SSL (Secure Sockets Layer):
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private
documents via the Internet. SSL works by using a private key to encrypt data that's
transferred over the SSL connect
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a
message transmission on the Internet. SSL has recently been succeeded by Transport Layer
Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's
Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included
as part of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other Internet
client/server developers as well and became the de facto standard until evolving into
Transport Layer Security. The "sockets" part of the term refers to the sockets method of
passing data back and forth between a client and a server program in a network or between
program layers in the same computer. SSL uses the public-and-private key encryption system
from RSA, which also includes the use of a digital certificate.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site
is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified
as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program
library which can be downloaded for noncommercial use or licensed for commercial use.
TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client
that handles SSL but not TLS.
Additional Note on SSL:
The e-commerce business is all about making money and then finding ways to make more money. Of
course, it's hard to make (more) money when consumers don't feel safe executing a transaction
on your Web site. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL
affects e-commerce business can also potentially help you to unlock (more) money from your
customers.
What is SSL?
Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction
security, and it's likely to remain so well into the future.
SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other
personally identifiable information), which prevents the "bad guys" from stealing your
information for malicious intent. You know that you're on an SSL protected page when the
address begins with "https" and there is a padlock icon at the bottom of the page (and in the
case of Mozilla Firefox in the address bar as well).
Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or
128-bit encryption. Your browser alone cannot secure the whole transaction and that's why
it's incumbent upon e-commerce site builders to do their part.
Certificates
At the other end of the equation, and of greatest importance to e-commerce site builders, is
the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt data
and to identify the Web site. The SSL certificate helps to prove the site belongs to who it
says it belongs to and contains information about the certificate holder, the domain that the
certificate was issued to, the name of the Certificate Authority who issued the certificate,
the root and the country it was issued in.
SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been
hacked. As such, you definitely should be looking at getting a 128-bit certificate.
Though there are a wide variety of ways in which you could potentially acquire a 128-bit
certificate, there is one key element that is often overlooked in order for full two-way
128-bit encryption to occur. According to SSL certificate vendor VeriSign, in order to have
128-bit encryption you need a certificate that has SGC (server grade cryptography)
capabilities.
• How to Get an SSL Certificate ... The Wrong Way
There are two principal ways of getting an SSL certificate: you can either buy one from a
certificate vendor or you can "self-sign" your own certificate. That is, using any number of
different tools (both open source and proprietary) you can actually sign your own SSL
certificate and save the time and expense of going through a certificate vendor.
Technically speaking, the data may be encrypted, but there still is a fundamental problem with
self-signing that defeats part of the purpose of having an SSL certificate in the first place.
Self-signing a certificate is like issuing yourself a driver's license. Roads are safer
because governments issue licenses. Making sure those roads are safe is the role of the
certificate authorities. Certificate authorities make sure the site is legitimate.
Self-Signed certificates will trigger a warning window in most browser configurations that
will indicate that the certificate was not recognized. VeriSign admits that there are a lot of
people that will click through anyway just like there are a lot of people that will click
through an expired SSL certificate as well.
A site that conveys trust is also more likely to be a site that makes (more) money. There is
research that suggests that having a recognizable SSL certificate may, in fact, have a direct
correlation to increased e-commerce sales. VeriSign, in particular, has done some research
that shows that users who visit sites that have a recognizable trust mark (like the VeriSign
Secure Site seal) are more comfortable shopping on those sites and have fewer abandoned
shopping carts and better repeat purchases.
Choosing an SSL Certificate Vendor
According to GeoTrust Lockhart there are several things that buyers should look for when
purchasing a certificate:
• Reputation and credibility of the CA (How long have they been in business? Do they have
lots of customers?)
• Ubiquity of the root (is it embedded in all of the popular browsers?)
• Root is owned by the CA (and not chained to someone else's root)
• Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if
compromised, etc.)
• Ease of acquiring the certificate
• Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they
delegate this to their resellers?)
Conclusion
You are who you say you are. You have nothing to hide and you are running a legitimate
e-commerce business that you want consumers to trust and feel comfortable doing business with.
The SSL certificate system exists to help promote the security and integrity of e-commerce for
everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate
may well be your key to e-commerce success.
Encryption:
In order to easily recover the contents of an encrypted signal, the correct decryption key
is required. The key is an algorithm that undoes the work of the encryption algorithm.
Alternatively, a computer can be used in an attempt to break the cipher. The more
complex the encryption algorithm, the more difficult it becomes to eavesdrop on the
communications without access to the key.
In recent years, a controversy has arisen over so-called strong encryption. This refers to
ciphers that are essentially unbreakable without the decryption keys. While most
companies and their customers view it as a means of keeping secrets and minimizing
fraud, some governments view strong encryption as a potential vehicle by which
terrorists might evade authorities. These governments, including that of the United States,
want to set up a key-escrow arrangement. This means everyone who uses a cipher would
be required to provide the government with a copy of the key. Decryption keys would be
stored in a supposedly secure place, used only by authorities, and used only if backed up
by a court order. Opponents of this scheme argue that criminals could hack into the key-
escrow database and illegally obtain, steal, or alter the keys. Supporters claim that while
this is a possibility, implementing the key escrow scheme would be better than doing
nothing to prevent criminals from freely using encryption/decryption.
Digital Signature:
Digital signatures are often used to implement electronic signatures, a broader term that
refers to any electronic data that carries the intent of a signature,[1] but not all electronic
signatures use digital signatures.[2][3][4] In some countries, including the United States,
India, and members of the European Union, electronic signatures have legal significance.
However, laws concerning electronic signatures do not always make clear whether they
are digital cryptographic signatures in the sense used here, leaving the legal definition,
and so their importance, somewhat confused.
Digital signatures employ a type of asymmetric cryptography. For messages sent through
an insecure channel, a properly implemented digital signature gives the receiver reason to
believe the message was sent by the claimed sender. Digital signatures are equivalent to
traditional handwritten signatures in many respects; properly implemented digital
signatures are more difficult to forge than the handwritten type. Digital signature schemes
in the sense used here are cryptographically based, and must be implemented properly to
be effective. Digital signatures can also provide non-repudiation, meaning that the signer
cannot successfully claim they did not sign a message, while also claiming their private
key remains secret; further, some non-repudiation schemes offer a time stamp for the
digital signature, so that even if the private key is exposed, the signature is valid
nonetheless. Digitally signed messages may be anything representable as a bitstring:
examples include electronic mail, contracts, or a message sent via some other
cryptographic protocol.
[Figure: how a simple digital signature is applied and then verified]
A digital signature scheme consists of the following three algorithms:
• A key generation algorithm that selects a private key uniformly at random from a
set of possible private keys. The algorithm outputs the private key and a
corresponding public key.
• A signing algorithm that, given a message and a private key, produces a signature.
• A signature verifying algorithm that, given a message, public key and a signature,
either accepts or rejects the message's claim to authenticity.
Two main properties are required. First, a signature generated from a fixed message and
fixed private key should verify the authenticity of that message by using the
corresponding public key. Secondly, it should be computationally infeasible to generate a
valid signature for a party who does not possess the private key.
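The three algorithms and the two properties above, shown with a Lamport one-time signature built on SHA-256. This is an added example, not code from the original page; Lamport is used because it needs only a hash function, the message text is constructed, and each key pair must sign only one message.

```python
import hashlib
import hmac
import secrets

HASH_BITS = 256  # one pair of secrets per bit of the SHA-256 message digest


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes) -> list:
    """Return the 256 bits of SHA-256(message), most significant bit first."""
    value = int.from_bytes(sha256(message), "big")
    return [(value >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def generate_keypair():
    """Key generation: choose the private key uniformly at random and
    output it together with the corresponding public key."""
    private_key = [(secrets.token_bytes(32), secrets.token_bytes(32))
                   for _ in range(HASH_BITS)]
    # The public key is the hash of every private value.
    public_key = [(sha256(zero), sha256(one)) for zero, one in private_key]
    return private_key, public_key


def sign(message: bytes, private_key) -> list:
    """Signing: for each digest bit, reveal the private value for that bit.
    Revealing values for a second message would let a forger mix and match,
    which is why the key pair is strictly one-time."""
    return [private_key[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(message: bytes, signature, public_key) -> bool:
    """Verification: accept only if every revealed value hashes to the
    public-key entry selected by the corresponding digest bit."""
    if len(signature) != HASH_BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        # Check every position (no early exit) with a constant-time compare.
        ok &= hmac.compare_digest(sha256(signature[i]), public_key[i][bit])
    return ok


def demo() -> dict:
    message = b"Transfer 100 to account 12345"      # constructed sample message
    private_key, public_key = generate_keypair()
    signature = sign(message, private_key)

    # A party without the private key signs with a key pair of its own.
    other_private, _ = generate_keypair()
    forged = sign(message, other_private)

    return {
        # Property 1: a genuine signature verifies under the matching public key.
        "valid": verify(message, signature, public_key),
        # Any change to the message after signing invalidates the signature.
        "tampered": verify(b"Transfer 900 to account 12345", signature, public_key),
        # Property 2: a signature made without the private key is rejected.
        "wrong_key": verify(message, forged, public_key),
    }


if __name__ == "__main__":
    print(demo())
```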
As organizations move away from paper documents with ink signatures or authenticity
stamps, digital signatures can provide added assurances of the evidence to provenance,
identity, and status of an electronic document as well as acknowledging informed consent
and approval by a signatory. The United States Government Printing Office (GPO)
publishes electronic versions of the budget, public and private laws, and congressional
bills with digital signatures. Universities including Penn State, University of Chicago,
and Stanford are publishing electronic student transcripts with digital signatures.
Below are some common reasons for applying a digital signature to communications:
1. Authentication
2. Integrity
3. Non-repudiation
Authentication
Although messages may often include information about the entity sending a message,
that information may not be accurate. Digital signatures can be used to authenticate the
source of messages. When ownership of a digital signature secret key is bound to a
specific user, a valid signature shows that the message was sent by that user. The
importance of high confidence in sender authenticity is especially obvious in a financial
context. For example, suppose a bank's branch office sends instructions to the central
office requesting a change in the balance of an account. If the central office is not
convinced that such a message is truly sent from an authorized source, acting on such a
request could be a grave mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence
that the message has not been altered during transmission. Although encryption hides the
contents of a message, it may be possible to change an encrypted message without
understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent
this, but others do not.) However, if a message is digitally signed, any change in the
message after signature will invalidate the signature. Furthermore, there is no efficient
way to modify a message and its signature to produce a new message with a valid
signature, because this is still considered to be computationally infeasible by most
cryptographic hash functions.
Non-repudiation
Digital Certificate:
An attachment to an electronic message used for security purposes. The most common use of a
digital certificate is to verify that a user sending a message is who he or she claims to be,
and to provide the receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a digital certificate from a
Certificate Authority (CA). The CA issues an encrypted digital certificate containing the
applicant's public key and a variety of other identification information. The CA makes its own
public key readily available through print publicity or perhaps on the Internet.
The recipient of an encrypted message uses the CA's public key to decode the digital
certificate attached to the message, verifies it as issued by the CA and then obtains the
sender's public key and identification information held within the certificate. With this
information, the recipient can send an encrypted reply.
The most widely used standard for digital certificates is X.509.
Also see the additional note on SSL, which is provided above.
Server Security:
An organization’s servers provide a wide variety of services to internal and external users, and
many servers also store or process sensitive information for the organization. Some of the most
common types of servers are Web, email, database, infrastructure management, and file servers.
This publication addresses the general security issues of typical servers.
Servers are frequently targeted by attackers because of the value of their data and services. For
example, a server might contain personally identifiable information that could be used to perform
identity theft. The following are examples of common security threats to servers:
• Malicious entities may exploit software bugs in the server or its underlying operating
system to gain unauthorized access to the server.
• Denial of service (DoS) attacks may be directed to the server or its supporting network
infrastructure, denying or hindering valid users from making use of its services.
To secure servers, organizations installing, configuring, and maintaining them should apply
the following practices:
The following key guidelines are recommended to Federal departments and agencies for
maintaining a secure server.
Organizations should carefully plan and address the security aspects of the deployment of a
server.
Because it is much more difficult to address security once deployment and implementation have
occurred, security should be carefully considered from the initial planning stage. Organizations
are more likely to make decisions about configuring computers appropriately and consistently
when they develop and use a detailed, well-designed deployment plan. Developing such a plan
will support server administrators in making the inevitable tradeoff decisions between usability,
performance, and risk.
Organizations often fail to consider the human resource requirements for both deployment and
operational phases of the server and supporting infrastructure. Organizations should address the
following points in a deployment plan:
• Individual (i.e., level of effort required of specific personnel types) and collective staffing
(i.e., overall level of effort) requirements.
Appropriate management practices are essential to operating and maintaining a secure server.
Security practices entail the identification of an organization’s information system assets and the
development, documentation, and implementation of policies, standards, procedures, and
guidelines that help to ensure the confidentiality, integrity, and availability of information system
resources. To ensure the security of a server and the supporting network infrastructure, the
following practices should be implemented:
• Standardized software configurations that satisfy the information system security policy
Organizations should ensure that the server operating system is deployed, configured, and
managed to meet the security requirements of the organization.
The first step in securing a server is securing the underlying operating system. Most commonly
available servers operate on a general-purpose operating system. Many security issues can be
avoided if the operating systems underlying servers are configured appropriately. Default
hardware and software configurations are typically set by manufacturers to emphasize features,
functions, and ease of use, at the expense of security. Because manufacturers are not aware of
each organization’s security needs, each server administrator must configure new servers to
reflect their organization’s security requirements and reconfigure them as those requirements
change. Using security configuration guides or checklists can assist administrators in securing
servers consistently and efficiently. Securing an operating system initially would generally
include the following steps:
In many respects, the secure installation and configuration of the server application will mirror
the operating system process discussed above. The overarching principle is to install the minimal
amount of services required and eliminate any known vulnerabilities through patches or upgrades.
If the installation program installs any unnecessary applications, services, or scripts, they should
be removed immediately after the installation process concludes. Securing the server application
would generally include the following steps:
• Test the security of the server application (and server content, if applicable).
Many servers also use authentication and encryption technologies to restrict who can access the
server and to protect information transmitted between the server and its clients. Organizations
should periodically examine the services and information accessible on the server and determine
the necessary security requirements. Organizations should also be prepared to migrate their
servers to stronger cryptographic technologies as weaknesses are identified in the servers’
existing cryptographic technologies. For example, NIST has recommended that use of the Secure
Hash Algorithm 1 (SHA-1) be phased out by 2010 in favor of SHA-224, SHA-256, and other
larger, stronger hash functions. Organizations should stay aware of cryptographic requirements
and plan to update their servers accordingly.
Organizations should commit to the ongoing process of maintaining the security of servers
to ensure continued security.
Maintaining a secure server requires constant effort, resources, and vigilance from an
organization. Securely administering a server on a daily basis is an essential aspect of server
security. Maintaining the security of a server will usually involve the following actions:
• Configuring, protecting, and analyzing log files on an ongoing and frequent basis
Firewall:
Def. yet has to include.
Password:
A password is a secret word or string of characters that is used for authentication, to
prove identity or gain access to a resource (example: an access code is a type of
password). The password should be kept secret from those not allowed access.
The use of passwords is known to be ancient. Sentries would challenge those wishing to
enter an area or approaching it to supply a password or watchword. Sentries would only
allow a person or group to pass if they knew the password. In modern times, user names
and passwords are commonly used by people during a log in process that controls access
to protected computer operating systems, mobile phones, cable TV decoders, automated
teller machines (ATMs), etc. A typical computer user may require passwords for many
purposes: logging in to computer accounts, retrieving e-mail from servers, accessing
programs, databases, networks, web sites, and even reading the morning newspaper
online.
Despite the name, there is no need for passwords to be actual words; indeed passwords
which are not actual words may be harder to guess, a desirable property. Some passwords
are formed from multiple words and may more accurately be called a passphrase. The
term passcode is sometimes used when the secret information is purely numeric, such as
the personal identification number (PIN) commonly used for ATM access. Passwords are
generally short enough to be easily memorized and typed.
For the purposes of more compellingly authenticating the identity of one computing
device to another, passwords have significant disadvantages (they may be stolen,
spoofed, forgotten, etc.) over authentication systems relying on cryptographic protocols,
which are more difficult to circumvent.
Nowadays it is a common practice for computer systems to hide passwords as they are
typed. The purpose of this measure is to avoid bystanders reading the password.
However, some argue that such practice may lead to mistakes and stress, encouraging
users to choose weak passwords. As an alternative, users should have the option to show
or hide passwords as they type them.[4]
Effective access control provisions may force extreme measures on criminals seeking to
acquire a password or biometric token.[5] Less extreme measures include extortion, rubber
hose cryptanalysis, and side channel attack.
Here are some specific password management issues that must be considered in thinking
about, choosing, and handling, a password.
The rate at which an attacker can submit guessed passwords to the system is a key factor
in determining system security. Some systems impose a time-out of several seconds after
a small number (e.g., three) of failed password entry attempts. In the absence of other
vulnerabilities, such systems can be effectively secure with relatively simple passwords,
if they have been well chosen and are not easily guessed.[6]
Many systems store or transmit a cryptographic hash of the password in a manner that
makes the hash value accessible to an attacker. When this is done, and it is very common,
an attacker can work off-line, rapidly testing candidate passwords against the true
password's hash value. Passwords that are used to generate cryptographic keys (e.g., for
disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of
common passwords are widely available and can make password attacks very efficient.
(See Password cracking.) Security in such situations depends on using passwords or
passphrases of adequate complexity, making such an attack computationally infeasible
for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-
intensive hash to the password to slow such attacks. See key strengthening.
Some computer systems store user passwords as cleartext, against which to compare user
log on attempts. If an attacker gains access to such an internal password store, all
passwords—and so all user accounts—will be compromised. If some users employ the
same password for accounts on different systems, those will be compromised as well.
A common approach stores only a "hashed" form of the plaintext password. When a user
types in a password on such a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value generated from the user's entry
matches the hash stored in the password database, the user is permitted access. The hash
value is created by applying a hash function (for maximum resistance to attack this
should be a cryptographic hash function) to a string consisting of the submitted password
and, usually, another value known as a salt. The salt prevents attackers from easily
building a list of hash values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.
A modified version of the DES algorithm was used for this purpose in early Unix
systems. The UNIX DES function was iterated to make the hash function
slow, further frustrating automated guessing attacks, and used the password candidate as
a key to encrypt a fixed value, thus blocking yet another attack on the password
shrouding system. More recent Unix or Unix-like systems (e.g., Linux or the various BSD
systems) use what most believe to be still more effective protective mechanisms based on
MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or
frustrate attacks on stored password files.[7]
A poorly designed hash function can make attacks feasible even if a strong password is
chosen. See LM hash for a widely deployed, and insecure, example.[8]
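The salted, computation-intensive storage scheme described above, next to a fast unsalted hash for contrast. This is an added example, not code from the original page; it assumes PBKDF2-HMAC-SHA256 as the slow hash, and the iteration count, record format and sample password are illustrative choices.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000      # assumed work factor; tune to the hardware in use
MAX_ITERATIONS = 10_000_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"  # hypothetical label for this record format


def fast_unsalted_hash(password: str) -> str:
    """Weak form: one fast hash and no salt. Equal passwords always produce
    equal hashes, so a precomputed list of common passwords matches directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Strong form: a fresh random salt per password plus an iterated hash.
    The salt and cost are stored beside the hash so verification can repeat
    the same computation."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the submitted password and the stored salt,
    then compare in constant time. Malformed records are rejected."""
    try:
        scheme, iterations_text, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    password = "correct horse battery staple"   # constructed sample password
    record_a = hash_password(password)          # e.g. user A
    record_b = hash_password(password)          # user B picked the same password
    return {
        # Without a salt the two users' stored hashes are identical.
        "unsalted_identical": fast_unsalted_hash(password) == fast_unsalted_hash(password),
        # With per-user salts the stored records differ.
        "salted_identical": record_a == record_b,
        "accepts_correct": verify_password(password, record_a),
        "rejects_wrong": verify_password("Correct horse battery staple", record_a),
        "rejects_malformed": verify_password(password, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```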
Various methods have been used to verify submitted passwords in a network setting:
Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the
authenticating machine or person. If the password is carried as electrical signals on
unsecured physical wiring between the user access point and the central system
controlling the password database, it is subject to snooping by wiretapping methods. If it
is carried as packetized data over the Internet, anyone able to watch the packets
containing the logon information can snoop with a very low probability of detection.
Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it
is available without effort during transport to any eavesdropper. Further, the email will be
stored on at least two computers as cleartext—the sender's and the recipient's. If it passes
through intermediate systems during its travels, it will probably be stored on those as
well, at least for some time. Attempts to delete an email from all these vulnerabilities
may, or may not, succeed; backups or history files or caches on any of several systems
may still contain the email. Indeed merely identifying every one of those systems may be
difficult. Emailed passwords are generally an insecure method of distribution.
Using client-side encryption will only protect transmission from the mail handling system
server to the client machine. Previous or subsequent relays of the email will not be
protected and the email will probably be stored on multiple computers, certainly on the
originating and receiving computers, most often in cleartext.
The risk of interception of passwords sent over the Internet can be reduced by, among
other approaches, using cryptographic protection. The most widely used is the Transport
Layer Security (TLS, previously called SSL) feature built into most current Internet
browsers. Most browsers alert the user of a TLS/SSL protected exchange with a server by
displaying a closed lock icon, or some other sign, when TLS is in use. There are several
other techniques in use; see cryptography.
Rather than transmitting a password, or transmitting the hash of the password, password-
authenticated key agreement systems can perform a zero-knowledge password proof,
which proves knowledge of the password without exposing it.
Usually, a system must provide a way to change a password, either because a user
believes the current password has been (or might have been) compromised, or as a
precautionary measure. If a new password is passed to the system in unencrypted form,
security can be lost (e.g., via wiretapping) before the new password can even be
installed in the password database. And, of course, if the new password is given to a
compromised employee, little is gained. Some web sites include the user-selected
password in an unencrypted confirmation e-mail message, with the obvious increased
vulnerability.
Password longevity
"Password aging" is a feature of some operating systems which forces users to change
passwords frequently (e.g., quarterly, monthly or even more often), with the intent that a
stolen password will become unusable more or less quickly. Such policies usually
provoke user protest and foot-dragging at best and hostility at worst. Users may develop
simple variation patterns to keep their passwords memorable. In any case, the security
benefits are distinctly limited, if worthwhile, because attackers often exploit a password
as soon as it is compromised, which will probably be some time before change is
required. In many cases, particularly with administrative or "root" accounts, once an
attacker has gained access, he can make alterations to the operating system that will allow
him future access even after the initial password he used expires (see rootkit).
Implementing such a policy requires careful consideration of the relevant human factors.
It may be required because of the nature of the IT systems the password allows access to; if
personal data is involved, the EU Data Protection Directive is in force.
Sometimes a single password controls access to a device, for example, for a network
router, or password-protected mobile phone. However, in the case of a computer system,
a password is usually stored for each user account, thus making all access traceable (save,
of course, in the case of users sharing passwords). A would-be user on most systems must
supply a username as well as a password, almost always at account set up time, and
periodically thereafter. If the user supplies a password matching the one stored for the
supplied username, he or she is permitted further access into the computer system. This is
also the case for a cash machine, except that the 'user name' is typically the account
number stored on the bank customer's card, and the PIN is usually quite short (4 to 6
digits).
Biometrics:
Biometrics comprises methods for uniquely recognizing humans based upon one or more
intrinsic physical or behavioral traits. In computer science, in particular, biometrics is
used as a form of identity access management and access control. It is also used to
identify individuals in groups that are under surveillance.
• Physiological characteristics are related to the shape of the body. Examples include, but
are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris
recognition (which has largely replaced retina), and odour/scent.
• Behavioral characteristics are related to the behavior of a person. Examples include, but
are not limited to, typing rhythm, gait, and voice. Some researchers[1] have coined the term
behaviometrics for this class of biometrics.
Strictly speaking, voice is also a physiological trait because every person has a different
vocal tract, but voice recognition is mainly based on the study of the way a person
speaks, commonly classified as behavioral.
The first time an individual uses a biometric system is called an enrollment. During the
enrollment, biometric information from an individual is stored. In subsequent uses,
biometric information is detected and compared with the information stored at the time of
enrollment. Note that it is crucial that storage and retrieval of such systems themselves be
secure if the biometric system is to be robust. The first block (sensor) is the interface
between the real world and the system; it has to acquire all the necessary data. Most of
the time it is an image acquisition system, but it can change according to the
characteristics desired. The second block performs all the necessary pre-processing: it has
to remove artifacts from the sensor, to enhance the input (e.g. removing background
noise), to use some kind of normalization, etc. In the third block necessary features are
extracted. This step is an important step as the correct features need to be extracted in the
optimal way. A vector of numbers or an image with particular properties is used to create
a template. A template is a synthesis of the relevant characteristics extracted from the
source. Elements of the biometric measurement that are not used in the comparison
algorithm are discarded in the template to reduce the filesize and to protect the identity of
the enrollee
If enrollment is being performed, the template is simply stored somewhere (on a card or
within a database or both). If a matching phase is being performed, the obtained template
is passed to a matcher that compares it with other existing templates, estimating the
distance between them using any algorithm (e.g. Hamming distance). The matching
program compares the stored template with the input, and the result is then output for
any specified use or purpose (e.g. entrance to a restricted area).
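The enrollment and matching steps described above can be sketched as follows. This is an added example, not part of the original document; the user names, the template bytes and the 0.25 decision threshold are constructed assumptions.

```python
# Added example: enrollment and matching of bit-vector templates.
# Template bytes and the 0.25 threshold are constructed assumptions.

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates."""
    if len(a) != len(b) or not a:
        raise ValueError("templates must be non-empty and of equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


class TemplateStore:
    """Enrolled templates keyed by user id; matches by Hamming distance."""

    def __init__(self, threshold: float = 0.25):
        self.threshold = threshold
        self._templates = {}

    def enroll(self, user_id: str, template: bytes) -> None:
        if user_id in self._templates:
            raise ValueError("already enrolled: " + user_id)
        self._templates[user_id] = bytes(template)

    def verify(self, user_id: str, probe: bytes) -> bool:
        """1:1 check of a probe against the claimed identity's template."""
        stored = self._templates.get(user_id)
        return stored is not None and hamming_fraction(stored, probe) <= self.threshold

    def identify(self, probe: bytes):
        """1:N search: closest enrolled user within the threshold, else None."""
        scored = [(hamming_fraction(t, probe), uid) for uid, t in self._templates.items()]
        if not scored:
            return None
        distance, uid = min(scored)
        return uid if distance <= self.threshold else None


# Constructed 64-bit templates (real templates are far longer).
ALICE = bytes.fromhex("a5a5a5a5a5a5a5a5")
BOB = bytes.fromhex("3c3c3c3c0f0f0f0f")
NOISY_ALICE = bytes.fromhex("a7a5a5a1a5a5a5a4")  # same trait, 3 bits of sensor noise
STRANGER = bytes.fromhex("ffff0000ffff0000")     # never enrolled

def build_store() -> TemplateStore:
    store = TemplateStore()
    store.enroll("alice", ALICE)
    store.enroll("bob", BOB)
    return store

if __name__ == "__main__":
    s = build_store()
    print(s.identify(NOISY_ALICE), s.verify("bob", NOISY_ALICE), s.identify(STRANGER))
```

The threshold sets the trade-off: raising it tolerates more sensor noise but accepts more impostors, lowering it does the reverse.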
Payment Security:
Summary
Protect card details over the Internet, and make your customers feel secure.
Although it is perceived otherwise, transactions over the Internet are in fact safer
than offline transactions.
Three commonly used security measures are SSL, SET and PKI technology.
Perception can get in the way of fact. Both software and hardware
companies have invested a great deal to further protect online data
and build up customer confidence. Be aware of the security issue and
help customers to feel at ease by telling them about the precautions
you have taken. In the current Internet climate it is vitally important
that you are not only secure but are seen to be secure.
Three of the best known options for the encryption and security of
personal and card details are explained below. Almost every payment
solution mentioned in this online payments tool includes this
technology as standard. Online retailers will not need extra security
measures if they use these market-tested and well-established
products.
SET encrypts payment card transaction data and verifies that both
parties in the transaction are genuine. SET, originally developed by
Mastercard and Visa in collaboration with leading technology providers,
has a large corporate backing and is perceived to be more secure as a
result of its validation from card companies.
PKI is similar to a bank’s night safe in that many public keys can be
used to deposit items into the safe, but only one private key,
belonging to the bank can make withdrawals.
Safety Knowhow
Exposure is the acquiring bank's estimate of the total risk you are
exposed to at any one time, for instance, the number of sales open to
refund over a given period. The bond is an amount of money,
overdraft facility or insurance to cover any exposure. Your exposure
level will also affect the charge bands offered to your business, i.e.
monthly charges and transaction charges.
The bond that may be introduced to underwrite the exposure level can
range from £300-£2000 (maybe even £0) for an average SME bond.
Often the bond can be covered by a small increase to your overdraft
facility and even some specialist insurance.
The level of bond required from your company depends on the factors
above. For instance, a travel company, where products are often
purchased months prior to the fulfillment of the transaction, has a
much higher exposure to charge-back than a business where fulfillment
is immediate, or even prior to payment, for example a restaurant
business, which will rarely have to lodge a bond.
Payment Methods
Payment transfers may be completed by a variety of means. All of these payments are
applicable to mainstream national currencies, but many of them also apply to the various
local or community currencies (e.g. LETS, Ithaca HOURS, Time Dollars) as well.
• Plenty of barter and service exchange networks are thriving on and off
the net. To name a few:
o The International Reciprocal Trade Association aims to "advance
the barter industry worldwide and raise barter's value to the
business community and economy".
o Habitat For Humanity helps low-income families trade their
"sweat equity" for affordable housing.
o The Global Village Bank facilitates the exchange of computer-
and Internet-related services.
o The Global Resource Bank attempts to preserve shareholders'
"natural capital".
• Some companies list an 800 number on their web page for orders.
Unfortunately, some imply that transactions over the internet aren't as
safe as other transactions.
Mediated Three-Party Payment Methods
• CheckFree has been creating electronic payment systems since 1981, and
has a checkless payment system which you can use from a PC.
• Verifone is another company that has been making electronic payment
systems for many years. They now have an internet system for
consumers, retailers and financial institutions.
• Likewise, the FSTC Electronic Check Project tries to extend checking as
we know it into the web.
• Look into the encryption methods pioneered by Brands's Cash.
• Electronic Funds Clearinghouse, Inc. attempts to extend Electronic
Funds Transfer technology (which they helped develop) to online
business.
• "Check" out some big-name efforts, like Secure Electronic Transaction
(SET) from Visa/Mastercard, iKP: A Family of Secure Payment
Protocols from IBM, and what Sun Internet Commerce Group has been
working on.
• NetCheque provides an accounting server to process checks tendered
online.
• NetChex and Online Check Systems have developed online check
registries and verification services.
• Redi-Check allows users to draft pre-authorized checks online.
• PaymentNet handles online credit and debit card transactions.
• TipJar is another mediated payment system.
Micropayment Methods
Virus Protection:
Hacking:
Hacking (English verb to hack, singular noun a hack) refers to the re-configuring or re-
programming of a system to function in ways not facilitated by the owner, administrator,
or designer. The term(s) have several related meanings in the technology and computer
science fields, wherein a "hack" may refer to a clever or quick fix to a computer program
problem, or to what may be perceived to be a clumsy or inelegant (but usually relatively
quick) solution to a problem, such as a "kludge".
The terms "hack" and "hacking" are also used to refer to a modification of a program or
device to give the user access to features that were otherwise unavailable, such as by
circuit bending. It is from this usage that the term "hacking" is often used to refer to more
nefarious criminal uses such as identity theft, credit card fraud or other actions
categorized as computer crime.
On many internet websites and in everyday language the word "hack" can be slang for
"copy", "imitation" or "rip-off."
The term has since acquired an additional and now more common meaning, since
approximately the 1980s; this more modern definition was initially associated with
crackers. This growing use of the term "hack" is to refer to a program that (sometimes
illegally) modifies another program, often a computer game, giving the user access to
features otherwise inaccessible to them. As an example of this use, for Palm OS users
(until the 4th iteration of this operating system), a "hack" refers to an extension of the
operating system which provides additional functionality. The general media also uses
this term to describe the act of illegally breaking into a computer, but this meaning is
disputed. This term also refers to those people who cheat on video games using special
software. This can also refer to the jailbreaking of iPods.
Cracking: