ssl encryption digital signature digital certificate server security firewall password bio metrics...

Upload: mritunjay-das

Post on 10-Apr-2018


  • 8/8/2019 SSL Encryption Digital Signature Digital Certificate Server Security Firewall Password Bio Metrics Payment Security V

    1/30

    SSL (Secure Sockets Layer):

    The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

    TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library, which can be downloaded for noncommercial use or licensed for commercial use.

    TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

    SSL: Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connect…

    Additional Note on SSL:

    The e-commerce business is all about making money and then finding ways to make more money. Of course, it's hard to make (more) money when consumers don't feel safe executing a transaction on your Web site. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

    What is SSL?

    Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security, and it's likely to remain so well into the future. SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and in the case of Mozilla Firefox in the address bar as well).

    Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site builders to do their part.

    SSL Certificates

    At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt the data and to identify the Web site. The SSL certificate helps to prove the site belongs to who it says it belongs to, and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root, and the country it was issued in.

    SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been hacked. As such, you definitely should be looking at getting a 128-bit certificate.

    Though there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

    How to Get an SSL Certificate ... The Wrong Way

    There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor.

    Technically speaking, the data may be encrypted, but there still is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place. Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses. Making sure those roads are safe is the role of the certificate authorities. Certificate authorities make sure the site is legitimate.

    Self-signed certificates will trigger a warning window in most browser configurations that will indicate that the certificate was not recognized. VeriSign admits that there are a lot of people that will click through anyway, just like there are a lot of people that will click through an expired SSL certificate as well.
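The browser warning described above has a direct equivalent in code: a TLS client either requires the server certificate to chain to a recognized root (the browser's default) or switches verification off (the "click through"). The following is an added example, not code from the original document or from VeriSign, using Python's standard `ssl` module; the function names and the `describe` summary are this example's own. It also shows the correct handling of an internal, self-issued CA: add that CA's root to the trust store instead of disabling verification.

```python
import ssl

# Added example (not part of the original document): the two ways a TLS client
# can treat a certificate it does not recognize.

def hardened_client_context() -> ssl.SSLContext:
    """Behaves like a browser that refuses unrecognized certificates."""
    ctx = ssl.create_default_context()            # loads the platform's trusted CA roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 are retired
    ctx.check_hostname = True                     # certificate must name the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must end at a trusted root
    return ctx

def click_through_context() -> ssl.SSLContext:
    """Equivalent to clicking past the warning: any certificate is accepted,
    so the connection is encrypted but the peer's identity is unverified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def internal_ca_context(cafile: str) -> ssl.SSLContext:
    """The right fix for an internal (self-issued) CA: trust that CA's root
    explicitly rather than switching verification off. `cafile` is a PEM path
    supplied by the deployer (assumption: it exists on disk)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize what a context will enforce, for auditing client configuration."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
        "accepts_self_signed": ctx.verify_mode == ssl.CERT_NONE,
    }

if __name__ == "__main__":
    print("hardened:     ", describe(hardened_client_context()))
    print("click-through:", describe(click_through_context()))
```

A `click_through_context()` used with `wrap_socket` will complete a handshake against any certificate, including an expired or self-signed one; `hardened_client_context()` raises `ssl.SSLCertVerificationError` instead, which is the programmatic form of the warning window.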

    A site that conveys trust is also more likely to be a site that makes (more) money. There is research that suggests that having a recognizable SSL certificate may, in fact, have a direct correlation to increased e-commerce sales. VeriSign, in particular, has done some research that shows that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites and have fewer abandoned shopping carts and better repeat purchases.

    Choosing an SSL Certificate Vendor

    According to GeoTrust Lockhart there are several things that buyers should look for when purchasing a certificate:

    Reputation and credibility of the CA (How long have they been in business? Do they have lots of customers?)

    Ubiquity of the root (is it embedded in all of the popular browsers?)

    Root is owned by the CA (and not chained to someone else's root)

    Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)

    Ease of acquiring the certificate

    Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)

    Conclusion

    You are who you say you are. You have nothing to hide and you are running a legitimate e-commerce business that you want consumers to trust and feel comfortable doing business with. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.

    Encryption:

    Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

    The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

    In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.

    Encryption/decryption is especially important in wireless communications. This is because wireless circuits are easier to tap than their hard-wired counterparts. Nevertheless, encryption/decryption is a good idea when carrying out any kind of sensitive transaction, such as a credit-card purchase online, or the discussion of a company secret between different departments in the organization. The stronger the cipher -- that is, the harder it is for unauthorized people to break it -- the better, in general. However, as the strength of encryption/decryption increases, so does the cost.

    Encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security.

    In recent years, a controversy has arisen over so-called strong encryption. This refers to ciphers that are essentially unbreakable without the decryption keys. While most companies and their customers view it as a means of keeping secrets and minimizing fraud, some governments view strong encryption as a potential vehicle by which terrorists might evade authorities. These governments, including that of the United States, want to set up a key-escrow arrangement. This means everyone who uses a cipher would be required to provide the government with a copy of the key. Decryption keys would be stored in a supposedly secure place, used only by authorities, and used only if backed up by a court order. Opponents of this scheme argue that criminals could hack into the key-escrow database and illegally obtain, steal, or alter the keys. Supporters claim that while this is a possibility, implementing the key escrow scheme would be better than doing nothing to prevent criminals from freely using encryption/decryption.
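The Encryption section above names the "rotation of letters in the alphabet" as a simple cipher, says the decryption key "undoes the work" of the encryption key, and notes that a computer can instead try to break the cipher. The following added example (not from the original document) makes those three statements concrete in Python: it implements the rotation cipher, its inverse, and the exhaustive search a computer performs over its 26 keys, and it expresses key-space size in bits so the 40-bit versus 128-bit figures from the SSL section can be compared on the same scale. The message and the small word list used to recognize English are constructed for this illustration.

```python
import math
import string

# Added example (not part of the original document): a rotation cipher, its
# decryption key, and why exhaustive search defeats a 26-key cipher.

ALPHABET = string.ascii_uppercase

def rotate(text: str, key: int) -> str:
    """Encrypt by rotating each letter `key` places; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext: str, key: int) -> str:
    """The decryption key is the algorithm that undoes the encryption key."""
    return rotate(ciphertext, -key)

# Constructed toy dictionary used to recognize a plausible plaintext.
COMMON_WORDS = {"THE", "AND", "TO", "OF", "A", "IS", "IN", "AT", "ON",
                "FOR", "BE", "WITH", "THIS"}

def score(candidate: str) -> int:
    """Number of dictionary words in a candidate plaintext."""
    return sum(1 for w in candidate.split() if w.strip(string.punctuation) in COMMON_WORDS)

def brute_force(ciphertext: str):
    """Try every possible key and keep the most English-looking result.
    Returns (key, plaintext)."""
    best_key = max(range(26), key=lambda k: score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)

def keyspace_bits(number_of_keys: int) -> float:
    """Work factor of exhaustive search, in bits: log2 of the number of keys."""
    return math.log2(number_of_keys)

if __name__ == "__main__":
    secret = "MEET AT THE BRIDGE AT NOON"          # constructed sample message
    ct = rotate(secret, 13)
    print("ciphertext:", ct)
    print("recovered by brute force:", brute_force(ct))
    print("rotation cipher keyspace: %.1f bits" % keyspace_bits(26))
    print("40-bit key: %d bits, 128-bit key: %d bits"
          % (keyspace_bits(2**40), keyspace_bits(2**128)))
```

The rotation cipher has under five bits of key, so the whole key space is searched instantly; that is the sense in which "the more complex the encryption algorithm, the more difficult it becomes to eavesdrop". A 40-bit key space is within reach of a determined attacker with commodity hardware, which is why the SSL note above says 40-bit encryption "has been hacked", while 2^128 keys is far beyond exhaustive search.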

    Digital Signature:

    A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering.

    Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature,[1] but not all electronic signatures use digital signatures.[2][3][4] In some countries, including the United States, India, and members of the European Union, electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they are digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused.

    Digital signatures employ a type of asymmetric cryptography. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol.

    The following diagram shows how a simple digital signature is applied and then verified:

    A digital signature scheme typically consists of three algorithms:

    1 A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.

    2 A signing algorithm that, given a message and a private key, produces a signature.

    3 A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.

    Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.

    Use of Digital Signature:

    As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence to provenance, identity, and status of an electronic document as well as acknowledging informed consent and approval by a signatory. The United States Government Printing Office (GPO) publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures. Universities including Penn State, University of Chicago, and Stanford are publishing electronic student transcripts with digital signatures.

    Below are some common reasons for applying a digital signature to communications:

    1. Authentication

    2. Integrity

    3. Non-repudiation

    Authentication

    Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.

    Integrity

    In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions.

    Non-repudiation

    Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature. This is in contrast to symmetric systems, where both sender and receiver share the same secret key, and thus in a dispute a third party cannot determine which entity was the true source of the information.

    Digital Certificate:

    An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

    An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.

    The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.

    The most widely used standard for digital certificates is X.509.

    Also see the additional note on SSL, which is provided above.
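The Digital Signature section above lists the three algorithms of a signature scheme and the three reasons for signing (authentication, integrity, non-repudiation), and the Digital Certificate section describes a recipient who first checks a certificate against the CA's public key and then uses the sender's public key found inside it. The following is one added example, not code from the original document or from any of the sources it quotes, that carries all of those steps through in Python with hash-then-sign textbook RSA: key generation, signing, verifying, the failure of a tampered message (integrity) and of a wrong key (authentication), and a minimal certificate in which a CA signs the binding between a name and a public key. The 64-bit primes, the `branch-office` subject name and the sample messages are assumptions chosen so the example runs instantly; real deployments use RSA keys of thousands of bits and padding schemes such as PSS, which this illustration omits.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Added example (not part of the original document): a signature scheme's three
# algorithms, plus a minimal CA-signed certificate. Toy parameters (64-bit primes).

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random prime with the top bit set, drawn from a cryptographic RNG."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int

def generate_keys(bits: int = 64, e: int = 65537):
    """Key generation: the private key is chosen at random; the public key follows."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return PrivateKey(p * q, pow(e, -1, phi)), PublicKey(p * q, e)

def _digest(message: bytes, n: int) -> int:
    """Hash first so a message of any length can be signed (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv: PrivateKey) -> int:
    """Signing algorithm: message + private key -> signature."""
    return pow(_digest(message, priv.n), priv.d, priv.n)

def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Verifying algorithm: accepts only if the signature was made with the
    private key that matches `pub` over exactly this message."""
    return pow(signature, pub.e, pub.n) == _digest(message, pub.n)

# A minimal certificate: the CA signs the (subject name, subject public key) binding.
def _to_be_signed(subject: str, pub: PublicKey) -> bytes:
    return f"{subject}|{pub.n}|{pub.e}".encode()

def issue_certificate(subject: str, subject_pub: PublicKey, ca_priv: PrivateKey) -> dict:
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(_to_be_signed(subject, subject_pub), ca_priv)}

def verify_certificate(cert: dict, ca_pub: PublicKey) -> bool:
    """Recipient uses the CA's public key to check the certificate was issued by the CA."""
    return verify(_to_be_signed(cert["subject"], cert["pub"]), cert["sig"], ca_pub)

def verify_signed_message(message: bytes, signature: int, cert: dict, ca_pub: PublicKey) -> bool:
    """Full recipient check: trust the CA, then the certificate, then the message."""
    return verify_certificate(cert, ca_pub) and verify(message, signature, cert["pub"])

if __name__ == "__main__":
    ca_priv, ca_pub = generate_keys()
    branch_priv, branch_pub = generate_keys()
    cert = issue_certificate("branch-office", branch_pub, ca_priv)
    msg = b"credit account 1234 by 100"            # constructed sample instruction
    sig = sign(msg, branch_priv)
    print("genuine message accepted:", verify_signed_message(msg, sig, cert, ca_pub))
    print("tampered message accepted:", verify_signed_message(b"credit account 1234 by 900", sig, cert, ca_pub))
```

The same `verify` routine serves both layers: the certificate is just another signed message, whose signer is the CA and whose content is someone else's public key. A certificate the subject signs for itself verifies under its own key but not under the CA's, which is the programmatic form of the "not recognized" warning in the SSL note above.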

    Server Security:

    An organization's servers provide a wide variety of services to internal and external users, and many servers also store or process sensitive information for the organization. Some of the most common types of servers are Web, email, database, infrastructure management, and file servers. This publication addresses the general security issues of typical servers.

    Servers are frequently targeted by attackers because of the value of their data and services. For example, a server might contain personally identifiable information that could be used to perform identity theft. The following are examples of common security threats to servers:

    1 Malicious entities may exploit software bugs in the server or its underlying operating system to gain unauthorized access to the server.

    2 Denial of service (DoS) attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services.

    3 Sensitive information on the server may be read by unauthorized individuals or changed in an unauthorized manner.

    4 Sensitive information transmitted unencrypted or weakly encrypted between the server and the client may be intercepted.

    5 Malicious entities may gain unauthorized access to resources elsewhere in the organization's network via a successful attack on the server.


    6 Malicious entities may attack other entities after compromising a server. These attacks can be launched directly (e.g., from the compromised host against an external server) or indirectly (e.g., placing malicious content on the compromised server that attempts to exploit vulnerabilities in the clients of users accessing the server).

    To secure a server, organizations should follow these practices when installing, configuring, and maintaining it:

    1 Securing, installing, and configuring the underlying operating system

    2 Securing, installing, and configuring server software

    3 Maintaining the secure configuration through application of appropriate patches and upgrades, security testing, monitoring of logs, and backups of data and operating system files.

    The following key guidelines are recommended to Federal departments and agencies for maintaining a secure server.

    Organizations should carefully plan and address the security aspects of the deployment of a server.

    Because it is much more difficult to address security once deployment and implementation have occurred, security should be carefully considered from the initial planning stage. Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support server administrators in making the inevitable tradeoff decisions between usability, performance, and risk.

    Organizations often fail to consider the human resource requirements for both deployment and operational phases of the server and supporting infrastructure. Organizations should address the following points in a deployment plan:

    1 Types of personnel required (e.g., system and server administrators, network administrators, information systems security officers [ISSO])

    2 Skills and training required by assigned personnel

    3 Individual (i.e., level of effort required of specific personnel types) and collective staffing (i.e., overall level of effort) requirements.

    Organizations should implement appropriate security management practices and controls when maintaining and operating a secure server.

    Appropriate management practices are essential to operating and maintaining a secure server. Security practices entail the identification of an organization's information system assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that help to ensure the confidentiality, integrity, and availability of information system resources. To ensure the security of a server and the supporting network infrastructure, the following practices should be implemented:

    1 Organization-wide information system security policy

    2 Configuration/change control and management

    3 Risk assessment and management

    4 Standardized software configurations that satisfy the information system security policy

    5 Security awareness and training

    6 Contingency planning, continuity of operations, and disaster recovery planning

    7 Certification and accreditation.

    Organizations should ensure that the server operating system is deployed, configured, and managed to meet the security requirements of the organization.

    The first step in securing a server is securing the underlying operating system. Most commonly available servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security. Because manufacturers are not aware of each organization's security needs, each server administrator must configure new servers to reflect their organization's security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing servers consistently and efficiently. Securing an operating system initially would generally include the following steps:

    1 Patch and upgrade the operating system

    2 Remove or disable unnecessary services, applications, and network protocols

    3 Configure operating system user authentication

    4 Configure resource controls

    5 Install and configure additional security controls, if needed

    6 Perform security testing of the operating system.

    Organizations should ensure that the server application is deployed, configured, and managed to meet the security requirements of the organization.

    In many respects, the secure installation and configuration of the server application will mirror the operating system process discussed above. The overarching principle is to install the minimal amount of services required and eliminate any known vulnerabilities through patches or upgrades. If the installation program installs any unnecessary applications, services, or scripts, they should be removed immediately after the installation process concludes. Securing the server application would generally include the following steps:

    1 Patch and upgrade the server application

    2 Remove or disable unnecessary services, applications, and sample content

    3 Configure server user authentication and access controls

    4 Configure server resource controls

    5 Test the security of the server application (and server content, if applicable).

    Many servers also use authentication and encryption technologies to restrict who can access the server and to protect information transmitted between the server and its clients. Organizations should periodically examine the services and information accessible on the server and determine the necessary security requirements. Organizations should also be prepared to migrate their servers to stronger cryptographic technologies as weaknesses are identified in the servers' existing cryptographic technologies. For example, NIST has recommended that use of the Secure Hash Algorithm 1 (SHA-1) be phased out by 2010 in favor of SHA-224, SHA-256, and other larger, stronger hash functions. Organizations should stay aware of cryptographic requirements and plan to update their servers accordingly.

    Organizations should commit to the ongoing process of maintaining the security of servers to ensure continued security.

    Maintaining a secure server requires constant effort, resources, and vigilance from an organization. Securely administering a server on a daily basis is an essential aspect of server security. Maintaining the security of a server will usually involve the following actions:

    1 Configuring, protecting, and analyzing log files on an ongoing and frequent basis
    2 Backing up critical information frequently
    3 Establishing and following procedures for recovering from compromise
    4 Testing and applying patches in a timely manner
    5 Testing security periodically.
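
    Maintenance step 1 above, analyzing log files, is where a password-guessing campaign against a server usually first becomes visible. The following is an added example written for this page; it is not code from the original text or from NIST. It parses a handful of constructed sshd log lines (the IP addresses are from the RFC 5737 documentation ranges, not real hosts) and flags any source address that produces a burst of failed logins inside a sliding time window, together with any successful login from such an address, which is the event that needs a response:

```python
"""Detect password-guessing bursts in sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of syslog-style sshd entries (year omitted, as in syslog).
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan 12 10:15:03 web01 sshd[2033]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jan 12 10:15:04 web01 sshd[2035]: Failed password for root from 203.0.113.7 port 51536 ssh2
Jan 12 10:15:06 web01 sshd[2037]: Failed password for invalid user test from 203.0.113.7 port 51540 ssh2
Jan 12 10:15:09 web01 sshd[2040]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Jan 12 10:15:12 web01 sshd[2042]: Failed password for root from 203.0.113.7 port 51551 ssh2
Jan 12 10:15:13 web01 sshd[2044]: Accepted password for root from 203.0.113.7 port 51555 ssh2
Jan 12 10:20:30 web01 sshd[2101]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Jan 12 10:31:02 web01 sshd[2130]: Failed password for alice from 198.51.100.9 port 50007 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; only the relative order inside one file matters here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)
                    ) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    Returns ({ip: total_failures}, [(ip, user) for successful logins from flagged IPs]).
    The second list is the high-priority finding: a guess that eventually worked.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: List[Tuple[datetime, str, str]] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes.append((ts, ip, user))

    flagged: Dict[str, int] = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break

    suspicious_logins = [(ip, user) for _, ip, user in successes if ip in flagged]
    return flagged, suspicious_logins


if __name__ == "__main__":
    flagged, logins = find_bruteforce(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"guessing burst from {ip}: {count} failed logins")
    for ip, user in logins:
        print(f"ALERT: successful login for {user!r} from flagged source {ip}")
```

    Run against the constructed sample, the single burst from 203.0.113.7 is reported, and the later "Accepted password for root" from the same address is raised separately; the two slow failures from 198.51.100.9, eleven minutes apart, stay below the default threshold. In production the same logic runs over the real auth log, and the threshold and window are tuned to the expected failure rate of legitimate users.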

    Firewall:

    Definition still to be added.

    Password:


    A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.

    The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword. Sentries would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.

    Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

    For the purposes of more compellingly authenticating the identity of one computing device to another, passwords have significant disadvantages (they may be stolen, spoofed, forgotten, etc.) compared with authentication systems relying on cryptographic protocols, which are more difficult to circumvent.

    Factors in the security of a password system

    The security of a password-protected system depends on several factors. The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.

    Nowadays it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to avoid bystanders reading the password. However, some argue that such practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[4]

    Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[5] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.


    Here are some specific password management issues that must be considered in thinking about, choosing, and handling, a password.

    Rate at which an attacker can try guessed passwords

    The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed.[6]

    Many systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key strengthening.

    Form of stored passwords

    Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords, and so all user accounts, will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.

    More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.

    A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 have frequently been used for this purpose; both are fast, general-purpose hashes, so a plain MD5 or SHA1 of the password is a poor choice today compared with a salted, iterated construction such as PBKDF2, bcrypt or scrypt.

    A modified version of the DES algorithm was used for this purpose in early Unix systems. The UNIX DES function was iterated to make the hash function equivalently slow, further frustrating automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password shrouding system. More recent Unix or Unix-like systems (e.g., Linux or the various BSD systems) use what most believe to be still more effective protective mechanisms based on MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or frustrate attacks on stored password files.[7]

    If the hash function is well designed, it will be computationally infeasible to reverse it to directly find a plaintext password. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools which compare the hashed outcome of every word from some list, such as a dictionary (many are available on the Internet). Large lists of possible passwords in many languages are widely available on the Internet, as are software programs to try common variations. The existence of these dictionary attack tools constrains user password choices: to resist easy attacks, a password must not be findable on such lists, so words on such lists should be avoided as passwords. A key stretching function such as PBKDF2 raises the cost of each guess and so slows this attack, but it does not rescue a password that appears on the attacker's list.

    A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed, and insecure, example.[8]
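
    The two points made above, that the rate at which guesses can be submitted online is what makes a simple password survivable, and that an unsalted fast hash of the password can be matched offline against a precomputed list, are shown side by side in the following added example. It is written for this page, not taken from the original text or from any library; the wordlist and passwords are constructed. The weak scheme is a bare MD5 of the password; the stronger one is PBKDF2-HMAC-SHA256 with a random per-user salt, stored in a self-describing record so the iteration count can be raised later; the throttle locks an account for a fixed time after three consecutive failures:

```python
"""Password storage (unsalted MD5 vs. salted PBKDF2) and online guess throttling.
Added example with constructed data; not code from the original page."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Constructed wordlist standing in for the "lists of common passwords" the text mentions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2", "football"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic digest per password, identical for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hex: str, wordlist: List[str]) -> Optional[str]:
    """Offline attack on unsalted hashes: hash the wordlist once, then recover any
    user's password with a single dictionary lookup. No contact with the server."""
    table = {unsalted_md5(word): word for word in wordlist}
    return table.get(stored_hex)


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, stretched storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The record carries its own parameters: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginThrottle:
    """Online guessing limiter: after MAX_FAILURES consecutive failures the account
    is locked for LOCKOUT_SECONDS. The clock is injectable so the behaviour is testable."""
    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 30.0

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state: Dict[str, List[float]] = {}  # user -> [consecutive_failures, locked_until]

    def attempt(self, username: str, password: str, record: str) -> str:
        """Return "ok", "denied" (wrong password) or "locked" (no check performed)."""
        failures, locked_until = self._state.get(username, [0, 0.0])
        now = self._clock()
        if now < locked_until:
            return "locked"
        if verify_password(password, record):
            self._state.pop(username, None)  # success resets the failure counter
            return "ok"
        failures += 1
        if failures >= self.MAX_FAILURES:
            self._state[username] = [0, now + self.LOCKOUT_SECONDS]
        else:
            self._state[username] = [failures, 0.0]
        return "denied"


if __name__ == "__main__":
    leaked = unsalted_md5("hunter2")  # what an attacker finds in a dumped table
    print("unsalted MD5 recovered offline:", crack_unsalted(leaked, COMMON_PASSWORDS))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct/wrong:", verify_password("hunter2", record),
          verify_password("hunter3", record))
```

    The lookup table in crack_unsalted is built once and works against every account in the dump, which is exactly what a per-user salt prevents; with PBKDF2 each guess must be recomputed per user and costs hundreds of thousands of HMAC calls. The throttle does nothing for an attacker who already holds the stored records, which is why both controls are needed.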

    Methods of verifying a password over a network

    Various methods have been used to verify submitted passwords in a network setting:

    Simple transmission of the password

    Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packetized data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

    Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it is available without effort during transport to any eavesdropper. Further, the email will be stored on at least two computers as cleartext: the sender's and the recipient's. If it passes through intermediate systems during its travels, it will probably be stored on those as well, at least for some time. Attempts to delete an email from all these vulnerabilities may, or may not, succeed; backups or history files or caches on any of several systems may still contain the email. Indeed merely identifying every one of those systems may be difficult. Emailed passwords are generally an insecure method of distribution.

    An example of cleartext transmission of passwords is the original Wikipedia website. When you logged into your Wikipedia account, your username and password were sent from your computer's browser through the Internet as cleartext. In principle, anyone could read them in transit and thereafter log into your account as you; Wikipedia's servers have no way of distinguishing such an attacker from you. In practice, an unknowably larger number could do so as well (e.g., employees at your Internet Service Provider, at any of the systems through which the traffic passes, etc.). More recently, Wikipedia has offered a secure login option, which, like many e-commerce sites, uses the SSL/TLS cryptographically based protocol to eliminate the cleartext transmission. But, because anyone can gain access to Wikipedia (without logging in at all), and then edit essentially all articles, it can be argued that there is little need to encrypt these transmissions as there's little being protected. Other websites (e.g., banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.

    Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in cleartext.

    Transmission through encrypted channels

    The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user of a TLS/SSL protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see cryptography.

    Hash-based challenge-response methods

    Unfortunately, there is a conflict between stored hashed passwords and hash-based challenge-response authentication; the latter requires a client to prove to a server that he knows what the shared secret (i.e., password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; he only needs the hash.
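
    Both halves of that conflict can be seen in a small simulated exchange. The following is an added example written for this page, not a real protocol or code from the original text: the server stores H(password) and uses it as the shared secret, the client answers a random challenge with an HMAC under that secret, and the two attacks follow directly: whoever holds the stored value can answer challenges without ever learning the password ("pass-the-hash"), and an eavesdropper who captures one challenge/response pair can test password guesses offline. The hash scheme and wordlist are constructed for the illustration:

```python
"""Hash-based challenge-response with a stored hash as the shared secret.
Added example with constructed data; not code from the original page."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def stored_secret(password: str) -> bytes:
    """Server-side stored form: an unsalted SHA-256 of the password (assumed scheme).
    Because the client must reproduce this exact value, it cannot be salted per user
    without sending the salt, and it becomes the secret that matters."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """Server -> client: a fresh random nonce, so captured responses cannot be replayed."""
    return os.urandom(16)


def response(secret: bytes, challenge: bytes) -> bytes:
    """Client -> server: MAC of the challenge under whatever secret the client holds."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def server_verify(stored: bytes, challenge: bytes, resp: bytes) -> bool:
    """Server recomputes the expected response from its stored value."""
    return hmac.compare_digest(response(stored, challenge), resp)


def run_exchange(server_db: Dict[str, bytes], username: str, client_secret: bytes,
                 challenge: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """One round of the protocol; returns (challenge, response, accepted)."""
    challenge = challenge if challenge is not None else new_challenge()
    resp = response(client_secret, challenge)
    return challenge, resp, server_verify(server_db[username], challenge, resp)


def offline_guess(challenge: bytes, captured_resp: bytes,
                  wordlist: List[str]) -> Optional[str]:
    """Eavesdropper: test candidates against one captured pair with no server contact."""
    for candidate in wordlist:
        if hmac.compare_digest(response(stored_secret(candidate), challenge), captured_resp):
            return candidate
    return None


if __name__ == "__main__":
    db = {"alice": stored_secret("hunter2")}          # constructed account
    ch, resp, ok = run_exchange(db, "alice", stored_secret("hunter2"))
    print("legitimate client accepted:", ok)
    # Attacker who stole db["alice"] never learns "hunter2" but is accepted anyway.
    print("pass-the-hash accepted:", run_exchange(db, "alice", db["alice"])[2])
    # Eavesdropper who saw (ch, resp) recovers the password offline from a wordlist.
    print("offline guess:", offline_guess(ch, resp, ["123456", "password", "hunter2"]))
```

    The random challenge defeats replay of an old response, which is what challenge-response is for, but it does nothing against the two weaknesses the text describes; they come from the stored value being the secret itself. Augmented password-authenticated key agreement, discussed below, is designed so that the server's stored verifier is not sufficient to impersonate the client.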

    Zero-knowledge password proofs

    Rather than transmitting a password, or transmitting the hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.

    Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and the limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server that stores only a verifier derived from the password rather than the password or a plain hash of it; because the verifier alone is not sufficient to authenticate as the client, a stolen verifier does not by itself grant access, although it can still be used for offline guessing.

    Procedures for changing passwords

    Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) even before the new password has been installed in the password database. And, of course, if the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

    Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened). Typical questions include: "Where were you born?", "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be relatively easily guessed by an attacker, determined by low effort research, or obtained through social engineering, and so this is less than fully satisfactory as a verification technique. While many users have been trained never to reveal a password, few consider the name of their pet or favorite movie to require similar care.

    Password longevity

    "Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often), with the intent that a stolen password will become unusable more or less quickly. Such policies usually provoke user protest and foot-dragging at best and hostility at worst. Users may develop simple variation patterns to keep their passwords memorable. In any case, the security benefits are distinctly limited, if worthwhile, because attackers often exploit a password as soon as it is compromised, which will probably be some time before change is required. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires (see rootkit). Implementing such a policy requires careful consideration of the relevant human factors.

    Password aging may nonetheless be required by the nature of the IT systems the password gives access to; for example, if personal data is involved, the EU Data Protection Directive applies.

    Number of users per password

    Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer system, a password is usually stored for each user account, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user on most systems must supply a username as well as a password, almost always at account set up time, and periodically thereafter. If the user supplies a password matching the one stored for the supplied username, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the 'user name' is typically the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

    Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult, as for instance on graduation or resignation. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

    Biometrics:

    Biometrics comprises methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In computer science, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.

    Biometric characteristics can be divided into two main classes:

    Physiological: related to the shape of the body. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition (which has largely replaced retina), and odour/scent.

    Behavioral: related to the behavior of a person. Examples include, but are not limited to, typing rhythm, gait, and voice. Some researchers[1] have coined the term behaviometrics for this class of biometrics.

    Strictly speaking, voice is also a physiological trait because every person has a different vocal tract, but voice recognition is mainly based on the study of the way a person speaks, commonly classified as behavioral.

    It is possible to understand if a human characteristic can be used for biometrics in terms of the following parameters:[2]

    Universality: each person should have the characteristic.

    Uniqueness: how well the biometric separates individuals from one another.

    http://en.wikipedia.org/wiki/Intrinsichttp://en.wikipedia.org/wiki/Traitshttp://en.wikipedia.org/wiki/Computer_sciencehttp://en.wikipedia.org/wiki/Identity_access_managementhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Surveillancehttp://en.wikipedia.org/wiki/Wikipedia:Citation_neededhttp://en.wikipedia.org/wiki/Wikipedia:Citation_neededhttp://en.wikipedia.org/wiki/Fingerprinthttp://en.wikipedia.org/wiki/Facial_recognition_systemhttp://en.wikipedia.org/wiki/DNAhttp://en.wikipedia.org/wiki/Palm_printhttp://en.wikipedia.org/wiki/Iris_recognitionhttp://en.wikipedia.org/wiki/Iris_recognitionhttp://en.wikipedia.org/wiki/Retinal_scanhttp://en.wikipedia.org/wiki/Keystroke_dynamicshttp://en.wikipedia.org/wiki/Gait_analysishttp://en.wikipedia.org/wiki/Speaker_recognitionhttp://en.wikipedia.org/wiki/Biometrics#cite_note-0http://en.wikipedia.org/wiki/Vocal_tracthttp://en.wikipedia.org/wiki/Biometrics#cite_note-jain_short_article-1http://en.wikipedia.org/wiki/Intrinsichttp://en.wikipedia.org/wiki/Traitshttp://en.wikipedia.org/wiki/Computer_sciencehttp://en.wikipedia.org/wiki/Identity_access_managementhttp://en.wikipedia.org/wiki/Access_controlhttp://en.wikipedia.org/wiki/Surveillancehttp://en.wikipedia.org/wiki/Wikipedia:Citation_neededhttp://en.wikipedia.org/wiki/Fingerprinthttp://en.wikipedia.org/wiki/Facial_recognition_systemhttp://en.wikipedia.org/wiki/DNAhttp://en.wikipedia.org/wiki/Palm_printhttp://en.wikipedia.org/wiki/Iris_recognitionhttp://en.wikipedia.org/wiki/Iris_recognitionhttp://en.wikipedia.org/wiki/Retinal_scanhttp://en.wikipedia.org/wiki/Keystroke_dynamicshttp://en.wikipedia.org/wiki/Gait_analysishttp://en.wikipedia.org/wiki/Speaker_recognitionhttp://en.wikipedia.org/wiki/Biometrics#cite_note-0http://en.wikipedia.org/wiki/Vocal_tracthttp://en.wikipedia.org/wiki/Biometrics#cite_note-jain_short_article-1

    Permanence: how well a biometric resists aging and other variance over time.

    Collectability: ease of acquisition for measurement.

    Performance: accuracy, speed, and robustness of the technology used.

    Acceptability: degree of approval of a technology.

    Circumvention: ease of use of a substitute.

    A biometric system can operate in the following two modes:

    Verification: a one-to-one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be. Can be done in conjunction with a smart card, username or ID number.

    Identification: a one-to-many comparison of the captured biometric against a biometric database in an attempt to identify an unknown individual. The identification only succeeds in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold.

    The first time an individual uses a biometric system is called an enrollment. During the enrollment, biometric information from an individual is stored. In subsequent uses, biometric information is detected and compared with the information stored at the time of enrollment. Note that it is crucial that storage and retrieval of such systems themselves be secure if the biometric system is to be robust: unlike a password, a compromised biometric template cannot be changed. A biometric system is usually described as a pipeline of blocks. The first block (sensor) is the interface between the real world and the system; it has to acquire all the necessary data. Most of the time it is an image acquisition system, but it can change according to the characteristics desired. The second block performs all the necessary pre-processing: it has to remove artifacts from the sensor, enhance the input (e.g. removing background noise), apply some kind of normalization, etc. In the third block the necessary features are extracted. This step is important, as the correct features need to be extracted in the optimal way. A vector of numbers or an image with particular properties is used to create a template. A template is a synthesis of the relevant characteristics extracted from the source. Elements of the biometric measurement that are not used in the comparison algorithm are discarded in the template to reduce the file size and to protect the identity of the enrollee.

    If enrollment is being performed, the template is simply stored somewhere (on a card orwithin a database or both). If a matching phase is being performed, the obtained templateis passed to a matcher that compares it with other existing templates, estimating thedistance between them using any algorithm (e.g. Hamming distance). The matchingprogram will analyze the template with the input. This will then be output for anyspecified use or purpose (e.g. entrance in a restricted area).
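The enrollment, verification (1:1) and identification (1:N) modes described above, together with the threshold decision, can be made concrete with a small matcher. The following is an added example, not code from the original document or from any biometric product: it assumes templates are 64-bit strings (as iris codes are) compared by Hamming distance, and every template and sample in it is a constructed value rather than real sensor data. The `evaluate_threshold` function goes a little beyond the text by showing how moving the threshold trades false rejects against false accepts.

```python
"""Added example (not part of the original document): a minimal biometric
matcher showing the pipeline the text describes. Templates are modelled
as 64-bit strings (as iris codes are), compared by Hamming distance, and
the decision threshold is applied both in 1:1 verification and 1:N
identification. All templates and samples below are constructed; a real
system derives them from sensor data through feature extraction."""

TEMPLATE_BITS = 64


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def normalized_distance(a: int, b: int, bits: int = TEMPLATE_BITS) -> float:
    """Hamming distance scaled to [0, 1] so thresholds are size-independent."""
    return hamming_distance(a, b) / bits


class BiometricSystem:
    """Stores enrolled templates and decides matches against a threshold."""

    def __init__(self, threshold: float = 0.25):
        self.threshold = threshold      # largest normalized distance still accepted
        self.templates = {}             # identity -> enrolled template

    def enroll(self, identity: str, template: int) -> None:
        """Enrollment: store the template captured at first use."""
        self.templates[identity] = template

    def verify(self, claimed_identity: str, sample: int) -> bool:
        """Verification (1:1): does the sample match the claimed identity?"""
        stored = self.templates.get(claimed_identity)
        if stored is None:
            return False
        return normalized_distance(sample, stored) <= self.threshold

    def identify(self, sample: int):
        """Identification (1:N): closest enrolled identity, if within threshold."""
        best_identity, best_distance = None, None
        for identity, template in self.templates.items():
            d = normalized_distance(sample, template)
            if best_distance is None or d < best_distance:
                best_identity, best_distance = identity, d
        if best_identity is not None and best_distance <= self.threshold:
            return best_identity
        return None            # no enrolled template falls within the threshold


def evaluate_threshold(enrolled: int, genuine: list, impostor: list,
                       threshold: float, bits: int = TEMPLATE_BITS):
    """Estimate false-reject and false-accept rates for one threshold.

    genuine: samples that should match `enrolled`; impostor: samples that
    should not. Returns (FRR, FAR), the trade-off a deployment tunes."""
    rejects = sum(normalized_distance(s, enrolled, bits) > threshold for s in genuine)
    accepts = sum(normalized_distance(s, enrolled, bits) <= threshold for s in impostor)
    return rejects / len(genuine), accepts / len(impostor)


# Constructed 64-bit templates: ALICE and BOB differ in 32 of 64 bits.
ALICE_TEMPLATE = 0xA5A55A5AF00F0FF0
BOB_TEMPLATE = 0x0F0F0F0F0F0F0F0F

# Constructed samples for Alice with 2, 5 and 20 bits of sensor noise.
GENUINE_SAMPLES = [
    ALICE_TEMPLATE ^ 0x0000000100000100,
    ALICE_TEMPLATE ^ 0x0000001111000010,
    ALICE_TEMPLATE ^ 0x00000000000FFFFF,
]
# Constructed impostor samples: Bob, an all-ones code, and a look-alike
# that is 12 bits away from Alice.
IMPOSTOR_SAMPLES = [
    BOB_TEMPLATE,
    0xFFFFFFFFFFFFFFFF,
    ALICE_TEMPLATE ^ 0xFFF0000000000000,
]


if __name__ == "__main__":
    system = BiometricSystem(threshold=0.25)
    system.enroll("alice", ALICE_TEMPLATE)
    system.enroll("bob", BOB_TEMPLATE)
    print("verify alice (noisy sample):", system.verify("alice", GENUINE_SAMPLES[0]))
    print("verify alice with bob's data:", system.verify("alice", BOB_TEMPLATE))
    print("identify noisy sample:", system.identify(GENUINE_SAMPLES[0]))
    for t in (0.10, 0.25):
        frr, far = evaluate_threshold(ALICE_TEMPLATE, GENUINE_SAMPLES, IMPOSTOR_SAMPLES, t)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
```

With the constructed data, a threshold of 0.25 accepts the look-alike impostor (12 of 64 bits away) while a threshold of 0.10 rejects it at the same false-reject rate, which is exactly why the threshold is set per deployment rather than fixed by the algorithm. Note that the enrolled templates sit in a plain dictionary here; as the text says, a real system must protect that store, since a stolen template cannot be revoked the way a password can.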

    Payment Security:

    Summary

    Protect card details over the Internet, and make your customers feel secure.


Although it is perceived otherwise, transactions over the Internet are in fact safer than offline transactions.

    Three commonly used security measures are SSL, SET and PKI technology.

Protecting card details is the primary security risk with electronic transactions. Customers are very comfortable using cards in shops and over the phone despite the ever-present risk of details being copied or stolen. With payments over the Internet, there is more resistance towards disclosing card information.

While it is generally perceived that conducting credit/debit card transactions over the Internet is prone to insecurity and fraud, offline transactions, like landline-based telephone calls, can be less secure.

According to Forrester research, for every 1000 of transactions a company could lose 1 over the Internet compared to 25 offline as a result of fraud.

Perception can get in the way of fact. Both software and hardware companies have invested a great deal to further protect online data and build up customer confidence. Be aware of the security issue and help customers to feel at ease by telling them about the precautions you have taken. In the current Internet climate it is vitally important that you are not only secure but are seen to be secure.

Three of the best known options for the encryption and security of personal and card details are explained below. Almost every payment solution mentioned in this online payments tool includes this technology as standard. Online retailers will not need extra security measures if they use these market-tested and well-established products.

    Secure Socket Layer (SSL)

SSL allows traffic to be scrambled (or encrypted). The standard SSL developed by Netscape provides a high level of protection. The US government views encryption technology as munitions, so the only version of SSL available worldwide is the relatively weak 40-bit version. However, this version can protect against any casual attempt to decipher card details, as it takes over an hour to crack one message.

Browsers that support this feature show a dialogue box, a padlock in the bottom task bar, or a blue key (like Netscape Navigator) to indicate that a secure session is in progress.


    Secure Electronic Transaction (SET)

SET encrypts payment card transaction data and verifies that both parties in the transaction are genuine. SET, originally developed by Mastercard and Visa in collaboration with leading technology providers, has a large corporate backing and is perceived to be more secure as a result of its validation from card companies.

    Public Key Software Infrastructure (PKI)

PKI is similar to a bank's night safe in that many public keys can be used to deposit items into the safe, but only one private key, belonging to the bank, can make withdrawals.
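The night-safe analogy is the defining property of public-key encryption: anyone holding the public key can encrypt, and only the holder of the private key can decrypt. The following added example (not code from the original document or from any of the products it names) shows that property with textbook RSA. Every number in it is a constructed toy parameter, far too small for real use, and no padding is applied; production systems use keys of 2048 bits or more with OAEP padding from a vetted library. It relies on Python 3.8+ for the three-argument `pow` modular inverse.

```python
"""Added example (not from the original document): textbook RSA with
tiny, constructed primes to illustrate the night-safe analogy. Many
parties encrypt with the bank's public key; only the private key
recovers the plaintext. Toy parameters only: no padding, 12-bit modulus."""


def make_keypair(p: int, q: int, e: int = 17):
    """Derive an RSA key pair from two primes (constructed, toy-sized).

    Returns (public_key, private_key) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone with the public key can 'deposit': c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the private key can 'withdraw': m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


# Constructed toy parameters (the classic textbook pair: n = 3233, d = 2753).
PUBLIC_KEY, PRIVATE_KEY = make_keypair(61, 53)


def night_safe_demo(deposits):
    """Several depositors encrypt with the same public key; only the
    private key recovers the plaintexts. Returns (ciphertexts, recovered)."""
    ciphertexts = [encrypt(PUBLIC_KEY, m) for m in deposits]
    recovered = [decrypt(PRIVATE_KEY, c) for c in ciphertexts]
    return ciphertexts, recovered


if __name__ == "__main__":
    deposits = [65, 1234, 42]                     # constructed sample values
    ciphertexts, recovered = night_safe_demo(deposits)
    print("deposited:", deposits)
    print("in the safe:", ciphertexts)
    print("withdrawn with private key:", recovered)
    # Applying the public exponent to a ciphertext does not open the safe.
    print("attempt with public key:", decrypt(PUBLIC_KEY, ciphertexts[0]))
```

The last line of the demo applies the public exponent to a ciphertext and gets a different number back, which is the whole point of the analogy: possession of the deposit slot does not let a depositor open the safe. Unpadded RSA like this is deterministic (the same card number always yields the same ciphertext), one of the reasons real protocols such as SSL/TLS never use it raw.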

With these systems in place you will be able to demonstrate your concern for customer security.

ABCpayments.com is the most secure and trusted payment gateway in India that allows you to accept online bank transfers, credit cards and prepaid cash card payments from your customers. Some of our services include a free shopping cart and invoice management, and we provide a total end-to-end e-commerce solution.

    Why ABC Payments:

Internet Banking Outpacing Credit Cards in India

Financial transactions through online banking in India are expected to outpace credit card transactions in the forthcoming years.

ABCpayments offers your customers the benefit to transact through all major banks in India by bringing them on one common platform that offers one point of contact for all banking transactions.

1. All Cash Card companies integrated
2. Provides highest level of security
3. Multi currency support
4. Technical support

    Safety Knowhow

Always use a payment gateway that provides merchants with fast, reliable and secure passage for transaction data via a 128-bit Secure Sockets Layer (SSL) Internet Protocol (IP) connection, and effectively manages the complex routing of payment information to the appropriate credit card processors.


Online payment risk assessment:

Summary

How exposed are you to risk?

Your exposure to risk depends on charge-backs, forecast turnover, average transaction size, time from payment to order fulfillment, the length of your trading record, your business sector classification and how many safeguards you have in place.

You will need to pay for a bond, i.e. an insurance, to cover this risk. This could cost between 300-2000.

Exposure is the acquiring bank's estimate of the total risk you are exposed to at any one time, for instance, the number of sales open to refund over a given period. The bond is an amount of money, overdraft facility or insurance to cover any exposure. Your exposure level will also affect the charge bands offered to your business, i.e. monthly charges and transaction charges.

Acquiring banks calculate the exposure whether the Merchant Service provided is online or offline. The exposure level is calculated by examining the following elements of risk:

Charge-backs: the risk of refunds on your merchant account;

Forecast turnover figures: higher turnover can generate higher exposure;

Average transaction size: if you sell very high value items (diamonds, cars) this will influence the risk analysis of your business;

Time from payment to order fulfillment: the longer it takes to dispatch goods to a customer, the greater the risk of an order cancellation;

Length of trading record: a start-up company presents more risk than a well established business;

Business sector classification: different sectors have more or less risk associated with them (CDs can be resold but a flight needs the purchaser to turn up in person). Some banks have over 700 different business sector classifications.

Safeguards you have in place: security checks like verifying address details or phoning customers who place large or repeated orders will reduce the perceived risk.

The bond that may be introduced to underwrite the exposure level can range from 300-2000 (maybe even 0) for an average SME bond. Often the bond can be covered by a small increase to your overdraft facility and even some specialist insurance.

The level of bond required from your company depends on the factors above. For instance a travel company, where products are often purchased months prior to the fulfillment of the transaction, has a much higher exposure to charge-back than a product where fulfillment is immediate, or even prior to payment, for example a restaurant business, which will rarely have to lodge a bond.

The element of exposure will be an important factor for the retailer to consider when deciding which payment method to employ. The acquiring bank may require a bond to be lodged with them to cover the worst possible scenario of charge-backs or fraud.

Be aware of this area of merchant services and negotiate with your bank to establish a reasonable level of risk, or look at bureaus and alternative solutions to remove this cost from your payment solution.

Electronic Payment Application:

Summary

If you want to use Electronic payments you will need to undergo an application process.

Think about your average transaction value, transaction frequency, perceived security risk, exposure level, forecast turnover, online turnover, trading history and time from payment to order fulfillment.

    The diagnostic tool will help you.

Electronic payments are a financial process and your application will be checked thoroughly by the solution provider. The banks use the most rigid application procedures but other service providers will ask questions about your business to determine the price and products that suit you. Please register for free to use the e-payments comparison tool. This will give you a good starting point and allow you to shortlist potential solution providers for a detailed discussion. We would also recommend you look at the product information datasheets which are accessible from the tool, as all the contact or online application forms are linked from these pages.

Prepared data means a faster application process. Here is a list of criteria to consider:

Average transaction value: this is the normal size of transactions that go through your electronic payment system. There is a big difference between a £0.50 sale and a £2,500.00 sale, especially if your solution provider charges a commission based on a percentage of the transaction!

Transaction frequency: This determines what solution is best for the volume of transactions carried out; 100 x £10.00 transactions per month are very different from 10,000 x £30.00 transactions per month.

Perceived security risk: Most providers (especially banks) will place your business into a security classification when assessing your application. Easy to resell items like CDs and footballs then might fall into a lower risk category than a business selling, say, holidays where the customer has to turn up to take the holiday.

Exposure level: This reflects the perceived risk of refunds and fraud in your business; see the next few pages.

    Forecast turnover figures: This is an indication of your financial viability.

    Online turnover: Simply how much do you plan to make online!

Trading history: This will affect the trust the provider places in your business; if you are a newly started business you might find it harder to get some products, but the diagnostic tool will help you identify the alternatives.

Time from payment to order fulfillment: This is the period of time a customer has to become dissatisfied.

    These main points to consider are examined in the following pages.

The diagnostic tool also provides links and phone numbers for all the main UK electronic payment solution providers so you can progress your application.

    Payment Methods

Payment transfers may be completed by a variety of means. All of these payments are applicable to mainstream national currencies, but many of them also apply to the various local or community currencies (e.g. LETS, Ithaca HOURS, Time Dollars) as well.

We have classified the different payment mechanisms in five categories as follows:

1. ATM-model transactions, involving only a financial institution and an accountholder who either deposits or withdraws money from his/her account;
2. Unmediated Two-Party Payments: when the buyer and seller are the only two parties involved in the transaction--for instance, cash payments in national currency or Ithaca HOURS;
3. Mediated Three-Party Transactions: payments with credit or debit cards or with cheques fall in this category, as do most LETS and Time Dollar transactions;
4. Micropayments: until now only applicable in new forms of electronic payments where the service or information is metered out and charged on very small increments, e.g. traditional telephone charges, new automatic toll charges, and other digital cash applications; and
5. Anonymous digital cash: electronic encrypted currency, pioneered by David Chaum's Digicash, which ensures that--as with paper currency and coins--the privacy of the cash user remains protected.

Take a look at our payment method directories, each of which contains a brief (and impartial) description of all the possible variations on that particular method. And be sure to tell us if we missed one.

    ATM / Farecard Two-Party Payment Methods

NetFare is a farecard for making incremental payments for online purchases of information.


Mondex on the Internet aims to enable home downloading of debit cash cards, online micropayments, and more.

The Transactor MK2 provides an easy and convenient method of transferring value or information from one smart card to another, and will be used to enable community currency smartcards for use with LETS and other complementary currency systems.

Some companies list an 800 number on their web page for orders. Unfortunately, some imply that transactions over the internet aren't as safe as other transactions.

Ziplock will allow online vendors to provide customers key codes to their products only after payment has been verified.

I-Escrow will verify and set aside payment for online purchases until the buyer has received and approved the merchandise.

The Netcard project has gathered lots of information about ATMs and high speed networks, smartcards, and ATM security.

purchased Digicash in August, 1999, and now offers secure and anonymous cash-like electronic payments.

Atalla, recently purchased by Compaq, offers a variety of security hardware products, including smartcard systems.

    Unmediated Two-Party Payment Methods

Plenty of barter and service exchange networks are thriving on and off the net. To name a few:

o The International Reciprocal Trade Association aims to "advance the barter industry worldwide and raise barter's value to the business community and economy".
o Habitat For Humanity helps low-income families trade their "sweat equity" for affordable housing.
o The Global Village Bank facilitates the exchange of computer- and Internet-related services.
o The Global Resource Bank attempts to preserve shareholders' "natural capital".


    Mediated Three-Party Payment Methods

LETS is a model for community-building mutual credit systems. The LETSystems Home Page provides information on British applications of LETS, and the econ-lets mailing list site includes list archives. The latest word on multi-LETS can be found at LETSgo. We also maintain a directory of LETS resources to visit.

What are Time Dollars? The Time Dollar model was designed to keep track of--and thus encourage--community service and volunteer work, and has been successfully adapted for use in many communities. See The Time Dollar Institute page for more information.

Step into the lobby of Security First Network Bank, an internet savings bank.

If, for whatever reason, you can't conduct secure transactions online, you can always use toll-free or metered telephone calls to transfer or verify payments. For example, the Secure800 system generates a transaction number online but payment is transferred over the telephone.

    Credit Card-Related Online Payments

Some new (Fall 1999) free email-based payment systems, including PayPal/X.com and Flooz, bill the sender's credit card or bank account, or deduct the payment from an account prepaid by check or money order. PayPal recipients may receive payment by check, or have it directly deposited to a bank account; Flooz recipients may use their payments at certain online merchants.

1ClickCharge consumers download a "super-thin client" (wallet) and prepay for a block of micropurchases by credit card.

Other micropayment enterprises relying on third parties include:

o Trintech's NetWallet and ezCard aim to "provide consumers with simple and secure eCommerce payment instruments".
o Trivnet's WISP merchant server bills micropayments to the consumer's ISP account.
o iPIN also bills digital content purchases to the buyer's ISP account.
o QPass is another wallet-based system that bills the buyer's credit card for aggregated purchases.
o If you're running a Cybercash server, people can download a Cybercash wallet, and then send their credit card number encrypted safely over the internet. They also have a new micropayment system, Cybercoin, which we'll talk about in the micropayment section.
o IBM now offers micropayment wallets and servers.

Netscape offers a wide range of secure server products. Considering that they're the most predominant browser cruising the net, and that there's already seamless integration, this is an obvious, compelling solution, and helps enable a lot of other solutions.

Cybersource--led by the folks who brought you software.net--offers real-time credit card processing.

Open Market provides secure servers and other transaction software.

software (currently available only for PCs) will process transactions via credit card or ATM/debit card.

Outreach allows merchants to process credit card transactions online in real time.

Ziplock will allow online vendors to provide customers key codes to their products only after credit card payment has been verified.

The AuricWeb system allows ISPs to log online transactions just like other accountholder statistics.

CyBank adapts telephone billing models--prepaid cards and metered charges--to Internet purchases.

SecureProcess handles real-time Electronic Funds Transfers, ACH transactions, and credit card payments online.

Sales Associate will host and manage your "virtual storefront" for you.

eVend helps you handle your online credit-card authentication.

develops and markets real-time credit card payment servers.

The SET specification for encrypted electronic transaction data,

    develope