
TOPIC

Value interchange relies on the secure exchange of encrypted symbols: discuss how this statement describes the financial flow of e-commerce. Describe and discuss the need for encryption and look at PKI, SSL, man in the middle attacks, key loggers, shoulder surfing, social engineering and phishing.

By Marelize Grobbelaar

This Assignment is submitted in partial fulfilment of the requirements of the Module: Logistics Decision Support Systems in the FACULTY OF MANAGEMENT at the UNIVERSITY OF JOHANNESBURG

Place: Krugersdorp
Month / Year: 15 April 2011
Student No.: 200703718
Current Contact Tel. No. (Work): 011 955 4489
(Cell No.): 083 379 1493

I HEREBY CERTIFY THAT THE ASSIGNMENT IS MY OWN ORIGINAL WORK.

_________________________ STUDENT SIGNATURE ___________________ DATE

Table of Contents
1. Written Declaration
2. Introduction
3. The secure exchange of encrypted symbols in the Financial Flow of e-commerce
4. The need for Encryption
5. Types of Data Encryption
5.1 Public Key Infrastructure (PKI)
5.2 Secure Socket Layer (SSL)
6. Types of Attacks to obtain information
6.1 Man in the Middle Attacks
6.2 Key Loggers
6.3 Shoulder Surfing
6.4 Social Engineering
6.5 Phishing
7. Conclusion
8. Bibliography


Table of Figures
Figure 1: Data encryption process
Figure 2: Man in the Middle Attacks


1. Written Declaration

I understand that plagiarism means presenting the ideas and words of someone else as my own, without appropriate recognition of that source;

I confirm that the work I submit for assessment is my own, except where I explicitly indicate otherwise;

I have fully acknowledged all words, ideas and results from other sources that I have used in this assignment through a generally accepted style of quotes, references and bibliography;

I am aware that the university views plagiarism as a serious offence that can be punished by a disciplinary committee;

Source: The University of Cape Town

Marelize Grobbelaar

_____________________


2. Introduction

We send data across various networks for business and personal purposes, and that data carries valuable information such as personal information, business contracts, sensitive financial details and so forth. Businesses use the internet and e-commerce as a channel to move goods, services and money in order to gain competitive advantage, achieve increased profits, reduce costs and increase the speed of transactions. It is of utmost importance that all transactions and communications through the internet have strong and extensive security that can give individuals and companies the necessary confidence to do business online. This is achieved by implementing various security programmes and relying on these programmes to exchange information in a secure manner by encrypting the information. Within this thesis the following matters will be discussed:

1.1. The secure exchange of encrypted symbols in the financial flow of e-commerce, and
1.2. The need for encryption with specific reference to Public Key Infrastructure (PKI), Secure Socket Layer (SSL), man in the middle attacks, key loggers, shoulder surfing, social engineering and phishing.

3. The secure exchange of encrypted symbols in the Financial Flow of e-commerce

In the world we live in today we fully rely on technology, such as the internet and e-commerce. A part of technology which has grown extensively is the financial flow of e-commerce. Online banking is the main channel through which businesses and individuals do most of their financial transactions. Another channel that is used for financial flow is online credit card purchases. Customers will supply their credit card details (or any personal information) only when they are convinced that their information, especially financial data, is secure. To minimize risk and to ensure customers are confident enough to submit their personal information, a business needs to implement a complete and secure trust infrastructure. A trust infrastructure is based on encrypting the data that is being transmitted through e-commerce.


4. The need for Encryption

Encryption is very important for business use because it protects data that is stored and processed on computer systems, as well as data that is transmitted electronically through various networks, from hackers or competitors. The message or data that is being transmitted gets scrambled, and the only way to decrypt the message or data is by means of a secret code or key. Encryption minimizes the risk of data being captured, transformed or abused by outsiders. The process of data encryption is illustrated in Figure 1 below.

Figure 1: Data encryption process (Source: Digital Signature and PKI. Available at: http://www.scribd.com/doc/6928677/17-Digital-Signature-and-PKI (Accessed 12 April 2011))

5. Types of Data Encryption

There are various types of data encryption that can be used to secure data transmissions. The two types of data encryption that will be discussed are Public Key Infrastructure (PKI) and Secure Socket Layer (SSL).

5.1 Public Key Infrastructure (PKI)

Public Key Infrastructure is a vital tool that allows users to exchange data and money in a safe, secure and private manner through the use of a private and public cryptographic key pair. This key pair is shared by the sender and receiver and should be obtained through a trusted source. The PKI tool is most commonly used by online banking services.


5.2 Secure Socket Layer (SSL)

Secure Socket Layer (SSL) protocol is the second type of encryption to be discussed in this section. SSL is based on the implementation of digital signatures and PKI. It is used on the web to facilitate the authentication of web sites and the encryption of the communication channel between web servers and users, thus establishing e-commerce trust.
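The web site authentication and channel encryption described above only hold when the client actually verifies the server's certificate. The following added example (not part of the original assignment) uses Python's standard ssl module, which implements SSL's successor TLS, to audit a client configuration; the function names audit_tls_context, weak_context and hardened_context are hypothetical.

```python
import ssl


def audit_tls_context(ctx):
    """Return findings for settings that weaken server authentication."""
    findings = []
    # Without a required certificate the server's identity is never proven.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not required: server is not authenticated")
    # Without hostname checking, a valid certificate for another site passes.
    if not ctx.check_hostname:
        findings.append("hostname not checked: certificate is not tied to the site")
    # Protocol versions older than TLS 1.2 have known weaknesses.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def weak_context():
    """Client context with verification switched off (traffic is still
    encrypted, but the peer could be anyone)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Client context that verifies the certificate chain and the hostname
    against the system's trusted certificate authorities."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        findings = audit_tls_context(ctx)
        print(name, "->", findings if findings else "no findings")
```
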

6. Types of Attacks to obtain information

6.1 Man in the Middle Attacks

A man in the middle attack is where the communication between two users is intercepted and secretly monitored by an unauthorised third party (the middle man). Figure 2 illustrates this definition perfectly:

Figure 2: Man in the Middle Attacks (Source: Man-in-the-middle attack. Available at: https://www.owasp.org/index.php/Man-in-the-middle_attack (Accessed 12 April 2011))

6.2 Key Loggers

A key logger is a type of Trojan virus that gets downloaded and installed on a user's computer without the user noticing it. Once this virus is installed it picks up and records keystrokes and clicking patterns and then transfers the information to a host computer. It can gather information such as personal information, credit card information, user names and passwords.

6.3 Shoulder Surfing

Shoulder surfing is when someone is secretly observed from behind while entering personal information such as passwords and PINs. For example, attackers observe a person drawing money from an ATM in order to obtain their PIN before they steal the bank card.

6.4 Social Engineering

Social engineering is where information is obtained by means of manipulation, thus convincing the targeted person to reveal their personal information.

6.5 Phishing

Phishing is almost like social engineering: the attacker sends spam or uses malicious websites or pop-ups within a website to obtain personal information from the user. For example, an email is sent from the attacker claiming to be a financial institution that requires you to change your account information.

7. Conclusion

Given the fast growing rate of technology it is important for businesses to engage in e-commerce. However, all of the above-mentioned attack methods should be monitored closely and security methods should be upgraded frequently to ensure the secure flow of communication, data and finance across the internet. Companies and individuals should make sure that they have a secure and trusted infrastructure in place so that they do not become a victim of an attacker, resulting in the loss of personal information.

8. Bibliography

Allen M. Social Engineering: A Means To Violate A Computer System. [Online] Available at: http://www.sans.org/reading_room/whitepapers/engineering/social-engineering-means-violate-computer-system_529 (Accessed 12 April 2011).

Binder JC. Introduction to PKI - Public Key Infrastructure. [Online] Available at: http://www.scribd.com/doc/40437802/PKI-V11 (Accessed 12 April 2011).

Johnson M. A new approach to Internet banking. [Online] Available at: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-731.pdf (Accessed 12 April 2011).

Phishing. [Online] Available at: http://www.onguardonline.gov/topics/phishing.aspx (Accessed 12 April 2011).

Rajagopalan R. Digital Signature and PKI. [Online] Available at: http://www.scribd.com/doc/6928677/17-Digital-Signature-and-PKI (Accessed 12 April 2011).

Schuldt W. What Is Keylogger Virus? [Online] Available at: http://www.ehow.com/facts_5021925_keylogger-virus.html#ixzz1JIs44nyh (Accessed 12 April 2011).

Understanding Public Key Infrastructure (PKI). [Online] Available at: http://www.scribd.com/doc/44602358/Understanding-Pki (Accessed 12 April 2011).

Walter C. What is the Point of Encryption if you Don't Know Who For? [Online] Available at: http://www.securitydocs.com/library/3301 (Accessed 12 April 2011).
