� Third-party credit card processing services are available� Very useful when merchants fail to obtain a
merchant account
Credit Cart Laundering
� Merchants sometimes let other merchants use their merchant account
� They do this for a commission
� This is a violation of the merchant agreement with banks
� The risk is enormous, even if your commission rates are very good
� Why couldn’t your ‘client’ merchant get his own merchant account?
� Bad credit history
� Bad management practices� Typical scenario: Merchant processes payments, closes down
account and does not sent his clients any products. All clientsgenerate charge-backs to YOUR merchant account.
Debit Cards
� Similar to credit cards but the card holder is not borrowing money to purchase a product
� Processed through the issuing bank’s card network (as opposed to the global VISA or Mastercard Network)
� Safer for client if (s)he controls the amount of money in the account linked to the debit card.
� In case of theft, a thief cannot run up debts for the card owner.
Smart Card (1/2)
� Card with a built-in chip capable of storing information in its memory
� Contains programmable chip, RAM and ROM storage
� Handles a variety of applications
� Encrypts digital cash on chip
� Can be refilled by connecting to a bank
� Digital Key to an office
� Prescription authorisation
� Voting purposes
Smart Card (2/2)
� In e-commerce can be used for:
� Digital Cash
� Authenticating access to secured encrypted transactions
� Digital signatures
� Key storage
� Authenticating user by use of special devices
� Safer when compared to the credit-card number system
� Devices not yet popular so smart cards cannot really be as
successful as credit cards for the time being
Electronic Funds Transfer (EFT)
Computer-based system that:
� facilitates the transfer of money or the processing of financial transactions
� between two financial institutions
� same day or overnight
� one of the earliest forms of electronic payment systems on private networks
Automated Clearinghouse (ACH)
� Routes bank transactions involving more than one financial institution
� Ensures the correct accounts held by the correct institutions can be debited and credited
� Consider an example where you go to your bank (e.g. BOV) and deposit a cheque of €300 which originated from another bank (e.g. HSBC) to your bank account which previously had a €100 balance� Bank teller will give you a receipt saying your new balance
is €400� However, the new balance will not be available until that
cheque clears through an ACH system
ACH Example
Cheque’s Account
100,000
3001Cheque deposited
Your Account
100
300
On hold until cleared via ACH
Bank A
2“Not on Us”
Deposit
ACH
3. Cheque goes to ACH for
processing
Bank B
4. ACH Queries Bank B
5. Bank B Approves
6. ACH Credits Bank A with €300
7. Bank B Debits Account
with €300
8. Bank A
releases “Hold”
Secure Electronic Transactions (SET)Protocol (1/2)
� An emerging standard protocol for handling transactions on the Internet
� Administered jointly by VISA and MasterCard
� Covers all aspects of online commerce
� Various services� Cardholder and merchant registration
� Purchase request
� Payment authorisation
� Payment Capture
� Autorisation Reversal
� Credit Reversal
Secure Electronic Transactions (SET)Protocol (2/2)
� Authenticates parties involved using cryptography systems and trust hierarchies of digital certificates
� Based on 4 important goals
� Confidentiality
� Integrity of transmitted data
� Authentication of the card holder and merchant
� Interoperability across network providers
� Very complex and detailed protocol
� Not economical for small payments (micro payments)
SET Example
SETPaymentGateway
Merchant Bank
Customer with SET Wallet Issuing Bank
Acquiring Bank
SecureCardholderCertificate
Network Interchange usingVISA, Mastercard,
American Express, etc
1. OrderDetails 2. Request for
Payment
3. Authorisation
4. ElectronicReceipt
5. Payment
Examples of payment systems
� BankNet(http://mkn.co.uk/bank)
� CheckFree(www.checkfree.com)
� Credit Card Network (http://creditnet.com)
� CyberCents(www.cybercents.com)
� Ecash(www.ecashtechnologies.com)
� PayPal (www.paypal.com)
� QuickCommerce(www.qc123.com)
� WebMoney(www.webmoney.ru)
� Millicent (http://research.compaq.com/SRC/articles/199705/Millicent.html)
� Ziplock(www.portsoft.com.au)
Conclusions
� E-Payments are an essential component of e-commerce systems
� By now, you should
� understand the origins of money and how payment systems evolved
� appreciate different types of e-payment systems
� know how to analyse payment systems using tests such as ACID and ICES
� be familiar with different types of internet payment systems
� be familiar with various e-payment terms, concepts and protocols such as SET and ACH