E-Security and the Internet
This document is a fourth year dissertation on the above title. The author is Richard Joynson from The University of East London in England. Should you wish to raise any points, you may e-mail him on [email protected] Please click on any of the links below to take you to the appropriate part of the document:
The Current Position of E-Commerce
The Data Protection Act and Computer Misuse Act
Reasons to doubt the Implementation of Security Payment Methods over the Internet
Payment Methods over the Internet
Security Issues in respect of a Networked Computer System
Classes of Open System Interconnection (OSI) Security Services
An Introduction to Cryptography
Use of Algorithms and Functions
Authentication Exchange Mechanisms
The Current Position on Digital Certificates
Public Key Certificate and Infrastructure
Problems associated with Cryptography
Security of Protocols and Servers
Secure Electronic Transaction (SET)
A brief Introduction to Internet Fraud
Examples of Internet Fraud, Virus's and Sabotage
How much does Online Fraud cost?
Internet Security-Risk Assessment
How to discover a Hacker/Intruder
The six major steps in handling a Breach
New ways to prevent Internet Fraud
Steps an Online Customer can take to avoid Online Fraud
What Security Companies offer and their Advice
The Internet's reach is world wide, transactions are anonymous, it is difficult to authenticate identity and many sites require customers to reveal various personal details. It is no wonder, therefore, that Internet or Electronic (e) security has become a large concern in the field of electronic commerce. If the Internet is to become the huge market place it will undoubtedly become, e-businesses must address the question mark over the e-security problem. E-shoppers must be at ease with payment methods and the supply of their personal data. Customers/users require full security of this information.
The Internet attracts consumers since it is driving down the cost of purchases through the lack of need to have a bricks and mortar site. This allows e-businesses to pass on the associated cost savings to customers with the help of clicks and mortar sites. Logically, it should have been presumed that a problem would occur with e-security since in the past banks, shops, etc had to implement a good quality security system to ensure the safety of their stock and takings. Likewise, I am sure there was a cloud hanging over shops taking credit card details for the first time.
It comes as no surprise that the number of attacks against networks has increased with the popularity and growth of the Internet and the explosion of electronic business. Almost anyone with technical know-how and deceitful intentions can break into Internet sites and paralyse organisations. Just like bank robbers did in the past.
My dissertation will be of use to UK business since it will make reference to the most current security issues and suggest companies offering security implementation devices and the type of companies they implement security solutions for. The Times is the most referenced newspaper since it is the paper I read.
Tim Berners-Lee is the 44 year-old Englishman who is the father of the Internet (although he named it the World Wide Web) which now gives access to 327m users and allows $111b of e-commerce to take place. This figure is projected to rise to $1,300b or 20% of global GDP by the end of 2003.
In 1990 Berners-Lee on a budget of $80,000 started writing the Internet's software codes and designing the Universal Resource Locator, an address system to give each page a unique location. In 1991, he wrote the two protocols most recognisable by Internet users, Hypertext Transport Protocol (HTTP) which provided file access and Hypertext Mark-up Language (HTML) which became a format for displaying and linking documents. (1)
The Current Position of E-Commerce
According to research company, Deloitte & Touche, 85% of businesses that are using the Internet state that usage is still at an embryonic stage. The most common obstacle is customer conservatism although some companies are not confident that their e-commerce strategy is aligned with their overall strategy. The report also found that less than 10% of companies trade over the Internet but most are not greatly concerned with security-content management and Internet application development are more important factors. Another report by BDO Stoy Hayward found that 33% of companies had no plans to trade over the Net and 75% of these believe their business is not suited to this type of trading. The report also stated that, of the companies who do trade via the Net, 61% say it has made no difference, 6% say that business has increased significantly and 31% say that it has increased a little. (2)
KPMG's 1999 Electronic Commerce report says 23% of companies with sales of more than £200m already offer online transactions and the number is expected to rise to 83% in 3 years. Online transactions are dominated by business to business activity, which accounted for 76.8% of online sales last year and will grow to 85% by 2002. A BT spokesperson states that 500,000 Internet sites are operated in Britain and they expect the number to double in 4 years. About 5% of Internet sites carry out some form of transaction but this is expected to rise to 50% within 2 years providing security worries are overcome. (3)
A Canadian telecommunications equipment maker, Nortel, states that today's Internet is not fast enough for commercial operations and spending of £1,000b a year will be needed to support growth. E-commerce will grow annually at 86% with thousands of businesses shifting to the Internet from traditional methods. Europe will be the fastest growing region with a 118% annual growth rate. Consumers can already surf the Internet for the best deals, prices and quality. Support dealers will either fall in line and give service on purchases or vanish without trace. (4)
British shoppers spent a total of £175m on the Internet this Christmas:1.8m adults shopped online spending an average of £97 each. It is estimated that £70m was spent online last Christmas. 28% of the British population was connected to the Internet this Christmas as opposed to 11% last Christmas. However only 4% of Britain's population used the Internet for Christmas shopping. (5)
A computer is secure if you can depend on it and the software to behave as you expect. You TRUST the system to preserve and protect your data. Security can be compromised by a vengeful employee, an ignorant or untrained employee, a random virus, an unexpected bug or an act of god e.g. a lightning strike. (6) The aim of computer security is to preserve computing resources against unauthorised use and abuse, as well as to protect data that encode information from accidental or deliberate damage, disclosure and modification. The aim of communication security is to protect data that encodes information during its transmission in computer networks and distributed systems. (7)
The Data Protection Act and Computer Misuse Act
The Data Protection Act 1998 and The Computer Misuse Act 1990 are far too complicated to discuss. They would both be titles for other dissertations. Full details of the Acts can be found at http://www.hmso.gov.uk/acts/acts1998/19980029.htm#aofs and http://www.legislation.hmso.gov.uk/acts/summary/01990018.htm
Reasons to doubt the Implementation of Security
More than a third of UK businesses are not making use of easy-to-implement solutions to protect themselves against Internet crime and consumers' lack of confidence in security on the Internet is increasingly becoming the number one concern for online merchants. Another interesting issue is that 41% of online businesses fail to realise that they are financially liable when online fraud takes place. (8)
Payment Methods over the Internet
There are two payment methods used on the Internet, credit or charge/debit cards, which incorporate smart cards and electronic or digital cash. In both methods, cryptography is used to achieve security. This involves converting the transaction information from its unencrypted state called plaintext to an encrypted state called ciphertext. The ciphertext is transmitted and decrypted at the other end. Credit card details are not disclosed to online businesses but are stored in an encrypted form that is not accessible to the vendor. Only the bank and the credit card processor have access. (9)
Security Issues in respect of a Networked Computer System
There are many reasons why a networked system is more vulnerable than its stand-alone counterpart. These are:
Classes of Open System Interconnection (OSI) Security Services
The below services may be placed at the appropriate layers for Open System Interconnection (OSI)
An Introduction to Cryptography
Cryptography has been used for centuries to protect sensitive information from prying eyes, but it is really only in the last 20 years that it has become widely available. The traditional users of cryptography have been Governments and the Military and their main requirement has been to prevent unauthorised disclosure of information by means of encryption, using proprietary techniques.
In the mid-1970s, two remarkable developments took place in the world of cryptography, namely the introduction of a 'standard' encryption algorithm (i.e. the Data Encryption Standard (DES) Algorithm, as defined in the ANSI X3.92 standard) and the invention of public key cryptography. Thus, cryptography suddenly became public property and now, despite Government attempts to limit its use, many organisations regularly use cryptographic means to protect their data, both transmitted and stored.
The first companies to use cryptography in their everyday operations were those in the financial industry - banks, building societies, stock exchanges, credit card companies etc. Without the security offered by the DES Algorithm (the de facto standard within the financial world) the systems that nowadays we take for granted would be unusable because of fraud.
There are good reasons why symmetric (such as DES) are used. Specifically, most public key algorithms are slow in operation and therefore are not suitable for encryption of large amounts of data and also government restrictions tend to make it difficult to export equipment that can encrypt data with an asymmetric algorithm. (10)
The Internet is unregulated, wild and anarchic. Many businesses are too frightened to do business on the Internet and consumers are worried that their credit card details could fall out of the Internet and into the wrong hands. Vendors also worry that customers will not honour electronic contracts. Encryption solves both these problems, and makes electronic commerce a viable trading mechanism. (11)
Cryptographic Techniques are used to either protect the confidentiality of data units and traffic flow information or to support or complement other security mechanisms. There are three major cryptographic techniques used for encipherment:
An algorithm is called symmetric if it uses the same key as both the encryption key and the decryption key. The use of such an algorithm depends on the key being safely stored by the sending and receiving parties. Compromising the encryption key would allow outsiders to decrypt the message. The Data Encryption Standard (DES) is an example of a symmetric algorithm. DES was adopted by the US Federal Government in 1977 and was developed by IBM under contract to the National Bureau of Standards, now called National Institute of Standards and Technology (NIST). (12)
Asymmetric algorithms do not use the same key for encryption and decryption, but make use of a pair of different but mathematically related keys. One key is kept secret by the creator of the key pair (the private key) and the other key is made known to the correspondents of the key creator. A message encrypted with one key of the pair can only be decrypted by the other key of the pair. It is not possible to deduce one key from the other. Thus, a message encrypted by the sender with the receiver's public key can only be decrypted by the receiver using its private key. The Rivest-Shamir-Adleman (RSA) algorithm is an example of an asymmetric algorithm.
Asymmetric algorithms can also be used to provide authentication. If a message or part of a message is encrypted using the sender's private key and it can be decrypted using the sender's public key; the message can be authenticated, or assumed to have been sent by the sender. As asymmetric public keys can be held by many parties who may not know the holder of the private key, a certification authority is sometimes used to distribute public keys and to certify their relationship to the holder of the private key.
Generally, symmetric algorithms (such as DES) can be executed faster than asymmetric algorithms (such as RSA) because asymmetric algorithms require more processing time and resources. As a result, prices for computer hardware that can perform DES calculations are lower than those for hardware that can also execute the RSA algorithm. Consequently, those suppliers implementing encryption algorithms on IC chips concentrated first on implementing DES, but are now moving towards implementing RSA calculations. (12)
The most desirable review of security algorithms consists of a public review by as many cryptographic experts as possible in order to analyse and detect any weaknesses in the design of the encryption method. If an encryption algorithm has withstood this review (cryptanalysis) for a considerable time, one can be reasonably sure that it does not contain secret "trapdoors" or undetected weaknesses. The use of public and extensively reviewed algorithms is therefore an important security principle, and one that is often applied by suppliers of electronic money systems.
The strength of the encryption should not be based on the secrecy of the applied algorithm, but on the fact that the secret and private encryption and decryption keys are known only to the sender or receiver of the message. It is therefore very important to store these keys safely and to use encryption and decryption keys of sufficient length.
To assess the strength of encryption algorithms, it can be assumed that the algorithm and the ciphertext are known to an outsider. An outsider could try to discover the plaintext by testing all possible decryption keys. This type of attack is known as a brute-force attack or an exhaustive key search. The amount of processing resources needed to discover the correct decryption key through a brute-force attack for a given algorithm and a given key length can be calculated relatively easily.
A group of cryptographic experts recently concluded that technology currently available makes brute-force attacks against symmetric cryptographic systems with small key lengths both fast and cheap.
To provide adequate protection against the most serious threats, such as well-funded commercial enterprises or government intelligence agencies, key lengths of at least 90 bits are recommended for newly deployed systems. It is estimated that this key length will be adequate for the next 20 years. As far as asymmetric cryptographic systems are concerned, similar estimates are available, indicating that key lengths of 512 bits should be replaced by longer keys (768, 1,024 or 2,048 bits).
It should be noted, however, that key length itself is not a guarantee of a safe system. The complete spectrum of security measures (organisational, procedural and technical measures) will determine the security of a given system. The necessary key length will depend critically on the context in which the information must be secured. It is, therefore, not appropriate to presume that a system that applies the RSA algorithm with a key length of 768 bits is safer than a system for which a key length of 512 bits has been chosen.
Furthermore, developments within cryptography are directed not only at new algorithms but also at cryptanalysis of algorithms, an area in which significant improvements can be expected in the years to come. In particular, progress with respect to so-called differential and linear cryptanalysis could force system designers to re-evaluate the key management schemes and to update the security of the systems. (12)
A one-way hash function is a means by which a receiver of a message can verify that the message content has not been changed. The sender of the message uses the message text and the one-way hash function to generate a hash value. The receiver of the message repeats this action and compares the received hash value and the calculated hash value. If they are the same, it can be assumed that the message content has not been changed.
An essential characteristic of a one-way hash function is that it can only be computed in a single direction and cannot be reversed. Furthermore, it may not generate the same hash value for different messages. In order to limit the risk of generating the same hash value for different messages, an appropriate hash function and an appropriate length of the hash value (for example 128 bits) must be selected. Hash functions are also subject to public review by cryptographers and are treated in the same manner as encryption algorithms. Well-known hash functions include Message Digest 5 (MD-5) and the Secure Hash Algorithm (SHA).
Through the combination of a hash function with the use of cryptographic keys, only parties that possess the appropriate cryptographic key can be permitted to verify the hash value. This is a more complex process, depicted in Figure 3. The result of the function is called a Message Authentication Code (MAC). (12)
Challenge-response protocols are used to establish whether two entities involved in communication are indeed genuine entities and can thus be allowed to continue communication with each other. One entity would challenge the other with a random number, on which a predetermined calculation must be performed, often including a secret or a private key. In order to be able to generate the correct result for the computation, the other device must possess the correct private key and therefore can be assumed to be authentic.
The use of random or unpredictable numbers presents an attacker with an extra barrier, because past challenge and response values are not useful. The attacker will not be able to fraudulently authenticate a device by replaying an earlier recorded response because every response depends on a random input. (12)
Experience with key management is common amongst many payment system designers and operators as a result of their experience in executing and designing key management for point-of-sale environments. The relevance of sound key-management principles lies in the creation of extra barriers to attackers. For example, periodic changes of security keys (or different generations of keys) limit the usefulness of particular keys that an attacker might derive from an exhaustive key search.
Payment systems employing symmetric cryptography that use a single system-wide cryptographic key for encryption, decryption and authentication purposes are vulnerable to attackers, who only have to discover the single key to manipulate any aspect of the system. Designers of payment systems, therefore, abide by certain key-management practices that have been established in international standards on key management, such as ISO standards 10202, 11166 and 11568.
As a principle of sound key management, cryptographic keys are only used for one specific function. A load transaction is secured by a special load key, a purchase transaction is secured by a purchase key, a collect transaction is secured by a collect key, etc. Furthermore, keys are unique to a card or terminal, so that the compromising of a card or terminal key would contain the security breach primarily to this individual level. These card-specific keys are created by a process called key derivation. This process typically takes place during personalisation of the card and can be applied to generate all the card-specific keys (card load key, card purchase key, etc.).
In order to calculate a card-specific load key, for example, an arithmetic function is typically used that combines the system master key for load transactions with the card-specific identification number, for example the Integrated Circuit's (IC) serial number. The resulting value is used as the card-specific load key, which is stored in the IC chip. Whenever this particular card performs an online load transaction, the issuing bank reads the serial number of the IC card and recalculates the card's load key. In that way, both sides of the communication channel share the same individual key during the load transaction.
In addition to the use of derived keys, session keys are used as unique keys for every communication session. Session keys are special types of derived key that are based on the card's unique purchase keys, in combination with the transaction number of the card. The transaction number is derived from the card's transaction counter, which automatically increases for each transaction performed during the life of the card. A terminal holding the appropriate cryptographic key that receives the card's transaction number can recalculate the session key and use that key during a purchase transaction. The existence of these keys is limited to one session or transaction. New transactions will result in session keys with different values. The interception or possession of a session key will therefore not benefit an attacker for future use. (12)
Use of Algorithms and Functions
The cryptographic principles and building blocks described above are used to achieve security goals such as confidentiality, data integrity and authentication. Confidentiality is typically achieved by using DES as the encryption method. Although it can also be done by applying asymmetric algorithms, symmetric algorithms (both described above) are generally preferred due to performance and price considerations.
DES is also referred to as single-DES, to distinguish it from triple-DES. Triple-DES encryption consists of three consecutive operations (encryption, decryption, and encryption) in which two DES keys are used (or a double-length DES key). Triple-DES has been developed in response to the increasing processing capabilities of computers and ensures that an exhaustive key search would still demand a considerable amount of resources.
Several governments have established strict rules with respect to the commercial use and, in some cases, export of encryption algorithms, whether hardware or software-based. The main goal of these rules is to prevent the availability of powerful bulk-encryption processing capabilities, as these could be used for criminal purposes. As a result of these rules, the implementation of encryption in payment systems is often restricted to financial data only.
Data integrity and authentication (including non-repudiation) are achieved by using DES, triple-DES and public key algorithms such as RSA, and by applying well-known hashing and MAC algorithms, such as MD-5, SHA-1 and RSA. (12)
In addition to choosing appropriate cryptographic algorithms, payment system designers must ensure that secret and private cryptographic keys are stored safely and that tampering or eavesdropping will be detected or will result in the destruction of the remaining data. In practice, these keys are stored in security modules in host computers, payment terminals and payment modules, and on the IC chip. (12)
It can be stated that, in theory, cryptography allows payment systems to be designed in a safe and secure way. In order to breach the security of those systems, an attacker would need to steal the keys, to try all combinations of possible keys in sequence, or to apply the results of cryptanalysis using the discovered weaknesses or characteristics of the algorithms to break the algorithm. Depending on the key size used, the amount of time needed to succeed in such an attack can be calculated.
In symmetric cryptosystems, it would take a substantial effort to break a system with 56 bit keys such as DES, but this can be accomplished quite easily with special hardware. The cost of the special hardware is not insignificant, but is certainly not beyond the means of organised criminals, major companies and governments. Keys with 64 bits can probably be broken by major governments, and will be within the reach of organised criminals, major companies and other governments within a few years. Keys with 80 bits may become vulnerable in the near future. Keys with 128 bits will probably remain resistant to brute-force attacks for the foreseeable future.
The key lengths used in asymmetric cryptography are usually much longer than those used in symmetric ciphers. With asymmetric algorithms, the problem is not to determine the correct key, but to derive the matching secret key from the public key. In the case of RSA, this is equivalent to factoring a large integer that has two large prime factors. In the case of some other cryptosystems, the problem is equivalent to computing the discrete logarithm modulo for a large integer (which is believed to be roughly comparable to factoring). Other cryptosystems are based on yet other techniques.
For an RSA cryptosystem, a 256 bit modulus is easily factored by a computer user with average experience and resources. Keys with 384 bits can be broken by university research groups or companies; 512 bit keys are within the reach of major governments. Keys with 768 bits are probably not secure in the long term. Keys with 1,024 bits and more should be secure for a number of years unless major algorithmic advances are made in factoring; keys of 2,048 bits are considered by many to be secure for decades.
In practice, cost considerations will lead to design decisions with respect to the choice and application of certain cryptographic safeguards. These design decisions are not aimed at achieving the highest theoretical level of security, but at providing a level of security such that the cost of attacking a system will substantially exceed the possible financial gain to an attacker. The Task Force has not observed essentially different opinions among suppliers on issues such as the weaknesses and strengths of particular algorithms, necessary key lengths for symmetric and asymmetric algorithms, and the best key-management practices.
Although from a theoretical as well as a practical point of view it is possible to design sufficiently safe payment systems, it is critical to evaluate the actual execution of the security measures, in addition to the design of the systems. Such evaluations must take place periodically, as advances in cryptanalysis might expose weaknesses in the applied algorithms over time. Furthermore, it must be stressed that not only technical and cryptographic issues are a concern in these evaluations. The organisational and procedural design choices and execution of procedures must also be considered. (12)
Although the traditional users of cryptography (Governments and the Armed Forces) are mainly concerned with the prevention of disclosure of information via encryption, it turns out that many other users of cryptography are more interested in ensuring the integrity of information or that the origin of information is as claimed. Furthermore, whereas the privacy of the data is often provided by encryption within the communication system, the use of end-to-end cryptography, provided by the user applications themselves is often used to meet the other requirements. For cryptographic systems, the security requirements are usually defined in terms of Security Services. (10)
There are many such services, but the most common are:
So, for instance, whereas a government organisation may well be more interest in data confidentiality, a bank is much more likely to have a requirement for data integrity and non-repudiation. (10)
Access Control Mechanisms are used to authenticate identities of principals, information about these principals, or capabilities to determine and enforce access rights. If an unauthorised resource is attempted to be used by a principal or an improper type of access is used, the access control function rejects the attempt and may report the incident for the purposes of generating an alarm and storing it as part of a security audit trail. (7)
Data Integrity Mechanisms are used to protect the integrity of either single data units or sequences of data units and fields within these sequences of data units. (7)
Authentication Exchange Mechanisms
Authentication Exchange Mechanisms are used to verify the claimed identity of principals. Weak authentication exchange mechanisms are vulnerable to passive wiretapping and replay attacks. (7)
Traffic Padding Mechanisms are used to protect against traffic analysis attacks. They can only be effective if they are protected by some sort of data confidentiality service. (7)
Routing Control Mechanisms are used to either dynamically or by pre-arrangement chose specific routes for data transmission. If persistent attacks are noticed, the network service provider is instructed to establish a connection via a different route. (7)
Notarisation Mechanisms are used to assure certain properties of the data communicated between two or more entities, such as its integrity, origin, time or destination. The assurance is provided by a trusted third party in a testifiable manner. (7)
A Message Authentication Code (MAC) is a cryptographic checksum, calculated using a symmetric algorithm, which is appended to a message and which can be verified by the recipient of the message. As the MAC is dependent on the complete message, then any change to the message means that the MAC will fail to verify and so the received message will be rejected. The use of MAC is one method of providing the integrity and authentication services, but it is not appropriate for meeting the requirements for non-repudiation. (10)
Digital signatures prove identity. With public key cryptography, documents can be digitally signed. The recipient can check its validity by using the sender's public key to read the encrypted part of the message. As only the sender has their individual, private key, they must have sent the message. Digital signatures provide:
Digital Signatures are also cryptographic checksums, calculated using the private key of an asymmetric key pair, which is appended to a message and which can be verified by anyone with access to the corresponding public key. The digital signature is dependent on the complete message, so any change to the message will be detected. The real difference between MAC and a digital signature is that as well as providing integrity and authentication, the latter also provides non-repudiation. The reason for this is simple - only one party has access to the private key used to sign the message and so it would not be possible for a fraudster to generate a valid digital signature on a false message. The same cannot be said for a MAC, because the recipient of the message must have access to the same key as was used to generate the MAC.(10)
Digital signatures are not necessarily based on the mathematical problem of factoring. Signature schemes can also be based on other mathematical principles, such as the discrete logarithm problem. (12)
Because of the computational intensity of most public key systems, it is usual to sign only a hashed (condensed) version of the message. To prevent fraud, a hash function must be very carefully designed and must have, as a minimum, the following properties:
These simple-sounding requirements are extremely difficult to satisfy and very few suitable hash functions exist. The two most popular ones, at the moment, are the MD5 algorithm and the Secure Hash Algorithm, as defined in the FIPS 180-1 standard. (10)
The Current Position on Digital Certificates
BT estimates that the market for digital certificates will double in the next year. This will be augmented by improvements to standard software such as Windows 2000 which integrate digital certificates and PKI into the user interface and make it much more user-friendly. Royal Mail Viacode sold 100,000 electronic signatures in 1999 but expect to sell 4m this year caused by the growth in e-commerce, pressure from big companies on smaller ones. People can buy certificates from companies like Royal Mail, BT and some banks with the production of a driving licence etc and a means to confirm address. BT TrustWise charges £259 for its initial purchase and £199 for annual renewal. British courts will provide support for the adoption of new security technologies. The recipient of an electronically signed message can determine if the details have been altered in transit and The Electronic Communications Bill (ECB) will put it beyond doubt that courts can recognise electronic signatures. Trials are under way at Customs and Excise to establish the feasibility of filing VAT returns and making payments over the Net. However, the European Union has still not passed a bill itself.(3)
The market research company, Inteco says 72% of Internet users welcome government action to ensure security for online transactions. It says 64% would be willing to appear in person at a certification authority to verify their identity for a digital certificate. A member of the National Endowment for Science, technology and the Arts says that electronic systems would remove checking against a paper-based system. Letters would become legally binding documents. Many people would be able to hold conferences and agree on legal decisions over the Net without the need to meet physically.
However, a director of Licon, a systems integration house, states that most businesses would prefer payment by credit card which will prove sufficient identification. Standards must also be drawn up internationally.(3)
The ECB, should it be passed in May, would be the first document signed electronically by The Queen. She would also sign a paper form to keep up the unbroken filing record in the Lords library. There are 2 ways that she could sign. Firstly by running a stylus over a sensitive part of the computer screen or alternatively, by having her signature stores in a smart card within the machine which, at the press of a code, would deliver it to the screen. Stephen Byers, the Trade Secretary has already signed official documents on the Internet. (13)
Public Key Certificate and Infrastructure
A public key certificate is a link between a public key of an entity and a set of attributes relating to the identity of this entity. The main components of an X.509 cert are a public key, the identity and a Certification Authority (CA) signature. The CA is the entity that issues the digital certificates. The CA signature is made with the CA private key, which is strictly confidential.
The public key infrastructure (PKI) is the combination of infrastructure and procedures that allow for the creation, distribution and use of digital certificates. Technical aspects of the PKI are being standardised, whilst the procedures involved reflect legislation and practice. The PKI governs the life of a certificate.(14)
Public key cryptography is a software security technology that unlike previous schemes can be scaled to protect thousands or even millions of computer users. However, public key security can only achieve this remarkable coverage when underpinned by a suite of infrastructure software that enables it to be efficiently managed. The term Public Key Infrastructure describes this combination of public key cryptography and supporting infrastructure. Use of a PKI enables an organisation to move in safety away from paper-based business processes to fully electronic trading and administration. It provides computer users with a means of identity checking through the use of digital certificates - effectively cyber passports. It also enables computer files such as documents, graphics and forms to be digitally signed, as well as encrypted for safe storage or transmission. Many of the world largest banks and a growing number of governments have already implemented PKIs.
But PKI is a much-abused term. It is often incorrectly used to describe a stand-alone digital certificate issuing system for use by a Certification Authority. However, the ability to issue certificates is only one of ten PKI attributes.
The ten are:
1. Certification Authority Certification Authority because public-key cryptography isn't useful without an ability to issue certificates.
2. Certificate Repository Certificate repository (directory) so that applications can transparently get certificates on behalf of users.
3. Certificate Revocation System Without certificate revocation, it is impossible to know whether or not a particular certificate is still trustworthy and therefore of value.
4. Key Backup and Recovery system To ensure that information is not lost (FOREVER!), organisations must have a key backup and recovery system for encryption key pairs. This is a straightforward commercial need, regardless of government desires. It is a separate issue to key escrow.
5. Support for Non-Repudiation To support non-repudiation, however, the keys used for digital signature cannot be backed up. Therefore, every user requires two key pairs: one for encryption, which is backed up, and one for digital signature, which is generated by the user, never backed up, and is held under their control at all times.
6. Automatic Key Update Since key pairs must be updated over time, it is important that users' key pairs are updated automatically and transparently before they expire.
7. Management of Key Histories Users therefore end up with a history of key pairs over time. In particular, the history of encryption key pairs must be maintained: 1) by the key backup and recovery system, and 2) by the end users in their local key storage devices (e.g., profiles, smart cards) to ensure they can always decrypt anything encrypted for them in the past.
8. Cross-Certification To support interoperability with other domains of trusted users, the PKI must also support cross-certification.
9. Timestamping Trustworthy time is a required element of business in the paper-world; it is the same in the electronic-world. It is impossible, of course, to trust the time on users' machines; therefore, the PKI must provide a timestamping service.
10. Client-side software interacting with all of the above in a consistent, trustworthy manner
Finally, the PKI must provide client-side software that binds together all of the issues mentioned above. When you think about it, each of the items in the list requires infrastructure elements and client-side elements.
A PKI must provide all of these elements, otherwise it won't be valuable or usable. Take away any item from the list and the PKI's value either drops dramatically because it doesn't provide a fundamental service OR it is not usable by everyone (which, of course, drops its value). (10)
A new encryption system called E-larm has just been developed by William Johnson, which is based on a relatively straightforward idea based on a chaotic algorithm (a complex mathematical routine). The algorithm combines a shopper's credit card details and order information to create a unique coded number, which is then sent with a key over the Internet. Once received by the bank, etc, both code and key are passed through the same chaotic algorithm to decipher the message. The first code is checked against a database to ensure that it is a unique number to ensure secure encryption. It will be expensive since, if it takes off, each PC will need an E-larm chip. Williams is also working on a mouse that incorporates a finger print reader. The first tests could be carried out later this year. (4)
Problems associated with Cryptography
Cryptography provides privacy, authentication and non-repudiation. However, to be commercially secure, public key cryptography has to use keys that are 1024 or even 2048 bits long. With such big keys, encryption can be very slow. Even a fast computer can only perform a handful of public key encryptions per second.It is extremely demanding in terms of computer resources required to perform encryption, and can cause bottlenecks in the system. One such example came in October 1997 when US online brokerages were unable to keep up with customer demand for trades as the stock market crashed and recovered quickly. Internet servers can spend up to 90% of their time generating cryptographic keys. One solution is to transfer the cryptography onto a separate hardware accelerator, which can perform public key operations a hundred times faster than the average PC. (11)
Security of Protocols and Servers
The Transmission Control Protocol/Internet Protocol (TCP/IP), which is the core component of the Internet, has been designed to provide a high level of resiliency with a minimum level of overhead network information in the messages. As a result the TCP/IP protocol does not provide for a high level of security. The following measures have been aimed at providing additional security:
Normally, servers on the Internet, also called "hosts", use a Unix operating system. As a result of the security design of Unix (in which a super-user has considerable control to perform specific read and write operations) and the fact that it is impossible to control all the existing super-users of the Internet servers, it must be assumed that communications on the Internet can be overheard, deleted and possibly altered. (12)
A countermeasure is a feature or function that reduces or eliminates vulnerability. The use of cryptographic authentication at the network layer, for example, eliminates attacks based on machines spoofing other machines IP addresses and the use of strong authentication techniques reduces the vulnerability of transmitted passwords. (7)
A firewall creates a middle ground between networks. They are placed between an organisation's internal network and the external network, in this case, the Internet. They provide a simple way to control the amount and kinds of traffic that will pass between the two. The term firewall comes from the construction industry where a firewall is used to stop or slow the progress of fire. In the same way, the firewall limits the amount of damage: a hacker may break into one set of machines but it will protect others
A firewall is used for a number of purposes:
to automatically encrypt packets that are sent over between more than one of the company's physical locations. The Internet, therefore, is used as the company's own private Wide Area Network without compromising the data, often referred to as creating a Virtual Private Network
There are disadvantages associated with Firewalls
Management will decide which firewall mechanism is appropriate: blocking or permitting traffic. Firewalls cannot, however, protect against attacks that do not go through the firewall. A "helpful" employee might inadvertently end up giving modem pool access to an attacker. Should this happen, the attacker will be able to break into the enterprise's network by completely bypassing the firewall and leak company proprietary data through that route. Managers should be aware of this threat and have the appropriate security architecture.(15)
Firewalls come in different flavours: the most important classification is in the way the firewall works - some operate on the network or packet level, whilst others operate on the application level. Most current approaches combine the best characteristics of both approaches. A firewall is mandatory for any connection with a potentially hostile network, such as the Internet or any semi-public network. (14)
SSL is originally a Netscape driven but is now a widely available secure communications protocol. SSL provides a mutually authenticated, encrypted channel between the parties engaged in the communication. It operates at the session level, on top of TCP. Conceptually, an SSL connection is like a secure data channel. Other basic security functions, such as signing of the data for non-repudiation features are not part of the standard. They are used mainly between browser and Internet server, but can in principle also provide secure transport for any other application, such as telnet or ftp. (14)
An SSL is a protocol which will encrypt entire sessions between computers on the Internet. It is used widely on the Internet for dealing with financially sensitive information. SSL uses both public key encryption and private key encryption. (11)
Secure Electronic Transaction (SET)
Secure Electronic Transaction - is a standard for Internet transactions developed by VISA and Mastercard. American Express has also adopted SET. The SET protocols are designed to handle transactions between users, merchants and banks in which payment is made with some sort of payment card. SET comprises several protocols that handle different stages of a transaction. SET also uses a mixture of public and private cryptography. (11)
A probe is a device that constantly monitors traffic as it flows through the network. As soon as a suspicious traffic signature is detected, the probe will perform a predefined activity. Examples of activities are operator paging or even active termination of the suspicious connection. Probes are often placed in secure or semi-secure zones such as demilitarised zones. It makes little sense to place a probe in front of the firewall due to the amount of false alerts that may occur in the unscreened zone. (14)
Having good logs of all activities on your system is sound system administration practice. Particularly for exposed components, such as firewalls, routers or Internet servers, it makes sense to inspect and analyse the logs on a regular basis using an automated or semi-automated set-up. Ideally, the logs are centralised at a secure place, non- exposed to attackers. The logs should be kept for a reasonable amount of time; some loss of detail with ageing is acceptable. Besides security use, logs are also often used for other management purposes such as usage analysis.
Regular evaluation is crucial to keep security up to par with evolving technology. This evaluation can be lightweight and automated by a scanner, mainly a software program that will try predefined, well known attacks against your infrastructure. On the other side of the spectrum is the in-depth ethical hacking practice of the security expert that will try to leverage all available techniques to penetrate and provide corrective advice. Both approaches are complimentary - it is good practice to combine a daily-automated scan with a regular expert audit. (14)
Application layer security is essential since even the most advanced combinations of infrastructural security measures, such as SSL lack flexibility when it comes to application awareness. If you want to do specific things, like conditional encryption of the data or multiple signatures, then you will require some sort of security middleware. (14)
According to a NOP survey, 76% of large companies have Internet sites but 71% of them do not use the Net to send confidential or sensitive information.(3)
Businesses are spending huge amounts of money to make e-commerce safer. International Data Corporation says that sales of Net security software were worth £2.7b last year. In a Price Waterhouse Coopers survey of 1,600 IT staff from 50 countries, 73% reported some security breach or corporate espionage in the past year. IDC says that 22% of companies selling through the Internet reported data loss compared with 13% of companies that only provide information. Nearly half the companies surveyed could not even tell if they had lost revenues as a result of security breaches. The security risk is compounded by the growth of enterprise-wide technology solutions such as ERP and electronic supply chain management. But companies face a greater risk of losing revenue, data and trade secrets by becoming more exposed to computer viruses. The possibility of someone manipulating internal systems or software is also heightened. . KPMG state that 78% of companies have fears about the security of e-commerce and almost 25% consider security the biggest single barrier to it. On average, companies spend 12.4% of their budget on tackling the problem. Most Small and Medium enterprises are aware of the problems but not of the solutions that are out there in the market.(3)
The Consumer Association's Which Internet Trader logo vets companies and awards those that uphold high standards with a logo displayed on their sites to reassure customers about buying online. (8) If you have a problem with any of the recommended traders, Which offers you free legal assistance and will pay the first £50 of any outstanding bill. A full list of sites that have signed up can be found at www.which.net/Internettrader.(16)
Another scheme introduced by Trust On Line (www.trust-on-line.com) gives a badge to e-businesses that agree to a code of best practice. The terms compel them to clearly describe and include the full cost of the item, as well as agree to a privacy code and guaranteed delivery date.(17)
Clicksure also provide a certification service, which checks e-commerce sites against a set of criteria. Microsoft has also developed an electronic 'passport' which allows shoppers to enter their personal and financial details just once to purchase goods from a variety of online stores. (8)
This British Standard was developed as a result of industry, government and commerce demand for a common framework to enable companies to implement and measure effective information security management practice and to provide confidence in inter-company trading.
It is based on the best practices of leading British and International businesses and has met with international acclaim - it has been translated into French, German, Spanish and Japanese, and discussions are ongoing with a view to agreeing BS 7799 as an International (ISO) standard. BS 7799 consists of two parts; BS 7799: Part 1:1995 is The Code of Practice - providing guidance material to help companies to implement their own information security system; BS 7799: Part 2: 1998- is the requirements Specification - against which an organisation is assessed for compliance and subsequent certification.
BS 7799 relates to all information regardless of the media on which it is stored and transmitted, or where it is located. Every business needs a system to manage risks to its information in a systematic way and this standard provides guidance on the best controls available. (10)
A brief Introduction to Internet Fraud
Credit cards were first introduced in Britain in 1966 and with their introduction came fraud. This year, online transactions account for a mere 1% of daily card activity in the UK but make up to 50% of all complaints about unauthorised charges. Hackers are not normally to blame since they are more interested in defeating security systems of large companies than acquiring goods for personal gain and stolen or invented credit card numbers are risky since the thief has no idea whether he will defeat the security system until he presents them (21). In America, 7% or 6m people have been victims of online fraud according to the National Consumer League. In Europe according to recent tests by the Consumers International lobby group, 8% of online purchases never arrive. (3)
Examples of Internet Fraud and Sabotage
Thanks to consumer legislation virtually unique to the UK, the credit card owner does have some protection. No credit card company can demand payment for fraudulent charges or goods that you ordered but never received. However, it is not the credit card company that assumes the charges. They simply take the money straight out of the company's account that accepted the order in the first place even though it may have been approved by the card company's own verification system. (18)
There are very few examples of penalties given for hacking and the only references I have found are:
How much does Online Fraud cost?
Once again, there are few references to this since companies do not wish to disclose how much they have lost and it could also indicate that their site may be open for attack. No stock-market-quoted companies reveal any figures in their stock-market filings and the only company willing to talk about fraud was UK firm Trident Online (www.tridentonline.com) which sells electronic goods. The group director stated that since the beginning of November, 18 out of 77 orders have turned out to be fraudulent. Nearly all of these were authorised by their clearance services, which meant that the credit cards were not stolen. More likely the details were taken from a database or a discarded slip. One fraudulent transaction cost the company £10,000. (18)
Internet Security-Risk Assessment
Three basic questions need to be answered:
Security should consider:
An attack can occur on an individual host, which is called a host compromise, or a communication compromise can occur as the result of a subversion of a communication line within a computer network or distributed system. There are different types of attack:
There are a number of attack devices. Trojan Horses look like another program, worms go through your hard drive and bite chunks out of each file, wabbits multiply themselves and fill up the hard drive and logic bombs which are set to go off on a particular date. These can either be attached on e-mails as .exe files or put into a system after it has been hacked into.
How to discover a Hacker/Intruder
There are a number of ways to catch an intruder:
There are three major rules:
1. Don't panic-merely a human error or software failure may have occurred or the hacker may not have done any damage. However, it is important to obtain and protect evidence that may be needed in an investigation and it is necessary to get the system back into normal operation as soon as possible. Another thing to be considered is how can you tell for sure if changes have been made and can it happen again?
2. Document-record everything you find from an investigation into a notebook and try to record your entire session with the SCRIPT command if you are using UNIX.
3. Plan Ahead-the steps taken when a security breach occurs must be well rehearsed e.g. virus drills could be practiced. (6)
The six major steps in handling a Breach
1. Identify and understand the problem
2. Contain or stop the damage
3. Confirm your diagnosis and determine the damage
4. Restore your system
5. Deal with the cause
6. Perform related recovery-you may have to even rehearse the acceptance that you made a mistake (6)
Employees must be trained to ensure protection of the company's computer resources. They should report any problems to the system's administrator who manages Internet security. He should post warnings about security breaches and issue immediate solutions and software patches to problems immediately after they are discovered. (15)
New ways to prevent Internet Fraud
Banks are planning to launch special credit cards with lower spending limits probably below £500 for online shopping following a sharp hike in Internet-based fraud. Credit card fraud increased by 40% largely because of organised gangs such as Chinese triads and the eastern European Mafia targeting the Internet. Hundreds of fraudulent Internet sites have been set up offering non-existing goods and services. Online shoppers enter their credit card details which are then used to fund illegal shopping sprees and the online shoppers do not notice that anything is amiss until they do not receive their goods and receive their bills. MasterCard is working with several banks to launch these cards by the summer, HFC using www.marbles.com looking likely to be the first. Normal cards will still be accepted unless online fraud continues to escalate dramatically. The only difference between the new cards will be that they will not be accepted on the high street. MasterCard is also preparing to launch an online accreditation scheme for reputable sites. As well as stamping out fraud, the scheme is also aimed at unreliable retailers. Sites that generate a high number of complaints and disputes from credit card holders will not be accredited. In the meantime, experts suggest that you only shop online at well-known firms and, if in doubt, look for a telephone number. The Consumers' Association also runs an accreditation scheme. (26)
The trade body for banks that handle credit card transactions, the Association for Payment Clearance Services readily admits that it is the retailers who are taking the brunt of the cost of net fraud, largely because the plastic card is not up to the job. Over the coming year, the card industry plans to introduce new cards with extra security features that should make it impossible to place an online order without having physical access to the card itself. A new system for verifying the real address of the cardholder, fast becoming standard in America, will soon be in place. A digital world, however, demands digital money and not 16 number plastic cards designed in the sixties. Little-used smart cards and Internet currencies such as Beenz (www.beenz.com) are more the shape of the future. (18)
Steps an Online Customer can take to avoid Online Fraud
There are a number of policies to be considered
In a banking environment, integrity and auditability are usually the most critical concerns, while confidentiality and availability are the next in importance In a national defence system that processes classified information, confidentiality comes first and availability last. (6)
What Security Companies offer and their Advice
E-Security firms develop and sell security software to online businesses who wish to ensure that transactions made on their web site are secure.
In addition to identifying and examining vulnerabilities, security assessment services will determine the synergy and effectiveness of security policies, controls and technology. Security companies not only provide independent analysis of entire security infrastructures, but they also measure organisation against industry best practices in the following areas:
However, detection of unauthorised access is not the name of the game. Prevention is. Once a computer or network links to the Internet, it becomes open and vulnerable to an assortment of outside parties and some of those parties have less than honourable intentions.
Hackers are finding increasingly ingenious ways to break into networks and are getting through firewalls at the application layer. They are getting in through poorly secured branch office connections.
Although there's nothing that can guarantee 100% protection for networks or the confidentiality and integrity of the transactions moving across networks, there are security solutions that can substantially reduce the risk that valuable data will be lost or systems compromised. They also minimise the chance that business data will be disclosed to unauthorised parties and ensure that applications remain available and perform as designed.
According to the International Security Forum, the probability of a major security incident falls as effective security programs are implemented. Security experts advise that to provide a secure environment for electronic business, an effective security program must be integrated from the start into an enterprise-wide infrastructure. Otherwise, there will be gaping chasms for lurking intruders.
What can be done to thwart unauthorised access to an electronic business site?
Technology alone will not prevent unauthorised access. Common sense and strong enforcement of an integrated, enterprise-wide security program will go a long way to protect electronic commerce business. (29)
It seems strange but about 50% of security companies who are on the Internet do not include details of who they provide their E-security systems for. Never-the-less, here is a non-exhaustive list of E-security companies and types of business they implement security solutions for. Please note that all companies were e-mailed but few replied so I have included copies of those who did reply in order that they may be accredited for this
Baltimore Technologies
http://www.baltimore.com/
Customers: ABN-AMRO Bank, Australian Tax Office, Bank of England, Bank of Ireland, Belgacom, Digital Equipment, European Commission, Home Office (UK), IBM, Lehman Brothers, Ministry of Defence (UK), NatWest, NIST (USA), PTT Post (Netherlands), S.W.I.F.T., Tradelink (Hong Kong), TradeVan (Malaysia) and VISA International.
Certco
http://www.certco.com
Subject: RE: E*Security Date sent: Thu, 27 Apr 2000 11:54:23 -0400
Companies who need us are the ones that act as trusted third parties in the real world, and are seeking to play that role electronically. That means banks, on-line exchanges such as commodities exchanges, auction houses, clearing houses, and aggregators such as on-line marketplaces for auto parts. All of them are in the business of ensuring the identity and trustworthiness of mutually unknown parties. This is a different play on "security", since our customers are really vouching for the identity (and binding of key to identity) of their own customers. This requires extremely secure operations, but also business and legal relationships. Jim Hewitt CertCo Inc.
Checkpoint
http://www.checkpoint.com
Customers: Telecom Italia, Intel (R) Itanium (TM)Entrust http://www.entrust.com Customers: Chase Manhatten Bank, New York Life Insurance Company, U.S. Federal Government, Bank of Bermuda, Royal Mail, Scotiabank, RBS, JP Morgan
Certicom
http://www.certicom.com
Customers: Bank of Montreal, Montreal through 724 Solutions, BEA, Pitney Bowes, The Toronto Dominion Bank, Compaq, Motorola
Chrysalis
http://www.chrysalis-its.com
Customers: banking, government and healthcare
Content Technologies
http://www.mimesweeper.com
Customers: Mainly ISP's to protect against virus's, etc: Hiway ISP
Elock
http://www.elock.com
Subject: elock questions Date sent: Thu, 27 Apr 2000 15:19:00 -0400 you asked about what types of firms we deal with and the answer is anyone who is using or implementing PKI. PKI is mainly being used in financial, health care and insurance verticles with an increasing focus on Government accounts. If you have any more questions please feel free to e-mail me those questions.
Customers: Deloitte Consulting, Medical Data Service, Acrobat Collaboration Technologies, Government of Anguilla
F-Secure
http://www.f-Secure.com/corporate/
Customers: European Governments, Major International Airlines, NASA, US Air Force, IBM, Unisys, Siemens-Nixdorf
KyberPASS
http://www.kyberpass.com/
Subject: RE: Security Date sent: Fri, 5 May 2000 08:25:02 -0400 Hi Richard, KyberPASS implements its security solutions for governments, financial institutions, healthcare organziations, and small private businesses. Please let me know if you require further information. Regards, Marisa Marisa Marzano Account Executive High Road Communications
Ncipher
http://www.ncipher.com/
Customers: Online Brokerages - Many of the world's top online brokerage firms, including EQ Online, DLJdirect, Suretrade, National Discount Brokers, Firstrade.com, Brown & Company, among others, rely on nCipher to keep their online transactions secure while maximizing server performance. International Financial Institutions - Premier financial institutions such as Barclays Bank and Abbey National Bank depend on nCipher to help secure online transactions and create a scalable e-commerce infrastructure that willconsistently meet customer demand -- regardless of the transaction volume. Internet Hosting and Application Service Providers - Providing customers with a fast, secure environment is paramount to the success of any ISP or ASP. That's why leading service providers such as Microsoft Hotmail, Digital Insight and Adero use nCipher to optimize server performance and secure online transactions. Certification Authorities and Certification Services - Leading certificate authorities including Equifax, GlobalSign, and InterClear depend on nCipher's acceleration and security solutions. Technology Companies - Technology organizations including Microsoft, Netscape, E-stamp.com and Brodia, count on nCipher to keep their online business secure and running at peak efficiency. Government Agencies - From the US Navy to the US Department of Defense, government agencies around the world depend on nCipher's security and performance solutions to keep their online transactions safe and secure.
Subject: RE: [Fwd: E*Security] Date sent: Thu, 27 Apr 2000 10:43:28 +0100
Richard, Our primary target has been financial, Focused at the traditional bricks and mortar, for example Natwest and the other large multinationals. Online banking too is taking off, our most recent high profile UK account is Egg.com. Other online industries statring to take off in Europe are the online travel Industry. Last minute.com being our first high profile travel account. Look out for the press releases on our website. I believe the site already contains a ref. from the Finish online trading firm Online One. as well as natwest and soon Egg. hope this helps. Mark Abraham
RSA Security
http://www.rsasecurity.com
Customers: RSA Security customers span a wide range of industries, including an extensive presence in the e-commerce, banking, government, telecommunications, aerospace, university and healthcare arenas. Today, more that 5 million users across 4,500 organizations (including more than half of the Fortune 100) use RSA SecurID authentication products to protect corporate data, and over 500 companies embed RSA BSAFE software in some 1,000 applications, with a combined distribution of over 450 million units worldwide. No specific companies are mentioned on their site.
Tumbleweed
http://www.tumbleweed.com
Customers: (NASDAQ: TMWD) today announced that that more than 50 leading law firms worldwide have chosen Tumbleweed WorldSecure™ to secure and manage their business communications on the Internet. Companies that rely on Tumbleweed IME and WorldSecure products include American Express, Chase Manhattan Bank, Datek Online, the European Union's Joint Research Council, United Parcel Service, Pitney Bowes, and the United States Postal Service.
Unisys
http://www.unisys.com
Customers: a wide variety U.S. federal and state government agencies and local governments
Valicert
http://www.valicert.com/
Customers: As enterprises around the world move to paperless communications over public networks, ValiCert's customer list has grown to include a wide variety of Global 2000 organizations in the financial services, telecom, healthcare, e-Business, and government sectors. Whether the user is a web-based e-tailer doing commerce over the Internet, or a large corporation, sharing critical information over an intranet, or a government agency transmitting confidential data over an extranet, ValiCert's products and services provide security products and services that are adaptable and complete. Verisign http://www.verisign.com Customers: Smile Internet Bank, First-E Internet bank, QXL Auctions, Provides services for, amongst others, Arabtrust in the Middle East, BritishTelecommunications UK, CIBC Canada, CertiSur of Argentina, Certplus of France, eSign of Australia, HiTrust of Taiwan, KPN Telecom of the Netherlands, Roccade of the Netherlands, the South African Certification Agency in South Africa, and VPN Tech of Canada.
WorldPay
http://www.worldpay.com
13% owned by Natwest/RBS Strategic partnership with The Sage Group plc to accelerate the ability of Sage's 2.2 million corporate customers to become fully e-commerce enabled and transact business over the Internet. Strategic alliances with Cardservice International in the USA. Distribution partnerships with NatWest, Virginbiz.net and Freeserve in the UK, and PSINet, National Data Corporation, Cardservice International, USA.
Online fraud and hacking are widespread and, hence, many companies have delayed their e-commerce plans because of security worries. Companies are challenged with taking advantage of the business benefits the Internet has to offer while minimising the risk to their operations The Internet is inherently insecure because it is a public network that has no central management or control.
The primary concerns are:
The growth of E-Commerce is hindered by:
The main problems are:
Solutions
In a speech on May 9, 2000, Bill Gates called on the computer industry to follow Microsoft's lead and start building smart cards into their technology to resolve security concerns.
Smart cards hold personal information, such as computer passwords. Gates envisions a future where a person can simply slip a smart card into a computer--as opposed to remembering dozens of passwords--to access corporate networks. "Today the weakest link in security management is the fact that passwords are used to identify who is running the system. People are writing them down and using the same passwords on systems that are less secure," he said (32).
E-commerce will only take off when online customers feel at ease. E-commerce sites must deliver the highest levels of trust and security so customers can be certain that the site is real, and that the information they send via Internet browsers, mobile phones, and other devices stays private. Strong security policies and standards are the foundation on which any successful e-business is built. I actually believe that the strongest recommendation to be that all sites that trade goods/services and handle data must be compulsorily secure. Hackers must be given long sentences for crimes, which are punished more heavily for equivalent crimes in the real world. We are just at the start of the virus-spreading and breaking into sites and Governments must link with large IT and e-security firms to nip the problem whilst it is still in the bud stage. However, the problem will not disappear over night since systems and sites expose themselves and hackers love the opportunity to break in.
For site security, the standard is there: the letter 's' after 'http'. The Internet must be kept simplistic to cater for all types of users. If the letter 's' is there, it must be held as safe to pass details and the company which has provided the letter 's' should be liable if fraud occurs.
E-security is the major growth area in IT in terms of the number of jobs available and the number of firms wanting implementations and solutions. This dissertation will be of use to people wishing to find employment in this industry. Baltimore Technologies, a leading e-security company, reported that even though the company made an overall loss, first quarter revenues of £9.5m were double that of last year. (31) The problem with this dissertation is that it will be out of date tomorrow..
1. The Times,27 November 1999
2. The Times 22 February 2000
3. The Sunday Times 6 February 2000.
4. The Sunday Times 13 February 2000
5. The Times 7 January 2000
6. Practical UNIX & Internet Security, Garfinkel and Spafford, O'Reilly and Associates, 1996
7. Internet and Intranet Security, Rolf Oppliger, Artech House, Inc, 1998
8. E.Business Magazine, Crimson Publishing, February 2000
9. The Sunday Times 20 February 2000
10. http://www.infosecurity.co.uk/page.cfm
11. http://www.ncipher.com/products/index.html
12. http://cryptome.org/BIS_smart_security.html#6
13. The Times 19 February 2000
14. http://www.securitywatch.com
15. Building a Corporate Internet Strategy. Amit K. Maitra. Van Nostrand Reinhold 1996
16. Internet made easy, Paragon Publishing, Issue 5
17. The Times Interface 27 March 2000
18. The Sunday Times 23 January 2000
19. The Sunday Times 11 January 2000
20. The Times 25 March 2000
21. The Times 12 February 2000
22. The Times Interface 14 February 2000
23. The Times Interface 17 April 2000
24. The Times 9 February 2000
25. http://www.hackernews.com
26. The Sunday Times 30 January 2000
27. http://www.unisys.com/security/default-01.htm
28. http://www.unisys.com/security/default-02.htm
29. http://www.unisys.com/home/e-security
30. The Times Interface 8 May 2000
31. The Times 10 May 2000
32. http://news.cnet.com/news/0-1003-200-1845222.html?tag=st.ne.ron.lthd.ni
33. The Times 8 May 2000
34. The Times Interface 10 January 2000