Google Answers Logo
View Question
 
Q: e-commerce ( Answered 4 out of 5 stars,   0 Comments )
Question  
Subject: e-commerce
Category: Computers > Security
Asked by: ziani-ga
List Price: $100.00
Posted: 02 Feb 2004 16:56 PST
Expires: 03 Mar 2004 16:56 PST
Question ID: 302961
how to implement security in e-commerce for both the e-commerce
provider and customer?
Answer  
Subject: Re: e-commerce
Answered By: umiat-ga on 02 Feb 2004 23:52 PST
Rated:4 out of 5 stars
 
Hello, ziani-ga!

Thank you for you question. Ecommerce is becoming an increasingly
viable method for companies to transact business. However, security
still remains a very big concern both to the company and the consumer.

I have provided the following information to addresses each aspect of
your question.


WHY THE NEED FOR ECOMMERCE SECURITY?
=====================================
One of the primary concerns with ecommerce is security. Whenever
transactions are being processed between a vendor and a customer,
private information exchanges hands. One of the major worries cited by
ecommerce customers is the privacy of their personal and financial
information. Therefore, the implementation of security measures by
ecommerce vendors is a top priority for maintaining a viable business.
In fact, security issues have served as a major thrust in initiating
the development of businesses that center solely on ecommerce security
solutions.


"With new threats constantly cropping up -- ranging from hacking
threats to new viruses and identity thievery -- the number of security
companies getting into the game also has been rising steadily."
From "Sultans of E-Commerce Security," by Lou Hirsh. E-Commerce Times.
(April 5, 2002)http://www.ecommercetimes.com/perl/story/17074.html

=

The nature of the online business determines how much and what type of
security measures are necessary. Obviously, large financial
institutions and government entities that handle secure customer
transactions will demand greater security protection than, perhaps, a
small online gift store that handles a small range of transactions in
comparison.
  

"...the needs of an online bank, for instance, are completely
different from those of a site that sells books. Giga Information
Group research director Michael Rasmussen noted that while one seller
might be focused on server  security, another could be more worried
about content security. He said each company must address the issue by
looking at all pieces of the hardware and software puzzle, including
firewalls, routers and authentication systems. "It's no different from
the issues pertaining to internal security," Rasmussen told the
E-Commerce Times. "There are so many things to look into, because
there are so many areas for vulnerability."
From "Sultans of E-Commerce Security," by Lou Hirsh. E-Commerce Times.
(April 5, 2002) http://www.ecommercetimes.com/perl/story/17074.html

=


MEASURES THAT CAN BE IMPLEMENTED TO HEIGHTEN ECOMMERCE SECURITY 
================================================================

The Canadian Revenue Service highlights a range of important ecommerce
security concerns  and the steps that can be implemented to address
them. Encryption, Digital Signatures, Digital Certificates, Passwords,
Virus Protection and Firewalls are some of the measures that can
increase security for both the vendor and the customer.

The following is excerpted from the Canadian Revenue Service website at:
http://www.ccra-adrc.gc.ca/notices/security_concerns-e.html 

* Confidentiality - "Sensitive information sent over the Internet is
to be kept private, and only the person the information was sent to
can read it. No one else can read the messages to view your personal
information.  Using encryption is an effective way to keep information
confidential."
 
* Authenticity - "Those participating in a transaction over the
Internet must be able to prove they are who they claim to be. We must
be able to verify the identity of each participant to avoid fraud.
This can be done by using passwords, digital certificates, digital
signatures or shared secrets (information only you and CRA know)."

* Non-repudiation - "Participants cannot complete a transaction over
the Internet and later deny it happened. Digital signatures can be
used for this purpose."

* Integrity - "Integrity implies that the information sent over the
Internet or accessible on the Internet cannot be altered. In the case
of a message sent over the Internet, the content of the message
received must be the same as the content of the message sent, with no
changes made. Digital signatures can prove data integrity by detecting
changes. In the case of information such as stored data available on
Internet connected computers (such as your personal computer),
precautions must be taken to prevent anyone from making unauthorized
deletions or changes. Safety measures include anti-virus software and
encryption. Data backups can be used to restore data in cases where
stored information is damaged."

* Access control - "Only authorized people can access the information,
computer, and network. Firewalls, access rights, passwords, and
authorization certificates are tools used to control access."

* Availability - "When information or a service is needed, it can be
accessed reliably. Information sent over the Internet must have
dependable channels and equipment that stores data, and that are
operational when needed. Computer equipment must be physically
protected from harm but also protected from power outages, system
failures, and overloads. Steps that ensure availability include
monitoring, data backups, anti-virus software, and adequate computer
resources. CRA endeavours to maintain a very high level of
availability for the services it offers."



FURTHER DESCRIPTIONS OF INDIVIDUAL SECURITY MEASURES
=====================================================

What is Encryption?
-------------------
"Encryption has been used to transmit messages in various formats for
hundreds of years; it is not a new concept created just for the
Internet. As technology has evolved, so have the methods of encryption
- from manually coding text to using complex computer programs."

"Encryption uses a mathematical formula and an encryption key to
scramble information so that an unauthorized person cannot understand
the information. The scrambled information is decoded - or converted
back - into the original format using the same mathematical formula
and a decryption key so an authorized person can understand it. While
the information is encrypted, it cannot be viewed."
http://www.ccra-adrc.gc.ca/notices/security_tools-e.html#P203_20952 
   

What are Digital Certificates and Digital Signatures?
-------------------------------------------------------
"A digital certificate is an electronic credential that verifies the
identity of its holder. The digital certificate is issued by a
certification authority and contains information on the identity of
the holder. It cannot be forged. The digital certificate ties the
holder's identity to a public key. Digital certificates are critical
tools for the secure and trusted use of electronic networks, as they
enable protected information to be sent, received, and accessed
securely. If a digital certificate is suspected of being compromised,
it is revoked."

"A digital signature is a type of electronic identification that can
confirm the identity of the sender of a message, whether the message
is encrypted or not. Digital signatures can only be generated by the
signer. They can be verified, are tamperproof, cannot be forged or
repudiated, and ensure that the information contained in the message
is not changed during transmission."
http://www.ccra-adrc.gc.ca/notices/security_tools-e.html#P218_25059
 

What are Firewalls?
-------------------
"A firewall acts as a barrier between internal and external computers
in a network, controlling the flow of information between the two.
When a computer outside the firewall tries to communicate with a
computer inside, it must first communicate with the firewall, which
drops, allows or denies requests before it passes them to the
destination computer. This process protects the destination computer
from unauthorized access."
http://www.ccra-adrc.gc.ca/notices/security_tools-e.html#P56_9882


What is Anti-Virus Software?
----------------------------
"Anti-virus software scans your computer and email messages for
viruses. You have to regularly update your anti-virus software to be
able to detect new viruses. Your anti-virus software helps protect the
data on your computer software and your operating system."
http://www.ccra-adrc.gc.ca/notices/security_tools-e.html#P52_9303



WHAT ABOUT PROTECTING INFORMATION FROM EMPLOYEES WITHIN THE COMPANY?
=====================================================================
Customers often worry about the security of their payment information
as transactions are processed online. But what about when their
personal information has safely reached the company? What about the
protection of their private information from the ecommerce company's
own employees?

=

"According to Entrepreneur Magazine, "current employees and
disgruntled ex-workers are the most common violators of company data"
(Page, 1998, 14). Beyond taking measures to avoid attacks from
disgruntled employees, businesses can utilize access control software
that tracks or blocks employee access to sites. Businesses should also
develop a written security policy that prohibits threats to the
network's stability (Kawamoto, 2002). Another threat can come from
hackers entering a network through abandoned employee access accounts
(Eads, 2000). Security consultants suggest hiring "white hat" hackers,
or professional software experts, to test the system's security and
fix network weak spots (Chadderdon, 2001, 4)."

From "Internet Security Concerns Affect E-Commerce and Small
Businesses," by Edana Sarty. Kauffman Center for Entrepreneurial
Leadership (Last updated 02/21/2003)
http://www.celcee.edu/publications/digest/Dig02-02.html



DO CURRENT ECOMMERCE SECURITY MEASURES MAKE CONSUMERS FEEL PROTECTED?
======================================================================
Research shows that it will take time, persistence and diligent
implementation of advanced security measures by ecommerce companies to
win over the wariest customers. Security concerns are often mentioned
as the primary reason that potential customers shy away from internet
transactions.

Read the following:

"In 2001, a survey by Forrester, an independent research firm focusing
on technology and business, predicted that $15 billion in potential
e-commerce would be lost due to concerns about online privacy security
(Regan, 2001). A nationwide public opinion poll released by the ITAA a
year earlier found 67% of those surveyed were concerned about
cyber-security, and 61% were less likely to do business on the
Internet as a result of cyber-crime (Burton, 2000). Because businesses
often collect personal information about their clients, there is
particular concern over the safety of customer databases. Sixty
percent of consumers surveyed by the Forrester survey of 2001 reported
concern over the possibility of their personal information reaching a
third party, even via a trusted company (Regan, 2001). While the
Internet can be a useful tool to cheaply collect customer profile
information, many consumers fear becoming targets of unsolicited
commercial e-mail."

"Credit card fraud is a big concern when it comes to online
transactions. In 1999, Visa International reported that half of all
credit card disputes were over Internet transactions, while e-commerce
made up only 2% of the company's total business ("The Growing Threat
of Internet Fraud,"1999). Visa also found that throughout the European
Union (EU), only 5% of consumers trust e-commerce and "even when there
is no credit card fraud, goods correctly ordered and paid for never
arrive" ("The Growing Threat of Internet Fraud", 1999, 11)."

"In an attempt to encourage economic growth via the Internet, the
number of government and private organizations trying to track and
fight electronic crimes has been growing (Feder, 2002). However, legal
action over Internet concerns has been limited because many businesses
are reluctant to provide law-enforcement officials with sufficient
information to pursue cyber criminals. Officials from the FBI suggest
companies "often fear that they will lose business if security
breaches become public or that they will become the target of revenge
attacks"(Feder, 2002, 3)."

"Despite advancements in web host security and encryption, consumer
fear continues to stifle the ability of companies to facilitate
transactions and documentation via the Internet. An ITAA survey in
June, 2000 found that 72% of respondents would not feel safe using a
secure digital signature to sign a legal document (Burton, 2001). New
fears of terrorism have also increased concern over Internet security.
After the terrorist attacks of September 11th, another ITAA survey in
December, 2000 found that an overwhelming 70% of respondents were
concerned about cyber security and 74% worried that their personal
information could be stolen online (Burton, 2001). According to ITAA
President Harris N. Miller, the terrorist attacks have created
uncertainty and anxiety over internet security."

Read "Internet Security Concerns Affect E-Commerce and Small
Businesses," by Edana Sarty. Kauffman Center for Entrepreneurial
Leadership (Last updated 02/21/2003)
http://www.celcee.edu/publications/digest/Dig02-02.html

=

For further information and an extensive list of statistics and links
regarding security concerns and ecommerce, refer to:

"Most Americans have Internet-security concerns," by Jon Surmacz. CSO
online. (December 13, 2001)
http://www.csoonline.com/metrics/viewmetric.cfm?id=302



WHAT SHOULD CONSUMERS LOOK FOR ON AN ECOMMERCE VENDOR'S WEBSITE?  
=================================================================

The following tips are included in the article "Ecommerce: How to Keep
Your Transaction Safe." University of Washington Computing &
Communications. Windows on Computing, No. 22, (Winter 1999)
http://www.washington.edu/computing/windows/issue22/ecommerce.html


Use Secure Technology
---------------------
"Probably the most important thing you can do is to verify that the
merchant uses secure ecommerce technology. Look on your merchant's Web
site for information on how their use of technology will protect your
transaction. Some merchants provide some sort of guarantee."


Connect to Correct Web Address
------------------------------
"Verify that you are connected to the Web site of the business to
which you intend to send private information. Examine the address you
think you should be connected to and if it looks questionable,
investigate further." (For further information on this topic, see 
"What Is Web Spoofing?"
http://www.washington.edu/computing/windows/issue22/spoofing.html)

 
Use an Encrypted Session
------------------------
"Before sending any private information, make certain your session is
encrypted. This means you will see the prefix "https:" instead of
"http:" in the URL in your browser's address window. The "s" in the
"https:" prefix shows that the communications channel is being
encrypted with a protocol called SSL (Secure Sockets Layer), and
therefore cannot be sniffed."


Check for Security Symbols
---------------------------
"Some browsers have a padlock or key displayed in the lower left-hand
corner. These are security symbols that tell you if your data is being
encrypted before it is sent to the server. If it is encrypted, then
the padlock will be locked, or the key will be solid. If it is not
encrypted, then the padlock will be open, or the key will be broken.
If you are entering private information into a Web form, you will want
to check to be sure your transaction is encrypted."


Keep a Record
------------- 
"Print screens after you fill them out and just before you submit them
so you have a paper record of your transaction. This will be useful if
you need to contact the credit card company or merchant and are asked
to provide evidence of your transaction."

  
======


I hope this information is clear, complete and provides a helpful
answer to your question. Again, if you are unclear about any of the
information I have provided, please don't hesitate to ask in a
clarification and I will be happy to help if I can!


Sincerely,

umiat-ga 

Google Search Strategy
internet security concerns
security for ecommerce providers
is ecommerce safe?
ziani-ga rated this answer:4 out of 5 stars

Comments  
There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  


Google Home - Answers FAQ - Terms of Service - Privacy Policy