One of the main reasons that organizations cite for not engaging in Internet commerce is security issues. The concerns are not just related to payment systems, but to a range of issues that stem from being connected to the Internet.
Developing adequate security measures should be high on the agenda of any Internet commerce development team.
The organization should develop a security policy that covers the entire information system. It should outline the general policies in relation to security, the levels of security that should be adopted, the key risks, and the people who are responsible for maintaining security.
Because Web-based systems are part of broader networks, the broader environment should be made secure. This includes the physical environment as well as the software environment. Those features of the Web application systems that are not already covered by the security measures for the information system can then be considered. Once in operation, the security measures and procedures need to be monitored and evaluated for effectiveness.
Risk Analysis
Developing adequate security measures is all about the assessment of risk. Even with the costliest of safeguards in place, there can be no guarantees that the system will be 100% secure. Therefore, the levels of security required are determined by factors such as the value of the data being protected and the types of likely threats to the system.
Costs are associated with putting security measures into place. Some of these are purely financial costs and others may be just an inconvenience. Web developers should assess the value of the data and information they are about to protect, what the likely cost of system disruption would be, and the possible loss of business that would arise. For instance, there is little point in putting high-cost security measures in place to protect low-value data and information.
However, only the organization can put a value on the loss of business or the value on the data being protected. Hence, security is always a tradeoff in terms of the level of security and the associated costs.
The designers must assess where the main threats to the system are. Do they come from within the organization or outside of the organization? Do deliberate acts of malicious damage or accidental events pose the main threat?
The fact is that most of the problems in any security environment arise from not attending to the basics adequately.
A number of security issues need to be addressed when developing Internet commerce systems. Obviously payment systems and secure transactions are a major concern and these are addressed here, but first a classification of Internet security issues is presented.
Physical Security
The hardware infrastructure of the Web technology needs to be kept secure just as with any information system within an organization. This means that the Web server should be in a secure location with a locked door and accessed only by authorized personnel. However, this type of threat is probably not so significant within a networked environment. The reason for this is that the software and data on the Web server or accessed via the Web server can be modified or deleted by a variety of other methods that are discussed shortly.
Backups of any transactions should be made and a copy stored off site in case of fire. Again, they should be made physically secure. The Web server, application server, and database server, if these are being used, should be protected against power surges by uninterruptible power supplies. After a system crash, adequate procedures for rebooting the system and restoring service to the users should be in place.
Software security for Internet systems could be the topic of a book in its own right. What follows is a brief overview of the main issues.
Network Security: Firewalls
A firewall is a system that can be used to protect a network or system from threats outside and inside the organization. The firewall could be used to separate the intranet from other systems within the organization or outside of the organization (Figure 7.6). An important point to remember is that not all threats come from outside of the organization.
If the organization requires that staff have access to the Internet and/or allows access to the server from outside, then the firewall needs to be inside the organization’s server. The firewall can be used to allow access (sometimes restricted) to the Internet and to monitor what is retrieved. It can also be used to allow only authorized external users access to the internal systems (Figure 7.7).
A firewall can block certain incoming traffic by means of passwords and IP addresses, and it can restrict outgoing traffic. The firewall can also be used to log the volume of traffic passing in and out of the organization.
Developing an effective firewall system is not an easy task. There might be a tendency to become too severe in what is allowed in and out of the organization and also in monitoring too much of the communication. If a security policy has been developed for the organization, then this will help in defining the level of firewall security needed.
Figure 7.6 A firewall to protect the intranet. (Diagram labels: firewall and intranet server; other server; local area network.)
Virus Attacks
When corporate networks have a connection to the Internet, they run the risk of virus infection via e-mail attachments and via files downloaded through a browser. Each user needs to have an up-to-date virus scanner that can detect and delete the most recent strains of virus. As far as downloading files is concerned, users should be aware of a number of factors.
Users should avoid or minimize the downloading of files, whether software or documents, from sites that have no reputation to lose. Downloading files from major software vendors lends some assurance that the files will not contain code that has malicious intent. The reason for this is that files are more likely to have been checked and their quality ensured before they are released to the public because the company’s reputation is on the line. A personal site, or even a university site, does not have the same type of reputation at stake when providing free downloads. Free software should also be viewed with some suspicion for much the same reasons, particularly if it is from an unrecognized software vendor.
Potential problems can arise when accessing Web sites that use Java applets, even though Java has been made secure by not allowing applets to write to the user’s hard disk without permission. However, many users would give permission to store configuration information for the applet on the disk because they are unaware of the consequences or just trust the site from which they are downloading. These downloads could result in a number of problems.
Once the applet has been allowed access to the “inside,” it can carry out three main forms of malicious behavior. The Trojan horse analogy is most appropriate for describing this type of threat because rather than trying to break into a computer, the applet is actually voluntarily brought inside without knowledge that it contains rogue code.
The first form of attack is aimed at disclosure of information. A malicious program, once resident on a system, could send information back to the originators of the code. It would be very difficult, however, for the program to know which files were important. The second form of attack relates to compromising information integrity. If a program modifies records in the database this could lead to severe problems for the organization. If the records were financial statements, for example, it may look as if a customer spent money that they did not actually have in their account. The third form of attack is denial of service. This involves some aspect of the system no longer being available. Examples are system crashes, using up all of the RAM and thereby slowing the system, or even using up a large percentage of the CPU time. The consequences of this form of attack can be disastrous for some companies.
Figure 7.7 A firewall to allow external access. (Diagram labels: Internet server; local area network; firewall; outside.)
Encryption
Encryption is a method of changing the text in a file by using a coding system. It can be used when a file is transmitted over the Internet. If the file is intercepted and read without the decoding key, the contents of the file would be meaningless. The authorized receiver of the file requires the decryption algorithm to read the file. This is termed end-to-end encryption.
The server can also be set up to automatically encrypt everything before it is transmitted over the Internet (secure links). The Internet does not encrypt data automatically, so if it is required, end-to-end encryption must be performed. The onus is on both parties to keep the key confidential. The problem is that the single key must be transmitted over the Internet. Systems where each party has the same code, or key, for encrypting and decrypting data are called private key cryptography systems.
In public key cryptography methods, the key to encode the data is publicly distributed. The organization receiving the data holds the second key. This is viewed as better than private key methods because the system is publicly open, except of course for the second key held by the recipient.
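To make the private-key versus public-key distinction concrete, here is an added example in Go that is not from the book. It assumes AES-GCM from the Go standard library for the shared (private-key) case and RSA-OAEP for the public-key case; keys and messages are supplied by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewSharedKey is the private-key case: both parties load the same AES-GCM key.
func NewSharedKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SharedEncrypt prepends a random nonce to the authenticated ciphertext.
func SharedEncrypt(k cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, k.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.Seal(nonce, nonce, msg, nil), nil
}

// SharedDecrypt fails under any other key, since GCM authenticates data.
func SharedDecrypt(k cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := k.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return k.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// NewRecipientKey is the public-key case: the private half stays with the recipient.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicEncrypt needs only the published key; PublicDecrypt needs the private one.
func PublicEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func PublicDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

With the shared key, the same secret must reach both ends before anything can be sent; with the key pair, the sender needs only `&priv.PublicKey`, which can be published openly.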
The secure sockets layer protocol is a public key encryption method for sending secure data over the Internet. It is used in Netscape Navigator and Microsoft’s Internet Explorer.
Authentication
Authentication deals with proving the identity of a person. Passwords, hardware tokens, smart cards, and biometric properties such as fingerprints or retinal patterns are all forms of authentication. Passwords are the most commonly used form of authentication. The problem is that they are also probably the most abused form of security measure. Users choose names and favorite words as their passwords, sometimes they write them down, and before long a system that could be effective becomes quite ineffective.
Payment Options
Smart card technology requires a card reader to be attached to the computer. The cards have microchips on them that can be used to send credit card or billing information or for storing personal information about the owner. Obviously smart cards can be lost or stolen, which is a major drawback. However, they are expected to be widely used in the future for online purchasing.
The secure electronic transaction method allows the company, customer, and bank to communicate in a secure way and exchange payments. No credit card number is provided. The customer notifies the bank that a certain company requires payment. This is then forwarded to the company from the bank.
Digital signatures use public key cryptography and digital checksums to ensure the identity of the sender, and they also check to determine if the contents of the document have been changed. The private key is used to create the checksum that is attached to the document. A copy of the public key is needed to check to see if the checksum is correct. If the checksums do not match, then the document has been altered. This allows a system where anyone with the public key can read the document but only the person with the private key can change it. This is equivalent to a signature on a transmitted document. Digital signatures are available via most browsers.
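The checksum-plus-private-key scheme described above, as an added example in Go that is not from the book: it assumes SHA-256 for the checksum and Ed25519 for the signature, both from the Go standard library, and the sample order text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a document plus the signature over its checksum.
type SignedDocument struct {
	Body      []byte
	Signature []byte
}

// NewSignerKeys makes the sender's key pair: the public half is handed to
// anyone who needs to verify, the private half stays with the sender.
func NewSignerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Sign computes the document's checksum (SHA-256) and signs it with the
// sender's private key (Ed25519), attaching the result to the document.
func Sign(priv ed25519.PrivateKey, body []byte) SignedDocument {
	digest := sha256.Sum256(body)
	return SignedDocument{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the checksum of what was received and checks it
// against the signature with the sender's public key. A changed body or
// a signature made with some other private key both return false.
func Verify(pub ed25519.PublicKey, doc SignedDocument) bool {
	digest := sha256.Sum256(doc.Body)
	return ed25519.Verify(pub, digest[:], doc.Signature)
}

func main() {
	pub, priv, err := NewSignerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample order, not taken from any real system.
	doc := Sign(priv, []byte("order 1042: 3 x widget, total 29.85"))
	fmt.Println("as sent:", Verify(pub, doc))

	doc.Body = []byte("order 1042: 3 x widget, total 2.85") // altered in transit
	fmt.Println("after alteration:", Verify(pub, doc))
}
```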
Electronic cash is used to pay for online transactions. It is generally used for small sums of money because ordinary credit cards are administratively expensive for small transactions under a few dollars (micropayments). Some systems require smart cards (Visa Cash), while others operate entirely through software (DigiCash). If the card is lost or stolen, then so is the cash, but software versions can revert to a backup or copies. The criteria for choosing a payment method are shown in Table 7.2.
Many organizations are looking at making the shift to implementing secure electronic transactions. The important issues related to this transition are as follows:
• Developing the technology to cope with the security issues;
• The range of payment methods and protocols;
• The reliability of the systems;
• The flexibility and adaptability of the systems to cope with new developments.
Sun Microsystems has been working on developing a secure payment and transaction system [9]. Its approach consists of the Java Commerce Framework, the Java Commerce APIs, the Java Wallet, and the Java Commerce Toolkit.
The Java Commerce APIs are an extension to the core Java Platform and are designed to help developers easily and rapidly create electronic commerce applications. The Java Wallet and Commerce Toolkit are the first tools to be produced as part of the framework. The Java Wallet is a tool from the toolkit to aid developers in creating complex payment systems that offer a wide variety of protocols. Overall, Sun’s aim is to provide tools that reduce the time and effort required to develop electronic commerce applications.