
Unit-3

3.1 DIGITAL CURRENCY


Electronic money (also known as e-money, electronic cash, electronic currency, digital
money, digital cash or digital currency) refers to money or scrip which is exchanged
only electronically. Typically, this involves use of computer networks, the internet and
digital stored value systems. Electronic Funds Transfer (EFT) and direct deposit are
examples of electronic money. Also, it is a collective term for financial cryptography
and technologies enabling it.
While electronic money has been an interesting problem for cryptography, to date, use
of digital cash has been relatively low-scale. One rare success has been Hong Kong's
Octopus card system, which started as a transit payment system and has grown into a
widely used electronic cash system. Singapore also has an electronic money
implementation for its public transportation system (trains, buses, etc.), which is very
similar to Hong Kong's Octopus card and based on the same type of card. A very
successful implementation is in the Netherlands, known as Chipknip.
ALTERNATIVES
Technically, electronic or digital money is a representation, or a system of debits and
credits, used (but not limited to this) to exchange value within another system, or itself
as a standalone system, online or offline. Sometimes the term electronic money is also
used to refer to the provider itself. A private currency may use gold to provide extra
security, such as a digital gold currency. An e-currency system may be fully backed by
gold (like e-gold and c-gold), non-gold backed, or both gold and non-gold backed (like
e-Bullion and Liberty Reserve). Also, some private organizations, such as the US
military, use private currencies such as Eagle Cash.
Many systems will sell their electronic currency directly to the end user, such as Paypal
and WebMoney, but other systems, such as e-gold, sell only through third party digital
currency exchangers.
In the case of the Octopus Card in Hong Kong, deposits work similarly to banks. After
Octopus Card Limited receives money for deposit from users, the money is deposited
into banks, which is similar to debit-card-issuing banks re-depositing money at central
banks. Some community currencies work with electronic transactions; the Cyclos software
allows the creation of electronic community currencies. The Ripple monetary system is a
project to develop a distributed system of electronic money independent of local currency.
OFF-LINE ANONYMOUS ELECTRONIC MONEY
In off-line electronic money the merchant does not need to interact with the bank before
accepting a coin from the user. Instead he can collect multiple coins spent by users and
deposit them later with the bank. In principle this could be done off-line, i.e. the
merchant could go to the bank with his storage media to exchange e-cash for cash.
Nevertheless the merchant is guaranteed that the user's e-coin will either be accepted
by the bank, or the bank will be able to identify and punish the cheating user. In this
way a user is prevented from spending the same coin twice (double-spending). Off-line
e-cash schemes also need to protect against cheating merchants, i.e. merchants that want
to deposit a coin twice (and then blame the user).
Using cryptography, anonymous e-cash was introduced by David Chaum. He used blind
signatures to achieve unlinkability between withdrawal and spend transactions. In
cryptography, e-cash usually refers to anonymous e-cash. Depending on the properties of
the payment transactions, one distinguishes between on-line and off-line e-cash. The first
off-line e-cash system was proposed by Chaum and Naor. Like the first on-line scheme, it
is based on RSA blind signatures.
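The blind-signature withdrawal and the double-spend check described in the two paragraphs above, as an added worked example that is not part of the original text: the bank's RSA key is constructed from the textbook primes p=61 and q=53 (far too small for real use, but the algebra is the same at real key sizes), the coin serial numbers are constructed, and the deposit side uses the on-line check (each serial accepted once) rather than the Chaum-Naor off-line identification of a double spender.

```python
import hashlib
import secrets
from math import gcd

# Bank's toy RSA key: textbook primes p=61, q=53 (constructed for illustration;
# hopelessly small for real use, but the algebra is identical at 2048 bits).
BANK_N = 61 * 53                                  # 3233
BANK_E = 17
BANK_D = pow(BANK_E, -1, (61 - 1) * (53 - 1))     # 2753, the bank's private exponent


def coin_message(serial):
    """Map a coin's serial number into Z_n by hashing (toy: the digest is reduced mod n)."""
    digest = hashlib.sha256(serial.encode()).digest()
    return int.from_bytes(digest, "big") % BANK_N


def blind(m, r=None):
    """User side: choose a blinding factor r coprime to n and send m * r^e mod n."""
    if r is None:
        while True:
            r = secrets.randbelow(BANK_N - 2) + 2
            if gcd(r, BANK_N) == 1:
                break
    return (m * pow(r, BANK_E, BANK_N)) % BANK_N, r


def bank_sign_blinded(blinded):
    """Bank side: sign whatever it is handed. It sees m * r^e, never m or the serial,
    so the later spend cannot be linked back to this withdrawal."""
    return pow(blinded, BANK_D, BANK_N)


def unblind(blinded_sig, r):
    """User side: (m r^e)^d = m^d r mod n, so dividing by r leaves the signature m^d."""
    return (blinded_sig * pow(r, -1, BANK_N)) % BANK_N


def verify_coin(serial, sig):
    """Merchant or bank: check the coin using only the bank's public key (n, e)."""
    return pow(sig, BANK_E, BANK_N) == coin_message(serial)


def withdraw_coin(serial):
    """Full withdrawal protocol as run by the user; returns the coin (serial, signature)."""
    blinded, r = blind(coin_message(serial))
    return serial, unblind(bank_sign_blinded(blinded), r)


class Bank:
    """Deposit side with an on-line double-spend check: each serial is accepted once.
    (Chaum-Naor off-line schemes instead reveal the identity of a double spender.)"""

    def __init__(self):
        self.spent = set()

    def deposit(self, serial, sig):
        if not verify_coin(serial, sig):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spend"
        self.spent.add(serial)
        return "accepted"
```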
FUTURE EVOLUTION
The main focuses of digital cash development are:
1) being able to use it through a wider range of hardware, such as secured credit cards; and
2) linked bank accounts that would generally be used over an internet means, for
exchange with a secure micropayment system such as in large corporations (PayPal).

3.2 CREDIT CARDS AND SMART CARDS


Over the years, credit cards have become one of the most common forms of payment
for e-commerce transactions. In the early years of B2C, many consumers were
apprehensive about using their credit cards over the internet for fear that their credit
card numbers would get stolen. However, due to increased security at credit card
companies such as VISA, American Express, and MasterCard, there is widespread use
of credit cards over the internet, especially in North America.
Despite this widespread use in North America, there are still a number of countries, such
as China, India and Pakistan, that have some problems to overcome in regard to credit
card security. In the meantime, the use of smartcards has become extremely popular.
A smartcard is similar to a credit card; however, it contains an embedded 8-bit
microprocessor and uses electronic cash which transfers from the consumer's card to
the seller's device. A popular smartcard initiative is the VISA Smartcard. Using the
VISA Smartcard you can transfer electronic cash to your card from your bank account,
and you can then use your card at various retailers and on the internet.
CREDIT CARD BASICS
A credit card is part of a system of payments named after the small plastic card issued
to users of the system. The issuer of the card grants a line of credit to the consumer (or
the user) from which the user can borrow money for payment to a merchant or as a cash
advance to the user. A credit card is different from a charge card, which requires the
balance to be paid in full each month. In contrast, credit cards allow consumers to
revolve their balance, at the cost of having interest charged. Most credit cards are
issued by local banks or credit unions, and are the same shape and size, as specified by
the ISO 7810 standard.
How credit cards work
Credit cards are issued after an account has been approved by the credit provider, after
which cardholders can use them to make purchases at merchants accepting that card. When
a purchase is made, the credit card user agrees to pay the card issuer. The cardholder
indicates his/her consent to pay by signing a receipt with a record of the card details
and indicating the amount to be paid, or by entering a personal identification
number (PIN). Also, many merchants now accept verbal authorizations via telephone
and electronic authorization using the Internet, known as a Card/Cardholder Not
Present (CNP) transaction.
Interest Charges
Credit card issuers usually waive interest charges if the balance is paid in full each
month, but typically will charge full interest on the entire outstanding balance from the
date of each purchase if the total balance is not paid.
Benefits to Customers
Because of intense competition in the credit card industry, credit card providers often
offer incentives such as frequent flyer points, gift certificates, or cash back (typically
up to 1 percent based on total purchases) to try to attract customers to their programs.
Grace Period
A credit card's grace period is the time the customer has to pay the balance before
interest is charged to the balance. Grace periods vary, but usually range from 20 to 40
days depending on the type of credit card and the issuing bank. Some policies allow for
reinstatement after certain conditions are met.
BENEFITS TO MERCHANTS
(Figure: an example of street markets accepting credit cards.)
For merchants, a credit card transaction is often more secure than other forms of
payment, such as checks, because the issuing bank commits to pay the merchant the
moment the transaction is authorized, regardless of whether the consumer defaults on
the credit card payment (except for legitimate disputes, which are discussed below, and
can result in charges back to the merchant). In most cases, cards are even more secure
than cash, because they discourage theft by the merchant's employees and reduce the
amount of cash on the premises. Prior to credit cards, each merchant had to evaluate
each customer's credit history before extending credit. That task is now performed by
the banks, which assume the credit risk.
PARTIES INVOLVED
Cardholder: The holder of the card used to make a purchase; the consumer.
Card-issuing bank: The financial institution or other organization that issued the credit
card to the cardholder. This bank bills the consumer for repayment and bears the risk
that the card is used fraudulently. American Express and Discover were previously the
only card-issuing banks for their respective brands, but as of 2007, this is no longer the
case.
Merchant: The individual or business accepting credit card payments for products or
services sold to the cardholder.
Acquiring bank: The financial institution accepting payment for the products or
services on behalf of the merchant.
Independent sales organization: Resellers (to merchants) of the services of the
acquiring bank.
Merchant account: This could refer to the acquiring bank or the independent sales
organization, but in general is the organization that the merchant deals with.
Credit Card association: An association of card-issuing banks such as Visa,
MasterCard, Discover, American Express, etc. that set transaction terms for merchants,
card-issuing banks, and acquiring banks.
Transaction network: The system that implements the mechanics of the electronic
transactions. May be operated by an independent company, and one company may
operate multiple networks. Transaction processing networks include: Cardnet,
Nabanco, Omaha, Paymentech, NDC Atlanta, Nova, TSYS, Concord EFSnet, and
VisaNet.
Affinity partner: Some institutions lend their names to an issuer to attract customers
that have a strong relationship with that institution, and get paid a fee or a percentage
of the balance for each card issued using their name. Examples of typical affinity
partners are sports teams, universities, charities, professional organizations, and major
retailers.
TRANSACTION STEPS
Authorization: The cardholder pays for the purchase and the merchant submits the
transaction to the acquirer (acquiring bank). The acquirer verifies the credit card
number, the transaction type and the amount with the issuer (card-issuing bank) and
reserves that amount of the cardholder's credit limit for the merchant. An authorization
will generate an approval code, which the merchant stores with the transaction.
Batching: Authorized transactions are stored in batches, which are sent to the
acquirer. Batches are typically submitted once per day at the end of the business day. If
a transaction is not submitted in the batch, the authorization will stay valid for a period
determined by the issuer, after which the held amount will be returned to the
cardholder's available credit. Some transactions may be submitted in the batch without
prior authorization; these are either transactions falling under the merchant's floor limit
or ones where the authorization was unsuccessful but the merchant still attempts to force
the transaction through. (Such may be the case when the cardholder is not present but
owes the merchant additional money, such as extending a hotel stay or car rental.)
Clearing and Settlement: The acquirer sends the batch transactions through the credit
card association, which debits the issuers for payment and credits the acquirer.
Essentially, the issuer pays the acquirer for the transaction.
Funding: Once the acquirer has been paid, the acquirer pays the merchant. The
merchant receives the amount totaling the funds in the batch minus the discount rate,
which is the fee the merchant pays the acquirer for processing the transactions.
Chargebacks: A chargeback is an event in which money in a merchant account is
held due to a dispute relating to the transaction. Chargebacks are typically initiated by
the cardholder. In the event of a chargeback, the issuer returns the transaction to the
acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who
must either accept the chargeback or contest it.
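The authorization, batching, clearing and settlement, funding and chargeback steps above as an added simulation, not code from the original text: amounts are in cents, and the credit limit, the issuer's hold validity window, the merchant's floor limit and the 2.5% discount rate are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    tx_id: str
    amount: int                 # cents
    approval_code: str = None   # None when the transaction was never authorized
    status: str = "new"


class Issuer:
    """Card-issuing bank: posts settled charges against the cardholder's credit limit
    and reserves (holds) authorized amounts until they are settled or expire."""

    def __init__(self, credit_limit, hold_ttl_days=7):
        self.credit_limit = credit_limit
        self.hold_ttl_days = hold_ttl_days  # assumed window; the issuer decides this
        self.balance = 0                    # settled charges owed by the cardholder
        self.holds = {}                     # approval code -> (amount, day authorized)
        self.next_code = 0

    def available(self):
        return self.credit_limit - self.balance - sum(a for a, _ in self.holds.values())

    def authorize(self, amount, day):
        if amount > self.available():
            return None
        self.next_code += 1
        code = "AP%04d" % self.next_code    # constructed approval code format
        self.holds[code] = (amount, day)
        return code

    def expire_holds(self, today):
        """Holds not batched within the issuer's window return to available credit."""
        expired = [c for c, (_, day) in self.holds.items() if today - day > self.hold_ttl_days]
        for code in expired:
            del self.holds[code]
        return len(expired)

    def settle(self, amount, approval_code=None):
        """Clearing: turn a hold into a posted charge. A forced (unauthorized)
        transaction posts even if it pushes the cardholder over the limit."""
        if approval_code is not None:
            self.holds.pop(approval_code, None)
        self.balance += amount


class Acquirer:
    """Acquiring bank: authorizes, batches, settles, funds the merchant, and holds
    back disputed funds on chargeback."""

    def __init__(self, issuer, floor_limit, discount_bp):
        self.issuer = issuer
        self.floor_limit = floor_limit      # cents; at or below this no authorization needed
        self.discount_bp = discount_bp      # merchant fee in basis points (250 = 2.5%)
        self.batch = []
        self.merchant_balance = 0
        self.disputed = 0

    def authorize(self, tx, day):
        tx.approval_code = self.issuer.authorize(tx.amount, day)
        tx.status = "authorized" if tx.approval_code else "declined"
        return tx.approval_code

    def submit(self, tx):
        """Batching: an unauthorized transaction is accepted only under the floor limit."""
        if tx.approval_code is None and tx.amount > self.floor_limit:
            tx.status = "rejected"
            return False
        self.batch.append(tx)
        tx.status = "batched"
        return True

    def settle_and_fund(self):
        """Clearing/settlement with the issuer, then funding: batch total minus discount."""
        total = 0
        for tx in self.batch:
            self.issuer.settle(tx.amount, tx.approval_code)
            tx.status = "settled"
            total += tx.amount
        self.batch = []
        fee = total * self.discount_bp // 10000
        self.merchant_balance += total - fee
        return total - fee

    def chargeback(self, tx):
        """Cardholder dispute: the amount is held back from the merchant until resolved."""
        if tx.status != "settled":
            return False
        tx.status = "chargeback"
        self.merchant_balance -= tx.amount
        self.disputed += tx.amount
        return True
```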
Security
Credit card security relies on the physical security of the plastic card as well as the
privacy of the credit card number. Therefore, whenever a person other than the card
owner has access to the card or its number, security is potentially compromised.
Merchants often accept credit card numbers without additional verification for mail
order purchases. They do, however, record the delivery address as a security measure to
minimise fraudulent purchases. Some merchants will accept a credit card number for
in-store purchases, whereupon access to the number allows easy fraud, but many require
the card itself to be present, and require a signature. Thus, a stolen card can be
cancelled, and if this is done quickly, no fraud can take place in this way. For internet
purchases, there is sometimes the same level of security as for mail order (number only),
so that the fraudster need only take care about collecting the goods, but often there are
additional measures. The main one is to require a security PIN with the card, which
requires that the thief have access to the card as well as the PIN.
An additional feature to secure the credit card transaction and prohibit the use of a lost
credit card is the MobiClear solution. Each transaction is authenticated through a call
to the user's mobile phone. The transaction is released once it has been confirmed by
the cardholder entering his/her PIN code during the call.

3.3 Digital Signature:

A digital signature is the electronic counterpart of a written signature, used by an
individual to authenticate the identity of the sender of a message or of the signer of a
document. E-check technology also allows digital signatures to be applied to
document blocks, rather than to the entire document. This lets part of a document be
separated from the original without compromising the integrity of the digital signature.
This technology would also be very useful for business contracts and other legal
documents transferred over the Web. A digital signature includes any type of electronic
message encrypted with a private key that is able to identify the origin of the message.
The following are some functions of a digital signature.

The authentication function: The term digital signature in general is relevant to the
practice of adding a string of characters to an electronic message that serves to identify
the sender or the originator of a message.

The seal function: Some digital signature techniques also serve to provide a check
against any alteration of the text of the message after the digital signature was appended.

The integrity function: This function is of great interest in cases where legal
documents are created using such digital signatures.

The privacy function: Privacy and confidentiality are of significant concern in many
instances where the sender wishes to keep the contents of the message private from all
but the intended recipient.

3.4 Online and Offline Transactions.


In general, direct commerce solutions that use the Internet directly to transmit transaction
information protect that information with some kind of encryption method. It is not
strictly necessary to transmit any sensitive information over an open network when there
are much more secure channels that can be used to carry sensitive information.
Telephone conversations, faxes and postal mail all present chances for illegal taps. Barring
the relatively extreme instances of those whose business is under government scrutiny,
personal conversations inspire a high level of confidence that no one is listening in;
eavesdroppers in most cases would most likely be noticed. The result is that there are
other channels across which sensitive information can be sent. Some Internet commerce
solutions take advantage of the relative security of these alternative media to eliminate
the need for software security solutions. These solutions require that the consumer make
a telephone call, send a fax, or send a hard copy with sensitive information like credit
card numbers, consumer names and billing and shipping addresses.

Secure online transaction models

The simplest method of doing direct business online on the Internet is to set up a secure
World Wide Web server, then create content pages and program forms to take orders.

Secure web servers

A secure web server must by definition support some type of security protocol. The two
most important are secure hypertext transfer protocol (S-HTTP) and secure sockets
layer (SSL), which was initially developed by Netscape and offered to the Internet
community as a proposed standard in 1995. One of their primary advantages
is their relative unobtrusiveness to the consumer using an SSL- or S-HTTP-enabled
browser.

Secure server purchasing

The consumer browses through graphical and textual descriptions of the merchant's
products, selects a purchase and usually clicks on a button that says "buy now" to make
a purchase. If the consumer is using a secure browser supported by the secure server, that
button will produce a form on the consumer's screen which the consumer must complete.
Once delivery and payment information has been provided, the product will be delivered.
If the customer is using a browser that is not secure or that uses a protocol not supported
by the server, then some other method must be employed to consummate the
transaction. Delivery information consists of name, address, delivery address, email
address and any other information necessary to deliver the product.

If the product is a physical item, then a physical destination, preferred shipper and
telephone number may be necessary. If the product is a digital item, then it may be
transmitted directly to the consumer via the browser, by e-mail or through some other
application such as file transfer.

Secure server selling

First, the merchant needs to publish product offerings on the Internet with a secure server.
Servers are available that support SSL, S-HTTP or both. Because the Internet is an
open network based strictly on proper and widespread implementation of standards, it
doesn't make sense for merchants to limit their potential customers by using only one
standard.

The merchant must go beyond merely setting up the server. As with mail orders there
must be a mechanism for processing the information contained on an order form. Most
often the merchant will use interfaces of some type to automate transactions. Companies
selling physical products over Internet use email confirmations and shipping notices to
keep customers up to date on status of orders and all merchants can use network
applications to notify their internal organization of orders.

Required facilities

The merchant must understand that purchasing products over Internet requires a
significant investment in software, hardware and services. The majority of Internet
merchants will be unlikely to set up their own secure servers, because doing so can be
complicated for the Internet novice, and also because there are so many companies now
offering such services. However, merchants who are aware of what their options are can
be smarter consumers of these services, and customers who are aware of how their
online orders are processed can be smarter online consumers.

Hardware

Any computer that can run an implementation of TCP/IP and that can be connected to
the Internet can be a WWW server. The system should have adequate processing power,
sufficient hard disk to store and serve all information quickly, an Internet connection able
to support the maximum expected load, and security features to protect the system from
unauthorized access.

Some organizations using the Internet may prefer to simply get a server and an Internet
connection and leave their internal networks out of the loop. Some kind of firewall is
necessary to protect their network from intruders.

Software

A TCP/IP implementation is necessary for a web server. This may be built in to the
operating system, or it may be part of the web server package. System administrators
make sure that there is no other software on Internet servers. This guarantees that if an
intruder should compromise that system, no network is available to the intruder for
further mischief. The web server software itself is what responds to requests from
browsers on the Internet and sends out the desired information. Security should be a
part of the operating system.

Services

The raw materials are relatively cheap, but the knowledge of how to put it all together
is expensive. And there are quite a handful of different things that need to get done to
set up a server.

Obtain Internet service
Administer Internet link and servers
Create web server content
Process transactions

Obtaining Internet services is simply the process of getting connected to the Internet and
keeping that access up and running. In some ways it is comparable to getting a telephone
connection: the ISP simply offers connectivity, not content.

Some Internet service providers will also manage your link and your server hardware.
This should mean they will keep the systems up and running and manage access to and
from those systems. This often includes security and firewall services.

Creating and managing web server content is critical and is a task often farmed out to
consultants. While this approach may be effective for getting a web site online quickly,
maintaining and updating content must be an ongoing task.

Transactions using credit cards must be settled. Most people will be familiar with the
swipe machines used in stores where credit cards are accepted.

Electronic malls

Setting up a web site for buying and selling can be complicated and expensive; it is not
for everyone. However, some companies have been setting up electronic, virtual or
online malls. The shopping mall is a familiar and comfortable model for consumers and
merchants, and it is relatively straightforward to simulate using the World Wide Web.
Mall operators allow individual merchants to rent space on the mall. The financial
arrangements may vary but include some monthly charge, a charge for storage space
required and a charge for each transaction. As part of the ability to sell products
electronically, the online commercial environment should provide at least some of the
following abilities:

Automatically process transactions received through the Internet and send
payment information to credit card authentication services, also via the Internet.
Automatically process responses from the credit card authentication service.
Get digital signatures or other proof of approval of the order from the customer.
Generate necessary transaction tracking information, including electronic
receipts, customer statements and internal documentation of orders.
For non-electronic material, have a link to the delivery company for delivery
status between the vendor and the customer.
Be able to handle occasional telephone or fax transactions as well as online
transactions.
payment method (credit card, checking account or some other source of funds)
to an online identity, managed by the service provider. The difference is that the
payment system usually requires participants to register in some way with the
payment system sponsor, while commerce environments usually permit the customer
to use a credit card or a payment system. The payment method may also become
merged into applications themselves as new protocols are introduced which
define procedures for transacting business using existing non-digital payment
methods.

Digital checking can also take advantage of the same technique, in much the same
way that debit cards are used like credit cards: consumers present the
card to the merchant, who must get an authorization for the purchase. The charges
are paid immediately out of the consumer's checking account, rather than at the end
of the monthly billing cycle.
A different approach is used for actual digital currencies as opposed to payment
systems. Usually anyone can participate by opening an account with a financial
institution offering a digital currency service. Client software is used to withdraw
money from the account, check on balances and maintain a digital wallet that holds
the value on the participant's computer. Cash exchanges between a user and the bank
use the same types of cryptographic technologies. Digital signatures guarantee cash
transfers, and transactions may be encrypted.

3.5 Protocols for public transport of private information


The electronic commerce community has taken great steps to adopt security
protocols and standards which are necessary to make traditionally unsecured
channels such as the Internet attractive to the average consumer.
Security protocols
People who wished to secure communications over the Internet had to find products
implementing security at the application level. Only when security is built into
Internet applications and requires an absolute minimum of interaction by the user
will it become acceptable to a mass market. The secure hypertext transfer
protocol (S-HTTP), an extension of the WWW protocol, addresses security features just
below the application layer. The secure socket layer (SSL) protocol was originally
proposed and implemented by Netscape Communications and has also been
implemented by other web browser vendors. SSL operates at the transport layer,
which means it can be used for private Internet transmissions between systems
and programs supporting it.
Master Card International and Visa International are cooperating in support of
secure credit card transactions on the Internet, and companies involved with
electronic commerce have generally pledged to comply with the standards they
produce.
Secure Hypertext Transfer Protocol
The Secure Hypertext Transfer Protocol (S-HTTP) is the logical extension of the
Hypertext Transfer Protocol (HTTP), which is the basis of the World Wide Web.
HTTP defines the interactions between web browsers and web servers,
determining how requests from browsers are handled by web servers.
Digital Signature
A digital signature is used for the authentication of senders by applying public key
cryptography in reverse. To make a digital signature, a sender encrypts a message
with her private key. In this case any receiver with her public key can read it,
but the receiver can be sure that the sender is really the author of the message. A
digital signature is usually attached to the sent message just like a handwritten
signature.
Message Digest
To make the digital signature the base message needs to be normalized to a
predetermined length of 160 bits, regardless of the length of the original
message. This normalization process can be achieved by hashing the original
message. This hashed message is called a message digest.
Certificates
A certificate usually implies an identifying certificate that is issued by a trusted
third-party certificate authority (CA). A certificate includes records such as a
serial number, name of owner, owner's public keys (one for secret key exchange
as receiver and one for digital signature as sender), an algorithm that uses these
keys, certificate type (cardholder, merchant, or payment gateway), name of CA,
and the CA's digital signature.
Certificate Authority
Certificate authority is a body, either public or private, that seeks to fill the need
for trusted third-party services in EC. A CA accomplishes this by issuing digital
certificates that attest to certain facts about the subject of the certificate.
In the context of credit cards, the cardholder certificate authority (CCA) issues
the certificates to the cardholders, the merchant certificate authority (MCA) to
merchants who operate e-stores, and the payment gateways certificate authority
(PCA) to payment gateway service providers.
The CA should get their own certificate from a nationally designated CA, which
is called a Geopolitical Certificate Authority (GCA).
Digital Envelope
A digital envelope is produced by encrypting a secret key with the receiver's public
key. The DES key encrypted in this manner is called a digital envelope. The receiver
must open the envelope (recover the DES key) first, then decrypt the message contents
with that key.
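The signature-over-digest and digital-envelope steps described under Digital Signature, Message Digest and Digital Envelope above, as one added worked example that is not from the original text: the sender's and receiver's RSA keys are constructed from tiny textbook primes, and a SHA-256 keystream stands in for DES, which the Python standard library does not provide.

```python
import hashlib
import secrets


def make_toy_rsa_key(p, q, e):
    """Textbook RSA from two tiny primes; constructed for illustration only."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


# Constructed keys: Alice is the sender (signs), Bob is the receiver (opens the envelope).
ALICE = make_toy_rsa_key(61, 53, 17)     # n = 3233
BOB = make_toy_rsa_key(101, 113, 3)      # n = 11413


def message_digest(message, n):
    """Normalize the message to a fixed length by hashing (SHA-256 here; the text's
    160-bit figure refers to SHA-1) and reduce it into Z_n for the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, key):
    """Digital signature: the digest is 'encrypted' with the sender's private exponent d."""
    return pow(message_digest(message, key["n"]), key["d"], key["n"])


def verify(message, signature, key):
    """Anyone with the sender's public key recomputes the digest and compares."""
    return pow(signature, key["e"], key["n"]) == message_digest(message, key["n"])


def stream_crypt(session_key, data):
    """Stand-in for DES: XOR with a SHA-256 keystream. Symmetric, so it also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = session_key.to_bytes(2, "big") + (offset // 32).to_bytes(4, "big")
        keystream = hashlib.sha256(block).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def seal(message, sender_key, receiver_key):
    """Sender: sign, encrypt message+signature under a fresh session key, then put
    that key in a digital envelope (encrypted with the receiver's public key)."""
    session_key = secrets.randbelow(receiver_key["n"])
    body = message + b"|" + str(sign(message, sender_key)).encode()
    envelope = pow(session_key, receiver_key["e"], receiver_key["n"])
    return {"envelope": envelope, "ciphertext": stream_crypt(session_key, body)}


def open_sealed(package, sender_key, receiver_key):
    """Receiver: open the envelope with his private key first, then decrypt the body
    with the recovered session key and verify the signature. Returns (message, ok)."""
    session_key = pow(package["envelope"], receiver_key["d"], receiver_key["n"])
    body = stream_crypt(session_key, package["ciphertext"])
    message, _, sig_text = body.rpartition(b"|")
    try:
        signature = int(sig_text)
    except ValueError:
        return None, False
    return message, verify(message, signature, sender_key)
```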
Secret Key Cryptography
Secret key encryption is also known as symmetric encryption or private key
encryption: the same key is used by the sender (encryption) and the receiver
(decryption).
The most widely accepted algorithm for secret key encryption is the Data
Encryption Standard (DES). DES is secure enough because penetration would
take several years at a cost of millions of dollars. The SET protocol has adopted
the DES algorithm with its 64-bit key.
Public Key Cryptography
Public key encryption, also known as asymmetric encryption, uses two different
keys: a public key and a private key. All authorized users know the public key,
but only one person, its owner, knows the private key.
The private key is generated at the owner's computer and is not sent to anyone.
To send a message safely using public key cryptography, the sender encrypts the
message with the receiver's public key. This requires that the public key be delivered
in advance.

The message encrypted in this manner can be decrypted with the receiver's
private key. The most popular algorithm for public key cryptography is
RSA (Rivest, Shamir, Adleman), with various key sizes such as 1024 bits.
This algorithm has never been broken by hackers, hence it is considered
the safest algorithm.

Secure Sockets Layer (SSL):


Secure Sockets Layer transmits private documents via the Internet. SSL uses a
cryptographic system that uses two keys to encrypt data: a public key known to
everyone and a private or secret key known only to the recipient of the message. It
operates between the transport and the application layers in the network stack and uses
both public and private key cryptography. SSL provides a relatively secure method to
encrypt data that are transmitted over a public network such as the Internet, and also
offers security for all Web transactions, including file transfer protocol (FTP), HTTP, and
Telnet-based transactions. It provides an electronic wrapping around the transactions
that go through the Internet. The open and non-proprietary nature of SSL is what makes
it the preferred choice for TCP/IP application developers for securing sensitive data.
The protocol is vulnerable to attacks on the SSL server authentication. Despite its
vulnerabilities, when properly implemented, SSL can be a powerful tool for securing
Web-sensitive data. SSL offers comprehensive security by offering authentication and
encryption at the client and server sides.

Authentication begins when a client requests a connection to an SSL server. The client
sends its public key to the server, which in turn generates a random message and sends
it back to the client. The client then uses its private key to encrypt the message from
the server and sends it back. All the server has to do at this point is decrypt the message
using the public key and compare it to the original message it sent to the client. If the
messages match, then the server knows that it is communicating with the intended
client.

To implement SSL in a web server, the following steps are followed:

1. Create a key pair on the server.

2. Demand a certificate from a certification authority.

3. Set up the certificate.

4. Activate SSL on a security folder or directory. It is not a good idea to activate SSL
on all the directories because the encryption overhead created by SSL decreases system
performance.
Advantages of SSL: Some of the advantages of SSL include the following:

Authentication: Permits Web-enabled browsers and servers to authenticate each other.

Access Limit: Permits controlled access to servers, directories, files, and services.

Data Protection: Guarantees that exchanged data cannot be corrupted without detection.

Information Share: Permits information to be shared by browsers and servers while
remaining out of reach to third parties.
