CS2070 - E-Commerce (staff.um.edu.mt/ecac1/files/ECommerce.pdf)

Page 1

E-Commerce Systems

Mark Micallef

[email protected]

Page 2

Objectives of Module

(Diagram: the module's topics arranged around "E-Commerce Systems")

• Lifecycles
• People Involved
• Quality Attributes
• Differences
• Types of Systems
• Definition
• E-Commerce Systems

Page 3

Introduction to E-Commerce Systems

Page 4

Introduction

• "We live in an era of e-everything" – David Chaffey
• Everywhere we look, we are likely to see an e-something:
  • E-Commerce
  • E-Banking
  • E-Dating
  • E-Government
  • E-Learning
  • E-Logistics
  • …

Page 5

What are E-Commerce Systems?

• Viewing a product list online?
• Ordering products online and paying by cheque or in person?
• Ordering and paying online plus having the product delivered?
• Getting information (e.g. share prices) from a website for free?
• Using your mobile to get online news or even topping up your prepaid balance?

!!All of the above are examples of e-commerce systems!!

Page 6

Definition of E-Commerce Systems

"the exchange of information across electronic networks, at any stage in the supply chain, whether within an organisation, between businesses, between businesses and consumers, or between the public and private sectors, whether paid or unpaid"

– The Prime Minister's Strategy Office, www.number-10.gov.uk/su/ecomm/ec_body.pdf

Page 7

Benefits of E-Commerce

• Businesses
  • 24-hour operation
  • High cost savings
  • No geographical boundaries
  • Potential access to millions of customers
• Consumers
  • Convenience
  • Easy to compare products and prices
  • Easy to find reviews
  • Much more choice
  • …

Page 8

What is being bought online?

(Bar chart of product categories bought online; categories and percentages as read from the chart, paired in chart order)

Books 80%; Software 32%; Hardware 30%; Music 29%; Holidays 26%; Videos/DVDs 25%; Electronics 24%; Cinema/Theatre 13%; IP Telephony 13%; Clothes 11%; Business Supplies 9%; Business Travel 8%; Toys/Games 8%; Shares/Stocks 5%; Food 4%; Jewelry 1%

Page 9

Players in E-Commerce

• Business
  • Typically provide products and/or services online
  • Products available to consumers or even other businesses
• Consumers
  • Interested in information/products/services and are willing to obtain them online
• Government
  • E-Government services
  • Facilitates access to government services for both consumers and businesses

Page 10

Main Types of E-Commerce Systems

(Diagram)

E-Commerce Systems
  • Business-to-Business
    • Sell-Side
    • Buy-Side
    • Marketplace
    • Collaborative
  • Business-to-Consumer
  • Consumer-to-Consumer

Page 11

Business to Business (B2B)

• Interdependent businesses conduct business amongst themselves online
• Usually does not take the form of the traditional website e-commerce system
• Usually fully (or almost fully) automated (e.g. automatic online ordering when stock levels are low)

Page 12

Types of B2B Systems

• There are 4 main types of B2B systems:
  • Sell-Side
  • Buy-Side
  • Electronic Marketplace (or Exchange)
  • Collaborative

Page 13

Sell-Side B2B Systems

(Diagram: one Seller connected to the Buyers Company A, Company B and Company C)

• One-to-Many Relationship

Page 14

Buy-Side B2B Systems

(Diagram: one Buyer connected to the Sellers Company A, Company B and Company C)

• One-to-Many Relationship

Page 15

Electronic Marketplace (or Exchange)

(Diagram: Sellers Company A, B and C and Buyers Company X, Y and Z connected through an Exchange, which also provides Services)

• Many-to-Many Relationship
• Exchange is usually owned and operated by a 3rd party
• Businesses meet to exchange goods/services

Page 16

Collaborative B2B Systems

(Diagram: a Hub Manager at the centre, connected to Buyers, Sellers, Government, Universities, Industrial Associations, Community and Others)

• Many-to-Many Relationship
• Only business partners participate
• Facilitates communication, sharing of designs, planning information, etc.

Page 17

Business to Consumer (B2C)

• Businesses sell products/services to consumers
• Usually take the form of a website through which consumers can browse products/services, order and pay online
• Typical examples:
  • Amazon.com
  • Extending your internet subscription online

Page 18

Consumer to Consumer (C2C)

• Consumers buying/selling products and services amongst themselves
• Typical examples:
  • eBay
  • di-ve.com Classifieds

Page 19

Differences between E-Commerce Systems and Other Systems

Page 20

Introduction

• A number of differences exist between e-commerce systems and other types of systems
• The most important ones are:
  • They are content-driven
  • They are exposed to the world
  • They are browser-based
  • Enormous user base
  • They are likely to change quite often

Page 21

Content Driven (1/2)

• Most e-commerce sites are connected to a database
  • View product lists
  • Compare prices
  • View orders
  • …
• What information should my site display?
• Is it organised in the best possible way?
• Is it easy for a user to find what she wants?

Page 22

Content Driven (2/2)

• 72% of users know beforehand what they are looking for
• This indicates we should provide an easy means by which users can search for the product they need
• Usability and navigability of websites are very important issues
• A customer who has a bad first impression of a site is not likely to return

Page 23

Importance of Navigability

(Bar chart: "Why people abandon transactions online…"; reasons and percentages as read from the chart, paired in chart order)

Decided against buying product 43%; Website error 36%; Process too long 35%; Site too slow 33%; Delivery/payment/pricing problems 14%; Browser compatibility problems 4%

Also more likely to simply find another site

Page 24

Exposed to the World

• The internet is an open network of networks
• E-commerce sites require the transfer of private information
  • Customer details
  • Credit card numbers
• E-commerce systems need to be secure
• In security circles, it is always assumed that whatever you send online can be seen (and altered) by anyone else on the path unless it is encrypted and integrity-protected

Page 25

Enormous Userbase (1/3)

• Ideally, an e-commerce website will attract vast numbers of visitors
• This is a mixed blessing
• Ideal scenario:
  • Thousands of people visit my e-commerce site daily
  • They all see products they like and buy them
  • I become very, very rich

Page 26

Enormous Userbase (2/3)

• Some bad scenarios:
  • Thousands of people visit my website
  • The website cannot cope with the load and starts crashing every few minutes
  • I get it fixed
  • People come back
  • They order items but my business model has not been adapted to e-commerce
    • How do I deliver products?
    • How do I deal with potentially many customer problems and enquiries?

Page 27

Enormous Userbase (3/3)

• 37% of users first judge a site by its reputation
• Only 18% of customers will remain loyal to a site if it becomes unstable or slow due to popularity

Page 28

Browser-Based (1/2)

• Most e-commerce systems are accessed through browsers
• This is good because:
  • They are accessible from everywhere
  • Browsers are widely available for free
• Browser-based applications do present some disadvantages
  • A web application does not get the rich event-driven user interface of desktop applications written in C++ or Java, for example; each user action is a request/response round trip to the server

Page 29

Browser-Based (2/2)

• Scripting and enhancing technologies
  • JavaScript
  • CSS
  • DHTML
• No uniformly implemented standards
  • Browsers interpret these technologies differently
  • Websites may work fine on one browser but not on another
• Also the problem of different devices and OSs
  • Windows/Linux
  • Desktop PC, laptop, PDA, mobile phone

Page 30

Likely to Change Quite Often

• E-businesses are dynamic by nature
• They need to keep one step ahead of the competition
• Constant change to e-commerce sites is inevitable
  • Changing of prices (simple change)
  • Introducing new offers/schemes (not so simple)
  • Introducing new features to the site (complex)
• Is my site built well enough to absorb these changes?
• Systems should mature rather than grow old and frail

Page 31

Important E-Commerce Quality Attributes

• Based on studies and the unique characteristics of e-commerce, one can say that the following quality attributes are important:
  1. Security
  2. Usability and Navigability
  3. Performance and Scalability
  4. Reliability
  5. Portability

Page 32

Security in E-Commerce

Page 33

The Importance of Security

• Security is a very important consideration in e-commerce
• A major security incident would scare away many existing and potential customers
• Analogy: imagine setting up a shop in a high street and going home at night leaving it open with a sign saying "Owner not in"

Page 34

Common Reasons for not using e-commerce

(Bar chart; reasons and percentages as read from the chart, paired in chart order; they sum to 100%)

Touch 30%; Security 36%; Delivery 14%; Browse 7%; Trust 5%; Other 8%

Page 35

How secure do online stores need to be before people use them?

(Bar chart; answers and percentages as read from the chart, paired in chart order)

Watertight security 44%; Minor risks 42%; Considerable risks 13%; Security not important 1%

Page 36

Possible security breaches (1/2)

• Fraud resulting in direct financial loss
  • Transfer of funds
  • Destruction of financial records
• Theft of information
  • Confidential
  • Proprietary
  • Technological
  • Risk of an intruder passing this information on to a competing company or to people with malicious intent

Page 37

Possible security breaches (2/2)

• Disruption of service
  • E.g. Denial of Service attacks
  • Inconvenience to customers
  • Loss of business
• Loss of customer confidence
  • Intrusions into customer files
  • Dishonesty
  • Human mistakes
  • Network failures

Page 38

Security in brick-and-mortar stores

In traditional businesses:

• Merchants expect to be paid with real money
• When they accept credit, they require signatures
• At the end of the day:
  • Alarm is set
  • Security guards employed
  • Police available in case of a break-in

Can we replicate this online?

Page 39

Paper-based Commerce vs E-Commerce

Paper-Based Commerce                 | Electronic Commerce
-------------------------------------|-------------------------------------
Signed paper documents               | Digital signatures
Person to person                     | Electronic via website
Physical payment system              | Electronic payment system
Merchant & customer face-to-face     | No face-to-face contact
Easy detectability of modifications  | Detectability is difficult
Easy negotiability of documents      | Negotiability via special protocols
Clear legal rules and protection     | Confusing legal issues

Page 40

Experiment

Ask yourself:

• Would I attempt to steal something from a shop in Valletta?

Then ask yourself:

• Would I try to hack into a website or online store to gain access to unauthorised information?

Most people say no to the first question but yes to the second.

Why?

Page 41

Identifying Security Principals

• Principals in online security are:
  • People
  • Processes
  • Machines
  • Keys, passwords, etc.
• Principals participate in transactions
  • Send, receive, access, update, delete, etc.

Page 42

Security Concerns

• Confidentiality / Secrecy
  • Ensuring that data remains private
• Authentication
  • Making sure that message senders are who they say they are
• Integrity
  • Making sure that messages are not modified during transmission
• Non-repudiation
  • Ensuring that principals cannot deny that they sent a message
• Access Control
  • Restricting the use of a resource to authorised principals only

Page 43

Confidentiality / Secrecy (1/3)

(Diagram: Peter sends James an encrypted message, shown as ciphertext such as "sa@@!%&&dds#FFDE33@":{}{PIHJGFs"; the Evil Hacker intercepts it but cannot understand it)

Always assume that anyone can view your electronic communications at will.

Page 44

Confidentiality / Secrecy (2/3)

• Data needs to be encrypted in order for secrecy to prevail
• There are various encryption techniques and algorithms
• Security algorithms should be updated over time
  • One early popular algorithm was DES. Its 56-bit key is now recoverable by brute force in a matter of hours.
  • The current standard encryption algorithm is AES

Page 45

Confidentiality / Secrecy (3/3)

• SSL (Secure Sockets Layer) is the prevailing encryption mechanism for e-commerce today (its successor, TLS, is what current browsers actually negotiate)
• Uses public/private key encryption methods to authenticate the server and agree a session key; the session data itself is then encrypted with a symmetric cipher such as AES
• All major browsers support SSL
• SSL supports certificates and thus handles other aspects of security besides encryption
• It is beyond the scope of this course to enter into exactly how SSL works, as this would require a whole course to thrash out

Page 46

Authentication (1/2)

(Diagram: Peter sends "Hello James, this is Peter. I have information 4u"; the Evil Hacker intercepts it and replies "Hello Peter, I am James. Give me the information.")

Page 47

Authentication (2/2)

• Passwords are a weak form of authentication
• The current mainstream technique for ensuring authentication is the use of certificates
• Individuals (and organisations) can obtain a certificate from a certificate authority; the certificate binds their identity to a public key, and they sign their messages with the corresponding private key (the certificate itself is public and encrypts nothing)
• Recipients verify the signature with the public key in the sender's certificate and check the certificate's validity against the certification authority, so as to ascertain the identity of the sender

Page 48

Integrity (1/2)

(Diagram: Peter asks "Hello James. Please give me your account number"; James replies "Ok. My account number is 55421221"; the Evil Hacker intercepts and modifies the message so that Peter receives "Ok. My account number is 332121221")

Page 49

Integrity (2/2)

• Certificates and Public Key Infrastructure also cater for integrity: a digital signature (or, with a shared key, a message authentication code) is computed over the whole message, so any change invalidates it
• Recipients can detect if the original message has been changed and request the sender to resend the message
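A worked example of the authentication and integrity checks described on pages 46 to 49, added here and not part of the original slides. It uses a shared-key message authentication code (HMAC-SHA256 from Python's standard library) rather than the certificates and PKI the slides refer to, because the standard library has no digital-signature primitive; the principle is the same (a tag computed over the message with a key the attacker lacks), only the key management differs. Peter, James, the key and the messages are constructed for the illustration.

```python
# Added example (not from the lecture slides): message authentication with a
# shared secret key, using an HMAC in place of the certificate-based PKI the
# slides mention. The names, key and messages are constructed for illustration.
# It reproduces the two "Evil Hacker" diagrams: a forged message
# (authentication) and a modified message (integrity).
import hashlib
import hmac
import secrets


def make_message(key: bytes, sender: str, body: str) -> bytes:
    """Return sender|body|tag, where tag = HMAC-SHA256(key, sender|body)."""
    data = f"{sender}|{body}".encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return data + b"|" + tag.hex().encode()


def verify_message(key: bytes, wire: bytes):
    """Return (ok, sender, body); ok is False if the tag does not match."""
    try:
        data, tag_hex = wire.rsplit(b"|", 1)
        sender, body = data.decode().split("|", 1)
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return False, "", ""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # compare_digest is constant-time, so the comparison leaks nothing about the tag
    ok = hmac.compare_digest(tag, expected)
    return ok, sender, body


def scenario() -> dict:
    key = secrets.token_bytes(32)  # known only to Peter and James
    wire = make_message(key, "James", "Ok. My account number is 55421221")

    # 1. Honest delivery: the tag verifies.
    ok_honest, _, _ = verify_message(key, wire)

    # 2. Evil Hacker intercepts and changes the account number (integrity attack).
    tampered = wire.replace(b"55421221", b"332121221")
    ok_tampered, _, _ = verify_message(key, tampered)

    # 3. Evil Hacker forges a message claiming to be James (authentication attack).
    #    Without the real key he can only tag it with a key of his own.
    forged = make_message(secrets.token_bytes(32), "James", "Send the money to me")
    ok_forged, _, _ = verify_message(key, forged)

    return {"honest": ok_honest, "tampered": ok_tampered, "forged": ok_forged}


if __name__ == "__main__":
    print(scenario())  # {'honest': True, 'tampered': False, 'forged': False}
```

The receiver learns only that the message is bad, not what was changed, which is why the slide's remedy is a resend rather than a repair. With a digital signature the verification step is the same shape: the tag is checked with the sender's public key instead of the shared key, which is what lets a third party (non-repudiation) verify it too.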

Page 50

What needs to be secured? (1/2)

• Clients – they are vulnerable to
  • Viruses
  • Hackers
• Servers
  • Exposed to unauthorised access
  • Intrusions could lead to a reduction in speed or worse
  • Server resources may be used for purposes other than those originally intended

Page 51

What needs to be secured? (2/2)

• Networks
  • The entry point to computer systems
  • Can become the root cause of an infringement if not secured
  • A weak network can allow data to be easily tampered with
  • Common cases occurring due to a loophole in network security:
    • Fraudulent identities
    • Eavesdropping

Page 52

Common Threats on the Web (1/6)

• Accidental threats
  • Arise from human error
  • Generally due to lack of awareness and training
    • Poor password choices
    • Accidental business transactions
    • Accidental disclosure of information
    • Use of incorrect software
  • Physical accidents
    • E.g. spilling of coffee, unplugging servers, etc.

Page 53

Common Threats on the Web (2/6)

• Malicious threats
  • Specifically intended to cause harm to people, systems and networks
  • Malicious software
    • Viruses
    • Trojans
    • Worms
  • Social engineering threats
    • E.g. pretending to be an employee of a company and asking for private information

Page 54

Common Threats on the Web (3/6)

• Authorisation threats
  • Hacker attempts to bypass security by posing as an authorised user
  • Needs to gain knowledge of a valid username and password combination
  • Various techniques exist:
    • Dictionary attacks
    • Brute-force attacks
    • Short attacks
    • …
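An added example (not from the slides) showing why a dictionary attack succeeds against a poor password and what the server side can do about it: salted PBKDF2 hashing so that every guess costs real work, and a lockout after a few failed attempts. The user accounts, the word list and the thresholds are constructed for the illustration; a real attack uses a word list with millions of entries, which is exactly why lockout or rate limiting matters more than the hash alone.

```python
# Added example (not from the lecture slides): a dictionary attack against a
# password login, and the two defences that blunt it. Accounts, word list and
# thresholds are constructed for illustration.
import hashlib
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor: every guess costs this many hash rounds
MAX_FAILURES = 5      # lock the account after this many consecutive failures


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, int] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # burn the same time so timing does not reveal valid usernames
            return "denied"
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if secrets.compare_digest(candidate, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


# Constructed word list; a real one has millions of entries.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "admin", "welcome", "summer2004"]


def dictionary_attack(service: LoginService, username: str) -> Tuple[Optional[str], int]:
    """Try each word in turn; return (password found or None, guesses made)."""
    for n, guess in enumerate(DICTIONARY, start=1):
        result = service.login(username, guess)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(DICTIONARY)


def run_demo() -> dict:
    svc = LoginService()
    svc.register("peter", "letmein")            # poor choice: it is in the word list
    svc.register("james", "T3a-kettle!quartz")  # not in any word list
    return {"peter": dictionary_attack(svc, "peter"),
            "james": dictionary_attack(svc, "james")}


if __name__ == "__main__":
    print(run_demo())  # {'peter': ('letmein', 4), 'james': (None, 6)}
```

Peter's password falls on the fourth guess, before the lockout triggers; James's account is locked on the sixth attempt, so the attacker never gets to exhaust the list. Lockout has its own cost (an attacker can lock users out on purpose), which is why production systems usually combine it with per-source rate limiting rather than relying on either alone.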

Page 55

Common Threats on the Web (4/6)

• Application threats
  • Exploit vulnerabilities in applications deployed as part of a web system
  • Applications can include
    • Web servers
    • FTP servers
    • DNS servers
    • The operating system
    • …
  • Always keep software updated with the latest version and fixes

Page 56

Common Threats on the Web (5/6)

• Privacy threats
  • Two forms:
    • Network eavesdropping
      • Monitor data being transmitted over networks
      • Extract information
    • Radio signal eavesdropping
      • Listen to radio signals emitted by computer hardware (e.g. computer monitors) and try to extract useful information from them
      • Rarely used – requires expensive equipment

Page 57

Common Threats on the Web (6/6)

• Access control threats
  • Intruder gains access to a system which (s)he is not authorised to use
  • However, (s)he does not do it by posing as an authorised user
    • E.g. gain access to an unsecured modem
    • E.g. exploit some sort of network flaw

Page 58

Network Attacks (1/3)

• Denial of Service (DoS) attacks
  • Attempt to make a website or service unusable
  • E.g. uploading vast amounts of data to an FTP server so as to take bandwidth away from other users
• SYN flood attacks
  • Exploits the TCP 3-way handshake
  • Attacker sends many SYN packets (usually from spoofed source addresses) but never completes the handshake
  • Victim keeps a half-open connection for each one, uses up a lot of resources and potentially crashes

Page 59

Network Attacks (2/3)

• Smurf attacks
  • Many ICMP ping (echo) requests are sent to network broadcast addresses with a spoofed source address of the victim
  • Every host on those networks replies, so the victim receives a large number of ICMP replies to requests it never sent
  • A similar attack called Fraggle works in the same way but uses the UDP protocol

(Diagram: Hacker's PC sends spoofed ping requests; the replies go to the Victim)
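Added example, not from the slides: the detection side of the two attacks above. It runs simple detection logic over a constructed list of packet summaries (source, destination, protocol, TCP flags or ICMP type), of the kind a capture tool or flow log provides, and flags a server accumulating half-open TCP connections (SYN flood) and a host receiving echo replies to requests it never sent (Smurf). All addresses come from the TEST-NET documentation ranges and the thresholds are arbitrary assumptions.

```python
# Added example (not from the lecture slides): detection logic for SYN floods
# and Smurf attacks over a constructed list of packet summaries. Addresses are
# from the TEST-NET documentation ranges; thresholds are arbitrary.
from collections import Counter, defaultdict

# Each record is (src, dst, proto, flags_or_type).
# TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK (client's final handshake step).
# ICMP type: "echo-request" or "echo-reply".
HALF_OPEN_THRESHOLD = 20    # half-open connections to one server before alerting
SMURF_REPLY_THRESHOLD = 20  # distinct unsolicited repliers to one host before alerting


def detect_syn_flood(records, threshold=HALF_OPEN_THRESHOLD):
    """Count, per server, the client SYNs never followed by that client's ACK."""
    syn_seen, acked = set(), set()
    for src, dst, proto, flags in records:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_seen.add((src, dst))
        elif flags == "A":
            acked.add((src, dst))
    half_open = Counter(dst for (_, dst) in syn_seen - acked)
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def detect_smurf(records, threshold=SMURF_REPLY_THRESHOLD):
    """Flag hosts receiving echo replies from many hosts they never pinged."""
    requested = set()              # (requester, target) pairs actually sent
    repliers = defaultdict(set)    # victim -> hosts that replied unsolicited
    for src, dst, proto, kind in records:
        if proto != "icmp":
            continue
        if kind == "echo-request":
            requested.add((src, dst))
        elif kind == "echo-reply" and (dst, src) not in requested:
            repliers[dst].add(src)
    return {host: len(s) for host, s in repliers.items() if len(s) >= threshold}


def sample_traffic():
    """Constructed traffic: normal sessions plus a SYN flood and a Smurf attack."""
    recs = []
    server, victim = "192.0.2.10", "192.0.2.20"
    # Five legitimate clients complete the three-way handshake.
    for i in range(5):
        c = f"198.51.100.{i}"
        recs += [(c, server, "tcp", "S"), (server, c, "tcp", "SA"), (c, server, "tcp", "A")]
    # SYN flood: 50 spoofed sources send a SYN and never ACK.
    for i in range(50):
        recs.append((f"203.0.113.{i}", server, "tcp", "S"))
    # A genuine ping by the victim and its reply (must not be flagged).
    recs += [(victim, server, "icmp", "echo-request"), (server, victim, "icmp", "echo-reply")]
    # Smurf: 40 hosts on the amplifier network answer a request spoofed as the victim.
    for i in range(40):
        recs.append((f"203.0.113.{100 + i}", victim, "icmp", "echo-reply"))
    return recs


if __name__ == "__main__":
    traffic = sample_traffic()
    print(detect_syn_flood(traffic))  # {'192.0.2.10': 50}
    print(detect_smurf(traffic))      # {'192.0.2.20': 40}
```

The SYN-flood rule needs the server's SYN-ACK too in a real deployment (a SYN to a closed port gets a RST, not a half-open entry), and both rules should be evaluated over a sliding time window rather than a whole capture, but the shape is the same: count connection state that was opened and never closed.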

Page 60

Network Attacks (3/3)

• Ping of Death
  • Unlike a plain ping flood (thousands of requests per second), this needs only a few packets: the attacker sends a ping (ICMP echo) request which, once reassembled from its fragments, is larger than the 65,535-byte maximum IP packet size
  • Can cause a total system crash on unpatched systems (the bug was fixed in the operating systems of the late 1990s, but the name survives)
• Other attacks
  • DNS attacks
    • Spoofing
    • Host overflow
    • Length overflow
    • Zone transfer
  • Distributed Denial-of-Service (DDoS)
    • Same as DoS but involves hundreds (or thousands) of machines attacking simultaneously

Page 61

Security Counter-measures (1/5)

• Physical security
  • Make sure hardware is physically secure
    • Security guards
    • Alarms
    • Security procedures
    • Safety procedures

Page 62

Security Counter-measures (2/5)

• Secure authentication and messaging
  • Use of public key cryptography
  • Ensure that
    • Messages received from a user are actually from that user
    • Messages received from a user have not been tampered with

Page 63

Security Counter-measures (3/5)

• Firewall solutions
  • A firewall sits on the perimeter of your network
  • Controls network traffic flow
  • The system administrator may close
    • Ports / protocols
    • Traffic from/to certain systems
    • …
  • Useful against
    • Various network attacks
    • Spyware
    • Unauthorised usage
  • Not the silver bullet of security

Page 64

Security Counter-measures (4/5)

• Bandwidth managers
  • Limit the use of bandwidth by different
    • Protocols
    • Applications
    • Particular sources and destinations
  • Useful against DoS attacks
  • Example:
    • Give high bandwidth to secure ports
    • Give low bandwidth to unsecured ports (limits the damage a DoS attack on them can do; it does not prevent the attack)

Page 65

Security Counter-measures (5/5)

• Disaster recovery and backup
  • Disaster recovery plan
    • Everyone should know what to do if the worst-case scenario were to happen
  • Regular backups are useful and essential

Page 66

E-Payments

How payments are made online

Page 67

Origins of Money and Payments

• Money began with the concept of bartering
• The economic system got more complicated and tokens started being used
  • Items carried an intrinsic value
    • E.g. precious stones, shells, etc.
    • E.g. the silver dollar was made of $1 worth of silver
• After tokens were detached from inherent value, notational money was adopted
• A credit system developed
  • People pay without actually having the money
  • Credit cards

Page 68: CS2070 - ECommercestaff.um.edu.mt/ecac1/files/ECommerce.pdf · People Involved Quality Attributes Differences Types Of Systems Definition E-Commerce Systems. ... Buy-Side B2B Systems

Real-world Cash

� Medium of exchange to simplify transactions� Has a standard value and helps decide worth of goods� Electronic money must fulfill this criteria as well� Benefits of cash

� Convenience� Wide acceptance� Anonymity� No hidden or other cost of use� No audit trail

� Disadvantage of cash is in the cost of holding it� Loss of potential interest in bank� Cost of security� Cost of transport

Page 69: CS2070 - ECommercestaff.um.edu.mt/ecac1/files/ECommerce.pdf · People Involved Quality Attributes Differences Types Of Systems Definition E-Commerce Systems. ... Buy-Side B2B Systems

Electronic Money (E-Money)

• E-Money is an electronic medium for making payments
• Includes
  • Credit cards
  • Smart cards
  • Debit cards
  • Electronic funds transfer
  • Automated Clearinghouse (ACH) systems
• It is notational and can be
  • Online or Off-line
  • Identified or Anonymous

Page 70:

Types of E-Money (1/2)

• Identified and Online (+I+L)
  • Unique to credit card and debit card transactions
  • Customer is easily identifiable
  • Card is validated against a bank’s computer before payment is made
• Identified and Offline (+I-L)
  • Purchasing by cheque, traveller’s cheques, money orders, etc
  • Merchant asks for ID to make sure the identity of the purchaser is known
  • No verification is made

Page 71:

Types of E-Money (2/2)

• Anonymous and Online (-I+L)
  • Cash transactions where the purchaser is anonymous
  • Depositing money in an online account
  • Purchase made on the spot for cash
• Anonymous and Offline (-I-L)
  • Unique to electronic cash
  • E.g. Transferring funds from a credit card to another account using an ATM which does not have a direct connection to the VISA/MasterCard network

Page 72:

Analysing Cash, Cheques and Credit Cards

• Regardless of the form of money, two distinct sets of properties should be considered in a money transfer
• These are
  • The ACID Test
    • Atomicity
    • Consistency
    • Isolation
    • Durability
  • The ICES Test
    • Interoperability
    • Conservation
    • Economy
    • Scalability

Page 73:

The ACID Test (1/2)

• Atomicity
  • Transaction must occur completely or not at all
  • E.g. A transfer of €100 must result in the amount being debited from one account and credited to another. If one action fails, the whole transaction should be aborted.
• Consistency
  • All parties involved must agree to the exchange
  • E.g. Before Joe buys a product from Mel, Joe must agree to buy it for €x and Mel must agree to sell it for €x

Page 74:

The ACID Test (2/2)

• Isolation
  • Each transaction is independent of any other transaction
  • Treated as a stand-alone episode
• Durability
  • Always possible to recover to a consistent state or reverse the state of an exchange
  • E.g. Customer is not happy with the product so you refund him

Page 75:

The ICES Test (1/2)

• Addresses four important properties of Money Transfer
• Interoperability
  • Ability to move back and forth between different systems
• Conservation
  • How well money holds its value over time (temporal consistency)
  • How easy it is to store and access (temporal durability)

Page 76:

The ICES Test (2/2)

• Economy
  • Processing a transaction should be inexpensive and affordable
  • Relative to size of transaction
  • E.g. Paying a €1 charge to process a €10,000 transaction is acceptable. However, it is not acceptable if you are processing a €5 transaction
• Scalability
  • Ability of the system to handle multiple users at the same time

Page 77:

Comparing different systems

System       Atomicity  Consistency  Isolation  Durability  Interoperability  Conservation  Economy  Scalability
Cash         Y          Y            Y          Y           Y                 N             Y        Y
Cheque       Y          Y            N          Y           N                 Y             N        Y
Credit Card  Y          Y            N          Y           N                 -             N        Y

Page 78:

Internet-Based Payments

• Electronic payments are financial transactions made without the use of paper documents such as cheques.
  • E.g. Having your stipends credited to your account, paying for a product with your smartcard
• Internet-based payment systems are a form of electronic payment

Page 79:

Important Properties for E-Payments

• Besides the ACID and ICES tests, other properties are important for e-payment systems
  • Acceptability
  • Ease of Integration
  • Customer base
  • Ease of use and ease of access

Page 80:

Internet-Based Payment Systems Models

• There are four main models for processing payments on the internet:
  • Electronic Currency
  • Credit Cards
  • Debit Cards
  • Smart Cards

Page 81:

Electronic Currency

• The network equivalent of cash
• E.g. Electronic funds transfer (EFT) moves cash from one account (e.g. employer’s account) to another (e.g. employee’s bank account). This happens regardless of the bank type, location, etc.

Page 82:

Credit Cards (1/2)

• Credit cards are the most popular form of payment online
• Bank issues credit card to people
  • Can be topped up
  • Has an associated credit limit
• To sell things on the web, merchants must accept credit cards
• Merchants need to open a merchant account
  • Allows them to process credit card transactions
  • Merchant pays charges depending on the amount of money processed in a time period.
• If users are unhappy with the product/service received, they can generate a charge-back

Page 83:

Credit Cards (2/2)

• Credit cards leave a complete audit trail
• Can be a very insecure way of payment if the right security precautions are not taken
  • No signatures required
  • No face-to-face clues to interpret
• Third-party credit card processing services are available
  • Very useful when merchants fail to obtain a merchant account

Page 84:

Credit Card Laundering

• Merchants sometimes let other merchants use their merchant account
  • They do this for a commission
• This is a violation of the merchant agreement with banks
• The risk is enormous, even if your commission rates are very good
• Why couldn’t your ‘client’ merchant get his own merchant account?
  • Bad credit history
  • Bad management practices
• Typical scenario: Merchant processes payments, closes down the account and does not send his clients any products. All clients generate charge-backs to YOUR merchant account.

Page 85:

Debit Cards

• Similar to credit cards but the card holder is not borrowing money to purchase a product
• Processed through the issuing bank’s card network (as opposed to the global VISA or Mastercard Network)
• Safer for the client if (s)he controls the amount of money in the account linked to the debit card.
  • In case of theft, a thief cannot run up debts for the card owner.

Page 86:

Smart Card (1/2)

• Card with a built-in chip capable of storing information in its memory
• Contains programmable chip, RAM and ROM storage
• Handles a variety of applications
  • Encrypts digital cash on chip
  • Can be refilled by connecting to a bank
  • Digital Key to an office
  • Prescription authorisation
  • Voting purposes

Page 87:

Smart Card (2/2)

• In e-commerce can be used for:
  • Digital Cash
  • Authenticating access to secured encrypted transactions
  • Digital signatures
  • Key storage
  • Authenticating user by use of special devices
• Safer when compared to the credit-card number system
• Devices not yet popular so smart cards cannot really be as successful as credit cards for the time being

Page 88:

Electronic Funds Transfer (EFT)

Computer-based system that:
• facilitates the transfer of money or the processing of financial transactions
• between two financial institutions
• same day or overnight
• one of the earliest forms of electronic payment systems on private networks

Page 89:

Automated Clearinghouse (ACH)

• Routes bank transactions involving more than one financial institution
• Ensures the correct accounts held by the correct institutions can be debited and credited
• Consider an example where you go to your bank (e.g. BOV) and deposit a cheque of €300 which originated from another bank (e.g. HSBC) into your bank account, which previously had a €100 balance
  • The bank teller will give you a receipt saying your new balance is €400
  • However, the new balance will not be available until that cheque clears through an ACH system

Page 90:

ACH Example

[Diagram: a "Not on Us" cheque deposit cleared through the ACH. Your account at Bank A holds €100; the account the cheque is drawn on, at Bank B, holds €100,000.]

1. Cheque deposited at Bank A; €300 is shown in your account but on hold until cleared via ACH
2. Bank A classifies it as a “Not on Us” deposit
3. Cheque goes to ACH for processing
4. ACH queries Bank B
5. Bank B approves
6. ACH credits Bank A with €300
7. Bank B debits the cheque’s account with €300
8. Bank A releases the “Hold”
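As an added example, not part of the lecture slides, the following Python ledger shows the atomicity requirement from the ACID test slides (a transfer is posted in full or rolled back entirely) together with the ACH hold from the example above (the €300 cheque appears in the balance but cannot be spent until it clears). The account names (joe, mel), the starting balances and the sqlite schema are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the slides): balances are in euro cents.
# Joe banks at Bank A with €100; Mel's account starts empty.
SAMPLE_ACCOUNTS = [("joe", 10_000, 0), ("mel", 0, 0)]


def open_ledger():
    # In-memory ledger; isolation_level=None means we issue BEGIN/COMMIT ourselves.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER, held INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return db


def available(db, name):
    """Posted balance minus funds still on hold (what the account can actually spend)."""
    row = db.execute("SELECT balance - held FROM accounts WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise ValueError(f"unknown account {name}")
    return row[0]


def transfer(db, src, dst, cents):
    """Atomic transfer (the ACID 'A'): either both legs are posted or neither is."""
    db.execute("BEGIN IMMEDIATE")  # write lock, so other transactions stay isolated ('I')
    try:
        if cents <= 0:
            raise ValueError("amount must be positive")
        db.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (cents, src))
        if available(db, src) < 0:  # overdrawn, or trying to spend funds still on hold
            raise ValueError("insufficient available funds")
        cur = db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (cents, dst))
        if cur.rowcount != 1:
            raise ValueError(f"unknown account {dst}")
        db.execute("COMMIT")  # durable from here on ('D')
        return True
    except (ValueError, sqlite3.Error):
        db.execute("ROLLBACK")  # the debit already written above is undone as well
        return False


def deposit_cheque(db, name, cents):
    """'Not on Us' cheque deposit: the receipt shows the new balance, but the
    amount stays on hold until the cheque clears through the ACH."""
    db.execute("UPDATE accounts SET balance = balance + ?, held = held + ? WHERE name = ?",
               (cents, cents, name))


def clear_cheque(db, name, cents):
    """Step 8 of the ACH flow: the bank releases the hold once the ACH credit has arrived."""
    db.execute("UPDATE accounts SET held = held - ? WHERE name = ?", (cents, name))
```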

Page 91:

Secure Electronic Transactions (SET) Protocol (1/2)

• An emerging standard protocol for handling transactions on the Internet
• Administered jointly by VISA and MasterCard
• Covers all aspects of online commerce
• Various services
  • Cardholder and merchant registration
  • Purchase request
  • Payment authorisation
  • Payment Capture
  • Authorisation Reversal
  • Credit Reversal

Page 92:

Secure Electronic Transactions (SET) Protocol (2/2)

• Authenticates parties involved using cryptography systems and trust hierarchies of digital certificates
• Based on 4 important goals
  • Confidentiality
  • Integrity of transmitted data
  • Authentication of the card holder and merchant
  • Interoperability across network providers
• Very complex and detailed protocol
• Not economical for small payments (micro payments)

Page 93:

SET Example

[Diagram: the parties are the Customer with a SET Wallet (holding a Secure Cardholder Certificate), the Merchant, the SET Payment Gateway, the Merchant Bank (Acquiring Bank) and the Issuing Bank, connected through the network interchange using VISA, Mastercard, American Express, etc.]

1. Order Details
2. Request for Payment
3. Authorisation
4. Electronic Receipt
5. Payment

Page 94:

Examples of payment systems

• BankNet (http://mkn.co.uk/bank)
• CheckFree (www.checkfree.com)
• Credit Card Network (http://creditnet.com)
• CyberCents (www.cybercents.com)
• Ecash (www.ecashtechnologies.com)
• PayPal (www.paypal.com)
• QuickCommerce (www.qc123.com)
• WebMoney (www.webmoney.ru)
• Millicent (http://research.compaq.com/SRC/articles/199705/Millicent.html)
• Ziplock (www.portsoft.com.au)

Page 95:

Conclusions

• E-Payments are an essential component of e-commerce systems
• By now, you should
  • understand the origins of money and how payment systems evolved
  • appreciate different types of e-payment systems
  • know how to analyse payment systems using tests such as ACID and ICES
  • be familiar with different types of internet payment systems
  • be familiar with various e-payment terms, concepts and protocols such as SET and ACH