E-Commerce Glossary

Jun 18, 2008 in Banking and EFTPoS

Acquiring Institution
The which holds the partaking in a financial , typically the first involved in the of a .

Applet
A small computer program which facilitates the performance of particular tasks.

Bandwidth
The capacity of a to carry or process information. The higher the bandwidth the faster graphics-laden pages will download.

Browser
Short for browser, a software application used to locate and display pages. The two most popular browsers are Netscape Navigator and . Both of these are graphical browsers, which means that they can display graphics as well as . In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats.

Caching
The automatic copying and storage of frequently used information onto a computer system – Typically caching is seen whilst surfing the (graphics, etc.) and used by Services Providers (’s) to reduce the amount of requested from the user onto the .

Issuer
The which issued the cardholder’s and .

Cardholder
The individual participating in the financial whose is being credited or debited.


The additional information printed on the to be processed. This is used to verify if the was present when the was initiated.  This is the additional digits imprinted on the usually on the reverse side for & Mastercard and on the front for AMEX.

Certificate
An x.509 certificate used to entities such as Merchants and Gateways. Certificates can be used to identify and/or encrypt sensitive such as numbers and personal cardholder information.

CGI
Common Gateway : A protocol that allows a page to run a program on a . Forms, counters, and guest books are common examples of CGI programs.

Any piece of software can be a CGI program if it handles input and output according to the CGI standard. Usually a CGI program is a small program that takes from a and does with it, like putting the content of a form into an e-mail message, or turning the into a database query. CGI “scripts” are just scripts which use CGI. CGI is often confused with Perl, which is a programming language, while CGI is an to the from a particular program.

Client
A computer or software that requests a service of another computer system or process (a “”). For example, a workstation requesting the contents of a file from a file is a client of the file . A browser is commonly referred to as a client.

Clients and Servers
In general, all of the machines on the can be categorised as two types: servers and clients. Those machines that provide services (like servers or FTP servers) to other machines are servers. And the machines that are used to connect to those services are clients.

When you connect to Yahoo at www.google.com to read a page, Google is providing a machine (probably a cluster of very large machines), for use on the , to service your request. Google is providing a . Your machine, on the other hand, is probably providing no services to anyone else on the . Therefore, it is a user machine, also known as a client. It is possible and common for a machine to be both a and a client !

Cookie
A file sent by some servers to your computer’s hard drive to enable you to quickly and easily return to particular sites. Cookies give rise to concerns as they are often used to store information used for marketing purposes.

The main purpose of cookies is to identify users and possibly prepare customised pages for them. When you enter a site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your browser which stores it for later use. The next time you go to the same site, your browser will send the cookie to the . The can use this information to present you with custom pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it.

CRN
The Customer Receipt Number (CRN) is used to assist the holder, the gateway and the to confirm the has been processed and to track the throughout the end-to-end process. This is often used when making enquiries about a or for tracking.

Cybersquatting
Bad faith, abusive domain name registration. Cybersquatters register company and product names as domain names with a view to selling them at inflated prices to the “rightful” owners.

/CVC
The additional information printed on the to be processed. This is used to verify if the was present when the was initiated.  This is the additional digits imprinted on the usually on the reverse side for & Mastercard and on the front for AMEX.

Database
A collection of : part numbers, product codes, customer information, etc. It usually refers to organised and stored on a computer that can be searched and retrieved by a computer program.

Deep link
A hypertext link directly to a page, often bypassing home pages or other identifying pages.

Certificate
A pop up window that allows you to identify the level of used to secure a particular site.

Signature
A complex numeric “signature” designed to be used, in conjunction with special software, to the sender of a message and guarantee that the contents of the message have not been altered during to the recipient. The EU has adopted legislation which makes signatures legally valid. The Bill (Cth) 1999 has the same effect in .

Domain Name
The plain English name given to a host destination on the , for example, www.madrock.net. The suffix, dot.com is known as the generic top level domain, the prefix madrock. The domain name forms part of the Address or URL.

A name that identifies one or more IP addresses. For example, the domain name .com represents about a dozen IP addresses. Domain names are used in URLs to identify particular pages. For example, in the URL http://www.madrock.net, the domain name is madrock.net.

Download
To transfer information from one computer to your computer.

Dynamic page
A document that is created from a database in real-time or “on the fly” at the same time it is being viewed, providing a continuous flow of new information and giving visitors a new experience each time they visit the site.

Dynamic sites offer the user the ability to interact with the site. This interaction can take place in the form of a search for products, a questionnaire that automatically posts results or polls. Basically, dynamic pages and content are generated from the input of the user.

EC
.

Often referred to as simply e-, business that is conducted over the using any of the applications that rely on the , such as e-mail, instant messaging, shopping carts, services, and FTP, among others. can be between two businesses transmitting funds, goods, services and/or or between a business and a customer.

ECI
The Indicator (ECI), is used to determine the source of the original request. This is a program that the banks have developed and have mandated it’s use.

Interchange (EDI)
Systems set up by businesses, which facilitate the exchange of information.


The process of scrambling to prevent it being viewed by unauthorized persons.

Expiry Date
The date printed on the indicating when the will expire. Not to be confused with the issue date found on some cards.

Firewall
An barrier and/or traffic filter.

Forms
Forms are pages comprised of and “fields” for a user to fill in with information. They are an excellent way of collecting and information from people visiting a site, as well as allowing them to interact with pages. Forms are written in HTML and processed by CGI programs.

Frame
A means of dividing a screen into a number of compartments. Frames may give rise to legal disputes if sites created by third parties are framed as your own.

FTP servers
One of the oldest of the services, File Transfer Protocol makes it possible to move one or more files securely between computers while providing file and organisation as well as transfer control.

Fulfilment
1. Process of supplying goods after an order has been received.
2. Process of reacting to a customer’s request, covering everything that has to happen from the time the customer places an order until they are completely satisfied.

Host
Any computer on a that provides services or information to other computers on the . A host is also called a .


The software and/or business processes which combine the ’s (website, back office, etc.) order system with the System.

IP address
Every computer connected to the is assigned a unique number known as an Protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the .

Gateway
A system allowing incompatible computer networks to send and receive information.

HTML (Hypertext Markup Language)
Language used to translate documents into a form which can be sent over the .

Hyperlink
A highlighted phrase in a document which permits linking to another document or part of a document.

Content Host (ICH)
Those who host or propose to host content on the . Anybody who is responsible for a site, news group or bulletin board that contains articles, graphics or other content provided by others. The host may/may not also produce their own content and/or provide to the through a carriage service, ie they may also be an .

Service Provider ()
A company that provides an connection through some kind of carriage service, for example Sprint, Chello Broadband, Telstra Bigpond, Adam , Internode. ’s may/may not also be ICHs.

Mail servers
Almost as ubiquitous and crucial as servers, mail servers move and store mail over networks (via LANs and WANs) and across the .


This is an set up with a to process orders from customers.


The entity receiving payments for goods and/or services.


The ’s into which transactions are credited or debited.


The software installed on the ’s sites or back office system to enable real-time or batched of financial transactions.

Administrator
The individual(s) responsible for the maintenance of the , including issuing and importing certificates.

MTL
Layer (MTL)

PAN
Primary Number (PAN) is the number printed on the customers to reference the cardholder’s financial . This is typically the number.

Gateway
The Gateway provides a central point of contact/ switching with the for the software or devices. The Networks gateway provides advanced integrated , services (Mainframe, Mini, Windows, UNIX, OS400, Desktop/, PoS Terminals. Loyalty systems, etc.) and / customised solutions not offered by regional or global institutions.

An system for real-time charging of cards when a customer places an order. Normally requires a .

A common question from merchants is “Do we have to change banks to use gateways?”

The answer is NO!  - All you need to do is open a facility with one of the supported banks, Networks can ensure you open the correct one for your needs. The facility is then linked to a nominated for example: of New Zealand, ANZ, St George , NAB, Commonwealth, Westpac, of America, of Scotland, Barclay’s, of Queensland, etc. The is then transferred at the end of each day from your to your nominated .

“Pretty Good
A of program used to scramble .

Portal
A site that gathers together many sites under a common branding, for example, Yahoo and Excite.

Private key
The which permits information to be decoded in a public key system.

Public key
The which is used to send a secure message in a public key system.

Secure Certificate
A document that is used to certify that a user or organisation is who they say they are. They contain information about who it belongs to, who it was issued by, expiry date and information that can be used to check out the contents of the certificate. It is as an important part of the SSL system for establishing secure connections.


A computer that provides a service to other computers (known as clients) on a .

Shopping cart
A shopping cart is a piece of software that acts as an store’s catalogue and ordering process. Typically, a shopping cart is the between a company’s site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise.

Shopping carts can be sold as independent pieces of software so companies can integrate them into their own unique solution, or they can be offered as a feature from a service that will create and host a company’s e- site.

Spam
The use of email or newsgroups to send unsolicited information.

SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the . SSL works by using a private key to encrypt that’s transferred over the SSL connection. Both Netscape Navigator and SSL, and many sites use the protocol to obtain confidential user information, such as numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Letting your customers know that you have SSL gives your site credibility and may encourage customers to deal with you in confidence.

A protocol used to protect information - typically used between the cardholder’s browser and the ’s webserver and throughout the process. 128bit SSL is typical used as a minimum level within the & Financial industries.

A Secure uses an SSL certificate. It is generally a piece of space that can only be dealt with by using SSL ensuring that transferred between the space and the browser is encrypted.

Static page
In site terms, static means pages that are not interactive. Because the site visitor does not have any control over the information provided, the pages and information do not change with each visit. There is not a two-way communication between the user (client) and the site () in a static page.

Uniform Resource Locator (URL)
An address.

page
A specific group of related files on the , which is usually viewed as a single document.

servers
At its core, a serves static content to a browser by loading a file from a hard disk and serving it across the to a user’s browser. This entire exchange is mediated by the browser and talking to each other using HTTP.

site
A collection of pages stored on a file .

No Comments »

Bluetooth - Security

Mar 24, 2008 in Bluetooth

Redirected from Bluetooth

Source

1
2 Wireless- History
3 Wireless- Technologies
4 - Introduction
5 - Advantages
6 - Applications
7 - Issues
7.1 The
7.2 The
7.3 The BLUEBUG
7.4
7.5 Warnibbling
8 Future of
9 See also:
10 Reference List

is a new that utilises waves as a way to communicate wirelessly between devices. It sets up that incorporate all of a persons devices into one system for both convergence and convenience.

Wireless- History

Many people put the invention of [wireless] down to Guglielmo Marconi, who in 1895 sent the first telegraph across the English Channel. Only twelve years later began being used in the public sphere. [Mathias, p.2] Up until then however, many wireless pioneers conducted trials across lakes where the used to transmit the signal was longer than the distance across the lake. [Brodsky, p. 3] After its introduction the main use of wireless was for military where its first use was for the Boer War. [Flichy, p. 103] The invention of ensured the feasibility of wireless technologies. [Morrow, p. 2] By the 1920s, had become a well-recognised mass medium. [Flichy, p. 111] From the 1980s until now, wireless have been through several stages, from 1G (analogue signal), 2G ( signal) and 3G (always on, faster rate). [Lightman and Rojas, p. 3] The history of is a much more recent one, with the first -enabled products coming into existence in 2000. Named after Harald Blatand the first, king of Denmark around twelve hundred years ago, who joined the Danish and Norwegian kingdoms, is founded on this same unifying principle of being able to unite the computer and telecommunication industr[ies]. [Ganguli, p. 5] In 1994 the Company began looking into the idea of replacing cables connecting accessories to and computers with wireless links, and this became the main inspiration behind . [Morrow, p. 10]

Wireless- Technologies

is not the only wireless currently being developed and utilised. Other wireless technologies, including 802.11b, otherwise known as Wi-Fi, Infrared Association (IrDA), Ultra- Wideband (UWB), and Home RF are being applied to similar technologies that use with mixed results. 802.11 is the most well known , excluding , and uses the same , meaning that they are not compatible as they cause interference with each other. 802.11 is being implemented into universities in the US, Japan and China, as well as food and beverage shops where they are being used to identify students and customers. Even airports have taken up the 802.11 , with airports all over America, and three of Americas most prominent airlines promoting the use of it. [Lightman and Rojas, p. 202-3] Infrared Association is extremely inferior to that of . Its limitations include only being able to communicate point-to-point, needing a line of sight, and it has a speed of fifty- six kilobytes per second, whereas is one megabyte per second. [Ganguli, p. 17] The Ultra- Wideband is superior to that of in that it can transmit at greater lengths (up to 70 metres), with only half of the power that uses. [Ganguli, p.17] HomeRF is a that is not very well known. It is used for and voice communication and targeted for the residential market segment and does not serve - class WLANs, public systems or fixed wireless . [Ganguli, p.17-18]

- Introduction

is a short- range device that replaces cables with low power waves to connect devices, whether they are portable or fixed. The device also uses hopping to ensure a secure, quality link, and it uses ad hoc networks, meaning that it connects peer-to-peer. It can be operated worldwide and without a because it uses the unlicensed Industrial- Scientific Medical (ISM) band for that varies with a change in location. [Ganguli, p. 25-6] The user has the choice of point-to-point or point-to-multipoint links whereby communication can be held between two devices, or up to eight. [Ganguli, p. 96] When devices are communicating with each other they are known as piconets, and each device is designated as a master unit or slave unit, usually depending on who initiates the connection. However, both devices have the potential to be either a master or a slave. [Swaminatha and Elden, p. 49]

- Advantages

There are many advantages to using wireless technologies including the use of a , the inexpensive cost of the device, replacing tedious cable connections, the low power use and implemented measures. The use of an unlicensed ensures that users do not need to gain a license in order to use it. Unlike Infrared which needs to have a line of sight in order to work, waves are omnidirectional and do not need a clear path. The device itself is relatively cheap and easy to use, one can be bought for around ten American dollars, and this price is currently decreasing. Compare this to the expensive cost of implementing hundreds of cables and wires into an office and there is no competition. Of course, this is the main reason for the take -up in -enabled devices; it does away with cables. Another of Bluetooths advantages is its low power use, ensuring that battery operated devices such as and personal assistants wont have their battery life drained with the use of it. This low power consumption also guarantees minimal interruption from other operated and wireless devices that operate at a higher power. has several enabled measures that ensures a level of and , including hopping, whereby the device changes sixteen hundred times per second. Also within the tools are and that guarantee little interference by unauthorised hackers. [Ganguli, p. 330] One of the best advantages of devices, especially the hands free device that connects to a mobile , is that it removes from the brain region. [Tsang, p.1]

- Applications

The applications that are in or current use for the include such areas as automotive, medical, industrial equipment, output equipment, -still cameras, computers, and systems. [Lightman and Rojas, p. 201] is an ad hoc user, and therefore it may be used for social networking, i.e. people can meet and share files or link their devices together to play games or other such activities. [Smyth, p. 70] Using , a mobile can become a three- way , where at home it connects to a landline for cheaper calls, on the move it acts as a mobile and when it comes in contact with another -enabled it acts as a walkie- talkie. This walkie- talkie option allows for free interaction and communication, as is not connected to any telecommunications . [Gupta, p.1] also allows automatic synchronization of your desktop, mobile computer, notebook and your mobile for the user to have all of their managed as one. [Gupta, p.1]

- Issues

has several which range in level of risk and how widespread the action is. These have the ability to provide criminals with sensitive information on both and personal levels. The only way to avoid such is for manufacturers, distributors, and consumers to be provided with more information on how they are committed, current activity and how to combat them. This information can be used on a level for manufacturers, it can be used by distributors at retail levels to teach consumers the risks and it can be used directly by consumers to be aware of the . The outcome of such research will allow end users of products to have an upper hand in this wireless warfare. is in early stages with regards to both the attackers, their techniques and consumers understanding of these attacks. Some research has been conducted into what the attackers are doing and how they do it. Adam Laurie of A.L Ltd http://www.thebunker.net/release-bluestumbler.htm is leading the research race in and is often linked to academic resources. Laurie’s research has uncovered the following capabilities of attacks:

  • Confidential such as the entire book, calender and the ’s IMEI.
  • Complete memory contents of some can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list.
  • can be gained to the AT command set of the device, giving full to the higher level commands and channels, such as , voice and messaging.

Attacks on devices at this stage are relatively new to consumers, and therefore are not widely seen as a real . Attacks such as the Bluejack are probably more recognised by consumers due to its perceived humorous and novelty nature as well as the ease to Bluejack someone. Users who allow their to be Bluejacked open the door to more attacks, such as the which have a low level of awareness amongst consumers as attackers can attach to the device with out the users knowledge. Corporations are starting to understand the risks devices pose, Michael Ciarochi (in Brewin 2004) stated that ‘ radios were included in laptop PCs that were being configured by an IT Engineer. It raises the possibility of opening a wireless back door into stored on the PCs. Such a weakness would be extremely attractive to hackers. Although invites hackers to such attacks; Venders are playing down the risks, Brewin (2004) said that ‘ advocates last week dismissed growing fears about the short-range wireless , saying any flaws are limited to a few mobile- models. They also detailed steps that users can take to secure devices’. There are many methods of attacks, the , the , Bluebug, Bluejack and Warnibbling are the only recognised attacks at this early stage. Below are explanations of such attacks.

The

It is possible for attackers to connect to the device without alerting the user, once in the system sensitive can be retrieved, such as the book, business cards, images, messages and voice messages.

http://www.salzburgresearch.at/research/gfx/bluesnarf_cebit2004.pdf

Local Copy: BlueSnarf_CeBIT2004.pdf

The

The is a higher concern for users; it allows attackers to establishing a trust relationship through the “pairing” mechanism, but ensuring that the user can not see the target’s register of paired devices. In doing this attackers have to all the on the device, as well as to use the modem or ; WAP and GPRS gateways may be accessed without the owner’s knowledge or consent.

The BLUEBUG

This gives to the AT command set, in other words it allows the attacker to make premium priced calls, allows the use of , or connection the . Attackers can not only use the device for such fraudulent exercises it also allows theft to impersonate the user.

Dibble (2004) explained that ‘Just as was spawned, there’s a new craze that’s spreading across parts of Europe. Reportedly, it’s more prominent in the UK, but popular elsewhere too’. allows attackers to send messages to strangers in public via . When the phones ‘pair’ the attacked can write a message to the user. Although it may seem harmless at first, there is a downside. Once connected the attacker may then have to any on the users device, which has obvious concerns. Powell (2004: 22) explained that ‘Users can refuse any incoming message or , so Bluejackers change their username to a short barb or compliment to beat you to the punch. For example, you might receive along the lines of “Incoming message from: Dude, you’ve been Bluejacked.” Or, “Incoming message from: ROI is overrated.” is regarded as a smaller to as users being attacked are aware they have been Bluejacked. This does not mean however that they are aware that sensitive information is being accessed and used in a malicious manner.

http://www.bluejackq.com/

Warnibbling

Warnibbling is a using Redfang, or similar software that allows hackers to reveal or personal sensitive information. Redfang allows hackers to find devices in the area, once found, the software takes you through the process of accessing any that is stored on that device. Redfang also allows non-discoverable devices to be found. Whitehouse explains when testing Redfang ‘One of the first obstacles we had to overcome was the discovery of non-discoverable devices (it was surprising to see the number of devices that dont by default implement this measure)’. http://www.atstake.com/research/reports/acrobat/atstake_war_nibbling.pdf

Future of

Further information, and somewhat speculation is required for consumers and stakeholders on the future of . Such information will provide a clearer understanding of why of must be improved. Luo and Lee (2004) provide a short term prediction of where is heading, Europe and Asian countries already offer newspapers, subway tickets, and car parking fees via wireless devices. Collins (2003) says that devices ‘appear to be more secure than 802.11 wireless LANs. However, this situation may not last, as the becomes more widespread and attracts greater interest from the community’.

http://www.arraydev.com/commerce/jibc/0402-10.htm

See also:

Reference List

Erin Watson 08:47, 8 Sep 2004 (EST) –nhenzell 12:30, 8 Sep 2004 (EST)

No Comments »

Serious flaws in bluetooth security lead to disclosure of personal data

Mar 24, 2008 in Bluetooth

source

Summary
In November 2003, Adam Laurie of A.L. Ltd. discovered that there are flaws in the and/or transfer on some enabled devices. Specifically, three have been found:

Firstly, confidential can be obtained, anonymously, and without the owner’s knowledge or consent, from some enabled . This includes, at least, the entire book and calendar, and the ’s IMEI.

Secondly, it has been found that the complete memory contents of some can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list. This includes not only the phonebook and calendar, but media files such as pictures and messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, can be gained to the AT command set of the device, giving full to the higher level commands and channels, such as , voice and messaging. This third was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this .

Finally, the current trend for “” is promoting an which puts consumer devices at greater risk from the above attacks.

The