1. Smart Card is a credit card-sized device with an embedded microchip to provide electronic money and processing capability. It can store the user's financial facts, health insurance data, credit card numbers and network identification codes and passwords.
2. Asymmetric encryption uses Public Key and Private Key.
3. Public key encryption is asymmetric key encryption.
4. RSA algorithm deals with encryption.
5. Which one is not related to on-line payment? Delayed payment
6. Digital signature does not give us acquisition.
7. Firewalls operate by screening packets to/from the Network and provide controllable filtering of network traffic.
8. Trojan Horse is a program that performs not only a desired task but also includes unexpected malicious functions. True
9. While making payment using electronic check, credit and debit cards, the server authenticates the customers and verifies with the bank that funds are adequate before purchase. True
10. Pretty Good Privacy (PGP) is an implementation of public-key cryptography based on RSA.
11. Kerberos is a popular 3rd party protocol.
12. Which one is not a security threat to the e-commerce websites? Spooling
13. Which one is not a security tool available to protect e-commerce? Buffering
14. Data Encryption Standard (DES) uses 64-bit encryption key.
15. S-HTTP is Secure Hypertext Transfer Protocol.
16. Which one of the following is a protocol for secure messaging? PGP, PEM, S/MIME
17. SHA is more secured than MD5 by a factor of 2^32
18. By security in e-commerce we mean:
    Protecting an organization's data resource from unauthorized access
    Preventing disasters from happening
19. Public key encryption method is a system in which each person who wants to communicate has two keys: a private key known to him only and a public key which is publicized to enable others to send messages to him.
20. In electronic cash payment:
    A customer withdraws coins in various denominations signed by the bank.
    The bank has a database of issued coins.
    The bank has a database of spent coins.
21. SET protocol is used for securing card transactions.
22. If Z=160 and E=7, then for what value of D will (ED mod Z = 1) be satisfied? 23
23. Flood Attack by attackers happens on server.
24. Use the SHIFT CIPHER with key=17 to encrypt the message WBUT. The cipher text will be NSLK

1.A. What are the different modes of payment in E-Commerce?
The various forms of payment for e-commerce are given in the following paragraphs.
Credit cards: The easiest form of electronic money that is available and the most widely used today. There are several million credit cards being used to make online payments in India.
Debit card: The second largest e-commerce payment medium in India is debit cards and net banking. Very often, for customers who want to stay within their spending capacity, paying for things online using a debit card proves to be the preferred choice. With the debit card, one can only pay for purchased goods with the money that already exists in the current or savings account, as opposed to the credit card, where the amounts that the buyer spends are accumulated and have to be paid as a bill at the end of the billing period.
Cash on delivery: CoD has emerged as one of the most sought-after services for e-commerce entities, and it is reported that in some cases as many as 50 per cent of orders are placed with various online retailers with this payment option, while the remaining opt for credit card or bank payments. In India, many customers tend to prefer CoD, as the online payment modes are yet to catch up in many parts of the country.
Net banking: Another easy way to make payments for online transactions. It uses a method similar to the debit card, paying from money that exists in the user's current or savings account, but net banking does not require the user to have a card for payment purposes. While completing the purchase the consumer needs to put in their net banking ID and PIN.
Mobile Money: Out of India's 1.2 billion people, only a small percentage have bank accounts. Amongst that massive unbanked population, many hundreds of millions have mobile phones, and for them mobile money is likely to be hugely beneficial. Even for smaller transactions, where credit cards are not accepted, it might be simpler to just hand over cash; but if you don't have sufficient cash, then mobile money becomes useful.
Reward Points: Some other, more indirect ways of online payment are reward points. On certain purchases, a number of reward points will be awarded and added to the buyer's account. In the next transaction, the buyer can choose to pay for their purchase using the accumulated reward points, which replace what they would otherwise be paying as money.
Prepaid Cards: This is a relatively new and fast-growing payment method. Typically, a consumer may buy or be gifted a prepaid card that can be used online. Usually this would be for a particular brand or retailer. Some online retailers have their own gift cards which are sold to their customers, who in turn may use them for themselves or give them as gifts. Gift cards have their own authentication systems, which may vary from issuer to issuer.

1.B. What is SET Protocol?
Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by MasterCard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate), and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa Systems' Secure Hypertext Transfer Protocol (S-HTTP).
SET uses some but not all aspects of a public key infrastructure (PKI).

1.C. Describe the steps required to purchase an item using SET Protocol.
Steps in Making a Purchase:
1. Buyer indicates to the merchant that she is interested in making a credit card purchase.
2. The merchant's system sends the customer an invoice and a unique transaction identifier.
3. The merchant's system sends the customer the merchant's certificate, which includes the merchant's public key. The merchant's system also sends the certificate of its bank, which includes the bank's public key. Both of these certificates are encrypted with the private key of the certifying authority.
4. The customer uses the certifying authority's public key to decrypt the two certificates. The customer now has the merchant's public key and the bank's public key.
5. The customer generates two packages of information: the order information (OI) package and the purchase instructions (PI) package. The OI, destined for the merchant, contains the transaction identifier and the brand of card being used; it does not include the customer's card number. The PI, destined for the merchant's bank, contains the transaction identifier, the card number, the purchase amount agreed to by the buyer, and a description of the order. The OI is encrypted with the merchant's public key; the PI is encrypted with the bank's public key. (We are bending the truth here in order to see the big picture. In reality, the OI and PI are encrypted with session keys.) The customer sends the OI and the PI to the merchant.
6. The merchant generates an authorization request for the card payment request, which includes the transaction identifier.
7. The merchant sends to its bank a message encrypted with the bank's public key. (Actually, a session key is used.) This message includes the authorization request, the PI package sent from the buyer, and the merchant's certificate.
8. The merchant's bank receives the message and unravels it. The bank checks for tampering. It also makes sure that the transaction identifier in the authorization request matches the one in the customer's PI package.
9. The merchant's bank then sends a request for payment authorization to the customer's credit card bank through traditional bankcard channels, just as the merchant's bank would request authorization for any normal credit card transaction.
10. Once the customer's bank authorizes the payment, the merchant's bank sends a response to the merchant, which is (of course) encrypted. The response includes the transaction identifier.
11. If the transaction was approved, the merchant sends its own response message to the customer. This message informs the customer that the payment was accepted and that the goods will be delivered.
The customer will have software to handle all of its SET tasks. It is likely that this software will be embedded into the customer's Web browser.

2. What is Internet Banking? How is it established?
A method of banking in which transactions are conducted electronically over the Internet. Online banking is the performance of banking activities via the Internet. Online banking is also known as "Internet banking" or "Web banking." A good online bank will offer customers just about every service traditionally available through a local branch, including accepting deposits (which is done online or through the mail), paying interest on savings and providing an online bill payment system. To access a financial institution's online banking facility, a customer with Internet access would need to register with the institution for the service and set up a password and other credentials for customer verification. The credentials for online banking are normally not the same as for telephone or mobile banking. Financial institutions now routinely allocate customer numbers, whether or not customers have indicated an intention to access their online banking facility.

3.A. Explain the ways and means of protecting on-line Website Operations from hackers.
File uploads
Allowing users to upload files to your website can be a big website security risk, even if it's simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.
Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the web root or in the database as a blob.
SSL
SSL is a protocol used to provide security over the Internet. It is a good idea to use a security certificate whenever you are passing personal information between the website and the web server or database. Attackers could sniff for this information and, if the communication medium is not secure, could capture it and use it to gain access to user accounts and personal data.
Website security tools
Netsparker - Good for testing SQL injection and XSS
Server side validation/form validation
Validation should always be done both on the browser and on the server side. The browser can catch simple failures, like mandatory fields that are empty or text entered into a numbers-only field. These checks can however be bypassed, so you should make sure you repeat them and perform deeper validation server side; failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results in your website.
Passwords
Everyone knows they should use complex passwords, but that doesn't mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.
3.B. What is a firewall?
A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
4. What is an online payment? Explain the features that should be incorporated in an online payment system.
An e-commerce payment system facilitates the acceptance of electronic payment for online transactions. Features:
Goods atomicity: Money and goods are exchanged atomically
Non-repudiation: No party can deny its role in the transaction
Digital Signature
5. What is the need for a digital signature?
Digital signatures help establish the following authentication measures:
Authenticity: The digital signature helps ensure that the signer is who he or she claims to be. This helps prevent others from pretending to be the originator of a particular document (the equivalent of forgery on a printed document).
Integrity: The digital signature helps ensure that the content has not been changed or tampered with since it was digitally signed. This helps prevent documents from being intercepted and changed without the knowledge of the originator of the document.
Non-repudiation: The digital signature helps prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer denying any association with the signed content. This helps prove that the originator of the document is the true originator and not someone else, regardless of the claims of the signer. A signer cannot repudiate the signature on that document without repudiating his or her digital key, and therefore other documents signed with that key.

6. How do SET transactions work? Explain with proper diagram. OR Discuss SET with suitable block diagram.
SET, short for Secure Electronic Transaction, is a standard that will enable secure credit card transactions on the Internet. SET has been endorsed by virtually all the major players in the electronic commerce arena, including Microsoft, Netscape, Visa, and Mastercard. By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be. And it will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number.
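As an added worked example (not part of the original answer key), the purchase flow of 1.C and the SET description in question 6, simulated in Python: the customer splits the order into an OI and a PI, the merchant reads only the OI and forwards the PI unopened, and the bank checks that the transaction identifiers agree before authorizing. Textbook RSA on single ASCII codes stands in for SET's certificate-based encryption; the merchant key reuses Q22's numbers (Z=160 is phi(11*17), E=7, D=23), while the bank's primes 13 and 23, the merchant id and the card number are constructed here. Real SET uses session keys, padding and signatures, which this toy omits.

```python
import json

def mod_inverse(e, z):
    """Extended Euclid: the D of Q22, satisfying (E * D) % Z == 1."""
    r0, r1, s0, s1 = e, z, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % z

def keypair(p, q, e):  # returns (public, private) as (n, exponent) pairs
    n, z = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, z))

def encrypt(pub, text):  # textbook RSA per ASCII code (toy; needs n > 127)
    n, e = pub
    return [pow(ord(ch), e, n) for ch in text]

def decrypt(priv, blocks):
    n, d = priv
    return "".join(chr(pow(b, d, n)) for b in blocks)

# Merchant key uses Q22's parameters (Z = 160 is phi(11 * 17)); the bank's
# primes 13 and 23 are constructed here so the two parties hold different keys.
MERCHANT_PUB, MERCHANT_PRIV = keypair(11, 17, 7)   # private exponent D = 23
BANK_PUB, BANK_PRIV = keypair(13, 23, 7)

def customer_packages(txn, brand, card, amount):
    """Step 5: OI for the merchant carries no card number; PI is for the bank."""
    oi = json.dumps({"txn": txn, "brand": brand})
    pi = json.dumps({"txn": txn, "card": card, "amount": amount})
    return encrypt(MERCHANT_PUB, oi), encrypt(BANK_PUB, pi)

def merchant_request(enc_oi, enc_pi):
    """Steps 6-7: merchant opens only the OI and forwards the PI unread."""
    oi = json.loads(decrypt(MERCHANT_PRIV, enc_oi))
    auth = json.dumps({"txn": oi["txn"], "merchant": "shop-01"})  # constructed id
    return encrypt(BANK_PUB, auth), enc_pi

def bank_authorizes(enc_auth, enc_pi):
    """Step 8: bank opens both and insists the transaction identifiers agree."""
    auth = json.loads(decrypt(BANK_PRIV, enc_auth))
    pi = json.loads(decrypt(BANK_PRIV, enc_pi))
    return auth["txn"] == pi["txn"] and pi["amount"] > 0

def run_purchase(txn="T-1001", card="4111111111111111", amount=49.99):
    """Customer -> merchant -> bank; the card number is a constructed test value."""
    enc_oi, enc_pi = customer_packages(txn, "VISA", card, amount)
    enc_auth, forwarded_pi = merchant_request(enc_oi, enc_pi)
    return bank_authorizes(enc_auth, forwarded_pi)
```

Decrypting the forwarded PI with the merchant's key yields only garbage, which is the property question 6 describes: the card number reaches the bank without the merchant ever seeing it.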