Teaching Security Techniques in an E-Commerce Course

Journal of Information Systems Education, Spring 2006, by Chang Liu and Brian G. Mackie

4.2 Security in the Online Sales Phase

The next area to be handled was security within the online sales phase. Research was presented showing that as the number of businesses using EC applications has increased, so has the level of concern about consumer privacy. This concern will become even more pronounced as more customers engage in EC activities that collect personal and financial information. According to the Federal Trade Commission (FTC), protecting consumers' privacy is an important aspect of ensuring data security in online sales activities (FTC Congress Report, 2000). To show the importance of addressing privacy concerns in an EC application design, the students were asked to research and write their own privacy policies that they felt could ease customers' privacy concerns. The students also explored several seal programs such as TRUSTe (http://www.truste.org/) and BBBOnLine (http://www.bbbonline.org/). They found that the seal programs require their licensees to abide by posted privacy policies and to submit to various types of compliance monitoring in order to be allowed to display a seal of trust on their web sites. For example, all privacy seal programs require posting notice and disclosure of the collection and use of personally identifiable information. In addition, web sites should give customers choice and consent over how their information may be used and shared. It is very important to incorporate these privacy dimensions into an EC application design in the online sales phase.

The course showed how to use ASP.NET for input validation, data encryption, and secure data connections within the online sales phase of an EC application. Figure 3 shows a web page used in the course for the secure data connection, data encryption, and input validation hands-on activities.

When customers submit their financial and personal information to a web site, the data travels from the browser to the company's web server, and while it crosses the Internet it can be intercepted and read by unauthorized persons. The proper solution is to encrypt the data before it is sent. One hands-on exercise in the course applied the MD5 hash algorithm to credit card information before it was passed from the browser to the server, with the intent of decoding it again before it was stored in a database table. Strictly speaking, MD5 is a one-way hash function, not a cipher: a digest cannot be reversed to recover the card number, so a server that receives only the digest cannot later charge the card, and because the issuer prefix and last four digits of a card are commonly known, the remaining digits can simply be enumerated and hashed, so an unsalted hash offers little confidentiality in any case. Reversible protection of data in transit is the job of a transport-layer protocol, and the students learned how the Secure Sockets Layer (SSL) is used to encrypt sensitive information between the browser and the server. Because this course dealt with application design, the authors presented the process to install Certificate Services on a Microsoft Windows Server 2003 system, generate a certificate request file, issue a certificate, and then install the server-side certificate by using the Internet Information Services (IIS) Manager.
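The following is an added example, not code from the article or from the course it describes, showing why an MD5 digest is not a substitute for encryption of card data. It uses only the Python standard library; the card number is the well-known test number 4111111111111111 (constructed input, not a real account), and the functions `md5_hex`, `luhn_valid` and `recover_pan` are names chosen here. The demo leaves a four-digit gap so it runs instantly; an attacker facing the realistic six-digit gap between issuer prefix and last four digits needs only a million guesses.

```python
# Added example (not from the original article): why hashing card data is not
# encryption. Standard library only; the card number is the public test
# number 4111111111111111, not a real account.
import hashlib
import itertools


def md5_hex(value: str) -> str:
    """Unsalted MD5 digest, as a student might apply it to a card number."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; every genuine card number passes it."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def recover_pan(digest: str, known_prefix: str, known_suffix: str, length: int = 16):
    """Recover the card number behind an unsalted MD5 digest by enumeration.

    A hash has no 'decrypt'; the attacker instead guesses inputs. Receipts
    and web pages routinely reveal the issuer prefix and the last four
    digits, so only the middle digits must be guessed. Candidates that fail
    the Luhn check are skipped before hashing. Returns None if nothing
    matches.
    """
    gap = length - len(known_prefix) - len(known_suffix)
    for middle in itertools.product("0123456789", repeat=gap):
        candidate = known_prefix + "".join(middle) + known_suffix
        if luhn_valid(candidate) and md5_hex(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number
    digest = md5_hex(pan)
    # The server holds only the digest: it cannot turn this back into a PAN
    # to submit a charge, so the "decode before storing" step cannot exist.
    print("digest the server would store:", digest)
    # Yet anyone who knows eight leading digits and the last four recovers
    # the full number in at most ten thousand guesses.
    print("recovered from digest:", recover_pan(digest, "41111111", "1111"))
```

The two halves of the demonstration are the point: the legitimate server cannot reverse the digest, while an attacker with a small search space can. Confidentiality in transit comes from SSL/TLS, and any card data the server must keep has to be protected with a reversible cipher under managed keys, or, better, replaced by a token from the payment processor.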

4.3 Security in the After-Sales Phase

In the after-sales phase, the course focused on secure access to the data collected from customers by an EC application. Hands-on activities centered on authentication and authorization techniques that allow customers to securely view or update the personal and financial information they submitted to a corporate web site. For example, the course explored the SQL injection attack shown in Figure 4. In this type of attack the intruder passes malicious SQL code into an application in an attempt to discover rights, passwords, and information about the data and the design of the back-end database. The students learned about using validation controls to reject certain characters such as " ' " and "-" and about implementing SQL stored procedures to reduce exposure to this type of attack. Two caveats apply: rejecting individual characters is a blacklist, and a payload injected into a numeric context (for example an order number) needs neither a quote nor a dash; and a stored procedure only helps when it is invoked with bound parameters rather than by concatenating user input into a dynamic SQL string. The general defense is the parameterized query, which ASP.NET supports through SqlCommand parameters, so that user input is always treated as a value and never as part of the SQL statement.
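The following is an added example, not code from the article or the course, that reproduces the attack of Figure 4 and both defenses in Python's standard sqlite3 module rather than ASP.NET, so it runs offline; the customer and order rows are constructed sample data, and all function names are chosen here. It goes one step beyond the text by showing a payload that passes the quote-and-dash filter unchanged.

```python
# Added example (not from the original article): the SQL injection the course
# demonstrated in ASP.NET, reproduced with Python's standard sqlite3 module.
# Customers and orders are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [("alice", "s3cret", "1111"), ("bob", "hunter2", "2222")])
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: the user's text becomes part of the SQL statement."""
    sql = ("SELECT username, card_last4 FROM customers WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Bound parameters: the user's text is passed as a value, never parsed as SQL."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def strip_blacklist(text):
    """The character filter described in the course: drop ' and -."""
    return text.replace("'", "").replace("-", "")


def order_lookup_vulnerable(conn, order_id):
    """A numeric context needs no quote at all, so the blacklist never triggers."""
    sql = "SELECT id, username FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def order_lookup_parameterized(conn, order_id):
    """Same query with the id bound; '1 OR 1=1' is just a value that matches nothing."""
    sql = "SELECT id, username FROM orders WHERE id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology in the password field: the concatenated query
    # returns every customer's row.
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))
    # The same input bound as a parameter matches no row.
    print(login_parameterized(conn, "alice", "' OR '1'='1"))
    # A payload with neither quote nor dash survives the filter untouched...
    payload = strip_blacklist("1 OR 1=1")
    print(order_lookup_vulnerable(conn, payload))      # ...and returns both orders
    print(order_lookup_parameterized(conn, payload))   # while the bound query returns nothing
```

The ASP.NET equivalent of `login_parameterized` is a SqlCommand whose text contains `@username` and `@password` placeholders populated through `cmd.Parameters`; the principle is the same in every data access API.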


 
