Electronic Commerce, Second Edition
Marilyn Greenstein and Miklos Vasarhelyi
Table of Contents
1. Overview of Electronic Commerce
2. The Electronization of Business
3. B2B Processes and Strategies
4. Electronic Commerce and the Role of Independent Third Parties
5. The Regulatory Environment
6. EDI, Electronic Commerce and the Internet
7. Risks of Insecure Systems
8. Risk Management
9. Internet Security Standards
10. Cryptography and Authentication
11. Firewalls
12. Electronic Commerce Payment Mediums
13. Intelligent Agents
14. Web-Based Marketing
Chapter 1: Overview of Electronic Commerce

Overview
- Electronic commerce defined
- Potential benefits
- Enablers
- Effects on business models
- Security
- Textbook organization of topics
- Implications for the accounting profession

What is electronic commerce?
The use of electronic media (telecommunications) to engage in the exchange, including buying and selling, of products and services that must be transported, physically or digitally, from one location to another.

How is electronic commerce different from electronic business?
Electronic commerce is a subset of electronic business. Electronic business also includes the exchange of information not directly related to the actual buying and selling of goods and services.

Why should a business engage in electronic commerce? Potential benefits include:
- Saving money and resources
- Reaching more business partners
- Reaching geographically dispersed customers
- Reducing procurement costs
- Reducing the cost of purchases
- Reducing inventory
- Improving cycle times
- Improving customer service
- Reducing sales and marketing costs

How can procurement costs be reduced?
Electronic Data Interchange (EDI) lowers procurement costs by:
- Consolidating purchases
- Developing relationships with key suppliers
- Negotiating volume discounts
- Better integrating the manufacturing processes
Internet commerce lowers procurement costs further by:
- Increasing the ability to reach and transact with new partners
- Decreasing data transmission costs

How can inventory costs be reduced?
Inventory costs can be lowered by savings in:
- Storage costs
- Handling costs
- Insurance costs
- Administrative costs
- Cycle time, because design specifications are shared
- Fixed overhead costs assigned to each unit
Most of these cost reductions result from greater collaboration and information sharing between business partners.

How is customer service improved? Customers report benefits including:
- Increased choice of vendors
- The convenience of shopping from home or work
- Greater amounts of information on demand
- More competitive prices and better price-comparison capabilities
- Greater customization in the delivery of service
- Easy ways to check order status
- Hassle-free return procedures

What are the Internet and the WWW?
The Internet is a network of networks, the backbone. Its roots go back to Leonard Kleinrock's packet-switching theory, put into practice in the first ARPANET node in 1969. The Internet emerged because of three forces:
- Powerful and inexpensive technologies
- Availability of telecommunications
- Spread of digital information
In 1990 Tim Berners-Lee developed the capabilities now described as the World Wide Web (WWW) portion of the Internet, which allows:
- Hypertext linking
- Software portability
- Network and socket programming
(Karl Salnoske, IBM, 1998)

Is doing business on the Internet a strategic business issue or a technical issue?
Because electronic commerce requires industry process reengineering, doing business successfully on the Internet involves rethinking business strategies so that Internet activities are closely tied to business goals. It is more than a new technology.

Air Products e-business initiatives
- Value-added marketing
- Selling through new channels
- Procurement
- Becoming a knowledge leader
- Storefronts on B2B portals

Figure 1-5 Traditional value chain: Supplier -> Inbound purchases and logistics -> Production -> Outbound logistics -> Customer.

Figure 1-6 The new value chain: the customer sits at the center; sales and marketing, inbound logistics, production, outbound logistics and service all connect to the customer through the information system and CRM.

Figure 1-7 The expanded ICDT model: the virtual information, communication, distribution and transaction spaces, surrounded by the market and by the legal and self-regulatory environment (taxes, privacy). Adapted from Angehrn, 1997.

ICDT business strategy model
- Internet information: Is it accurate, current, available only to authorized parties, easy to find, and accessible without waiting?
- Internet communication: Are you building a consistent experience, relationship and trust? Is it secure and private?
- Internet distribution: Are you delivering only to authorized parties, and in a reliable fashion?
- Internet transactions: Are they secure, accurate, of integrity, reliable, private, and conducted with reputable partners?

Figure 1-8 Three pillars of electronic commerce: electronic information, electronic relationships and electronic transactions, resting on the existing market space and open processes. Source: Peter Fingar, 1998.

Electronic relationships
To attract repeat visitors away from competitors, your site must:
- Be innovative
- Add value
- Provide information and interaction not otherwise available
- Create forums for opinion-building activities
(Peter Fingar, 1998)

Electronic transactions require three properties:
- Integrity: the agreed-upon elements of the transaction are captured correctly and completely, and the processing and storage procedures do not allow the data to be altered.
- Authentication: the transacting parties are who they say they are.
- Confidentiality: the electronic data are protected from unauthorized disclosure.
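As an added illustration of the first two properties above (this code is not from the textbook), the following Python attaches a keyed message authentication code (HMAC-SHA256) to an order so the receiving party can detect both alteration in transit and a message that did not come from a key holder, and rejects a replay of an order it has already accepted. The pre-shared key, the order fields, the nonce scheme and the party names are assumptions made for the example. Confidentiality, the third property, is not provided by a MAC: the order stays readable in transit and needs encryption (for example TLS) in addition.

```python
"""HMAC-protected order messages: integrity, origin authentication, replay rejection.

Added example, not code from the textbook. Assumptions: buyer and seller
share a secret key agreed out of band; orders are JSON objects carrying a
unique nonce. A MAC gives no confidentiality: the order text stays readable.
"""
import hashlib
import hmac
import json
from typing import Any


def canonical(order: dict[str, Any]) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(order: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Buyer side: wrap the order with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "mac": tag}


class SellerEndpoint:
    """Seller side: verifies the tag, then refuses any nonce it has already accepted."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces: set[str] = set()

    def accept(self, envelope: Any) -> str:
        if not isinstance(envelope, dict) or "order" not in envelope or "mac" not in envelope:
            return "malformed"
        order = envelope["order"]
        if not isinstance(order, dict):
            return "malformed"
        expected = hmac.new(self.key, canonical(order), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak timing about the tag.
        if not hmac.compare_digest(expected, str(envelope["mac"])):
            return "bad_mac"          # altered in transit, or not produced with the key
        nonce = order.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return "replay"           # the same genuine order delivered a second time
        self.seen_nonces.add(nonce)
        return "accepted"


def demo() -> dict[str, str]:
    """Run the four cases a practitioner wants to see; key fixed for reproducibility."""
    key = bytes.fromhex("00" * 32)          # assumed pre-shared key (example only)
    seller = SellerEndpoint(key)
    order = {  # constructed sample order, not real data
        "buyer": "Example Buyer Ltd",
        "seller": "Example Seller Inc",
        "sku": "W-100",
        "qty": 10,
        "unit_price": "4.50",
        "nonce": "order-0001",
    }
    genuine = sign_order(order, key)
    replay = json.loads(json.dumps(genuine))           # a second copy of the same message
    tampered = json.loads(json.dumps(genuine))
    tampered["order"]["qty"] = 1000                    # attacker changes the quantity in transit
    forged = sign_order({**order, "nonce": "order-0002"}, b"wrong key")  # no access to the real key
    return {
        "genuine": seller.accept(genuine),
        "replay": seller.accept(replay),
        "tampered": seller.accept(tampered),
        "forged": seller.accept(forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result}")
```

The canonical serialization matters as much as the MAC: if the two parties serialized the same order differently (key order, whitespace), every genuine message would fail verification. The nonce set grows without bound in this sketch; a real endpoint would scope it by time window or order sequence number.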
What security breaches are most common for Web-based companies?
- Virus and malicious code infections
- Abuse of computer access controls
- Physical theft, sabotage and destruction
- Denial of service
- Attacks on bugs in Web servers
- Attacks related to insecure passwords
- Electronic theft, sabotage and destruction
- Fraud

What security breaches are most common for ERP-using companies?
- Revenue loss
- Information loss
- Data integrity loss
- Theft of trade secrets or data
- Infection with a computer virus
- Manipulation of internal systems
Your entire system is only as strong as the weakest link in the chain!

Implications for accounting professionals
Electronic commerce changes a business's:
- Value chain: the customer is the new focus
- Ways of doing business: strategies
- Business partners: suppliers and customers
Accounting professionals must adapt by:
- Changing the methods and technology used for assurance functions (systems reliability and integrity)
- Moving transaction analysis to real time
- Training themselves in the new technologies
Chapter 2: Electronization of Business

Overview
- Principles and axioms
- Effects on business
- Management issues
- New paradigms and metaphors
- The theory of electronization
- E-business methods and tools
- New business models, processes and tools
- Industries and their continuing evolution
- Implications for the accounting profession

Figure: Electronization of business across the transaction cycle. Stages shown: advertising, pre-sale care, sale, delivery, payment, accounting, e-care, auditing. Functional areas shown: purchasing, marketing, logistics, finance, human resources. Tools and techniques named in the figure: Web advertising, banners, customization, individual targeting, virtual communities, customer party lines, voice reply, auto responder, lead follow-up, Web-based e-catalog, shopping carts, B2B purchasing, open EDI, extranets, consortia, credit card, e-cash, micropayments, bitable and non-bitable delivery, inventory, manufacturing, tracking, automatic confirmation, continuous accounting and auditing (integrity, reliability), tech support, help desk, e-banking, e-hedging, e-trading.

Electronization of business: changes to the value chain. Major changes include:
- Deconstruction
- Metamarkets
- Disintermediation
- Reintermediation
- Industry morphing
- Cannibalization
- Technointensification
- Rechanneling

Figure 2-1 The interorganizational value chain: supplier, firm, channel and buyer value chains linked upstream to downstream; each firm's intranet connects to its partners over the Internet and shared intranets, with value added at each link.

Figure 2-2 Leaping over links in the value chain with extranets: a shared extranet connects the supplier, firm, channel and buyer value chains directly, bypassing intermediate links.

What is the internal value chain?
- Passing value from inputs (materials, patents, services, etc.) to customers
- Involves all aspects of a business: R&D, production planning, production, financing, accounting, auditing, etc.
- Customers define value from their experience of working with your company, which is more than just your product or service

What are bitable goods?
Goods that can be transmitted over telecommunication channels, also called digital inventory or digital services. The most common bitable goods:
- Financial products
- Software
- Music
- Videos
- Information

What are e-commodities?
Goods that can be purchased without being sensed or tried on by the consumer. Non-e-commodity goods and services may become e-commodities because of factors such as:
- Reputation of the vendor
- Prior experience of the consumer
- Distance from the source
- Availability of the good
- Ability to "try it" digitally online (as with music)

What is deconstruction?
- Methodical, progressive outsourcing or alliancing-out of internal processes
- Allows sharing of proceeds without having to dedicate substantial resources
- Can create metamarkets: the customer does not see, or care, that a network of organizations provides the product or service

What are disintermediation and reintermediation?
Disintermediation: elimination of intermediary functions that no longer add incremental value once the new technology is in use, for example:
- Travel or insurance agents
- Securities brokers
- Pharmacists
Reintermediation: new markets or brokerages that evolve from the new technology, for example infomediaries such as eBay, CDNow and Amazon.
These situations raise some interesting revenue recognition questions.

What is industry morphing?
Deconstructing and reconstructing value propositions: taking pieces and re-bundling them into new opportunities. Examples: GE and Intuit.
Cannibalization: permanent replacement of an existing channel or product. Examples: telephony, securities trading, banking.
Channel conflict: the tug-of-war for sales between the alternative channels you offer your customers. Which channel has preference?

What is meant by technointensification? Businesses are:
- Increasing their use of technology
- Increasing their capitalization of IT resources
- Decreasing their use of human resources
- Relying more often, and more extensively, on third parties for IT resources
- Hiring and training more people in IT functions
- Producing items with a higher value per pound
- Executing processes more rapidly and efficiently
- Providing availability
- Accepting a greater vulnerability to downtime

What is rechanneling?
Changing the focus of internal processes, products or services in order to optimize expected cash inflows:
- A chassis shop that also operates as a welding shop
- Bookstores using both physical and online storefronts to compete in new ways

Figure 2-3 Breaking up the value contents: one traditional product is split into many new products (information product, financing, logistics, R&D, manufacturing), each of which can be kept in-house, outsourced, provided through alliances, or left to competitors.
E-business evolutionary stages, from lowest to highest level of evolution:
- Web presence: information only
- Basic functionality: allows contact with the organization, with scripting
- Functional: connected to a Web-server database, with active Web pages
- Competent: involves extranets with partners, practices individualized marketing, and utilizes knowledge-based tools

How is e-business changing traditional business?
- Globalization of markets
- One-to-one marketing
- Customization of site and product
- Integration of systems with clients
- New forms of e-service (for example, UPS setting up new computers)
- Commoditization of products
- Low margins and brand differentiation

How is e-business changing business processes?
- Increased pre- and post-sale care of customers
- Increased use of databases and user interfaces
- Flatter organizational structures
- Development and use of customer profiles
- Increased reliance on cooperation software
- Faster product-to-market strategies
- Increased reliance on third parties
- Faster turnaround of cash flows

Successful dot-coms' list of do's
- Avoid excessive promotional expenditures
- Outsource processes where there is little or no internal expertise
- Consider the long-run tradeoff between high startup costs and low incremental costs
- Pay close attention to the forces and laws of supply and demand
- Plan for progressive increases in cash flows and earnings to position the company for growth; do not value the company by price/earnings ratios
- Utilize well-known, competent management
- Realize that funding is becoming more competitive

Three examples of the e-business paradigm shift
- Victoria's Secret: online fashion shows and the Super Bowl
- Financial instrument brokerage industry: more individual investors, more online brokerages, new bundling of products and services
- The wellness industry: online pharmacies, wellness sites, disease portals, pharmaceutical sites, B2B medical provisioning sites; disintermediation of pharmacists, democratization of medicine through information sharing, e-diagnostics, internationalization of medicine, doctor comparison and recommendation

Figure 2-7 The new health care value chain for pharmaceuticals. Columns: research, logistics, marketing, strategy, others. Items shown: buying research, continuous monitored trials, DNA mapping, transparent telemetering for trials, global outsourcing, product tracking, modular manufacturing, supplier-managed inventory, joint sourcing, product tailoring, personalized websites and marketing, bypassing doctors, pharmacies and HMOs, nation-level products, international price equalization, changing value chain, buying up pharmacies, distributors and HMOs, supplying metamarkets, joint products, joint projects with competitors, disease eradication monitoring, implanted devices, expert systems, outsourcing.

What are the effects of the electronization of business processes?
- Creating products and services that are faster, cheaper and better
- Reinventing marketing and advertising
- E-care is at the core of making electronization successful for a business

What can modern banner advertisements do?
- Determine the geographic location of the target (e.g. mobile opportunities)
- Link products with recent purchases
- Link the target with other people in a social network
- Explore complex events (weddings, etc.)

What is involved in e-care services?
An intelligent combination of e-mail, Web-based support and telephone support. Goal: to be more effective and more efficient than traditional marketing and relationship management techniques.

New e-business principles
- Information is abundant; eyeballs are limited.
- New paradigms exist, for example: giving away goods and services, not protecting software against piracy, and paying for users and site visitors.
- Your customers and suppliers are also your competitors and allies.
- Entire product cycles can be created without owning inventory or production capacity.
- Pricing models are changing and flexible.

Figure 2-9 Three key success factors for e-businesses
- Technology: the World Wide Web
- Facilitating services: delivery, escrow, price comparisons
- Business model: e-catalog, auctions, name-your-price

What are the new B2B e-business models?
- E-catalogs
- Auction models, where products and values are not standardized
- Commodity auctions, where products and values are more homogeneous
The most common phenomena: disintermediation, reintermediation and cannibalization.

What are the new B2B e-business tools?
- E-catalogs
- Tracking of shipments
- Inventory management and joint provisioning
- Database marketing, allowing a timely, geographic, customer focus
- Data warehousing and data mining
- Profiling
- Continuous reporting
- Continuous auditing: WebTrust, SysTrust

What are e-catalogs?
- One resource presents many products and prices to buyers
- Can link many organizations on one list
- Can manage flexible or variable pricing and promotions
- Database features include: data categorization, parameterization, collection, normalization and cleansing; high-volume scanning and image processing; custom design; dynamic printed output; preprogrammed query capabilities; buying-suggestion models; incomplete-information search algorithms and filtering
Examples: a21.com, Cohera.com

Where can we find data mining and data warehousing in use?
- Credit card companies, for approvals
- Supermarkets, for inventory management
- E-tailers, for suggesting complementary product purchases
- Mobile commerce advertisements, for routing a consumer's activities: "Buy gas around the corner and get 15% off"

What is profiling?
Profiling: evaluating complex data trends to create stereotypes for marketing or pricing strategies. Examples: Amazon's jaboom.com, Land's End's virtual model.

What is fragmentation?
- Fragmentation refers to the loss of information due to disconnected profiling efforts
- Many companies are interested in sharing data to learn about market opportunities
- Reducing fragmentation across society may create serious privacy concerns

What is continuous reporting?
Continuous reporting is the real-time disclosure of transaction data. It is possible because of:
- Interconnectivity of processes
- Use of Enterprise Resource Planning (ERP) systems
- Evolution of user interfaces connected to the Internet and to corporate databases
Statutory protection of stockholders from misleading financial disclosures motivates many businesses to disclose non-financial rather than financial measures on their Web sites.
What are the new e-business models?
E-business models are distinguished by their value proposition (product or service), their source(s) of revenue and their cost structures. Three new models, with examples:
- Auctions: eBay
- Reverse auctions: Priceline
- Buyers' club: mercata.com

What are e-business revenue sources? The most common:
- Sales made on the Internet
- Advertising fees
- Subscription fees
- Transaction fees

Which business processes are most affected by e-business? Six are significantly affected:
- Marketing and advertising
- Production and logistics
- E-care (customer services)
- Finance
- Human resources
- Research and development

How are marketing and advertising changed?
- More one-to-one marketing strategies: mining and profiling, targeted banners, personalized sites, suggestion models, m-commerce promotions
- Emphasizing brand
- Variable pricing
- Affiliation agreements
- New bundling
- Customizing Web presences
- Customizing products, adding information value to the product or service

How are production and logistics changed?
Internetworking provides efficiency opportunities in production, storage, distribution and acquisition. Supply chain management has utilized:
- Electronic catalogs
- Product tracking
- Web-managed distribution of cargo
- Supplier-managed inventory
- Distributed and shared manufacturing processes
- Shared inventory management

How has customer care changed?
Customer relationship management (CRM) software has focused on the needs of the sales force, marketing and call centers by collecting, mining and reporting data back to managers. Acquiring a new customer is, on average, eight times more expensive than keeping an existing one.

How has finance changed? Finance uses legacy and ERP systems for:
- Performance measurement and evaluation: accountants understand business processes; they develop, collect and analyze measurements for them and advise management.
- Assurance: new metrics are needed because of the increased speed and volume of business transactions between new partners and the increased legal complexities.
- Financial management: heading towards paperless, continuous risk assessment, testing and reporting that is integrated with external partners through extranets.

Figure 2-11 Process monitoring and assurance: the corporate IT structure feeds strategic and tactical metrics and internal/external monitoring metrics into a monitoring IT structure; analytical exception tests, together with alarms from external information, raise alarms that are routed to operations, to auditors, to the scorecard and to other stakeholders.
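The analytical exception tests and alarm routing sketched in Figure 2-11 can be made concrete. The Python below is an added example, not code from the textbook: it runs a small set of exception tests over a constructed feed of purchase transactions and routes each alarm to the recipient the figure names (operations, auditors, scorecard). The approved-vendor list, the approval limit, the near-limit heuristic, the test names and the routing table are assumptions made for the example.

```python
"""Continuous-monitoring exception tests with alarm routing (added example).

Not code from the textbook. Assumptions: an approved-vendor master list, a
single-approver limit policy, and a routing table (operations / auditors /
scorecard) modelled on the alarm recipients in Figure 2-11. The transaction
feed below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable

APPROVED_VENDORS = {"V-100", "V-200", "V-300"}   # assumed vendor master list
APPROVAL_LIMIT = Decimal("10000.00")              # assumed single-approver limit
NEAR_LIMIT_FRACTION = Decimal("0.95")             # flags amounts kept just under the limit

# Where each test's alarm is routed, following the recipients in the figure.
ROUTE = {
    "unapproved_vendor": "operations",
    "over_approval_limit": "auditors",
    "duplicate_invoice": "auditors",
    "near_limit": "scorecard",
}


@dataclass(frozen=True)
class Alarm:
    test: str
    txn_id: str
    route: str
    detail: str


# Constructed sample feed (not real data).
TRANSACTIONS = [
    {"id": "T1", "vendor": "V-100", "invoice": "INV-1", "amount": "1200.00"},
    {"id": "T2", "vendor": "V-999", "invoice": "INV-2", "amount": "450.00"},    # vendor not on master list
    {"id": "T3", "vendor": "V-200", "invoice": "INV-3", "amount": "15000.00"},  # exceeds approval limit
    {"id": "T4", "vendor": "V-100", "invoice": "INV-1", "amount": "1200.00"},   # repeats INV-1 from V-100
    {"id": "T5", "vendor": "V-300", "invoice": "INV-5", "amount": "9999.99"},   # just under the limit
]


def run_exception_tests(txns: Iterable[dict]) -> list[Alarm]:
    """Apply every exception test to every transaction; return the routed alarms."""
    txns = list(txns)
    # Duplicate detection needs the whole feed, so count invoice keys up front.
    invoice_counts = Counter((t["vendor"], t["invoice"]) for t in txns)
    alarms: list[Alarm] = []

    def raise_alarm(test: str, t: dict, detail: str) -> None:
        alarms.append(Alarm(test, t["id"], ROUTE[test], detail))

    for t in txns:
        amount = Decimal(t["amount"])          # Decimal, never float, for money
        if t["vendor"] not in APPROVED_VENDORS:
            raise_alarm("unapproved_vendor", t, f"vendor {t['vendor']} not in master list")
        if amount > APPROVAL_LIMIT:
            raise_alarm("over_approval_limit", t, f"{amount} exceeds {APPROVAL_LIMIT}")
        elif amount >= APPROVAL_LIMIT * NEAR_LIMIT_FRACTION:
            raise_alarm("near_limit", t, f"{amount} is within 5% below {APPROVAL_LIMIT}")
        n = invoice_counts[(t["vendor"], t["invoice"])]
        if n > 1:
            raise_alarm("duplicate_invoice", t, f"invoice {t['invoice']} from {t['vendor']} seen {n} times")
    return alarms


def alarms_by_route(alarms: Iterable[Alarm]) -> dict[str, int]:
    """Summary for the scorecard: how many alarms each recipient received."""
    return dict(Counter(a.route for a in alarms))


if __name__ == "__main__":
    found = run_exception_tests(TRANSACTIONS)
    for a in found:
        print(f"[{a.route:10s}] {a.test:20s} {a.txn_id}: {a.detail}")
    print(alarms_by_route(found))
```

Two design points carry over to real monitoring: tests that depend on the population (duplicates, velocity) need a pass over the feed or a running state, not just the current record; and routing is part of the rule, so a test that nobody receives is a test that never fires.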
How have human resources changed?
- Much more self-service: administrative activities, career management, value of employment (compensation, benefits), payroll, employee services, health management
- Application Service Providers (ASPs) are used extensively

How has research and development (R&D) changed?
- Groupware for distance work
- Large, powerful databases
- Telemetering and sensing
- Visualization software
- Powerful supercomputers
- Knowledge management systems for greater sharing of information

Which industries are most affected by electronization? Industries with bitable products or services are most affected:
- Financial sector: brokerages, banking and insurance
- Software
- Retail, especially with industry-specialized portals
- Large manufacturers, which are increasing their market range, reducing their costs and increasing the speed and efficiency of their processes
- Services: traditional (accounting, data entry, programming) and new (e-care)

Implications for the accounting profession. Accountants need to focus on:
- Providing more real value to their clients
- Emphasizing continuous reporting
- Emphasizing continuous assurance
- Developing new assurance products
- Using the Internet to move work to lower labor-cost markets
Chapter 3: Business-to-Business Processes and Strategies

Overview
- From B2C to B2B
- Using corporate nets
- B2B processes and advantages
- Emerging B2B problems
- Electronic markets
- Strategy
- A schema for analyzing e-business strategy
- Implications for the accounting profession

Figure 3-1 B2B and B2C electronization focus. B2B: purchasing and supply chain focus; market formation and structure. B2C: marketing and advertising focus; individual targeting, customization, Web advertising, virtual communities, customer party lines. B2B has a larger volume of transactions, but a lower margin per transaction.

What is meant by corporate nets?
Internetworking: connecting through computer networks, fixed or mobile or both, to bring the processing to the individual rather than the individual to the computer.
- Intranets: within an organization
- Extranets: between organizations
Value is derived from highly customized end-user connections, highly orchestrated high-value chain elements, and a common infrastructure that utilizes modularity.

More about intranets
- Initial use: to pool expensive resources and optimize their utilization
- Next phase: to enhance corporate communications through e-mail and file sharing
- Newest phase: utilizing the Internet and the TCP/IP protocol suite (servers, browsers, routers, etc.) to enhance efficiency

Figure 3-2 Angehrn's ICDT model applied to intranets
- Information space: HR data, production, inventory, etc.
- Communication space: e-mail, data sharing, groupware applications
- Distribution space: corporate documents, software, training, support
- Transaction space: vouchers, claims, internal purchases, orders

The same ICDT model applied to extranets: the four spaces above (information, communication, distribution, transaction) are now shared between the internal corporation and its trading partners.

More about extranets. Components include:
- Enterprise Resource Planning (ERP) systems
- Legacy systems: e-mail, data sharing, groupware applications
- Middleware, to allow seamless interfaces with business partners' information systems
- Intranets of business partners
Common extranet applications include:
- Application Service Providers (ASPs): common platforms for outsourced processing that allow rapid product deployment, low capital investment and little residual burden
- Customer care extranets: dedicated to e-care of customer communications and support
- Supplier-managed inventory: allows suppliers to utilize just-in-time techniques

Examples of extranets: ARCO, Canadian Coast Guard, Chubb Corporation, Eastman Kodak, GE Industrial Systems, GE Lighting, Harley-Davidson, Microsoft, National Semiconductor, NN Financial, Taco Bell, Texas Instruments, Toro Co. (Source: ISIS Communications, 2000)

Newest trends in extranets
- Direct electronic dealings with potential and existing partners
- Transacting through electronic markets
- Formation of electronic consortia
- Hub-free peer-to-peer structures

Business-to-business (B2B) commerce
B2B defined: business purchases between commercial entities as intermediate processes of value addition, until the product, or a derivative of it, is delivered to the consumer.
- Evolved from manual processes, to electronic data interchange (EDI), to Web-based combinations
- Different from B2C: involves more investment, and brand is less of a factor

Top ten B2B businesses (Forrester Research): Intel, Cisco, Dell, Boise Cascade, W.W. Grainger, 3Com, IBM, Gateway 2000, Sabre Group, Office Depot

Dimensions of market factors that affect B2B commerce
- Current size of the market and the effect of electronization on it
- Expected speed of deployment of the electronic solution(s)
- Ownership of the electronic market
- Business model, nature of the market platform, and revenue sources for the market makers
- Criteria for admission of players
- Visibility of entities
- Nature of the market platform and degree of IT integration
- Form of settlement arrangements
Comparing EDI to Internet B2B solutions
Traditional EDI:
- Rigid definition of trading partners
- Expensive investment in protocols and proprietary channels (typically value-added networks), with monthly and per-transaction fees
- Few connectivity and data-sharing options
- More inherent security, because the channel itself is closed and every partner is enrolled in advance
Internet (TCP/IP):
- Low incremental costs
- Real-time connectivity
- Flexible data sharing
- Less inherent security: the open network provides none by default, so confidentiality, integrity and authentication must be built in above it (for example with encryption and message authentication)
What are vertical and horizontal B2B markets?
Vertical markets:
- Focus on one industry
- Serve multiple purposes: transactions, job postings, industry news, technical advice, information services, etc.
Horizontal markets:
- Business model based on economies of scale with little industry specialization
- Offer one type of service or product across industries

Newest features of B2B markets
- Customized middleware to smooth interfaces between trading partners
- Peer-to-peer computing, allowing shared markets without a centralized market or exchange
- Use of intelligent agents: price-comparison agents, buying and selling agents, fraud-detection agents

What are the emerging problems in the B2B environment?
- Antitrust issues
- Control issues on the market sites
- Virus and security problems
- Data privacy issues

B2B examples from three industries
- Auto industry: Covisint
- Airline industry
- Professional services firms: Accenture, iPlanet and Sun Microsystems; PricewaterhouseCoopers and Informatica

Internet business strategies are a function of factors such as:
- Type of business entity
- Stage of business (startup, growth, mature, declining)
- Sector of the economy
- Product pricing strategy
- Income and prestige objectives of management
- Management exit strategies
- Funding sources and processes

Figure 3-9 Funding sources and processes

Financing  | Definition                              | Average range | Who typically plays
Seed       | Proof of concept                        | 25-500K       | Angel individuals/groups; early-stage VCs
Start-up   | Complete product and initial marketing  | 500K-3M       | Early-stage VCs
First      | Full-scale production and sales         | 1.5-5M        | Venture capitalists
Second     | Working capital for business expansion  | 3-10M         | Private placement firms
Third      | Expansion capital to achieve break-even | 5-30M         |
Bridge     | Go public in 6-12 months                | 3-20M         | Mezzanine financing firms; investment bankers
Go public  | Equity capital                          | Wide range    | Public market participants

Internet business plans and forms
- Generic description of the business idea
- Plan of action
- Assessment of the market
- Pro-forma set of financial statements
- Description of the management team
- Organizational morphing: businesses that are acquired by, or merged with, other businesses

Why do some failing companies choose to close their doors rather than merge?
- They do not have a sustainable business model
- They do not have a set of built-up assets
- They ran out of money before options were considered
- Venture capitalists are too busy to notice them
- There is less of a market for Internet expertise than there used to be
- Many potential acquirers are using a "wait and see" strategy

Electronization strategy parameters (Kanter, HBR, 2001)
- Use relevant corporate standards for Internet businesses
- Consider the separate elements within your value chain
- Focus on a few visible electronization efforts
- Take the revolution seriously, and focus on customer care and service
- Work with flexible vendors who are not afraid of constantly morphing with you and the marketplace
- Rethink and reengineer your business processes
- Offer incentives for cooperation between parties
- Create and disseminate easy-to-use tools
- Create and use relevant corporate benchmarks to evaluate performance

Traditional strategic thinking and corporate competencies
A core competency is a business's value proposition that:
- Provides access to a variety of markets
- Significantly contributes to the customer's perception of the end product's benefits
- Is difficult for competitors to imitate
Figure 3-10 Core competencies: competencies 1, 2 and 3 combine into core products 1 and 2, which feed businesses 1, 2 and 3 and their end products 1 through 6; a competitor's core product, or a deconstructed core, can substitute for one of the firm's own.

Figure 3-11 Competitive factors and forces
- Threat of new entrants: attacks on links of the value chain (deconstruction); entrants from other industries
- Bargaining power of suppliers
- Bargaining power of customers
- Positioning by competitors: alliances with competitors; B2B market participation with competitors
- Threat of substitutes

New economy thinking: deconstructing the value chain, and the judo strategy
- Reengineer, rebundle and create synergies
- Judo strategy: turn the dominant player's strengths against them
- Flexibility principle: do not attack head-on
- Leverage principle: small businesses do not have the impact that large businesses have

New economy corporate strategic plays. A corporation can achieve an electronic channel through:
- Acquisition
- Development: independent building
- Deconstruction: subdivide and conquer
- Aligning and affiliating with partners: meet your enemies

Figure 3-12 E-thinking strategies
- Stage of the business: new business, established business, industry leader
- E-objective: new channel, process improvement, new e-product, de-(re)construction
- Strategy of electronization: create an entity, acquire an existing business, alliance and affiliation, buy part of the company, create joint income targets, use joint platforms

What are free play strategies?
Free play strategies offer free services, or free space to post information, on the Internet; they typically rely on advertising or other sponsorship. Examples:
- Free Web hosting
- Free commonware space
- Free e-commerce platform
- Free Internet telephony

Schema to analyze e-business strategy
- Source of income: sustainable, across the value chain, exit strategy, residual value, or an information-gathering play?
- Market size, existing and future: overall estimation, segmentation and acquisition rates
- Market form: number of suppliers compared to number of buyers; centralized broker or peer-to-peer?
- Cost structures
- Type of product or service provided
- Innovation along the value chain

Implications for the accounting profession. Expertise is needed to understand:
- The B2B markets
- The new business models
- The new business strategies
- The reliability, integrity and security issues of the entire set of internetworks: operating systems, program code, Internet protocols, encryption methods, firewall configurations
105 Chapter 4 Electronic Commerce and the Role of Independent Third Parties
106 Electronic Commerce and the Role of Independent Third Parties (chapter outline)
- Consulting Practices and Independence
- CPA Vision Project: Necessary Professional Skills
- New Assurance Services
- E-Commerce Effects on Traditional Assurance
- Third-Party Assurance of Web-Based E-Commerce
- Trust in Electronic Relationships
- Website Seal Options
- Implications for the Accounting Profession
107 Should accountants provide E-Commerce assurance services? Accountants are known for their ability to:
- Be objective
- Be independent
- Form opinions on the financial accuracy of other entities' reports
- Assess risks
- Report on the system of internal controls
108 AICPA Principles of the Code of Professional Conduct. The American Institute of Certified Public Accountants (AICPA) requires:
- Integrity: due care, objectivity and independence, so that the public derives trust from their opinions
- Objectivity: an impartial, intelligent, honest state of mind, free of conflicts of interest, that lends value
- Independence: no interest in the client's firm
109 Independence Standards Board of the SEC: auditors will, on an annual basis:
- Disclose to the audit committee all relationships in writing
- Confirm in writing that they are independent
- Discuss independence with the audit committee
110 What is causing pressures on auditor independence?
- Growing aggression in the financial marketplace
- Multi-disciplinary service offerings by audit firms
- Loss-leading audits
- Changes in audit firm culture
- Increased scrutiny
Source: Earnscliffe Research and Communication, 1999
111 Independence Within Firm: One Team Consults and Another Audits
- One team does this: design firewall and access controls; install firewall and access controls
- Another team does this: evaluate adequacy of the firewall and access control system; issue opinion on adequacy of the firewall and access control system
112 What is the CPA Vision Project? CPAs are the trusted professionals who enable people and organizations to shape their future. Combining insight with integrity, CPAs deliver value by:
- Communicating the total picture with clarity and objectivity
- Translating complex information into critical knowledge
- Anticipating and creating opportunities
- Designing pathways that transform vision into reality
113 What are the top 5 core services provided by the CPA profession?
- Assurance and information integrity
- Management consulting and performance measurement
- Technology services
- Financial planning
- International services
114 Why are new assurances needed?
- Stagnant audit revenues and smaller audit teams
- Increasing and changing technology requirements
- Client business environment
- New market for the accounting profession
115 Robert Elliott's Special Committee on Assurance Services (SCAS): new assurance service opportunities require
- Identifying a customer with a need
- Finding a CPA to fill that need
- The customer's perception that value received exceeds costs involved
Best new assurance services areas: electronic commerce, elder care, health care performance, systems reliability, entity performance, risk identification and impact analysis
116 Elliott Report: New Knowledge and Skills Needed by Accountants
- Intentional attacks
- Transmission failures
- Lack of authentication
- Loss of trust
- Theft of identity
- Encryption
- Risks associated with electronic cash
- Software agents
- Sensors
- Preventive and detective controls
- Systems reliability
117 AICPA's Top 10 Technologies and Emerging Technologies
- Top technologies: security and encryption; XML; communications technologies (bandwidth); mobile, wireless and remote connectivity; electronic authentication and authorization; database
- Emerging technologies: government regulations; business service providers; e-learning; electronic evidence; m-commerce
118 The Three Waves of Electronic Commerce
- First wave, traditional EDI: ordering, shipping, invoicing, inventory; established partners only
- Second wave, electronic commerce: elements of the first wave plus online shopping, online payments, increased information sharing, new partners allowed, interactive websites
- Third wave, electronic society: elements of the second wave plus cashless transactions, transaction integrity, intelligent agents, continuous testing, wireless capabilities
119 The Challenge of E-Commerce: Openness with Security
- Integrity controls and signals: data elements are correct and agreed upon
- Security controls: parties are authenticated and data is not accessible to unauthorized parties
- Methods to solve trading partner disputes: nonrepudiation, digital signatures, integrity checks
120 What are accountants' competitive advantages?
- Access to existing client relationships
- Reputation for independence and objectivity
- Familiarity with controls for the financial reporting system
- Extensive experience in evaluating evidence, planning statistically sound validation processes as functions of the effectiveness of the systems of internal controls, and reporting to third parties
121 E-Commerce Systems Reliability Assurance
- All parties to e-commerce need server and information reliability assurances.
- Server reliability includes access to the needed databases and processing systems through telecommunications links and authorization.
- Information is accessible if an authorized user can retrieve what they need.
- Information reliability means the information is both accurate and current.
122 Figure 4-6 Reliable information systems: the company's internal databases and processing systems feed an Internet/web page/link carrying information about products and inventory, prices, orders and shipping (server reliability). Users read the information and make decisions; they need assurance of information reliability.
123 Assurance Support from the Internal Control Framework
- COSO's 1992 Internal Control Framework
- SAS No. 78 internal control definitions
- Factors complicating internal control: online, real-time access to information; decreasing time lag between events; increasing expectations by users of information
- Accountants need to shift from detection and correction to prevention strategies.
124 Figure 4-7 Time lag in information dissemination: data collection and entry → information systems processing → (time lag) → reports → stakeholders. Assurance over processes is necessary.
125 Elliott Report Definitions
- Integrity and security assurance is concerned with "the security and integrity of networks involved in the public exchange of information."
- Systems reliability assurance is concerned with "the reliability of an entity's internal database on which an outsider might rely."
126 Risk Assessment Assurance: risk assessment assurance is the process of identifying, analyzing and managing risks that affect the achievement of management objectives. It involves:
- Identification of control weaknesses
- Mapping weaknesses against business risks and technology risks
- Determining whether the risks are being reasonably mitigated
127 Effects of E-Commerce on the Traditional Assurance Function
- SAS No. 78 defines the relationships between the internal control system, assessment of risk, and audit planning procedures.
- Continuous process auditing, either around or through the computer, to determine: data collection, transmission and storage; authentication of transaction parties; control agents
128 Figure 4-8 AIS activities within the customer-oriented value chain: inbound purchases, production, outbound logistics, sales and marketing, and service surround the customer; revenue streams are revenue sharing, fee-based services, and digital products and services.
129 Figure 4-9 Revenue-generating advertising techniques (e-commerce advertising models)
- Model 1, pay for results: a site with a banner ad links (click-through) to the business site; businesses pay by number of click-throughs or by number of new purchases from click-throughs.
- Model 2, revenue sharing: portals provide "free" ad space; if a visitor clicks through, a fee is charged to the business (fee earned by the advertising site and fee earned by the portal).
130 Figure 4-11 Verifying digital assets versus physical assets
- Offline books, physical inventory: control over physical assets; losses result from physical theft, and known quantities can be counted.
- Online books, digital assets: losses result from digital theft, and quantities are not known; losses occur from lost revenue rather than lost assets!
131 Figure 4-12 Major concerns of consumers and business partners: security of data, privacy, business policies, transaction processing integrity, systems reliability
132 Third-Party Assurance
- Security of data transmitted and stored
- Business policies over shipping, billing, payments, returns, taxes, etc.
- Transaction processing integrity: orders are processed as policy states; no lost orders; accurate and timely transaction and account information
- Privacy of data: what is collected? How will it be used? Do customers have access? Is the privacy policy followed?
- Systems reliability
133 Figure 4-13 E-commerce, trust and third-party assurance: trading partner A's factors of perceived trustworthiness (ability, benevolence, integrity), the source credibility of communication, and third-party trust feed trading partner B's propensity to trust; trust is weighed against B's perceived risk to determine risk taking in the relationship and its outcomes; if trust does not exceed perceived risk, B searches for other, less risky partners. Based on Mayer, Davis and Schoorman's 1995 Model of Organizational Trust.
134 When will third-party assurance contracting occur? It will occur when:
- The strength of the signal can be detected
- The signal can turn into tangible benefits
- The total cost of purchasing the signal is less than the total expected direct and indirect positive outcomes
135 Web Site Assurance Seal Options
136 Better Business Bureau Online
- Private non-profit with a focus on voluntary self-regulation with regard to business policies, practices, advertising ethics, etc.
- Fee = f(number of employees)
- Membership = f(low customer complaints)
- Three seals: Reliability, Privacy, and Kids' Privacy
137 Better Business Bureau Online
- Privacy Seal involves verification that the website posts explanations of, and protects, information collection, uses, and choices available to the customer; agrees to an independent audit; and participates in the dispute resolution service
- Kids' Privacy Seal involves verification of parental consent, warnings and explanations, and restrictions on data collection, hyperlinking and sending
138 Web Site Assurance Seal Options: TRUSTe
- Private non-profit (Electronic Frontier Foundation)
- Focus on privacy policies (what, why, when, and choices available to customers, security utilized, etc.)
- Fee = f(revenues)
- Membership involves posting an easily visible privacy policy, minimizing customer complaints, and agreeing to compliance reviews
- Different rules for children under 13 years
139 Web Site Assurance Seal Options: TRUSTe, different rules for children under 13 years
- Need prior verifiable consent from parents
- Cannot use prizes or raffles to entice children
- Cannot let children publicly post personal information
- Any information collected can only be used for its original purpose
140 Web Site Assurance Seal Options: VeriSign
- Private for-profit (RSA Data Security, Inc. spin-off)
- Security focus utilizing digital certificates: transmitting with encryption, and authenticating message source/destination
- Three classes of certificates; Class 3 confirms business name, address, telephone numbers, domain name, and any other industry-deemed information
141 Web Site Assurance Seal Options: BizRate
- Private for-profit
- Weekly ratings of e-businesses on 10 dimensions: ease of ordering, product selection and information, price, website navigation and looks, shipping and handling, on-time delivery, product representation, level and quality of customer support, and privacy policy
- Monitors at point of sale and after the expected delivery date
- Provides company profiles: ordering, delivery and payment methods, special features, and whether or not VeriSign is utilized
142 Web Site Assurance Seal Options: WebTrust
- AICPA/CICA partnership
- Focus on business and information privacy and practices, transaction integrity, and information protection
- Provides services for B2C transactions, online privacy, ISPs, and certification authorities
- In partnership with VeriSign
- CPAs must be trained/approved to offer the seal
- Seal refreshed often (e.g., every 90 days or so)
143 Web Site Assurance Seal Options: WebTrust business and information privacy and practices
- Time frames for order fulfillment and backorder notice, delivery methods, payment terms and methods, cancellation and return procedures, full description of services, methods for information gathering and compiling, warranty and support information, and privacy policy details
144 Web Site Assurance Seal Options: WebTrust transaction integrity
- Controls exist for order acknowledgement, accuracy, completeness, and prompt delivery
- Current, accurate information on prices, backorders, billing, payments
- Prompt error corrections
- Maintenance of controls
145 Web Site Assurance Seal Options: WebTrust information protection
- Appropriate data encryption during transmission and storage
- Appropriate firewall mechanisms
- Customer notice of uses of private information
- Minimal use of customer information, by necessary employees only
- Virus prevention tactics
146 Web Site Assurance Seal Options: WebTrust Online Privacy Program (version 3.0)
- Reviews collection, storage and dissemination of customer information
- Checks compliance with the stated privacy policy
- Checks controls over privacy
- Checks the control environment
- Checks for monitoring of compliance with stated privacy procedures
147 AICPA's privacy criteria for WebTrust: Disclosures
- Kinds and sources of information collected/maintained
- Distribution to third parties
- Opportunities and consequences of opting out/in
- Methods to review, correct, and/or remove private information
- Use of cookies or other tracking methods
- Company contact information and methods
- Compliance with applicable laws, regulations or self-regulations
- Dispute resolution processes
- Methods to communicate changes in practices
148 AICPA's privacy criteria for WebTrust: Policies, Goals, and Objectives
- Notice, choice, access, security, enforcement and consumer recourse
- Employee buy-in and monitoring
- Accountability for the privacy policy has been assigned
- Adequate security of programs and data during backup, offsite storage and restoration processes
- Compliance with documented privacy objectives, policies, and standards
149 AICPA's privacy criteria for WebTrust: Security Procedures Related to Privacy
- Establish new users and authenticate authorized users, both internal and external
- Maintain accurate and complete user information and allow users to change, update, or delete contents
- Procedures to limit remote access to the internal network
- Encryption capabilities for sensitive/private data, transmitted and stored
- Private information is not disclosed to non-essential third parties unless customers are notified beforehand and the third party's privacy policies are consistent
- Customer permission is obtained before any data is stored, altered or copied to the customer's computer
- Procedures to inform customers of changes in privacy policies and allow them a choice
150 AICPA's privacy criteria for WebTrust: Monitoring/Performance Procedures and Measures
- Maintenance of security procedures for all e-commerce systems
- Maintenance of privacy policy disclosures with respect to current laws and regulations
- Updates and tests of the security incident policies whenever there are technology changes, network structure changes, or new information
- Effective monitoring and follow-up on all security breaches
151 Web Site Assurance Seal Options: WebTrust Seal for Internet Service Providers
- Ongoing web server and related technology configuration and maintenance
- Appropriate tailoring of the ISP's proprietary order-taking and fulfillment software
- Web server acquisition, configuration, and implementation
- Telecommunications security
- Internet firewall configurations, maintenance, and monitoring
- Web hosting
152 Web Site Assurance Seal Options: WebTrust Seal for Certification Authorities
- Business practices disclosure with regard to its key and certificate life-cycle management, and its business and information privacy practices
- Service integrity maintenance: subscriber information is properly authenticated and the integrity of keys/certificates is maintained
- Environmental controls on data shared with related parties, and on systems development, maintenance and operation
153 The assurance report contains the following paragraphs:
- Scope of engagement
- Responsibility for disclosures, controls and opinion rendered
- Compliance with attestation standards
- Disclaimer for non-detected fraud or errors
- Opinion
- Meaning of the WebTrust seal
- Disclaimer for quality of the corporation's goods or services
154 Web Site Assurance Seal Options: SysTrust
- AICPA/CICA partnership
- Focus on business-to-business trading relationships
- A reliable system is "one that is capable of operating without material error, fault, or failure during a specified period in a specified environment."
- Principles: availability, security, integrity, and maintainability
155 Figure 4-18 Comparison of seals (BBB Online, TRUSTe, BizRate, VeriSign, WebTrust, SysTrust) on cost, privacy, security, policy and transaction integrity. WebTrust and SysTrust are high-cost and cover every dimension; VeriSign covers security on transmission but not on storage; the remaining cell values are not recoverable from the slide.
156 Implications for the Accounting Profession: accountants need more expertise in
- Business processes, transaction processing integrity, information protection, and supporting internal controls
- New skills are needed: e-commerce technology skills; new assurance functions (continuous assurance, systems reliability, risk identification, impact analysis, website assurance); auditing through the computer; provision of e-commerce business solutions
- Maintaining their roles as independent, trusted third parties
157 Implications for the Accounting Profession: new knowledge is needed about
- Programming and operating systems
- Networks and authentication
- Firewalls and other security
- Certified Information Technology Professional (CITP) designation by the AICPA: business expertise in relevant areas, life-long learning in relevant areas, examination
- New consulting and international services: international taxation and regulation; alignment of business and e-commerce strategies; integration of internal systems with e-commerce systems; performing outsourced transaction processing; providing certification authority services
159 Chapter 5 The Regulatory Environment
160 The Regulatory Environment (chapter outline)
- Principal Players on the Internet
- Primary International and Legal Issues
- Cryptography Issues
- Privacy Issues
- Web Linking
- Internet Sales Tax
- Electronic Agreements and Digital Signatures
- Spam Mail
- Online Auctions and Content Filtering
- Implications for the Accounting Profession
161 Three Types of Internet Users: regulators, businesses, private citizens
162 Primary Regulation Issues
- Encryption
- Privacy
- Inappropriate web linking
- Domain name disputes
- Tax policies
- Electronic agreements
- Content responsibility of online auctions
- Which jurisdiction applies?
163 Cryptography
- Cryptography is a mathematical encoding that transforms readable messages into unreadable formats (ciphertext).
- Key length (size) determines the difficulty of cracking the code.
- Encryption is the coding; decryption is the decoding.
164 Cryptography Regulatory Issues
- Domestic use, importation and exportation rules; rules differ by country; the US is "looser" than China, Belarus, Kazakhstan and Pakistan
- Use of encryption by criminals, terrorists, and money launderers
- Ability of law enforcement to obtain decrypted forms of encrypted messages, either through a key recovery or a key escrow system
165 Cryptography
- Key escrow systems involve a central repository that contains all encryption keys.
- Key recovery systems have some mechanism that will provide authorized law enforcement agencies the ability to recover and use the key (e.g., a trusted third party).
- Issues: How will sufficient controls be created and maintained to protect citizens from law enforcement abuse of authority? How is it possible to enforce internationally?
- INTERPOL prefers a key recovery system.
166 Privacy of Private Citizens
- Information privacy: the right to have one's personal or business data kept confidential.
- Privacy groups: Center for Democracy and Technology, Electronic Frontier Foundation, Electronic Privacy Information Center, Privacy International, Privacy Rights Clearinghouse, Online Privacy Alliance
167 Figure 5-1 Percentage of US sites that post privacy policies and link them from home pages (Source: FTC, 2000). Post a privacy policy: 62% of the random sample, 97% of the most popular sites. Link the privacy policy from the home page: 76% of the random sample, 94% of the most popular sites.
168 Privacy of Private Citizens
- Federal Trade Commission (FTC) five core principles of privacy protection: notice, choice, access, integrity and security, enforcement
- Regulatory issues: self-regulation or government regulation? If government regulation, which one? Differences exist between countries (the US is "looser" than the European Union). How do we protect children's privacy?
169 Figure 5-2 Percentage of US sites that collect personally identifiable information and utilize the FTC principles, random sample versus most popular sites (Source: FTC, 2000). Notice: 55% vs. 89%; Choice: 50% vs. 67%; Access: 43% vs. 83%; Security: 74% for the most popular sites (the random-sample value is not recoverable from the slide); all four to some extent: 20% vs. 42%.
170 Figure 5-3 Percentage of US sites that collect personally identifiable information and implement choice options (Source: FTC, 2000). Random sample (detail of the 50% who offer choice): opt-in 25%, opt-out 71%, unclear 4%. Most popular sites (detail of the 67% who offer choice): 75%, 16%, 9%.
171 Privacy and Security, from the FTC's 2000 study
- Only 39% of the random sample (54% of the most popular sites) take steps to provide security during transmission.
- Only 29% of the random sample (48% of the most popular sites) take steps to provide security after receipt.
- Only 8% of the random sample (45% of the most popular sites) display some sort of privacy seal from an independent third party.
172 Children's Privacy Regulation: the FTC's 1998 study found that 89% of children's sites were collecting private information on children:
- E-mail and postal addresses
- Telephone numbers and Social Security numbers
- Age, date of birth, and gender
- Education
- Interests and hobbies
- Enticements such as prizes, raffles or contests are used often.
173 Children's Privacy Regulation: Children's Online Privacy Protection Act (COPPA, 2000). Websites directed towards children must:
- Post their privacy policies
- Get parental consent before collecting, using or disclosing personal information about a child
- Get new consent when privacy policies change in a material way
- Allow parents to review personal information collected
- Allow parents to revoke their consent and delete their information
174 Adults' Privacy Rights and the EU's Directive: the 1998 European Union Privacy Directive states that personal data on the Internet must be
- Collected only for a specified purpose
- Processed fairly and lawfully
- Kept accurate and current
- Destroyed after the stated purpose is fulfilled
Users have the right to access their information for correction, erasure or blockage, to choose to opt in or out, to oppose automated decisions, and to have judicial remedy and compensation.
175 EU Privacy Directive Affects US Companies Doing Business with the EU
- EU citizens have greater privacy rights than US citizens
- The US and the EU developed a "safe harbor" for US businesses in 2000: notice, choice, transfers to third parties, access, security, data integrity, enforcement
176 More on Privacy: Past and Current Events
- Toysmart.com selling its customer list
- More.com passed customers' prescription information to HealthCentral
- Carnivore, the FBI's Internet sniffing code: an argument with Earthlink.com exposed a high level of citizen monitoring
177 Web-Linking: legal problems occur when
- Inappropriately referencing a linked site
- Not referencing the site from which you copied information to your site
- Displaying another site's information without the original advertisements
- Unauthorized use of trademarks in metatags
- Unauthorized display of registered trademarks
178 Web-Linking and Defamation
- Defamation occurs when an individual makes a false statement about another individual or business that is damaging to their reputation.
- The issue: whose rights prevail? The right to free speech? The right to be safe from harassment?
- It's not black and white: can opinions be separated from facts?
179 Web Linking without Proper Referencing
- Linking using framing involves not carrying the original site's advertisements to the new site
- TotalNews case: copyright and trademark infringement, unfair competition, and wrongful interference
180 Web Linking using Metatags
- Corporations attempt to increase visits to their sites by putting well-recognized and often-queried trademarks in the HTML metatags that are labeled as keywords for search engines.
- Trademarks include words, names, symbols, logos, and graphical designs.
- Federally registered trademarks bear an ®.
181 Trademark Infringement: the trademark is displayed on the website without explicit permission granted by the owner of the trademark, and the trademark display causes either
- A likelihood of confusion: similarity to something else, malicious intent, actual evidence of confusion
- Or tarnishes the value of the trademark: association with inferior quality, alteration of the trademark, or representing the trademark in an attack
182 Linking to Illegal Files: downloading of copyrighted materials, such as music, increases your risk of litigation
- Napster cases
- MP3.com cases
183 Domain Name Disputes
- Top-level domains (e.g., .com, .org)
- Internet Corporation for Assigned Names and Numbers (ICANN): nonprofit organization
- Many domain name registrars, such as Network Solutions, Inc.
- 1999 Anticybersquatting Consumer Protection Act: does not allow domain names to be held hostage or used if they are established trademarks; does not allow similar or identical trademarks to share a domain name; changed domain name assignment from "first come, first served" to "who utilized the name for business purposes first"
184 Internet Sales Taxes
- It is an interstate taxation problem: which jurisdiction applies? There are over 30,000 tax jurisdictions in the US alone.
- 1998 Internet Tax Freedom Act: no state/local sales taxes on Internet services provision or use. Does not apply if the buyer and seller are in the same state and the seller has a corporate presence (if no corporate presence, then a use tax applies).
- A federal sales tax may be the only solution to this problem in the future.
185 International Tax Issues: different countries have different opinions and tax systems
- The European Union prefers a value-added tax, but still has to resolve different rates in different countries within the EU.
- China prefers sales taxes on Internet transactions.
- Corporate presence: differing definitions between countries.
- Global infrastructures: what if the company building is in one country, and the web server is in another?
- The Organization for Economic Cooperation and Development (OECD) is working on a global definition of physical presence.
186 Electronic Agreements and Digital Signatures
- The American Bar Association (ABA) details important aspects of digital signatures: signature and document authentication, affirmative act, efficiency
- 2000 Electronic Signatures Act (E-Sign): allows but does not require electronic signatures for international and interstate contracts; the electronic record should accurately reflect the written document information and stay accessible to all parties
- Excluded from E-Sign: wills, trusts, family matters such as divorce, transportation of hazardous materials, recalls of products, cancellation of insurance
187 1999 Uniform Electronic Transactions Act (UETA)
- National Conference of Commissioners on Uniform State Laws (NCCUSL)
- 22 states have adopted this attempt at a common standard, similar to E-Sign
- Provides standards for electronic contract acceptance, accuracy and integrity, enforcement, and electronic agents
188 1999 Uniform Computer Information Transactions Act (UCITA)
- National Conference of Commissioners on Uniform State Laws (NCCUSL)
- 2 states have adopted this attempt at a common business transactions standard
- Clarifies the UCC law in terms of computer information transactions
- Makes the law uniform among various jurisdictions
189 International Digital Signature Environment
- Many countries have passed digital signature laws: Argentina, Australia, Austria, Canada, Colombia, Estonia, the European Union, Finland, Germany, Hong Kong, Ireland, Japan, Malaysia, the Philippines, Singapore, Switzerland
- Many more are currently in process.
190 Spam
- Spam mail is the mass sending of unsolicited advertisements.
- Addresses may be purchased lists or may be retrieved by intelligent agents.
- The cost of sending spam is very low; the cost to recipients, in network load, is high.
191 Online Auctions and Content Filtering: what does an e-marketplace do when found to be supporting "unethical" transactions?
- Filter (censor) incoming packets
- Filter (censor) outgoing packets depending on the recipient (IP information such as country code)
- Who should determine the limits? Website owners? Website users? Government regulation?
192 Implications for the Accounting Profession: expansion of legal skill sets, resources and services is warranted by
- Increased liability exposures: taxation, privacy, intellectual property, cryptography, digital signatures, acceptable business practices
- New liability exposures
- More complex risk assessments
- Changing legal and regulatory environments
- Increased opportunities for new services: consulting in system design; certificate authority role in society
194 Chapter 6 EDI, Electronic Commerce, and the Internet
195 EDI, Electronic Commerce and the Internet (chapter outline)
- Traditional EDI Systems
- Value Added Networks (VANs)
- Financial EDI
- EDI Systems and the Internet
- XML and XBRL for Web-Based EDI
- Implications for the Accounting Profession
196 What is EDI? EDI refers to the exchange of electronic business documents between applications. EDI characteristics:
- Identified trading partners
- Expensive initial investments
- Dedicated leased line or utilization of a Value Added Network
- Standard, inflexible data sharing (US standard: ANSI X12; UN standard: EDIFACT)
- Batch connectivity
- Low transaction costs
197 EDI Growth
- During the 1990s, EDI use grew 30% each year; currently growing at 15% per year
- 1999 total EDI transaction value: $3 trillion; estimated 2003 value: $4 trillion
198 Buying Company and Selling Company, non-EDI
- Buyer: 1) Identify need (purchase requisition); 2) Research vendors (vendor file); 3) Select vendor; 4) Place order (purchase order)
- Seller: 5) Receive purchase order; prepare sales order, check credit, and check inventory; 6) Pick and ship inventory (shipping notification, bill of lading)
- Buyer: 7) Receive inventory (verify accuracy)
- Seller: 8) Prepare and send invoice
- Buyer: 9) Receive invoice; 10) Prepare check and remittance advice; 11) Mail check and
- Seller: 12) Receive payment; prepare deposit and update records
199 Buying Company and Selling Company, partial EDI (the purchase order, step 4 to step 5, is exchanged via EDI)
- Buyer: 1) Identify need; 2) Research vendors; 3) Select vendor; 4) Place order
- Seller: 5) Receive purchase order; prepare sales order, check credit, and check inventory; 6) Pick and ship inventory (shipping notification, bill of lading)
- Buyer: 7) Receive inventory (verify accuracy)
- Seller: 8) Prepare and send invoice
- Buyer: 9) Receive invoice; 10) Prepare check and remittance advice; 11) Mail check and
- Seller: 12) Receive payment; prepare deposit and update records
200 Buying Company and Selling Company, full EDI (documents exchanged between the companies flow via EDI)
- Buyer: 1) Identify need; 2) Research vendors; 3) Select vendor; 4) Place order
- Seller: 5) Receive purchase order; prepare sales order, check credit, and check inventory; 6) Pick and ship inventory (shipping notification, bill of lading)
- Buyer: 7) Receive inventory (verify accuracy)
- Seller: 8) Prepare and send invoice
- Buyer: 9) Receive invoice; 10) Prepare check and remittance advice; 11) Mail check and
- Seller: 12) Receive payment; prepare deposit and update records
201 What are VANs? Value Added Networks (VANs)Third-party network services EDI translation software Security assurances Independent audit trails Reliable transmission (redundant systems) EDI systems development assistance Employee training Exact, explicit contracts with trading partners Authorized data sharing
202 Figure 6-5 ANSI ASC X12 translationPurchase Order Sales Order Outbound Translation Inbound Company X Company Y Company Z . ASC X12 Format
203 Figure 6-6 ANSI ASC X12 formattingInterchange Control Header – electronic envelope Functional Group Header – type of document Transaction Set Header – specific document Data Segment Header – fields identified Data Elements – contents of field Data Segment Footer – end of fields Transaction Set Footer – end of document Functional Group Footer – end of document set Interchange Control Footer – close the envelope
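The nested envelopes in Figure 6-6 are what a receiving system (or a VAN building its audit trail) can check before any document is handed to an application. The following is an added example, not code from the textbook: it walks an X12 interchange using the standard segment tags (ISA/IEA for the interchange envelope, GS/GE for the functional group, ST/SE for the transaction set), confirms that every footer's control number matches its header, and confirms that the counts carried in the footers agree with what was actually received. The sample interchange and trading partner names are constructed.

```python
"""Validate the ASC X12 envelope nesting described in Figure 6-6."""
from dataclasses import dataclass, field

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"


@dataclass
class EnvelopeReport:
    interchange_control: str = ""
    transaction_sets: list = field(default_factory=list)  # (set id, control no.)
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def split_segments(raw: str) -> list:
    """Split raw X12 text into segments, each a list of data elements."""
    segments = []
    for seg in raw.replace("\n", "").split(SEGMENT_TERMINATOR):
        seg = seg.strip()
        if seg:
            segments.append(seg.split(ELEMENT_SEPARATOR))
    return segments


def _el(seg: list, i: int) -> str:
    """Element i of a segment, or "" when the segment is too short."""
    return seg[i] if len(seg) > i else ""


def _count(value: str) -> int:
    """Footer counts must be numeric; anything else is reported as -1."""
    return int(value) if value.isdigit() else -1


def validate_envelope(raw: str) -> EnvelopeReport:
    rep = EnvelopeReport()
    segs = split_segments(raw)
    if not segs or segs[0][0] != "ISA" or segs[-1][0] != "IEA":
        rep.errors.append("interchange must open with ISA and close with IEA")
        return rep
    isa = segs[0]
    if len(isa) != 17:  # ISA tag plus the 16 fixed elements ISA01..ISA16
        rep.errors.append(f"ISA carries {len(isa) - 1} elements, expected 16")
        return rep
    rep.interchange_control = isa[13]  # ISA13: interchange control number

    groups = 0          # functional groups closed so far
    open_group = None   # GS06 control number of the group being read
    sets_in_group = 0
    open_set = None     # (ST01 transaction set id, ST02 control number)
    segs_in_set = 0

    for seg in segs[1:-1]:
        tag = seg[0]
        if open_set is not None:
            segs_in_set += 1  # SE01 counts every segment from ST through SE
        if tag == "GS":
            if open_group is not None:
                rep.errors.append("GS opened while a group is still open")
            open_group, sets_in_group = _el(seg, 6), 0
        elif tag == "ST":
            if open_group is None:
                rep.errors.append("ST outside a functional group")
            open_set, segs_in_set = (_el(seg, 1), _el(seg, 2)), 1
        elif tag == "SE":
            if open_set is None:
                rep.errors.append("SE without a matching ST")
                continue
            if _el(seg, 2) != open_set[1]:
                rep.errors.append(f"SE control {_el(seg, 2)} != ST control {open_set[1]}")
            if _count(_el(seg, 1)) != segs_in_set:
                rep.errors.append(f"SE count {_el(seg, 1)} != {segs_in_set} segments received")
            rep.transaction_sets.append(open_set)
            open_set, sets_in_group = None, sets_in_group + 1
        elif tag == "GE":
            if open_group is None:
                rep.errors.append("GE without a matching GS")
                continue
            if _el(seg, 2) != open_group:
                rep.errors.append(f"GE control {_el(seg, 2)} != GS control {open_group}")
            if _count(_el(seg, 1)) != sets_in_group:
                rep.errors.append(f"GE count {_el(seg, 1)} != {sets_in_group} sets received")
            open_group, groups = None, groups + 1

    if open_set is not None:
        rep.errors.append("transaction set not closed by SE")
    if open_group is not None:
        rep.errors.append("functional group not closed by GE")
    iea = segs[-1]
    if _el(iea, 2) != rep.interchange_control:
        rep.errors.append(f"IEA control {_el(iea, 2)} != ISA control {rep.interchange_control}")
    if _count(_el(iea, 1)) != groups:
        rep.errors.append(f"IEA count {_el(iea, 1)} != {groups} groups received")
    return rep


# Constructed sample: one 850 purchase order from COMPANYX to COMPANYY.
GOOD_INTERCHANGE = (
    "ISA*00*          *00*          *ZZ*COMPANYX       *ZZ*COMPANYY       "
    "*200101*1200*U*00401*000000001*0*T*>~"
    "GS*PO*COMPANYX*COMPANYY*20200101*1200*1*X*004010~"
    "ST*850*0001~"
    "BEG*00*SA*PO12345**20200101~"
    "SE*3*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)
# The same interchange with the BEG segment lost in transit; SE01 still says 3.
TRUNCATED_INTERCHANGE = GOOD_INTERCHANGE.replace("BEG*00*SA*PO12345**20200101~", "")
```

The count and control-number checks are deliberately redundant with each other: a dropped or duplicated segment changes the count, while a substituted transaction set or a re-sent interchange changes the control numbers, so either kind of damage is reported with the envelope level at which it occurred.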
204 EDI in practice
FACNET (Federal Acquisition Computer Network):
- Better information with fewer resources consumed
- More contracting opportunities with customers
- Taxpayers realize greater return
AVNET (Aviation Network Project):
- Increased productivity with eliminated steps
- Better information and cash management
- Improved trust and relationship with partners
Lessons learned:
- Top management support is essential
- Quality application development
- Strong audit and control procedures
- Industry standards
205 Figure 6-7 Department of Defense sample transaction sets
Transaction sets exchanged with a trading partner:
- Request for Quotation (840)
- Response to RFQ (843)
- Purchase Order (850)
- PO Acknowledgment (855)
- PO Change (860)
- PO Change Acknowledgment (865)
- Contract Award (838)
- Project Cost Reporting (839)
- Order Status Inquiry (869)
- Order Status Report (870)
- Shipping Schedule (862)
- Shipping Notice (858)
- Receiving Advice (861)
- Material Safety Data Sheet (848)
- Invoice (810)
- Payment Order (820)
206 What are the Advantages of EDI?
- Lower processing costs
- Tighter relationships between suppliers and customers
- Lowered error rates
- Decreased lead and cycle times
- Decreased inventory shortages and problems
- Increased product differentiation
- Better information for all trading partners
207 What is Financial EDI?
Financial EDI is the electronic exchange of payments, payment-related information, or financially related documents in standard formats between established business partners.
- Automated Clearing House (ACH) network between financial institutions for electronic payments
- Large cost savings over paper checks
- Faster access to funds (loss of float for payor)
208 Figure 6-8 Trends and Statistics about Financial EDI
During the 1990s:
- ACH payments increased from $1.5 to $6.25 billion
- Debit card payments increased from $188 million to almost $7 billion
- Direct deposit of payroll increased from 10% to 56%, with more than $3 billion in direct deposits made in 1999
- Almost $2 billion in consumer bills were paid electronically, saving consumers $600 million in postage
- The federal government made 96% of payroll payments and 76% of social security payments by direct deposit
- The federal government's electronic federal tax payment system has more than 3 million businesses enrolled and collected more than $1.3 trillion in 1999
- 90% of all dollars that move through payment systems do so electronically
209 Figure 6-9 The ACH network
Payor (Originator) -> Originator's Financial Institution -> Automated Clearing House -> Receiver's Financial Institution -> Payee (Receiver)
- The payor sends transaction data (amount and remittance advice) with authorization to transfer funds electronically
- The transaction data is forwarded through the ACH; funds are made available to the payee
- Statements are returned to the parties
210 EDI Systems and the Internet
Utilizing the Internet (involving browsers and a markup language, e.g., HTML) for electronic transactions:
- Much lower initial investment costs
- More connectivity: greater sharing and tracking of data
- Allows for new partners
- More flexibility with XML
- Creates serious security concerns
  - Risk of lost or sniffed packets
  - Loss of third-party audit trails and authentication
- Electronic Data Interchange over the Internet (EDIINT) is currently defining standards for encryption and digital certificates
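The two losses named above, third-party authentication and an independent audit trail, are services the VAN provided and the receiving application must now provide for itself. The following added example (not code from the textbook or from the EDIINT standards) shows that receiver-side discipline: the sender tags each interchange with an HMAC-SHA256 under a key shared with that trading partner, and the receiver verifies the tag, rejects replays of an already accepted control number, and records every outcome. EDIINT uses digital certificates and signatures rather than a shared key; the shared key is an assumption made so the example needs only the standard library. Partner names, the secret and the payload are constructed.

```python
"""Origin authentication and an audit trail for EDI carried over the Internet."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed per-partner secrets; assumption: exchanged out of band.
PARTNER_KEYS = {"COMPANYX": b"constructed-secret-shared-with-company-x"}


def origin_tag(key: bytes, partner: str, control: str, payload: bytes) -> str:
    """HMAC over partner id, control number and payload, NUL-separated so
    the fields cannot be shifted into one another."""
    msg = b"\x00".join([partner.encode("ascii"), control.encode("ascii"), payload])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def send_interchange(partner: str, control: str, payload: bytes) -> dict:
    """Sender side: the message as it would travel over the Internet."""
    return {
        "partner": partner,
        "control": control,
        "payload": payload.decode("ascii"),
        "tag": origin_tag(PARTNER_KEYS[partner], partner, control, payload),
    }


class EdiReceiver:
    def __init__(self, keys: dict):
        self.keys = keys
        self.seen = set()      # (partner, control) pairs already accepted
        self.audit_log = []    # one entry per received message, accepted or not

    def receive(self, msg: dict) -> bool:
        partner = msg.get("partner", "")
        control = msg.get("control", "")
        payload = msg.get("payload", "").encode("ascii", "replace")
        key = self.keys.get(partner)
        if key is None:
            result = "rejected: unknown trading partner"
        elif not hmac.compare_digest(
                origin_tag(key, partner, control, payload), msg.get("tag", "")):
            result = "rejected: origin tag does not verify"
        elif (partner, control) in self.seen:
            result = "rejected: duplicate interchange control number"
        else:
            result = "accepted"
            self.seen.add((partner, control))
        self.audit_log.append({
            "received_at": datetime.now(timezone.utc).isoformat(),
            "partner": partner,
            "control": control,
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            "result": result,
        })
        return result == "accepted"


# Constructed payload standing in for a translated X12 transaction set.
SAMPLE_PAYLOAD = b"ST*850*0001~BEG*00*SA*PO12345**20200101~SE*3*0001~"


def demo() -> list:
    """One genuine delivery, one altered copy, then a replay of the genuine one."""
    receiver = EdiReceiver(PARTNER_KEYS)
    genuine = send_interchange("COMPANYX", "000000007", SAMPLE_PAYLOAD)
    altered = dict(genuine, payload=genuine["payload"].replace("850", "810"))
    outcomes = [receiver.receive(genuine), receiver.receive(altered), receiver.receive(genuine)]
    return [(ok, entry["result"]) for ok, entry in zip(outcomes, receiver.audit_log)]
```

The audit record stores a hash of the payload rather than the payload itself, so the log can be kept and reviewed separately from the business documents; the control number is bound into the tag so that a valid tag from one interchange cannot be transplanted onto another.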
211 Figure 6-10 Comparison of EDI systems
Plotted by sharing of data against connectivity, from lowest to highest:
- Non-EDI systems
- Fully integrated EDI
- Partially Web-based EDI
- Full Web-EDI with intelligent agents
212 EDI-Web Browser Translation Software
- Many VANs provide services; low-cost example: Harbinger's Express
- XML is eXtensible Markup Language
  - Provides a universal data format
  - Allows data objects to be serialized into text streams
  - Is easy to parse, so it can be used to pass data between processes
  - Allows for custom tags, which can be passed easily over a variety of network protocols
  - Has companion standards to support browser presentation, hyperlinks, and querying
Source: Jonathon Rich, Cambridge Technology Partners, June 1999
213 Figure 6-11 Web-Based EDI translation and VANs
Small business with a web browser:
- Selects forms from a library of Web-based forms
- Data sent and received as web-browser forms
- Ability to customize forms and applications
Large business using EDI:
- Data sent and received as ASC X12
The VAN provides the library of Web-based forms with two-way EDI translation capabilities.
214 Standardized Document Type Definitions (DTDs)
- Xschema: from the W3C for vertical industries
- adXML: to automate the online advertising market
- AIML: astronomical instrument markup language used by NASA
- cmdXML: for construction and manufacturing distribution data exchange
- RIXML: Research Information Exchange Markup Language for financial services firms
215 Figure 6-12 Characteristics and benefits of XML/EDI
XML brings:
- Tagging standard
- A standard frame to exchange data of different natures
- Search techniques
- Linking + reference
- Multimedia
- World Wide Web
- Authoring tools
EDI brings:
- Business language
- Script attachment
- Business processes
- Transaction validation
- Trading partner profiles
- Logging + archiving
- Acknowledgements
- Application APIs
- Transaction expertise
XML + EDI = XML/EDI: so the information, be it transaction data or not, can be used to improve each business' competitive advantage.
216 XBRL and EDI
XBRL is eXtensible Business Reporting Language:
- Based on XML
- Goal is to provide a standard for the exchange of financial information, such as annual and quarterly financial statements, general ledger information and audit schedules
- For highly aggregated data
- Currently being tested by 6 global Fortune 1000 firms
217 XBRL and EDI
- XBRL specification: definition, taxonomies, and how to build XBRL instance documents
- XBRL schema: the physical XSL and DTD files that express how instance documents and taxonomies are to be built
- XBRL taxonomy: the vocabulary or dictionary created by a group
- XBRL instance document: a business report prepared to the XBRL specification
218 Elements of Insight.com's Web/EDI solution
- Real-time EDI inventory links with suppliers
- Integrated delivery links with FedEx
- Web-based sales
219 Figure 6-14 Insight's Web-based ordering system (Internet-EDI illustration)
- Home shoppers and business shoppers use the Web site for price quotes, item searches, credit card payments, account history, and tracing shipments
- Insight's computer inventory system and customer database exchanges inventory data with the suppliers' inventory database and order data with the suppliers
- 94% of all sales are drop-shipped goods; Insight's warehouse handles 6% of all shipments
- Shipping data flows to Insight's shipper, FedEx
220 Implications for the Accounting Profession
EDI/Internet solutions increase the demand for accountants to know:
- How the audit has become more complex
- The risks surrounding Internet business processes
- Reliance on data from the Value Added Network
- Trading partners' data integrity and system reliability
- Encryption of data
- Authentication of trading partners
- Digital signatures and nonrepudiation
- Firewalls
222 Chapter 7 Risks of Insecure Systems
223 Risks of Insecure Systems
- Overview of Internet Transaction Risks
- Internet and Intranet Risks
- Risks from Transferring Data Between Business Partners
- Risks from Confidentially Maintained Archival, Master, or Reference File Data
- Viruses and Malicious Code Overflows
- Implications for the Accounting Profession
224 The Paradox
- Open systems and personalization
- Privacy and security
225 It's a risk-filled environment!
On the Internet, real businesses and real customers meet:
- False businesses and false customers
- Unauthorized ears: the listening perpetrators
- Unauthorized actions: the active perpetrators
227 What is risk?
Risk is defined as: the possibility of loss of confidential data or the destruction, generation, or use of data or programs that physically, mentally, or financially harm another party, and may harm the hardware as well.
A threat is defined as: anyone or anything, internal or external, foreign or domestic, state-sponsored or acting independently, with the capability, technology, opportunity, and intent to do harm.
228 2000 CSI/FBI study results
For frequent attacks:
- 59% report the Internet as the source
- 38% report internal systems as the source
- External attacks are increasing
- External hackers are looking to probe internal systems; compromise trade secrets, documents, and messages; and introduce viruses
- Average loss is approximately $1 million
229 2000 CSI/FBI study results: security technologies used
Security technology / % of firms using it
- Anti-virus software: 100%
- Access control: 92%
- Physical security: 90%
- Firewalls: 78%
- Encrypted files: 62%
- Reusable passwords: 54%
- Encrypted login: (value not recoverable from the slide)
- Intrusion detection: 50%
- PCMCIA: 39%
- Digital IDs: 36%
- Biometrics: 8%
230 2000 CSI/FBI study results: computer crimes
Crime / number of firms reporting costs / average cost for 2000
- Active wiretapping: 1 / $5,000,000
- Theft of proprietary information: 22 / $1,136,409
- Unauthorized insider access: 20 / $1,000,050
- Financial fraud: 34 / $617,661
- Sabotage of data or networks: 28 / $535,750
- System penetration by outsider: 29 / $172,448
- Insider abuse of Internet access: 91 / $164,837
- Telecom fraud: 19 / $157,947
- Denial of service attack: 46 / $108,717
- Virus: 162 / $61,729
- Telecom eavesdropping: 15 / $33,346
- Laptop theft: 174 / $6,899
231 What are the risks to online customers?
- Malicious web sites that steal IDs and credit card information
- Man-in-the-middle attacks to steal information or spy on/steal files from the PC
- Hacking into customer data stored on the seller's or ISP's web server
- Cookies used for more than personalization
  - Personalization has the benefits of decreasing search time and eliminating personal data re-entry
  - Beware of party-line businesses (DoubleClick)
232 Cookies
- Initial visit: the web site visited (host) assigns a cookie ID, stored in cookie.txt on the user's machine (client)
- Subsequent visits: the party line (DoubleClick) retrieves your data from all their associated sites as you surf the Web
233 What are the risks to online selling agents?
- Customer impersonation
- False ordering techniques
- Denial of service attacks
- Distributed denial of service attacks
- Data theft: 24% reported to CSI/FBI losses of proprietary information, at an average cost of $1 million
234 Denial of Service: "SYN-ACK" Attacks
- Step 1: the sender(s) send SYN messages to the target of the attack
- Step 2: the target replies SYN/ACK; ports are half-opened and memory buffers are filled
- Step 3: the ACK packet is not sent; ports cannot be used until the session request times out
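The symptom of the three-step sequence above is a listening port that accumulates connections stuck waiting for the final ACK. The following added example (not code from the textbook) reads a constructed, netstat-like connection table and counts the half-open (SYN_RECV) entries per listening port, raising an alert when a port exceeds a threshold; the threshold, the column layout and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Spot half-open TCP connections building up on a listening port."""
import re
from collections import Counter

# Constructed connection table: columns are proto, recv-q, send-q,
# local address:port, remote address:port, state.
SAMPLE_CONN_TABLE = """\
tcp  0  0  10.0.0.5:80   198.51.100.7:40001   ESTABLISHED
tcp  0  0  10.0.0.5:80   203.0.113.9:51000    SYN_RECV
tcp  0  0  10.0.0.5:80   203.0.113.17:51001   SYN_RECV
tcp  0  0  10.0.0.5:80   192.0.2.44:51002     SYN_RECV
tcp  0  0  10.0.0.5:80   192.0.2.45:51003     SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.88:51004  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.89:51005  SYN_RECV
tcp  0  0  10.0.0.5:443  198.51.100.7:40002   ESTABLISHED
tcp  0  0  10.0.0.5:443  203.0.113.9:51100    SYN_RECV
tcp  0  0  10.0.0.5:22   198.51.100.7:40003   ESTABLISHED
"""

LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_connections(table: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            rows.append(row)
    return rows


def half_open_by_port(table: str) -> Counter:
    """Count SYN_RECV entries per local listening port."""
    return Counter(r["lport"] for r in parse_connections(table) if r["state"] == "SYN_RECV")


def half_open_sources(table: str) -> Counter:
    """Per-source counts of half-open connections. Weak evidence on its own,
    since the source addresses on a flood are usually forged, but it shows
    whether the load appears to come from one host or from many."""
    return Counter(r["raddr"] for r in parse_connections(table) if r["state"] == "SYN_RECV")


def syn_flood_alerts(table: str, threshold: int = 5) -> list:
    """Ports whose half-open count reaches the threshold, highest count first."""
    return sorted(
        ((port, n) for port, n in half_open_by_port(table).items() if n >= threshold),
        key=lambda pn: -pn[1],
    )
```

Counting per listening port rather than per source is the point: the half-open table is what fills up on the target, and that number is honest even when every source address in it is false.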
235 Intranet-Associated Risks, part 1
- Maintenance and security are difficult: USPS has 35,000 locations with 10,000 networks and 800,000 employees
- 25% of firms report incidents to the authorities
  - 52% cite fear of negative publicity and don't report
  - 39% cite fear that a competitor would exploit the information about the incident if they reported
- Sabotage by former employees: 81% believe this type of attack is likely
- Threats from current employees: 71% experienced unauthorized accesses
- Internal control systems are easy on top managers
- Negligent hiring is the cause of most risk: do background checks and credit checks
236 Figure 7-6 Internal controls, override capability, and organizational hierarchy
From operational-level employees through middle-level managers to top-level managers, the number of control mechanisms decreases while the ability to override controls increases.
237 Intranet-Associated Risks, part 2
- Sniffers
  - Can be downloaded for free
  - Virtual private networks (VPNs) are at risk if a session key has been obtained
  - 38% of B2C and 56% of B2B utilize VPNs
- Financial fraud
- Downloading of data: unauthorized access and copying of data can be reduced through user access control tables
- Spoofing: posing as another valid Intranet user
- Social engineering: posing as a valid Intranet IT staff person
238 What are Extranets?
Extranets are group networks that connect business partners with the following traits:
- Higher levels of data sharing
- That cross corporate boundaries
- Meshing different corporate cultures and systems of controls
Extranet's weakest link: employees with access, and unencrypted data stored on Web servers
Source: Whatis.com
239 Figure 7-7 Intranets, Extranets, and the Internet
Company A's Intranet, Company B's Intranet, Company C's campus network and a government agency network are linked through ISPs to the Internet; individual subscribers connect through the ISP as well. The Extranet is the portion shared among the partner companies' intranets.
240 What are the risks associated with Extranets?
- Data interception
- Lack of message origin authentication
- Lack of proof of delivery
- Lack of verification of message integrity
- Unauthorized viewing of messages
- Untimely delivery of messages
241 What are the risks associated with archival, master and reference file data?
- Weaknesses in firewall architecture or functionality
- Destruction of data
- Alteration of data
- Unauthorized use of data
- Alteration of applications
242 Firewall controls
Internet -> Firewall, level 1 -> Web server for most data transactions -> Firewall, level 2 -> Access controls -> Web server for sensitive data transactions
243 What is a virus?
A virus is malicious programming that:
- Replicates itself
- Is an unauthorized parasite on program or macro code
- Performs unrequested and oftentimes destructive acts
Viruses can infect:
- Boot sectors
- Executable files
- Macro templates or macros
Viruses can act at once, act at a later time, or act over a period of time.
244 Special types of viruses
- Trojan horses
  - Do not replicate (which makes them harder to detect)
  - Attach themselves to a seemingly legitimate program or file
- Hoaxes
  - Usually e-mails that ask you to send them on to others (claiming a false FCC issuance)
  - Clog up systems to deny service quality
- Buffer overflows
  - Exploit holes in the resource handling section of operating systems, e.g., by writing too many characters into a word buffer array
  - Can crash your system
245 Implications for Accounting Professionals
Accountants need to understand the new risks associated with networked systems:
- The configuration and Internet-working infrastructure, including all data access methods
- The exact number of intranets, servers, and Internet gateway servers
- The data processing at each Intranet and Internet piece (including VANs), assessing the integrity and reliability of each system
- The security methods employed over each of the Intranets, and the location and configuration of all firewalls
- Which Intranets are within the domain of the audit engagement
247 Chapter 8 Risk Management
248 Risk Management
- Risk Management Paradigm and Methodology
- Control Weakness versus Control Risk
- Role of the Internal Control System
- Disaster Recovery Plans
- Implications for the Accounting Profession
249 What is risk management?
Risk management is a methodology for:
- Assessing the potential of future events that can cause adverse effects
- Implementing cost-efficient strategies that can deal with these risks
Only 16% of firms conduct a risk analysis of future civil liability from customers, partners and stockholders (CSI/FBI Survey, 2000).
250 What is a control weakness? How does it differ from control risk?
- A control weakness exists when a risk is present, the relevant controls are missing, and the cost of the control for that risk is less than the expected benefits.
- Control risk is the uncertain expectation that the cost of the risk-relevant controls would exceed the expected benefits.
- Residual risk is the inherent risk that will always exist due to unpredictable events.
251 Figure 8-1 Control weakness or control risk?
Risk level (low to high) is plotted against cost of controls (low to high). The regions are:
- Clear weakness
- Security gap: when practices don't follow policy
- Control weakness or control risk?
- Allowable risk
- Inherent control risk
252 Human Aspects of Internal Controls
- Social controls are the internal controls placed on human employees and stakeholders.
- Culture management is the management system of social controls.
- Major human risks: bad judgment, errors, fraud, and virus damage
- Excessively tight social controls create new risks: inefficient operations, reduced flexibility, excessive control costs and a negative culture.
253 Figure 8-2 Characteristics of good risk management controls
- Redundancy: combining passive and active, formal and informal, preventative policies and audits
- Consistency: policies are modeled by management, supported by redundant controls
- Clearly written policies that are widely communicated and enforced
- Fairness in perception and application across individuals
- Not too detailed nor too restrictive
- Not a replacement for trust in employees
- Helpful rather than adversarial or punitive
- Two-way communication channels for risks, incidents and opportunities
- Supportive of valid organizational learning
Source: FEI, 1997
254 Figure 8-3 Risk Management Paradigm
A cycle around a communication network:
1. Identify
2. Analyze: assess probabilities and priorities
3. Plan: assign available resources
4. Monitor: tracking devices
5. Control: corrective actions, proactive vs. reactive
Source: adapted from SEI's Risk Management Paradigm
255 What are the objectives of disaster recovery planning?
- Assessment of vulnerabilities
- Prevention and reduction of risk: continuous improvement as the system changes
- Creation of cost-effective solutions
- Minimization of business interruption and assurance of business continuity
- Securing alternative Internet access models
- Recovery of lost data
- Providing disaster recovery procedures
- Training employees for disaster recovery scenarios
- End-to-end recovery for e-Commerce applications
256 What are second site backup alternatives?
The goal is continuation of services, so test with drills! 47% of companies want 24-hour recovery.
- Internal extra capacity within the company
- Mutual aid pact between companies with excess capacity and compatible platforms
- Cold site / crate and ship: leased space and contingent contracts with vendors
- Hot site / remote mirroring: owned or leased space with a running platform; remote mirroring has the data backups already loaded
257 Implications for the Accounting Profession
Accountants need strong skills in:
- Risk assessment of the Internet, Intranets, and the effects of trading partners' systems
- Internal controls for Internet and Intranet processes and storage
- Understanding the effects of changes in the environment, the organization and in technologies
258 Internal Control
Internal control is an ongoing management process designed to provide reasonable assurance concerning:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
This involves risk assessment, and the design, implementation and maintenance of internal controls.
259 Internal Control Framework (COSO, 1992)
- Understanding your environment
- Assessing your risks
- Your culture: policies/procedures
- Your information and communication
- Monitoring your organization
260 Internal Control
Environment:
- Management integrity, ethical values, competence, philosophy, operating style, assignment of authority and responsibility, and human resource policies and practices
- Attentiveness and directives from the Board of Directors and the Audit Committee
Risk assessment:
- External factors: new technologies, new competitor strategies, new regulations, natural disasters, and the world economy
- Internal factors: IS disruptions, ineffective personnel, management weaknesses or changes, and inadequate access controls
Control activities: general and application controls
Information and communication systems
Monitoring, with documentation of incidents
261 Internal Control Activities
General controls:
- Data center controls
- System software controls
- Access security
- Application system development and maintenance controls
Application controls:
- Sales order processing
- Accounts payable
- Accounts receivable
- Cash disbursements
- Fixed asset management
- Payroll
- Human resources
- Purchasing
- Production
- Cost accounting
- Marketing
263 Chapter 9 Internet Standards, Protocols, and Languages
264 Internet Standards, Protocols, and Languages
- The Role of Standards
- The Global Environment and Standard Setting
- Standard-Setting Issues, Committees, Structures and Interfaces
- Internet Protocols and Languages
- Implications for the Accounting Profession
265 What are some of the amazing aspects of the Internet?
- Tremendous size and use
- High growth rate
- Interconnection of different hardware, software, telecommunications, multiple cultures and languages
- Lack of designated ownership
How is this possible? Because of common, agreed-upon standards for development and operation.
266 Figure 9-1 Time line of major standard setting bodies and internet societies
Events on the timeline (dates not recoverable from the extracted slide): ANSI founded; ANSI's ASC X12 founded; IETF and IRTF founded; National Bureau of Standards founded (renamed NIST); WWW functioning; NII/GII founded; ISOC founded; OBI founded; ISO founded; IAB founded; UN/EDIFACT standard approved; WWW prototyped; W3C founded; CEFACT founded; migration started.
267 Internet Standards: ANSI
- ANSI: American National Standards Institute
  - Private nonprofit organization
  - Voluntary consensus standard-setting process
- ASC: Accredited Standards Committee, 1979
  - X12: uniform data standards for interindustry EDI
  - Has developed over 275 standard transaction sets
268 Internet Standards: UN/EDIFACT
United Nations / Electronic Data Interchange for Administration, Commerce, and Transport
- Challenges the US ASC X12 data standard
- Is used throughout the world
- ASC X12 is migrating towards UN/EDIFACT
- XML and XBRL are encouraging possibilities for new common standards
269 US and International Standard Setting Bodies
- UN ECE: United Nations Economic Commission for Europe
- CEFACT: Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transport; goal: to simplify business processes and procedures
- ISO: International Organization for Standardization, over 120 member countries; goal: to encourage and enhance global trade
- NIST: National Institute of Standards and Technology
270 Figure 9-2 Relationships among major standard-setting bodies
- UN/ECE and ISO maintain technical liaisons; CEFACT sits under UN/ECE
- ANSI is a permanent council member and technical management board member of ISO; ASC X12 is a member of ANSI
- NIST maintains liaisons with ANSI and ISO
- Regional EDIFACT coordinators (rapporteurs) under CEFACT: Africa, Asia, Australia & New Zealand, East & Central Europe, West Europe, Pan America
271 Internet Specific Committees
- ISOC: Internet Society; nongovernmental, international nonprofit with voluntary, consensus standard-setting processes
  - IAB: Internet Architecture Board
  - IETF: Internet Engineering Task Force
  - IESG: Internet Engineering Steering Group
  - IRTF: Internet Research Task Force
  - RFC: Requests for Comments on new protocols
- ICANN: Internet Corporation for Assigned Names and Numbers
  - Responsible for domain registration functions
  - Passed new extensions in November 2000: .biz, .info, .name, .pro, .museum, .aero, and .coop
272 Figure 9-3 ISOC, IAB, and related committees
The IAB nominates the IESG members, appoints the IETF chair and the IRTF chair, and maintains a liaison with the RFC Editor; the IETF chair, IRTF chair and RFC Editor take part in IAB meetings.
273 World Wide Web Specific Committees
- W3C: World Wide Web Consortium
  - Seed funded by DARPA, CERN, UN/ECE
  - Goal: to lead the advancement of the Internet through common protocols to ensure its interoperability
- OBI: Open Buying on the Internet
  - Group of Fortune 500 companies
  - To encourage the B2B marketplace on the Web
- GIIC: Global Information Infrastructure Commission
  - Communication link between organizations and committees
  - Strong ties with the World Bank and industry leaders
  - Reducing the digital divide is one of its lead projects
274 Figure 9-4 Levels of access to technology by region (Source: GIIC, 2000)
Region / phone lines per 1,000 / mobile phones / PCs per 1,000 / net hosts per 10k / GNP per capita
- European Union: 514 / 230 / 311 / 608.0 / $20,440
- United States: 661 / 256 / 459 / 1509.0 / $20,314
- Latin America and Caribbean: 123 / 45 / 34 / 15.0 / $6,340
- Europe and Central Asia: 200 / 23 / (not given) / (not given) / $5,510
- Middle East and North Africa: 81 / 8 / 10 / 0.4 / $4,630
- East Asia and the Pacific: 70 / 25 / 14 / 2.0 / $3,280
- South Asia: 19 / 1 / 3 / 0.2 / $1,940
- Sub-Saharan Africa: 5 / (not given) / (not given) / (not given) / $1,440
275 Internet Security Committees and Organizations
- SEI: Software Engineering Institute, Carnegie Mellon University
  - CERT: Computer Emergency Response Team
  - NSS: Network Systems Survivability
- FIRST: Forum of Incident Response and Security Teams
- ICSA: International Computer Security Association; independent, for-profit company
- US Government Agencies
  - NIST's CSRC: Computer Security Resource Clearinghouse
  - CSTC: Computer Security Technology Center
  - CIAC: Computer Incident Advisory Capability
  - FedCIRC: Federal Computer Incident Response Capability
  - Advanced Security Projects
  - Secure Systems Services
276 What is the difference between a protocol and a computer language?
- Protocols are agreed-upon methods of communicating and transmitting data between telecommunication devices.
- Computer languages focus on communicating with the computer and its operating system.
277 Internet Security Protocols and Languages
- Interoperability: the capability for applications running on different computers to exchange information and operate cooperatively.
- OSI (Open Systems Interconnection): the 1984 model for the standardization of data communication procedures that support interoperability
278 Figure 9-5 OSI model
Upper layers:
- Application layer
- Presentation layer
- Session layer
Lower layers:
- Transport layer
- Network layer
- Data link layer
- Physical layer
279 OSI Model Layers
- Application layer: connects the operating system to system and user applications
- Presentation layer: controls the syntax (format) of the data transferred (HTML)
- Session layer: establishes and maintains connections, checks packet integrity
- Transport layer: IP addresses determine the ultimate end node on the Internet
- Network layer: TCP controls the packet routing on the Internet; can be connection-oriented or connectionless
- Data link layer: controls data transmission from one computer to the next; can be connection-oriented or connectionless
- Physical layer: controls the transfer of bits from the computer to the telecommunications medium
280 The TCP/IP Protocol
- Works in the network and session layers
- Guarantees delivery of all data packets
- Is built into the UNIX operating system; Microsoft Windows interface: Winsock
- An IP address must be present for sender and receiver for TCP/IP to work
  - IPv4 is 32 bits, in 4 byte-sized sections
  - 3 classes for large, medium and small networks
  - 2 classes for special and experimental purposes
  - IPv6 has 126 bits to accommodate more hosts
- Domain names (Universal Resource Locators) help transform these streams of numbers into meaningful code: Disney.com
281 Figure 9-6 The IPv4 protocol
Order of bits in the 32-bit address, by class:
- Class A: leading bit 0, network identifier 7 bits, host identifier 24 bits (2^24 = 16,777,216 possible hosts)
- Class B: leading bits 10, network identifier 14 bits, host identifier 16 bits (2^16 = 65,536 possible hosts)
- Class C: leading bits 110, network identifier 21 bits, host identifier 8 bits (2^8 = 256 possible hosts)
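The bit layout in Figure 9-6 can be applied directly to a dotted-decimal address to recover its class, network identifier and host identifier. The following is an added example, not code from the textbook: it decodes the three network classes from the figure and recognizes the two special-purpose classes (leading bits 1110 for multicast and 1111 for experimental use) mentioned on the previous slide. Classful allocation was later superseded by CIDR, so the class describes only the address format, not how a present-day network is actually subnetted.

```python
"""Decode a classful IPv4 address into network and host identifiers."""

CLASSES = [
    # (leading bit pattern, number of leading bits, class, network bits, host bits)
    (0b0, 1, "A", 7, 24),
    (0b10, 2, "B", 14, 16),
    (0b110, 3, "C", 21, 8),
    (0b1110, 4, "D", None, None),   # special purpose (multicast)
    (0b1111, 4, "E", None, None),   # experimental
]


def parse_ipv4(addr: str) -> int:
    """Dotted decimal to a 32-bit integer, rejecting malformed input."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def classify_ipv4(addr: str) -> dict:
    """Split the address at the class boundary from Figure 9-6."""
    value = parse_ipv4(addr)
    first_octet = value >> 24
    for pattern, nbits, cls, net_bits, host_bits in CLASSES:
        # Compare only the leading nbits of the first octet with the pattern.
        if first_octet >> (8 - nbits) == pattern:
            break
    info = {"address": addr, "class": cls, "leading_bits": format(pattern, f"0{nbits}b")}
    if host_bits is None:
        # Classes D and E carry no network/host split.
        info.update(network_id=None, host_id=None, max_hosts=None)
    else:
        info.update(
            network_id=(value >> host_bits) & ((1 << net_bits) - 1),
            host_id=value & ((1 << host_bits) - 1),
            max_hosts=1 << host_bits,
        )
    return info


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.10", "224.0.0.1"):
        print(classify_ipv4(sample))
```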
282 Figure 9-7 IP address tracking
- A suspicious message is received and an investigation reveals the true IP address of the sender.
- A domain name service that maintains a list of registered domains determines that this message was sent by a business department server at Lehigh University, computer node 102.
- If Lehigh can track a specific computer assigned to node 102, then they can pinpoint the computer from which the message was sent.
- The address decomposes as: Lehigh University / business faculty server / 102 = individual computer node (so who was it?)
283 What are the common top level domain name extensions?
Top level domain names (managed by ICANN):
- .edu = higher education organizations
- .com = commercial organizations
- .net = network providers
- .org = nonprofit organizations
- .es, .uk, .ca, .de = countries (Spain, United Kingdom, Canada, Germany)
- .gov = government agency
New global top level domain names, under the Generic Top Level Domain Memorandum of Understanding (gTLD): .biz, .info, .name, .pro, .museum, .aero, .coop
284 What is Telnet? What is FTP?
- Both run on top of TCP/IP in the session layer
- Both allow remote access and activity
- Usually use a combination of user-id and password to enter the network
- Telnet allows remote terminal emulation and logins
- File Transfer Protocol (FTP) transfers files to and from a server: file uploads and downloads
285 What are NNTP, HTTP and HTTP 1.1?
- NNTP: Network News Transfer Protocol, for the news industry to transfer and search for articles on the Internet
- Hypertext Transfer Protocol (HTTP)
  - Basic WWW protocol: request/response
  - Runs on top of the TCP protocol in the presentation layer
  - Defines message formats and transmissions
  - Defines web server and browser commands
  - PEP (Protocol Extension Protocol) allows dynamic interactions for transaction-based applications
- HTTP 1.1: the next generation! RFC 2774
- S-HTTP (EIT): secures the message (lock at the bottom of your browser screen) and produces a digital signature
286 What are SGML and HTML?
- SGML: standard generalized markup language
  - Independent of hardware and software
  - Data encoding system that promotes data sharing by tagging data with: data, structure, format (look)
  - DTD: document type definitions are the rules for SGML
- HTML: hypertext markup language; encodes and recognizes documents
287 What is XML?
XML, eXtensible Markup Language (W3C):
- Allows customized tags: more flexible than HTML
- License-free, platform independent, well-supported
- Supports Web/EDI solutions
- A method for putting structured data into a text file that is not meant to be read as is
  - Uses the tags to delimit the data, leaving the interpretation of the data to the application that reads it
- Is a family of technologies: XLink, XFragments, XPointer
- Requires more bits than comparable binary formats
288 Figure 9.8 XML code
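Since XML only delimits the data and leaves its interpretation to the reading application, the checks that an EDI translator or a VAN would have performed (required fields present, quantities and prices sensible, no unexpected content) have to be written into the application that consumes a Web/EDI document. The following added example, not code from the textbook and not the listing Figure 9-8 refers to, validates a constructed XML purchase order before it would be handed to an order-entry system; the element names, attributes and the single supported currency are assumptions.

```python
"""Application-side validation of an XML purchase order."""
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed sample document; the layout is an assumption, not a standard.
SAMPLE_ORDER = """<?xml version="1.0"?>
<PurchaseOrder number="PO12345" date="2020-01-01">
  <Buyer>COMPANYX</Buyer>
  <Seller>COMPANYY</Seller>
  <Item sku="WIDGET-7">
    <Quantity>12</Quantity>
    <UnitPrice currency="USD">4.50</UnitPrice>
  </Item>
  <Item sku="GADGET-2">
    <Quantity>1</Quantity>
    <UnitPrice currency="USD">199.00</UnitPrice>
  </Item>
</PurchaseOrder>
"""

ALLOWED_ITEM_CHILDREN = {"Quantity", "UnitPrice"}
SUPPORTED_CURRENCY = "USD"


def validate_order(xml_text: str) -> dict:
    """Return {"ok", "errors", "total", "lines"}; "ok" is True only with no errors."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "errors": [f"not well-formed XML: {exc}"],
                "total": Decimal(0), "lines": 0}
    if root.tag != "PurchaseOrder":
        errors.append(f"unexpected root element {root.tag}")
    for attr in ("number", "date"):
        if not root.get(attr):
            errors.append(f"PurchaseOrder missing attribute {attr}")
    for required in ("Buyer", "Seller"):
        if root.findtext(required, "").strip() == "":
            errors.append(f"missing or empty {required}")

    total = Decimal(0)
    items = root.findall("Item")
    if not items:
        errors.append("order has no Item elements")
    for idx, item in enumerate(items, 1):
        label = f"Item {idx} ({item.get('sku') or 'no sku'})"
        if not item.get("sku"):
            errors.append(f"{label}: missing sku")
        unknown = {child.tag for child in item} - ALLOWED_ITEM_CHILDREN
        if unknown:
            # Silently ignoring unknown elements is how stray data reaches the application.
            errors.append(f"{label}: unexpected elements {sorted(unknown)}")
        qty_text = item.findtext("Quantity", "").strip()
        if not qty_text.isdigit() or int(qty_text) == 0:
            errors.append(f"{label}: Quantity must be a positive integer")
            continue
        price_el = item.find("UnitPrice")
        try:
            price = (Decimal(price_el.text.strip())
                     if price_el is not None and price_el.text else Decimal("NaN"))
        except InvalidOperation:
            price = Decimal("NaN")
        if price.is_nan() or price < 0:
            errors.append(f"{label}: UnitPrice must be a non-negative decimal")
            continue
        if price_el.get("currency") != SUPPORTED_CURRENCY:
            errors.append(f"{label}: unsupported currency {price_el.get('currency')}")
        total += int(qty_text) * price
    return {"ok": not errors, "errors": errors, "total": total, "lines": len(items)}
```

Decimal rather than float arithmetic keeps the computed order total exact, which matters when the total is later compared against an invoice produced by the trading partner's own system.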
289 What are DOM and DHTML? DOM: – object representation in a web pageScripting-language neutral Implementation-neutral interface Allows programs and scripts to access and dynamically change a document’s content, style and structure With cookies, delivers a personalized screen Specifications are found in OMG IDL: Object Management Group Interface Definition Language DHTML – allows different users to see different screens. Requires DOM to be able to make the changes
290 What is XHTML? XHTML: Provides a document type that can be shared across personal digital assistants, mobile phones, vending machines, desktops, and televisions. Allows simple content authoring.
291 What is Java? JAVA is a platform neutral object-oriented programming language, not a protocol Developed by SUN Microsystems in 1995 Platform neutral Benefit: runs anywhere Costs: less efficient in processing due to the additional processing layer and the need for a JAVA interpreter (termed the virtual machine), Portable: Write Once, Run Anywhere Supports GUIs and client/server applications Similar to C++ Hot Java – first Java- enabled web browser with “applets” MID: Sun’s wireless JAVA profile for PDAs and cell phones
292 Messaging (e-mail) ProtocolsBasic Mail Protocols: SMTP: Protocol to pass s from server to server on the Internet POP2: SMTP server to desktop “store + forward”: messages are downloaded periodically POP3: Newer version of POP2 without the need to have an SMTP server. s are downloaded, read, and discarded IMAP4: Remote file server: read the files from the server – no downloading ACAP: IMAP capabilities plus user preferences are stored on the server: great for traveling workers!
293 Security-Enhanced Mail ProtocolsX400 – Protocol that requires messages to pass through known, trusted carriers such as AT&T or MCI PEM – Privacy Enhanced Mail Protocol Origin authentication and Nonrepudiation, Message integrity and Confidentiality MIME – Multipurpose Internet Mail Extension protocol – allows multimedia MOSS – MIME Object Security Services Adds some security to MIME Allows ASCII and non-ASCII message formats
294 Security-Enhanced Mail Protocols (cont.)
S/MIME: alternative to MIME/MOSS; developed by RSA Data Security; based on public keys; adds digital signatures and encryption.
MSP: mail protocol of the US Government.
PGP (Pretty Good Privacy): developed by Philip Zimmermann; uses public key encryption technology. For individuals there is a free download available: go to MIT's web site for PGP v6.5.
295 Figure 9-11 Integration of S/MIME and MSP (diagram; labels only). System prior to integrating S/MIME and MSP: a DoD user's MSP message, secured with DoD's customized encryption algorithms, passes through a gateway computer that strips off the security, so the non-DoD user receives an unsecured message. System with S/MIME and MSP integrated: a merged MSP gateway computer checks the security against a repository of acceptable encryption algorithms, and the non-DoD user receives a secure message.
296 What are S-HTTP and SSL?
S-HTTP is a method of secure transmission: developed by a private organization, Enterprise Integration Technologies (EIT); uses encryption and produces a digital signature.
SSL (Secure Sockets Layer) creates a secure session with a web server: developed by Netscape; uses public and private key encryption; does not produce a digital signature; can be used with S-HTTP for enhanced security.
297 What is SET?
SET (Secure Electronic Transaction): uses public and private key encryption (DES and RSA); ensures confidentiality and integrity; authenticates both merchants and cardholders; is interoperable with other protocols. 13 European and 5 Asian countries have adopted SET; US companies use the SSL/S-HTTP combination.
298 History of SET
Two incompatible protocols were made: STT (Secure Transaction Technology), developed by Microsoft and Visa; SEPP (Secure Electronic Payment Protocol), developed by IBM, Netscape, GTE, CyberCash and MasterCard. SET is the new jointly created standard.
299 Figure 9-12 The role of SET in the electronic shopping experience (flow diagram; steps as labelled)
1. Cardholder browses through merchandise via some form of catalog.
2. Cardholder selects items to be purchased.
3. Cardholder fills in the order form, after possible price negotiation.
4. Cardholder selects the payment mechanism.
5. Cardholder gives order and payment instructions and digitally signs them.
6. Merchant requests payment authorization from the cardholder's financial institution.
7. Confirmation is sent by the merchant to the cardholder.
8. Merchant ships goods to the cardholder.
9. Merchant requests payment from the cardholder's financial institution.
Source: SET Specification, 1997
300 Comparison of Features: SSL vs. SET (table; only the cells legible on the slide are shown)
Feature | SSL | SET
Encryption of data during transmission? | Yes |
Confirmation of message integrity? | |
Authentication of merchant? | |
Authentication of consumer? | No* |
Transmission of specific data only on a "need to know" basis? | No |
Inclusion of bank or trusted third party in transactions? | No |
No need for merchant to secure credit card data internally? | |
* can be used in SSLv3
301 Mobile Protocols
Mobile devices include digital phones, pagers, and personal digital assistants. Mobile Internet access is used for e-mail, electronic payments and vending machine use.
WAP (Wireless Application Protocol): developed by Ericsson, Motorola, Nokia, and Unwired Planet. Challenges include: smaller display, limited memory, and slow processing; HTML tags do not all translate well to the small screens; transmission security is a huge concern.
WML (Wireless Markup Language) has been developed to overcome some of these challenges.
WTLS (Wireless Transport Layer Security) specification adds security through encryption and authentication.
302 Implications for the Accounting Profession: accountants need to understand Internet protocols to be able to evaluate a client's information system reliability and security, and need to become more active in Internet standard-setting processes.
304 Chapter 10 Cryptography and Authentication
305 Cryptography and Authentication: Security Issues; Encryption Techniques, Key Infrastructures and Key Management; Digital Signature Technology; Role of Certificate Authorities in Key Management; Implications for the Accounting Profession
306 What does the Electronic Signatures in Global and National Commerce Act do? It clarifies the legal validity of electronic contracts, signatures, notices, and other records; allows contracting parties to choose the technology they want to use for authenticating their transactions without government intervention; provides entrepreneurs with the legal certainty they need to trust their e-businesses; and gives on-line consumers the same legal protections as off-line consumers.
307 What are the 5 security services that ensure reliable, trustworthy transmission of business messages? Confidentiality, Integrity, Nonrepudiation, Authentication, and Authorization (Access Control).
308 Figure 10-1 Primary security issues, objectives and techniques (table)
Security | Objective | Techniques
Confidentiality | Privacy of message | Encryption
Message integrity | Detecting message tampering | Hashing (digest)
Authentication | Origin verification | Digital signatures; challenge-response; passwords / biometrics
Non-repudiation | Proof of origin, receipt, and contents (sender cannot falsely deny sending or receiving the message) | Bi-directional hashing; digital signatures; transaction certificates; time stamps, confirmations
Access controls | Limiting entry to authorized users | Firewalls, passwords; biometric devices
309 What is Confidentiality? Confidentiality refers to the unavailability of a message to non-authorized readers. On the Internet, that involves making the message uninterpretable by others, usually through encryption.
310 What is Integrity? Integrity refers to the confidence that the contents of the message received are exactly the same as the contents of the message sent by the sender. Verification of integrity involves both the sender and the receiver calculating a hash total of the message and comparing the results, similar to a check-sum digit. SHA-1 (Secure Hash Algorithm 1) is the only ISO/ANSI accredited standard hashing algorithm.
311 What is Authentication?
Authentication refers to the confidence that the message received really came from who the sender claims to be. For Internet messages, authentication involves showing one, two or three of the following factors: something only you have (token); something only you know (PIN); something only you are (fingerprints or signature).
Common authentication measures include: tokens, digital signatures, biometric devices, challenge-response systems, bi-directional digests, one-time passwords, transaction certificates and smart cards.
312 What is Nonrepudiation? Repudiation refers to the ability to refuse to accept an obligation. Nonrepudiation eliminates the ability of a party to refuse to accept or acknowledge that a communication or transaction has occurred. Nonrepudiation involves: proof of origin (sender authentication); proof of receipt (recipient authentication); proof of content in a dispute (message integrity).
313 What are Access Controls? Access controls refer to restricting unauthorized parties from entry to data sharing. Common access controls include passwords, authentication controls, and firewalls.
314 Encryption Techniques
Encryption is the transformation of data, via a one-way mathematical function, into a form that is unreadable by anyone who does not possess the appropriate key.
Key: binary code used to transform the data. Cleartext: message in readable form. Ciphertext: encrypted message.
315 What determines cryptography strength? Security application and platform quality; the cryptographic algorithm; the length of the key (direct relationship to strength of security: longer is better); the protocol used to generate/manage the keys; private key storage.
316 What is symmetric encryption?
Common secret key: so how do you share it? Fast speed and difficult to crack. Based on stream and/or block methods.
Single DES: developed by IBM in 1977; 56-bit key. Scrambles a 64-bit block once and then divides it into two; scrambles each half 16 times, and then applies the inverse of the original scramble. Can be cracked in less than a day.
Triple DES: encrypts-decrypts-encrypts with 2 keys.
NIST's new standard: AES, with 128, 192 and 256-bit keys; "Rijndael" was the winner of the international competition.
317 Single symmetric encryption method (diagram): the sender encrypts the cleartext message into an encoded message and the receiver decrypts it, both using identical keys.
318 Triple symmetric encryption method (diagram): the cleartext message passes through three stages (encoded, double, triple) using key A and key B before being transmitted; the receiver reverses the three stages to recover the cleartext.
319 Other symmetric encryptions
Skipjack: National Security Agency (NSA); 80-bit key; placed on the Clipper Chip; "split-key" requiring two authorized escrow parties to provide a password in order to recover the escrowed key.
RSA Data Security's RC2, RC4, RC5, RC6: both block and stream ciphers are used; key lengths can vary from 0 to 2,048 bits, blocks can vary from 32 to 128 bits, and scrambling rounds from times. RC6 finished in the top 5 finalists in the international competition in the year 2000. Chapter 10 Appendix A explains this algorithm.
320 What is asymmetric encryption?
1976: Stanford's Diffie-Hellman algorithm. The sender and receiver generate a shared secret key over an insecure telecommunications line. Each party determines a secret value and applies a function to create a derived value, which is shared. No party shares their secret value, so no party has all four pieces of information. The algorithm creates a common secret key from a combination of the private and the shared information. Downfall: vulnerable to man-in-the-middle attacks.
321 Figure 10-4 Diffie-Hellman public key cryptography (flow diagram; steps as labelled). Sender: determine secret value a; calculate public value A; make public value A available; retrieve public B; compute the shared secret key. Receiver: determine secret value b; calculate public value B; make public value B available; retrieve public A; compute the shared secret key. Identical keys are generated on both sides and used to encrypt the cleartext message and decrypt the transmitted encoded message.
322 Figure 10-5 Man-in-the-middle attack on public key cryptography (flow diagram; steps as labelled). The masquerader determines secret value z and replaces public A and public B with Z as they are communicated. The sender computes a key from a and Z; the receiver computes a key from b and Z; the masquerader computes Key(z,A) and Key(z,B). Each end therefore shares an identical key with the bad guy rather than with the other end, and the bad guy can read and alter the cleartext.
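Figures 10-4 and 10-5 carried through in code, as an added example (not from the textbook): an honest Diffie-Hellman exchange yields identical keys on both sides, and the substitution of both public values by a masquerader yields keys that each end shares with the masquerader instead. The group parameters are a constructed toy (the Mersenne prime 2**127 - 1 with generator 3); real deployments use standardised 2048-bit or larger groups, or elliptic-curve groups. The fingerprint check at the end is the usual defence: the substitution is only detectable if the public value received can be compared with one confirmed out of band, for example a value bound to a certificate.

```python
"""Diffie-Hellman key agreement and the man-in-the-middle substitution.
Added illustration; toy parameters constructed for the example."""
import hashlib
import secrets

P = 2**127 - 1   # toy modulus: a Mersenne prime (constructed for this example)
G = 3            # toy generator


def make_keypair(p=P, g=G):
    """Determine a secret value and calculate the public value g^secret mod p."""
    secret = secrets.randbelow(p - 3) + 2          # 2 <= secret <= p - 2
    return secret, pow(g, secret, p)


def shared_key(my_secret, their_public, p=P):
    """Compute the common key from my secret and the other side's public value."""
    return pow(their_public, my_secret, p)


def fingerprint(public_value):
    """Short digest of a public value, suitable for comparison out of band."""
    return hashlib.sha256(public_value.to_bytes(16, "big")).hexdigest()[:16]


def honest_exchange():
    """Figure 10-4: both parties end with identical keys; no secret value travels."""
    a, A = make_keypair()
    b, B = make_keypair()
    return shared_key(a, B), shared_key(b, A)


def mitm_exchange():
    """Figure 10-5: the masquerader picks z and replaces both public values with Z.

    Returns the keys each party actually holds, plus the outcome of the
    fingerprint check the sender could perform if B were known out of band."""
    a, A = make_keypair()        # sender
    b, B = make_keypair()        # receiver
    z, Z = make_keypair()        # masquerader
    return {
        "sender_key": shared_key(a, Z),             # sender used Z believing it was B
        "receiver_key": shared_key(b, Z),           # receiver used Z believing it was A
        "mitm_key_with_sender": shared_key(z, A),   # Key(z, A)
        "mitm_key_with_receiver": shared_key(z, B), # Key(z, B)
        # Defence: the value received (Z) does not match the expected fingerprint of B.
        "fingerprint_matches": fingerprint(Z) == fingerprint(B),
    }
```

The unauthenticated exchange cannot tell the two runs apart from the inside: every pow() succeeds and every party holds a working key. Only the comparison against an authenticated public value (a signature over it, or a certificate as in Figures 10-13 and 10-14) turns the substitution into a detectable failure.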
323 What are public-private key pairs? A combination of public and private key characteristics; uses a one-way function with a trap door (key); usually involves factoring products of large prime numbers; easy to perform in one direction, but time consuming in the other direction. Party A gives their public key to Party B and keeps their Party A private key; Party B gives their public key to Party A and keeps their Party B private key. RSA is a well-known key pair technology.
324 Figure 10-6 Key pairs used to provide confidentiality (diagram): the student encrypts a reading of Penelope's medical condition with the professor's public key; the encoded message is transmitted; the professor decrypts it with the professor's private key. Confidentiality without origin authentication.
325 Figure 10-7 Key pairs used to authenticate sender (diagram): the professor encrypts a meeting request with the professor's private key; Penelope decrypts it with the professor's public key and reads the request. Origin authentication, because only the professor has the professor's private key.
326 Figure 10-8 Double key pairs used to provide confidentiality and authentication of sender (diagram): the professor, sending Penelope's grade, encrypts with the professor's private key and then with Penelope's public key; Penelope decrypts with her private key and then with the professor's public key and reads her grade. Origin authentication and confidentiality, but way too slow.
327 Figure 10-9 Solution: symmetric and key pair combination (diagram): the sender generates a random DES key, encrypts the clear text with it, and encrypts the DES key with the recipient's public key; the receiver decrypts the DES key with the recipient's private key and then decrypts the DES-encoded message to recover the clear text.
328 Let's recap the top 5 message security services: confidentiality; authentication of sender; authentication of receiver; message integrity; non-repudiation.
329 What are Digital Wrappers? Digital wrappers are encryption that envelopes and seals a digital asset (digital music, software, digital books) against unauthorized access. Wrappers can be engineered to decrypt once, as many times as the owner decides, or over a period of time.
330 What is Elliptic Curve Cryptography (ECC)? ECC is a one-way elliptic-curve discrete logarithm function (more difficult to solve than the algorithm RSA currently uses). Smaller key size, so faster processing: a 160-bit key offers the same security as RSA's 1,024-bit key. Great for smaller memory and processing devices such as cell phones and PDAs. RSA has a patent for creating interoperability between two competing but incompatible ECC methods.
331 What are Integrity Checks? Integrity checks are designed to be a detective control to verify that a message has not changed without authorization of the sender. Integrity checks are typically hash digests. Hash digests are mathematical representations of the message that have the following characteristics: similar to an accounting check-sum control; the full data set cannot be reproduced from the hash; no two data sets will result in the same hash; used to determine if a message has been altered; can be used with encrypted and nonencrypted data.
332 What are Digital Signatures? Digital signatures are message digests (hashes) that are encrypted with the sender's private key. Digital signatures bind the message origin to the exact contents of the message and establish sender authentication and message integrity (nonrepudiation). Current standards: NIST's DSA (Digital Signature Algorithm) (FIPS 186); X rDSA (Reversible Digital Signature Algorithm); X9.62 ECDSA (Elliptic Curve Digital Signature Algorithm).
333 What are one-time pads? The original one-time pad was created by Gilbert Vernam in 1917, where the key was the same length as the message. Lyman Morehouse solved this key length problem by using 2 shorter keys which together equal one longer key. These algorithms are unbreakable because there is no "back-door". Chapter 10 Appendix B explains the XOR algorithm used in one-time pads.
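Vernam's XOR one-time pad in code, as an added example (not the textbook's Appendix B): encryption and decryption are the same XOR, the pad must be random and at least as long as the message, and the failure mode that matters in practice is shown alongside: two messages encrypted under the same pad cancel the pad out, so knowledge of one message reveals the other at the same positions. The two sample plaintexts are constructed.

```python
"""Vernam one-time pad (XOR) with the pad-reuse failure mode.
Added example; sample plaintexts are constructed."""
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings (truncates to the shorter)."""
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh pad: truly random and at least as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad; the pad must cover the whole message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse, so decryption is the same operation


def pad_reuse_leak(ciphertext_1, ciphertext_2):
    """If one pad protects two messages, C1 XOR C2 = P1 XOR P2: the pad cancels out."""
    return xor_bytes(ciphertext_1, ciphertext_2)


def recover_other_plaintext(p1_xor_p2, known_plaintext):
    """Anyone who knows (or guesses) one message recovers the other from the leak."""
    return xor_bytes(p1_xor_p2, known_plaintext)


def demo():
    """Round trip with a fresh pad, then the consequence of reusing that pad."""
    p1 = b"TRANSFER 1000 TO ACCT 42"   # constructed sample message 1
    p2 = b"TRANSFER 9999 TO ACCT 07"   # constructed sample message 2 (same length)
    pad = new_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)         # the mistake: one pad, two messages
    leak = pad_reuse_leak(c1, c2)
    return {
        "round_trip_ok": otp_decrypt(c1, pad) == p1,
        "leak_is_plaintext_xor": leak == xor_bytes(p1, p2),
        "recovered_p2": recover_other_plaintext(leak, p1),
    }
```

The "unbreakable" property on the slide holds only while each pad byte is used exactly once; the demo() result shows that a reused pad yields the second message in full from the first, without any key recovery at all.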
334 Figure 10-12 Encryption techniques providing message integrity, authentication and confidentiality (diagram): the sender calculates a digest of the clear text and signs it with the sender's private key, encrypts the clear text with a random DES key, and encrypts the DES key with the recipient's public key; the receiver decrypts the DES key with the recipient's private key, decrypts the encoded message, re-calculates the digest and verifies it with the sender's public key.
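Figures 10-9 and 10-12 carried through end to end, as an added example that is not code from the textbook or from any product: digest, signature with the sender's private key, random session key, session key wrapped with the recipient's public key, and the receiver's unwrapping, decryption and digest verification. Everything cryptographic in it is a constructed stand-in: the RSA moduli are products of well-known Mersenne primes (so these keys are public knowledge and usable only for illustration), RSA is applied "textbook style" without padding, and a SHA-256 keystream XOR stands in for DES/AES. The structure of the exchange is the point, not the primitives.

```python
"""Sealed message: digest + signature + session key + wrapped key (Figure 10-12).
Added example; toy keys and toy symmetric cipher constructed for illustration."""
import hashlib
import secrets

E = 65537  # RSA public exponent


def toy_rsa_keypair(p, q):
    """Return (public, private) keys for the toy modulus n = p*q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(key, value):
    """Raw modular exponentiation: used for both signing and key wrapping here."""
    exponent, n = key
    return pow(value, exponent, n)


# Constructed toy key pairs built from Mersenne primes (never use such keys).
SENDER_PUB, SENDER_PRIV = toy_rsa_keypair(2**127 - 1, 2**521 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = toy_rsa_keypair(2**107 - 1, 2**607 - 1)


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def seal(message, sender_priv, recipient_pub):
    """Sender side of Figure 10-12."""
    digest = hashlib.sha256(message).digest()                             # calculate digest
    signature = rsa_apply(sender_priv, int.from_bytes(digest, "big"))    # sign with sender's private key
    session_key = secrets.token_bytes(32)                                 # random session ("DES") key
    wrapped_key = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))  # key encrypted with recipient's public key
    return {
        "ciphertext": keystream_xor(session_key, message),               # encoded message
        "wrapped_key": wrapped_key,
        "signature": signature,
    }


def open_envelope(envelope, recipient_priv, sender_pub):
    """Receiver side: returns (message, signature_valid)."""
    session_key = rsa_apply(recipient_priv, envelope["wrapped_key"]).to_bytes(32, "big")
    message = keystream_xor(session_key, envelope["ciphertext"])
    recalculated = hashlib.sha256(message).digest()                      # re-calculate digest
    recovered = rsa_apply(sender_pub, envelope["signature"])             # sender's public key undoes the signature
    return message, recovered == int.from_bytes(recalculated, "big")


def tamper(envelope):
    """Flip one ciphertext byte, as an in-transit modification would."""
    ct = bytearray(envelope["ciphertext"])
    ct[0] ^= 0x01
    return {**envelope, "ciphertext": bytes(ct)}
```

Two outcomes are worth checking against the slide's claims: a single flipped ciphertext byte changes the decrypted message, so the recalculated digest no longer matches the signed one (integrity), and a signature produced under any key other than the sender's fails verification with the sender's public key (origin authentication). Confidentiality rests on the wrapped session key, which only the holder of the recipient's private key can unwrap.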
335 Information on digital certificates (some have free products!): Baltimore Technologies; GlobalSign (partnership with VeriSign); Thawte; VeriSign; RSA Security.
336 What are some good encryption practices? Password length, complexity, and maintenance; key length: at least 64 bits; key management policies; compressed files: compress, then encrypt; message contents: if the message might be guessed, add meaningless characters.
337 What is a public key infrastructure (PKI)? PKIs are systems that manage key pairs, verify key holders/users and issue digital certificates. Certification Authority (CA): issues/revokes key certificates; publishes certificate revocation lists (CRLs). Registration Authority (RA): registers and attests to CAs on the identity of CA users. Certificate Repository (CR): public database holding certificates and CRLs.
338 What is a certification authority? Certification authorities issue certificates (various grades of certificates); link users to their public keys, and sometimes to their private keys; verify the identities of the key users; manage key pairs (various methods exist). The industry standard is ITU-T X.509; ISO will soon replace the current standard.
339 Certificate authority interaction (diagram; steps as numbered): 1. Customer interest in an Internet merchant bearing a certificate. 2. The storefront is verified with the certificate authority. 3. Sharing of purchase information. 4. The customer is verified with the certificate authority.
340 Figure 10-13 X.509 version 3 certificate format (field list as labelled). To-be-signed certificate: Version; Serial Number (counter of certificates issued by this CA); Signature Algorithm Identifier (Object ID, Optional Parameters); Issuer (CA's DN); Validity Time Period; Subject (User DN); Subject Public Key Info; Extensions (each with Object ID, Criticality Flag, Value). The CA's signature covers the to-be-signed certificate. DN = Distinguished Name.
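The checks a relying party performs before accepting a certificate with the fields of Figure 10-13, as an added example; it is not code from the textbook or from any PKI product. Plain dictionaries stand in for the ASN.1 structure; the trusted CA name, the sample certificate and the CRL (the list the CA publishes, per the PKI slide) are constructed, and the CA signature check is passed in as a callback so that the issuer, validity period, CRL and critical-extension checks stay visible.

```python
"""Relying-party acceptance checks on an X.509 v3 certificate (Figure 10-13).
Added example; all values constructed."""

TRUSTED_CA_DN = "CN=Example Public CA, O=Example Corp"     # constructed CA distinguished name
KNOWN_EXTENSIONS = {"keyUsage", "basicConstraints"}         # extensions this verifier understands

SAMPLE_CERT = {  # constructed; field names follow Figure 10-13
    "version": 3,
    "serial_number": 1042,                       # counter of certificates issued by this CA
    "signature_algorithm": {"object_id": "sha256WithRSAEncryption", "parameters": None},
    "issuer": TRUSTED_CA_DN,                     # CA's DN
    "validity": ("2024-01-01", "2025-01-01"),    # validity time period as ISO dates
    "subject": "CN=Penelope, O=Example University",   # user DN
    "subject_public_key_info": {"algorithm": "rsaEncryption", "key": "<public key bytes>"},
    "extensions": [
        {"object_id": "keyUsage", "critical": True, "value": ["digitalSignature"]},
        {"object_id": "basicConstraints", "critical": True, "value": {"ca": False}},
    ],
}

SAMPLE_CRL = {TRUSTED_CA_DN: {1040, 1041}}   # constructed: serial numbers revoked by this CA


def check_certificate(cert, today, crl, signature_ok, trusted_ca=TRUSTED_CA_DN):
    """Return the reasons to reject the certificate; an empty list means accept.

    today is an ISO date string, so the validity comparison is a plain
    string comparison; signature_ok(cert) is the CA signature check."""
    problems = []
    if cert["version"] != 3:
        problems.append("unsupported certificate version")
    if cert["issuer"] != trusted_ca:
        problems.append("issuer is not a trusted CA")
    not_before, not_after = cert["validity"]
    if not (not_before <= today <= not_after):
        problems.append("outside validity time period")
    if cert["serial_number"] in crl.get(cert["issuer"], set()):
        problems.append("serial number is on the issuer's CRL")
    for ext in cert["extensions"]:
        # Criticality flag: an extension marked critical that the verifier does
        # not understand must cause rejection, not be skipped silently.
        if ext["critical"] and ext["object_id"] not in KNOWN_EXTENSIONS:
            problems.append("unrecognised critical extension " + ext["object_id"])
    if not signature_ok(cert):
        problems.append("CA signature does not verify")
    return problems


def always_valid_signature(cert):
    """Stand-in for the real CA signature verification (assumed to pass here)."""
    return True
```

The order of the checks does not matter, but their completeness does: a certificate that is well signed yet expired, revoked, or carrying an unknown critical extension is still not acceptable, which is why the function collects every reason rather than stopping at the first.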
341 What would you want to know before engaging a CA? Certification practice statement (CPS): states CA organizational policies. Certificate policy (CP): states authorized uses of certificates; explains application processes; explains key management processes.
342 Figure 10-14 General certification authority, scenario A (diagram): a public certificate authority provides key generating software, verifies the individual, issues the certificate, and maintains the public key and certificate; the individual generates their own key pair, keeps the private key, and provides proof of identification.
343 Figure 10-14 General certification authority, scenario B (diagram): a private certificate authority run by the customer or trading partner provides key generating software, verifies the individual, generates key pairs for employees, escrows employees' private keys, issues certificates, sends the private key and certificate to the employee, and maintains public keys and certificates; the employee provides proof of identification, may generate their own key pair, and keeps the private key.
344 Figure 10-14 General certification authority, scenario C (diagram): a public certificate authority verifies individuals and certificates, provides key generation software and criteria for certificates, and maintains public keys and certificates; the customer's or trading partner's private certificate authority provides individual user identification, public keys and certificates to the public authority, verifies the individual, generates key pairs for employees, escrows their private keys, issues certificates, sends the private key and certificate to the employee, and maintains public keys and certificates; the employee provides proof of identification, may generate their own key pair, and keeps the private key.
345 What does key management involve? Key generation; key registration; key escrow and recovery; key pair / encryption pair; key updates and replacement; key revocation and destruction.
346 Additional Authentication Methods
One-time passwords; smart cards; two-factor identification; biometrics.
Challenge-response: valid password/thumbprint provided; calculation of the current password by smartcard/token; display of the current password; entry of the current password by the user; authentication by the host computer using all three data.
347 Implications for the Accounting Profession: accountants need skills to understand confidentiality, message integrity, authentication, nonrepudiation, access controls, and internal control and risk analysis.
349 Chapter 11 Firewalls
350 Firewalls: Firewalls Defined; TCP/IP and Open Systems Interconnect; Components and Typical Functionality of Firewalls; Personal Firewalls; Network Topology and Demilitarized Zones; Securing the Firewall; Factors to Consider in Firewall Design; In-House Solutions versus Commercial Security Software; Limitations of the Security Prevention Provided by Firewalls; Implications for the Accounting Profession
351 What are firewalls?
Firewalls are a system, or a group of systems, that enforces an access control policy between two networks. Firewalls should have the following characteristics: all traffic in either direction should be tested by the firewall; only authorized traffic as defined by the local security policy is allowed to pass through it; the firewall system is immune to penetration (Cheswick and Bellovin, 1994).
From the 2000 CSI/FBI study: 58% of companies had security incidents from outside perpetrators; 59% reported that their Internet connection was a frequent point of attack; 78% reported the use of firewalls.
352 Transmission Control Protocol/Internet Protocol (TCP/IP): the TCP/IP stack includes the physical/network layer, IP layer, transport layer and application layer. The TCP/IP stack involves interfaces with hardware, operating systems and applications.
353 TCP/IP Stack: Physical/Network Layer. Accepts packets and transmits them over the network, mapping each computer's network interface card (NIC) to a programmed IP address. Physical networking protocols include Ethernet, Token Ring, Fiber Distributed Data Interface, etc. Logical networking protocols include Address Resolution Protocol and Reverse Address Resolution Protocol.
354 TCP/IP Stack: IP Layer. Routes packets across the network, choosing the fastest path. Protocols include Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), etc.
355 TCP/IP Stack: Transport Layer. Manages the virtual session between the two computers: receives packets, organizes them, and sends acknowledgements (ACK) back to the sender, asking for any lost packets. Manages the transmission/reception of User Datagram Protocol (UDP) packets.
356 TCP/IP Stack: Application Layer. Manages the networking applications, formatting data for transmission on the network. For example, Universal Resource Locator (URL) hyperlinks involve the HTTP and HTML protocols.
357 Figure 11-1 TCP/IP and OSI models (layer correspondence)
TCP/IP stack | OSI model
Application | Application, Presentation, Session
Transport | Transport
Internet (IP) | Network
Network Interface | Data Link, Physical
358 What are the inherent security risks of the Internet? TCP hijacking, IP spoofing, and network sniffing. Businesses need to examine the security procedures used by their Internet Service Providers (ISPs).
359 What are the categories of firewalls? Static firewalls: default permit or default deny. Dynamic firewalls: allow both permit and deny to be established for a given time period; require more maintenance; provide more flexibility.
360 What are the components of firewalls? Chokes: limit the flow of packets between networks; the decision to pass or block depends on the rules set up by the firewall administrator. Gates: control point for external connection, similar to a gateway server. Proxy servers: take the place of other servers to allow access authorization testing.
361 Figure 11-2 Gates, chokes, and default deny filtering (diagram): mixed SMTP, FTP, TELNET and HTTP packets from the Internet pass the choke and then the gate, where application-level filtering applies the rule "deny everything except FTP and TELNET"; FTP and TELNET packets reach the corporate internal network, and the SMTP and HTTP packets are rejected.
362 Firewalls: Typical Functionality. Packet filtering (chokes and gates); network address translation; graphical administration; application-level proxies; stateful inspection; virtual private networks; real-time auditing and monitoring.
363 Packet Filtering. Packet filtering can be performed by a router, a firewall, or both. Transport-level filtering (routers) verifies authorization for the destination network or host addresses and the destination transport connection point. Granularity is the level of detailed filtering provided. Proxies are used to control network traffic at the application level. Traffic filtering is also available at the IP and transport layers.
364 Application-based filtering (firewall) versus packet filtering (routers), by TCP/IP layer (diagram)
Application layer: HTTP, the desired program: application-based filtering by the firewall.
Transport layer: TCP or UDP, provides the connection: packet filtering by routers.
Network layer: IP, locates the destination IP address and routes the message: packet filtering by routers.
Link layer: Ethernet, physical devices.
365 What is IP Spoofing? IP spoofing occurs when an attacker disguises his or her originating host server or router as that of another host or router. Filtering rules that deny external network packets that originate from internal addresses are preventive controls; audit logs are detective controls.
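The default-deny filtering of Figure 11-2 together with the anti-spoofing rule of the IP spoofing slide, written as an added example rather than the textbook's or any vendor's code. Rules are evaluated first match wins, a packet that matches no rule is denied, and denied packets are written to an audit log (the detective control). The interface names, the 10.0.0.0/8 internal range, the 203.0.113.0/24 outside addresses and the packets are constructed samples.

```python
"""Static default-deny packet filter with an anti-spoofing rule.
Added example; addresses and traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed corporate internal address range


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    comment: str
    iface: Optional[str] = None      # None means "any"
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (
            (self.iface is None or pkt.iface == self.iface)
            and (self.src_net is None or ip_address(pkt.src) in ip_network(self.src_net))
            and (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
        )


RULES = [
    # Anti-spoofing: nothing arriving from outside may claim an internal source address.
    Rule("deny", "spoofed internal source on external interface", iface="ext", src_net=str(INTERNAL_NET)),
    # Figure 11-2: deny everything except FTP and TELNET.
    Rule("permit", "FTP from outside", iface="ext", proto="tcp", dport=21),
    Rule("permit", "TELNET from outside", iface="ext", proto="tcp", dport=23),
    # Anything else falls through to the implicit default deny below.
]


def filter_packet(pkt, rules=RULES):
    """Return (decision, reason) for one packet under first-match evaluation."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no matching rule"


def filter_packets(packets, rules=RULES):
    """Apply the rules to a stream; denied packets go to the audit log."""
    passed, audit_log = [], []
    for pkt in packets:
        decision, reason = filter_packet(pkt, rules)
        if decision == "permit":
            passed.append(pkt)
        else:
            audit_log.append(f"DENY {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} on {pkt.iface} ({reason})")
    return passed, audit_log


SAMPLE_PACKETS = [   # constructed sample traffic arriving from the Internet side
    Packet("ext", "203.0.113.5", "10.0.0.20", "tcp", 21),   # FTP: permitted
    Packet("ext", "203.0.113.5", "10.0.0.20", "tcp", 23),   # TELNET: permitted
    Packet("ext", "203.0.113.9", "10.0.0.20", "tcp", 25),   # SMTP: default deny
    Packet("ext", "203.0.113.9", "10.0.0.20", "tcp", 80),   # HTTP: default deny
    Packet("ext", "10.0.0.7", "10.0.0.20", "tcp", 21),      # FTP with a spoofed internal source: denied
]
```

The order of RULES is part of the policy: the anti-spoofing deny sits first so that a spoofed packet can never be rescued by a later permit on its port, and the absence of any catch-all permit is what makes the filter default deny.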
366 Network Address Translation. Corporations save money on IP addressing costs by reassigning temporary Internet-unique IP addresses to outgoing sessions. This method also prevents external parties from learning about internal network structures.
367 Application Level Proxies. Redundant services that test the request before performing it. May require users to authenticate themselves before the packets are analyzed. The proxy server then establishes a session with the desired web address and requests the same file(s) as the user request. The firewall tests for viruses and risky Java applets before passing the information to the user.
368 Stateful Inspection. Compares each packet to a state table. Tracks inbound/outbound connections; authorized connections are recorded in the state table. Subsequent, identical connections are allowed without repeated authorization processes. Virus scanning and Java program scanning are more difficult than with application-level proxies.
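Stateful inspection as an added example (not textbook or vendor code): outbound connections from the internal network are recorded in a state table, and inbound packets are permitted only when they belong to a recorded connection, so unsolicited inbound traffic is denied without any rule naming it, and idle entries are expired so the table cannot grow without bound. The 10.0.0.0/8 inside range, the idle timeout and the packets (with a simple integer clock) are constructed.

```python
"""Stateful inspection: a state table keyed by connection 5-tuple.
Added example; addresses, timeout and traffic are constructed."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10."       # constructed: 10.0.0.0/8 is the inside network
IDLE_TIMEOUT = 300            # seconds an unused entry stays in the state table


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    time: int     # seconds on a constructed clock


class StatefulFirewall:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        # key: (proto, inside addr, inside port, outside addr, outside port) -> last seen
        self.table = {}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _inside(addr):
        return addr.startswith(INTERNAL_PREFIX)

    def _expire(self, now):
        stale = [key for key, seen in self.table.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.table[key]

    def inspect(self, pkt):
        """Return 'permit' or 'deny' for one packet, updating the state table."""
        self._expire(pkt.time)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: record the connection so that its replies are recognised.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.table[key] = pkt.time
            return "permit"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            # Inbound: allowed only as the reply leg of a recorded connection.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                self.table[key] = pkt.time     # refresh last-seen
                return "permit"
            return "deny"                      # unsolicited inbound
        return "deny"                          # anything else is outside this example's policy


def run_sample():
    """Four constructed packets exercising the table: record, reply, unsolicited, expired."""
    fw = StatefulFirewall()
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, "tcp", 0),      # outbound web request: recorded
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "tcp", 1),      # reply: matches the entry
        Packet("198.51.100.7", 4444, "10.0.0.5", 22, "tcp", 2),       # unsolicited inbound: denied
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "tcp", 900),    # reply after the idle timeout: denied
    ]
    return [fw.inspect(p) for p in traffic]
```

Compared with the static filter, no inbound permit rule exists at all; what is permitted inbound is decided entirely by what the inside initiated. The timeout matters for the same reason: an entry that never expires would keep a door open long after the session that justified it has gone.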
369 Virtual Private Networks (VPNs). Create a secure "tunnel" through untrusted networks. Usually requires the download of client software to the remote user's machine. The connection is secured and authenticated through encrypted messages. Lower cost when compared to leased, private lines. Standard and Poor's example.
370 Real-Time Monitoring and Intrusion Detection Systems. Provide robust auditing and monitoring capabilities. Can send emergency signals to the firewall administrator when a pre-determined threshold of denied access attempts occurs. Denied requests are logged and analyzed. Intrusion detection systems (IDS) focus on identifying outsider scanning of ports. 50% of companies currently use IDS devices.
371 Personal Firewalls. Free firewalls: Zonealarm.com; Sygate at zdnet.com. Personal firewall functionality: programmable times for denying Internet access; port probing monitors with reports; ability to deny services from remote users; tracking of all Internet connections; ability to filter out requests stemming from denial of service and Trojan horse-type attacks.
372 Network Topology. Network topology refers to the physical architecture of a network system. Server firewalls should not be the ONLY filtering control between internal and external networks; router filtering should also be utilized. Network topology affects network performance.
373 Network topology (diagram): Internet, router, firewall system, corporate internal network made up of Ethernet segments.
374 What is a Demilitarized Zone (DMZ)? A DMZ is a sub-network that is located between the internal system and the external network. DMZs increase the cost of the firewall system and slow the processing time. Access is controlled but not prevented by firewall technology. A DMZ can lie between two firewalls, or off a separate segment from one firewall, and can also host e-commerce servers, web servers, FTP servers, etc. Traffic that originates from the DMZ and is destined to internal systems should be limited and controlled.
375 Demilitarized zone (diagram): Internet; filter (Internet access router); gateway systems in the demilitarized zone; filter (bastion host); corporate internal network.
376 Securing the Firewall: Policy. Network security access policy: a high-level policy of the network security services allowed must be defined, as well as how they may be used; the processes that must be taken to make changes to rule bases must be determined; the processes for acceptable exceptions to policy, and the supporting documentation necessary, must be determined. Firewall design policy: addresses how the denied services will be restricted and how the allowed services will be permitted.
377 Securing the Firewall. Firewall security should include the following: firewall policy; firewall administration; firewall services; internal firewalls; authentication (individual-level controls); operating system controls.
378 Examples
Computer resources security policy: floppy disk and hard drive back-up; shredding of printed, unclaimed, sensitive documents; virus scanning software.
Network service access policy: general rule: deny access to a specific host computer from internal addresses; exception: allow selected internal users using strong authentication devices to access this system next Wednesday from PM.
Firewall design policy: how will requests be directed to a specific site? How will FTP PUT commands be restricted?
379 Securing the Firewall: Policy Generation. The order of policy formation is important: start with the computer resources policies; then design the network service access policies, clearly stating the procedures for exceptions to be qualified and authorized; then design the firewall policies: how denied services will be restricted and how permitted services will be allowed.
380 Securing the Firewall: Administration. The 1998 CSI/FBI study reported mismanagement as the number 1 reason for firewall breaches: 93% due to firewall weakness and mismanagement. Rule bases should be periodically reviewed. Administration procedures should be documented and followed. The number of administrator accounts should be limited and one-time passwords used.
381 Securing the Firewall: Services. Only approved vendor software should be used. Unnecessary and potentially dangerous services should not be used. TELNET and FTP allow remote users to log in: use strong passwords that are linked to specific terminals/locations, with encrypted storage and transmission; use proxy FTP servers and DMZs; monitor connection attempts. Finger services, authorization and use logs: deny/block access to these files.
382 Securing the Firewall: Internal Firewalls. Internal network topography can include a backbone supporting several subsystems that need their own firewalls. This modularization of subsystems effectively limits the total area that is compromised when hackers access one area. Internal firewalls protect against internal threats.
383 Securing the Firewall: Operating System Controls. User and group settings; file and directory permissions; remote file system access; operating system initialization files; scheduling of jobs; other core operating system settings; trust relationships; networking services monitor.
384 Firewall Design Factors. Deny capability: the firewall should be able to support a "deny all services, except those specifically permitted" policy. Filtering: the ability to judiciously and dynamically employ filtering techniques, such as permit or deny services, for each host system is crucial to a good firewall design. Security policy: developing a security policy is a precursor to designing and implementing effective firewalls.
385 Firewall Design Factors (cont.). Dynamic: networking environments are fluid and the firewall design should allow agility. Authentication: the firewall design should utilize strong authentication devices and be continually updated to incorporate the most advanced and feasible authentication devices that emerge. Flexible filtering: the firewall should employ a flexible IP filtering language that can filter on as many attributes as is deemed necessary: source and destination transport connections, IP addresses, and inbound and outbound interfaces.
386 Firewall Design Factors (cont.). Recognize dangerous services: it should identify such services and either disable them for outside users or use proxy services in DMZs to reduce exposure from such services. Filter dial-in access: it should be able to filter dial-in access and limit access ports. Audit logs: it should log traffic and suspicious activity and display it in an easy-to-understand format. Current version: it should have the most secure version of the operating system installed, with any known patches to known problems installed as well.
387 Firewall Design Factors (cont.). Good documentation: the firewall development process should be implemented in a fashion that provides checkpoints and a verifiable log of actions taken during its development, implementation, and maintenance.
388 Choosing a Firewall Vendor: In-house Solutions vs. Commercial Security Software. The reputation of the vendor: request references! Does the software meet the requirements in the network service access policy/firewall design policy? Does the vendor have 24 hour, 365 days a year support? How reliable is this support? Does the vendor provide training? How timely does this vendor release updates/patches? Do they provide support for installing security patches? How does this software fit in with future networking expansion plans?
389 Limitations of Security Provided by Firewalls
Firewalls are just one component of security
Firewalls are continually changing
Firewalls can only protect a firm from the type of attacks the firm has included in their policies and rules.
Firewall users need to be aware of risks associated with attached files
Humans may over-rely on their firewall capabilities - this is dangerous!
390 Implications for the Accounting Profession
New opportunities exist in the areas of:
Penetration Testing and Risk Exposure
Provider of Network Solutions
Forensic Accounting
Intrusion Investigation
392 Chapter 12 Electronic Commerce Payment Methods
393 What are the different e-Commerce Payment Methods?
The SET Protocol
Magnetic Strip Cards
Smart Cards
Smart Cards and Mobile Commerce
Electronic Checks
Disposable Credit Card Numbers
Electronic Cash
Implications for the Accounting Profession
394 Chapter 12 Objectives
To distinguish between alternative electronic payment mechanisms
To understand the underlying structure of the SET protocol and how it is different from SSL
To understand the role of certificate authorities in electronic payment processes
395 How can you pay/get paid online?
Credit cards
Magnetic strip cards
Smart cards
Electronic checks
Debit cards
Electronic cash
396 Secure Sockets Layer (SSL)
Works well for data confidentiality
Not so well for authentication, unless the sender, not just the server, has a digital certificate registered with a trusted third party such as VeriSign
397 Depiction of SSL Process
Sender: 1. Encrypt message with private DES key (cleartext message becomes encoded message). 2. Encrypt DES key with RSA public key. The encoded message and encrypted key form the transmitted message.
Receiver: 3. Decrypt key with RSA private key. 4. Decrypt with DES private key (encoded message becomes cleartext message).
398 Secure Electronic Transaction (SET) Protocol
Developed jointly by MasterCard and VISA to provide a secure environment for transmission of credit card information
Version 1.0 features include:
Confidentiality of information: encryption
Integrity of data: digital signatures and certificates
Cardholder account authentication: digital signatures and certificates
Interoperability: defined protocols and message formats.
399 SET vs. SSL
FEATURE                                              SET   SSL
Secure Transmission of Data                          Yes   Yes
Identify Authorized Purchasers                       Yes   No
Verify Validity of Account                           Yes   No
Identify Legitimacy of Payment Brand for Merchants   Yes   No
Track Sales Slips and Totals                         Yes   No
Validate Merchant’s Credit Policy                    Yes   No
400 Figure: SET transaction flow (diagram). Participants: Cardholder, Merchant, Payment Gateway (Acquirer), Certificate Authority. Registration information goes to the Certificate Authority and certificates are issued; purchase request and purchase response pass between Cardholder and Merchant; authorization request and response pass between Merchant and Payment Gateway; the trust chain is verified; the Payment Gateway authorizes and processes the transaction.
401 What are the four SET Components?
Wallet - performs cardholders’ authentication
Merchant Server - authenticates merchant and its accepted payment brand
Payment Gateway - processes payments and authorizations
Certificate Authority - manages certificates for wallets and merchants; allows for branding
402 Approved Extensions to SET
Payment instructions will include:
BO’ card (France product) information to be included in the payment instructions
Hardware token information
PINs
Exchange of payment options in Japan
Allows the merchant party to use SET, while the others do not have to
Transports chip card data in purchase request message
Transports track-2 data in purchase request message
Allows purchase request message to carry credit card verification data
403 What is the Certificate Trust Chain?
A hierarchy of trust used to verify the certificates used in SET transactions
SET’s root certificate authority is off-line and performs the following functions:
Generates and securely stores the SET root certificate authority’s public and private keys
Generates and “self-signs” the SET root certificate authority’s certificates
Processes brand certificate requests and generates SET brand certificate authority certificates.
Generates and distributes certificate revocation lists.
Setco, 1999
404 Figure: SET certificate trust chain (adapted from SETCo’s Specification, Version 1.0). The off-line Root’s signature signs the Brand’s certificate (made available by SETCo); the Certificate Authority’s signature, beneath the brand, signs the Cardholder’s, Merchant’s and Payment Gateway’s certificates.
406 What cryptography does SET use?
Both symmetric (private) keys and public-private key pairs are utilized.
Digital envelope:
The sender’s private symmetric-key encrypted message, and
The recipient’s public key encryption of the sender’s private symmetric key.
Message digests are utilized with the digital envelopes to protect:
The integrity of the message
Message confidentiality during transmission
That only the intended recipient can decode the digital envelope
Authentication of the sender
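The digital envelope described here, and the four-step SSL depiction on slide 397, as one added example in Go that is not code from the book or from SET: the message is encrypted under a fresh symmetric session key, the session key is encrypted under the recipient's public key, and a message digest rides inside the encrypted part so the recipient can check integrity after opening. AES-256-GCM stands in for the slide's DES and RSA-OAEP for its RSA step (both assumptions; the slides name only "DES" and "RSA"); the sample message is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope holds the two parts the slide describes: the message encrypted
// under a one-time symmetric session key, and that session key encrypted
// under the recipient's public key. A SHA-256 digest of the plaintext
// travels inside the encrypted part.
type Envelope struct {
	EncryptedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce        []byte // AES-GCM nonce, sent in the clear
	Ciphertext   []byte // AES-GCM(session key, digest || message)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side (steps 1 and 2 of the SSL slide).
func Seal(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh session key, used for this message only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	ct := gcm.Seal(nil, nonce, append(digest[:], msg...), nil)
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: encKey, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient's side (steps 3 and 4): recover the session key with
// the private key, decrypt the message, then re-check the embedded digest.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("cannot recover session key: wrong private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: tampered or wrong key")
	}
	if len(pt) < sha256.Size {
		return nil, errors.New("envelope too short")
	}
	msg := pt[sha256.Size:]
	want := sha256.Sum256(msg)
	if !bytes.Equal(want[:], pt[:sha256.Size]) {
		return nil, errors.New("message digest mismatch")
	}
	return msg, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("order #42: pay 19.95")) // constructed message
	if err != nil {
		panic(err)
	}
	msg, err := Open(recipient, env)
	fmt.Printf("opened: %q err=%v\n", msg, err)
	env.Ciphertext[0] ^= 1 // flip one bit in transit
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Note what the envelope does and does not give: only the holder of the private key can open it, and any change in transit is detected, but anyone holding the recipient's public key can seal one. That is the gap slide 396 points at: confidentiality and integrity come from the envelope, while authenticating the sender needs the sender's own signature and certificate, which is what SET adds on top.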
407 What are dual signatures?
Incorporate the use of the generation of two messages, one for the acquirer and one for the merchant
Each message contains only the information that is essential to that particular party, in order to protect the privacy of as much information as possible
408 Figure: dual signature in a silent bid for a rare item (diagram). Participants: Bidder/Purchaser, Auction House/Merchant, Bidder’s Financial Institution’s Acquirer.
The Bidder calculates MD1, MD2 and DSMD.
1a. Message to the acquirer: authorizes payment to the auction house if the offer is accepted, but gives no details about what item is bought; MD1 encrypted with the Bidder’s private key.
1b. Message to the auction house: includes the $ amount offered and for which items, but no account information; MD2 and DSMD encrypted with the Bidder’s private key.
2. Auction house: decrypt the message with the Bidder’s public key, recompute MD1, determine whether to accept the bid.
3. Auction house to acquirer: message that the offer from the bidder is accepted; MD1 encrypted with the auction house’s private key.
4. Acquirer: decrypt 1a with the bidder’s public key, recompute MD2; decrypt 3 with the auction house’s private key - now have MD1; combine MD1 and MD2; recompute the dual signature and verify it against the DSMD sent by the Bidder.
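The dual signature of the two slides above, as an added example in Go that is not from the book or from the SET specification: the bidder hashes the order message (MD1) and the payment message (MD2), signs the hash of the two digests together, and each receiving party verifies that one signature from its own message plus the other party's digest, never seeing the other message. SHA-256 and RSA PKCS#1 v1.5 signatures are assumptions (the slides do not name the algorithms); the order and payment messages are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualSignature is what the bidder produces: MD1 = H(order message),
// MD2 = H(payment message), and DSMD = Sign(H(MD1 || MD2)).
type DualSignature struct {
	MD1, MD2 [sha256.Size]byte
	DSMD     []byte
}

func digest(b []byte) [sha256.Size]byte { return sha256.Sum256(b) }

// combine hashes the two digests together; this is the value actually signed.
func combine(md1, md2 [sha256.Size]byte) []byte {
	both := make([]byte, 0, 2*sha256.Size)
	both = append(both, md1[:]...)
	both = append(both, md2[:]...)
	h := sha256.Sum256(both)
	return h[:]
}

// Sign is the bidder's step: one signature covers both messages.
func Sign(priv *rsa.PrivateKey, order, payment []byte) (DualSignature, error) {
	ds := DualSignature{MD1: digest(order), MD2: digest(payment)}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, combine(ds.MD1, ds.MD2))
	if err != nil {
		return DualSignature{}, err
	}
	ds.DSMD = sig
	return ds, nil
}

// MerchantVerify: the auction house holds the order message in the clear plus
// MD2 and DSMD. It recomputes MD1 and checks the signature without ever
// seeing the payment message.
func MerchantVerify(pub *rsa.PublicKey, order []byte, md2 [sha256.Size]byte, dsmd []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, combine(digest(order), md2), dsmd) == nil
}

// AcquirerVerify: the acquirer holds the payment message in the clear plus
// MD1 and DSMD. It recomputes MD2 and checks the same signature without
// ever seeing what was bought.
func AcquirerVerify(pub *rsa.PublicKey, payment []byte, md1 [sha256.Size]byte, dsmd []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, combine(md1, digest(payment)), dsmd) == nil
}

func main() {
	bidder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("silent bid: 12000 for lot 17 (rare first edition)")      // constructed
	payment := []byte("authorize 12000 to Auction House from card ****1234") // constructed
	ds, err := Sign(bidder, order, payment)
	if err != nil {
		panic(err)
	}
	pub := &bidder.PublicKey
	fmt.Println("merchant accepts:", MerchantVerify(pub, order, ds.MD2, ds.DSMD))
	fmt.Println("acquirer accepts:", AcquirerVerify(pub, payment, ds.MD1, ds.DSMD))
	// An order altered after signing no longer pairs with MD2 under the same signature.
	fmt.Println("altered order accepted:", MerchantVerify(pub, []byte("silent bid: 1200 for lot 17"), ds.MD2, ds.DSMD))
}
```

The privacy property comes from passing digests rather than messages: the acquirer can confirm that the payment it is asked to honor was signed together with the exact order the merchant accepted, yet learns nothing about the item, and the merchant learns nothing about the account.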
409 SET Logo/Compliance Testing
Must submit results of test case data
SETCo reviews the software capabilities and the accuracy of performance of the essential functionalities of the SET protocol using this data set of test cases
To see an updated version of organizations that have passed compliance testing see
410 Magnetic Strip Cards
Over 1 billion used worldwide
Cards have magnetically encoded strips with data, usually with standard data methods
On-line - reads data and accesses a database
Off-line - all necessary data is stored on card
Smart Card – more processing and storage
Hybrid cards – combine magnetic card and smart card technologies.
411 Figure: layout of a magnetic strip card (diagram): user’s picture, ISO magnetic field, identification code, and a special magnetic field used for photocopy machines.
412 Figure: Lehigh campus card system (diagram). Lehigh’s central computer. On-line magnetic strip component: buildings access, checkout of library books. Off-line magnetic strip component: various campus dining places, various photocopying machines, laundry equipment, vending.
413 What are smart cards?
Contain a microprocessor and storage unit.
Need a special reader attached to computers in order to perform.
More durable, but less expensive
Memory smart cards – less processing, used for simple storage, like holding spending money
Microprocessor smart cards - additional feature of greater storage and processing capabilities
Contactless smart cards – for wave-by’s as in transportation applications
Electronic Purse - refers to the monetary value that is stored on the microprocessor
Open Transaction Platform protocol by Funge Systems
414 LOYALTY PROGRAMS: Boots Advantage - over 10 million cards; Shell - over 5 million cards
HEALTHCARE PROGRAMS: Gemplus Belgian Social Identity Cards - over 11 million cards; Slovenian National Health Insurance Cards - over 2 million cards
FINANCIAL: Germany GeldKarte - over 40 million; French Chip Card (GIE Carte Bancaire) - over 25 million
TELEPHONY: Mobile Telephone Industry - over 250 million smart cards in use worldwide
MASS TRANSIT: Motorola & Amtrak - expected > 10 million smart cards
EDUCATION: U.S. College IDs - over 1 million smart cards
415 Figure: smart card payment cycle (McGraw-Hill, 2001). Participants: Smart Card Holder (Consumer), Merchant, Bank.
1. The smart card holder inserts the card into a machine and downloads money onto the microprocessor on the card.
2. The consumer pays for merchandise/service by inserting the smart card into the merchant’s smart card reader.
3. At the end of the day, the merchant inserts a smart card to receive a download of the day’s sales.
4. The merchant takes the smart card to the bank for credit for the day’s sales or cash.
416 American Express Blue Smart Card
The Blue Card has both a magnetic strip for traditional credit card use as well as a smart chip for Internet purchases.
The electronic purse has the following characteristics:
Purchasing history
Shipping and billing data
Card number
Automatic completion of online forms
User ID and password recording/entering at many merchants.
417 Smart Cards and Mobile Commerce
Telephones/PDAs that have smart card reader slots allow smart cards to be used to:
Pay for items purchased over the telephone
Download money from bank accounts to a smart card
Transfer balances between accounts
Check bank account balances
Secure Authenticated Counter (SAC) to authenticate and secure payments using business rules and screening systems.
418 Mobile Devices and e-Commerce
Telephones and Personal Digital Assistants conduct electronic payments by:
Storing the electronic purse on a smart card that inserts into a wireless device
Storing the electronic purse on a chip in the wireless device
Storing the electronic purse remotely on the financial institution’s server
419 Figure 12-10 Wireless, smart card phone growth
420 Figure 11-12 Projected users of wireless financial services
421 What are electronic checks?
The payor instructs its financial institution to pay a specific amount to another party, the payee
Consumer requests online bill and initiates payment, fills form, verifies, and submits payment
Funds are transferred to the business owed, typically with an ACH transfer
BillPoint and PayPal: new services that allow consumer-to-consumer check services
422 Biller Presentment Systems
Allow customers to view and pay bills from the payee’s web site
CyberCash estimates that a company can cut bill processing costs by as much as 50% by hosting a biller presentment system
Bill Concentrators - A third-party that performs the functions of bill presentment and payment transfer
FirstUnion
423 Electronic Billing Methods
Internet websites can perform the following:
Present the bill to the payor
Allow the payor to initiate payment of the invoice
Provide remittance information
Allow the payor to initiate automatic payment authorizations for a specific amount or for a range of amounts
Interface with financial management software and transaction processing software.
Allow payments to be made to new businesses with which the payor has never before transacted
424 Figure 12-13 American Express’ one-time-use credit card number (flowchart)
Register with AmericanExpress.com for online services (credit card number must be entered at this point.)
Download software (free)
Shop online:
American Express profiled site - the Private Payments box appears on screen automatically
Non-American Express profiled site - click on the AE Private Payments icon in the tray that is always on the screen
Login screen (user ID and password)
Select which credit card to use (if you have multiple cards)
View unique, one-time-use credit card number and expiration date
Type or drag the unique, one-time-use credit card number and expiration date into the merchant’s standard form
425 Disposable Credit Card Numbers
American Express and Discover created one-time-use credit card numbers
Work like an imprest account, set up prior for exactly the purchase amount.
Merchants never see the true credit card number
Slow in adoption because it requires an extra step over the smart card.
426 Electronic or Digital Cash
Prepaid, stored value that can be used for electronic purchases in lieu of cash.
Used primarily for anonymity
PayPal (not anonymous), DigiCash (anonymous)
An “embossment” process is used to add value to a “coin” from a user’s account without recording any information linking the user to the embossed coin
427 Figure: “embossing” a $1 digital coin (diagram). Participants: Alice, Bank, Merchant.
1. Alice creates a blank coin and places it in a digital envelope.
2. The bank removes $1 from Alice’s account and “embosses” the digital envelope and blank coin with a validating signature.
3. Alice removes the coin from the digital envelope.
4. Alice spends the $1 coin at the merchant.
5. The merchant redeems the coin; the bank recognizes its own “emboss” (validating signature) and honors the coin.
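The embossment process of the two slides above, as an added example in Go that is not from the book or from DigiCash: a textbook RSA blind signature, which is the mechanism behind the "digital envelope" the bank signs without seeing the coin inside. Alice multiplies the coin's hash by a random blinding factor, the bank signs the blinded value, Alice divides the factor back out, and at redemption the bank recognizes its own signature and also refuses a serial it has already honored. The hash-then-sign construction, the 2048-bit key and the random serial are assumptions; the arithmetic is unpadded textbook RSA, shown for the mechanism rather than as production code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Coin is a $1 token: a serial number Alice chose, plus the bank's RSA
// signature on the hash of that serial. The bank signed it blind, so at
// redemption it cannot link the serial to Alice's account.
type Coin struct {
	Serial []byte
	Sig    *big.Int
}

// Bank holds the embossing key and remembers which serials it has honored.
type Bank struct {
	key      *rsa.PrivateKey
	redeemed map[string]bool
}

func NewBank() (*Bank, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Bank{key: key, redeemed: map[string]bool{}}, nil
}

func (b *Bank) PublicKey() *rsa.PublicKey { return &b.key.PublicKey }

// coinValue maps a serial to the integer that is actually signed: H(serial),
// which is far smaller than the modulus n.
func coinValue(serial []byte) *big.Int {
	h := sha256.Sum256(serial)
	return new(big.Int).SetBytes(h[:])
}

// Blind is Alice's "digital envelope": blinded = H(serial) * r^e mod n for a
// random r only she knows. The bank sees nothing but the blinded value.
func Blind(pub *rsa.PublicKey, serial []byte) (blinded, r *big.Int, err error) {
	n := pub.N
	one := big.NewInt(1)
	for {
		r, err = rand.Int(rand.Reader, n)
		if err != nil {
			return nil, nil, err
		}
		if r.Sign() > 0 && new(big.Int).GCD(nil, nil, r, n).Cmp(one) == 0 {
			break
		}
	}
	rE := new(big.Int).Exp(r, big.NewInt(int64(pub.E)), n)
	blinded = new(big.Int).Mod(new(big.Int).Mul(coinValue(serial), rE), n)
	return blinded, r, nil
}

// Emboss is the bank's step: sign the blinded value with the private exponent.
// (Debiting $1 from Alice's account is left out; only the signature is modelled.)
func (b *Bank) Emboss(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, b.key.D, b.key.N)
}

// Unblind removes the envelope: sig = blindSig * r^-1 mod n, which equals
// H(serial)^d mod n, the bank's ordinary signature on the coin.
func Unblind(pub *rsa.PublicKey, serial []byte, blindSig, r *big.Int) Coin {
	rInv := new(big.Int).ModInverse(r, pub.N)
	sig := new(big.Int).Mod(new(big.Int).Mul(blindSig, rInv), pub.N)
	return Coin{Serial: serial, Sig: sig}
}

// Redeem is the merchant depositing the coin. The bank checks its own emboss
// (sig^e mod n == H(serial)) and rejects a serial it has seen before.
func (b *Bank) Redeem(c Coin) error {
	e := big.NewInt(int64(b.key.E))
	if new(big.Int).Exp(c.Sig, e, b.key.N).Cmp(coinValue(c.Serial)) != 0 {
		return errors.New("invalid signature: not our emboss")
	}
	id := string(c.Serial)
	if b.redeemed[id] {
		return errors.New("double spend: serial already redeemed")
	}
	b.redeemed[id] = true
	return nil
}

func main() {
	bank, err := NewBank()
	if err != nil {
		panic(err)
	}
	serial := make([]byte, 16) // Alice's blank coin: a random serial (constructed)
	if _, err := rand.Read(serial); err != nil {
		panic(err)
	}
	blinded, r, err := Blind(bank.PublicKey(), serial)
	if err != nil {
		panic(err)
	}
	coin := Unblind(bank.PublicKey(), serial, bank.Emboss(blinded), r)
	fmt.Println("first redeem:", bank.Redeem(coin))
	fmt.Println("second redeem:", bank.Redeem(coin))
}
```

The redeemed-serial table is the part the slide's diagram leaves implicit: because the bank cannot tie a coin to an account, the only defence against the same coin being spent twice is the bank remembering every serial it has already honored.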
428 Implications for the Accounting Profession
Audit Implications - the only method that can be used to trace an electronic transaction is to understand the underlying programs and digital methods used to create the transaction
Electronic Bill Presentment and Payment Systems
Service Provider Opportunities