
Benefits of Ecommerce

Ecommerce is one of the most important facets of the Internet to have emerged in recent times. Ecommerce, or electronic
commerce, involves carrying out business over the Internet with the assistance of computers that are linked to each other to form
a network. To be specific, ecommerce is the buying and selling of goods and services and the transfer of funds through digital
communications.

The benefits of Ecommerce:

• Ecommerce allows people to carry out businesses without the barriers of time or distance. One can log on to the Internet at
any point of time, be it day or night and purchase or sell anything one desires at a single click of the mouse.
• The direct cost-of-sale for an order taken from a web site is lower than through traditional means (retail, paper based), as
there is no human interaction during the on-line electronic purchase order process. Also, electronic selling virtually
eliminates processing errors, as well as being faster and more convenient for the visitor.
• Ecommerce is ideal for niche products. Customers for such products are usually few, but in the vast marketplace that is the
Internet, even niche products can generate viable volumes.
• Another important benefit of Ecommerce is that it is the cheapest means of doing business.
• The day-to-day pressures of the marketplace have played their part in reducing the opportunities for companies to invest in
improving their competitive position. A mature market and increased competition have reduced the amount of money
available to invest. If the selling price cannot be increased and the manufacturing cost cannot be decreased, then the
difference can be made in the way the business is carried out. Ecommerce provides the solution by cutting the costs that
are incurred.
• From the buyer's perspective too, ecommerce offers a number of tangible advantages:
1. Reduction in the buyer's sorting-out time.
2. Better buyer decisions.
3. Less time is spent in resolving invoice and order discrepancies.
4. Increased opportunities for buying alternative products.
• The strategic benefit of making a business 'ecommerce enabled' is that it helps reduce the delivery time, labour cost and
the cost incurred in the following areas:
1. Document preparation
2. Error detection and correction
3. Reconciliation
4. Mail preparation
5. Telephone calling
6. Data entry
7. Overtime
8. Supervision expenses
• Operational benefits of ecommerce include reducing both the time and personnel required to complete business processes,
and reducing strain on other resources. It is because of all these advantages that one can harness the power of ecommerce
and convert a business to an ebusiness by using the turnkey ecommerce solutions made available by ebusiness solution
providers.

Secure Electronic Transaction

Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was
supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital
certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among
the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's
Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa Systems' Secure Hypertext Transfer
Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI).

Here's how SET works:

Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet Explorer and that the transaction
provider (bank, store, etc.) has a SET-enabled server.

1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other
transactions. It includes a public key with an expiration date. It has been passed through a digital switch to the bank to ensure
its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the
bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.
6. The browser sends the order information, encrypted with the merchant's public key; the payment information, encrypted
with the bank's public key (so that it cannot be read by the merchant); and information that ensures the payment can be used
only with this particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by
referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment
information (which the merchant can't decode), and the merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and
verifies the payment part of the message.

The bank digitally signs and sends authorization to the merchant, who can then fill the order.

The SET Scene

SET involves interaction among credit card holders, merchants, issuing banks, payment processing organizations, and public-key
certificate authorities. SET is a complex specification defined in three "books" issued in May 1997, and running to nearly 1,000
pages. SET incorporates important features needed for secure credit-card transactions over the Internet:

• Confidentiality of information: Cardholder account and payment information is secured as it travels across the network.
An interesting and important feature of SET is that it prevents the merchant from learning the cardholder's credit card number;
this is provided only to the issuing bank. Conventional encryption by DES is used to provide confidentiality.

• Integrity of data: Payment information sent from cardholders to merchants includes order information, personal data, and
payment instructions. SET guarantees that these message contents are not altered in transit. RSA digital signatures, using
SHA-1 hash codes, provide message integrity. Certain messages are also protected by the message authentication code HMAC,
using SHA-1.

• Cardholder account authentication: SET enables merchants to verify that a cardholder is a legitimate user of a valid card
account number. SET uses X.509v3 digital certificates with RSA signatures for this purpose.

• Merchant authentication: SET enables cardholders to verify that a merchant has a relationship with a financial institution
allowing it to accept payment cards. SET uses X.509v3 digital certificates with RSA signatures for this purpose.

SET Participants

Figure 1 shows the participants in the SET system:

• Cardholder: In the electronic environment, consumers and corporate purchasers interact with merchants from personal
computers over the Internet. A cardholder is an authorized holder of a payment card (MasterCard, Visa, and so on) that has been
issued by an issuer.

• Merchant: A merchant is a person or organization with goods or services to sell to the cardholder. Typically, these goods
or services are offered via a web site or by electronic mail. A merchant that accepts payment cards must have a relationship
with an acquirer.

• Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. Typically,
accounts are applied for and opened by mail or in person. Ultimately, the issuer is responsible for the payment of the debt of the
cardholder.

• Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card
authorizations and payments. Merchants will usually accept more than one credit card brand but don't want to deal with multiple
bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card
account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer
of payments to the merchant's account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment
network for electronic funds transfer.

• Payment Gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment
messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and
payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment
gateway has some direct or network connection to the acquirer's financial processing system.

• Certification Authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders,
merchants, and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this
purpose. A hierarchy of CAs is used, so that participants need not be directly certified by a root authority.

Figure 1 Secure electronic commerce components.

SET in Action

SET is a dynamic, automated scheme that allows a customer with a credit card to order items over the Internet from merchants, in a
secure fashion. A typical scenario goes like this:

1. The customer opens an account. The customer obtains a credit card account, such as MasterCard or Visa, with a bank that
supports electronic payment and SET.

2. The customer receives a certificate. After suitable verification of identity, the customer receives an X.509v3 digital
certificate, which is signed by the bank. The certificate verifies the customer's RSA public key and its expiration date. It also
establishes a relationship, guaranteed by the bank, between the customer's key pair and his or her credit card.

Merchants Have Their Own Certificates

A merchant who accepts a certain brand of card must be in possession of two certificates for two public keys owned by the
merchant: one for signing messages, and one for key exchange. The merchant also needs a copy of the payment gateway's
public-key certificate.

3. The customer places an order. This is a process that may involve the customer first browsing through the merchant's web
site to select items and determine the price. The customer then sends a list of the items to be purchased from the merchant, who
returns an order form containing the list of items, their individual prices, a total price, and an order number.

4. The merchant is verified. In addition to the order form, the merchant sends a copy of its certificate, so that the customer
can verify that he or she is dealing with a valid store.

5. The order and payment are sent. The customer sends both an order and payment information to the merchant, along with
the customer's certificate. The order confirms the purchase of the items in the order form. The payment contains credit card
details. The payment information is encrypted in such a way that it cannot be read by the merchant. The customer's certificate
enables the merchant to verify the customer.

6. The merchant requests payment authorization. The merchant sends the payment information to the payment gateway,
requesting authorization that the customer's available credit is sufficient for this purchase.

7. The merchant confirms the order. The merchant sends confirmation of the order to the customer.

8. The merchant provides the goods or service. The merchant ships the goods or provides the service to the customer.

9. The merchant requests payment. This request is sent to the payment gateway, which handles all of the payment
processing.

Dual Signature

Before looking at the details of the SET protocol, let's discuss an important innovation introduced in SET: the dual signature. The
purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants
to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant doesn't need to know
the customer's credit card number, and the bank doesn't need to know the details of the customer's order. The customer is afforded
extra protection in terms of privacy by keeping these two items separate. However, the two items must be linked in a way that can
be used to resolve disputes if necessary. The link is needed so that the customer can prove that this payment is intended for this
order and not for some other goods or services.

To see the need for the link, suppose that the customer sends the merchant two messages: a signed OI and a signed PI, and the
merchant passes the PI to the bank. If the merchant can capture another OI from this customer, the merchant could claim that this OI
goes with the PI, rather than the original OI. The linkage prevents this. Figure 2 shows the use of a dual signature to meet this
requirement.

Figure 2 Construction of dual signature.

The customer takes the hash (using SHA-1) of the PI and the hash of the OI. These two hashes are then concatenated and the hash of
the result is taken. Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. The
operation can be summarized as shown in Figure 3, where KRc is the customer's private signature key:
Figure 3

Now suppose that the merchant is in possession of the dual signature (DS), the OI, and the message digest for the PI (PIMD). The
merchant also has the public key of the customer, taken from the customer's certificate. Then the merchant can compute the two
quantities shown in Figure 4, where KUc is the customer's public signature key:

Figure 4

If these two quantities are equal, the merchant has verified the signature. Similarly, if the bank is in possession of DS, PI, the
message digest for OI (OIMD), and the customer's public key, the bank can compute the following (see Figure 5):

Figure 5

Again, if these two quantities are equal, the bank has verified the signature. In summary,

1. The merchant has received OI and verified the signature.

2. The bank has received PI and verified the signature.

3. The customer has linked the OI and PI and can prove the linkage.

For example, suppose the merchant wants to substitute another OI in this transaction, to its advantage. It would then have to find
another OI whose hash matches the existing OIMD. With SHA-1, this is deemed not to be feasible. Thus, the merchant cannot link
another OI with this PI.
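The dual signature construction and the two verifications described above, as an added Python example that is not part of the original notes. It uses textbook RSA over a constructed, deliberately small (insecure) key pair and SHA-1 as the notes state; the OI and PI contents, including the card number, are constructed placeholders.

```python
"""SET dual signature, as an added illustration (not from the original notes).

Assumptions: textbook RSA with a constructed, deliberately small key pair built
from two Mersenne primes; SHA-1 because that is the hash the notes describe;
byte strings standing in for the OI and PI. Concatenation order follows the
text: H(PI) || H(OI).
"""
import hashlib

# Constructed key pair. 2^127-1 and 2^89-1 are both prime, so N is a valid RSA
# modulus, but far too small to be secure. KRc = (D, N), KUc = (E, N).
_P, _Q = 2**127 - 1, 2**89 - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent

def h(data: bytes) -> bytes:
    """SHA-1 message digest (20 bytes), the hash the notes specify."""
    return hashlib.sha1(data).digest()

def sign(digest: bytes) -> int:
    """'Encrypt with the private signature key' KRc: textbook RSA, no padding."""
    return pow(int.from_bytes(digest, "big"), D, N)

def recover(sig: int) -> int:
    """'Decrypt with the public signature key' KUc: the signed digest, as int."""
    return pow(sig, E, N)

def dual_signature(oi: bytes, pi: bytes) -> tuple[int, bytes, bytes]:
    """Customer: DS = E(KRc, H(H(PI) || H(OI))); also returns PIMD and OIMD."""
    pimd, oimd = h(pi), h(oi)
    return sign(h(pimd + oimd)), pimd, oimd

def merchant_verifies(ds: int, oi: bytes, pimd: bytes) -> bool:
    """Merchant holds OI and PIMD (never PI): recompute H(PIMD || H(OI))."""
    return recover(ds) == int.from_bytes(h(pimd + h(oi)), "big")

def bank_verifies(ds: int, pi: bytes, oimd: bytes) -> bool:
    """Bank holds PI and OIMD (never OI): recompute H(H(PI) || OIMD)."""
    return recover(ds) == int.from_bytes(h(h(pi) + oimd), "big")

# Constructed sample messages; the card number is an obvious placeholder.
OI = b"order=1042;items=2x widget@19.99;total=39.98"
PI = b"card=0000-0000-0000-0000;amount=39.98;order=1042"

if __name__ == "__main__":
    ds, pimd, oimd = dual_signature(OI, PI)
    print("merchant verifies:", merchant_verifies(ds, OI, pimd))  # True
    print("bank verifies:    ", bank_verifies(ds, PI, oimd))      # True
    # The substitution the notes describe: pairing this PI with another OI.
    # The substitute hashes to a different OIMD, so the signature check fails.
    other_oi = b"order=1042;items=20x widget@19.99;total=399.80"
    print("substituted OI:   ", merchant_verifies(ds, other_oi, pimd))  # False
```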

Internet Intruders: Spyware, Adware, Hijackers and Other Pests

Definitions

One of the first definitions of "Spyware" came from Steve Gibson: "any software which employs a user's Internet connection in the
background (the so-called "backchannel") without their knowledge or explicit permission. Silent background use of an Internet
"backchannel" connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the
receipt of explicit, informed, consent for such use. Any software communicating across the Internet absent these elements is guilty
of information theft and is properly and rightfully termed: Spyware."

Today, the word has broadened and shifted in meaning. "Spyware" is an emotionally charged word, and often means different things
to different people. Sometimes the term is used to mean Adware, or Browser Helper Object or Hijacker or Trojan, but in all cases,
the user of the word is referring to software that they did not intend to introduce to their machine, do not want, and are having
trouble removing.

Here are definitions for these common terms.

• Adware: "Software that brings targeted ads to your computer, after you provide initial consent for this task. Some Adware
may hijack the ads of other companies, replacing them with its own. Adware typically will track your browsing habits and
report this info to a central ad server."
• Browser Helper Object (BHO): "A component that Internet Explorer will load whenever it starts, shares IE's memory
context, can perform any action on the available windows and modules. A BHO can detect events, create windows to
display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to
infiltrate the browser's land." There are many exploits of this technology which search all pages you view in IE and replace
banner advertisements with other ads, monitor and report on your actions, change your home page, etc."
• Hijacker: "A trojan that may reset your browser's home page and/or search settings to point to other sites. Such sites are
sometimes porn sites, often loaded with advertising. Homepage Hijackers may prevent you from changing your browser's
homepage or from visiting a particular site."
• Spyware: "Any product that employs a user's Internet connection in the background without their knowledge, and
gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from
your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the
network to identify your computer), system information (such as time of visit, type of browser used, the operating system
and platform, and CPU speed.) Spyware products sometimes wrap other commercial products, and are introduced to
machines when those commercial products are installed."
• Trojan: "Unwanted software which runs in a user's machine, as an agent of the attacker, without user awareness. Unlike
viruses and worms, trojans do not replicate (make copies of themselves.)"

Internet Intruders are here defined as unwanted software that is installed while surfing the Internet, and that typically uses the
Internet in the process of exploiting the user and the user's machine. Typically such software is installed without the user's full
awareness of the consequences of such an install (although the user might have been given some notice of what would happen).
Such software is typically difficult to detect manually, and difficult to remove. It usually compromises some combination of the
user's privacy, the confidentiality of the user's information, or the user's productivity. Productivity is compromised when frequent
ads pop up, when bandwidth and storage space are consumed, when pages load more slowly, etc. In this tabulation, 'Internet Invaders'
are the aggregate of pests that are categorized elsewhere as Adware, AOL Pest, Browser Helper Object, Dialer, Downloader,
Firewall Killer, Hijacker, Hostile ActiveX, Hostile Java, Hostile Script, IRC War, Key Logger, Notifier, Password Capture, P2P,
RAT, and Spyware.
