1. Transactional e-commerce site. These enable purchase of products online. The main
business contribution of the site is through sale of these products. The sites also
support the business by providing information for consumers that prefer to purchase
products offline. These include retail sites, travel sites and online banking services.
2. Services-oriented relationship-building web site. Provides information to stimulate
purchase and build relationships. Products are not typically available for purchase
online. Information is provided through the web site and e-newsletters to inform
purchase decisions. The main business contribution is through encouraging offline sales
and generating enquiries or leads from potential customers. Such sites also add value to
existing customers by providing them with detailed information that supports them in their
lives at work or at home.
3. Brand-building site. Provides an experience to support the brand. Products are not
typically available for online purchase. Their main focus is to support the brand by
developing an online experience of the brand. They are typical for low-value, high-
volume Fast Moving Consumer Goods (FMCG) brands for consumers.
4. Portal or media site. Provide information or news about a range of topics. Portal refers
to a gateway of information. This is information both on the site and links through other
sites. Portals have a diversity of options for generating revenue including advertising,
commission-based sales, sale of customer data (lists).
E-business definition
Let’s start from the original definition (now moved) by IBM (www.ibm.com/e-business), which
was one of the first suppliers to use the term in 1997 to promote its services:
"e-business (e’biz’nis) – the transformation of key business processes through the use of
Internet technologies".
The key business processes referred to in the IBM definitions are the organizational processes
or units in the centre of Figure 1.1. They include research and development, marketing,
manufacturing and inbound and outbound logistics. The buy-side e-commerce transactions
with suppliers and the sell-side e-commerce transactions with customers can also be
considered to be key business processes.
The majority of Internet services are available to any business or consumer that has access to
the Internet. However, many e-business applications that access sensitive company
information require access to be limited to qualified individuals or partners.
E-business goes far beyond ecommerce or buying and selling over the Internet, and deep into
the processes and cultures of an enterprise. It is the powerful business environment that is
created when you connect critical business systems directly to customers, employees,
vendors, and business partners, using Intranets, Extranets, ecommerce technologies,
collaborative applications, and the Web. Dell Computer gets a lot of attention as a pioneering
E-business today and is the best example of this form of business. It sells $ 15m worth of
computers from its websites each day. The company has created a ‘fully integrated value
chain ’ – a three-way information partnership with its suppliers and customers by treating them
as collaborators who together find ways of improving efficiency across the entire chain of
supply and demand. Dell's suppliers have real-time access to information about its orders.
Through its corporate extranet, they can organize their production and delivery to ensure that
their customer always has just enough of the right parts to keep the production line moving
smoothly. By plugging its suppliers directly into the customer database, Dell has ensured that
they will instantly know about changes in their demand. Similarly, by allowing entry to
customers into its supply chain via its website, Dell enables them to track the progress of their
orders from the factory to their doorstep. Successful new businesses can emerge from
nowhere. Trends suggest it takes little more than two years for a start-up to formulate an
innovative business idea, establish a web presence and reach a dominant position in its
chosen sector. The high valuation of the stocks of such start-ups and the massive amount
of venture capital flowing into their businesses is proof enough that complacency is
foolhardy here. America has already reached a threshold in E-business, from
where it is set to accelerate into hyper-growth, as per Forrester Research. Britain and
Germany will go into the same level of hyper-growth two years after America, with Japan,
France and Italy, a further two years behind.
In the past the rules of business were simple – Beat the competition, squeeze your suppliers
and keep your customers in the dark. But with increased collaboration in the completely
networked world, uncertainties arise. Nobody can predict how the customer with all the perfect
market information available at his disposal will respond to the rapidly shifting business
alliances and federations or how companies will manage such customers. The need of the
hour is a good strategy. Early ecommerce companies have used their understanding of the
technology’s potential and the absence of any competition to steal a march and enter markets
that would previously have been closed to them, but in future simply having a good business
idea and being technologically smart might not be enough. The global giants, after taking a
while to see the opportunity seem to have worked out how to adapt their multi-layered supply
chains and diverse distribution channels and are finally getting into the race. Besides this, for
successful implementation of E-business, security is the key issue. E-business security is very
important as the transactions processed contain critical information (see E-security below).
E-cheque
E-cheque is a payment instrument designed to support electronic payments over the Internet
using cryptographic signatures and secure messaging / web sessions. E-cheque payment
process: the payer writes an E-cheque by structuring an electronic document with the
information legally required to be in a cheque and digitally signs it. The payee receives the
E-cheque over e-mail or WWW, verifies the payer's digital signature, writes out a deposit and
digitally signs it. The payee's bank verifies the payer's and payee's digital signatures and
forwards the cheque for clearing and settlement. The payer's bank verifies the payer's digital
signature and debits the payer's account. Salient features:
• Can be used for on-line transactions over the web or off-line transactions using e-mail.
• Supports business requirements such as co-sign / counter-sign.
• The electronic cheque book is stored in a smart card. A low-priced floppy-based solution is
also available.
• An E-cheque can be re-sent, but payment is made only once: the software detects duplicate
cheques. This check matters because a signed cheque is just data that copies perfectly; the
signature proves who wrote it, and only the bank's duplicate detection stops it being paid twice.
• E-cheque is an ideal B2B payment instrument suitable for high-value transactions. It can also
be used for B2C payments.
E-cash
While many different companies are rushing to offer digital money products, e-cash is
currently represented by two models. One is the on-line form of E-cash (introduced by DigiCash)
which allows for the completion of all types of internet transactions. The other form is off-line;
essentially a digitally encoded card that could be used for many of the same transactions as
cash. This off-line version (which also has on-line capabilities) is being tested by Mondex in
partnership with various banks.
The primary function of E-cash is to facilitate transactions on the Internet. Many of these
transactions may be small in size and would not be cost efficient through other payment
mediums such as credit cards. Thus, WWW sites in the future may charge $0.10 a visit, or
$0.25 to download a graphics file. These types of payments, turning the Internet into a
transaction oriented forum, require mediums that are easy, cheap (from a merchants
perspective), private (see Privacy), and secure (see Security). Electronic Cash is the natural
solution, and the companies that are pioneering these services claim that the products will
meet the stated criteria. By providing this type of payment mechanism, the incentives to
provide worthwhile services and products via the Internet should increase. Another prospective
beneficiary from these developments would be Shareware providers, since currently they
rarely receive payments. To complete the digital money revolution an offline product is also
required for the pocket money/change that most people must carry for small transactions (e.g.
buying a newspaper, buying a cup of coffee, etc...).
The concept of electronic money is at least a decade old. [Hewitt 1994] demonstrates that
check writing is a pre-cursor to E-cash. When one person writes a check on his bank account
and gives the check to another person with an account at a different bank, the banks do not
transfer currency. The banks use electronic funds transfer. Electronic money removes the
middleman: instead of asking the banks to transfer the funds through the mechanism of a
check, the E-cash user simply transfers the money from his bank account to the account of the
receiver.
The reality of E-cash is only slightly more complicated, and these complications make the
transactions both secure and private. The user downloads electronic money from his bank
account using special software and stores the E-cash on his local hard drive. To pay a WWW
merchant electronically, the E-cash user goes through the software to pay the desired amount
from the E-cash "wallet" to the merchant's local hard drive ("wallet") after passing the
transaction through an E-cash bank for authenticity verification. That on-line check is what
makes the scheme secure: E-cash is only data, which copies perfectly, so the bank verifies its
own signature on each coin and records the coin's serial number so the same coin cannot be
spent twice. The merchant can then pay its bills/payroll with this E-cash or upload it to the
merchant's hard currency bank account. The E-cash company makes money on each
transaction from the merchant (this fee is very small, however) and from royalties paid by
banks which provide customers with E-cash software/hardware for a small monthly fee.
Transactions between individuals would not be subject to a fee.
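The e-cheque flow described earlier (payer signature, payee counter-signature, bank-side duplicate detection) and the on-line e-cash flow just described (withdrawal from the bank, merchant deposit through the bank, each coin accepted once) as a runnable example added here. It is not code from this page or from DigiCash, Mondex or any other company named; it uses only the Python standard library with a toy textbook RSA (hash-then-sign, no padding, 512-bit keys, demonstration only). For the e-cash part it adds Chaum-style blinding at withdrawal, which the page does not spell out, so that the bank signs the coin without ever seeing its serial number; that is the mechanism behind the "private" claim. Account names, amounts, the cheque field layout and the serial-number scheme are all constructed for the demo.

```python
# Toy e-cheque and e-cash flows (added example, Python stdlib only).
# Textbook RSA over SHA-256 with no padding: enough to show the protocol
# shapes, NOT a usable signature scheme.  Names, amounts, field layout and
# the serial-number scheme are constructed for the demo.
import hashlib, json, math, secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _probable_prime(n, rounds=32):
    """Trial division, then Miller-Rabin with `rounds` random bases."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size and odd
        if _probable_prime(cand):
            return cand

def rsa_keygen(bits=512):  # returns ((n, e), (n, d)); 512 bits for speed, real keys >= 2048
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(_h(data) % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data) % n

# E-cheque: payer signs the document, payee counter-signs a deposit, bank pays once.
def write_cheque(payer_priv, payer, payee, cents, serial):
    body = json.dumps({"payer": payer, "payee": payee, "cents": cents,
                       "serial": serial}, sort_keys=True).encode()  # canonical bytes
    return {"body": body, "payer_sig": sign(payer_priv, body)}

def endorse(cheque, payer_pub, payee_priv, account):
    """Payee checks the payer's signature, then signs a deposit slip bound to this cheque."""
    if not verify(payer_pub, cheque["body"], cheque["payer_sig"]):
        raise ValueError("payer signature invalid")
    slip = cheque["body"] + b"|deposit-to:" + account.encode()
    return {**cheque, "slip": slip, "payee_sig": sign(payee_priv, slip)}

def clear_cheque(dep, payer_pub, payee_pub, cleared):
    """Bank verifies both signatures; a (payer, serial) pair is paid once however often it is re-sent."""
    if not (verify(payer_pub, dep["body"], dep["payer_sig"])
            and verify(payee_pub, dep["slip"], dep["payee_sig"])):
        return "rejected: bad signature"
    f = json.loads(dep["body"])
    if (f["payer"], f["serial"]) in cleared:
        return "rejected: duplicate"
    cleared.add((f["payer"], f["serial"]))
    return f"paid {f['cents']} cents to {f['payee']}"

# E-cash: Chaum-style blind-signed coin, on-line double-spend check at the bank.
def blind_coin(bank_pub):
    """User picks a secret serial and blinds its hash; the bank never sees the serial."""
    n, e = bank_pub
    serial = secrets.token_bytes(16)
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return serial, r, (_h(serial) * pow(r, e, n)) % n

def bank_blind_sign(bank_priv, blinded):
    """Bank signs the blinded value (and debits the account) without learning the serial."""
    n, d = bank_priv
    return pow(blinded, d, n)

def unblind(bank_pub, serial, r, blind_sig):
    n, _ = bank_pub
    return {"serial": serial, "sig": (blind_sig * pow(r, -1, n)) % n}

def deposit_coin(coin, bank_pub, spent):
    """Merchant forwards the coin on-line; a valid serial is accepted exactly once."""
    if not verify(bank_pub, coin["serial"], coin["sig"]):
        return "rejected: forged coin"
    if coin["serial"] in spent:
        return "rejected: already spent"
    spent.add(coin["serial"])
    return "accepted"
```

The `cleared` and `spent` sets held by the bank are the point of both flows: the signatures prove who wrote the cheque or issued the coin, but since either is a file that copies perfectly, only the bank's record of serial numbers already honoured stops a re-sent cheque or a copied coin from being paid a second time. In the blind-signature part the bank signs `blinded` and later sees `serial` at deposit, but cannot link the two, which is what keeps the payer anonymous.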
E-cash truly globalizes the economy, since the user can download money into his cyber-wallet
in any currency desired. A merchant can accept any currency and convert it to local currency
when the cybercash is uploaded to the bank account.
To the extent a user wants E-cash off-line, all that is necessary is smart card technology. The
money is loaded onto the smartcard, and special electronic wallets are used to offload the
money onto other smartcards or directly to an on-line system. Smartcards have been used
successfully in other countries for such transactions as phone calls for a number of years. The
money could also be removed from a smartcard and returned to a bank account. Visa is
developing a related product, the stored value card. This card comes in a variety of
denominations, but functions more like a debit card than E-cash.
In essence, E-cash combines the benefits of other transaction mediums. Thus, it is similar to
debit/credit cards, but E-cash allows individuals to conduct transactions with each other.
It is similar to personal checks, but it is feasible for very small transactions. While it
appears superior to other forms, E-cash will not completely replace paper currency. Use
of E-cash will require special hardware, and while most people will have access, not all
will. However, E-cash presents special challenges for the existing "middlemen" of the
current paper currency society. More and more, banks and other financial intermediaries
will serve simply as storehouses for money, lenders, and processing/verifying electronic
transactions. Personal interaction with a teller or even visits to a bank ATM will become
obsolete. All one will have to do is turn on his computer.
E-security
What is E-security?
The World Wide Web opens up many new opportunities for businesses, but exposes you to
new risks. Before embarking on eCommerce ventures, take time to understand the risks and
protect your business. Common risks include viruses, hackers, security for online banking and
credit card fraud. In this training module, we shall touch on methods you can use to protect
yourself and your business online:
• Internet Security Software – software which combines antivirus and firewall software and
often includes anti-spam and other security and productivity features.
• Antivirus software — software which detects and removes known computer viruses. Quite
often, viruses arrive on your computer network through email. Antivirus software scans
incoming email and quarantines messages it recognises as infected; it cannot catch malware it
has no signature for, which is why it must be kept up to date.
• Firewall software — software which acts as a gateway between your computer and the rest
of the Internet. It monitors the traffic flowing in and out of your system and checks each
connection against a set of rules. Traffic that no rule permits is blocked.
• Online banking security features — features that banks include in their online banking
service offerings to protect their customers, and themselves, during online banking
transactions.
• Online transaction (buying and selling) security features — features such as encryption
used on websites to protect customer details during transactions. These are often part of the
Internet Service Provider package, so remember to ask your ISP.
The key business gain in establishing a robust E-security program in your business is that it
allows you to operate without interruption. Imagine the disruption caused to your operations if
your system was infected by a virus and shut down, your business was hacked into and your
confidential material was accessed, or your customers were defrauded. These things can take
hours or weeks to fix, so in the case of E-security, prevention is better than cure.
Specifically, the benefits (often referred to as the ‘Four Pillars of Trust’) of applying E-security
technologies include:
• Privacy and confidentiality – To ensure that customer data remains private and users have
control over how information is used
• Authenticity – For businesses to know exactly who they are dealing with
• Integrity – Transaction details and other valuable commercial information cannot be altered,
in transit or in storage, without the change being detected
• Secure connections (SSL/TLS) – Secure Sockets Layer (SSL), now superseded by Transport
Layer Security (TLS), authenticates the web site to the browser with a certificate and encrypts
the data in transit; any password is sent inside that encrypted session rather than being part of
the protocol itself. Used: for websites that sell products and services
• Secure interconnection (PKI) – Public Key Infrastructure (PKI) issues and manages the
certificates that bind public keys to identities, so that the keys used to encrypt and sign
messages can be trusted. Used: for high-value business, government and military transactions
• Secure personal connection (PGP) – Pretty Good Privacy (PGP) uses public key
encryption and signatures for files and e-mail. Used: as a popular security option for individuals
• Secure networking (VPN) – Virtual Private Networks carry traffic between sites or remote
users over the public Internet inside an encrypted, authenticated tunnel. Used: by businesses
with multiple office locations
• Email security – Where similar software is used to send and receive encrypted email
messages so only the intended recipient can read them. Email software includes:
o Dedicated email encryption – Uses the same technology as PKI/PGP and can plug in to
existing email software (e.g. Microsoft Outlook, Eudora)
o Secure email gateways – For businesses that do not require email security within their
own office environment yet do outside the internal mail gateway
• Firewall – A firewall is software or a dedicated appliance that separates a public business
Web server from the internal network and provides the first layer of security for your computer
when you connect to the Internet.
Quite often, you can reduce the chance of infection even before your anti-virus software
detects anything. By following the steps below, you can lower the risk of virus attacks:
Firewalls
• Firewalls can provide many levels of security. As firewalls require some skills to set up, it is
advisable to seek technical advice to set up your firewall to suit your needs — see your ISP or
computer retailer.
• Where can I purchase firewall software? Some firewall software comes in shrink-wrapped
boxes and can be purchased from a computer retailer or software dealer, or can be directly
downloaded from the World Wide Web.
• Set your firewall to update itself automatically. Most update when you are connected to the
web.
Antivirus Software
• The decision revolves around how many individual computers your business has that require
protection. Like firewall software, it can be purchased by traditional retail means or
downloaded across the Internet. Also like firewalls, antivirus software must be kept up-to-date
and can be updated automatically when you are connected to the Internet.
• Secure online payment solution costs are based on the volume of transactions. The more you
do, the cheaper it gets – a bit like mobile phone plans. Try and estimate how many
transactions you will be doing across your website and use this number to make your decision.
E-broker
An electronic intermediary who only introduces the commercial sites and is not responsible for
the order fulfillment and guarantee.
E-CRM
A proper e-CRM Strategy includes all processes, touchpoints, people and technologies
throughout the enterprise aiming at acquiring and retaining the organisation’s preferred
customers. It starts with getting a clear and company-wide understanding of e-CRM and
recognizing why it is needed. As a next step, the e-CRM strategy is defined as covering all e-
CRM domains based on the business vision and aligned with the company’s values. The
vision, together with the current situation lead to the definition of the e-CRM strategy and this is
concretized through a roadmap indicating main projects, seeking minimization of the time gap
between project investments and business benefits.
Customer Management Strategies for E-business reveals where and how e-CRM can impact
on your organization's profitability. You will discover:
• New organizational structures for e-CRM - How to ensure your company's people,
skills and processes work together to manage e-CRM challenges.
• How to manage the e-CRM change programme - Ready-made frameworks and
techniques to help your e-CRM change programme stay on track.
• Launch a stand-alone dot.com or evolve the current organization? - Case reports
of companies which have taken both approaches provide an insight into the
opportunities and trouble-spots.
• Solutions to and advice on many of the key IT issues - How to achieve integration,
how to draw up a vendor shortlist, essential analytical tools which help drive your e-
CRM strategy, important lessons in email marketing and more.
• Key lessons in collecting and managing data for e-CRM - Essential skills for
deploying analytical tools and creating a holistic view of the customer.
• One-stop guide to email marketing - Get to grips with the important issues
surrounding data collection, data protection laws, email automation tools, process and
service level agreements.
• Measurement tools and techniques for e-CRM - Discover the opportunities offered by
models such as the balanced scorecard and Drivers of Customer Performance models,
plus new metrics including share of wallet, lifetime value, retention rate and innovative
measures for web site performance.
Internet
The Internet is a worldwide, publicly accessible network of interconnected computer networks
that transmit data by packet switching using the standard Internet Protocol (IP). It is a
"network of networks" that consists of millions of smaller domestic, academic, business,
and government networks, which together carry various information and services, such as
electronic mail, online chat, file transfer, and the interlinked Web pages and other
documents of the World Wide Web.
The concept of sending electronic text messages between parties in a way analogous to
mailing letters or memos predates the creation of the Internet. Even today it can be important
to distinguish between Internet and internal e-mail systems. Internet e-mail may travel and be
stored unencrypted on many other networks and machines out of both the sender's and the
recipient's control. During this time it is quite possible for the content to be read and even
tampered with by third parties, if anyone considers it important enough, unless the message
itself is encrypted and signed end to end (for example with PGP, mentioned above). Purely internal or
intranet mail systems, where the information never leaves the corporate or organization's
network, are much more secure, although in any organization there will be IT and other
personnel whose job may involve monitoring, and occasionally accessing, the email of other
employees not addressed to them.
Many people use the terms Internet and World Wide Web (a.k.a. the Web) interchangeably,
but in fact the two terms are not synonymous. The Internet and the Web are two separate but
related things. The Internet is a massive network of networks, a networking infrastructure. It
connects millions of computers together globally, forming a network in which any computer can
communicate with any other computer as long as they are both connected to the Internet.
Information that travels over the Internet does so via a variety of languages known as
protocols.
The Web is a way of accessing information over the medium of the Internet. It is an
information-sharing model that is built on top of the Internet. The Web uses the HTTP protocol,
only one of the languages spoken over the Internet, to transmit data. Web services, which use
HTTP to allow applications to communicate in order to exchange business logic, use the Web
to share information. The Web also utilizes browsers, such as Internet Explorer or Netscape, to
access Web documents called Web pages that are linked to each other via hyperlinks. Web
documents also contain graphics, sounds, text and video.
The Web is just one of the ways that information can be disseminated over the Internet. The
Internet, not the Web, is also used for e-mail, Usenet news groups, instant messaging, file
sharing and FTP. So the Web is just a portion of the Internet, albeit a large portion, but the two
terms are not synonymous and should not be confused.
Through keyword-driven Internet research using search engines, like Yahoo!, and Google,
millions of people worldwide have easy, instant access to a vast and diverse amount of online
information. Compared to encyclopedias and traditional libraries, the World Wide Web has
enabled a sudden and extreme decentralization of information and data.
Many individuals and some companies and groups have adopted the use of "Web logs" or
blogs, which are largely used as easily-updatable online diaries. Some commercial
organizations encourage staff to fill them with advice on their areas of specialization in the
hope that visitors will be impressed by the expert knowledge and free information, and be
attracted to the corporation as a result. One example of this practice is Microsoft, whose
product developers publish their personal blogs in order to pique the public's interest in their
work.
For more information on the distinction between the World Wide Web and the Internet itself—
as in everyday use the two are sometimes confused—see Dark internet where this is
discussed in more detail.
Remote access
The Internet allows computer users to connect to other computers and information stores
easily, wherever they may be across the world. They may do this with or without the use of
security, authentication and encryption technologies, depending on the requirements.
This is encouraging new ways of working from home, collaboration and information sharing in
many industries. An accountant sitting at home can audit the books of a company based in
another country, on a server situated in a third country that is remotely maintained by IT
specialists in a fourth. These accounts could have been created by home-working book-
keepers, in other remote locations, based on information e-mailed to them from offices all over
the world. Some of these things were possible before the widespread use of the Internet, but
the cost of private, leased lines would have made many of them infeasible in practice.
An office worker away from his desk, perhaps the other side of the world on a business trip or
a holiday, can open a remote desktop session into their normal office PC using a secure
Virtual Private Network (VPN) connection via the Internet. This gives the worker complete
access to all of their normal files and data, including e-mail and other applications, while away
from the office.
This concept is also referred to by some network security people as the Virtual Private
Nightmare, because it extends the secure perimeter of a corporate network into its employees'
homes; this has been the source of some notable security breaches, but also provides security
for the workers.
Collaboration
The low cost and nearly instantaneous sharing of ideas, knowledge, and skills has made
collaborative work dramatically easier. Not only can a group cheaply communicate and test,
but the wide reach of the Internet allows such groups to easily form in the first place, even
among niche interests. An example of this is the free software movement in software
development which produced GNU and Linux from scratch and has taken over development of
Mozilla and OpenOffice.org (formerly known as Netscape Communicator and StarOffice).
Internet 'chat', whether in the form of IRC 'chat rooms' or channels, or via instant messaging
systems allow colleagues to stay in touch in a very convenient way when working at their
computers during the day. Messages can be sent and viewed even more quickly and
conveniently than via e-mail. Extension to these systems may allow files to be exchanged,
'whiteboard' drawings to be shared as well as voice and video contact between team
members.
Version control systems allow collaborating teams to work on shared sets of documents
without either accidentally overwriting each other's work or having members wait until they get
'sent' documents to be able to add their thoughts and changes.
File sharing
A computer file can be e-mailed to customers, colleagues and friends as an attachment. It can
be uploaded to a Web site or FTP server for easy download by others. It can be put into a
"shared location" or onto a file server for instant use by colleagues. The load of bulk
downloads to many users can be eased by the use of "mirror" servers or peer-to-peer
networks. In any of these cases, access to the file may be controlled by user authentication;
the transit of the file over the Internet may be obscured by encryption and money may change
hands before or after access to the file is given. The price can be paid by the remote charging
of funds from, for example a credit card whose details are also passed—hopefully fully
encrypted—across the Internet. The origin and authenticity of the file received may be checked
by digital signatures, or, for integrity only, by a message digest such as SHA-256 obtained over
a trusted channel. MD5 is no longer collision-resistant, so a matching MD5 shows at most that
the file was not corrupted in transit, and a digest published beside the file on the same server
proves nothing about who produced it.
These simple features of the Internet, over a world-wide basis, are changing the basis for the
production, sale, and distribution of anything that can be reduced to a computer file for
transmission. This includes all manner of office documents, publications, software products,
music, photography, video, animations, graphics and the other arts. This in turn is causing
seismic shifts in each of the existing industry associations, such as the RIAA and MPAA in the
United States, that previously controlled the production and distribution of these products in
that country.
Streaming media
Many existing radio and television broadcasters provide Internet 'feeds' of their live audio and
video streams (for example, the BBC and Rush Limbaugh). They may also allow time-shift
viewing or listening such as Preview, Classic Clips and Listen Again features. These providers
have been joined by a range of pure Internet 'broadcasters' who never had on-air licenses.
This means that an Internet-connected device, such as a computer or something more
specific, can be used to access on-line media in much the same way as was previously
possible only with a television or radio receiver. The range of material is much wider, from
pornography to highly specialized technical Web-casts. Podcasting is a variation on this
theme, where—usually audio—material is first downloaded in full and then may be played back
on a computer or shifted to a digital audio player to be listened to on the move. These
techniques using simple equipment allow anybody, with little censorship or licensing control, to
broadcast audio-visual material on a worldwide basis.
Webcams can be seen as an even lower-budget extension of this phenomenon. While some
webcams can give full frame rate video, the picture is usually either small or updates slowly.
Internet users can watch animals around an African waterhole, ships in the Panama Canal, the
traffic at a local roundabout or their own premises, live and in real time. Video chat rooms,
video conferencing, and remote controllable webcams are also popular. Many uses can be
found for personal webcams in and around the home, with and without two-way sound.
VoIP stands for Voice over IP, where IP refers to the Internet Protocol that underlies all
Internet communication. This phenomenon began as an optional two-way voice extension to
some of the Instant Messaging systems that took off around the year 2000. In recent years
many VoIP systems have become as easy to use and as convenient as a normal telephone.
The benefit is that, as the Internet carries the actual voice traffic, VoIP can be free or cost
much less than a normal telephone call, especially over long distances and especially for those
with always-on Internet connections such as cable or ADSL.
Voice quality can still vary from call to call but is often equal to and can even exceed that of
traditional calls.
Remaining problems for VoIP include emergency telephone number dialling and reliability.
Currently a few VoIP providers provide an emergency service but it is not universally available.
Traditional phones are line-powered and keep working during a power failure; VoIP does not,
unless the electronics have a backup power source.
Most VoIP providers offer unlimited national calling but the direction in VoIP is clearly toward
global coverage with unlimited minutes for a low monthly fee.
VoIP has also become increasingly popular within the gaming world, as a form of
communication between players. Popular gaming VoIP clients include Ventrilo and
Teamspeak, and there are others available also.
Censorship
Some governments, such as those of Cuba, Iran, North Korea, the People's Republic of China
and Saudi Arabia, restrict what people in their countries can access on the Internet, especially
political and religious content. This is accomplished through software that filters domains and
content so that they may not be easily accessed or obtained without elaborate circumvention.
In Norway, Finland and Sweden, major Internet service providers have voluntarily (possibly to
avoid such an arrangement being turned into law) agreed to restrict access to sites listed by
police. While this list of forbidden URLs is only supposed to contain addresses of known child
pornography sites, the content of the list is secret.
Many countries have enacted laws making the possession or distribution of certain material,
such as child pornography, illegal, but do not use filtering software.
There are many free and commercially available software programs with which a user can
choose to block offensive Web sites on individual computers or networks, such as to limit a
child's access to pornography or violence.
Extranet
An extranet is a private network that uses Internet protocols, network connectivity, and
possibly the public telecommunication system to securely share part of an organization's
information or operations with suppliers, vendors, partners, customers or other businesses. An
extranet can be viewed as part of a company's intranet that is extended to users outside the
company (normally over the Internet). It has also been described as a "state of mind" in
which the Internet is perceived as a way to do business with a preapproved set of other
companies, business-to-business (B2B), in isolation from all other Internet users. In contrast,
business-to-consumer (B2C) involves known server(s) of one or more companies
communicating with previously unknown consumer users.
Briefly, an extranet can be understood as a private intranet mapped onto the Internet or
some other transmission system not accessible to the general public, but is managed by more
than one company's administrator(s). For example, military networks of different security levels
may map onto a common military radio transmission system that never connects to the
Internet. Any private network mapped onto a public one is a virtual private network (VPN). In
contrast, an intranet is a VPN under the control of a single company's administrator(s).
An argument has been made that "extranet" is just a buzzword for describing what institutions
have been doing for decades, that is, interconnecting to each other to create private networks
for sharing information. One of the differences that characterizes an extranet, however, is that
its interconnections are over a shared network rather than through dedicated physical lines.
With respect to Internet Protocol networks, RFC 2547 states: "If all the sites in a VPN are
owned by the same enterprise, the VPN is a corporate intranet. If the various sites in a VPN
are owned by different enterprises, the VPN is an extranet. A site can be in more than one
VPN; e.g., in an intranet and several extranets. We regard both intranets and extranets as
VPNs. In general, when we use the term VPN we will not be distinguishing between intranets
and extranets." Even if this argument is valid, the term "extranet" is still applied and can be
used to eliminate the use of the above description.
Another very common use of the term "extranet" is to designate the "private part" of a website,
where "registered users" can navigate, enabled by authentication mechanisms on a "login
page".
Intranet
An intranet is a private computer network that uses Internet protocols and network connectivity to
securely share part of an organization's information or operations with its employees.
Sometimes the term refers only to the most visible service, the internal website. The same
concepts and technologies of the Internet, such as clients and servers running on the Internet
protocol suite, are used to build an intranet. HTTP and other Internet protocols, such as FTP, are
commonly used as well. There is often an attempt to use Internet technologies to provide
new interfaces with corporate 'legacy' data and information systems.
Intranets differ from "extranets" in that the former are generally restricted to employees of the
organization while extranets can generally be accessed by customers, suppliers, or other
approved parties.
Briefly, an intranet can be understood as "a private version of the Internet," or as a version
of the Internet confined to an organisation.
APPLET / SERVLET
An applet is a program written in the Java programming language that can be included in an HTML
page, much in the same way an image is included in a page. When you use a Java technology-enabled
browser to view a page that contains an applet, the applet's code is transferred to your system and
executed by the browser's Java Virtual Machine (JVM). An applet usually performs a very narrow
function that has no independent use. An applet is distinguished from "subroutine" by several features.
First, it executes only on the "client" platform environment of a system, as contrasted from "servlet". As
such, an applet provides functionality or performance beyond the default capabilities of its container (the
browser). Also, in contrast with a subroutine, certain capabilities are restricted by the container. An
applet is written in a language that is different from the scripting or HTML language which invokes it.
The applet is written in a compiled language, while the scripting language of the container is an
interpreted language, hence the greater performance or functionality of the applet. Unlike a "subroutine,"
a complete web component can be implemented as an applet.
Unlike a program, an applet cannot run independently; an applet usually features display and graphics
and often interacts with the human user. However, applets are usually stateless and have restricted
security privileges. The applet must run in a container, which is provided by a host program, through a
plug-in, or a variety of other applications, including mobile devices, that support the applet programming model.
The applet API lets you take advantage of the close relationship that applets have with Web browsers.
The API is provided by the javax.swing.JApplet class and the java.applet.AppletContext interface.
Applets can use these APIs to do the following:
Java Servlet technology provides Web developers with a simple, consistent mechanism for extending the
functionality of a Web server and for accessing existing business systems. A servlet can almost be
thought of as an applet that runs on the server side, without a face. Java servlets make many Web
applications possible. The Servlet lifecycle consists of the following steps:
The traditional way of adding functionality to a Web server is the Common Gateway Interface (CGI), a
language-independent interface that allows a server to start an external process which gets information
about a request through environment variables, the command line and its standard input stream and
writes response data to its standard output stream. Each request is answered in a separate process by a
separate instance of the CGI program, or CGI script (as it is often called because CGI programs are
usually written in interpreted languages like Perl). Servlets have several advantages over CGI:
• A Servlet does not run in a separate process. This removes the overhead of creating a new
process for each request.
• A Servlet stays in memory between requests. A CGI program (and probably also an extensive
runtime system or interpreter) needs to be loaded and started for each CGI request.
• There is only a single instance which answers all requests concurrently. This saves memory and
allows a Servlet to easily manage persistent data.
• A Servlet can be run by a Servlet Engine in a restrictive Sandbox (just like an Applet runs in a
Web Browser's Sandbox) which allows secure use of untrusted and potentially harmful Servlets.
Recently, application-layer firewalls have emerged as a defense against Web application attacks, which
are the most common type of intrusion, according to reports by antimalware vendors Sophos plc and
Symantec Corp. Traditional network firewalls can't detect application attacks because these attacks
piggy-back on open ports used by legitimate applications. Network firewalls check ports and packet
headers, but they don't check applications and application data, which can hide malicious activity as it
zips through open firewall ports unnoticed. Since most Web traffic goes through either port 80 or port
443, blocking these ports isn't realistic. A true application-layer firewall inspects the traffic from
applications for malicious code, such as SQL injection or cross-site scripting (XSS). Sure, this requires
deep packet inspection, but deep packet inspection on its own looks only for things like malware and
spyware embedded in traffic, not necessarily at malicious code sent through an application. Unlike
traditional network firewalls, which only examine packet headers, deep packet inspection looks inside
packets and their contents. While this definitely beefs up the capability of firewalls, and shouldn't be
discounted as a defense against attacks, it still has some limitations. At a bare minimum, an
application-level firewall should protect against injection attacks like SQL injection and XSS, session
hijacking, scanning and crawling, cookie tampering and path traversal attempts. An application-level
firewall can block Denial of Service (DoS) attacks by checking for spikes or irregular traffic patterns,
and should also be able to handle both standard HTTP and SSL traffic.
The second feature to look for in an application-level firewall is its ability to integrate with identity and
access management systems. This allows the firewall to be tuned to allow certain employees access to
certain Web applications, but nobody else in the organization. Some employees may need access to
Web-based email or WebEx to do their jobs. This can be arranged if the firewall is integrated with the
company's directory service, like Active Directory or LDAP: access to applications can be added to an
employee's profile. An application-level firewall itself, like its network firewall counterpart, should also
have role-based access control so that only authorized system administrators can access it for
maintenance and upgrades.
The third key issue for application-level firewalls is their compatibility with a corporation's network. An
application-level firewall is another piece of equipment that can be a drag on a network. If not
configured properly, or if it's incompatible with the corporate architecture, it can cause performance
problems. Will it be a drag on your network, slowing down visitors to your web sites, or will it be
transparent, as if it were invisible on your network? Generally, application-level firewalls run in tandem
with network firewalls, usually behind them inside the network. Incoming traffic passes first through the
network firewall, then through the application-level firewall. Always check the firewall's throughput and
thoroughly load test it in your environment before considering a full production installation. Any
slowdowns, bottlenecks or performance issues should be straightened out before deployment to
production.
Finally, just like their network counterparts, application-level firewalls should have the capability to log
traffic. Besides being a security best practice, logging is essential for tracking down incidents and, in
some cases, may be required for compliance. Will the logging be adequate to track down incidents or
produce reports of inappropriate access? PCI is strict in its requirement of network monitoring. This is at
the heart of an application-level firewall's features.
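The checks the passage above asks of an application-level firewall (content inspection for SQL injection, XSS, path traversal and scanner traffic, cookie-tampering detection, traffic-spike detection, and a log record for every decision) can be shown in a few dozen lines. The block below is an added example written for these notes; it is not a product's code and is not from the original text. The signing key, the detection patterns, the dataclass names and the sample requests are all constructed for the example, and the patterns are deliberately small: they demonstrate the mechanism, not a usable rule set.

```python
import hashlib
import hmac
import re
import urllib.parse
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed secret for signing the session cookie (an assumption for this example).
COOKIE_KEY = b"example-cookie-signing-key"

# Illustrative patterns for the attack classes the text names. Real products ship far
# larger, tuned rule sets; these only demonstrate the mechanism of content inspection.
RULES = {
    "sql_injection":  re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s", re.I),
    "xss":            re.compile(r"<\s*script|javascript:|\bon(load|error|click|mouseover)\s*=", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "scanner":        re.compile(r"\b(sqlmap|nikto|nmap)\b", re.I),   # matched against User-Agent
}


@dataclass
class Request:
    client_ip: str
    path: str
    query: str = ""
    body: str = ""
    user_agent: str = "Mozilla/5.0"
    cookies: dict = field(default_factory=dict)


def decode(text: str) -> str:
    """URL-decode twice so double-encoded input (%252e%252e/) is inspected in clear form."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(text))


def sign_cookie(session_id: str) -> str:
    """Server side: issue `id.hmac` so that any later edit to the id is detectable."""
    mac = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def cookie_tampered(value: str) -> bool:
    """True when the cookie's HMAC no longer matches its id (cookie tampering)."""
    session_id, _, mac = value.rpartition(".")
    expected = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return not hmac.compare_digest(mac, expected)


class RateTracker:
    """Sliding-window request counter per client, for the traffic-spike check."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def exceeds(self, ip: str, now: float) -> bool:
        q = self.seen[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def inspect(req: Request, rates: RateTracker, now: float) -> list:
    """Return the names of all checks the request trips; an empty list means it is clean."""
    findings = []
    surface = " ".join(decode(part) for part in (req.path, req.query, req.body))
    for name, pattern in RULES.items():
        if pattern.search(req.user_agent if name == "scanner" else surface):
            findings.append(name)
    session = req.cookies.get("session")
    if session is not None and cookie_tampered(session):
        findings.append("cookie_tampering")
    if rates.exceeds(req.client_ip, now):
        findings.append("rate_spike")
    return findings


def log_line(req: Request, findings: list) -> str:
    """One audit record per request; the text calls this essential for incident tracking."""
    verdict = "BLOCK" if findings else "ALLOW"
    return f"{verdict} ip={req.client_ip} path={req.path} rules={','.join(findings) or '-'}"


def sample_requests() -> list:
    """Constructed traffic: one clean request, then one request per attack class."""
    return [
        Request("203.0.113.5", "/search", query="q=running+shoes"),
        Request("203.0.113.5", "/login", body="user=admin'+OR+1%3D1--&pass=x"),
        Request("198.51.100.7", "/comment", body="text=%3Cscript%3Ealert(1)%3C/script%3E"),
        Request("198.51.100.7", "/files/%252e%252e/%252e%252e/etc/passwd"),
        Request("192.0.2.9", "/", user_agent="sqlmap/1.7"),
        Request("192.0.2.9", "/account", cookies={"session": sign_cookie("user42")}),
        Request("192.0.2.9", "/admin", cookies={"session": "user01." + "0" * 64}),
    ]


def run_demo() -> dict:
    """Inspect the constructed traffic and map each path to the rules it triggered."""
    rates = RateTracker(limit=50, window=1.0)
    return {r.path: inspect(r, rates, 0.01 * i) for i, r in enumerate(sample_requests())}


if __name__ == "__main__":
    rates = RateTracker(limit=50, window=1.0)
    for i, r in enumerate(sample_requests()):
        print(log_line(r, inspect(r, rates, 0.01 * i)))
```

Two design points follow directly from the text. First, the inspector decodes the request before matching, because an application firewall that matches on the raw wire bytes misses encoded input, and it matches the scanner rule against the User-Agent header rather than the body, since that is where crawling tools identify themselves. Second, every request produces a log line whether it is allowed or blocked; a record of only the blocks is useless when reconstructing an incident that the rules did not catch. Pattern matching of this kind also produces false positives on legitimate input (a product review containing the word "script", for instance), which is why the text insists on load testing and tuning before production.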
BUSINESS INTELLIGENCE
Traditionally the retail industry has lagged behind other industries in adopting new technologies and
this holds true in its acceptance of business intelligence technologies. The competitive game is changing
for retail. As the industry continues to consolidate, retailers have begun to realize the value of using
technology to better understand customer buying behavior. Retailers are now paying significant attention
to business intelligence software, specifically in the areas of merchandise intelligence, customer
intelligence and operational intelligence. Organizations pass through five fundamental stages as they
advance in their use of business intelligence.
• OPERATE: At the most basic level are companies rife with information mavericks. If they go,
the knowledge goes with them. There are no processes, and each request becomes an ad hoc data
rebuild, resulting in multiple versions of the truth.
• CONSOLIDATE: At this stage, a company has pulled together its data at the department level.
However, departmental interests and interdepartmental competition can skew the integrity of the
output.
• INTEGRATE: At this point, a company has adopted enterprise-wide data and bases its decisions on
the more complex information. This company is beginning to have a true awareness of additional
opportunities for the use of business intelligence to improve processes and profits.
• OPTIMIZE: The company's knowledge workers are focused on incremental process
improvements and refining the value-creation process. Everyone understands and uses analysis,
trending, pattern analysis and predictive results to increase efficiency and effectiveness. The
extended value chain becomes increasingly critical to the organization, including the customers,
suppliers and partners who constitute inter-company communities.
• INNOVATE: This level represents a major, quantum break with the past. It exploits the
understanding of the value-creation process acquired in the optimize stage and replicates that
efficiency with new products in new markets. Companies apply this expertise to new areas of
opportunity, thus multiplying the number of revenue streams flowing into the enterprise.
A successful business intelligence project team is like a four-legged table: each leg holds up its share of
the weight. The four legs are:
1. PROJECT SPONSORSHIP AND GOVERNANCE
IT and the business should form a BI steering committee to sponsor and govern design,
development, deployment and ongoing support. It needs both the CIO and a business executive to
commit budget, time and resources. The business sponsor needs the project to succeed. The CIO is
committed to what is being built and how.
2. PROJECT MANAGEMENT
It includes managing daily tasks, reporting status and communicating to the extended project team,
steering committee and affected business users. It includes three functions:
• Project Development Manager: Responsible for deliverables, managing the team and resources,
monitoring tasks, reporting status and communications.
• Business Advisor: Works within the sponsoring business organization. Responsible for the
deliverables of the business resources on the project's extended team; serves as the business
advocate on the project team and the project advocate within the business community.
• BI Project Advisor: Has enough expertise with the architecture and technologies to guide the
project team on their use. Ensures that the architecture, data models, database, ELT code and BI tools
are all being used effectively and conform to best standards.
3. DEVELOPMENT TEAM
• Business Requirements: The sub-team may have business people who understand IT systems or
IT people who understand the business. The team represents the business and its interests.
• BI Architecture: Develops the overall BI architecture, selects the appropriate technology,
creates the data models, maps the overall data workflow from source systems to BI analytics and
oversees the ELT and BI development teams from a technical perspective.
• ELT Development: Receives the business and data requirements as well as the target data
models to be used by BI analytics. Develops the ELT code needed to gather data from the
appropriate source systems into the BI database.
• BI Development: Creates the reports or analytics that the business users will interact with to do
their jobs. This is often a very iterative process and requires much interaction with the business
users.
2. GLOBAL REACH
The net being inherently global, reaching global customers is relatively easy on the net.
5. DISINTERMEDIATION
Using the net, one can directly approach customers and suppliers, cutting down the number of
levels and, in the process, cutting down the cost.
2. GLOBAL REACH
It permits commercial transactions to cross cultural and national boundaries far more
conveniently and cost effectively than is true in traditional business. The number of users it can
obtain is a measure of its reach.
3. UNIVERSAL STANDARDS
The technical standards are shared by all nations around the world. This greatly lowers market entry
costs. It also reduces search costs, the effort required to find suitable products.
4. RICHNESS
Information richness refers to the complexity and content of a message. Traditional markets,
national sales forces and small retail stores have great richness. They are able to provide personal,
face-to-face service using aural and visual cues when making a sale. The richness of traditional
markets makes them a powerful selling or commercial environment.
5. INTERACTIVITY
This means that e-business technologies allow for two-way communication between merchant and
consumer. It allows an online merchant to engage a consumer in ways similar to a face-to-face
experience but on a much more massive global scale.
6. INFORMATION DENSITY
This is the total amount and quality of information available to all market participants,
consumers and merchants alike. E-business technologies reduce information collection, storage,
processing and communication costs. These technologies greatly increase the currency,
accuracy and timeliness of information.
7. PERSONALIZATION / CUSTOMIZATION
E-business technology permits personalization: merchants can target their marketing
messages to specific individuals by adjusting the message to a person's name, interests and past
purchases. The technology also permits customization: changing the delivered product or service
based on a user's preferences or prior behavior. The result is a level of personalization and
customization unthinkable with existing commerce technologies.
BUSINESS MODELS
A business model is a set of planned activities designed to result in a profit in a marketplace. The
business model is at the centre of the business plan. A business plan is a document that describes a
firm's business model. Business models aim to use and leverage the unique qualities of the internet and
the World Wide Web.
It defines how a company's products or services fulfil the needs of customers. A company's value
proposition is at the very heart of its business model.
2. REVENUE MODEL
It describes how the firm will earn revenue, generate profits, and produce a superior return on
invested capital. There are many revenue models.
1. In advertising revenue model, a company provides a forum for advertisements and receives fees
from advertisers. Ex www.yahoo.com
2. In subscription revenue model, a company offers its users content or services and charges a
subscription fee for access to some or all of its offerings. Ex www.wsj.com, www.sportsline.com
3. In transaction fee revenue model, a company receives a fee for enabling or executing a
transaction. Ex www.ebay.com
4. In sales revenue model, a company derives revenue by selling goods, information, or services.
Ex www.amazon.com, www.salesforce.com
5. In affiliate revenue model, a company steers business to an affiliate and receives a referral fee or
percentage of the revenue from any resulting sales. Ex www.mypoints.com
3. MARKET OPPORTUNITY
It refers to the company’s intended market space and the overall potential financial opportunities
available to the firm in that market space. A market space is the area of actual or potential
commercial value in which a company intends to operate.
4. COMPETITIVE ENVIRONMENT
It refers to the other companies operating in the same market space selling similar products. Firms
typically have both direct and indirect competitors. Direct competitors sell products and services that
are very similar and into the same market segment. Indirect competitors may be in different
industries but still compete indirectly.
5. COMPETITIVE ADVANTAGE
It is achieved by a firm when it can produce a superior product and bring the product to market at a
lower price than most of its competitors. An asymmetry exists whenever one participant in a market
has more resources than other participants. A first-mover advantage is a competitive market
advantage for a firm that results from being the first into a marketplace with a serviceable product or
service. An unfair competitive advantage occurs when one firm develops an advantage based on a
factor that other firms can't purchase. In a perfect market, there are no competitive advantages or
asymmetries because all firms have equal access to all the factors of production. Companies are said
to leverage their competitive assets when they use their competitive advantages to achieve more
advantages in surrounding markets.
6. MARKET STRATEGY
It is the plan you put together that details exactly how you intend to enter a new market and attract
new customers.
7. ORGANIZATIONAL DEVELOPMENT
It describes how the company will organize the work that needs to be accomplished.
8. MANAGEMENT TEAM
It is responsible for making the model work. A strong team gives a model instant credibility with
outside investors, immediate market-specific knowledge and experience in implementing business
plans. A strong team may not be able to salvage a weak business model, but it should be able to
change the model and redefine the business as it becomes necessary.
This is the greatest advantage of e-business. The unknown and faceless customer, including other
businesses, buys the product of a large MNC through distributors, channels and shops. Large MNCs pay
a fortune for information on customer buying patterns.
This information gives authentic data about the clients' likes, dislikes and preferences, and this helps the
company to focus sales promotion drives so that they are aimed at the right audience.
4. SCALABILITY
This means the web is open and offers round-the-clock access. This provides an access never known
before to the customers. This access is across locations and time zones. Thus a company is able to
handle many more customers over a wider geographical spread if it uses an e-business model. The
additional cost of serving additional customers comes down drastically once a critical mass is
reached.
A company can make huge savings in distribution, logistics and after-sale support costs by using
e-business models. This is because the e-business model involves the customer in the business
interaction to such a level that the company is able to avoid setting up the huge backbone of sales and
support force which ordinarily would have to be set up.
It is important to know the right marketing strategies which would be required to sell successfully and
profitably over the web. Some of these are:
There is a wealth of research on pricing used as a tool to generate sales on the net. The biggest e-
tailer made it big by giving substantial discounts. Part of these discounts is attributed to the
distributor-level commissions which are being passed on to the customer. Apart from this, companies
have started giving things free on the net in order to get a critical mass of subscribers, which helps in
getting advertising revenues.
This is an old model of the seventies, which was used among mainframes and dumb terminals,
and which is being revisited with a vengeance. The customer can log in over the net and access the s/w
from the web server of the company and need not download it onto his computer. This goes one step
further in the age of the network PC, where one need not use even a hard disk and all critical
application data is kept on the web and can be accessed anywhere in the world.
B2B MODELS
1. MARKETPLACE / EXCHANGE (B2B HUB)
It is a digital electronic marketplace where suppliers and commercial purchasers can conduct
transactions. For buyers, B2B hubs make it possible to gather information, check out suppliers,
collect prices and keep up to date on the latest happenings, all in one place. Sellers, on the other hand,
benefit from expanded access to buyers. The greater the number of potential buyers, the lower the
sales cost and the higher the chances of making a sale. Marketplaces make it significantly less
expensive and time consuming to identify potential suppliers, customers and partners and to do
business with each other. Vertical marketplaces serve specific industries such as steel and automobiles,
while horizontal marketplaces sell specific products and services to a wide range of companies.
Vertical marketplaces supply a smaller number of companies with products and services of specific
interest to their industry, while horizontal marketplaces supply companies in different industries
with a particular type of product and service. Ex of vertical marketplaces: www.directAg.com,
www.e-steel.com. Ex of horizontal marketplace: www.tradeout.com.
2. E-DISTRIBUTOR
Companies that supply products and services directly to individual businesses are e-distributors,
whereas B2B hubs pull together many businesses, making it possible for them to do business with
other companies. E-distributors are set up by one company seeking to serve many customers. The
more products and services a company makes available on its site, the more attractive that site is to
potential customers. The revenue is generated by sales of goods. Ex www.grainger.com
4. MATCHMAKER
Companies that make money by linking other businesses and taking a cut of any business that occurs,
via a transaction or usage fee, are called matchmakers. They are a form of the transaction brokers
familiar in the B2C area. They help businesses to find what they want and need on the web. The
revenue is generated through transaction fees. Ex www.iship.com
5. INFOMEDIARY
The term describes a new breed of company that acts as custodian, agent and broker of
customer information, marketing it to businesses on the customers' behalf while protecting their privacy
at the same time. It is a company whose business model is premised upon gathering information about
consumers and selling it to other businesses. A vendor-oriented infomediary sells the information it
gathers to vendors who use it to target products, services and promotions to particular consumers. It
is classified into two basic types, i.e. audience brokers and lead generators. Audience brokers capture
information about customers and use it to help advertisers reach the most appropriate audiences for
their advertising. Revenue is through sales of information. Ex www.doubleclick.net. Lead generators
gather customer data from which they then create customer profiles and preferences. They then
direct vendors of products and services that fit these customer profiles to the customers. Revenue is
generated through referral fees. Ex www.autobytel.com
B2B MARKETPLACE
1. AGGREGATORS
In the aggregation model, one company aggregates buyers to form a virtual buying entity and
aggregates suppliers to constitute a virtual distributor. The aggregator takes the responsibility for
selection and fulfillment, pricing and market segmentation.
It focuses on producing a highly integrated value proposition through a managed process. Hubs have
been defined as neutral internet based intermediaries that focus on a specific industry or a specific
business process. Hubs host electronic markets and create value by reducing the cost of transactions
between sellers and buyers.
3. COMMUNITY OR ALLIANCE
In the community model, alliances are used to achieve high value integration without hierarchical
control. Members and end users play key roles as contributors and customers.
4. CONTENT
Content is the end product of this model of B2B. It has the purpose of facilitating trading. Revenue
can be generated from subscriptions, membership or advertising.
Once on net, opportunities are immense as companies can market their product to the whole world
without much additional cost.
2. GLOBALIZATION
The web can make one appear to be a big player, which simply means that the playing field has been
leveled by e-business. The Internet is accessed by millions of people, and they are potential customers.
Selling through the web means cutting down on paper costs, customer support costs,
advertising costs and order processing costs.
4. CUSTOMER CONVENIENCE
Searchable content, shopping carts, promotions, interactivity and user-friendly interfaces give
customers convenience, generating more business. A customer can also see order status and delivery
status and get receipts online.
5. KNOWLEDGE MANAGEMENT
Through database systems and information management, one can see who visits your site and how to
create better value for them.
The customer visits the mall by browsing the online catalogue – a very organized manner of
displaying products and their related information. Finding the right product becomes easy by using a
keyword search engine. Virtual malls may include a basic to an advanced search engine, product
relating system, control management, customer support system, bulletin boards, newsletters, etc.
2. CUSTOMER REGISTERS
The customer has to register to become part of the site's shopper registry. This allows the customer to
avail of the shop's complete services. The customer will be a part of the company's growing
database, which it can use for knowledge management and data mining.
3. CUSTOMER BUYS PRODUCTS
Through a shopping cart system, order details, shipping charges, taxes, additional charges and price
totals are presented in an organized manner. The customer can even change the quantity of a certain
product. Virtual malls have a very comprehensive shopping system, complete with check-out forms.
The merchant then processes the order that is received from the previous stage by filling
in the necessary forms.
The credit card of the customer is authenticated through a payment gateway or a bank. Other
payment methods can also be used.
6. OPERATIONS MANAGEMENT
When the order is passed on to the logistics people, the traditional business operations will still be
used. Things like inventory management, total quality management, warehousing optimization and
project management should still be incorporated even though it is an e-business. Getting the product
to the customer is still the most important aspect of e-commerce.
The product is then shipped to the customer. The customer should be able to track his order / delivery
through the website. Virtual malls have a delivery tracking module on the website which allows a
customer to check the status of a particular order.
8. CUSTOMER RECEIVES
The product is received by the customer and is verified. The system should then tell the firm that the
order has been delivered.
It offers users powerful web search tools as well as an integrated package of content and services, all
in one place. Portals do not sell anything directly and in that sense they can present themselves as
unbiased. Portals generate revenue primarily by charging advertisers for ad placement, collecting
referral fees for steering customers to other sites and charging for premium services. Horizontal
portals define their market space to include all users of the internet. Ex www.yahoo.com, www.aol.in,
www.msn.com. Vertical portals offer the same services as horizontal portals but are focused around a
particular subject matter or market segment. Ex www.iboats.com.
2. E-TAILER
Online retail stores are often called e-tailers. They come in all sizes and shapes. E-tailers are much
like the typical brick-and-mortar store front except that customers only have to dial into the internet
to check their inventory and place an order. Some e-tailers, sometimes referred to as "Clicks and
Mortar" or "Clicks and Bricks", are subsidiaries of existing physical stores and carry the same
products. Several other variations of e-tailer, such as online versions of direct mail catalogs, online
malls, and manufacturers' direct online sales, also exist. A virtual merchant is an online version of a
retail store, where customers can shop at any hour of the day or night without leaving home or office. Ex
www.Amazon.com. Clicks and mortar is an online distribution channel for a company that also has
physical stores. Ex www.walmart.com. Catalog merchant is an online version of a mall. Ex
www.fashionmall.com.
3. CONTENT PROVIDER
Content providers distribute "information content", which can be defined broadly to include all forms
of intellectual property. Intellectual property refers to all forms of human expression that can be put
into a tangible medium such as text, CD or the web. Retrieving and paying for content is the second
largest revenue source for B2C. Content providers make money by charging subscribers a subscription
fee. Micropayment system technology such as the Qpass system provides content providers with a
cost-effective method for processing high volumes of very small monetary transactions. Micropayment
systems have greatly enhanced the revenue model prospects of content providers who wish to charge
by the download. Content providers also make money by selling advertising space on their sites. Not all
online content providers charge for their information. Ex www.cio.com, www.sportsline.com,
www.thestandard.com. These popular sites make money in other ways, such as advertising and partner
promotions on the site. The key to becoming a successful content provider is owning the content.
Syndication is a major variation of the standard content provider model. Ex www.intonetworks.com,
www.intertainment.com, www.wsj.com.
4. TRANSACTION BROKER
Sites that process transactions for customers that would normally be handled in person, by phone or by
mail are transaction brokers. The largest industries using this model are financial services, travel
services and job placement services. Ex www.e-trade.com, www.ameritrade.com. The online transaction
broker’s primary value propositions are saving money and time. Most transaction brokers also provide
timely information and opinion. Fears of privacy invasion and the loss of control over personal financial
information also contribute to market resistance. Consequently the challenge for online brokers is to
overcome consumer fears by emphasizing the security and privacy measures in place. Transaction
brokers make money each time a transaction occurs. Ex www.monster.com, www.expedia.com,
www.datek.com.
5. MARKET CREATOR
A market creator builds a digital environment where buyers and sellers can meet, display products,
search for products and establish a price for products. Prior to the internet and the web, market
creators relied on physical places to establish a market. There were few private digital network
marketplaces prior to the web. The web changed this by making it possible to separate markets from
physical space. Ex www.priceline.com, www.ebay.com. The market opportunity for market creators
is potentially vast but only if the firm has the financial resources and marketing plan to attract
sufficient sellers and buyers to the marketplace. Speed is often the key in such situations. The ability
to become operational quickly can make the difference between success and failure.
6. SERVICE PROVIDER
It offers services online. Some charge a fee while others generate revenue from other sources like
advertising. Many service providers are computer related. To complicate matters a bit, most
financial transaction brokers also provide services such as college tuition and pension planning. Travel
brokers also provide vacation-planning services, not just transactions with airlines and hotels. The basic
value proposition of service providers is that they offer consumers a valuable, convenient, time-saving
and low cost alternative to traditional service providers. Research has found, for instance, that
a major factor in predicting online buying behavior is time starvation. Service providers make
money through subscription fees or one-time payments for a single use of the service. The market
opportunity for service providers is as large as the variety of services that can be provided and
potentially is equal to the market opportunity for physical goods. Ex www.xdrive.com,
www.mycfo.com.
7. COMMUNITY PROVIDER
They are sites that create a digital online environment where people with similar interests can
transact, communicate with like-minded people, receive interest related information and even play out
fantasies by adopting online personalities. The basic value proposition is to create a fast, convenient,
one stop site where users can focus on their most important concerns and interests. They typically
rely on a hybrid revenue model that includes subscription fees, sales revenues, transaction fees and
advertising fees from other firms, which are attracted by a highly focused audience. Ex
www.about.com, www.ivillage.com, www.blackplanet.com, www.oxygen.com, www.fool.com.
CALL CENTER
More and more companies are under constant pressure to innovate in the development and provision of
new services for their customers. The internet adds even more pressure. Every service that is put online
requires a call center so that people are able to call in, in case of problems. Calling does not
automatically mean a phone call anymore. The internet makes it possible to offer many different possibilities,
but the telephone can’t be neglected. It offers a very direct way of communication and many people
have got used to it.
Regardless of what “Customer Care” is called in your company, it is the process your customers go
through when they contact you, and at that moment they only have their particular problem in mind. What
customers want is a single point of contact providing convenience and satisfaction. They want the person
they contact to be able to handle their needs without a lot of hand-offs and call-backs. This requires a
call-center solution. Customers do not want to go to a branch to be served, but expect that their wishes
are executed from anywhere, and they want more direct access to their assets. Customers want to be
able to manage all aspects of their account through a single, consistent and efficient service process.
This process could be handled over the phone. In order to make a call center efficient, it needs to access
multiple data sources within the company and carry out concurrent processing in different applications,
without delaying the customer who may be waiting online for a response. These customer service
functions also require powerful client processing characteristics at the desktop, if implemented in a
traditional telephone call center. In order to make a call center successful, it needs to be highly
integrated and needs to create a single customer view through integration of all relevant databases.
• EFFICIENCY
Efficiency is the ability to be effective without wasting time, effort or expense. When customers
contact your center, they want a fast, efficient answer to their questions; they want the same
thing every customer desires, and that is customer satisfaction.
• CUSTOMER SATISFACTION
Customer satisfaction occurs when a call center delivers what the customer wants, when and how
they want it. Persons highly skilled in customer service understand that the customer doesn’t always
articulate what they want; sometimes you must dig for it and investigate. Once you have determined the
reason why the customer contacted you in the first place, you will be able to determine ways to help
him/her. The more you know about the customer's concern, the better you will be able to help them,
resulting in one satisfied customer.
• REVENUE GENERATION
Revenue generation is the lifeblood of any organization. Good revenue generation will not happen
without satisfied customers, and the more efficient the call center, the more time is available for
generating revenue. Efficiency can’t be achieved without good revenue generation and customer
satisfaction. For example, when a call center fails to serve a customer on the first attempt, revenue
isn’t maximized because a customer who really wanted the service/product must call back to get what
they wanted. This creates inefficiency by duplication of effort; it also represents poor service, as it
makes the customer do more work to get what they wanted when they initiated the first call. Our
company, Global Response, produces quality agents that get the job done with little waste of time
and energy, inspired and driven to satisfy customers’ needs, resulting in additional and continuous
revenue for our clients.
When systems are implemented with COTS (commercial off-the-shelf) components, update is
complicated by the imposition of a third party (i.e., the organization that developed the reusable
component may be outside the immediate control of the s/w engineering organization).
Circuit level filtering is a firewall approach that validates connections before allowing data to be
exchanged. What this means is that the firewall doesn't simply allow or disallow packets but also
determines whether the connection between both ends is valid according to configurable rules, then
opens a session and permits traffic only from the allowed source and possibly only for a limited period
of time. Whether a connection is valid may, for example, be based upon:
• Destination IP addresses and/or port
• Source IP address and/or port
• Time of day
• Protocol
• User
• Password
Every session of data exchange is validated and monitored and all traffic is disallowed unless a session
is open. Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages
of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP
protocol, wherein the source address is never validated as a function of the protocol. IP spoofing can be
rendered much more difficult. A disadvantage is that Circuit Level Filtering operates at the Transport
Layer and may require substantial modification of the programming which normally provides transport
functions (e.g. Winsock).
To validate a session, a circuit level firewall examines each connection setup to ensure that it follows a
legitimate handshake for the transport layer protocol being used (the only widely used transport protocol
that uses a handshake is TCP). In addition, data packets are not forwarded until the handshake is
complete. The firewall maintains a table of valid connections (which includes complete session state and
sequencing information) and lets network packets containing data pass through when the network packet
information matches an entry in the virtual circuit table. Once a connection is terminated, its table entry
is removed, and that virtual circuit between the two peer transport layers is closed. When a connection is
set up, the circuit level firewall typically stores the following information about the connection:
• A unique session identifier for the connection, which is used for tracking purposes
• The state of the connection: handshake, established, or closing
• The sequencing information
• The source IP address, which is the address from which the data is being delivered
• The destination IP address, which is the address to which the data is being delivered
• The physical network interface through which the packet arrives
• The physical network interface through which the packet goes out
Using this information, the circuit level firewall checks the header information contained within each
network packet to determine whether the transmitting computer has permission to send data to the
receiving computer and whether the receiving computer has permission to receive that data. Circuit level
firewalls have only limited understanding of the protocols used in the network packets. They can only
detect one transport layer protocol, TCP. Like packet filters, circuit level firewalls work by applying a
rule set that is maintained in the TCP/IP kernel. Circuit level firewalls allow access through the firewall
with a minimal amount of scrutiny by building a limited form of connection state. Only those network
packets that are associated with an existing connection are allowed through the firewall. When a
connection establishment packet is received, the circuit level firewall checks its rule base to determine
whether that connection should be allowed. If the connection is allowed, all network packets associated
with that connection are routed through the firewall as defined in the firewall server's routing table with
no further security checks. This method is very fast and provides a limited amount of state checking.
Circuit level firewalls can perform additional checks to ensure that a network packet has not been
spoofed and that the data contained within the transport protocol header complies with the definition for
that protocol, which allows the firewall to detect limited forms of modified packet data. Circuit level
firewalls often readdress network packets so that outgoing traffic appears to have originated from the
firewall rather than an internal host. As stated previously, this process of readdressing network packets
is called network address translation, and because circuit level firewalls maintain information about each
session, they can properly map external responses back to the appropriate internal host.
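The virtual circuit table described above, as an added Python simulation that is not part of the original notes: a session is opened only for a rule-permitted SYN, data is forwarded only once the TCP handshake has completed, each later packet is matched against the stored sequence numbers and the interface it arrived on, outgoing packets are readdressed to the firewall's own address and replies are mapped back to the internal host. The `CircuitLevelFirewall` class, its rule format, the interface names `int` and `ext`, and the addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for this example; the final ACK of the TCP close is not modelled.

```python
"""Constructed simulation of a circuit-level firewall's virtual circuit table
(handshake validation, session state and sequencing, interface checks, NAT)."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0                # sequence number of this segment
    payload: bytes = b""


@dataclass
class Session:
    sid: int                    # unique session identifier
    state: str                  # "handshake" | "established" | "closing"
    client: tuple               # (ip, port) that sent the SYN
    server: tuple               # (ip, port) the SYN was addressed to
    in_iface: str               # interface client packets must arrive on
    out_iface: str              # interface server packets must arrive on
    nat_port: int               # external port the client is readdressed to
    expected: dict = field(default_factory=dict)   # direction -> next seq
    fins: set = field(default_factory=set)         # directions that sent FIN


class CircuitLevelFirewall:
    EXT_IP = "203.0.113.1"      # constructed address of the firewall itself

    def __init__(self, allow_rules):
        self.rules = list(allow_rules)  # (client_prefix, server_ip, server_port)
        self.by_client = {}             # (client, server) -> Session
        self.by_nat_port = {}           # external port -> Session
        self._next_sid = 1

    def _permitted(self, pkt):
        return any(pkt.src.startswith(pfx) and (pkt.dst, pkt.dport) == (ip, port)
                   for pfx, ip, port in self.rules)

    def _open(self, pkt, iface):
        s = Session(self._next_sid, "handshake", (pkt.src, pkt.sport),
                    (pkt.dst, pkt.dport), iface, "ext" if iface == "int" else "int",
                    49152 + self._next_sid)
        s.expected["c2s"] = pkt.seq + 1  # a SYN consumes one sequence number
        self._next_sid += 1
        self.by_client[(s.client, s.server)] = s
        self.by_nat_port[s.nat_port] = s
        return s

    def _close(self, s):
        self.by_client.pop((s.client, s.server), None)
        self.by_nat_port.pop(s.nat_port, None)

    def _readdress(self, pkt, s, direction):
        if direction == "c2s":      # outgoing traffic appears to come from the firewall
            return replace(pkt, src=self.EXT_IP, sport=s.nat_port)
        return replace(pkt, dst=s.client[0], dport=s.client[1])  # reply mapped back

    def process(self, pkt, iface):
        """Return (verdict, packet to forward or None) and update the table."""
        s = self.by_client.get(((pkt.src, pkt.sport), (pkt.dst, pkt.dport)))
        direction = "c2s"
        if s is None and pkt.dst == self.EXT_IP:
            s, direction = self.by_nat_port.get(pkt.dport), "s2c"
            if s is not None and (pkt.src, pkt.sport) != s.server:
                return "drop", None         # reply from a peer not in the circuit
        if s is None:
            if pkt.flags != {"SYN"} or not self._permitted(pkt):
                return "drop", None         # no circuit and no right to open one
            return "forward", self._readdress(pkt, self._open(pkt, iface), "c2s")
        if iface != (s.in_iface if direction == "c2s" else s.out_iface):
            return "drop", None             # wrong interface: treated as spoofed
        if "RST" in pkt.flags:
            self._close(s)
            return "forward", self._readdress(pkt, s, direction)
        if s.state == "handshake":
            if direction == "s2c" and pkt.flags == {"SYN", "ACK"}:
                s.expected["s2c"] = pkt.seq + 1
            elif direction == "c2s" and pkt.flags == {"ACK"} and "s2c" in s.expected:
                s.state = "established"
            else:
                return "drop", None         # no data before the handshake completes
            return "forward", self._readdress(pkt, s, direction)
        if pkt.seq != s.expected[direction]:
            return "drop", None             # out of sequence: not part of this circuit
        s.expected[direction] += len(pkt.payload) + ("FIN" in pkt.flags)
        if "FIN" in pkt.flags:
            s.state = "closing"
            s.fins.add(direction)
        out = self._readdress(pkt, s, direction)
        if len(s.fins) == 2:                # both sides closed; final ACK not modelled
            self._close(s)
        return "forward", out

    def open_sessions(self):
        return len(self.by_client)
```

Feeding a packet to `process()` returns the verdict and, for forwarded packets, the readdressed copy. A data segment that arrives before the handshake completes, one that repeats an already-seen sequence number, and one that carries an internal source address but arrives on the external interface are all dropped without touching the table, which is the limited state checking the notes describe.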
ADVANTAGES
1. In most cases, client-server architecture enables the roles and responsibilities of a computing system
to be distributed among several independent computers that are known to each other only through a
network. This creates an additional advantage to this architecture: greater ease of maintenance. For
example, it is possible to replace, repair, upgrade, or even relocate a server while its clients remain
both unaware and unaffected by that change. This independence from change is also referred to as
encapsulation.
2. All the data is stored on the servers, which generally have far greater security controls than most
clients. Servers can better control access and resources, to guarantee that only those clients with the
appropriate permissions may access and change data.
3. Since data storage is centralized, updates to that data are far easier to administer than what would be
possible under a P2P paradigm. Under P2P architecture, data updates may need to be distributed and
applied to each "peer" in the network, which is both time-consuming and error-prone, as there can be
thousands or even millions of peers.
4. Many mature client-server technologies are already available which were designed to ensure
security, 'friendliness' of the user interface, and ease of use.
5. It functions with multiple different clients of different capabilities.
DISADVANTAGES
1. Traffic congestion on the network has been an issue since the inception of the client-server
paradigm. As the number of simultaneous client requests to a given server increases, the server can
become severely overloaded. Contrast that to a P2P network, where its bandwidth actually increases
as more nodes are added, since the P2P network's overall bandwidth can be roughly computed as the
sum of the bandwidths of every node in that network.
2. The client-server paradigm lacks the robustness of a good P2P network. Under client-server, should
a critical server fail, clients’ requests cannot be fulfilled. In P2P networks, resources are usually
distributed among many nodes. Even if one or more nodes depart and abandon a downloading file,
for example, the remaining nodes should still have the data needed to complete the download.
Since the collaborative business model advocates a total systems approach for engineering, construction
and customer support for new tooling programs, the performance metrics should be adjusted to
recognize this broader perspective. Other performance measures that should be evaluated are:
The cost saving benefits of the collaborative model are significant. The immediate short term savings on
tools are 40%. The following areas are:
Building trust and open communication between companies who are otherwise industry competitors
is difficult and requires the involvement of a neutral third party. The coalition of companies needs to
agree on a common mission, vision and operating principles. Further the coalition needs to develop a
business plan that outlines current capabilities, needed capabilities and growth areas, research &
development, marketing etc.
Many sensitive business decisions are required including ownership structure, governance, staffing
and membership. The bidding process when multiple coalition companies desire the same piece of
work needs to be managed within anti-trust regulations.
3. INTERNAL SOURCING
The process of sourcing tools and services within the coalition must be fair, stay within
anti-trust guidelines and still promote the development of nice players. Ideally, certain suppliers
would be identified as the preferred supplier because of their technical capability, but this is difficult
and can violate anti-trust laws. One approach is to use an independent facilitator that can help identify
appropriate sourcing, perhaps using customer input. A heuristic that achieves the desired facility is
one approach.
4. ANTI TRUST
Companies have to be concerned about sharing cost and pricing information with companies that are
otherwise competitors. The coalition can demonstrate that their collective businesses offer a
competitive product that justifies the collaboration, but the communication of certain information
must be managed. Individual companies still retain the right to intellectual property in their field of
services.
5. FINANCE
Internal financing decisions and identifying the control and flow of capital is important. Many shops
would prefer to have a purchase order directly with the customer. But this would result in multiple
purchase orders and tend to weaken the single-point-of-contact management. A mechanism is
needed that allows for coalition level decision making when a decision is best for the whole, but
perhaps not for an individual company. One such possibility is a central pool of funds to support cost
and revenue sharing.
Data mining leverages artificial intelligence and statistical techniques to build models. Data mining
models are built from situations where you know the outcome. Business problems that lend themselves
to data mining are predictive and descriptive in nature. Predictive models are used to predict an
outcome, referred to as the dependent or target variable, based on the values of other variables in the data
set. The algorithm analyzes the values of all input variables and identifies which variables are significant
as predictors for a desired outcome. Descriptive models do not predict variables based on known
outcomes, but rather describe a particular pattern that has no known outcome. Common techniques
include data visualization, where large volumes of data are reduced to a picture that can be easily
understood. Another common descriptive technique is clustering, where data are grouped into subsets
based on common attributes.
Data mining models are built as part of a data mining process, an ongoing process that requires maintenance
throughout the life of the model. The data mining process is not linear but an iterative process where you
look back to the previous phase. The key to data mining is ensuring that you have a foundation of good,
quality data that is cleaned, consistent and accurate. A data warehouse provides the right foundation for
data mining.
ANALYTIC MODEL is a set of logical rules or a mathematical formula that represents patterns found
in data that are useful for a business purpose. Once a model has been built based on one set of data, it
can be reused to search for the discovered patterns in other similar data. Sometimes they are called
predictive models.
ASSOCIATION modeling technique is commonly referred to as affinity analysis and is used to identify
items that occur together during a particular event. Affinity analysis is commonly used to study market
baskets by identifying which combinations of products are most likely to be purchased together. Another
form of this technique is sequence analysis, a variation of affinity analysis. Using sequence analysis you
could begin to understand the order in which customers tend to purchase specific products. These
results may be helpful in the early phases of establishing a potential cross selling strategy.
CLUSTERING is a type of modeling technique that can be used to place items into groups based on
like characteristics. The goal of clustering is to create groups of items that are similar in their
attributes within a given group but which are very different from items in other groups. It is frequently
used to create customer segments based on a customer’s behavior or other characteristics.
DECISION TREE technique produces a tree shaped structure that represents a set of decisions to predict
a value of the target variable. This algorithm leverages a variety of techniques to separate or classify
data based upon rules.
LINEAR REGRESSION is a statistical technique used to find the best fitting linear relationship
between a numeric target variable and its set of predictor variables. It can be used to predict the amount
of overdraft protection to offer a customer based on their account balances, years of service and other
characteristics.
LOGISTIC REGRESSION is a statistical technique used to find the best fitting linear relationship
between a categorical target variable and a set of predictors. It is commonly used to answer yes or no
questions.
NEURAL NETWORKS is a non linear predictive modeling technique, loosely based on the structure
of the human brain that learns through training. This technique is commonly used to predict a future
outcome based on historical data. However, it frequently requires substantial expertise to understand the
rationale for the decisions and predictions it makes. It is sometimes referred to as a black box because it
produces a model that is less understandable but often more accurate.
SCORE is an outcome of a model that represents a predicted or inferred value on some trait or
characteristic of interest. We can think of a score as the result of the model.
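The LINEAR REGRESSION and SCORE definitions above, as an added Python example that is not part of the original notes: an ordinary least squares fit of one numeric target on one predictor, with the coefficient of determination as a measure of fit, followed by scoring a new record with the fitted model. The training data (account balances and previously granted overdraft amounts, following the overdraft example above), the function names and the single-predictor restriction are assumptions made for this example.

```python
"""Constructed example of the LINEAR REGRESSION and SCORE definitions:
ordinary least squares on one predictor, then scoring new records."""


def fit_linear(xs, ys):
    """Least squares line y = intercept + slope * x; returns (intercept, slope, r2)."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("predictor has no variance; no line can be fitted")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    intercept = my - slope * mx
    # r2 = share of the target's variance explained by the fitted line
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    r2 = 1.0 - ss_res / ss_tot if ss_tot else 1.0
    return intercept, slope, r2


def score(model, x):
    """The SCORE: the model's predicted value of the target for a new record."""
    intercept, slope, _ = model
    return intercept + slope * x


# Constructed training data: account balance (predictor) and the overdraft
# protection amount previously granted (target), following the example above.
BALANCES = [1000.0, 2000.0, 3000.0, 4000.0, 5000.0, 6000.0]
OVERDRAFTS = [160.0, 240.0, 360.0, 440.0, 560.0, 640.0]

if __name__ == "__main__":
    model = fit_linear(BALANCES, OVERDRAFTS)
    print("intercept=%.2f slope=%.4f r2=%.4f" % model)
    print("score for a balance of 7000:", score(model, 7000.0))
```

The fitted model is reused exactly as the ANALYTIC MODEL definition says: once built on one data set it is applied to new records (here a balance of 7000) to produce a score, and the r2 value tells the analyst how much of the target's variation the single predictor actually explains before that score is trusted.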
The Data Encryption Standard (DES) specifies a FIPS approved cryptographic algorithm as required by
FIPS. This publication provides a complete description of a mathematical algorithm for encrypting
(enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it to an
unintelligible form called cipher. Decrypting cipher converts the data back to its original form called
plaintext. The algorithm described in this standard specifies both enciphering and deciphering operations
which are based on a binary number called a key. A key consists of 64 binary digits ("0"s or "1"s) of
which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not
used by the algorithm, are used for error detection. The 8 error detecting bits are set to make the parity
of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte. Authorized users
of encrypted computer data must have the key that was used to encipher the data in order to decrypt it.
The encryption algorithm specified in this standard is commonly known among those using the standard.
The unique key chosen for use in a particular application makes the results of encrypting data using the
algorithm unique. Selection of a different key causes the cipher that is produced for any given set of
inputs to be different. The cryptographic security of the data depends on the security provided for the
key used to encipher and decipher the data. Data can be recovered from cipher only by using exactly the
same key used to encipher it. Unauthorized recipients of the cipher who know the algorithm but do not
have the correct key cannot derive the original data algorithmically. However, anyone who does have
the key and the algorithm can easily decipher the cipher and obtain the original data. A standard
algorithm based on a secure key thus provides a basis for exchanging encrypted computer data by
issuing the key used to encipher it to those authorized to have the data. Data that is considered sensitive
by the responsible authority, data that has a high value, or data that represents a high value should be
cryptographically protected if it is vulnerable to unauthorized disclosure or undetected modification
during transmission or while in storage. A risk analysis should be performed under the direction of a
responsible authority to determine potential threats. The costs of providing cryptographic protection
using this standard as well as alternative methods of providing this protection and their respective costs
should be projected. A responsible authority then should make a decision, based on these analyses,
whether or not to use cryptographic protection and this standard.
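The key layout described above (56 random key bits plus 8 parity bits, one per byte, set for odd parity), as an added Python example that is not part of the standard's text: functions that check a key's parity, repair it without touching the 56 key bits, and build a 64-bit key from 56 bits of random key material. The function names are assumptions made for this example; the parity rule itself is the one stated above. Checking parity on a received key is the error-detection use the standard mentions: a key byte with an even number of 1 bits shows that the key was corrupted or mistyped somewhere between generation and use.

```python
"""Constructed example of DES key parity handling: 7 key bits per byte plus a
low-order parity bit that makes each byte's count of 1 bits odd."""
import os


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the 64-bit key has an odd number of 1 bits."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (64 bits)")
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's low bit adjusted to give odd parity.
    The 56 key bits (the upper 7 bits of each byte) are left untouched."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (64 bits)")
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                      # the 7 bits the algorithm uses
        parity = 0 if bin(high7).count("1") % 2 == 1 else 1
        out.append(high7 | parity)
    return bytes(out)


def expand_56_to_64(key_bits: bytes) -> bytes:
    """Spread 56 random key bits (7 bytes) over 8 bytes, 7 bits per byte,
    and fill the 8th bit of each byte with odd parity."""
    if len(key_bits) != 7:
        raise ValueError("need exactly 56 bits (7 bytes) of key material")
    n = int.from_bytes(key_bits, "big")
    out = bytearray()
    for i in range(8):                        # 7-bit groups, most significant first
        group = (n >> (7 * (7 - i))) & 0x7F
        out.append(group << 1)
    return set_odd_parity(bytes(out))


def generate_des_key() -> bytes:
    """Draw 56 random bits from the OS random source and return the 64-bit key."""
    return expand_56_to_64(os.urandom(7))
```

`set_odd_parity` only ever changes the low bit of each byte, so applying it to a key that already has correct parity returns the same bytes; a key that comes back changed is a key whose parity was wrong on arrival.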
DIGITAL CERTIFICATES
Over the Internet, interaction takes place via an open network where there is no physical presence. Thus
we do not know the identity of the people with whom we communicate and exchange. Virtual
technology brings with it certain risks, such as identity theft (phishing), or the interception of our
messages by third parties, or the repudiation of a sale, payment or exchange. In this context, setting up
security services such as digital certification turns out to be necessary. A digital certificate acts like an
identity card on the Internet, creating a climate of trust between two distant entities (natural persons,
Web servers, routers) which need to authenticate themselves to communicate with each other and to
exchange confidential information. A certificate specifies the name of a person, company or entity, and
certifies that the public key included in the certificate belongs to it. Any digital certificate is provided by
a trustworthy third party or Certification Authority. This is an entity responsible for issuing, delivering
and managing digital certificates. The identity of the owner of a certificate is guaranteed by the
Certification Authority. The most widely accepted format for Digital Certificates is defined by the
CCITT X.509 international standard; thus certificates can be read or written by any application
complying with X.509. Digital Certificates can be used for a variety of electronic transactions including
e-mail, electronic commerce, groupware and electronic funds transfers. A Digital Certificate typically
contains the:
• Owner's public key
• Owner's name
• Expiration date of the public key
• Name of the issuer (the CA that issued the Digital Certificate)
• Serial number of the Digital Certificate
• Digital signature of the issuer
Virtual malls, electronic banking, and other electronic services are becoming more commonplace,
offering the convenience and flexibility of round-the-clock service direct from your home. However,
your concerns about privacy and security might be preventing you from taking advantage of this new
medium for your personal business. Encryption alone is not enough, as it provides no proof of the
identity of the sender of the encrypted information. Without special safeguards, you risk being
impersonated online. Digital Certificates address this problem, providing an electronic means of
verifying someone's identity. Used in conjunction with encryption, Digital Certificates provide a more
complete security solution, assuring the identity of all parties involved in a transaction. Similarly, a
secure server must have its own Digital Certificate to assure users that the server is run by the
organization it claims to be affiliated with and that the content provided is legitimate.
A digital signature functions for electronic documents like a handwritten signature does for printed
documents. The signature is an unforgeable piece of data that asserts that a named person wrote or
otherwise agreed to the document to which the signature is attached. A digital signature actually
provides a greater degree of security than a handwritten signature. The recipient of a digitally signed
message can verify both that the message originated from the person whose signature is attached and
that the message has not been altered either intentionally or accidentally since it was signed.
Furthermore, secure digital signatures cannot be repudiated; the signer of a document cannot later
disown it by claiming the signature was forged. In other words, Digital Signatures enable
"authentication" of digital messages, assuring the recipient of a digital message of both the identity of
the sender and the integrity of the message.
Normally, a key expires after some period of time, such as one year, and a document signed with an
expired key should not be accepted. However, there are many cases where it is necessary for signed
documents to be regarded as legally valid for much longer than two years; long-term leases and
contracts are examples. By registering the contract with a digital time-stamping service at the time it is
signed, the signature can be validated even after the key expires. If all parties to the contract keep a copy
of the time-stamp, each can prove that the contract was signed with valid keys. In fact, the time-stamp
can prove the validity of a contract even if one signer's key gets compromised at some point after the
contract was signed. Any digitally signed document can be time-stamped, assuring that the validity of
the signature can be verified after the key expires. A digital time-stamping service (DTS) issues time-
stamps which associate a date and time with a digital document in a cryptographically strong way. The
digital time-stamp can be used at a later date to prove that an electronic document existed at the time
stated on its time-stamp. The use of a DTS would appear to be extremely important, if not essential, for
maintaining the validity of documents over many years.
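The certificate fields listed above, the origin and integrity checks described under digital signatures, and the time-stamping scheme just described, worked through in one added Python example that is not part of the original notes. Textbook RSA over SHA-256 digests stands in for a real signature scheme and a dictionary stands in for the X.509 encoding; `issue_certificate`, `verify_document`, `timestamp`, `verify_with_timestamp`, the key size and the integer time values are all assumptions made for this example. The last function shows the point of the time-stamp: a signature is accepted after the signing key's expiry as long as a valid DTS token places the signed document before that expiry.

```python
"""Constructed toy PKI: certificate issuance, signed documents and time-stamps.
Textbook RSA over SHA-256 digests stands in for a real signature scheme."""
import hashlib
import json
import math
import random


def _probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for a demo, not a production key generator."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _probable_prime(c):
            return c

def keygen(bits=512):
    """Return (public, private) textbook RSA keys: (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(obj) -> int:
    """SHA-256 of the canonical JSON encoding; always below a 512-bit modulus."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(obj, private):
    n, d = private
    return pow(_digest(obj), d, n)

def verify(obj, signature, public) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(obj)

def issue_certificate(owner, owner_public, not_after, issuer, serial, ca_private):
    """Certificate carrying the fields listed above, signed by the CA over all of them."""
    tbs = {"owner": owner, "public_key": list(owner_public), "not_after": not_after,
           "issuer": issuer, "serial": serial}
    return {"tbs": tbs, "signature": sign(tbs, ca_private)}

def certificate_valid(cert, ca_public, at_time) -> bool:
    """Issuer signature intact and the owner's key not yet expired at at_time."""
    return (verify(cert["tbs"], cert["signature"], ca_public)
            and at_time <= cert["tbs"]["not_after"])

def verify_document(doc, signature, cert, ca_public, at_time) -> bool:
    """Origin (key bound to the owner by the CA) and integrity (digest matches)."""
    return (certificate_valid(cert, ca_public, at_time)
            and verify(doc, signature, tuple(cert["tbs"]["public_key"])))

def timestamp(doc, signature, tsa_private, now):
    """DTS token binding the signed document to a time, signed by the time-stamping service."""
    body = {"doc_digest": _digest([doc, signature]), "time": now}
    return {"body": body, "signature": sign(body, tsa_private)}

def verify_with_timestamp(doc, signature, cert, ca_public, token, tsa_public) -> bool:
    """Accept a signature after its key expired when a valid DTS token shows the
    signed document already existed while the key was still valid."""
    body = token["body"]
    if not verify(body, token["signature"], tsa_public):
        return False                      # token not issued by the trusted DTS
    if body["doc_digest"] != _digest([doc, signature]):
        return False                      # token covers a different signed document
    return verify_document(doc, signature, cert, ca_public, body["time"])
```

The time-stamp covers the document together with its signature, so the token proves that this particular signature existed at the stamped time; checking the certificate at the token's time rather than the current time is what lets a contract outlive the key that signed it. Key generation uses 512-bit moduli only so that the example runs quickly; the verification logic does not depend on the key size.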
As digital certificates are difficult to forge, non-repudiation has become possible on the internet. If a
person has sent out a certain message, it can be traced back much more easily through a PKI and the
signatures. The PKI is used to store the time when a certain message has been sent out, which can be
very important in some business cases. Digital signatures form the basis for formally legally binding
contracts in the course of e-business, since they provide electronically the same forensic effect that a
traditional paper document and a hand written signature thereon provide. In order to use digital
signatures legally, a framework needs to be created in all countries that defines exactly what a signature is
and how it can be created.
E-AUCTIONS
Online auction sites are among the most popular C2C sites on the internet. Auctions are markets in
which prices are variable and based on the competition among participants who are buying or selling
products and services. Auctions are one type of dynamic pricing, in which the price of the product
varies, depending directly on the demand characteristics of the customer and the supply situation of the
seller. There are a wide variety of dynamically priced markets. In dynamic pricing, merchants change
their product prices based on both their understanding of how much value the customer attaches to the
product and their own desire to make a sale. Likewise, customers change their offers to buy based on
both their perception of the seller desire to sell and their own need for the product. In contrast,
traditional mass market merchants generally use fixed pricing – one national price, everywhere for
everyone. Trigger pricing used in M-Commerce applications adjusts prices based on the location of the
consumer. Utilization pricing adjusts prices based on utilization of the product. Personalization pricing
adjusts prices based on the merchant’s estimate of how much the customer truly values the product. Ex
www.ebay.com, www.auction.amazon.com, www.auctions.yahoo.com, www.auctions.cnet.com,
www.oldandsold.com, www.teletrade.com.
BENEFITS OF AUCTIONS
1. LIQUIDITY
Sellers can find willing buyers and buyers can find sellers. The internet enormously increased the
liquidity of traditional auctions that usually required all participants to be present in a single room.
Now sellers and buyers can be located anywhere around the globe.
2. PRICE DISCOVERY
Buyers and sellers can quickly and efficiently develop prices for items that are difficult to assess,
where the price depends on demand and supply and where the product is rare.
3. PRICE TRANSPARENCY
Public internet auctions allow everyone in the world to see the asking and bidding prices for items. It
is difficult for merchants to engage in price discrimination when the items are available on auctions.
However, because even huge auction sites do not include all the world’s online auction items, there
still may be more than one world price for a given item.
4. MARKET EFFICIENCY
Auctions can and often do lead to reduced prices and hence reduced profits for merchants, leading to
an increase in customer welfare – one measure of market efficiency. Online auctions can provide
consumers the chance to find real bargains at potentially give-away prices; they also provide access to
a very wide selection of goods that would be impossible for consumers to physically access by
visiting stores.
6. CONSUMER AGGREGATION
Sellers benefit from large auction sites' ability to aggregate a large number of consumers who are
motivated to purchase something in one marketplace. Auction-site search engines that lead
consumers directly to the products they are seeking make it very likely that consumers who visit a
specific auction really are interested and ready to buy at some price.
7. NETWORK EFFECTS
The larger an auction site becomes in terms of visitors and products for sale, the more valuable it
becomes as a marketplace for everyone by providing liquidity and several other benefits.
RISKS OF AUCTIONS
1. DELAYED CONSUMPTION COSTS
Internet auctions can go for days and shipping will take additional time.
2. MONITORING COSTS
3. EQUIPMENT COSTS
Internet auctions require you to purchase a computer system, pay for internet access and learn a
complex operating system.
4. TRUST RISKS
Online auctions are the single largest source of internet fraud. Using auctions increases the risks of
experiencing a loss.
5. FULFILMENT COSTS
Typically, the buyer pays the fulfilment costs of packing, shipping and insurance, whereas at a physical
store these costs are included in the retail price.
TYPES OF AUCTIONS
1. ENGLISH AUCTIONS
They are the easiest to understand and the most common form of auction. Typically there is a single
item up for sale from a single seller. There is a time limit when the auction ends, a reserve price
below which the seller will not sell and a minimum incremental bid set. Multiple buyers bid against
one another until the auction time limit is reached. The highest bidder wins the item. They are
considered to be seller biased because multiple buyers compete against one another usually
anonymously.
They are typically used by sellers with many identical items to sell. Sellers start by listing a
minimum price or starting bid for one item and the number of items for sale. Bidders specify both a bid
price and the quantity they want to buy. Winning bidders pay the same price per item, which is the
lowest successful bid. This market clearing price can be less than some bids. If there are more buyers
than items, the earliest successful bids get the goods. The auction is usually quite rapid and proxy
bidding is not used.
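The multi-unit, uniform-price clearing rule described above, worked through in code. This is an added example, not part of the original notes; the bid data is constructed, and ties at the same price are broken by submission time, following the text's "earliest successful bids get the goods".

```python
"""Clearing a multi-unit, uniform-price auction.

Added example, not from the original notes. Bids carry a price, a
quantity and a submission order; the highest bids win, every winner pays
the lowest successful bid (the market clearing price), and when demand
exceeds supply the earliest of equally priced bids are filled first.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    bidder: str
    price: float     # bid price per item
    quantity: int    # items wanted
    placed_at: int   # submission order, lower = earlier (constructed)


@dataclass(frozen=True)
class Allocation:
    bidder: str
    quantity: int


def clear_auction(starting_bid: float, items_for_sale: int,
                  bids: list[Bid]) -> tuple[float | None, list[Allocation]]:
    """Return (clearing_price, allocations).

    Bids below the seller's starting bid are ignored. The rest are ranked
    by price descending, then by submission order ascending, and filled in
    that order until the items run out. The clearing price is the price of
    the last (lowest) bid that received at least one item, so a bidder who
    offered more than that still pays only the clearing price.
    """
    eligible = [b for b in bids if b.price >= starting_bid and b.quantity > 0]
    ranked = sorted(eligible, key=lambda b: (-b.price, b.placed_at))

    remaining = items_for_sale
    allocations: list[Allocation] = []
    clearing_price: float | None = None
    for bid in ranked:
        if remaining == 0:
            break
        filled = min(bid.quantity, remaining)   # last winner may be partial
        allocations.append(Allocation(bid.bidder, filled))
        remaining -= filled
        clearing_price = bid.price              # lowest successful bid so far
    return clearing_price, allocations


def payments(clearing_price: float, allocations: list[Allocation]) -> dict[str, float]:
    """Amount each winner owes at the uniform clearing price."""
    return {a.bidder: a.quantity * clearing_price for a in allocations}


if __name__ == "__main__":
    # Constructed sample: 5 items, starting bid 10. D is below the minimum.
    sample = [Bid("D", 9.0, 1, 0), Bid("A", 15.0, 2, 1),
              Bid("C", 12.0, 2, 2), Bid("B", 12.0, 2, 3)]
    price, allocs = clear_auction(10.0, 5, sample)
    print("clearing price:", price)          # A bid 15 but pays 12
    for a in allocs:
        print(f"  {a.bidder} gets {a.quantity}")
    print(payments(price, allocs))
```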
6. AUCTION AGGREGATORS
They use computer programs to search thousands of web auction sites, collecting information on
products, bids, auction durations and bid increments. Consumers search auction aggregator sites for
products of interest and the site returns a list of both fixed-price sales locations and auction locations
where the product is for sale. They work by sending web crawlers to thousands of auction sites every
night, gathering all information on product listings.
E-CASH
Electronic cash solutions use software to save the equivalent of cash onto a hard or a floppy disk. Coins
and bank notes are replaced by digitally signed files. The advantage of this system is that the cost of
passing on the money is nearly zero (the only real cost you have is the internet connection). In order to
receive the money, you need to go to a virtual automatic teller machine on the internet or to a real world
ATM, where you can get electronic cash by direct debit from your bank account or by credit card payment.
The difficulty with electronic cash is implementing it in a very secure way. As the money is stored in
files, it must be ensured that copying the files does not increase the value of the cash, nor should it
be possible to alter the amount of the digital money on the hard disk. Electronic coins and notes should
have digital marks that make it impossible to use them more than once. The use of encryption
technologies, digital signatures and electronic signatures helps to reduce the possibility of fraud.
In order to emulate coins and bank notes, digital money should not reveal the identity of the person who
has paid with it. Payment should not require a bank in between. Electronic money should be exchanged
directly between the two partners involved. Splitting up the value is also very important. Instead of one
digital bank note, you should be able to split it up into several bank notes and coins, which can be passed
on to different people. While many different companies are rushing to offer digital money products,
currently e-cash is represented by two models. One is the on-line form of e-cash (introduced by
DigiCash), which allows for the completion of all types of internet transactions. The other form is
off-line: essentially a digitally encoded card that could be used for many of the same transactions as cash.
This off-line version (which also has on-line capabilities) is being tested by Mondex in partnership with
various banks.
The primary function of e-cash is to facilitate transactions on the Internet. Many of these transactions
may be small in size and would not be cost efficient through other payment mediums such as credit
cards. Thus, WWW sites in the future may charge $0.10 a visit or $0.25 to download a graphics file.
These types of payments, turning the Internet into a transaction oriented forum, require mediums that are
easy, cheap (from a merchants perspective), private, and secure. Electronic Cash is the natural solution,
and the companies that are pioneering these services claim that the products will meet the stated criteria.
By providing this type of payment mechanism, the incentives to provide worthwhile services and
products via the Internet should increase. To complete the digital money revolution an offline product is
also required for the pocket money/change that most people must carry for small transactions (e.g.
buying a newspaper, buying a cup of coffee, etc...).
The concept of electronic money is at least a decade old. When one person writes a check on his bank
account and gives the check to another person with an account at a different bank, the banks do not
transfer currency. The banks use electronic fund transfer. Electronic money removes the middleman.
Instead of requesting the banks to transfer the funds through the mechanism of a check, the E-cash user
simply transfers the money from his bank account to the account of the receiver. The reality of E-cash is
only slightly more complicated, and these complications make the transactions both secure and private.
The user downloads electronic money from his bank account using special software and stores the
E-cash on his local hard drive. To pay a WWW merchant electronically, the E-cash user goes through the
software to pay the desired amount from the E-cash "wallet" to the merchant's local hard drive
("wallet") after passing the transaction through an E-cash bank for authenticity verification. The
merchant can then pay its bills/payroll with this E-cash or upload it to the merchant's hard currency bank
account. The E-cash company makes money on each transaction from the merchant (this fee is very
small, however) and from royalties paid by banks which provide customers with E-cash
software/hardware for a small monthly fee. Transactions between individuals would not be subject to a
fee.
E-cash truly globalizes the economy, since the user can download money into his cyber-wallet in any
currency desired. A merchant can accept any currency and convert it to local currency when the cyber
cash is uploaded to the bank account. To the extent a user wants E-cash off-line, all that is necessary is
smart card technology. The money is loaded onto the smartcard, and special electronic wallets are used
to offload the money onto other smartcards or directly to an on-line system. Smartcards have been used
successfully in other countries for such transactions as phone calls for a number of years. The money
could also be removed from a smartcard and returned to a bank account. Visa is developing a related
product, the stored value card. This card comes in a variety of denominations, but functions more like a
debit card than E-cash.
In essence, E-cash combines the benefits of other transaction mediums. Thus, it is similar to debit/credit
cards, but E-cash allows individuals to conduct transactions with each other. It is similar to personal
checks, but it is feasible for very small transactions. While it appears superior to other forms, E-cash will
not completely replace paper currency. Use of E-cash will require special hardware, and while most
people will have access, not all will. However, E-cash presents special challenges for the existing
"middlemen" of the current paper currency society. More and more, banks and other financial
intermediaries will serve simply as storehouses for money, lenders, and processing/verifying electronic
transactions. Personal interaction with a teller or even visits to a bank ATM will become obsolete. All
one will have to do is turn on his computer.
DIGITAL PAYMENT REQUIREMENTS
In order to make a digital payment system successful, it needs to adhere to the following requirements:
E-CHECK
Internet cheques have so far not gained great importance on the internet, but it is still important to
understand the way they can be used. Electronic cheques work similarly to conventional cheques. The
customer receives digital documents from their bank and needs to enter the amount of the payment, the
currency and the name of the payee for every payment transaction. In order to cash in the electronic
cheque, it needs to be digitally signed by the payer. eCheck, a new payment instrument combining the
security, speed and processing efficiencies of all-electronic transactions with the familiar and
well-developed legal infrastructure and business processes associated with paper checks, is the first and
only electronic payment mechanism chosen by the United States Treasury to make high-value payments
over the public Internet. An eCheck is the electronic version or representation of a paper check. eChecks:
• contain the same information as paper checks
• are based on the same rich legal framework as paper checks
• can be linked with unlimited information and exchanged directly between parties
• can be used in any and all remote transactions where paper checks are used today
• enhance the functions and features provided by bank checking accounts
• expand on the usefulness of paper checks by providing value-added information
The FSTC Electronic Check (eCheck) is currently being piloted at the US Department of the Treasury.
The eCheck leverages the check payment system from the real to the virtual world with fewer manual
steps involved. It fits within current business practices, eliminating the need for expensive process re-
engineering. The eCheck system is highly secure and can be used by all bank customers who have
checking accounts. ECheck technology is software and hardware developed by FSTC members to:
• minimize start up expenses
• apply universal industry standards
• provide ubiquity for participants
eChecks contain the same information as paper checks and are based on the same legal framework. The
electronic cheques can be exchanged directly between parties and can replace all remote transactions
where paper checks are used today. eChecks work the same way traditional cheques work. The customer
writes the eCheck and gives the eCheck to the payee electronically. The payee deposits the electronic
cheque, receives credit, and the payee's bank "clears" the eCheck to the paying bank. The paying bank
validates the eCheck and charges the customer's account for the cheque sum. eChecks have important
new features. They offer:
• the ability to conduct bank transactions, yet are safe enough to use on the Internet
• unlimited, but controlled, information carrying capability
• reduced fraud losses for all parties
• automatic verification of content and validity
• traditional checking features such as stop payments and easy reconciliation
• enhanced capabilities such as effective dating
eChecks offer the ability to conduct bank transactions in a safe way via the internet. The validity of the
eCheck can be verified automatically by the bank, which reduces fraud losses for all parties involved.
The use of the Financial Services Markup Language (FSML) together with digital signatures and
certificates makes the system highly secure. eChecks are the most secure payment instrument or
transaction ever designed or developed. eChecks are designed to utilize state of the art security techniques of:
• authentication
• public key cryptography
• digital signatures
• certificate authorities
• duplicate detection
• encryption
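The integrity and double-spending requirements from the E-CASH section (a copied file must not create value, an altered amount must be caught, a coin must not be spent twice) and the "digital signatures" and "duplicate detection" items in the eCheck list above rest on the same mechanism, shown here in a toy issuer model. This is an added example, not code from the original notes or from DigiCash, Mondex or the FSTC; as a simplification (assumption) the issuing bank is also the only verifier, so an HMAC under the bank's secret key stands in for the public-key digital signatures real systems use.

```python
"""Toy issuer-verified digital cash: tamper detection and duplicate detection.

Added example, not from the original notes or any real e-cash product.
Assumption: the bank both issues and redeems coins, so a keyed MAC is
enough to authenticate them; a deployed system would use public-key
signatures so merchants could verify coins without the bank's secret.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: str   # unique identifier: the "digital mark" on the coin
    amount: int   # value in cents
    tag: str      # bank's authentication tag over serial and amount


class Bank:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # known only to the bank
        self._spent: set[str] = set()         # serials already redeemed

    def _tag(self, serial: str, amount: int) -> str:
        msg = json.dumps({"serial": serial, "amount": amount}, sort_keys=True)
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def withdraw(self, amount: int) -> Coin:
        """Issue a fresh coin (the account debit is out of scope here)."""
        serial = secrets.token_hex(16)
        return Coin(serial, amount, self._tag(serial, amount))

    def deposit(self, coin: Coin) -> tuple[bool, str]:
        """Verify a coin a merchant presents. Returns (accepted, reason).

        The tag binds serial and amount, so editing the amount on disk
        invalidates it; the spent-serial set makes a byte-identical copy
        worthless once the original has been redeemed.
        """
        expected = self._tag(coin.serial, coin.amount)
        if not hmac.compare_digest(expected, coin.tag):
            return False, "invalid tag: coin forged or amount altered"
        if coin.serial in self._spent:
            return False, "duplicate: serial already spent"
        self._spent.add(coin.serial)
        return True, "accepted"


def demo() -> dict[str, bool]:
    """Spend a coin, then try a copy of it and a version with a larger amount."""
    bank = Bank()
    coin = bank.withdraw(500)                           # constructed: 5.00
    copied = Coin(coin.serial, coin.amount, coin.tag)   # file copied as-is
    altered = Coin(coin.serial, 50_000, coin.tag)       # amount edited to 500.00
    return {
        "first_spend": bank.deposit(coin)[0],
        "copy_spend": bank.deposit(copied)[0],
        "altered_spend": bank.deposit(altered)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Because the bank sees the serial both at withdrawal and at deposit it can link payer and payee, so this toy does not give the payer anonymity the text asks for; DigiCash addressed that with blind signatures, which let the bank sign a coin without seeing its serial.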
E-CRM
E-CRM is not just your call center, self-service web sites, sales force automation tools or the analysis of
customers' purchasing behaviour. E-CRM is all of these initiatives working together to enable you to
respond more effectively to your customers' needs and to market to them on a one-to-one basis. It is
about the customer, not any individual piece of technology. If we evaluate and understand how our
customers behave and how we need to respond to them, then we can begin to understand the component
pieces of E-CRM. Today, there are many ways a customer can interact with a vendor. With today's
technology it is possible for each of these contact points to be driven from the same base of information
about the customer. However, it is not unusual for these contact points to be driven from discrete bases
of information which are not coordinated and do not have the same content. An integrated customer
information architecture to support all of these applications could prevent this lack of coordination.
The first need is to identify in delivery. True E-CRM is integrated customer information architecture.
Creating and maintaining this integrated information architecture is not a trivial process. The various
applications contributing to the architecture need to be identified. The data must then be extracted,
transformed and loaded into the environment. Replication strategies may need to be incorporated to keep
the applications in synchronization with each other. The next step is to segment and analyze what we
have. We need to understand where we make money. We need to know which channels are working and
which ones are not. We need to understand what our competitors are doing. There are statistical analysis
techniques that can provide this insight. The tools to answer these questions are the true OLAP tools on
the market today. There is also a special subset of tools that facilitate heavy-duty statistical analysis
or data mining.
Once we better understand our customers, we need to be able to promote to them in a direct way. Tools
to support this area are fragmented and solution specific. Sales force automation (SFA) and call center
applications only address one piece. Personalization engines only cover the web. Broadcast engines only
deal with telephony. The challenge is to extract the necessary customer transaction data from these
discrete applications and incorporate the data in our CRM-ready data warehouse. It is then that we have
"closed the loop" and can truly attain a one-to-one and permission marketing relationship with our
customers.
HOW IT WORKS
• The seller gives the buyer their bank sort code and account number.
• The buyer then accesses their own bank account and sends the seller the money.
CLAWBACK
Funds sent by Electronic Fund Transfer can be "clawed back" by the sender provided the request is
made on the same working day the funds are transferred; therefore the funds do not really clear until the
next working day after receipt.
CONCERNS
To access a bank account and withdraw funds a person needs to know much more than just the account
number and sort code.
• CONCISENESS: Keep your pages short and spread information on several pages.
• DYNAMIC SITES: Create dynamic sites that use new technologies to adapt information based on
user profiles.
• NICHE MARKETS: The internet is a series of niche markets and mass markets.
• KEEP BANNER SMALL: The message must be visible within a few seconds on low connections.
• AVOID COMPLEX ANIMATIONS: Animations are cute, but take up a lot of time for
downloading.
• MAKE IT READABLE: Don’t use funny fonts. Display your message in such a way that everyone
is able to read it.
• MAKE SURE THE LINK WORKS: The best banner ad is useless if the link leads into nirvana.
MEASUREMENT UNITS
• PAGE VIEW: An HTML page that has been successfully downloaded, including all embedded
elements.
• HITS: Every access to the web server, including HTML pages, graphics, sound, frames.
• VISITS: A sequence of page views performed by a single visitor. If the user does not view a page for
fifteen minutes then the visit is over.
• VISITOR: A visitor is a user that can be identified by certain properties such as e-mail address or
cookies.
• DIFFERENTIATION: Treat all customers on a personal basis. Address the values and needs of
every single customer.
• TRACKING: In order to understand your customers better it is necessary to track every
transaction for every individual customer.
• CUSTOMIZATION: Build product modules, information parts and service components that can be
adapted to the needs of every single customer.
• CUSTOMER SATISFACTION: Every dimension of satisfaction gets its own score, which then can
be compared to evaluate the strengths and weaknesses of your electronic business. The result can be
used to plan quality improvements and launch immediate updates of the service in case of problems.
The data can be gathered by evaluating log files and by asking customers to fill in a survey either on
the web or via e-mail.
• CUSTOMER VALUE ADDED: This index is generated by dividing your business's overall customer
satisfaction by the scores of all businesses competing in a certain market segment. This will give you
an idea where your company is positioned in the market.
• COLD FUSION: Tool for rapid application development and site design.
• GROUP LENS: A collaborative filtering solution with rating services for content or products.
• WEB OBJECTS: A framework for developing e-business applications that need to access legacy
databases. Provides a strong one-to-one technology to serve data to visitors.
• CLARIFICATION: Question and confirm any message that appears to contain a critical mistake in
typing.
• CROSS BORDERS: The internet is open to any culture and nation. Be sure not to offend your target
audience.
• LOG FILES: Don’t rely on web server log files. Try to find more meaningful data.
• SPAM: Never misuse e-mail to spam. It provokes more anger than response.
CHOOSING AN ISP
• RELIABILITY: An ISP should be up and running more than 99.9 percent of the time each year.
• PERFORMANCE: Don’t believe the marketing hype of the ISPs. Get performance data from third
parties.
• PRICE: price is not everything. Look out for an ISP that offers complete service.
• TECH SUPPORT: Establish the ISP as your partner. Create strong links between your company and the
ISP.
The FO-market making is installed locally at the client and includes all modules needed for a rapid
integration of existing contracts into the system. Due to its open architecture, FO-market making easily
interfaces via XML standards. The integration of FO-link brings full control over e-markets.
The bi-directional messaging between the modules guarantees high-speed and controlled price
publishing, immediate position updates and full control over e-markets.
E-MARKETING
E-marketing is essentially part of marketing. So the place to begin defining E-marketing is to consider
where it fits within the subject of marketing. So let's start with a definition of marketing. The American
Marketing Association (AMA) definition (2004) is as follows: Marketing is an organizational function
and a set of processes for creating, communicating and delivering value to customers and for managing
customer relationships in ways that benefit the organization and its stakeholders. Therefore E-marketing
by its very nature is one aspect of an organizational function and a set of processes for creating,
communicating and delivering value to customers and for managing customer relationships in ways that
benefit the organization and its stakeholders. As such an aspect, E-marketing has its own approaches and
tools that contribute to the achievement of marketing goals and objectives.
Traditional marketing focused on target groups and on creating a positive image for that particular
group. Communication in advertising was one way only. The marketing team could not get immediate
feedback on customer reactions. In the pre-information society this was fine, as there was time to do
surveys and publish the results, which influenced the company strategy and the products.
In the information society everything has started to flow. Products, strategies, prices, everything depends
on the customer’s needs. Everything becomes much more customer centric. The demands of the
customer directly affect product design, marketing strategies and the product pricing. As marketing
traditionally has direct ties to the customers, the information flowing back from the customers in real-
time needs to be passed on to the appropriate department within the company to react in real time to the
ever faster changing demands of the customers.
The internet allows companies to react to individual customer demands. All customers can be treated in
their preferred way. One-to-one marketing has become the standard way of dealing with customers over
the internet. One-to-many marketing does not work anymore in internet time.
WHAT ARE THE E-MARKETING TOOLS?
• A company can distribute via the Internet.
• A company can use the Internet as a way of building and maintaining a customer relationship.
• The money collection part of a transaction could be done online.
• Leads can be generated by attracting potential customers to sign-up for short periods of time,
before signing up for the long-term.
• The Internet could be used for advertising.
• Finally, the web can be used as a way of collecting direct responses e.g. as part of a voting
system for a game show.
• Reach
The nature of the internet means businesses now have a truly global reach. While traditional media costs
limit this kind of reach to huge multinationals, e-marketing opens up new avenues for smaller
businesses, on a much smaller budget, to access potential consumers from all over the world.
• Scope
Internet marketing allows the marketer to reach consumers in a wide range of ways and enables them to
offer a wide range of products and services. E-marketing includes, among other things, information
management, public relations, customer service and sales. With the range of new technologies becoming
available all the time, this scope can only grow.
• Interactivity
Whereas traditional marketing is largely about getting a brand's message out there, E-marketing
facilitates conversations between companies and consumers. With a two-way communication channel,
companies can feed off the responses of their consumers, making them more dynamic and adaptive.
• Immediacy
Internet marketing is able to, in ways never before imagined, provide an immediate impact. Imagine
you’re reading your favorite magazine. You see a double-page advert for some new product or service,
maybe BMW’s latest luxury sedan or Apple’s latest iPod offering. With this kind of traditional media,
it’s not that easy for you, the consumer, to take the step from hearing about a product to actual
acquisition. With E-marketing, it’s easy to make that step as simple as possible, meaning that within a
few short clicks you could have booked a test drive or ordered the iPod. And all of this can happen
regardless of normal office hours. Effectively, Internet marketing makes business hours 24 hours per
day, 7 days per week for every week of the year. By closing the gap between providing information and
eliciting a consumer reaction, the consumer's buying cycle is sped up and advertising spend can go
much further in creating immediate leads.
E-SERVICE
An E-Service is a service or resource that can be accessed on the net by people, businesses and devices.
Several e-services can be combined automatically to perform virtually any kind of task or transaction. In
order to understand the new opportunities better it is necessary to look at today's business on the
internet. Most internet business is based on web servers and browsers that communicate and exchange
information and follow pre-defined processes. The web-enabled start-ups rocked whole industries by
reaching out to customers that were not accessible to small companies before. Slowly companies have
started to think about their business differently. They adopt the rules of the start-ups and redefine their
customer services. Customer-centric business has become more important and customers have been
enabled through the web to serve themselves.
The open service paradigm developed by HP makes electronic services more modular, which allows
them to be assembled on the fly, as they are based on the open-services interface. They can be combined
more easily to offer new types of services. It is expected that the shift in paradigm will be followed in
the business world and in the IT area. Websites will become less important. The automated services will
more likely work in the background. With e-services this will become reality. By implementing
e-services it has become possible to offer traditional services, e.g. banking, via a wider variety of devices
and to implement new services. E-services will help to ensure the availability and security of these services
(processing power, data storage and data mining). E-services will give companies much more flexibility
in the way they manage their IT infrastructures, making more efficient use of resources both in-house and
outside. The IT department will transform into a service provider, which will use outsourcing strategically
to lower costs and gain flexibility. It will enable e-services of all types and plan profitable e-services
solutions. Another interesting field for the e-services paradigm is pay-per-use: e-services will be
tightly woven into daily life. People will plug into them via e-services utilities. E-services are highly
modular, making them attractive to a large group of customers who do not want to buy enormous,
monolithic systems. Customers are able to subscribe to the specific services they want to use. This
reduces the initial cost for accessing a service, and companies will be able to generate more stable profit
streams as the money comes in on a more regular basis and from more customers. Another advantage of
e-services is that they can be developed, tested and put on the market much more quickly because of
their modular architecture. E-services make it possible to focus on the real work and neglect the
underlying technology and processes. End users will be able to take advantage of much more
sophisticated services because they don't have to buy the whole thing.
E-TENDER
E-Tendering can provide for:
MOD encourages the use of e-tendering for some competition but the ability to do so is not yet
widespread throughout the industry. MOD aspires to introduce a corporate capability to undertake e-
tendering, which ideally will be a Government-wide system.
WHAT IS E-TENDER?
The exchange of information by digital files and electronic communications has been normal practice
within the defense sector for some time; indeed tender documentation has often been supported by the
use of floppy disk, CD-ROM or e-mail. E-tendering is more fundamental. It is the conduct of the
complete tendering exercise, from the advertising of the requirement through to the placing of the
contract, including the exchange of all relevant documents, all by electronic communication. Ultimately
contract management and the monitoring of contract performance will be conducted by electronic
communication.
BENEFITS
• Making the government easier for industry to do business with.
• Opportunities to stimulate increased interest in all markets by reducing the burden that tendering to
Government can be.
• Efficient and effective electronic interface between industry and MOD, leading to reduced costs and
time savings on both sides.
• Quick and accurate pre-qualification and evaluation which enables the automatic rejection of
Industry partners that fail to meet stipulated fixed criteria.
• Opportunity for the transmission of quality information to and from industry to enable a clear
understanding of the requirement and proposals.
• Opportunities to respond quickly to any questions and points of clarification during the tender
period.
• Reduction in the traditionally labor intensive tasks of receipt, recording & distribution of tender
submissions.
• Reducing the paper trail on tendering exercises, reducing costs to the MOD and industry alike and
supporting “green” issues.
• Providing a clearer audit trail demonstrating integrity.
• Provision of quality management information.
• Improved opportunity for like-for-like comparison of qualitative and quantitative information, resulting
in a faster, more accurate evaluation of tenders.
WHAT TENDERING TASKS CAN BE DONE ELECTRONICALLY
With the improved capability across some areas of the MOD and industry, it is now possible to enable
the electronic conduct of competitive and single tender responses as well as acceptances and declines.
The following conditions should be satisfied.
• Electronic signatures for documents originated from industry are created and managed by PKI,
backed by a commercial provider that has been approved by the MOD PKI policy management
authority.
• Electronic signatures for documents originated from the MOD are created and managed by a PKI
authorized by the MOD PKI policy management authority.
• The security and operating procedures of MOD and industry internal information systems are
maintained.
• The current principles (though not the entire practice) of the MOD tender board are fully replicated by
the use of a "virtual" tender box, which restricts access to tenders until after the due date and time for
receipt.
• The integrity of stored tender documentation is maintained through the use of an appropriate
technical infrastructure.
If these conditions are fully met, the paper "Master Copy" is no longer necessary, as there is no legal
requirement for paper documentation provided that the electronic information is sufficiently robust to
be produced as evidence. The requirement for a paper master copy of contracts is likely to remain until
confidence in an electronic repository for contracts has been developed.
FIREWALL SYSTEMS
A firewall system is a secure host that acts as a barrier between your internal network and outside
networks. The internal network treats every other network as untrusted. You should consider this setup
as mandatory between your internal network and any external networks, such as the Internet, with which
you communicate. A firewall acts as a gateway and as a barrier. A firewall acts as a gateway that passes
data between the networks. A firewall acts as a barrier that blocks the free passage of data to and from
the network. The firewall requires a user on the internal network to log in to the firewall system to
access hosts on remote networks. Similarly, a user on an outside network must first log in to the firewall
system before being granted access to a host on the internal network. A firewall can also be useful
between some internal networks. For example, you can set up a firewall or a secure gateway computer to
restrict the transfer of packets. The gateway can forbid packet exchange between two networks, unless
the gateway computer is the source address or the destination address of the packet. A firewall should
also be set up to forward packets for particular protocols only. For example, you can allow packets for
transferring mail, but not allow packets for the telnet or the rlogin command. ASET, when run at high
security, disables the forwarding of Internet Protocol (IP) packets.
In addition, all electronic mail that is sent from the internal network is first sent to the firewall system.
The firewall then transfers the mail to a host on an external network. The firewall system also receives
all incoming electronic mail, and distributes the mail to the hosts on the internal network.
The firewall is a system of hardware and software components that define which connections are
allowed to pass back and forth between communication partners. By using a firewall system, for
example, between your intranet and the Internet, you can allow a defined set of services to pass through
the different network zones while keeping other services out. For example, you can allow users in your
company's intranet to use Internet services such as mail or http, but not other services such as telnet. The
graphic below shows an example firewall scenario. Note that the machines in the so-called
"demilitarized zone" are not directly accessible from either the internal or the external networks. The
routers and packet filters are configured to allow only connections for specified network services.
There are two primary firewall types:
1. Packet filters: The functions used for packet filtering are typically available in routers. A router's
primary function is to route network traffic based on the source or destination IP addresses, TCP
ports, or protocols used; in this way certain requests are routed to the server that can best handle
them. For example, mail requests are routed to the company's mail server and ftp (file transfer
protocol) requests to the company's ftp server. Using the router's packet filtering functions you can
also restrict traffic based on this same information, for example to completely block requests that
use an undesired protocol such as telnet. A packet filter, however, cannot filter on information sent
at the application level.
2. Application-level gateways: Unlike packet filters, application-level gateways (proxies) work at the
application level. They are capable of permitting or rejecting requests based on the content of the
network traffic.
IPSEC PROTOCOL
IPSEC is a framework for security that operates at the Network Layer by extending the IP packet header
(using additional protocol numbers, not IP options). This gives it the ability to encrypt any higher layer
protocol, including arbitrary TCP and UDP sessions, so it offers the greatest flexibility of all the existing
TCP/IP cryptosystems. Flexibility, however, often comes at the price of complexity, and IPSEC is no
exception. Configuring which addresses and ports to encrypt, using which IPSEC options, soon begins
to look like configuring packet filtering; then add in the additional complexities of key management.
While conceptually simple, setting up IPSEC is much more complex than installing SSH, for example.
IPSEC also has the disadvantage of requiring operating system support, since most O/S kernels don't
allow user programs to manipulate IP headers directly. IPSEC defines a "Security Association" (SA) as
its primitive means of protecting IP packets. An SA is identified by the packet's destination IP address,
the security protocol (AH or ESP) and a 32-bit Security Parameter Index (SPI), which functions
somewhat like a TCP or UDP port number in that it allows multiple SAs to a single destination address.
SAs can operate in transport mode, where the IPSEC data field begins with the upper level packet
headers (usually TCP, UDP, or ICMP), or in tunnel mode, where the IPSEC data field begins with an
entirely new IP packet header, as in the IP-in-IP encapsulation of RFC 2003. Furthermore, SAs can be
encapsulated within SAs, forming SA bundles, allowing layered IPSEC protection.
IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and
IPv6. The set of security services offered includes access control, connectionless integrity, data origin
authentication, protection against replays (a form of partial sequence integrity), confidentiality
(encryption), and limited traffic flow confidentiality. These services are provided at the IP layer,
offering protection for IP and/or upper layer protocols. These objectives are met through the use of two
traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload
(ESP), and through the use of cryptographic key management procedures and protocols. The set of IPsec
protocols employed in any context, and the ways in which they are employed, will be determined by the
security and system requirements of users, applications, and/or sites/organizations. When these
mechanisms are correctly implemented and deployed, they ought not to adversely affect users, hosts,
and other Internet components that do not employ these security mechanisms for protection of their
traffic. These mechanisms also are designed to be algorithm-independent. This modularity permits
selection of different sets of algorithms without affecting the other parts of the implementation. For
example, different user communities may select different sets of algorithms (creating cliques) if
required. A standard set of default algorithms is specified to facilitate interoperability in the global
Internet. The use of these algorithms, in conjunction with IPsec traffic protection and key management
protocols, is intended to permit system and application developers to deploy high quality, Internet layer,
cryptographic security technology.
IPSEC PROTOCOLS
To provide security for the IP layer, IPSec defines two protocols: Authentication Header (AH) and
Encapsulating Security Payload (ESP). These protocols provide security services for the SA. Each SA is
identified by the Security Parameters Index (SPI), IP destination address, and security protocol (AH or
ESP) identifier. The SPI is a unique, identifying value in an SA that is used to distinguish among
multiple SAs on the receiving computer. For example, IPSec communication between two computers
requires two SAs on each computer. One SA services inbound traffic and the other services outbound
traffic. Because the addresses of the IPSec peers for the two SAs are the same, the SPI is used to
distinguish between the inbound and outbound SA. Because the encryption keys differ for each SA, each
SA must be uniquely identified.
ALGORITHMS AND METHODS
The IPSec protocols use authentication, encryption, and key exchange algorithms. Two authentication
(keyed hash) algorithms, HMAC-MD5 (Hash Message Authentication Code with MD5) and
HMAC-SHA-1, are used with both the AH and ESP protocols, and the DES and 3DES encryption
algorithms are used with ESP. The peer authentication methods for IPSec, as defined by the IKE
protocol, fall into three categories: digital signatures, public-key encryption, and pre-shared keys.
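As an added example (not part of the original text), the following Python sketch models what the SA and SPI description above amounts to on the receiving side: a Security Association Database keyed on (destination, SPI, protocol), a per-SA HMAC-SHA-1-96 integrity check over SPI + sequence number + payload, and the anti-replay window. It is a simplified model, not a real AH/ESP implementation: the HMAC key is assumed to have been agreed by IKE, no encryption is applied, and the on-the-wire layout used here (SPI, sequence number, payload, ICV) is an assumption that only mirrors the order of the ESP fields.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

ICV_LEN = 12  # HMAC-SHA-1-96: the 20-byte SHA-1 tag is truncated to 96 bits, as IPsec does


@dataclass
class SecurityAssociation:
    """One direction of protection between two peers.

    The triple (dst, spi, proto) identifies the SA; the SPI is what lets a receiver tell
    several SAs to the same destination apart.
    """
    spi: int
    dst: str
    proto: str            # "AH" or "ESP"
    auth_key: bytes       # HMAC key (assumed here to have been agreed out of band, e.g. by IKE)
    seq: int = 0          # last sequence number sent (outbound use)
    window: int = 32      # anti-replay window size in packets (inbound use)
    highest: int = 0      # highest sequence number accepted so far (inbound use)
    seen: int = 0         # bitmap: bit i set means sequence number (highest - i) was accepted


SAD = {}  # Security Association Database: (dst, spi, proto) -> SecurityAssociation


def establish(spi, dst, proto, key):
    """Create matching SA state on both ends: register the receiver's copy, return the sender's."""
    SAD[(dst, spi, proto)] = SecurityAssociation(spi, dst, proto, key)
    return SecurityAssociation(spi, dst, proto, key)


def protect(sa, payload):
    """Outbound: prepend SPI + sequence number, append the integrity check value (ICV)."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


def verify(dst, proto, packet):
    """Inbound: look up the SA, check the ICV, then enforce the anti-replay window.

    Returns the payload, or None if the packet must be dropped.
    """
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((dst, spi, proto))
    if sa is None:
        return None                      # no SA for this (dst, spi, proto): drop
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                      # forged or corrupted: drop before touching the window
    if seq == 0:
        return None                      # sequence numbers start at 1
    if seq > sa.highest:                 # newer than anything seen: slide the window forward
        shift = seq - sa.highest
        sa.seen = ((sa.seen << shift) | 1) & ((1 << sa.window) - 1) if shift < sa.window else 1
        sa.highest = seq
    else:                                # inside or behind the window
        offset = sa.highest - seq
        if offset >= sa.window or sa.seen & (1 << offset):
            return None                  # too old, or a replay of an already accepted packet
        sa.seen |= 1 << offset
    return body[8:]
```

Two SAs with different SPIs are needed for the two directions between a pair of peers. A packet whose ICV fails is dropped before the window is updated, so forged packets cannot push the window forward, and a replayed or too-old sequence number is dropped even though its ICV is valid.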
IP SPOOFING
Criminals have long employed the tactic of masking their true identity, from disguises to aliases to
caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious
activities on networks and computers should employ such techniques. IP spoofing is one of the most
common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a
computer or a network by making it appear that a malicious message has come from a trusted machine
by “spoofing” the IP address of that machine.
Internet Protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is
connectionless: no information about transaction state is kept, and the protocol is used only to route
packets across a network. Additionally, there is no mechanism to ensure that a packet is properly
delivered to the destination.
Examining the IP header, we can see that the first 12 bytes (the top 3 rows of the header) contain
various information about the packet. The next 8 bytes (the next 2 rows), however, contain the source
and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses,
specifically the "source address" field. It's important to note that each datagram is sent independently of
all others because of the stateless nature of IP. IP can be thought of as a routing wrapper for layer 4
(transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-
oriented design. This means that the participants in a TCP session must first build a connection, via the
3-way handshake (SYN, SYN/ACK, ACK), and then keep one another updated on progress via sequence
and acknowledgement numbers. This "conversation" provides reliability, since the sender learns from the
recipient's acknowledgements which data has arrived and retransmits what has not.
As you can see above, a TCP header is very different from an IP header. We are concerned with the first
12 bytes of the TCP header, which contain the port and sequencing information. Much like an IP
datagram, TCP segments can be manipulated using software. The source and destination ports normally
depend on the network application in use (for example, HTTP via port 80). What's important for our
understanding of spoofing are the sequence and acknowledgement numbers. The data in these fields
ensures delivery by letting each side determine whether a segment needs to be resent. The sequence
number gives the position, within the data stream, of the first byte carried in the current segment. The
acknowledgement number, in turn, contains the value of the next sequence number expected from the
other side. This relationship confirms, on both ends, that the proper segments were received. It's quite
different from IP, since transaction state is closely monitored.
There are a few variations on the types of attacks that successfully employ IP spoofing. Although some
are relatively dated, others are very pertinent to current security concerns.
Non-Blind Spoofing: This type of attack takes place when the attacker is on the same subnet as the
victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty
of calculating them accurately. The biggest threat of spoofing in this instance would be session
hijacking. This is accomplished by corrupting the data stream of an established connection, then re-
establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using
this technique, an attacker could effectively bypass any authentication measures taken place to build the
connection.
Blind Spoofing: This is a more sophisticated attack, because the attacker is not on the victim's subnet
and so cannot sniff the sequence and acknowledgement numbers. To get around this, several packets are
sent to the target machine in order to sample its sequence numbers. While no longer the case today,
machines in the past used simple, predictable techniques for generating initial sequence numbers, and it
was relatively easy to discover the exact formula by studying packets and TCP sessions.
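The following added example (Python, not from the original text) makes the header fields and the blind-spoofing sampling concrete. It builds and parses minimal IPv4 + TCP headers, picking the source and destination addresses out of bytes 12 to 19 of the IP header and the ports, sequence and acknowledgement numbers out of the first 12 bytes of the TCP header, and models a legacy host that increments its initial sequence number (ISN) by a fixed step per connection, so that a few probes from the attacker's real address are enough to predict the ISN the host will use for the next, spoofed connection. The host model, the addresses, ports and step size are constructed for the example; checksums are left at zero.

```python
import struct

SYN, ACK = 0x02, 0x10


def inet_aton(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def inet_ntoa(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Minimal 20-byte IPv4 header + 20-byte TCP header (constructed; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Pull out exactly the fields a spoofer cares about: addresses, ports, seq/ack, flags."""
    ihl = (raw[0] & 0x0F) * 4                                   # IP header length in bytes
    src, dst = inet_ntoa(raw[12:16]), inet_ntoa(raw[16:20])     # bytes 12..19 of the IP header
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])  # first 12 TCP bytes
    flags = raw[ihl + 13]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK)}


def predict_next_isn(samples):
    """Given ISNs from successive SYN/ACKs, return the next ISN if the generator is a
    constant-increment counter (the old, predictable scheme), else None."""
    if len(samples) < 3:
        return None
    deltas = {(b - a) % 2 ** 32 for a, b in zip(samples, samples[1:])}
    if len(deltas) != 1:
        return None                       # increments vary: treat the generator as unpredictable
    return (samples[-1] + deltas.pop()) % 2 ** 32


class LegacyTcpStack:
    """Constructed model of a host that hands out ISNs by adding a fixed step per connection."""
    def __init__(self, start, step):
        self.isn, self.step = start, step

    def syn_ack(self, client_syn):
        """Answer a SYN with a SYN/ACK carrying the next ISN and acknowledging the client's seq + 1."""
        self.isn = (self.isn + self.step) % 2 ** 32
        c = parse_ipv4_tcp(client_syn)
        return build_ipv4_tcp(c["dst"], c["src"], c["dport"], c["sport"],
                              self.isn, (c["seq"] + 1) % 2 ** 32, SYN | ACK)


def sample_isns(server, probes):
    """Send `probes` SYNs from the attacker's real address and read the server's ISNs back."""
    isns = []
    for i in range(probes):
        syn = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000 + i, 25, 1000 * i, 0, SYN)
        isns.append(parse_ipv4_tcp(server.syn_ack(syn))["seq"])
    return isns
```

With a modern stack the sampled ISNs show no constant increment and predict_next_isn returns None, which is the property that makes blind spoofing impractical today.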
Man in the Middle Attack: Both types of spoofing are forms of a common security violation known as
a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate
communication between two friendly parties. The malicious host then controls the flow of
communication and can eliminate or alter the information sent by one of the original participants
without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a
victim into disclosing confidential information by “spoofing” the identity of the original sender, who is
presumably trusted by the recipient.
Denial of Service Attack: IP spoofing is almost always used in what is currently one of the most
difficult attacks to defend against: denial of service (DoS). Since the crackers are concerned only with
consuming bandwidth and resources, they need not worry about properly completing handshakes and
transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of
time. To prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and
stopping the DoS as difficult as possible. When multiple compromised hosts participate in the attack, all
sending spoofed traffic, it is very challenging to block the traffic quickly.
Misconceptions of IP Spoofing: While some of the attacks described above are a bit outdated, such as
session hijacking for host-based authentication services, IP spoofing is still prevalent in network
scanning and probes, as well as denial of service floods. However, the technique does not allow for
anonymous Internet access, which is a common misconception for those unfamiliar with the practice.
Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances
such as evasion and connection hijacking.
There are a few precautions that can be taken to limit IP spoofing risks on your network, such as:
Filtering at the Router - Implementing ingress and egress filtering on your border routers is a great
place to start your spoofing defense. You will need to implement an ACL (access control list) that
blocks private IP addresses on your downstream interface. Additionally, this interface should not accept
addresses with your internal range as the source, as this is a common spoofing technique used to
circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your
valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.
Encryption and Authentication - Implementing encryption and authentication will also reduce
spoofing threats. Both are provided by IPsec, which is built into IPv6; they protect the traffic that
actually uses them rather than eliminating spoofing altogether. Additionally, you should eliminate all
host-based authentication measures, which are sometimes common for machines on the same subnet:
address-based trust of the kind used by rlogin is exactly what a spoofed packet exploits. Ensure that
proper authentication measures are in place and are carried out over a secure (encrypted) channel.
IT ACT 2000
The first cyber law in India was passed on October 17, 2000. The purpose of the IT Act 2000, in the
language of the act, is "to provide legal recognition for transactions carried out by means of electronic
data interchange and other means of electronic communication, commonly referred to as "electronic
commerce", which involves the use of alternatives to paper based methods of communication and
storage of information, to facilitate electronic filing of documents with the Government agencies and
further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence
Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental
thereto".
• MICRO PAYMENTS
For transactions with a value of less than approximately 5 Euro or Dollar, suitable payment solutions
are based on the electronic cash principle, as the transaction costs of these systems are nearly zero.
• CONSUMER PAYMENTS
Typical consumer payments are executed by credit card transaction, where the transaction value is
between about 5 and 500 Euro or Dollar.
• BUSINESS PAYMENTS
Direct debit or invoices seem to be the most appropriate solutions for transactions with a value of
more than 500 Euro or Dollar.
Over the last few years, many developers have tried to push micro payment solutions to the internet, but
only very few have succeeded. The problem was never the technical implementation, but the internet
itself. Every company on the internet gives away small pieces of information for free. So it is hard to
justify the need to pay for small bits of information, even if the price is only a fraction of a cent. The
other issue is a psychological problem. If you have the choice of paying a one-time fee of 20 Dollars or
Euro or paying 50 cents for every transaction, about 80 percent of the people will either pay the one-
time fee or use the service only very seldom as it requires a new payment each time. It makes financial
calculations more difficult as you do not know in advance how much money the service will cost and
spending money means always thinking about it for a while.
The 1982 standards do not allow EDI to be reliably transmitted through Internet e-mail, since EDI
messages can violate all of these restrictions. There are a number of other types of messages and
services that are supported by other, more recently designed e-mail standards. A new Internet mail
standard was approved in June of 1992. The new standard is called MIME. MIME is an acronym for
Multipurpose Internet Mail Extensions. It builds on the older standard by standardizing additional fields
for mail message headers that describe new types of content and organization for messages. MIME
allows mail messages to contain:
• Multiple objects in a single message.
• Text having unlimited line length or overall length.
• Character sets other than ASCII, allowing non-English language messages.
• Multi-font messages.
• Binary or application specific files.
• Images, Audio, Video and multi-media messages.
MIME is an extensible mechanism. It is expected that the set of content-type/subtype pairs and their
associated parameters will grow with time. Several other MIME fields, such as character set names, are
likely to have new values defined over time. To ensure that the set of such values develops in an orderly
and public manner, MIME defines a registration process that uses the Internet Assigned Numbers
Authority (IANA) as a central registry for such values. To promote interoperability between
implementations, the MIME standard document specifies a minimal subset of the above mechanisms
that are required for an implementation to claim to conform to the MIME standard. MIME allows
messages to contain multiple objects. When multiple objects are in a MIME message, they are
represented in a form called a body part. A body part has a header and a body, so it makes sense to speak
about the body of a body part. Also, body parts can be nested in bodies that contain one or multiple body
parts.
MIME was defined in 1992 by the Internet Engineering Task Force (IETF). A later extension, S/MIME,
supports signed and encrypted messages. New MIME data types are registered with the Internet
Assigned Numbers Authority (IANA). MIME is specified in detail in Internet Requests for Comments
1521 and 1522, which extend the original mail protocol specification, RFC 821 (the Simple Mail
Transfer Protocol), and the ASCII message header format, RFC 822.
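An added Python example (not from the original text) showing the body-part structure described above: the standard library's email package builds a message whose multipart/mixed body contains a nested multipart/alternative body part and a base64-encoded binary attachment, serializes it to the 7-bit wire form a mail relay sees, and parses it back so the tree of body parts and the decoded attachment can be checked. The addresses and the attachment bytes are constructed sample data.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample attachment: a few bytes that are not printable ASCII, as an EDI file might contain.
ORDER_BYTES = b"UNB+UNOA:3+SENDER+RECEIVER+000101:1200+1'\x00\x01\xff"


def build_message():
    """text/plain + text/html alternatives, then a binary attachment: the result nests a
    multipart/alternative body part inside a multipart/mixed message."""
    msg = EmailMessage()
    msg["From"] = "buyer@example.com"
    msg["To"] = "supplier@example.com"
    msg["Subject"] = "Purchase order 4711"
    msg.set_content("Order 4711 attached.\n")
    msg.add_alternative("<p>Order 4711 attached.</p>", subtype="html")
    msg.add_attachment(ORDER_BYTES, maintype="application", subtype="octet-stream",
                       filename="order4711.edi")
    return msg


def outline(part, depth=0):
    """Walk the body-part tree: [(depth, content type), ...] in document order.
    A body part has its own header and body, and may itself contain body parts."""
    rows = [(depth, part.get_content_type())]
    if part.is_multipart():
        for sub in part.iter_parts():
            rows.extend(outline(sub, depth + 1))
    return rows


def attachments(msg):
    """{filename: decoded bytes} for every attachment, whatever transfer encoding was used."""
    return {sub.get_filename(): sub.get_payload(decode=True) for sub in msg.iter_attachments()}


def max_line_length(raw):
    return max(len(line) for line in raw.splitlines())


def roundtrip(msg):
    """Serialize to the wire form and parse it back, as the receiving mail system would."""
    raw = msg.as_bytes()
    return raw, BytesParser(policy=policy.default).parsebytes(raw)
```

The wire form is pure ASCII with lines well under the 998-byte limit even though the attachment is binary: that is the transfer-encoding half of MIME doing its job, and the parser restores the original bytes from it.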
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept
small for easy handling. When larger amounts of continuous data must be sent, it is broken up into
numbered packets for transmission and reassembled at the receiving end. Your entire file downloads,
Web page retrievals, emails: all these Internet communications always occur in packets. A packet is
basically a series of digital numbers, which conveys these things:
• The data, acknowledgment, request or command from the originating system
• The source IP address and port
• The destination IP address and port
• Information about the protocol (set of rules) by which the packet is to be handled
• Error checking information
• Usually, some sort of information about the type and status of the data being sent
• Often, a few other things too - which don't matter for our purposes here.
An IP packet filter firewall allows you to create a set of rules that either discard or accept traffic over a
network connection. The filter itself does not modify the traffic in any way. Because a packet filter can
only discard or pass traffic that is sent to it, the device with the packet filter must either perform IP
routing or be the destination for the traffic. A packet filter has a set of rules with accept or deny actions.
When the packet filter receives a packet, it compares the packet to your pre-configured rule set. At the
first match, the packet filter either accepts or denies the packet. Most packet filters have an implicit
deny-all rule at the bottom of the rules file.
In packet filtering, only the protocol and the address information of each packet is examined. Its
contents and context (its relation to other packets and to the intended application) are ignored. The
firewall pays no attention to applications on the host or local network and it "knows" nothing about the
sources of incoming data.
Filtering consists of examining incoming or outgoing packets and allowing or disallowing their
transmission or acceptance on the basis of a set of configurable rules, called policies. Packet filtering
policies may be based upon any of the following:
• Allowing or disallowing packets on the basis of the source IP address
• Allowing or disallowing packets on the basis of their destination port
• Allowing or disallowing packets according to protocol.
All packet filters have a common problem: the trust is based on IP addresses. Although this kind of
security is not sufficient for an entire network, it is acceptable at the component level. Most IP packet
filters are stateless, which means they do not remember anything about the packets they previously
processed. A stateful packet filter keeps some information about previous traffic, which gives you the
ability to specify that only replies to requests from the internal network are allowed in from the Internet.
Stateless packet filters are vulnerable to spoofing, since the source IP address and the ACK bit in the
packet's header can easily be forged by attackers. Packet filtering alone is very effective as far as it goes,
but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security,
but for any useful networking to occur it must of course allow some packets to pass.
Its weaknesses are:
• Address information in a packet can potentially be falsified or "spoofed" by the sender
• The data or requests contained in allowed packets may ultimately cause unwanted things to happen,
as where a hacker may exploit a known bug in a targeted Web server program to make it do his
bidding, or use an ill-gotten password to gain control or access.
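The following added example, in Python and not from the original text, puts the behaviour of the last few paragraphs together with the ingress/egress anti-spoofing rules from the IP spoofing section: first-match evaluation with an implicit deny-all, a rule set that lets mail and http out and only mail in, and the difference between a stateless filter, which can only let replies back in by trusting the ACK bit, and a stateful one, which remembers the connections it opened. The address ranges are an assumption for the example: 192.0.2.0/24 stands in for the internal network and 198.51.100.0/24 and 203.0.113.0/24 for outside hosts (all three are documentation ranges).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrives on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK bit


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None
    ack_only: bool = False     # stateless "established" test: match only if the ACK bit is set

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ack_only or p.ack))


class PacketFilter:
    """First-match rule evaluation with an implicit deny-all at the end."""
    def __init__(self, rules, stateful=False):
        self.rules, self.stateful, self.conns = list(rules), stateful, set()

    def decide(self, p):
        # Stateful: a packet from outside is a reply only if it matches a connection we opened.
        if self.stateful and p.iface == "ext" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "accept"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept" and self.stateful and p.iface == "int":
                    self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return rule.action
        return "deny"                                   # implicit deny-all


INTERNAL = "192.0.2.0/24"                              # our own address range (assumed)
MAIL_SERVER = "192.0.2.25"                             # our mail server (assumed)
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def build_rules(stateless_established=False):
    rules = [Rule("deny", iface="ext", src=INTERNAL)]                 # ingress: our range can't arrive from outside
    rules += [Rule("deny", iface="ext", src=net) for net in PRIVATE]  # ingress: nor can private ranges
    rules += [
        Rule("accept", iface="int", src=INTERNAL, proto="tcp", dport=25),    # egress: mail allowed out
        Rule("accept", iface="int", src=INTERNAL, proto="tcp", dport=80),    # egress: http allowed out
        Rule("deny", iface="int"),                  # egress: telnet, forged source addresses, everything else
        Rule("accept", iface="ext", dst=MAIL_SERVER, proto="tcp", dport=25),  # inbound: mail server only
    ]
    if stateless_established:
        # The only way a stateless filter can let replies back in: trust the (forgeable) ACK bit.
        rules.append(Rule("accept", iface="ext", proto="tcp", ack_only=True))
    return rules
```

Run the same packets through both filters: the forged packet with the ACK bit set and an unknown outside source walks through the stateless filter but is dropped by the stateful one, while the anti-spoofing rules (inside range arriving from outside, non-inside source leaving) and the telnet block behave identically in both.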
PRM (partner relationship management) came about because businesses need to deal with complex
business-to-business relationships outside the enterprise. It has become one of the core processes for
driving revenue to the end customer. The primary economic driver of PRM is the need to achieve
maximum market coverage and penetration in minimum time: partners can increase coverage while
reducing the cost of coverage. There are layers of complexity within a vendor's partner channels, and
further layers of complexity within those relationships. The tremendous volume of business being
driven through channels is itself a driver. The creation of PRM was driven above all by two things:
1. The rise of the internet as a universal network that allows multiple companies to work together
without having to co-ordinate their entire technical infrastructure.
2. The renewed rise of value added in the channel.
Any industry that uses some kind of partnership to help them sell their products is a good candidate for a
PRM solution. Businesses have always had a love/hate relationship with channels and channels partners.
Sure partners are needed to reach target markets and add services that customers want. As multi channel
strategies gain momentum, it’s clear that indirect channels remain a vital element in most industries.
Despite changes in the role of channel partners, which has shifted to services and more complex sales,
channels still account for roughly half of all global commerce. The majority of channel managers
express an interest in sales and marketing as well as in channel management. Previous research focused
solely on channel partners revealed more of an interest in sales/marketing content and in tools to make
selling and service processes more effective. Full-function PRM vendors provide a range of applications
to support the partner relationship life cycle. E-commerce vendors started with applications designed
for channels, supporting purchasing processes from partner to vendor, from customer to partner, or
both; these vendors have added more PRM functionality over time and increasingly compete with the
full-function PRM vendors. Content management vendors focus on the organization and distribution of
web-based content to help channel partners sell more effectively. Specialty vendors offer specific
applications that can be highly valuable to channel managers and/or partners. Marketplace vendors also
have a role in PRM, since it is possible to have effective channel relationships via a many-to-many
marketplace, not just in a vendor-centric extranet environment.
PRM BEST PRACTICES
• Business executive formally sponsors the project, provides direction on the specific business goals to
be accomplished and resolves critical issues.
• Project team performs a thorough analysis of short and long term requirements, soliciting input from
all key stake holders but especially channel partners.
• Project team selects solution partners’ bases on the strength of the technology and commitment to
services and support.
• Project managers staff the team with competent and committed professionals with expertise in all
critical functional and technical areas.
• Project team implements a pilot or prototype first, and then rolls out applications and user groups in
phases.
PRM is a leading-edge, but no longer bleeding-edge, strategy and technology. To gain a competitive
edge, companies must determine the key needs of their channel partners and then select and implement
the most appropriate PRM applications. PRM is a critical e-Business strategy in this increasingly
multi-channel world.
Public/private key pairs are used for asymmetric encryption. Asymmetric encryption is used mainly to
encrypt and decrypt session keys and digital signatures. Asymmetric encryption uses public key
encryption algorithms. Public key algorithms use two different keys: a public key and a private key. The
private key member of the pair must be kept private and secure. The public key, however, can be
distributed to anyone who requests it. The public key of a key pair is often distributed by means of a
digital certificate. When one key of a key pair is used to encrypt a message, the other key from that pair
is required to decrypt the message. Thus if user A's public key is used to encrypt data, only user A (or
someone who has access to user A's private key) can decrypt the data. If user A's private key is used to
encrypt a piece of data, only user A's public key will decrypt the data, thus indicating that user A (or
someone with access to user A's private key) did the encryption. If the private key is used to sign a
message, the public key from that pair must be used to validate the signature. Unfortunately, public key
algorithms are very slow, roughly 1,000 times slower than symmetric algorithms. It is impractical to use
them to encrypt large amounts of data. In practice, public key algorithms are used to encrypt session
keys. Symmetric algorithms are used for encryption/decryption of most data.
The encryption process is basically mathematical. You take a chunk of data and run a mathematical
equation on it, and the output is your encrypted chunk of data. Digital “keys” are actually mathematical
values that become part of that mathematical equation you use to encrypt your data. The reason
asymmetrical encryption works is that the calculations required to encrypt the data using the first key are
very easy, but the calculations required to reverse this process are very difficult. In order to decrypt the
data in a reasonable period of time, you must run another mathematical equation on it using the second
digital key. Having two separate keys, one that encrypts and another that decrypts the data, is really
convenient for a number of situations. For example, let's say you want people to be able to
send you encrypted email. What you would do is get a pair of encryption/decryption keys, make the
encryption key available to the public, and keep the decryption key for yourself. The publicly available
key is, logically, called the “public key,” and the privately available key is the “private key” (hence the
term public/private key encryption). Now anyone can use your public key to encrypt email messages to
you, but only you can use your private key for decryption. In theory, nobody but you will be able to read
these messages, because nobody else has access to your private key.
REVERSE AUCTIONS
• Reverse Auctions are competitions held “on-line”, with the bid prices visible to all bidders, unless a
ranked auction is held, in which bidders only know their rank relative to other bidders.
• Simple commodity items or services where the market place is highly competitive are most suitable
for reverse-auction, yet any item with clearly defined requirements and more than one source of
supply should be considered.
• It is essential that advertisements for competitions to be run on a reverse auction basis state this
clearly, along with the criteria for selection.
• European Union public procurement directives do not currently recognize the technique of reverse
auction, but are being amended to do so.
ADVERTISING
It is essential that advertisements for goods and services where a reverse auction is being considered
clearly state:
• That the ultimate selection may be made on the basis of a reverse auction.
• The evaluation criteria including any weighting between fixed elements and the variable elements of
price.
• Information on the process itself, including details of any third party service provider.
• Conditions of bidding including the minimum decrements permitted.
• Equipment / technical issues.
BENEFITS
• SPEED
The specific time frame of the auction event forces the key players to focus on the bidding process
and to make, rather than postpone, the key decisions that lead to the optimal proposal.
• UNIFYING FORCE
Early adopters are distinguishing themselves in the market place. Buyers are achieving breakthrough
levels in supplier’s performance and top suppliers are gaining market share faster and more
efficiently.
RISKS
• Transparency reveals information on the buyer's strategy and may mislead or weaken the suppliers' response.
• Transparency weakens the buyer's ability to negotiate to the desired price level if it is not attained through the reverse auction.
• Price levels may be higher than expected by suppliers.
• Technology is allowed to drive rather than enable the result.
• Selecting a non-proven, new supplier for wide application diminishes the importance of loyalty and service from established suppliers.
• Loss of credibility in the marketplace from not following through on the stated strategy.
• Technical meltdown or other technical issues may lead to an incomplete or inaccurate result.
RSA
In 1975, three researchers at MIT developed an algorithm to implement public key cryptography. Ron Rivest, Adi Shamir and Leonard Adleman invented the RSA system. The RSA algorithm initially generates two distinct keys for each user. One of the keys is defined as the public key, which can be distributed freely to anyone using any means. The public key cannot be used to decrypt any message; it can only be used to encrypt messages that are sent to the owner of the public key. Only the person holding the other key, called the private key, is able to decrypt messages that were encrypted with the public key.
In most cases RSA is not used to encrypt the messages themselves because of the time-consuming computations it requires; for most messages the time needed for encryption and decryption would be too long. Instead, RSA is used to encrypt the symmetric key with which the message was encrypted. The SSL standard, which is used to encrypt web pages, uses this feature (the URLs use https:// instead of http://). The symmetric key is generated in the web browser and then sent to the web server. To make the transmission of the key secure, the web server sends its public key to the web browser. The web browser decides on a symmetric key, encrypts it with the public key of the web server and sends it back. The web server is the only party able to decrypt this message, using its private key. The RSA key pair is thus used as an envelope for the symmetric key. Through this system it is possible to choose symmetric keys at random: if someone is able to break into one encrypted message, it gives no information about the keys used in the other messages.
RSA works as follows: take two large primes, p and q, and find their product n = pq; n is called the modulus. Choose a number e, less than n and relatively prime to (p-1)(q-1), which means that e and (p-1)(q-1) have no common factors except 1. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q may be kept with the private key, or destroyed. It is (presumably) difficult to obtain the private exponent d from the public key (n, e). If one could factor n into p and q, however, then one could obtain d. Thus the security of RSA rests on the assumption that factoring is difficult.
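The key generation, the "envelope" around a symmetric key and the dependence on factoring, as an added worked example (not part of the original text). The primes, the 32-bit "session key" and the function names are constructed for the illustration; a real deployment uses primes of at least 1024 bits and a padding scheme.

```python
# Added example (not from the original text): textbook RSA as described above,
# with toy primes small enough that trial division recovers d, illustrating
# why the security rests on factoring being hard for real-sized moduli.
from math import gcd

def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for two distinct primes p and q."""
    n = p * q                      # the modulus
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:           # e must be relatively prime to (p-1)(q-1)
        raise ValueError("e shares a factor with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: (e*d - 1) is divisible by phi
    return (n, e), (n, d)

def encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)

def seal_session_key(public_key, key_bytes):
    """The 'envelope' from the text: RSA-encrypt a randomly chosen symmetric key."""
    return encrypt(public_key, int.from_bytes(key_bytes, "big"))

def open_session_key(private_key, c, key_len):
    return decrypt(private_key, c).to_bytes(key_len, "big")

def private_exponent_from_factors(public_key, p, q):
    """Once n is factored, the private exponent follows immediately."""
    n, e = public_key
    if p * q != n:
        raise ValueError("p*q does not equal the modulus")
    return pow(e, -1, (p - 1) * (q - 1))

def factor_by_trial_division(n):
    """Feasible only for toy moduli; for real key sizes this is the hard problem."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no factor found")

if __name__ == "__main__":
    pub, priv = keygen(1000003, 999983)            # constructed toy primes (~20 bits each)
    session_key = bytes.fromhex("0badc0de")        # constructed 32-bit "symmetric key"
    sealed = seal_session_key(pub, session_key)
    print(open_session_key(priv, sealed, 4) == session_key)
    print(private_exponent_from_factors(pub, *factor_by_trial_division(pub[0])) == priv[1])
```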
SET
SET provides some privacy features which make it harder to gain information on the customer. SET defines more than just encryption: transaction flows, message formats and encryption algorithms are provided as standard in order to guarantee the integrity and confidentiality of the messages and the authentication of the users. Additional security will be introduced in SET 2.0, when smart cards will be supported; several pilots of C-SET (Chip-secured Secure Electronic Transaction) are under way at the time of writing. SET was developed in 1996 by MasterCard and Visa. The SET specifications include the following:
• HIGHLY SECURE
Credit card information can be transmitted over public networks using strong encryption techniques.
• LOW VISIBILITY
Only the information a partner needs to see is displayed. The merchant does not need to see the
credit card information and the bank does not need to see which orders have been placed.
• RECOGNIZED STANDARDS
Transaction flows, message formats, integrity, authentication, confidentiality and the encryption algorithms are all defined in the SET standard.
• NON-REPUDIATION
The SET standard defines a public key infrastructure, which is used for verification of the
participants and to encrypt / decrypt the messages sent between the partners. A digital signature is
used to identify the participants.
S-HTTP
S-HTTP was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections. S-HTTP provides a wide variety of mechanisms for confidentiality, authentication, and integrity. Secure HTTP (S-HTTP) is a secure message-oriented communications protocol designed for use in conjunction with HTTP. It is designed to coexist with HTTP's messaging model and to be easily integrated with HTTP applications. Secure HTTP provides a variety of security mechanisms to HTTP clients and servers, offering the security service options appropriate to the wide range of potential end uses of the World-Wide Web (WWW). S-HTTP provides symmetric capabilities to both client and server (equal treatment is given to both requests and replies, as well as to the preferences of both parties) while preserving the transaction model and implementation characteristics of HTTP.
Several cryptographic message format standards may be incorporated into S-HTTP clients and servers. S-HTTP supports interoperation among a variety of implementations, and is compatible with HTTP: S-HTTP-aware clients can communicate with S-HTTP-oblivious servers and vice versa, although such transactions obviously would not use S-HTTP security features. S-HTTP does not require client-side public key certificates (or public keys), as it supports symmetric-key-only operation modes. This is significant because it means that spontaneous private transactions can occur without requiring individual users to have an established public key. While S-HTTP is able to take advantage of ubiquitous certification infrastructures, its deployment does not require them. S-HTTP supports end-to-end secure transactions. Clients may be "primed" to initiate a secure transaction (typically using information supplied in message headers); this may be used to support encryption of fill-out forms, for example. With S-HTTP, no sensitive data need ever be sent over the network in the clear.
S-HTTP provides full flexibility of cryptographic algorithms, modes and parameters. Option negotiation is used to allow clients and servers to agree on transaction modes, cryptographic algorithms (RSA vs. DSA for signing, DES vs. RC2 for encrypting, etc.) and certificate selection. S-HTTP attempts to avoid presuming a particular trust model, although its designers admit to a conscious effort to facilitate multiply-rooted hierarchical trust, and anticipate that principals may have many public key certificates. S-HTTP differs from Digest Authentication in that it provides support for public key cryptography and consequently digital signature capability, as well as providing confidentiality. Another popular way of securing web communication is HTTPS, which is HTTP run on top of TLS or SSL for secured transactions.
Syntactically, Secure HTTP messages are the same as HTTP, consisting of a request or status line followed by headers and a body. However, the range of headers is different and the bodies are typically cryptographically enhanced. S-HTTP messages, just like HTTP messages, consist of requests from client to server and responses from server to client. The request message has the following format:
Request Line | General header | Request header | Entity header | Message Body
In order to differentiate S-HTTP messages from HTTP messages and allow for special processing, the request line should use the special "Secure" method and the protocol designator "Secure-HTTP/1.4". Consequently, Secure-HTTP and HTTP processing can be intermixed on the same TCP port, e.g. port 80. In order to prevent leakage of potentially sensitive information, the Request-URI should be "*". S-HTTP responses should use the protocol designator "Secure-HTTP/1.4". The response message has the following format:
Status Line | General header | Response header | Entity header | Message Body
Note that the status in the Secure HTTP response line does not indicate anything about the success or failure of the unwrapped HTTP request. Servers should always use 200 OK provided that the Secure HTTP processing is successful. This prevents analysis of success or failure for any request, which only the correct recipient can determine from the encapsulated data. All case variations should be accepted.
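The outer S-HTTP request and response lines just described, as an added example (not part of the original text): the outer Request-URI is "*", the outer status is 200 OK whatever the inner HTTP result, and the "Secure" method is recognised case-insensitively so that S-HTTP and plain HTTP can share one port. The host name and header values are constructed, and the encapsulated body is a plain stand-in for the cryptographically enhanced body.

```python
# Added example (not from the original text): the outer S-HTTP envelope lines
# described above. The body is left opaque here; real S-HTTP protects it.
SHTTP_VERSION = "Secure-HTTP/1.4"
CRLF = "\r\n"

def build_shttp_request(encapsulated_body, outer_headers):
    """Outer request line: method 'Secure', Request-URI '*' (so the real path
    never travels in the clear) and the S-HTTP protocol designator."""
    lines = [f"Secure * {SHTTP_VERSION}"]
    lines += [f"{name}: {value}" for name, value in outer_headers.items()]
    return CRLF.join(lines) + CRLF + CRLF + encapsulated_body

def build_shttp_response(encapsulated_body, outer_headers):
    """Outer status is 200 OK whenever S-HTTP processing succeeded, whatever the
    inner HTTP status, so an observer cannot tell a 404 from a 200."""
    lines = [f"{SHTTP_VERSION} 200 OK"]
    lines += [f"{name}: {value}" for name, value in outer_headers.items()]
    return CRLF.join(lines) + CRLF + CRLF + encapsulated_body

def classify_request_line(line):
    """Sort a first line into 'shttp', 'http', 'shttp-leak' or 'malformed' so
    both protocols can be served on one TCP port. Case variations are accepted;
    'shttp-leak' flags an S-HTTP request whose outer URI is not '*'."""
    parts = line.strip().split()
    if len(parts) != 3:
        return "malformed"
    method, uri, version = parts
    if method.lower() == "secure" and version.lower() == SHTTP_VERSION.lower():
        return "shttp" if uri == "*" else "shttp-leak"
    if version.upper().startswith("HTTP/"):
        return "http"
    return "malformed"

def outer_status_line(message):
    """What a network observer sees."""
    return message.split(CRLF, 1)[0]

def inner_status_line(message):
    """What only the recipient learns after unwrapping the body."""
    body = message.split(CRLF + CRLF, 1)[1]
    return body.split(CRLF, 1)[0]

if __name__ == "__main__":
    # Constructed sample: a request for a sensitive path and a 404 answer to it.
    inner_req = "GET /account/statement HTTP/1.0" + CRLF + "Host: bank.example" + CRLF + CRLF
    req = build_shttp_request(inner_req, {"Content-Privacy-Domain": "CMS"})
    print(outer_status_line(req))                          # Secure * Secure-HTTP/1.4
    inner_resp = "HTTP/1.0 404 Not Found" + CRLF + CRLF
    resp = build_shttp_response(inner_resp, {"Content-Privacy-Domain": "CMS"})
    print(outer_status_line(resp), "hides", inner_status_line(resp))
```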
SMART CARDS
Depending on the type of application, different levels of memory on the smart card are necessary. If you want to put data or applications on the smart card only once, it is sufficient to put a little chip on the card that contains ROM. If a program needs to store temporary information on the card, RAM should be used; once the smart card has been removed from the terminal, that information is lost. Most applications require EEPROM, which allows data and applications to be stored permanently on the smart card. Unlike ROM-only smart cards, applications and data can be loaded onto the card, executed and removed at any time.
Smart cards have an embedded microchip instead of a magnetic strip. The chip contains all the information a magnetic strip contains but offers the possibility of manipulating the data and executing applications on the card. Three types of smart cards have established themselves:
• CONTACT CARDS: Smart cards that need to be inserted into a reader in order to work, such as a small card reader or an automatic teller machine.
• CONTACTLESS CARDS: Contactless cards don't need to be inserted into a reader. Just waving them near a reader is sufficient for the card to exchange data. This type of card is used for opening doors.
• COMBI CARDS: Combi cards contain both technologies and allow a wider range of applications.
Generally 128 or 256 Mb EEPROM is used in computers, but smart cards can store up to 16Kb. The newer releases of smart cards are able to hold more than a single application. In order to allow multi-functionality, it is necessary to ensure security for every application: if an application runs on the card, it should not be allowed to view data stored by other applications on the same card, so each application needs to have its own compartment on the smart card. The limitation to multi-functionality is the amount of memory on the smart card itself. Information on smart cards can be accessed in four different ways, depending on the type of application we want to provide and the type of memory we are using:
• READ ONLY: Information can only be read from the smart card.
• EXECUTION ONLY: Programs can be executed without any information being visible.
Security is the major issue with smart cards. If a hacker is able to copy or manipulate the content of a card onto another one, it may destroy the business of the smart card application issuer. This means security functions have to be at the core of all smart cards. However, different applications require different levels of security, and absolute security cannot be guaranteed. Effective protection against manipulation or copying of a smart card requires secure hardware, for which physical countermeasures need to be taken. A secure operating system and system security are also necessary, which means that the communication between all components involved in the security system is encrypted. The overall level of security is only as good as that of the weakest element in the chain. Common threats for smart cards are loss of authenticity, integrity, confidentiality and availability. Smart cards are protected by a PIN (Personal Identification Number) code. Smart card applications are becoming more popular as they enable customers to pay for goods and services.
SSL
SSL uses these protocols to address the tasks described above. The SSL record protocol is responsible for data encryption and integrity. As can be seen in the figure, it is also used to encapsulate data sent by the other SSL protocols, and therefore it is also involved in the tasks associated with the SSL check data. The other three protocols cover the areas of session management, cryptographic parameter management and transfer of SSL messages between the client and the server. Before going into a more detailed discussion of the role of the individual protocols and their functions, let us describe two fundamental concepts related to the use of SSL.
• Hyper Text Markup Language (HTML) is the common representation language for hypertext documents on the Web. HTML is an application of the Standard Generalized Markup Language (SGML), which specifies a formal meta-language for defining document markup systems. An SGML Document Type Definition (DTD) specifies valid tag names and element attributes. HTML consists of embedded content separated by hierarchical, case-sensitive start and end tag names, which may contain embedded element attributes in the start tag. These attributes may be required, optional, or empty. In addition, documents can be inter- or intra-linked by establishing source and target anchor points. HTML files are viewed using a WWW client browser, the primary user interface to the Web. HTML allows for embedding of images, sounds, video streams, form fields and simple text formatting. References to other objects, called hyperlinks, are embedded using URLs. When an object is selected by a hyperlink, the browser takes an action based on the URL's type, e.g., retrieve a file, connect to another Web site and display an HTML file stored there, or launch an application such as an e-mail or newsgroup reader.
• Universal Resource Identifier (URI) - an IETF addressing protocol for objects in the WWW. There are two types of URIs, Universal Resource Names (URN) and Universal Resource Locators (URL). URLs are location dependent and contain four distinct parts: the protocol type, the machine name, the directory path and the file name. There are several kinds of URLs: file URLs, FTP URLs, Gopher URLs, News URLs, and HTTP URLs. URLs may be relative to a directory or offsets into a document. Arguments to CGI programs may be embedded in URLs after the '?' character.
• Hyper Text Transfer Protocol (HTTP) - an application-level network protocol for the WWW. It is described as a "generic stateless object-oriented protocol." Stateless means that neither the client nor the server stores information about the state of the other side of an ongoing connection. Statelessness is a scalability property but is not necessarily efficient, since HTTP sets up a new connection for each request, which is not desirable for situations requiring sessions or transactions.
1. In HTTP, commands can be associated with particular types of network objects (files,
documents, network services). Commands are provided for
CGI programs are executable programs that run on the Web server. They can be written in any scripting
language or programming language available to be executed on a Web server, including C, C++,
Fortran, PERL, TCL, Unix shells, Visual Basic, and others. Security precautions typically require that
CGI programs be run from a specified directory under control of the Web system administrator, that is,
they must be registered with the system. Arguments to CGI programs are transmitted from client to
server via environment variables encoded in URLs. The CGI program typically returns HTML pages
that it constructs on the fly. Some problems with CGI are:
• The CGI interface requires the server to execute a program.
• The CGI interface does not provide a way to share data and communications resources, so if a program must access an external resource, it must open and close that resource itself. It is therefore difficult to construct transactional interactions using CGI.