SECURITY ISSUES

1. Smart Card is a credit card-sized device with an embedded microchip to provide electronic money and processing capability. It can store the user's financial facts, health insurance data, credit card numbers and network identification codes and passwords.
2. Asymmetric encryption uses a Public Key and a Private Key.
3. Public key encryption is asymmetric key encryption.
4. RSA algorithm deals with encryption.
5. Which one is not related to on-line payment? Delayed payment
6. Digital signature does not give us acquisition.
7. Firewalls operate by screening packets to/from the Network and provide controllable filtering of network traffic.
8. Trojan Horse is a program that performs not only a desired task but also includes unexpected malicious functions. True
9. While making payment using electronic check, credit and debit cards, the server authenticates the customers and verifies with the bank that funds are adequate before purchase. True
10. Pretty Good Privacy (PGP) is an implementation of public-key cryptography based on RSA.
11. Kerberos is a popular 3rd party protocol.
12. Which one is not a security threat to the e-commerce websites? Spooling
13. Which one is not a security tool available to protect e-commerce? Buffering
14. Data Encryption Standard (DES) uses a 64-bit encryption key.
15. S-HTTP is Secure Hypertext Transfer Protocol.
16. Which one of the following is a protocol for secure messaging? PGP, PEM, S/MIME
17. SHA is more secure than MD5 by a factor of 2^32.
18. By security in e-commerce we mean:
    Protecting an organization's data resource from unauthorized access
    Preventing disasters from happening
19. Public key encryption method is a system in which each person who wants to communicate has two keys: a private key known to him only and a public key which is publicized to enable others to send messages to him.
20. In electronic cash payment:
    A customer withdraws coins in various denominations signed by the bank.
    The bank has a database of issued coins.
    The bank has a database of spent coins.
21. SET protocol is used for securing card transactions.
22. If Z=160 and E=7, then for what value of D will (ED mod Z = 1) be satisfied? 23
23. Flood Attack by attackers happens on the server.
24. Use the SHIFT CIPHER with key=17 to encrypt the message WBUT. The cipher text will be NSLK
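Worked answers to questions 22 and 24, as an added example that is not part of the original notes: D is the modular inverse of E modulo Z, computed here with the extended Euclidean algorithm (note that Z = 160 = (11-1)(17-1), the RSA totient for n = 187, so question 22 is exactly the RSA private-exponent computation), and the shift cipher moves each letter key positions along the alphabet. The function names are my own.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, z):
    """Smallest positive D with (e * D) % z == 1 (question 22).
    Raises ValueError when no inverse exists, i.e. gcd(e, z) != 1."""
    g, x, _ = extended_gcd(e, z)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {z} (gcd = {g})")
    return x % z


def shift_cipher(text, key, decrypt=False):
    """Shift (Caesar) cipher over A-Z (question 24).
    Letters are shifted by key positions; other characters pass through."""
    k = (-key if decrypt else key) % 26
    out = []
    for ch in text.upper():
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    d = mod_inverse(7, 160)                      # question 22
    print("D =", d, "check:", (7 * d) % 160)     # D = 23, check: 1
    print(shift_cipher("WBUT", 17))              # NSLK
    print(shift_cipher("NSLK", 17, decrypt=True))  # WBUT
```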
1.A. What are the different modes of payment in E-Commerce?
The various forms of payment for e-commerce are given in the following paragraphs:
Credit cards: The easiest form of electronic money that is available and most widely used today. Several million credit cards are being used to make online payments in India.
Debit card: The second largest e-commerce payment medium in India, together with net banking. Very often, for customers who want to stay within their spending capacity, paying for things online using a debit card proves to be the preferred choice. With a debit card, one can only pay for purchased goods with the money that already exists in the current or savings account, as opposed to a credit card, where the amounts the buyer spends are accumulated and have to be paid as a bill at the end of the billing period.
Cash on delivery: CoD has emerged as one of the most sought-after services for e-commerce entities, and it is reported that in some cases as many as 50 per cent of orders are placed with various online retailers with this payment option, while the remaining orders use credit card or bank payments. In India, many customers tend to prefer CoD as the online payment modes are yet to catch up in many parts of the country.
Net banking: Another easy way to make payments for online transactions. It uses a method similar to the debit card, paying from money that exists in the user's current or savings account, but net banking does not require the user to have a card for the payment. While completing the purchase the consumer needs to enter their net banking id and PIN.
Mobile Money: Out of India's 1.2 billion people, only a small percentage have bank accounts. Among that massive unbanked population, many hundreds of millions have mobile phones, and for them mobile money is likely to be hugely beneficial. Even for smaller transactions, where credit cards are not accepted, it might be simpler to just hand over cash. But if you don't have sufficient cash, then mobile money becomes useful.
Reward Points: A more indirect way of paying online is with reward points. On certain purchases a number of reward points are awarded and added to the buyer's account. In a later transaction, the buyer can choose to pay for the purchase with the accumulated reward points, which replace what they would otherwise pay as money.
Prepaid Cards: This is a relatively new and fast-growing payment method. Typically, a consumer may buy or be gifted a prepaid card that can be used online, usually for a particular brand or retailer. Some online retailers sell their own gift cards to their customers, who in turn may use them for themselves or give them as gifts. Gift cards have their own authentication system, and this may vary from issuer to issuer.
1.B. What is SET Protocol?
Secure Electronic Transaction (SET) is a system for
ensuring the security of financial transactions on the
Internet.
It was supported initially by MasterCard, Visa, Microsoft,
Netscape, and others.
With SET, a user is given an electronic wallet (digital
certificate) and a transaction is conducted and verified
using a combination of digital certificates and digital
signatures among the purchaser, a merchant, and the
purchaser's bank in a way that ensures privacy and
confidentiality.
SET makes use of Netscape's Secure Sockets Layer
(SSL), Microsoft's Secure Transaction Technology (STT),
and Terisa System's Secure Hypertext Transfer Protocol
(S-HTTP).
SET uses some but not all aspects of a public key
infrastructure (PKI).
1.C. Describe the steps required to purchase
an item using SET Protocol.
Steps in Making a Purchase
1. The buyer indicates to the merchant that she is interested in making a credit card purchase.
2. The merchant's system sends the customer an invoice and a unique transaction identifier.
3. The merchant's system sends the customer the merchant's certificate, which includes the merchant's public key. The merchant's system also sends the certificate of its bank, which includes the bank's public key. Both of these certificates are encrypted with the private key of the certifying authority.
4. The customer uses the certifying authority's public key to decrypt the two certificates. The customer now has the merchant's public key and the bank's public key.
5. The customer generates two packages of information: the order information (OI) package and the purchase instructions (PI) package. The OI, destined for the merchant, contains the transaction identifier and the brand of card being used; it does not include the customer's card number. The PI, destined for the merchant's bank, contains the transaction identifier, the card number, the purchase amount agreed to by the buyer, and a description of the order. The OI is encrypted with the merchant's public key; the PI is encrypted with the bank's public key. (We are bending the truth here in order to see the big picture. In reality, the OI and PI are encrypted with session keys.) The customer sends the OI and the PI to the merchant.
6. The merchant generates an authorization request for the card payment, which includes the transaction identifier.
7. The merchant sends to its bank a message encrypted with the bank's public key. (Actually, a session key is used.) This message includes the authorization request, the PI package sent by the buyer, and the merchant's certificate.
8. The merchant's bank receives the message and unravels it. The bank checks for tampering. It also makes sure that the transaction identifier in the authorization request matches the one in the customer's PI package.
9. The merchant's bank then sends a request for payment authorization to the customer's credit card bank through traditional bankcard channels, just as the merchant's bank would request authorization for any normal credit card transaction.
10. Once the customer's bank authorizes the payment, the merchant's bank sends a response to the merchant, which is (of course) encrypted. The response includes the transaction identifier.
11. If the transaction was approved, the merchant sends its own response message to the customer. This message informs the customer that the payment was accepted and that the goods will be delivered.
The customer will have software to handle all of its SET tasks. It is likely that this software will be embedded into the customer's Web browser.
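The OI/PI split of steps 5 to 8 as an added model, not code from the original notes or from the SET specification: the customer encrypts the OI to the merchant's key and the PI to the bank's key, the merchant forwards the PI unopened, and the bank refuses the authorization when the transaction identifiers disagree. Encryption is textbook RSA on small primes purely so the key separation is visible (it is an illustration, not usable cryptography); the function names, demo keys, transaction identifier and the sample card number are all constructed for this example.

```python
import json

def rsa_keypair(p, q, e):
    """Textbook RSA from two small primes; returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def encrypt_to(pub, data):
    e, n = pub
    return [pow(b, e, n) for b in data]      # one RSA block per byte (toy only)

def decrypt_with(priv, blocks):
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)

def customer_build(txn_id, brand, card_number, amount, descr, merchant_pub, bank_pub):
    """Step 5: OI for the merchant (no card number), PI for the bank."""
    oi = {"txn_id": txn_id, "brand": brand}
    pi = {"txn_id": txn_id, "card_number": card_number,
          "amount": amount, "description": descr}
    return (encrypt_to(merchant_pub, json.dumps(oi).encode()),
            encrypt_to(bank_pub, json.dumps(pi).encode()))

def merchant_forward(enc_oi, enc_pi, merchant_priv):
    """Steps 6-7: read the OI, build the authorization request and pass the
    PI along unopened (the merchant holds no key for it)."""
    oi = json.loads(decrypt_with(merchant_priv, enc_oi))
    auth_request = {"txn_id": oi["txn_id"], "brand": oi["brand"]}
    return auth_request, enc_pi

def bank_authorize(auth_request, enc_pi, bank_priv):
    """Step 8: open the PI and require the transaction identifiers to match."""
    pi = json.loads(decrypt_with(bank_priv, enc_pi))
    if pi["txn_id"] != auth_request["txn_id"]:
        return {"txn_id": auth_request["txn_id"], "approved": False,
                "reason": "transaction identifier mismatch"}
    return {"txn_id": pi["txn_id"], "approved": True, "amount": pi["amount"]}

def merchant_can_read(enc_pi, merchant_priv):
    """True only if the merchant's own key turns the PI into readable JSON."""
    try:
        return "card_number" in json.loads(decrypt_with(merchant_priv, enc_pi))
    except (ValueError, TypeError):          # garbage bytes: wrong key
        return False

if __name__ == "__main__":
    m_pub, m_priv = rsa_keypair(61, 53, 17)  # constructed demo keys
    b_pub, b_priv = rsa_keypair(101, 103, 7)
    enc_oi, enc_pi = customer_build("TX-1001", "Visa", "4111111111111111",
                                    250, "one book", m_pub, b_pub)
    req, fwd = merchant_forward(enc_oi, enc_pi, m_priv)
    print(bank_authorize(req, fwd, b_priv), merchant_can_read(fwd, m_priv))
```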
2. What is Internet Banking? How is it
established?
A method of banking in which transactions are
conducted electronically over the Internet.
Online banking is the performance of banking
activities via the Internet.
Online banking is also known as "Internet
banking" or "Web banking."
A good online bank will offer customers just
about every service traditionally available
through a local branch, including accepting
deposits (which is done online or through the
mail), paying interest on savings and providing
an online bill payment system.
To access a financial institution's online banking
facility, a customer with internet access would
need to register with the institution for the
service, and set up a password and other
credentials for customer verification.
The credentials for online banking are normally not the same as those for telephone or mobile banking.
Financial institutions now routinely allocate customer numbers, whether or not customers have indicated an intention to access their online banking facility.
3. A. Explain the ways and means of
protecting on-line Website Operations
from hackers.
File uploads
Allowing users to upload files to your website can be a big website security risk, even if it's simply to change their avatar. The risk is that any file uploaded, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.
Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob.
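Upload handling that follows the advice above, as an added illustration rather than code from the original notes: the file is typed by its content instead of its user-supplied name, written outside the webroot under a random name without the execute bit, and served only through an opaque id that cannot be a path. The allowed types, size limit and function names are assumptions for this example.

```python
import os
import secrets
import tempfile

# Magic bytes of the only content types an avatar may have (assumed policy).
ALLOWED_TYPES = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg"}
MAX_BYTES = 2 * 1024 * 1024
HEX = set("0123456789abcdef")

class UploadRejected(ValueError):
    """Raised for any upload or lookup that violates the policy."""

def detect_type(data):
    """Decide the type from the content, never from the original filename."""
    for magic, ext in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None

def make_store_dir():
    """A directory outside the webroot; in production this is configured."""
    return tempfile.mkdtemp(prefix="uploads-")

def store_upload(data, store_dir):
    """Write the upload under a random name and return the id used to find it."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = detect_type(data)
    if ext is None:
        raise UploadRejected("content is not an allowed image type")
    file_id = secrets.token_hex(16)            # user cannot influence the name
    path = os.path.join(store_dir, file_id + ext)
    # O_EXCL refuses to overwrite; mode 0600 leaves no execute bit set.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return file_id

def read_upload(file_id, store_dir):
    """Serve by id only; the id is validated so it can never be a path."""
    if len(file_id) != 32 or not set(file_id) <= HEX:
        raise UploadRejected("bad id")
    for ext in ALLOWED_TYPES.values():
        path = os.path.join(store_dir, file_id + ext)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                return fh.read()
    raise FileNotFoundError(file_id)
```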

SSL
SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and the web server or database. Attackers could sniff for this information and, if the communication medium is not secure, could capture it and use it to gain access to user accounts and personal data.
Website security tools
Netsparker - Good for testing SQL injection and XSS
Server side validation/form validation
Validation should always be done both on the browser and on the server side. The browser can catch simple failures, like mandatory fields that are empty or text entered into a numbers-only field. These checks can, however, be bypassed, so you should repeat them and perform deeper validation on the server side; failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.
Passwords
Everyone knows they should use complex passwords, but that doesn't mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.

3.b. What is a firewall?
A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both.

4. What is an online payment? Explain the features that should be incorporated in an online payment system.
An e-commerce payment system facilitates the acceptance of electronic payment for online transactions.
Features:
Good Atomicity
Money and goods are exchanged automatically
Non-repudiation
No party can deny its role in the transaction
Digital Signature

5. What is the need for a digital signature?
Digital signatures help establish the following authentication measures:
Authenticity
The digital signature helps ensure that the signer is
whom he or she claims to be. This helps prevent
others from pretending to be the originator of a
particular document (the equivalent of forgery on a
printed document).
Integrity
The digital signature helps ensure that the content
has not been changed or tampered with since it was
digitally signed. This helps prevent documents from
being intercepted and changed without knowledge of
the originator of the document.
Non-repudiation
The digital signature helps prove to all parties the
origin of the signed content. "Repudiation" refers to
the act of a signer's denying any association with the
signed content. This helps prove that the originator
of the document is the true originator and not
someone else, regardless of the claims of the signer.
A signer cannot repudiate the signature on that
document without repudiating his or her digital key,
and therefore other documents signed with that key.
6. How do SET transactions work? Explain with a proper diagram. OR
Discuss SET with a suitable block diagram.
SET, short for Secure Electronic Transaction, is a
standard that will enable secure credit card
transactions on the Internet. SET has been endorsed by
virtually all the major players in the electronic
commerce arena, including Microsoft, Netscape, Visa,
and Mastercard.
By employing digital signatures, SET will enable
merchants to verify that buyers are who they claim to
be. And it will protect buyers by providing a mechanism
for their credit card number to be transferred directly to
the credit card issuer for verification and billing without
the merchant being able to see the number.
