E-Com Module 4&5


Security Issues

Security is an essential part of any transaction that takes place over the internet.
Customers will lose their faith in an e-business if its security is compromised. The
following are the essential requirements for safe e-payments/transactions:

• Confidentiality − Information should not be accessible to unauthorized persons. It
should not be intercepted during transmission.
• Integrity − Information should not be altered during its transmission over the
network.
• Availability − Information should be available wherever and whenever it is
required, within the specified time limit.
• Authenticity − There should be a mechanism to authenticate the user before giving
him/her access to the required information.
• Non-Repudiation − This is protection against denial of an order or denial of a payment.
Once a sender sends a message, the sender should not be able to deny having sent
the message. Similarly, the recipient of the message should not be able to deny its
receipt.
• Encryption − Information should be encrypted and decrypted only by authorized
users.
• Auditability − Data should be recorded in such a way that it can be audited for
integrity requirements.

Measures to ensure Security


The major security measures are the following:
• Encryption − This is a very effective and practical way to safeguard data being
transmitted over the network. The sender of the information encrypts the data using a
secret key, and only the intended receiver can decrypt the data using the same or a
related secret key.
• Digital Signature − A digital signature ensures the authenticity of the information.
It is an electronic signature whose authenticity is established through encryption
and the signer's secret key.
• Security Certificates − A security certificate is a unique digital ID used to verify the
identity of an individual, website or user.

Security Protocols in Internet


The following are the popular protocols used over the internet to ensure the security of
transactions made over the internet.
Secure Socket Layer (SSL)
It is the most commonly used protocol and is widely used across the industry. It meets the
following security requirements:
• Authentication
• Encryption
• Integrity
• Non-repudiation
"https://" is used for HTTP URLs with SSL, whereas "http://" is used for HTTP URLs
without SSL.
Secure Hypertext Transfer Protocol (SHTTP)
SHTTP extends the HTTP internet protocol with public key encryption, authentication
and digital signatures over the internet. Secure HTTP supports multiple security
mechanisms that provide security to end users. SHTTP works by negotiating the encryption
scheme types used between client and server.

Secure Electronic Transaction


It is a secure protocol developed by MasterCard and Visa in collaboration. It has the
following components:
• Card Holder's Digital Wallet Software − The digital wallet allows the card holder to
make secure purchases online via a point-and-click interface.
• Merchant Software − This software helps merchants communicate with
potential customers and financial institutions in a secure manner.
• Payment Gateway Server Software − The payment gateway provides an automatic
and standard payment process. It supports the process for the merchant's certificate
request.
• Certificate Authority Software − This software is used by financial institutions
to issue digital certificates to card holders and merchants and to enable them to
register their account agreements for secure electronic commerce.

Digital signatures
The digital equivalent of a handwritten signature or stamped seal, but offering far more
inherent security, a digital signature is intended to solve the problem of tampering and
impersonation in digital communications. Digital signatures can provide the added
assurance of evidence of the origin, identity and status of an electronic document,
transaction or message, as well as acknowledging informed consent by the signer.
In many countries, including the United States, digital signatures have the same legal
significance as the more traditional forms of signed documents. The United States
Government Printing Office publishes electronic versions of the budget, public and
private laws, and congressional bills with digital signatures.
How digital signatures work
Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm such as RSA, one can generate two keys
that are mathematically linked: one private and one public. To create a digital signature,
signing software (such as an email program) creates a one-way hash of the electronic
data to be signed. The private key is then used to encrypt the hash. The encrypted hash
-- along with other information, such as the hashing algorithm -- is the digital signature.
The reason for encrypting the hash instead of the entire message or document is that a
hash function can convert an arbitrary input into a fixed length value, which is usually
much shorter. This saves time since hashing is much faster than signing.
The value of the hash is unique to the hashed data. Any change in the data, even
changing or deleting a single character, results in a different value. This attribute
enables others to validate the integrity of the data by using the signer's public key to
decrypt the hash. If the decrypted hash matches a second computed hash of the same
data, it proves that the data hasn't changed since it was signed. If the two hashes don't
match, the data has either been tampered with in some way (integrity) or the signature
was created with a private key that doesn't correspond to the public key presented by
the signer (authentication).
A digital signature can be used with any kind of message -- whether it is encrypted or
not -- simply so the receiver can be sure of the sender's identity and that the message
arrived intact. Digital signatures make it difficult for the signer to deny having signed
something (non-repudiation) -- assuming their private key has not been compromised --
as the digital signature is unique to both the document and the signer, and it binds them
together. A digital certificate, an electronic document that contains the digital signature
of the certificate-issuing authority, binds together a public key with an identity and can
be used to verify a public key belongs to a particular person or entity.
Encryption
The primary purpose of encryption is to protect the confidentiality of digital data stored
on computer systems or transmitted via the Internet or other computer networks.
Modern encryption algorithms play a vital role in the security assurance of IT systems
and communications as they can provide not only confidentiality, but also the following
key elements of security:
• Authentication: the origin of a message can be verified.
• Integrity: proof that the contents of a message have not been changed since it was sent.
• Non-repudiation: the sender of a message cannot deny sending the message.
The word encryption comes from the Greek word kryptos, meaning hidden or secret.
The use of encryption is nearly as old as the art of communication itself. As early as
1900 BC, an Egyptian scribe used non-standard hieroglyphs to hide the meaning of an
inscription. In a time when most people couldn't read, simply writing a message was
often enough, but encryption schemes soon developed to convert messages into
unreadable groups of figures to protect the message's secrecy while it was carried from
one place to another. The contents of a message were reordered (transposition) or
replaced (substitution) with other characters, symbols, numbers or pictures in order to
conceal its meaning.
Until the arrival of the Diffie-Hellman key exchange and RSA algorithms, governments
and their armies were the only real users of encryption. However, Diffie-Hellman and
RSA led to the broad use of encryption in the commercial and consumer realms to
protect data both while it is being sent across a network (data in transit) and stored,
such as on a hard drive, smartphone or flash drive (data at rest). Devices like modems,
set-top boxes, smartcards and SIM cards all use encryption or rely on protocols like
SSH, S/MIME, and SSL/TLS to encrypt sensitive data. Encryption is used to protect
data in transit sent from all sorts of devices across all sorts of networks, not just the
Internet; every time someone uses an ATM or buys something online with a
smartphone, makes a mobile phone call or presses a key fob to unlock a car,
encryption is used to protect the information being relayed. Digital rights management
systems, which prevent unauthorized use or reproduction of copyrighted material, are
yet another example of encryption protecting data.

How encryption works


Data, often referred to as plaintext, is encrypted using an encryption algorithm and an
encryption key. This process generates ciphertext that can only be viewed in its original
form if decrypted with the correct key. Decryption is simply the inverse of encryption,
following the same steps but reversing the order in which the keys are applied. Today's
encryption algorithms are divided into two categories: symmetric and asymmetric.
Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a
message or file. The most widely used symmetric-key cipher is AES, which was created
to protect government classified information. Symmetric-key encryption is much faster
than asymmetric encryption, but the sender must exchange the key used to encrypt the
data with the recipient before he or she can decrypt it. This requirement to securely
distribute and manage large numbers of keys means most cryptographic processes use
a symmetric algorithm to efficiently encrypt data, but use an asymmetric algorithm to
exchange the secret key.
Asymmetric cryptography, also known as public-key cryptography, uses two different
but mathematically linked keys, one public and one private. The public key can be
shared with everyone, whereas the private key must be kept secret. RSA is the most
widely used asymmetric algorithm, partly because both the public and the private keys
can encrypt a message; the opposite key from the one used to encrypt a message is
used to decrypt it. This attribute provides a method of assuring not only confidentiality,
but also the integrity, authenticity and non-repudiation of electronic communications and
data at rest through the use of digital signatures.
Cryptographic hash functions
A cryptographic hash function plays a somewhat different role than other cryptographic
algorithms. Hash functions are widely used in many aspects of security, such as digital
signatures and data integrity checks. They take an electronic file, message or block of
data and generate a short digital fingerprint of the content called a message digest or
hash value. The key properties of a secure cryptographic hash function are:
• Output length is small compared to the input
• Computation is fast and efficient for any input
• Any change to the input affects many output bits
• One-way: the input cannot be determined from the output
• Strong collision resistance: two different inputs can't create the same output
In 2012, the National Institute of Standards and Technology (NIST) announced Keccak
as the winner of its Cryptographic Hash Algorithm Competition to select a next-generation
cryptographic hash algorithm. The Keccak (pronounced "catch-ack")
algorithm will be known as SHA-3 and complements the SHA-1 and SHA-2 algorithms
specified in FIPS 180-4, Secure Hash Standard. Even though the competition was
prompted by successful attacks on MD5 and SHA-0 and the emergence of theoretical
attacks on SHA-1, NIST has said that SHA-2 is still "secure and suitable for general
use."
The ciphers in hash functions are built for hashing: they use large keys and blocks, can
efficiently change keys every block and have been designed and vetted for resistance to
related-key attacks. General-purpose ciphers used for encryption tend to have different
design goals. For example, the symmetric-key block cipher AES could also be used for
generating hash values, but its key and block sizes make it nontrivial and inefficient.
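Two of the hash properties listed above (fixed short output, and a single changed input bit affecting many output bits) measured on SHA-256, as an added example that is not part of the original notes. The sample order string and the fixed random seed are constructed for the demonstration.

```python
# Added example (not from the course notes): measure the avalanche property of
# SHA-256 by flipping one random input bit many times and counting how many of
# the 256 digest bits change; a secure hash averages about half.
import hashlib
import random


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def avalanche_fraction(data: bytes, trials: int = 200, seed: int = 7) -> float:
    """Average fraction of digest bits that change when one input bit is flipped."""
    rng = random.Random(seed)  # fixed seed so the measurement is repeatable
    base = sha256_digest(data)
    total = 0
    for _ in range(trials):
        flipped = flip_bit(data, rng.randrange(len(data) * 8))
        total += hamming_distance(base, sha256_digest(flipped))
    return total / (trials * len(base) * 8)


if __name__ == "__main__":
    sample = b"Order 4711: pay 100.00 INR to merchant"  # constructed input
    # Output length is fixed regardless of input size.
    print("digest bits (short input):", len(sha256_digest(sample)) * 8)
    print("digest bits (100 KB input):", len(sha256_digest(b"x" * 100_000)) * 8)
    print("avalanche fraction:", round(avalanche_fraction(sample), 3))
```

A value near 0.5 means roughly half of the digest bits change for a one-bit edit, which is why a verifier comparing stored and recomputed hashes detects even a single-character change.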
Electronic Payment System
E-Commerce or Electronic Commerce sites use electronic payment, where electronic
payment refers to paperless monetary transactions. Electronic payment has
revolutionized business processing by reducing paperwork, transaction costs and
labour costs. Being user friendly and less time consuming than manual processing, it
helps a business organization expand its market reach. Some of the
modes of electronic payment are the following:
• Credit Card
• Debit Card
• Smart Card
• E-Money
• Electronic Fund Transfer (EFT)

Credit Card
Payment using a credit card is one of the most common modes of electronic payment. A credit card is a
small plastic card with a unique number attached to an account. It also has a magnetic strip
embedded in it which is used to read the credit card via card readers. When a customer purchases
a product via credit card, the credit card issuer bank pays on behalf of the customer, and the customer
has a certain time period after which he/she must pay the credit card bill. This is usually the credit card's
monthly payment cycle. The following are the actors in the credit card system:
• The card holder - the customer
• The merchant - the seller of the product, who can accept credit card payments
• The card issuer bank - the card holder's bank
• The acquirer bank - the merchant's bank
• The card brand - for example, Visa or MasterCard

Credit card payment process


Step 1: The bank issues and activates a credit card for the customer on his/her request.
Step 2: The customer presents the credit card information to the merchant site, or to the
merchant from whom he/she wants to purchase a product/service.
Step 3: The merchant validates the customer's identity by asking for approval from the
card brand company.
Step 4: The card brand company authenticates the credit card and pays for the
transaction by credit. The merchant keeps the sales slip.
Step 5: The merchant submits the sales slip to the acquirer bank and gets paid, less the
service charges.
Step 6: The acquirer bank requests the card brand company to clear the credit
amount and gets the payment.
Step 7: The card brand company now asks the issuer bank to clear the amount,
and the amount gets transferred to the card brand company.

Debit Card
A debit card, like a credit card, is a small plastic card with a unique number mapped to a bank
account number. It is necessary to have a bank account before getting a debit card from the
bank. The major difference between a debit card and a credit card is that in the case of payment
through a debit card, the amount gets deducted from the card's bank account immediately, and there
must be sufficient balance in the bank account for the transaction to be completed, whereas in the
case of a credit card there is no such compulsion.
Debit cards free the customer from carrying cash and cheques, and merchants accept debit cards more
readily. The restriction to the amount available in the bank account also helps the customer keep a
check on his/her spending.

Smart Card
A smart card is again similar to a credit card and debit card in appearance, but it has a small
microprocessor chip embedded in it. It has the capacity to store the customer's work-related/personal
information. A smart card can also be used to store money, which is reduced as it is used.
A smart card can be accessed only using the customer's PIN. Smart cards are secure as they
store information in encrypted form, and they are less expensive and provide faster
processing. Mondex and Visa Cash cards are examples of smart cards.

E-Money
E-Money transactions refer to situations where payment is made over the network and the amount
gets transferred from one financial body to another financial body without the involvement of a
middleman. E-money transactions are faster, more convenient and save a lot of time.
Online payments made via credit card, debit card or smart card are examples of e-money
transactions. Another popular example is e-cash. In the case of e-cash, both the customer and the
merchant have to sign up with the bank or company issuing the e-cash.

Electronic Fund Transfer


It is a very popular electronic payment method for transferring money from one bank account to
another bank account. The accounts can be in the same bank or in different banks. A fund transfer can be
done using an ATM (Automated Teller Machine) or using a computer.
Nowadays, internet-based EFT is gaining popularity. In this case, the customer uses the website
provided by the bank. The customer logs in to the bank's website and registers another bank
account. He/she then places a request to transfer a certain amount to that account. The customer's
bank transfers the amount to the other account if it is in the same bank; otherwise the transfer request is
forwarded to the ACH (Automated Clearing House) to transfer the amount to the other account, and the amount
is deducted from the customer's account. Once the amount is transferred to the other account, the customer is
notified of the fund transfer by the bank.
E-COMMERCE LAWS IN THE INDIAN PERSPECTIVE

A facilitative legal framework is a sine qua non for the promotion and development of a
technology like electronic commerce. Besides developing the e-infrastructure in the
country through effective Telecom Policy measures, the Indian Government is taking
appropriate steps as confidence-building measures for the growth
of e-commerce. It has created the necessary legal and administrative framework
through the enactment of the Information Technology Act 2000, which combines e-commerce
transactions and computer misuse and fraud in an Omnibus Act.
While on the one hand it seeks to create a Public Key Infrastructure for electronic
authentication through digital signatures, on the other hand it seeks to build
confidence among the public that frauds in cyberspace will not go unpunished.
The Controller of Certifying Authorities (CCA) has been put in place for the effective
implementation of the IT Act, 2000. The Act also enables e-governance applications for
the electronic delivery of services to the public, business and government.

The Information Technology Act, 2000 and E-Commerce

The Information Technology Act 2000 is based on the Model Law on Electronic Commerce
adopted by the United Nations Commission on International Trade Law (UNCITRAL)
and pioneering e-commerce enabling legislation such as the Utah Digital Signatures
Act, 1995; the Singapore Electronic Transactions Act, 1999; and the Malaysian
Electronic Signatures Act. The main objective behind the introduction of the IT Act, 2000 is
to encourage an environment in which the laws are simple and transparent and in
which the advantages of e-commerce can be tapped. The Act aims to provide legal
recognition for transactions carried out by means of electronic data interchange
and other means of electronic communication, commonly referred to as "Electronic Commerce",
which involve the use of alternatives to paper-based methods of communication and
storage of information, and to facilitate the electronic filing of documents with government
agencies. The Act comprises three significant aspects of e-commerce:
• Legal recognition of electronic records and communications: the contractual framework,
evidentiary aspects, digital signatures as the method of authentication, and rules for
determining the time and place of dispatch and receipt of electronic records.
• Regulation of Certification Authorities: appointment of a Controller of CAs, grant of
licences to CAs, duties vis-à-vis subscribers of digital signature certificates, and recognition of
foreign CAs.
• Cyber contraventions: civil and criminal violations, penalties, and establishment of the
Adjudicating Authority and the Cyber Regulatory Appellate Tribunal.
As the Act establishes the legal validity and enforceability of digital signatures and electronic
records, as well as secure digital signatures and secure electronic records, it will
enable the growth of e-commerce in India, because secure computer-based
signatures will:
• Minimize the incidence of electronic forgeries.
• Enable and foster authentication of computerized communications.
• Facilitate commerce by means of electronic communications.
Further, the electronic filing of records and retention of information in electronic formats,
enabled by the IT Act, 2000, will help save costs, time and manpower for
corporates.
By virtue of the recognition given to electronic records, electronic documents and
electronic signatures, consequential amendments have been made to some existing laws.
The Act amends the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Banker's
Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934, and deals with matters
connected therewith or incidental thereto. The main purpose of these amendments is to
address the related issues of electronic commerce, electronic crimes and evidence, and
to enable further regulation of electronic fund transfer.

Security Provisions of the IT Act, 2000


One of the most important issues in the context of e-commerce relates to the security of
business and commercial transactions. A security threat in terms of the Internet has been
defined as a circumstance, condition or event with the potential to cause economic
hardship to data/network resources in the form of destruction, disclosure, modification of
data, denial of service, fraud and abuse. The IT Act 2000 not only amends the Indian
Penal Code to bring within its scope conventional offences committed electronically, but
also creates a new breed of information technology offences, the prevention of which
is incidental to the maintenance of a secure electronic environment for e-commerce.
To make e-commerce transactions safe and secure, the IT Act 2000 provides for
investigation, trial and punishment of certain offences (these offences are found in
Chapter XI of the Act) such as source code attacks (section 65), hacking (section 66),
obscenity (section 67), failure to comply with the Controller's directions (section 68),
a subscriber's failure to comply with the Controller's requirement for decryption (section 69), accessing
designated protected systems (section 70), misrepresentation to the CCA (section 71),
breach of privacy/confidentiality (section 72), publishing a false digital signature certificate
(section 73), and making available a digital signature for a fraudulent purpose (section 74).
Section 75 of the IT Act deals with offences or contraventions committed outside
India, and reads as:
(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also
to any offence or contravention committed outside India by any person irrespective of
his nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or
contravention committed outside India by any person if the act or conduct constituting
the offence or contravention involves a computer, computer system or computer
network located in India.
Readiness of E-Commerce Laws in India
The IT Act 2000, in spite of being a special regime for e-commerce, has done little to
achieve the objective stated in its preamble. In its current form the Act is completely
inadequate, as it has several drawbacks and grey areas. There are still many important
issues and areas which are very important for the promotion and development of
e-commerce in India and which are not covered by the IT Act, 2000. The issues and areas
which are not touched/covered by the IT Act, 2000 are:
• Electronic payment and how electronic transactions are going to be made.
• Intellectual Property Rights.
• Negotiable instruments such as cheques, banker's orders, pay orders etc.
• E-taxation.
• Rights and liabilities of domain name holders, the most basic starting point
for anyone interested in an e-commerce business.
• WAP (Wireless Application Protocol) and Mobile Commerce.
• Protection of e-consumers.
• Privacy issues.

Indian law is also silent on the most important issue of domain name disputes.
Domain names are registered on a first come, first served basis, and in such cases
much depends on the observations of the courts. There is no specific Indian law on
domain names except the judicial pronouncements, which have reiterated the principle
of law that domain names are valuable property and are entitled to trade mark
protection. Another very important issue in e-commerce is that relating to content. If any
site contains material that is lascivious or appeals to the prurient interest of internet
users, the uploading of the material will distinctly attract the provisions of Section 67 of
the Information Technology Act 2000, and such an act will be liable for punishment.
