What you should know
· B2C versus B2B
· Payment Methods
o Cash
o Cheque
o Debit card
o Credit card
· Online payments
o Bank EFT
o Credit Card
§ Over 85% worldwide use credit card, US-95%, only 5% of all credit card transactions (in all methods) are done online, accounts for 50% of all credit card fraud
o Scrip (fake money, etc. – ex: Canada Tire Money, Air Miles – can’t exchange it for cash but I can use it to buy merchandise online)
§ Flooz
§ beenz
· Consumer concerns
o Privacy and security
o Independence (don’t want the merchant dictating what form of payment you must use-ex: we only take visa not M/C)
o Portability-want to be able to take it from place to place (ex: not just on my own desktop-buy on different computers)
o Convenience
o Phishing – bank or trusted authority that gives you money – and you have a 3rd party that is trying to portray themselves as that authority and emailing you or contacting you telling you that you must fix something on your bank account, etc – but the link doesn’t actually take you to your bank – gets your info
Payment Cards
· Types of cards
o Credit cards – open loop processing – whenever you perform a transaction, there is always a third party involved (Visa and M/C – another bank, clearing house, etc)
o Charge cards-Amex – closed loop processing (no other authority) – have to pay your bill off at the end of the month
o Debit cards
o Single use card – changes the number each transaction
· Advantages *****
o Consumer protection from fraud
o Worldwide acceptance
o Currency conversion handled
o Merchant protection (authorization/verification)
o Merchant assurance from issuing companies – bank covers for merchants if the person buying can’t pay – guaranteed you are going to get paid
· Disadvantages *****
o Costs to merchants: per transaction and monthly fees
o Costs to consumers: annual fee
· Payment processing
o EMV Standard – standard system where data is transferred
o 30 day shipping requirements (if you bill the credit card – you have to ship in within 30 days) – often now see that they do not bill credit card until the product is shipped
o Merchant accounts required to accept credit cards
o General payment service providers– IcVerify – authorizes transactions-3rd party
o Online payment service providers – internet secure, payment online, paypal merchants, Reg.net for FRM
o Figure 11.3
Electronic Cash (in the PayPal account – not in a bank)
· Advantages
o Good for micro payment (<$1) and small payment (<$10) transactions
o Readily exchanged for real cash (unlike Scrip)
o Useful for those who cannot get credit cards
o No need for authorizations, as required by payment cards
o Independence: unrelated to any proprietary network or storage device
o Portability: freely transferable between two parties (across borders)
o Convenience: doesn’t require any special hardware/software
· Disadvantages
o Not standardized or universally accepted
o No audit trail, due to independence and privacy
o Security issues: potential for “double spending” and “money laundering”
o Security issues: susceptible to forgery
o Online systems
§ Authorize.net
§ Checkfree
§ Clickshare
§ Echarge
§ Pay pal
§ Vallista
§ worldpay
Electronic Wallets (not only can it be used as a debit card or credit card but it also has all my medical and passport info, other important data)
o server side
o Billeo services
o Microsoft passport
o Yahoo Wallet
o client side
o llium ewallet
o sxipper for firefox
o smart cards-micro processor trip – stores all your info on one card, benefits over magnetic
Monday, March 31, 2008
Thursday, March 27, 2008
Chapter 11-Key Concept - Payment Systems for E-commerce
Online Payment Basics
Four ways to pay for purchases: Cash, checks, credit cards, and debit cards account for more than 90% of all consumer payments in the US. A small but growing percentage of consumer payments are made by electronic transfer. The most popular consumer electronic transfers are automated payments of auto loans, insurance payments, and mortgage payments made from consumers’ checking accounts. Scrip is digital cash minted by a company instead of by a government. Most scrip cannot be exchanged for cash; it must be exchanged for goods or services by the company that issued the scrip. Scrip is like a gift certificate.
Payment card -all types of plastic cards that consumers (and some businesses) use to make purchases. The main categories of payment cards are credit cards, debit cards, and charge cards. A credit card, such as a Visa or a MasterCard, has a spending limit based on the user’s credit history; a user can pay off the entire credit card balance or pay a minimum amount each billing period. Credit card issuers charge interest on any unpaid balance. A charge card, offered by companies such as American Express, carries no spending limit, and the entire amount charged to the card is due at the end of the billing period. Charge cards do not involve lines of credit and do not accumulate interest charges. Several payment card companies now offer cards with disposable numbers- single use cards
Advantages and disadvantages of payment cards
For merchants, payment cards provide fraud protection. When a merchant accepts payment cards for online payment or for orders placed over the telephone, the merchant can authenticate and authorize purchases using a payment card processing network. The greatest advantage of using payment cards is their worldwide acceptance. However, payment card service companies charge merchants per transaction fees and monthly processing fees. The consumer pays no direct transaction based fees for using payment cards, but the prices of goods and services are slightly higher.
-MasterCard International-Europay-have implemented a single standard for the handling of payment card transactions called the EMV standard (Europay, Mastercard, and Visa). In a brick and mortar store, customers walk out of the store with purchases in their possession, so charging and shipment occur nearly simultaneously. Online stores must ship merchandise within 30 days of charging a payment card. Because the penalties for violating this law can be significant, most online and mail order merchants don’t charge payment card accounts until they ship merchandise.
Open and closed loop systems: in some payment card systems, the card issuers pays the merchants that accept the card directly and doesn’t use an intermediary, such as a bank or clearinghouse system- closed loop systems-Ex: American Express. Open loop systems involve three or more parties. Open loop system-Visa or MasterCard-neither Visa nor MasterCard issues cards directly to consumers. Visa and MasterCard are credit card associations that are operated by the banks who are members in the associations. Member banks-customer issuing banks-responsible for establishing customer credit limits.
Merchant Accounts: A merchant bank or acquiring bank is a bank that does business with sellers that want to accept payment cards. To process payment cards for Internet transactions, an online merchant must set up a merchant account. When the merchant’s bank collects credit card receipts on behalf of the merchant from the payment card issuer, it credits their value to the merchant’s account. When a cardholder successfully contests a charge, the merchant bank must retrieve the money it placed in the merchant account is a process called a chargeback. To ensure that sufficient funds are available to cover chargebacks, a merchant bank might require a company to maintain funds on deposit in the merchant account.
Processing Payment Cards online: software packaged with e-commerce software can handle payment card processing automatically, or merchants can contract with a third party to handle payment card processing- payment processing service providers. Banks connect to an Automatic Clearing House through highly secure, private leased telephone lines. The merchant sends the card info to a payment card authorization company, which reviews the customer account and, if it approves the transaction, sends the credit authorization to the issuing bank. Then the issuing bank deposits the money in the merchant’s web site receives confirmation of the acceptance of the consumer transaction. The merchant website confirms the sale to the customer over the internet.
Electronic cash
Electronic cash (e-cash or digital cash) describes any value storage and exchange system created by a private (nongovernmental) entity that doesn’t use paper documents or coins and that can serve as a substitute for government-issued physical currency. Because e-cash is issued by private entities, there is a need for common standards among all e-cash issuers so that one issuer’s e-cash can be accepted by another issuer. E-cash shows particular promise in two applications: the sale of goods and services priced less than $10 – the loser threshold for credit card payments-and the sale of all goods and services to those without credit cards.
-Internet payments for items costing from a few cents to approximately a dollar are called micropayments.
Privacy and security of e-cash
Concerns about electronic payment methods include privacy and security, independence, portability, and convenience. Electronic cash has unique security problems. First, it must be possible to spend electronic cash only once, just as with traditional currency. Second, e-cash ought to be anonymous, just as hard currency is. That is, security procedures should be in place to guarantee that the entire e-cash transaction occurs only between two parties, and that the recipient knows that the electronic currency being received is not counterfeit or being used in two different transactions. Electronic cash has the advantages of being independent and portable. Advantage-E-cash portability means that it must be freely transferable between any two parties.
Holding e-cash: online and offline cash
Two widely accepted approaches to holding cash exist today: online storage and offline storage. Online cash storage means that the consumer doesn’t personally possess electronic cash. Instead, a trusted third party-an online bank-is involved in all transfers of electronic cash and holds the consumers’ cash accounts-helps prevent fraud by confirming that the consumer’s cash is valid. Offline cash storage is the virtual equivalent of money kept in a wallet. The customer holds it-software safeguards must be used to prevent fraudulent or double spending. Double spending is spending a particular piece of electronic cash twice by submitting the same e=currency to two different vendors.
Advantages and disadvantages of e-cash
E-cash transactions are more efficient (and therefore less costly) than other methods, and that efficiency should foster more business, which eventually means lower prices for consumers. E-cash transfers occur on an existing infrastructure – the internet-and through existing computer systems. Thus, the additional costs that users of e-cash must incur are nearly zero. E-cash doesn’t require that one party obtain an authorization, as is required with credit card transactions. Disadvantages-no audit trail, e-cash is just like real cash in that it cannot be easily traced. Another problem arises: money laundering. Money laundering is a technique used by criminals to convert money that they have obtained illegally into cash that they can spend without having it identified as the proceeds of an illegal activity.
How e-cash works
To begin using e-cash, a consumer opens an account with an e-cash issuer (such as a bank that issues e-cash or a private cendor of e-cash such as paypal) and presents proof of identity. The consumer can then withdraw e-cash. After the issuer verifies the consumer’s identity, it gives the consumer a specific amount of e-cash and deducts the same amount from the consumer’s account
Providing security for e-cash
Cryptographic algorithms are the key to creating tamperproof e-cash that can be traced back to its origins. A two part lock provides anonymous security that also signals when someone is attempting to double spend cahs. When a second transaction occurs for the same e-cash, a complicated process comes into play the reveals the attempted second use and the identity of the original e-cash holder. Double spending can neither be detected nor prevented with truly anonymous e-cash. Anonymous e-cash is e-cash that, like bills and coins, can not be traced back to the person who spent it. One way to be able to trace e-cash is to attach a serial number to each e-cash transaction. -The absence of e-cash standards means that consumers are faced with choosing form an array of proprietary e-cash alternatives – none of which are interoperable. Interoperable software runs transparently on a variety of hardware configurations and on different software systems.
Electronic wallet (sometimes called an e-wallet), serving a function similar to a physical wallet, holds credit card numbers, electronic cash,, owner identification, and owner contact info and provides that info at an electronic commerce site’s checkout counter-give consumers the benefit of entering their info just once. When consumers select items to purchase, they can then click their e-wallet to order the items quickly. E-wallets fall into two categories based on where they are stored. A server side electronic wallet stores a customer’s info on a remote server belonging to a particular merchant or wallet publisher. The main weakness – a security breach could reveal thousands of users’ personal info. A client side e-wallet stores a consumer’s info on his or her own computer. A disadvantage of client side wallets is that they aren’t portable-not available when a purchase is made for a computer other than the computer on which the wallet resides. This removes the risk that an attack on a client side e-wallet vendor’s server could reveal the sensitive info. However, an attack on the user’s computer could yield that info.
Stored value Cards
One solution that could reduce all those cards to a single plastic card is called a stored value card. A stored value card can be an elaborate smart card with a microchip or a plastic card with a magnetic strip that records the currency balance. The main different is that a smart card can store larger amounts of info and includes a processor chip on the card. The card readers needed for smart cards are different, too. Common stored value cards include prepaid phone, copy, subway, and bus cards. Many people use the terms “stored-value card” and smart card interchangeably.
-Most magnetic strip cards hold value that can be recharged by inserting them into the appropriate machines, inserting currency into the machine, and withdrawing the card; the card’s strip stores the increased cash value.
A smart card is a stored value card that is a plastic card with an embedded microchip that can store info. A smart card can store about 100 times the amount of info that a magnetic strip plastic card can store. A smart card can hold private user data, such as financial facts, encryption keys, account info, credit card numbers, health insurance info, medical records. Smart cards are safer than conventional credit cards because the info stored on a smart card is encrypted.
Internet technologies and the banking industry
Check processing
In the past, checks were processed physically by banks and clearinghouses. The retailer’s bank would then send the paper check to a clearing house which would manage the transfer of funds from the consumer’s bank to the retailer’s account. Banks have been working for years to develop technologies that will help them reduce the float. In 2004, a US law went into effect that many bankers believe will eventually eliminate the float.
Phishing attacks
The basic structure of a phishing attack is fairly simple. The attacker sends email messages to a large number of recipients who might have an account at the targeted web site. The email message tells the recipient that his or her account has been compromised and it is necessary for the recipient that his or her account has been compromised and it is necessary for the recipient to log in to the account to correct the matter. The email message includes a link that appears to be a link to the login page of the web site. The link actually leads the recipient to the phishing attack perpetrator’s website, which is disguised to look like the targeted website. The unsuspecting recipient enters his or her login name and password, which the perpetrator captures and then uses to access the recipient’s account.
Organized Crime, Identity theft, and phishing attacks
US laws define organized crime, also called racketeering, as unlawful activities conducted by a highly organized, disciplined association for profit. The associations that engage in organized crime are often differentiated from less organized groups such as gangs and from organized groups that conduct unlawful activities for political purposes such as terrorist organizations-traditionally engaged in criminal activities such as drug trafficking, gambling, money laundering, prostitution, pornography production and distribution, extortion, truck hijacking, fraud, theft, and insider trading. Identity theft is a criminal act in which the perpetrator gathers personal info about a victim and then uses that information to obtain credit. There are two elements in phishing, the collection of the info (done by collectors) and the use of the info (done by cashers).
Phishing attack countermeasures
Since spam is a key elements of phishing attacks, any protocol change that improves email recipients’ ability to identify the source of an email message will also help to reduce the threat of phishing attacks. The most important step that companies can take today-is to educate their web site users. Another anti-phishing technique is to monitor online chat rooms that are used by criminals.
Four ways to pay for purchases: Cash, checks, credit cards, and debit cards account for more than 90% of all consumer payments in the US. A small but growing percentage of consumer payments are made by electronic transfer. The most popular consumer electronic transfers are automated payments of auto loans, insurance payments, and mortgage payments made from consumers’ checking accounts. Scrip is digital cash minted by a company instead of by a government. Most scrip cannot be exchanged for cash; it must be exchanged for goods or services by the company that issued the scrip. Scrip is like a gift certificate.
Payment card -all types of plastic cards that consumers (and some businesses) use to make purchases. The main categories of payment cards are credit cards, debit cards, and charge cards. A credit card, such as a Visa or a MasterCard, has a spending limit based on the user’s credit history; a user can pay off the entire credit card balance or pay a minimum amount each billing period. Credit card issuers charge interest on any unpaid balance. A charge card, offered by companies such as American Express, carries no spending limit, and the entire amount charged to the card is due at the end of the billing period. Charge cards do not involve lines of credit and do not accumulate interest charges. Several payment card companies now offer cards with disposable numbers- single use cards
Advantages and disadvantages of payment cards
For merchants, payment cards provide fraud protection. When a merchant accepts payment cards for online payment or for orders placed over the telephone, the merchant can authenticate and authorize purchases using a payment card processing network. The greatest advantage of using payment cards is their worldwide acceptance. However, payment card service companies charge merchants per transaction fees and monthly processing fees. The consumer pays no direct transaction based fees for using payment cards, but the prices of goods and services are slightly higher.
-MasterCard International-Europay-have implemented a single standard for the handling of payment card transactions called the EMV standard (Europay, Mastercard, and Visa). In a brick and mortar store, customers walk out of the store with purchases in their possession, so charging and shipment occur nearly simultaneously. Online stores must ship merchandise within 30 days of charging a payment card. Because the penalties for violating this law can be significant, most online and mail order merchants don’t charge payment card accounts until they ship merchandise.
Open and closed loop systems: in some payment card systems, the card issuers pays the merchants that accept the card directly and doesn’t use an intermediary, such as a bank or clearinghouse system- closed loop systems-Ex: American Express. Open loop systems involve three or more parties. Open loop system-Visa or MasterCard-neither Visa nor MasterCard issues cards directly to consumers. Visa and MasterCard are credit card associations that are operated by the banks who are members in the associations. Member banks-customer issuing banks-responsible for establishing customer credit limits.
Merchant Accounts: A merchant bank or acquiring bank is a bank that does business with sellers that want to accept payment cards. To process payment cards for Internet transactions, an online merchant must set up a merchant account. When the merchant’s bank collects credit card receipts on behalf of the merchant from the payment card issuer, it credits their value to the merchant’s account. When a cardholder successfully contests a charge, the merchant bank must retrieve the money it placed in the merchant account is a process called a chargeback. To ensure that sufficient funds are available to cover chargebacks, a merchant bank might require a company to maintain funds on deposit in the merchant account.
Processing Payment Cards online: software packaged with e-commerce software can handle payment card processing automatically, or merchants can contract with a third party to handle payment card processing- payment processing service providers. Banks connect to an Automatic Clearing House through highly secure, private leased telephone lines. The merchant sends the card info to a payment card authorization company, which reviews the customer account and, if it approves the transaction, sends the credit authorization to the issuing bank. Then the issuing bank deposits the money in the merchant’s web site receives confirmation of the acceptance of the consumer transaction. The merchant website confirms the sale to the customer over the internet.
Electronic cash
Electronic cash (e-cash or digital cash) describes any value storage and exchange system created by a private (nongovernmental) entity that doesn’t use paper documents or coins and that can serve as a substitute for government-issued physical currency. Because e-cash is issued by private entities, there is a need for common standards among all e-cash issuers so that one issuer’s e-cash can be accepted by another issuer. E-cash shows particular promise in two applications: the sale of goods and services priced less than $10 – the loser threshold for credit card payments-and the sale of all goods and services to those without credit cards.
-Internet payments for items costing from a few cents to approximately a dollar are called micropayments.
Privacy and security of e-cash
Concerns about electronic payment methods include privacy and security, independence, portability, and convenience. Electronic cash has unique security problems. First, it must be possible to spend electronic cash only once, just as with traditional currency. Second, e-cash ought to be anonymous, just as hard currency is. That is, security procedures should be in place to guarantee that the entire e-cash transaction occurs only between two parties, and that the recipient knows that the electronic currency being received is not counterfeit or being used in two different transactions. Electronic cash has the advantages of being independent and portable. Advantage-E-cash portability means that it must be freely transferable between any two parties.
Holding e-cash: online and offline cash
Two widely accepted approaches to holding cash exist today: online storage and offline storage. Online cash storage means that the consumer doesn’t personally possess electronic cash. Instead, a trusted third party-an online bank-is involved in all transfers of electronic cash and holds the consumers’ cash accounts-helps prevent fraud by confirming that the consumer’s cash is valid. Offline cash storage is the virtual equivalent of money kept in a wallet. The customer holds it-software safeguards must be used to prevent fraudulent or double spending. Double spending is spending a particular piece of electronic cash twice by submitting the same e=currency to two different vendors.
Advantages and disadvantages of e-cash
E-cash transactions are more efficient (and therefore less costly) than other methods, and that efficiency should foster more business, which eventually means lower prices for consumers. E-cash transfers occur on an existing infrastructure – the internet-and through existing computer systems. Thus, the additional costs that users of e-cash must incur are nearly zero. E-cash doesn’t require that one party obtain an authorization, as is required with credit card transactions. Disadvantages-no audit trail, e-cash is just like real cash in that it cannot be easily traced. Another problem arises: money laundering. Money laundering is a technique used by criminals to convert money that they have obtained illegally into cash that they can spend without having it identified as the proceeds of an illegal activity.
How e-cash works
To begin using e-cash, a consumer opens an account with an e-cash issuer (such as a bank that issues e-cash or a private cendor of e-cash such as paypal) and presents proof of identity. The consumer can then withdraw e-cash. After the issuer verifies the consumer’s identity, it gives the consumer a specific amount of e-cash and deducts the same amount from the consumer’s account
Providing security for e-cash
Cryptographic algorithms are the key to creating tamperproof e-cash that can be traced back to its origins. A two part lock provides anonymous security that also signals when someone is attempting to double spend cahs. When a second transaction occurs for the same e-cash, a complicated process comes into play the reveals the attempted second use and the identity of the original e-cash holder. Double spending can neither be detected nor prevented with truly anonymous e-cash. Anonymous e-cash is e-cash that, like bills and coins, can not be traced back to the person who spent it. One way to be able to trace e-cash is to attach a serial number to each e-cash transaction. -The absence of e-cash standards means that consumers are faced with choosing form an array of proprietary e-cash alternatives – none of which are interoperable. Interoperable software runs transparently on a variety of hardware configurations and on different software systems.
Electronic wallet (sometimes called an e-wallet), serving a function similar to a physical wallet, holds credit card numbers, electronic cash,, owner identification, and owner contact info and provides that info at an electronic commerce site’s checkout counter-give consumers the benefit of entering their info just once. When consumers select items to purchase, they can then click their e-wallet to order the items quickly. E-wallets fall into two categories based on where they are stored. A server side electronic wallet stores a customer’s info on a remote server belonging to a particular merchant or wallet publisher. The main weakness – a security breach could reveal thousands of users’ personal info. A client side e-wallet stores a consumer’s info on his or her own computer. A disadvantage of client side wallets is that they aren’t portable-not available when a purchase is made for a computer other than the computer on which the wallet resides. This removes the risk that an attack on a client side e-wallet vendor’s server could reveal the sensitive info. However, an attack on the user’s computer could yield that info.
Stored value Cards
One solution that could reduce all those cards to a single plastic card is called a stored value card. A stored value card can be an elaborate smart card with a microchip or a plastic card with a magnetic strip that records the currency balance. The main different is that a smart card can store larger amounts of info and includes a processor chip on the card. The card readers needed for smart cards are different, too. Common stored value cards include prepaid phone, copy, subway, and bus cards. Many people use the terms “stored-value card” and smart card interchangeably.
-Most magnetic strip cards hold value that can be recharged by inserting them into the appropriate machines, inserting currency into the machine, and withdrawing the card; the card’s strip stores the increased cash value.
A smart card is a stored value card that is a plastic card with an embedded microchip that can store info. A smart card can store about 100 times the amount of info that a magnetic strip plastic card can store. A smart card can hold private user data, such as financial facts, encryption keys, account info, credit card numbers, health insurance info, medical records. Smart cards are safer than conventional credit cards because the info stored on a smart card is encrypted.
Internet technologies and the banking industry
Check processing
In the past, checks were processed physically by banks and clearinghouses. The retailer’s bank would then send the paper check to a clearing house which would manage the transfer of funds from the consumer’s bank to the retailer’s account. Banks have been working for years to develop technologies that will help them reduce the float. In 2004, a US law went into effect that many bankers believe will eventually eliminate the float.
Phishing attacks
The basic structure of a phishing attack is fairly simple. The attacker sends email messages to a large number of recipients who might have an account at the targeted web site. The email message tells the recipient that his or her account has been compromised and it is necessary for the recipient that his or her account has been compromised and it is necessary for the recipient to log in to the account to correct the matter. The email message includes a link that appears to be a link to the login page of the web site. The link actually leads the recipient to the phishing attack perpetrator’s website, which is disguised to look like the targeted website. The unsuspecting recipient enters his or her login name and password, which the perpetrator captures and then uses to access the recipient’s account.
Organized Crime, Identity theft, and phishing attacks
US laws define organized crime, also called racketeering, as unlawful activities conducted by a highly organized, disciplined association for profit. The associations that engage in organized crime are often differentiated from less organized groups such as gangs and from organized groups that conduct unlawful activities for political purposes such as terrorist organizations-traditionally engaged in criminal activities such as drug trafficking, gambling, money laundering, prostitution, pornography production and distribution, extortion, truck hijacking, fraud, theft, and insider trading. Identity theft is a criminal act in which the perpetrator gathers personal info about a victim and then uses that information to obtain credit. There are two elements in phishing, the collection of the info (done by collectors) and the use of the info (done by cashers).
Phishing attack countermeasures
Since spam is a key elements of phishing attacks, any protocol change that improves email recipients’ ability to identify the source of an email message will also help to reduce the threat of phishing attacks. The most important step that companies can take today-is to educate their web site users. Another anti-phishing technique is to monitor online chat rooms that are used by criminals.
Wednesday, March 19, 2008
Key Concept Chapter 10 – Electronic Commerce Security
In the late 1970s, the Defense Department formed a committee to develop computer security guidelines for handling classified info on computers- Trusted Computer System Evaluation Criteria.-spelled out rules for mandatory access control.
Online Security Issues Overview
-Computer security is the protection of assets from unauthorized access, use, alteration, or destruction-two general types of security: physical and logical. Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, security defenses. Protection of assets using nonphysical means is called logical security. Any act or object that poses a danger to computer assets is known as a threat.
-Countermeasure is the general name for a procedure, either physical or logical, that reduces, or eliminates a threat. There are four general actions that an organization could take, depending on the impact (cost) and the probability of the physical threat: Contain and control, Prevent, Insurance or backup plan, Ignore.
-An eavesdropper is a person or device that can listen in on and copy internet transmissions. People who write programs or manipulate technologies to obtain unauthorized access to computers and networks are called crackers/hackers.
-Computer security is generally classified into three categories: secrecy, integrity, and necessity.
-A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviours are acceptable and which aren’t. The policy primarily addresses physical security, network security, access authorizations, virus protection, and disaster recovery. Minimum level of acceptable security for most electronic commerce operations:
Secrecy: prevent unauthorized persons from reading messages and business plans, obtaining credit card numbers, or deriving other confidential info; Integrity: enclose info in a digital envelope so that the computer can automatically detect messages that have been altered in transit; Availability: provide delivery assurance for each message segment so that messages or message segments cannot be lost undetectably; Key management: provide secure distribution and management of keys needed to provide secure communications; Nonrepudiation: provide undeniable, end to end proof of each message’s origin and recipient; Authentication: securely identify clients and servers with digital signatures and certificates.
A security policy covers many security concerns that must be addressed by a comprehensive and integrated security plans: Authentication: who is trying to access the e-commerce site; Access control: who is allowed to log on to and access the e-commerce site; Secrecy: who is permitted to view selected information; Data integrity: who is allowed to change data; Audit: who or what causes specific events to occur, and when
Security for client computers
Cookies-The internet provides a type of connection between web clients and servers called a stateless connection. In a stateless connection, each transmission of info is independent, that is, no continuous connection (also called an open session) is maintained between any client and server on the internet. Cookies are small text files that web servers place on web client computers to identify returning visitors. Also allow web servers to maintain continuing open sessions with web clients. Cookies were invented to solve the stateless connection problem by saving info about a web user from one set of server client message exchanges to another. Two ways of categorizing cookies: by time duration and by source. Time duration cookie categories include: session cookies which exist until the web client ends the connection (or session) and persistent cookies which remain on the client computer indefinitely. Another way of categorizing cookies is by their source. Cookies can be placed on the client computer by the web server site, in which case they are called first party cookies, or cookies. A third party cookie originates on a web site other than the site being visited.
Web bugs- a tiny graphic that a third party web site places on another site’s web page. When a site visitor loads the web page, the web bug is delivered by the third-party site, which can then place a cookie on the visitor’s computer. A web bug’s only purpose is to provide a way for a third party web site to place cookies from that third party site on the visitor’s computer.
Active content refers to programs that are embedded transparently in web pages and that cause action to occur-can display moving graphics, download and play audio, or implement web based spreadsheet programs. An applet is a small application program. Because active content modules are embedded in web pages, they can be completely transparent to anyone browsing a page containing them. A Trojan horse is a program hidden inside another program or web page that masks its true purpose. Zombies are equally threatening-it is a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers. Zombie attacks can be very difficult to trace.
Java Applets-The web server sends the Java applets along with web pages requested by the web client. In most cases, the Java applet’s operation will be visible to the site visitor, however, it is possible for a Java applet to perform functions that would not be noticed by the site visitor. Java is platform independent, it can run on many different computers. Once downloaded, embedded Java code can run on a client’s computer, which means that security violations can occur. Untrusted Java applets are those that have not been established as secure.
JavaScript is a scripting language developed by Netscape to enable Web page designers to build active content. When a user downloads a web page with embedded Java Script code, it executes o the user’s (client) computer. Like other active content vehicles, JavaScript can be used for attacks by executing code that destroys the client’s hard disk, discloses the email stored in client mailboxes, etc. JavaScript code can also record the URLS of web pages a user visits and capture info entered into web forms. Unlike Java applets, a Java Script program cannot commence on its own.
An ActiveX control is an object that contains programs and properties that web designers place on web pages to perform particular tasks. ActiveX controls run only on computers with windows operating systems. The security danger with Active X controls is that once they are downloaded, they execute like any other program on a client computer-full access to all system resources.
Graphics and Plug Ins-Some graphics file formats have been designed specifically to contain instructions on how to render a graphic. That means that any web page containing such a graphic could be a threat because the code embedded in the graphic could cause harm to a client computer-browser plug ins, which are programs that enhance the capabilities of browsers, handle web content that a browser cannot handle-perform tasks for a browser, such as playing audio clips, displaying movies, or animating graphics. Pose security threats-users download these plug in programs and install them so their browsers can display content that cannot be included in HTML tags. Viruses, worms, and antivirus software-A virus is software that attaches itself to another program and can cause damage when the host program is activated. A worm is a type of virus that replicates itself on the computers that it infects. A macro virus is a type of virus that is coded as a small program, called a macro, and is embedded in a file. Multivector virus-can enter a computer system in several different ways (vectors).
Digital Certificates- way to control threats from active content is to use digital certificates- an attachment to an email message or a program embedded in a web page that verifies that the sender or web site is who or what it claims to be. It contains a means to send an encrypted message-encoded so other cannot read it-to the entity that sent the original web page or email message. Digital certificates are issued by a certification authority (CA)- requires entities applying for digital certificates to supply appropriate proof of identity.
A key is simply a number used with the encryption algorithm to lock the characters of the message being protected so that they are undecipherable without the key.
Steganography-process of hiding info within another piece of info. This other info resides in the background and is undetectable by anyone without the correct decoding software. A way of hiding an encrypted file within another file so that a casual observer cannot detect that there is anything of importance in the container file. In this two step process, encrypting the file protects it form being read, and steganography makes it invisible.
Communication Channel security
-Secrecy is the prevention of unauthorized info disclosure. Privacy is the protection of individual rights to nondisclosure. Software applications called sniffer programs provide the means to record info that passes through a computer or router that is handling internet traffic.
-An integrity threat, also known as active wiretapping, exists when an unauthorized party can alter a message stream of info. Unlike secrecy threats, where a viewer simply sees info he or she should not, integrity threats can cause a change in the actions a person or corporation takes because a mission critical transmission has been altered. Cybervandalism is the electronic defacing of an existing web site’s page. The electronic equivalent of destroying property or placing graffiti on objects, cybervandalism occurs whenever someone replaces a web site’s regular content with his or her own content. Masquerading or spoofing pretending to be someone you are not, or representing a web site as an original when it is a fake-is one means of disrupting web sites. Domain name servers (DNSs) are the computers on the internet that maintain directories that link domain names to IP addresses.
-The purpose of a necessity threat, also known by other names such as a delay, denial, or denial of service threat, is to disrupt normal computer processing, or deny processing entirely.
Threats to wireless networks-If not protected, a wireless network allows anyone within that range to log in and have access to any resources connected to that network. The security of the connection depends on the Wireless Encryption Protocol (WEP), which is a set of rules for encrypting transmissions from the wireless devices to the WAPs. Attackers-wardrivers, warchalking.
-Encryption is the coding of info by using a mathematically based program and a secret key to produce a strong of characters that is unintelligible. The science that studies encryption is called cryptography- the science of creating messages that only the sender and receiver can read. Cryptography is different from steganography, which makes text undetectable to the naked eye. Cryptography doesn’t hide text; it convents it to other text that is visible, but doesn’t appear to have any meaning.
Encryption Algorithms: the program that transforms normal text, called plain text, into cipher text (the unintelligible string of characters) is called an encryption program. The logic behind an encryption program that includes the mathematics used to do the transformation-is called an encryption algorithm. Hash coding is a process that uses a hash algorithm to calculate a number, called a hash value, from a message of any length. It is a fingerprint for the message because it is almost certain to be unique for each message. Asymmetric encryption or public key encryption, encodes messages by using two mathematically related numeric keys. One key of the pair, called a public key, is freely distributed to the public at large- to anyone interested in communicating securely with the holder of both keys. The public key is used to encrypt messages using one of several different encryption algorithms. The second key-called a private key-belongs to the key owner, who keeps the key secret. The owner uses the private key to decrypt all messages received. One of the most popular technologies used to implement public key encryption today is called Pretty Good Privacy (PGP). PGP is a set of software tools that can use several different encryption algorithms to perform public key encryption. Symmetric encryption, also known as private key encryption, encodes a message with one of several available algorithms that use a single numeric key to encode and decode data. Because the same key is used, both the message sender and the message receiver must known the key-very fast and efficient.
-Comparing Asymmetric and Symmetric Encryption Systems: Public key (asymmetric) systems provide several advantages over private key (symmetric) encrpyion methods. First, the combination of keys required to provide private messages between enormous numbers of people is small. If n people want to share secret info with one another, then only n unique public key pairs are required – far fewer than an equivalent private key system. Second, key distribution isn’t a problem. Each person’s public key can be posted anywhere and doesn’t require any special handling to distribute. Third, public key systems make implementation of digital signatures possible. Public key systems have disadvantages. One disadvantage is that public key encryption and decryption are significantly slower than private key systems. Don’t replace private key systems, but serve as a complement to them.
-Secure Sockets Layer (SSL) Protocol: SSL provides a security “handshake” in which the client and server computers exchange a brief burst of messages. In those messages, the level of security to be used for exchange of digital certificates and other tasks is agreed upon. Each computer identifies the other. After identification, SSL encrypts and decrypts info flowing between the two computers. Info in both the HTTP request and any HTTP response is encrypted. Secure Sockets Layer allows the length of the private session key generated by every encrypted transaction to be set at a variety of bit length. A session key is a key used by an encryption algorithm to create cipher text from plain text during a single secure session.
Secure HTTP (S-HTTP): Secure HTTP (S-HTTP) is an extension to HTTP that provides a number of security features, including client and server authentication, spontaneous encryption, and request/response nonrepudiation. S-HTTP provides symmetric encryption for maintaining secret communications and public key encryption to establish client/server authentication. S-HTTP differs from SSL in the way it establishes a secure session. SSL carries out a client/server handshake exchange to set up a secure communication, but S-HTTP sets up security details with special packet headers that are exchanged in S-HTTP. A secure envelope encapsulates a message and provides secrecy, integrity, and client/server authentication. S-HTTP is no longer used by many web sites. SSL has become a more generally accepted standard for establishing secure communication links between web clients and web servers.
Security for Server Computers
-The server is the third link in the client-internet server e-commerce path between the user and a web server.
Web Server Threats-Web server software is designed to deliver web pages by responding to HTTP requests. A web server can compromise secrecy if it allows automatic directory listings.
-Dictionary attack programs cycle through an electronic dictionary, trying every work in the book as a password. Users’ passwords, once broken, may provide an opening for illegal entry into a server that can remain undetected for a long time.
-buffer is an area of memory set aside to hold data read from a file or database. A buffer is necessary whenever any input or output operation takes place because a computer can process file info much faster than the info can be read from input devices or written to output devices.
-An access control list is a list or database of files and other resources and the usernames of people who can access the files and other resources.
-firewall is software or hardware and software combination that is installed in a network to control the packet traffic moving through it. Most organizations place a firewall at the internet entry point of their networks. The firewall provides a defense between a network and the internet or between a network and any other network that could pose a threat.
-networks inside the firewall are often called trusted, whereas networks outside the firewall are called untrusted. Acting as a filter, firewalls permit selected message to flow into and out of the protected network.
-Firewalls are classified into the following categories: packet filter, gateway server, and proxy server. Packet filter firewalls examine all data flowing back and forth between the trusted network and the internet. Packet filtering examines the source and destination addresses and ports of incoming packets and denies or permits entrance to the packets based on a preprogrammed set of rules. Gateway servers are firewalls that filer traffic based on the application requested. Gateway servers limit access to specific applications such as Telnet, FTP, and HTTP. In contrast to a packet filter technique, an application level firewall filters requests and logs them at the application level, rather than at the lower IP level. A gateway firewall provides a central point where all requests can be classified, logged, and later analyzed. Proxy server firewalls are firewalls that communicate with the internet on the private network’s behalf. Intrusion detection systems are designed to monitor attempts to login to servers and analyze those attempts for patterns and might indicate a cracker’s attack is underway. Once the intrusion detection system identifies an attack, it can block further attempts that originate form the same IP address. In addition to firewalls installed on organizations’ networks, it is possible to install software only firewalls on individual client computers-personal firewalls.
Online Security Issues Overview
-Computer security is the protection of assets from unauthorized access, use, alteration, or destruction-two general types of security: physical and logical. Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, security defenses. Protection of assets using nonphysical means is called logical security. Any act or object that poses a danger to computer assets is known as a threat.
-Countermeasure is the general name for a procedure, either physical or logical, that reduces, or eliminates a threat. There are four general actions that an organization could take, depending on the impact (cost) and the probability of the physical threat: Contain and control, Prevent, Insurance or backup plan, Ignore.
-An eavesdropper is a person or device that can listen in on and copy internet transmissions. People who write programs or manipulate technologies to obtain unauthorized access to computers and networks are called crackers/hackers.
-Computer security is generally classified into three categories: secrecy, integrity, and necessity.
-A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviours are acceptable and which aren’t. The policy primarily addresses physical security, network security, access authorizations, virus protection, and disaster recovery. Minimum level of acceptable security for most electronic commerce operations:
Secrecy: prevent unauthorized persons from reading messages and business plans, obtaining credit card numbers, or deriving other confidential info; Integrity: enclose info in a digital envelope so that the computer can automatically detect messages that have been altered in transit; Availability: provide delivery assurance for each message segment so that messages or message segments cannot be lost undetectably; Key management: provide secure distribution and management of keys needed to provide secure communications; Nonrepudiation: provide undeniable, end to end proof of each message’s origin and recipient; Authentication: securely identify clients and servers with digital signatures and certificates.
A security policy covers many security concerns that must be addressed by a comprehensive and integrated security plans: Authentication: who is trying to access the e-commerce site; Access control: who is allowed to log on to and access the e-commerce site; Secrecy: who is permitted to view selected information; Data integrity: who is allowed to change data; Audit: who or what causes specific events to occur, and when
Security for client computers
Cookies-The internet provides a type of connection between web clients and servers called a stateless connection. In a stateless connection, each transmission of info is independent, that is, no continuous connection (also called an open session) is maintained between any client and server on the internet. Cookies are small text files that web servers place on web client computers to identify returning visitors. Also allow web servers to maintain continuing open sessions with web clients. Cookies were invented to solve the stateless connection problem by saving info about a web user from one set of server client message exchanges to another. Two ways of categorizing cookies: by time duration and by source. Time duration cookie categories include: session cookies which exist until the web client ends the connection (or session) and persistent cookies which remain on the client computer indefinitely. Another way of categorizing cookies is by their source. Cookies can be placed on the client computer by the web server site, in which case they are called first party cookies, or cookies. A third party cookie originates on a web site other than the site being visited.
Web bugs- a tiny graphic that a third party web site places on another site’s web page. When a site visitor loads the web page, the web bug is delivered by the third-party site, which can then place a cookie on the visitor’s computer. A web bug’s only purpose is to provide a way for a third party web site to place cookies from that third party site on the visitor’s computer.
Active content refers to programs that are embedded transparently in web pages and that cause action to occur-can display moving graphics, download and play audio, or implement web based spreadsheet programs. An applet is a small application program. Because active content modules are embedded in web pages, they can be completely transparent to anyone browsing a page containing them. A Trojan horse is a program hidden inside another program or web page that masks its true purpose. Zombies are equally threatening-it is a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers. Zombie attacks can be very difficult to trace.
Java Applets-The web server sends the Java applets along with web pages requested by the web client. In most cases, the Java applet’s operation will be visible to the site visitor, however, it is possible for a Java applet to perform functions that would not be noticed by the site visitor. Java is platform independent, it can run on many different computers. Once downloaded, embedded Java code can run on a client’s computer, which means that security violations can occur. Untrusted Java applets are those that have not been established as secure.
JavaScript is a scripting language developed by Netscape to enable Web page designers to build active content. When a user downloads a web page with embedded Java Script code, it executes o the user’s (client) computer. Like other active content vehicles, JavaScript can be used for attacks by executing code that destroys the client’s hard disk, discloses the email stored in client mailboxes, etc. JavaScript code can also record the URLS of web pages a user visits and capture info entered into web forms. Unlike Java applets, a Java Script program cannot commence on its own.
An ActiveX control is an object that contains programs and properties that web designers place on web pages to perform particular tasks. ActiveX controls run only on computers with windows operating systems. The security danger with Active X controls is that once they are downloaded, they execute like any other program on a client computer-full access to all system resources.
Graphics and Plug Ins-Some graphics file formats have been designed specifically to contain instructions on how to render a graphic. That means that any web page containing such a graphic could be a threat because the code embedded in the graphic could cause harm to a client computer-browser plug ins, which are programs that enhance the capabilities of browsers, handle web content that a browser cannot handle-perform tasks for a browser, such as playing audio clips, displaying movies, or animating graphics. Pose security threats-users download these plug in programs and install them so their browsers can display content that cannot be included in HTML tags. Viruses, worms, and antivirus software-A virus is software that attaches itself to another program and can cause damage when the host program is activated. A worm is a type of virus that replicates itself on the computers that it infects. A macro virus is a type of virus that is coded as a small program, called a macro, and is embedded in a file. Multivector virus-can enter a computer system in several different ways (vectors).
Digital Certificates- way to control threats from active content is to use digital certificates- an attachment to an email message or a program embedded in a web page that verifies that the sender or web site is who or what it claims to be. It contains a means to send an encrypted message-encoded so other cannot read it-to the entity that sent the original web page or email message. Digital certificates are issued by a certification authority (CA)- requires entities applying for digital certificates to supply appropriate proof of identity.
A key is simply a number used with the encryption algorithm to lock the characters of the message being protected so that they are undecipherable without the key.
Steganography-process of hiding info within another piece of info. This other info resides in the background and is undetectable by anyone without the correct decoding software. A way of hiding an encrypted file within another file so that a casual observer cannot detect that there is anything of importance in the container file. In this two step process, encrypting the file protects it form being read, and steganography makes it invisible.
Communication Channel security
-Secrecy is the prevention of unauthorized info disclosure. Privacy is the protection of individual rights to nondisclosure. Software applications called sniffer programs provide the means to record info that passes through a computer or router that is handling internet traffic.
-An integrity threat, also known as active wiretapping, exists when an unauthorized party can alter a message stream of info. Unlike secrecy threats, where a viewer simply sees info he or she should not, integrity threats can cause a change in the actions a person or corporation takes because a mission critical transmission has been altered. Cybervandalism is the electronic defacing of an existing web site’s page. The electronic equivalent of destroying property or placing graffiti on objects, cybervandalism occurs whenever someone replaces a web site’s regular content with his or her own content. Masquerading or spoofing pretending to be someone you are not, or representing a web site as an original when it is a fake-is one means of disrupting web sites. Domain name servers (DNSs) are the computers on the internet that maintain directories that link domain names to IP addresses.
-The purpose of a necessity threat, also known by other names such as a delay, denial, or denial of service threat, is to disrupt normal computer processing, or deny processing entirely.
Threats to wireless networks-If not protected, a wireless network allows anyone within that range to log in and have access to any resources connected to that network. The security of the connection depends on the Wireless Encryption Protocol (WEP), which is a set of rules for encrypting transmissions from the wireless devices to the WAPs. Attackers-wardrivers, warchalking.
-Encryption is the coding of info by using a mathematically based program and a secret key to produce a strong of characters that is unintelligible. The science that studies encryption is called cryptography- the science of creating messages that only the sender and receiver can read. Cryptography is different from steganography, which makes text undetectable to the naked eye. Cryptography doesn’t hide text; it convents it to other text that is visible, but doesn’t appear to have any meaning.
Encryption Algorithms: the program that transforms normal text, called plain text, into cipher text (the unintelligible string of characters) is called an encryption program. The logic behind an encryption program that includes the mathematics used to do the transformation-is called an encryption algorithm. Hash coding is a process that uses a hash algorithm to calculate a number, called a hash value, from a message of any length. It is a fingerprint for the message because it is almost certain to be unique for each message. Asymmetric encryption or public key encryption, encodes messages by using two mathematically related numeric keys. One key of the pair, called a public key, is freely distributed to the public at large- to anyone interested in communicating securely with the holder of both keys. The public key is used to encrypt messages using one of several different encryption algorithms. The second key-called a private key-belongs to the key owner, who keeps the key secret. The owner uses the private key to decrypt all messages received. One of the most popular technologies used to implement public key encryption today is called Pretty Good Privacy (PGP). PGP is a set of software tools that can use several different encryption algorithms to perform public key encryption. Symmetric encryption, also known as private key encryption, encodes a message with one of several available algorithms that use a single numeric key to encode and decode data. Because the same key is used, both the message sender and the message receiver must known the key-very fast and efficient.
-Comparing Asymmetric and Symmetric Encryption Systems: Public key (asymmetric) systems provide several advantages over private key (symmetric) encrpyion methods. First, the combination of keys required to provide private messages between enormous numbers of people is small. If n people want to share secret info with one another, then only n unique public key pairs are required – far fewer than an equivalent private key system. Second, key distribution isn’t a problem. Each person’s public key can be posted anywhere and doesn’t require any special handling to distribute. Third, public key systems make implementation of digital signatures possible. Public key systems have disadvantages. One disadvantage is that public key encryption and decryption are significantly slower than private key systems. Don’t replace private key systems, but serve as a complement to them.
-Secure Sockets Layer (SSL) Protocol: SSL provides a security “handshake” in which the client and server computers exchange a brief burst of messages. In those messages, the level of security to be used for exchange of digital certificates and other tasks is agreed upon. Each computer identifies the other. After identification, SSL encrypts and decrypts info flowing between the two computers. Info in both the HTTP request and any HTTP response is encrypted. Secure Sockets Layer allows the length of the private session key generated by every encrypted transaction to be set at a variety of bit length. A session key is a key used by an encryption algorithm to create cipher text from plain text during a single secure session.
Secure HTTP (S-HTTP): Secure HTTP (S-HTTP) is an extension to HTTP that provides a number of security features, including client and server authentication, spontaneous encryption, and request/response nonrepudiation. S-HTTP provides symmetric encryption for maintaining secret communications and public key encryption to establish client/server authentication. S-HTTP differs from SSL in the way it establishes a secure session. SSL carries out a client/server handshake exchange to set up a secure communication, but S-HTTP sets up security details with special packet headers that are exchanged in S-HTTP. A secure envelope encapsulates a message and provides secrecy, integrity, and client/server authentication. S-HTTP is no longer used by many web sites. SSL has become a more generally accepted standard for establishing secure communication links between web clients and web servers.
Security for Server Computers
-The server is the third link in the client-internet server e-commerce path between the user and a web server.
Web Server Threats-Web server software is designed to deliver web pages by responding to HTTP requests. A web server can compromise secrecy if it allows automatic directory listings.
-Dictionary attack programs cycle through an electronic dictionary, trying every work in the book as a password. Users’ passwords, once broken, may provide an opening for illegal entry into a server that can remain undetected for a long time.
-buffer is an area of memory set aside to hold data read from a file or database. A buffer is necessary whenever any input or output operation takes place because a computer can process file info much faster than the info can be read from input devices or written to output devices.
-An access control list is a list or database of files and other resources and the usernames of people who can access the files and other resources.
-firewall is software or hardware and software combination that is installed in a network to control the packet traffic moving through it. Most organizations place a firewall at the internet entry point of their networks. The firewall provides a defense between a network and the internet or between a network and any other network that could pose a threat.
-networks inside the firewall are often called trusted, whereas networks outside the firewall are called untrusted. Acting as a filter, firewalls permit selected message to flow into and out of the protected network.
-Firewalls are classified into the following categories: packet filter, gateway server, and proxy server. Packet filter firewalls examine all data flowing back and forth between the trusted network and the internet. Packet filtering examines the source and destination addresses and ports of incoming packets and denies or permits entrance to the packets based on a preprogrammed set of rules. Gateway servers are firewalls that filer traffic based on the application requested. Gateway servers limit access to specific applications such as Telnet, FTP, and HTTP. In contrast to a packet filter technique, an application level firewall filters requests and logs them at the application level, rather than at the lower IP level. A gateway firewall provides a central point where all requests can be classified, logged, and later analyzed. Proxy server firewalls are firewalls that communicate with the internet on the private network’s behalf. Intrusion detection systems are designed to monitor attempts to login to servers and analyze those attempts for patterns and might indicate a cracker’s attack is underway. Once the intrusion detection system identifies an attack, it can block further attempts that originate form the same IP address. In addition to firewalls installed on organizations’ networks, it is possible to install software only firewalls on individual client computers-personal firewalls.
Tuesday, March 11, 2008
Ch.9 Key Concept-Electronic Commerce Software
Web Hosting Alternatives
When companies need to incorporate electronic commerce components, they may opt to run servers in house-self hosting. Many midsize and smaller companies decide that a third-party web hosting service provider is a better choice than self hosting. A number of companies called Internet service providers (ISPs) provide internet access to companies and individuals-some offer web hosting as well-sometimes call themselves commerce service providers (CSPs). These firms often offer web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses, sometimes called managed service providers. Service providers offer clients hosting arrangements that include shared hosting, dedicated hosting, and co-location. Shared hosting means that the client’s web site is on a service that hosts other web sites simultaneously and is operated by the service provider at its location. Dedicated hosting-service provider makes a web server available to the client, but the client doesn’t share the server with other clients of the service provider. The service provider is responsible for maintaining the routers, and other network hardware. In a co-location service, the service provider rents a physical space to the client to install its own service hardware. The client installs its own software and maintains the server-the service provider is responsible only for providing a reliable power supply and a connection to the internet through its routers and other networking hardware. The best hosting services provide web server hardware and software combinations that are scalable, which means they can be adapted to meet changing requirements when their clients grow.
Basic functions of electronic commerce software
Inexpensive end of the spectrum-externally hosted stores that provide software tools to build an online store on a host’s site. At the other end- software suites that can handle high transaction volumes and include a broad assortment of features and tools. The type of e-commerce software an organization needs depends on several factors- the expected size of the enterprise and its projected traffic and sales, budget, etc. All e-commerce solutions must at least provide:
-a catalog display, shopping cart capabilities, transaction processing
Additional software components: middleware that integrates the e-commerce system with existing company info systems that handle inventory control, order processing, and accounting, enterprise application integration, web services, integration with enterprise resource planning software, supply chain management software, CRM, content management software, knowledge management software
Catalog display
A static catalog is a simple list written in HTML that appears on a web page or a series of web page. A dynamic catalog stores the information about items in a database, usually on a separate computer that is accessible to the server that is running the web site itself. It can feature multiple photos of each item, detailed descriptions, and a search tool.
Shopping cart
In the early days of e-commerce, shoppers selected items they wanted to purchase by filling out online forms. This system was awkward for ordering more than one or two items at a time. One problem with forms-based shopping was that shoppers had to write down product codes, unit prices, and other info about the product before going to the order form, which was inevitably on another page. Today, shopping carts are a standard of e-commerce. It keeps track of the items the customer has selected and allows customers to view the contents of their cards, add new items, or remove items. To order an item, the customer simply clicks that item.
Transaction processing
Transaction processing when the shopper proceeds to the checkout by clicking a checkout button. Then, the e-commerce software performs any necessary calculations such as volume discounts, sales taxes, and shipping costs. Most complex part of the online sale.
Advanced functions of e-commerce software
Middleware
Establish the connections between their e-commerce software and their existing accounting systems. Most of the cost of middleware isn’t the software itself, but the consulting fees needed. Making a company’s info systems work together is called interoperability.
Enterprise application integration and databases
A program that performs a specific function, such as creating invoices, calculating payroll or processing payments received from customers, is called an application program/application software. An application server is a computer that takes the request messages received by the web server and runs application programs that perform some kind of action based on the contents of the request messages. The actions that the application server software performs are determined by the rules-business logic. Links among these scattered applications so that the organization’s business logic can be interconnected is called application integration/enterprise application integration-accomplished by programs that transfer info from one application to another, programmers are using XML data feeds more. Application servers are usually grouped into two types: page based and component based systems. Page based application systems return pages generated by scripts that include the rules for presenting data on the web page with the business logic. Larger businesses often prefer to use a component based application system that separates the presentation logic from the business logic. Application servers usually obtain the business logic info they use to build web pages from databases. A database manager is software that stores info in a highly structured way. Large information systems that store the same data in many different physical locations are called distributed info systems and the databases within those systems are called distributed database systems. Most web stores selling many products use a database that stores product info, including size, color, type, and price details.
Web services
Web services as a combination of software tools that let application software in one organization communicate with other applications over a network by using a specific set of standard protocols known by their acronyms: SOAP, UDDI, and WSDL.
How web services work: a key element of the web services approach is that programmers can write software that accesses these units of business application logic without knowing the details of how each unit is implemented. Web services can be mixed and matched with other web services to execute a complex business transaction. The first web services were info sources. The web services model allowed programmers to incorporate these info sources into software applications.
SOAP, WSDL, and UDDI Specifications: three rule sets (usually called protocols or specifications) let programs work with the formatted (using XML or HTML) data flows to accomplish the communication that makes web services work. The simple object access protocol (SOAP) is a message-passing protocol that defines how to send marked up data from one software application to another across a network. The characteristics of the logic units that make up specific web services are described using the web services description language (WSDL). They can use the info in a WSDL description to modify an application program so it can connect to a web service. Programmers (and, eventually, the programs themselves) need to find the location of web services before they can interpret their characteristics (described in WSDL) or communicate with them (using SOAP). The set of protocols that identify locations of web services and their associated WSDL descriptions is called the Universal Description, Discovery, and Integration (UDDI) specification.
The future of web services: Much of the data in web services applications is stored and transmitted in XML format. Because there are so many variations of XML is in use today, it is critical that data providing and data using partners agree on which XML implementation to use. No web services management standards or history of best practices – this lack of standards means that each web service subscriber needs a detailed agreement (specifying service levels, quality of service standards, and so on) with each web services provider.
Integration with ERP Systems
Many B2B web sites must be able to connect to existing info systems such as enterprise resource planning software. Enterprise resource planning (ERP) software packages are business systems that integrate all facets of a business.
E-Commerce Software for small and midsize companies
Basic Commerce Service Providers
Using a service provider’s shared or dedicated hosting services instead of building in-house servers or using a co-location service means that the staffing burden shifts from the company to the web host. CSPs have the same advantages as ISP hosting services, spreading the cost of a large web site over several “renters” hosted by the service.
Mall style commerce service providers
Mall style CSPs provide small businesses with an Internet connection, web site creation tools, and little or no banner advertising clutter. Web hosts in this group charge a monthly fee that is often higher than that of lower end providers, and may also charge one time setup fees. Some of these providers also charge a percentage of or fixed amount for each customer transaction. The CSP processes the acceptance and authorization of credit cards on behalf of the merchant.
E-commerce software for midsize to large businesses
The midrange packages allow the merchant to have explicit control over merchandising choices, site layout, internal architecture, and remote and local management options. The midrange and basic e-commerce packages differ on price, capability, database connectivity, software portability, software customization tools, and computer expertise required of the merchant.
Web site development tools
Although they are more often used for creating small business site, it is possible to construct the elements of a midrange e-commerce web site using the web page creation and site management tools – Macromedia Dreamweaver, Microsoft FrontPage. After creating the web site with these development tools, the designer can add purchased software elements, such as shopping carts and content management software, to the site. The final step is to create the middleware that connects the site to the company’s existing product and transaction processing databases. Buying and using midrange e-commerce software is more expensive than using CSPs. Midrange software traditionally offers connectivity to database systems that store catalog info.
E-commerce software for large businesses
Larger businesses require many of the same advanced capabilities as midsize firms, but the larger firms need to handle higher transaction loads. They need dedicated software applications to handle specific elements of their online business. The distinction between midrange and large scale e-commerce software is much clearer than the one between basic systems and midrange systems. The tell tale sign is price. Commerce software in this class is sometimes called enterprise-class software- a system that serves multiple locations or divisions of one company and encompasses all areas of the business or enterprise.
Enterprise class e-commerce software
Enterprise-class software provides good tools for linking to and supporting supply and purchasing activities. For a selling business, e-business software provides standard e-commerce activities, such as secure transaction processing and fulfillment, but it can also do more. In contrast, both basic and midrange e-commerce packages usually require an administrator to check inventory manually and place orders explicitly for items that need to be replenished. A merchant server houses the e-business system and key back end software. It processes payments, computes shipping and taxes, and sends a message to the fulfillment department when it must ship goods to a purchaser.
Supply Chain Management Software
Supply chain management (SCM) software helps companies to coordinate planning and operations with their partners in the industry supply chains of which they are members-performs two general types of functions: planning and execution. SCM planning software helps companies develop coordinated demand forecasts using info from each participant in the supply chain. SCM execution software helps with tasks such as warehouse and transportation management.
Content Management Software
Most e-commerce software comes with wizards and other automated helpers that create template-driven pages, such as home pages, about pages, and contact pages. But most businesses want to customize web pages. Content management software helps companies control the large amounts of text, graphics, and media files that have become a key part of doing business.
Knowledge management software
An increasing number of large companies have achieved cost savings by using content management software. Software is designed to help companies manage info that, until recently, was stored in paper reports, schedules, analyses, and memos. KM software helps companies do four main things: collect and organize info, share the info among users, enhance the ability of users to collaborate, and preserver the knowledge gained through the use of info so that future users can benefit from the learning of current users-includes tools that read e-documents scanned paper documents, email messages, and web pages.
When companies need to incorporate electronic commerce components, they may opt to run servers in house-self hosting. Many midsize and smaller companies decide that a third-party web hosting service provider is a better choice than self hosting. A number of companies called Internet service providers (ISPs) provide internet access to companies and individuals-some offer web hosting as well-sometimes call themselves commerce service providers (CSPs). These firms often offer web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses, sometimes called managed service providers. Service providers offer clients hosting arrangements that include shared hosting, dedicated hosting, and co-location. Shared hosting means that the client’s web site is on a service that hosts other web sites simultaneously and is operated by the service provider at its location. Dedicated hosting-service provider makes a web server available to the client, but the client doesn’t share the server with other clients of the service provider. The service provider is responsible for maintaining the routers, and other network hardware. In a co-location service, the service provider rents a physical space to the client to install its own service hardware. The client installs its own software and maintains the server-the service provider is responsible only for providing a reliable power supply and a connection to the internet through its routers and other networking hardware. The best hosting services provide web server hardware and software combinations that are scalable, which means they can be adapted to meet changing requirements when their clients grow.
Basic functions of electronic commerce software
Inexpensive end of the spectrum-externally hosted stores that provide software tools to build an online store on a host’s site. At the other end- software suites that can handle high transaction volumes and include a broad assortment of features and tools. The type of e-commerce software an organization needs depends on several factors- the expected size of the enterprise and its projected traffic and sales, budget, etc. All e-commerce solutions must at least provide:
-a catalog display, shopping cart capabilities, transaction processing
Additional software components: middleware that integrates the e-commerce system with existing company info systems that handle inventory control, order processing, and accounting, enterprise application integration, web services, integration with enterprise resource planning software, supply chain management software, CRM, content management software, knowledge management software
Catalog display
A static catalog is a simple list written in HTML that appears on a web page or a series of web page. A dynamic catalog stores the information about items in a database, usually on a separate computer that is accessible to the server that is running the web site itself. It can feature multiple photos of each item, detailed descriptions, and a search tool.
Shopping cart
In the early days of e-commerce, shoppers selected items they wanted to purchase by filling out online forms. This system was awkward for ordering more than one or two items at a time. One problem with forms-based shopping was that shoppers had to write down product codes, unit prices, and other info about the product before going to the order form, which was inevitably on another page. Today, shopping carts are a standard of e-commerce. It keeps track of the items the customer has selected and allows customers to view the contents of their cards, add new items, or remove items. To order an item, the customer simply clicks that item.
Transaction processing
Transaction processing when the shopper proceeds to the checkout by clicking a checkout button. Then, the e-commerce software performs any necessary calculations such as volume discounts, sales taxes, and shipping costs. Most complex part of the online sale.
Advanced functions of e-commerce software
Middleware
Establish the connections between their e-commerce software and their existing accounting systems. Most of the cost of middleware isn’t the software itself, but the consulting fees needed. Making a company’s info systems work together is called interoperability.
Enterprise application integration and databases
A program that performs a specific function, such as creating invoices, calculating payroll or processing payments received from customers, is called an application program/application software. An application server is a computer that takes the request messages received by the web server and runs application programs that perform some kind of action based on the contents of the request messages. The actions that the application server software performs are determined by the rules-business logic. Links among these scattered applications so that the organization’s business logic can be interconnected is called application integration/enterprise application integration-accomplished by programs that transfer info from one application to another, programmers are using XML data feeds more. Application servers are usually grouped into two types: page based and component based systems. Page based application systems return pages generated by scripts that include the rules for presenting data on the web page with the business logic. Larger businesses often prefer to use a component based application system that separates the presentation logic from the business logic. Application servers usually obtain the business logic info they use to build web pages from databases. A database manager is software that stores info in a highly structured way. Large information systems that store the same data in many different physical locations are called distributed info systems and the databases within those systems are called distributed database systems. Most web stores selling many products use a database that stores product info, including size, color, type, and price details.
Web services
Web services as a combination of software tools that let application software in one organization communicate with other applications over a network by using a specific set of standard protocols known by their acronyms: SOAP, UDDI, and WSDL.
How web services work: a key element of the web services approach is that programmers can write software that accesses these units of business application logic without knowing the details of how each unit is implemented. Web services can be mixed and matched with other web services to execute a complex business transaction. The first web services were info sources. The web services model allowed programmers to incorporate these info sources into software applications.
SOAP, WSDL, and UDDI Specifications: three rule sets (usually called protocols or specifications) let programs work with the formatted (using XML or HTML) data flows to accomplish the communication that makes web services work. The simple object access protocol (SOAP) is a message-passing protocol that defines how to send marked up data from one software application to another across a network. The characteristics of the logic units that make up specific web services are described using the web services description language (WSDL). They can use the info in a WSDL description to modify an application program so it can connect to a web service. Programmers (and, eventually, the programs themselves) need to find the location of web services before they can interpret their characteristics (described in WSDL) or communicate with them (using SOAP). The set of protocols that identify locations of web services and their associated WSDL descriptions is called the Universal Description, Discovery, and Integration (UDDI) specification.
The future of web services: Much of the data in web services applications is stored and transmitted in XML format. Because there are so many variations of XML is in use today, it is critical that data providing and data using partners agree on which XML implementation to use. No web services management standards or history of best practices – this lack of standards means that each web service subscriber needs a detailed agreement (specifying service levels, quality of service standards, and so on) with each web services provider.
Integration with ERP Systems
Many B2B web sites must be able to connect to existing info systems such as enterprise resource planning software. Enterprise resource planning (ERP) software packages are business systems that integrate all facets of a business.
E-Commerce Software for small and midsize companies
Basic Commerce Service Providers
Using a service provider’s shared or dedicated hosting services instead of building in-house servers or using a co-location service means that the staffing burden shifts from the company to the web host. CSPs have the same advantages as ISP hosting services, spreading the cost of a large web site over several “renters” hosted by the service.
Mall style commerce service providers
Mall style CSPs provide small businesses with an Internet connection, web site creation tools, and little or no banner advertising clutter. Web hosts in this group charge a monthly fee that is often higher than that of lower end providers, and may also charge one time setup fees. Some of these providers also charge a percentage of or fixed amount for each customer transaction. The CSP processes the acceptance and authorization of credit cards on behalf of the merchant.
E-commerce software for midsize to large businesses
The midrange packages allow the merchant to have explicit control over merchandising choices, site layout, internal architecture, and remote and local management options. The midrange and basic e-commerce packages differ on price, capability, database connectivity, software portability, software customization tools, and computer expertise required of the merchant.
Web site development tools
Although they are more often used for creating small business site, it is possible to construct the elements of a midrange e-commerce web site using the web page creation and site management tools – Macromedia Dreamweaver, Microsoft FrontPage. After creating the web site with these development tools, the designer can add purchased software elements, such as shopping carts and content management software, to the site. The final step is to create the middleware that connects the site to the company’s existing product and transaction processing databases. Buying and using midrange e-commerce software is more expensive than using CSPs. Midrange software traditionally offers connectivity to database systems that store catalog info.
E-commerce software for large businesses
Larger businesses require many of the same advanced capabilities as midsize firms, but the larger firms need to handle higher transaction loads. They need dedicated software applications to handle specific elements of their online business. The distinction between midrange and large scale e-commerce software is much clearer than the one between basic systems and midrange systems. The tell tale sign is price. Commerce software in this class is sometimes called enterprise-class software- a system that serves multiple locations or divisions of one company and encompasses all areas of the business or enterprise.
Enterprise class e-commerce software
Enterprise-class software provides good tools for linking to and supporting supply and purchasing activities. For a selling business, e-business software provides standard e-commerce activities, such as secure transaction processing and fulfillment, but it can also do more. In contrast, both basic and midrange e-commerce packages usually require an administrator to check inventory manually and place orders explicitly for items that need to be replenished. A merchant server houses the e-business system and key back end software. It processes payments, computes shipping and taxes, and sends a message to the fulfillment department when it must ship goods to a purchaser.
Supply Chain Management Software
Supply chain management (SCM) software helps companies to coordinate planning and operations with their partners in the industry supply chains of which they are members-performs two general types of functions: planning and execution. SCM planning software helps companies develop coordinated demand forecasts using info from each participant in the supply chain. SCM execution software helps with tasks such as warehouse and transportation management.
Content Management Software
Most e-commerce software comes with wizards and other automated helpers that create template-driven pages, such as home pages, about pages, and contact pages. But most businesses want to customize web pages. Content management software helps companies control the large amounts of text, graphics, and media files that have become a key part of doing business.
Knowledge management software
An increasing number of large companies have achieved cost savings by using content management software. Software is designed to help companies manage info that, until recently, was stored in paper reports, schedules, analyses, and memos. KM software helps companies do four main things: collect and organize info, share the info among users, enhance the ability of users to collaborate, and preserver the knowledge gained through the use of info so that future users can benefit from the learning of current users-includes tools that read e-documents scanned paper documents, email messages, and web pages.
Ch. 8 Key Concept-Web Server Hardware and Software
Web Server Basics
Elements of a web server: hardware (computers/related components), operating system software, and web server software.
Types of web sites
First step in planning a web server-determine what the company wants to accomplish with the server. Decisions about sever hardware and software should be driven by the volume and type of web activities expected. Types of sites include:
-Development sites: simple sites that companies use to evaluate different web design with little initial investment. A development site can reside on an existing PC running web server software.
-Intranets: corporate networks that house internal memos, corporate policy handbooks, expense account worksheets, budgets, newsletters, and a variety of other corporate documents
-Extranets: allow certain authorized parties outside the company to access parts of the information in the system
-Transaction-processing sites such as business to business and business to consumer electronic commerce sites that must be available 24 hours a day, seven days a week. These sites must have spare server computers for handling high traffic volumes and must run web and commerce software that is efficient and easily upgraded.
-Content delivery sites: deliver content such as news, histories, summaries, and other digital information. Content must be presented rapidly on the visitor’s screen. Sites must be available 24 hours a day, seven day a week and hardware requirements are similar to those of transaction-processing commerce sites.
Web clients and web servers
When people use their internet connections to become part of the web, their computers become web client computers on a worldwide client/server network- used in LANs, WANs, and the web. The client computer request services from the server. Web browser software is the software that makes computers work as web clients-called web client software. Web software is platform neutral-it lets computers communicate with each other easily and effectively.
Dynamic content
A dynamic page is a web page whose content is shaped by a program in response to user requests, whereas a static page is an unchanging page retrieved from disk. Static pages require less computing power than dynamic page delivery. Dynamic content is nonstatic information constructed in response to a web client’s request-use of databases, etc.
On a web site that is a collection of HTML pages, the content on the site can be changed only by editing the HTML in the pages. This doesn’t allow customized pages to be produced in response to specific queries. To create customized pages, web sites use one of two basic approaches: server-side scripting or a dynamic page generation technology.
Server side scripting: in server side scripting programs running on the web server creates the web pages before sending them back to the requesting web clients as parts of response messages are slow.
Dynamic page generation technologies: Server side scripts are mixed with HTML tagged text to create dynamic web pages. The future of dynamic web page generation: critics of dynamic page creation technologies- do not really solve the problem of dynamic web page generation. They argue that these dynamic page creation approaches merely shift the task of creating dynamic pages from people who write HTML code to ASP programmers. The Apache Cocoon Project- outlined a more complex model of the web page generation process that identifies four areas of concern (logic, content, style, and management). It lets web page developers divide the work into these four areas of concern and it breaks the direct connection between logic and style. By separating the logic (the work of programmers) and styles (the work of graphic artists) that is combined in the structure of HTML, web designers could make dynamic web page design easier in the future.
Various Meanings of “Server”
A server is any computer used to provide files of make programs available to other computers connected to it through a network. The software that the server computer uses to make these files and programs available called server software. Some servers are connected through a router to the internet-can run software, called web server software that makes files on those servers available to other computers on the internet. When a server computer is connected to the internet and is running web server software it is called a web server. The server computer that handles incoming and outgoing email is usually called an email server, and the software that managers email activity on that server is frequently called email server software. The server computer on which database management software runs is often called a database server.
Web client/ server communication
A web page containing many graphics and other objects can be slow to appear in the client’s web browser window because each page element (each graphic or multimedia file) requires a separate request and response.
Two tier client/server architecture
The basic web client/server model is a two tier model because it has only one client and one server. The message that a web client sends to request a file or files from a web server is called a request message-consists of three major parts:
-request line (contains a command, the name of the target resource (a filename and a description of the path to that file on the server), and the protocol name and version number)
-optional request headers (contain info about the types of files that the client will accept in response to this request)
-optional entity body (sometimes used to pass bulk info to the server)
When the server receives the request message it executes the command included in the message by retrieving the web page file from its disk and then creating a property formatted response message to send back to the client. A server’s response consists of three parts that are identical in structure to a request message: a response header line indicates the HTTP version used by the server, the status of the response and an explanation of the status information. Response header fields follow the response header line. A response header field returns info describing the server’s attributes. The entity body returns the HTML page requests by the client machine.
Three tier and N-tier client/server architectures
A three tier architecture extends the two tier architecture to allow additional processing (ex: collecting the info from a database needed to generate a dynamic web page) to occur before the web server responds to the web client’s request. The client request is formulated into an HTTP message by the web browser, sent over the internet to the web server, and examined by the web server. The web server analyzes the request and determines that responding to the request requires the help of the server’s database. The server sends a request to the database management software to search for, retrieve, and return all information about exotic fruit in the catalog database. The database info flows back through the database management software system to the server, which formats the response into an HTML document and sends that documents inside an HTTP response message back to the client over the internet.
Software for web servers
Operating systems for web servers
Operating system tasks include running programs and allocating computer resources such as memory and disk space to programs. Open source software is developed by a community of programmers who make the software available for download at no cost.
The performance of one web server differs from that of another based on workload, operating system, and the size and type of web pages served.
Electronic Mail
E-mail is the most popular form of business communication
Email conveys messages from one destination to another in few seconds. One feature of email is that documents, pictures, movies, worksheets, or other information can be sent along with the message itself.
Email drawbacks-annoyance, amount of time that businesspeople spend answering their email today, about 5 mins per message
The computer virus is a program that attaches itself to another program and can cause damage when the host program is activated. The most frustrating and expensive problem associated with email today is the issue of unsolicited commercial email – spam.
Individual user antispam tactics
-reduce the likelihood that a spammer can automatically generate their email addresses-using an email address that is more complex, individuals can reduce the chances that a spammer can randomly generate his or her address. A second way to reduce spam is to control the exposure of an email address.
Basic Content Filtering: all content filtering solutions require software that identifies content elements in an incoming email message that indicate the message is (or is not) spam. Most basic content filters examine the email headers and look for indications that the message might be spam. The software can be placed on individual users’ computers-client level filtering or on mail server computers-server level filtering. The most common basic content filtering techniques are black lists and white lists. A black list spam filter looks for From addresses in incoming messages that are known to be spammers-can delete the message or put it into the separate mailbox for review. The biggest drawback to the black list approach is that spammers frequently change their email servers, which means that a balck list must be continually updated to be effective. A white list spam filter examines From addresses and compares them to a list of known good sender addresses and usually applied at the individual user level, although it is possible to do the filtering at the organization level if the email administrator has access to all individuals’ address books. The main drawback to this approach is that it filters out any messages sent by unknown parties, not just spam.
Challenge-responses content filtering: one content filtering technique uses a white list as the basis for a confirmation procedure called challenge-response, compares all incoming messages to a white list. If the message is from a sender who isn’t on the white list, an automated email response is sent to the sender. This message (the challenge) asks the sender to reply to the email (the response). These challenges are designed so that a human can respond easily, but a computer would have difficultly formulating the response. One major drawback to challenge response systems is that they can be abused. Another issue with challenge-response systems will arise if they become widespread. Most mail that any individual receives from unknown sender. A challenge-response system thus doubles the amount of useless email messages that must be handled by the Internet’s infrastructure.
Advanced content filtering: advanced content filters that examine the entire email message can be more effective than basic content filters that only examine the message headers on the IP address of the email sender. When the filter identifies an indicator in a message, it increases that message’s spam “score”. Bayesian revision is a statistical technique in which additional knowledge is used to revise earlier estimates of probabilities. In software that contains a naïve Bayesian filter the software begins by not classifying any messages. The user reviews messages and indicates to the software which messages are spam and which aren’t/ The software gradually learns (by revising its estimates of the probability that a message element appears in a spam message) to identify spam messages.
Elements of a web server: hardware (computers/related components), operating system software, and web server software.
Types of web sites
First step in planning a web server-determine what the company wants to accomplish with the server. Decisions about sever hardware and software should be driven by the volume and type of web activities expected. Types of sites include:
-Development sites: simple sites that companies use to evaluate different web design with little initial investment. A development site can reside on an existing PC running web server software.
-Intranets: corporate networks that house internal memos, corporate policy handbooks, expense account worksheets, budgets, newsletters, and a variety of other corporate documents
-Extranets: allow certain authorized parties outside the company to access parts of the information in the system
-Transaction-processing sites such as business to business and business to consumer electronic commerce sites that must be available 24 hours a day, seven days a week. These sites must have spare server computers for handling high traffic volumes and must run web and commerce software that is efficient and easily upgraded.
-Content delivery sites: deliver content such as news, histories, summaries, and other digital information. Content must be presented rapidly on the visitor’s screen. Sites must be available 24 hours a day, seven day a week and hardware requirements are similar to those of transaction-processing commerce sites.
Web clients and web servers
When people use their internet connections to become part of the web, their computers become web client computers on a worldwide client/server network- used in LANs, WANs, and the web. The client computer request services from the server. Web browser software is the software that makes computers work as web clients-called web client software. Web software is platform neutral-it lets computers communicate with each other easily and effectively.
Dynamic content
A dynamic page is a web page whose content is shaped by a program in response to user requests, whereas a static page is an unchanging page retrieved from disk. Static pages require less computing power than dynamic page delivery. Dynamic content is nonstatic information constructed in response to a web client’s request-use of databases, etc.
On a web site that is a collection of HTML pages, the content on the site can be changed only by editing the HTML in the pages. This doesn’t allow customized pages to be produced in response to specific queries. To create customized pages, web sites use one of two basic approaches: server-side scripting or a dynamic page generation technology.
Server side scripting: in server side scripting programs running on the web server creates the web pages before sending them back to the requesting web clients as parts of response messages are slow.
Dynamic page generation technologies: Server side scripts are mixed with HTML tagged text to create dynamic web pages. The future of dynamic web page generation: critics of dynamic page creation technologies- do not really solve the problem of dynamic web page generation. They argue that these dynamic page creation approaches merely shift the task of creating dynamic pages from people who write HTML code to ASP programmers. The Apache Cocoon Project- outlined a more complex model of the web page generation process that identifies four areas of concern (logic, content, style, and management). It lets web page developers divide the work into these four areas of concern and it breaks the direct connection between logic and style. By separating the logic (the work of programmers) and styles (the work of graphic artists) that is combined in the structure of HTML, web designers could make dynamic web page design easier in the future.
Various Meanings of “Server”
A server is any computer used to provide files of make programs available to other computers connected to it through a network. The software that the server computer uses to make these files and programs available called server software. Some servers are connected through a router to the internet-can run software, called web server software that makes files on those servers available to other computers on the internet. When a server computer is connected to the internet and is running web server software it is called a web server. The server computer that handles incoming and outgoing email is usually called an email server, and the software that managers email activity on that server is frequently called email server software. The server computer on which database management software runs is often called a database server.
Web client/ server communication
A web page containing many graphics and other objects can be slow to appear in the client’s web browser window because each page element (each graphic or multimedia file) requires a separate request and response.
Two tier client/server architecture
The basic web client/server model is a two tier model because it has only one client and one server. The message that a web client sends to request a file or files from a web server is called a request message-consists of three major parts:
-request line (contains a command, the name of the target resource (a filename and a description of the path to that file on the server), and the protocol name and version number)
-optional request headers (contain info about the types of files that the client will accept in response to this request)
-optional entity body (sometimes used to pass bulk info to the server)
When the server receives the request message it executes the command included in the message by retrieving the web page file from its disk and then creating a property formatted response message to send back to the client. A server’s response consists of three parts that are identical in structure to a request message: a response header line indicates the HTTP version used by the server, the status of the response and an explanation of the status information. Response header fields follow the response header line. A response header field returns info describing the server’s attributes. The entity body returns the HTML page requests by the client machine.
Three tier and N-tier client/server architectures
A three tier architecture extends the two tier architecture to allow additional processing (ex: collecting the info from a database needed to generate a dynamic web page) to occur before the web server responds to the web client’s request. The client request is formulated into an HTTP message by the web browser, sent over the internet to the web server, and examined by the web server. The web server analyzes the request and determines that responding to the request requires the help of the server’s database. The server sends a request to the database management software to search for, retrieve, and return all information about exotic fruit in the catalog database. The database info flows back through the database management software system to the server, which formats the response into an HTML document and sends that documents inside an HTTP response message back to the client over the internet.
Software for web servers
Operating systems for web servers
Operating system tasks include running programs and allocating computer resources such as memory and disk space to programs. Open source software is developed by a community of programmers who make the software available for download at no cost.
The performance of one web server differs from that of another based on workload, operating system, and the size and type of web pages served.
Electronic Mail
E-mail is the most popular form of business communication
Email conveys messages from one destination to another in few seconds. One feature of email is that documents, pictures, movies, worksheets, or other information can be sent along with the message itself.
Email drawbacks-annoyance, amount of time that businesspeople spend answering their email today, about 5 mins per message
The computer virus is a program that attaches itself to another program and can cause damage when the host program is activated. The most frustrating and expensive problem associated with email today is the issue of unsolicited commercial email – spam.
Individual user antispam tactics
-reduce the likelihood that a spammer can automatically generate their email addresses-using an email address that is more complex, individuals can reduce the chances that a spammer can randomly generate his or her address. A second way to reduce spam is to control the exposure of an email address.
Basic Content Filtering: all content filtering solutions require software that identifies content elements in an incoming email message that indicate the message is (or is not) spam. Most basic content filters examine the email headers and look for indications that the message might be spam. The software can be placed on individual users’ computers-client level filtering or on mail server computers-server level filtering. The most common basic content filtering techniques are black lists and white lists. A black list spam filter looks for From addresses in incoming messages that are known to be spammers-can delete the message or put it into the separate mailbox for review. The biggest drawback to the black list approach is that spammers frequently change their email servers, which means that a balck list must be continually updated to be effective. A white list spam filter examines From addresses and compares them to a list of known good sender addresses and usually applied at the individual user level, although it is possible to do the filtering at the organization level if the email administrator has access to all individuals’ address books. The main drawback to this approach is that it filters out any messages sent by unknown parties, not just spam.
Challenge-responses content filtering: one content filtering technique uses a white list as the basis for a confirmation procedure called challenge-response, compares all incoming messages to a white list. If the message is from a sender who isn’t on the white list, an automated email response is sent to the sender. This message (the challenge) asks the sender to reply to the email (the response). These challenges are designed so that a human can respond easily, but a computer would have difficultly formulating the response. One major drawback to challenge response systems is that they can be abused. Another issue with challenge-response systems will arise if they become widespread. Most mail that any individual receives from unknown sender. A challenge-response system thus doubles the amount of useless email messages that must be handled by the Internet’s infrastructure.
Advanced content filtering: advanced content filters that examine the entire email message can be more effective than basic content filters that only examine the message headers on the IP address of the email sender. When the filter identifies an indicator in a message, it increases that message’s spam “score”. Bayesian revision is a statistical technique in which additional knowledge is used to revise earlier estimates of probabilities. In software that contains a naïve Bayesian filter the software begins by not classifying any messages. The user reviews messages and indicates to the software which messages are spam and which aren’t/ The software gradually learns (by revising its estimates of the probability that a message element appears in a spam message) to identify spam messages.
Wednesday, March 5, 2008
Ch.12: planning for e-commerce
Planning electronic commerce initiatives
- keys to successful implementation of info technology projects: planning and execution.
-when setting objectives consider the role of the project, intended scope, and resources available
Identifying objectives
-Common objectives: increasing sales in existing markets, opening new markets, serving existing customers better, identifying new vendors, coordinating more efficiently with existing vendors, or recruiting employees more effectively. Linking Objectives to business strategies
-Can use tactics called downstream strategies to improve the value that the business provides to its customers. Pursuing upstream strategies is when focusing on reducing costs or generating value by working with suppliers.
First wave- firms conducted e-commerce without setting specific and measurable goals. Second wave- closer look at the benefits and costs
Measuring benefits
Complication occur when trying to measure things such as brand awareness or sales because the increases can be caused by other things that the company is doing at the same time or by a general improvement in the economy. Some sites use online surveys to gather this data; most settle for estimates based on the length of time each visitor remains on the site and how often visitors return.
Total cost of ownership
Many sites track costs by activity and calculate a total cost for each activity. Total cost of ownership (TCO)-include a wide variety of costs related to the activity-hardware, software, design work outsourced, salaries.
Opportunity costs
One of the largest and most significant costs -the cost of not undertaking an initiative-opportunity cost (lost benefits)
Web site costs
Large portion of the costs is from labor (79%). Estimates for the cost of creating a web business at three different levels: a basic entry level, a level comparable to most existing web competitors and a level that makes the website stand out-true differentiator. Annual cost to maintain and improve a site once it is up and running-whether it is a small site or a large site-will be between 50% and 200% of its initial cost. Smaller organizations can control their costs by using a combination of a third party hosting service and packaged electronic commerce software.
Return on Investment (ROI)
Payback method, net present value method, internal rate of return method-return on investment (ROI)-measure the amount of income (return) that will be provided by a specific current expenditure. ROI has some built in biases that can lead managers to make poor decisions. First, ROI requires that all costs and benefits be stated in dollars. Because it is usually easier to quantify costs than benefits, ROI measurements can be biased in a way that gives undue weight to costs. Second, ROI focuses on benefits that can be predicted. It also tends to emphasize short run benefits over long run benefits. This biases ROI calculations to weigh short term costs and benefits more heavily than long term costs and benefits.
Strategies for developing electronic commerce web sites
When companies began establishing their presences on the web, the typical web site was a static brochure that wasn’t updated frequently with new information
1994-1996 -STATIC BROCHURE (contact info, logo and other branding, some product information, financial statements
1996-1999-TRANSACTION PROCESSING (static brochure, plus: complete product catalog, shopping cart, secure payment processing, order info inquiries, shipment tracking
1999-Present-FULL RANGE OF AUTOMATED BUSIENSS PROCESSES (transaction processing, plus: personalization, interactive capabilities, frequently updated content, customer relationship management tools).
Internal development vs. outsourcing
-Using internal people to lead projects helps to ensure that the company’s specific needs are addressed and that the initiative is congruent with the goals and the culture of the organization. However, few companies are large enough or have in house expertise. OPTIONS:
The internal team: the first step is determining which parts of an electronic commerce project to outsource is to create an internal team that is responsible for the project. Members should be recognized by their peers as successful individuals so the project doesn’t suffer from lack of credibility. The internal team should hold ultimate and complete responsibility for the electronic commerce initiative, from the setting of objectives to the final implementation and operation of the site.
Early outsourcing: outsource the initial site design and development to launch the project quickly. The outsourcing team then trains the company’s info systems professionals in the new technology before handing the operation of the site to them-early outsourcing.
Late outsourcing: more traditional approaches, the company’s info systems professionals do the initial design and development work, implement the system, and operate the system until it becomes a stable part of the business operation. Once the company has gained all the competitive advantage provided by the system, the maintenance of the electronic commerce system can be outsourced so that the company’s info systems professionals can turn their attention and talents to developing new technologies that will provide further competitive advantage.
Partial outsourcing: In partial outsourcing, which is also called component outsourcing, the company identifies specific portions of the project that can be completely designed, developed, implemented, and operated by another firm that specializes in a particular function. One of the most common elements of electronic commerce initiatives that companies outsource using this approach is the web hosting activity. Providers of internet connectivity, applications, and business services (including ISPs, CSPs, MSPs, and ASPs) offer web hosting services to companies that want to operate electronic commerce sites, but that do not want to invest in the hardware and staff needed to create their own web servers.
Selecting a hosting service
The internal team should be responsible for selecting the ISP that will provide the site’s hosting service. It can consult an ISP directory. The team should obtain the advice of consultants that rate service providers (ISPs, ASPs, and CSPs); the most important factors to evaluate: functionality, reliability, bandwidth and server scalability, security, backup and disaster recovery, cost
New Methods for Implementing Partial Outsourcing
Incubators: an incubator is a company that offers start up companies a physical location with offices, accounting and legal assistance, computers, and Internet connections at a very low monthly cost. Receives an ownership interest in the company-10% and 50%. When the company grows to the point that it can obtain venture capital financing or launch a public offering of its stock, the incubator sells all or part of its interest and reinvests the money in new incubator candidates.
Fast Venturing: In fast venturing an existing company that wants to launch an electronic commerce initiative joins external equity partners and operational partners that can offer the experience and skills needed to develop and scale up the project very rapidly. Venture Sponsor: develops idea, staffs internal team, creates prototype, provides all or most of the start up funds (is the existing company that wants to launch the electronic commerce initiative) Equity partners: review and refine ideas, provide advice, evaluate prototype, provide contacts (including operational partners) (entities that have provided start up money to new ventures in the past and have developed knowledge about operating new ventures) Operational partners: turn ideas into a business plan, provide financial, technical, and operations expertise, provide industry best practices knowledge, scale up prototype to an operating model (people and companies that previously have built web business sites)
Managing electronic commerce implementations
Use formal management techniques. Project management, project portfolio management, specific staffing, and postimplementation audits are methods businesses use to efficiently administer their e-commerce projects.
Project management is a collection of formal techniques for planning and controlling the activities undertaken to achieve a specific goal-developed by the US military in the 1950s and the 1960s to develop weapons and other large systems. The project plan includes criteria for cost, schedule, and performance-it helps project managers make intelligent trade off decisions regarding these three criteria. Information systems development projects are much more likely to fail than other types of projects. Causes-rapidly changing technologies, long development times, and changing customer expectations, many teams rely on project management software to help. E-commerce initiatives are more successful that other types of info system implementations in general.
Project portfolio management is a technique in which each project is monitored as if it were an investment in a financial portfolio. The CIO records the projects in a list and updates the list regularly with current information about each project’s status. Project management software tracks the details of how each project is accomplishing its specific goals. In project portfolio management, the CIO assigns a ranking for each project based on its importance to the strategic goals of the business and its level of risk.
Staffing
The business management function should include internal staff. The business manager should be a member of the internal team that sets the objectives for the project. The business managers is responsible for implementing the elements of the business plan and reaching the objectives set by the internal team.
A project manager is a person with specific training or skills in tracking costs and the accomplishment of specific objectives in a project. An account manager keeps track of multiple web sites in use by a project or keeps track of the projects that will combine to create a larger web site. Most larger projects will have a test version, a demonstration version, and a project version of the web site located on different servers. The test version is the under construction version of the web site. The demonstration version has features that have passed testing and must be demonstrated to an internal audience. The production version is the full operating version of the site that is available to customers and other visitors. The account manager supervises the location of specific web pages and related software installations as they are moved from test to demonstration to production.
Applications specialists maintain accounting, human resources, and logistics software. As web sites have become more complicated, the need for web programmers, who design and write the underlying code for dynamic database-driven web pages, has increased.
Content creators – write original content; content managers/editors-purchase existing materials and adapt it for use on the site.
Customer service personnel help design and implement customer relationship management activities in the electronic commerce operation. They can issue and administer passwords, design customer interface features, handle customer email and telephone requests for service of follow up action, and conduct telemarketing for the site.
The systems administrator is responsible for the system’s reliable and secure operation.
Network operations staff functions include load estimation and load monitoring, resolving network problems as they arise, designing and implementing fault resistant technologies, and managing any network operations that are outsourced to service providers or telephone companies.
Database administration-support activities such as transaction processing, order entry, inquiry management, or shipping logistics
Post implementation Audits
-formal review of a project after it is up and running. The audit should result in a comprehensive report that analyzes that project’s overall performance, how well the project was administered, whether the organizational structure was appropriate for the project, and the specific performance of the project team(s). Summaries of member performance can help managers decide which employees should be included in future projects.
- keys to successful implementation of info technology projects: planning and execution.
-when setting objectives consider the role of the project, intended scope, and resources available
Identifying objectives
-Common objectives: increasing sales in existing markets, opening new markets, serving existing customers better, identifying new vendors, coordinating more efficiently with existing vendors, or recruiting employees more effectively. Linking Objectives to business strategies
-Can use tactics called downstream strategies to improve the value that the business provides to its customers. Pursuing upstream strategies is when focusing on reducing costs or generating value by working with suppliers.
First wave- firms conducted e-commerce without setting specific and measurable goals. Second wave- closer look at the benefits and costs
Measuring benefits
Complication occur when trying to measure things such as brand awareness or sales because the increases can be caused by other things that the company is doing at the same time or by a general improvement in the economy. Some sites use online surveys to gather this data; most settle for estimates based on the length of time each visitor remains on the site and how often visitors return.
Total cost of ownership
Many sites track costs by activity and calculate a total cost for each activity. Total cost of ownership (TCO)-include a wide variety of costs related to the activity-hardware, software, design work outsourced, salaries.
Opportunity costs
One of the largest and most significant costs -the cost of not undertaking an initiative-opportunity cost (lost benefits)
Web site costs
Large portion of the costs is from labor (79%). Estimates for the cost of creating a web business at three different levels: a basic entry level, a level comparable to most existing web competitors and a level that makes the website stand out-true differentiator. Annual cost to maintain and improve a site once it is up and running-whether it is a small site or a large site-will be between 50% and 200% of its initial cost. Smaller organizations can control their costs by using a combination of a third party hosting service and packaged electronic commerce software.
Return on Investment (ROI)
Payback method, net present value method, internal rate of return method-return on investment (ROI)-measure the amount of income (return) that will be provided by a specific current expenditure. ROI has some built in biases that can lead managers to make poor decisions. First, ROI requires that all costs and benefits be stated in dollars. Because it is usually easier to quantify costs than benefits, ROI measurements can be biased in a way that gives undue weight to costs. Second, ROI focuses on benefits that can be predicted. It also tends to emphasize short run benefits over long run benefits. This biases ROI calculations to weigh short term costs and benefits more heavily than long term costs and benefits.
Strategies for developing electronic commerce web sites
When companies began establishing their presences on the web, the typical web site was a static brochure that wasn’t updated frequently with new information
1994-1996 -STATIC BROCHURE (contact info, logo and other branding, some product information, financial statements
1996-1999-TRANSACTION PROCESSING (static brochure, plus: complete product catalog, shopping cart, secure payment processing, order info inquiries, shipment tracking
1999-Present-FULL RANGE OF AUTOMATED BUSIENSS PROCESSES (transaction processing, plus: personalization, interactive capabilities, frequently updated content, customer relationship management tools).
Internal development vs. outsourcing
-Using internal people to lead projects helps to ensure that the company’s specific needs are addressed and that the initiative is congruent with the goals and the culture of the organization. However, few companies are large enough or have in house expertise. OPTIONS:
The internal team: the first step is determining which parts of an electronic commerce project to outsource is to create an internal team that is responsible for the project. Members should be recognized by their peers as successful individuals so the project doesn’t suffer from lack of credibility. The internal team should hold ultimate and complete responsibility for the electronic commerce initiative, from the setting of objectives to the final implementation and operation of the site.
Early outsourcing: outsource the initial site design and development to launch the project quickly. The outsourcing team then trains the company’s info systems professionals in the new technology before handing the operation of the site to them-early outsourcing.
Late outsourcing: more traditional approaches, the company’s info systems professionals do the initial design and development work, implement the system, and operate the system until it becomes a stable part of the business operation. Once the company has gained all the competitive advantage provided by the system, the maintenance of the electronic commerce system can be outsourced so that the company’s info systems professionals can turn their attention and talents to developing new technologies that will provide further competitive advantage.
Partial outsourcing: In partial outsourcing, which is also called component outsourcing, the company identifies specific portions of the project that can be completely designed, developed, implemented, and operated by another firm that specializes in a particular function. One of the most common elements of electronic commerce initiatives that companies outsource using this approach is the web hosting activity. Providers of internet connectivity, applications, and business services (including ISPs, CSPs, MSPs, and ASPs) offer web hosting services to companies that want to operate electronic commerce sites, but that do not want to invest in the hardware and staff needed to create their own web servers.
Selecting a hosting service
The internal team should be responsible for selecting the ISP that will provide the site’s hosting service. It can consult an ISP directory. The team should obtain the advice of consultants that rate service providers (ISPs, ASPs, and CSPs); the most important factors to evaluate: functionality, reliability, bandwidth and server scalability, security, backup and disaster recovery, cost
New Methods for Implementing Partial Outsourcing
Incubators: an incubator is a company that offers start up companies a physical location with offices, accounting and legal assistance, computers, and Internet connections at a very low monthly cost. Receives an ownership interest in the company-10% and 50%. When the company grows to the point that it can obtain venture capital financing or launch a public offering of its stock, the incubator sells all or part of its interest and reinvests the money in new incubator candidates.
Fast Venturing: In fast venturing an existing company that wants to launch an electronic commerce initiative joins external equity partners and operational partners that can offer the experience and skills needed to develop and scale up the project very rapidly. Venture Sponsor: develops idea, staffs internal team, creates prototype, provides all or most of the start up funds (is the existing company that wants to launch the electronic commerce initiative) Equity partners: review and refine ideas, provide advice, evaluate prototype, provide contacts (including operational partners) (entities that have provided start up money to new ventures in the past and have developed knowledge about operating new ventures) Operational partners: turn ideas into a business plan, provide financial, technical, and operations expertise, provide industry best practices knowledge, scale up prototype to an operating model (people and companies that previously have built web business sites)
Managing electronic commerce implementations
Use formal management techniques. Project management, project portfolio management, specific staffing, and postimplementation audits are methods businesses use to efficiently administer their e-commerce projects.
Project management is a collection of formal techniques for planning and controlling the activities undertaken to achieve a specific goal-developed by the US military in the 1950s and the 1960s to develop weapons and other large systems. The project plan includes criteria for cost, schedule, and performance-it helps project managers make intelligent trade off decisions regarding these three criteria. Information systems development projects are much more likely to fail than other types of projects. Causes-rapidly changing technologies, long development times, and changing customer expectations, many teams rely on project management software to help. E-commerce initiatives are more successful that other types of info system implementations in general.
Project portfolio management is a technique in which each project is monitored as if it were an investment in a financial portfolio. The CIO records the projects in a list and updates the list regularly with current information about each project’s status. Project management software tracks the details of how each project is accomplishing its specific goals. In project portfolio management, the CIO assigns a ranking for each project based on its importance to the strategic goals of the business and its level of risk.
Staffing
The business management function should include internal staff. The business manager should be a member of the internal team that sets the objectives for the project. The business managers is responsible for implementing the elements of the business plan and reaching the objectives set by the internal team.
A project manager is a person with specific training or skills in tracking costs and the accomplishment of specific objectives in a project. An account manager keeps track of multiple web sites in use by a project or keeps track of the projects that will combine to create a larger web site. Most larger projects will have a test version, a demonstration version, and a project version of the web site located on different servers. The test version is the under construction version of the web site. The demonstration version has features that have passed testing and must be demonstrated to an internal audience. The production version is the full operating version of the site that is available to customers and other visitors. The account manager supervises the location of specific web pages and related software installations as they are moved from test to demonstration to production.
Applications specialists maintain accounting, human resources, and logistics software. As web sites have become more complicated, the need for web programmers, who design and write the underlying code for dynamic database-driven web pages, has increased.
Content creators – write original content; content managers/editors-purchase existing materials and adapt it for use on the site.
Customer service personnel help design and implement customer relationship management activities in the electronic commerce operation. They can issue and administer passwords, design customer interface features, handle customer email and telephone requests for service of follow up action, and conduct telemarketing for the site.
The systems administrator is responsible for the system’s reliable and secure operation.
Network operations staff functions include load estimation and load monitoring, resolving network problems as they arise, designing and implementing fault resistant technologies, and managing any network operations that are outsourced to service providers or telephone companies.
Database administration-support activities such as transaction processing, order entry, inquiry management, or shipping logistics
Post implementation Audits
-formal review of a project after it is up and running. The audit should result in a comprehensive report that analyzes that project’s overall performance, how well the project was administered, whether the organizational structure was appropriate for the project, and the specific performance of the project team(s). Summaries of member performance can help managers decide which employees should be included in future projects.
Subscribe to:
Posts (Atom)