Be sure to test your site in a number of browsers and operating systems. If the site does not work for a popular browser or operating system, you will look unprofessional and lose a section of your potential market.
If your site is already operating, your Web server logs can tell you what browsers your visitors are using. As a rule of thumb, if you test your site in the last two versions of Microsoft Internet Explorer and Netscape Navigator on a PC running Microsoft Windows, the last two versions of Netscape Navigator on an Apple Mac, the current version of Netscape Navigator on Linux, and a text-only browser such as Lynx, you will be visible to the majority of users.
Try to avoid features and facilities that are brand-new, unless you are willing to write and maintain multiple versions of the site.
Providing Services and Digital Goods
Many products or services can be sold over the Web and delivered to the customer via a courier. Some services can be delivered immediately online. If a service or good can be transmitted to a modem, it can be ordered, paid for, and delivered instantly, without human interaction.
The most obvious service provided this way is information. Sometimes the information is entirely free or supported by advertising. Some information is provided via subscription or paid for on an individual basis.
Digital goods include e-books and music in electronic formats such as MP3. Stock library images can be digitized and downloaded. Computer software does not always need to be on a CD, inside shrink-wrap. It can be downloaded directly.
Services that can be sold this way include Internet access or Web hosting, and some professional services that can be replaced by an expert system.
If you are going to physically ship an item that was ordered from your Web site, you have both advantages and disadvantages over digital goods and services.
Shipping a physical item costs money. Digital downloads are nearly free. This means that if you have something that can be duplicated and sold digitally, the cost to you is very similar whether you sell one item or one thousand items. Of course, there are limits to this: if you have a sufficient level of sales and traffic, you will need to invest in more hardware or bandwidth.
Digital products or services can be easy to sell as impulse purchases. If a person orders a physical item, it will be a day or more before it reaches her. Downloads are usually measured in seconds or minutes. Immediacy can be a burden on merchants. If you are delivering a purchase digitally, you need to do it immediately. You cannot manually oversee the process, or spread peaks of activity through the day. Immediate delivery systems are therefore more open to fraud and are more of a burden on computer resources.
Digital goods and services are ideal for e-commerce, but obviously only a limited range of goods and services can be delivered this way.
Adding Value to Goods or Services
Some successful areas of commercial Web sites do not actually sell any goods or services. Services such as the parcel tracking offered by courier companies (UPS at www.ups.com or FedEx at www.fedex.com) are not generally designed to directly make a profit. They add value to the existing services offered by the organization. Allowing customers to track their parcels or bank balances can give the company a competitive advantage.
Support forums also fall into this category. There are sound commercial reasons for giving customers a discussion area to share troubleshooting tips about your company's products. Customers might be able to solve their problems by looking at solutions given to others, international customers can get support without paying for long distance phone calls, and customers might be able to answer one another's questions outside your office hours. Providing support in this way can increase your customers' satisfaction at a low cost.
Cutting Costs
One popular use of the Internet is to cut costs. Savings could result from distributing information online, facilitating communication, replacing services, or centralizing operations.

If you currently provide information to a large number of people, you could possibly do the same thing more economically via a Web site. Whether you are providing price lists, a catalog, documented procedures, specifications, or something else, it could be cheaper to make the same information available on the Web instead of printing and delivering paper copies. This is particularly true for information that changes regularly.

The Internet can save you money by facilitating communication. Whether this means that tenders can be widely distributed and rapidly replied to, or whether it means that customers can communicate directly with a wholesaler or manufacturer, eliminating middlemen, the result is the same. Prices can come down, or profits can go up.
Replacing services that cost money to run with an electronic version can cut costs. A brave example is Egghead.com. They chose to close their chain of computer stores, and concentrate on their e-commerce activities. Although building a significant e-commerce site obviously costs money, a chain of more than 70 retail stores has much higher ongoing costs. Replacing an existing service comes with risks. At the very least, you will lose customers who do not use the Internet.
Centralization can cut costs. If you have numerous physical sites, you need to pay numerous rents and overheads, staff at all of them, and the costs of maintaining inventory at each. An Internet business can be in one location, but be accessible all over the world.
Risks and Threats
Every business faces risks: competitors, theft, fickle public preferences, and natural disasters, among others. The list is endless. However, many of the risks that e-commerce companies face are either less of a risk, or not relevant, to other ventures. These risks include
• Crackers
• Failing to attract sufficient business
• Computer hardware failure
• Power, communication, or network failures
• Reliance on shipping services
• Extensive competition
• Software errors
• Evolving governmental policies and taxes
• System-capacity limits
Crackers
The best-publicized threat to e-commerce comes from malicious computer users known as crackers. All businesses run the risk of becoming targets of criminals, but high-profile e-commerce businesses are bound to attract the attention of crackers with varying intentions and abilities.
Crackers might attack for the challenge, for notoriety, to sabotage your site, to steal money, or to gain free goods or services.
Securing your site involves a combination of
• Keeping backups of important information
• Having hiring policies that attract honest staff and keep them loyal—the most dangerous attacks can come from within
• Taking software-based precautions, such as choosing secure software and keeping it up-to-date
• Training staff to identify targets and weaknesses
• Auditing and logging to detect break-ins or attempted break-ins
Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software. A few sensible precautions can turn away nonexpert attacks and ensure that you have a backup if the worst happens.
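As an added example that is not from the book, the following Python script parses Web server access log lines in the Apache "combined" format and answers two of the questions raised in this chapter: which browsers your visitors actually use (the survey suggested earlier), and whether the log shows attempted break-ins (the auditing and logging point in the list above). The log lines, addresses and the failure threshold are constructed for illustration, and the browser classifier is deliberately small; extend it to match what your own logs contain.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Request paths that legitimate visitors to a typical site never send.
SUSPICIOUS_PATH = re.compile(r"(\.\./|%2e%2e|/etc/passwd|<script)", re.IGNORECASE)

# Constructed sample log (documentation address ranges, not from any real server).
# The last line is deliberately malformed to show how bad lines are handled.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2000:13:55:36 +0000] "GET /index.php HTTP/1.0" 200 2326 "-" "Mozilla/4.7 [en] (WinNT; I)"
192.0.2.10 - - [10/Mar/2000:13:55:40 +0000] "GET /catalog.php HTTP/1.0" 200 5120 "http://www.example.com/index.php" "Mozilla/4.7 [en] (WinNT; I)"
192.0.2.22 - - [10/Mar/2000:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.22 - - [10/Mar/2000:13:56:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 842 "http://www.example.com/index.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2000:13:57:15 +0000] "GET /index.php HTTP/1.0" 200 2326 "-" "Lynx/2.8.3rel.1 libwww-FM/2.14"
203.0.113.5 - admin [10/Mar/2000:14:01:11 +0000] "GET /admin/ HTTP/1.0" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
203.0.113.5 - admin [10/Mar/2000:14:01:13 +0000] "GET /admin/ HTTP/1.0" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
203.0.113.5 - admin [10/Mar/2000:14:01:14 +0000] "GET /admin/ HTTP/1.0" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
203.0.113.5 - - [10/Mar/2000:14:01:20 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.0" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
203.0.113.5 - - [10/Mar/2000:14:01:25 +0000] "GET /images/../../../etc/passwd HTTP/1.0" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
this line is not in combined log format
"""


def parse_log(text):
    """Return (entries, unparsed_lines). Lines that do not parse are reported, not silently dropped."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, unparsed


def browser_family(agent):
    """Small classifier for the browsers this chapter names; extend it to suit your own logs."""
    if "MSIE" in agent:
        return "Internet Explorer"
    if agent.startswith("Lynx/"):
        return "Lynx"
    if agent.startswith("Mozilla/") and "compatible" not in agent:
        return "Netscape Navigator"
    return "Other"


def browser_share(entries, per_client=False):
    """Requests per browser family, or with per_client=True each (ip, agent) pair counted once,
    which stops one heavy user from skewing the survey."""
    counts, seen = Counter(), set()
    for e in entries:
        key = (e["ip"], e["agent"])
        if per_client:
            if key in seen:
                continue
            seen.add(key)
        counts[browser_family(e["agent"])] += 1
    return counts


def suspicious_clients(entries, auth_failure_threshold=3):
    """Flag clients with repeated authentication failures or attack-like request paths."""
    auth_failures = Counter()
    findings = defaultdict(list)
    for e in entries:
        if e["status"] in (401, 403):
            auth_failures[e["ip"]] += 1
        if SUSPICIOUS_PATH.search(e["path"]):
            findings[e["ip"]].append("suspicious path: " + e["path"])
    for ip, n in auth_failures.items():
        if n >= auth_failure_threshold:
            findings[ip].append("%d authentication failures" % n)
    return dict(findings)


if __name__ == "__main__":
    entries, unparsed = parse_log(SAMPLE_LOG)
    print("parsed %d lines, %d unparsed" % (len(entries), len(unparsed)))
    for family, n in browser_share(entries, per_client=True).most_common():
        print("%-20s %d clients" % (family, n))
    for ip, reasons in suspicious_clients(entries).items():
        print(ip, "->", "; ".join(reasons))
```

Note that a suspicious request that returned 200 (the first traversal attempt above) is the one worth chasing first: a 400 or 404 means the server refused, a 200 means you need to find out what was actually sent back.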
Failing to Attract Sufficient Business
Although attacks by crackers are widely feared, most e-commerce failures relate to traditional economic factors. It costs a lot of money to build and market a major e-commerce site. Companies are willing to lose money in the short term, based on assumptions that after the brand is established in the marketplace, customer numbers and revenue will increase.
At the time of writing, Amazon.com, arguably the Web's best-known retailer, has traded at a loss for five consecutive years, losing $99 million (U.S.) in the first quarter of 2000. The string of high-profile failures includes European boo.com, which ran out of money and changed hands after burning $120 million in six months. It was not that Boo did not make sales; it was just that they spent far more than they made.
Computer Hardware Failure
It almost goes without saying that if your business relies on a Web site, the failure of a critical part of one of your computers will have an impact.
Busy or crucial Web sites justify having multiple redundant systems so that the failure of one does not affect the operation of the whole system. As with all threats, you need to determine whether the chance of losing your Web site for a day while waiting for parts or repairs justifies the expense of redundant equipment.
Power, Communication, Network, or Shipping Failures
If you rely on the Internet, you are relying on a complex mesh of service providers. If your connection to the rest of the world fails, you can do little other than wait for your supplier to reinstate service. The same goes for interruptions to power service, and strikes or other stoppages by your delivery company.
Depending on your budget, you might choose to maintain multiple services from different providers. This will cost you more, but will mean that, if one of your providers fails, you will still have another. Brief power failures can be overcome by investing in an uninterruptible power supply.
Extensive Competition
If you are opening a retail outlet on a street corner, you will probably be able to make a pretty accurate survey of the competitive landscape. Your competitors will primarily be businesses that sell similar things in surrounding areas. New competitors will open occasionally. With e-commerce, the terrain is less certain.
Depending on shipping costs, your competitors could be anywhere in the world, and subject to different currency fluctuations and labor costs. The Internet is fiercely competitive and evolving rapidly. If you are competing in a popular category, new competitors can appear every day.
There is little that you can do to eliminate the risk of competition, but, by staying abreast of developments, you can ensure that your venture remains competitive.
Software Errors
When your business relies on software, you are vulnerable to errors in that software.
You can reduce the likelihood of critical errors by selecting software that is reliable, allowing sufficient time to test after changing parts of your system, having a formal testing process, and not allowing changes to be made on your live system without testing elsewhere first.
You can reduce the severity of outcomes by having up-to-date backups of all your data, keeping known working software configurations when making a change, and monitoring system operation to quickly detect problems.
Evolving Governmental Policies and Taxes
Depending on where you live, legislation relating to Internet-based businesses might be nonexistent, in the pipeline, or immature. This is unlikely to last. Some business models might be threatened, regulated, or eliminated by future legislation. Taxes might be added.
You cannot avoid these issues. The only way to deal with them is to keep up-to-date with what is happening and keep your site in line with the legislation. You might want to consider joining any appropriate lobby groups as issues arise.
System Capacity Limits
One thing to bear in mind when designing your system is growth. Your system will hopefully get busier and busier. It should be designed in such a way that it will scale to cope with demand.
For limited growth, you can increase capacity by simply buying faster hardware. There is a limit to how fast a computer you can buy. Is your software written so that after you reach this point, you can separate parts of it to share the load on multiple systems? Can your database handle multiple concurrent requests from different machines?
Few systems cope with massive growth effortlessly, but if you design with scalability in mind, you should be able to identify and eliminate bottlenecks as your customer base grows.
Deciding on a Strategy
Some people believe that the Internet changes too fast to allow effective planning. We would argue that it is this very changeability that makes planning crucial. Without setting goals and deciding on a strategy, you will be left reacting to changes as they occur, rather than being able to act in anticipation of change.
Having examined some of the typical goals for a commercial Web site, and some of the main threats, you hopefully have some strategies for your own.
Your strategy will need to identify a business model. The model will usually be something that has been shown to work elsewhere, but is sometimes a new idea that you have faith in. Will you adapt your existing business model to the Web, mimic an existing competitor, or aggressively create a pioneering service?
Next
In the next chapter, we will look specifically at security for e-commerce, providing an overview of security terms, threats, and techniques.
13
E-commerce Security Issues
This chapter discusses the role of security in e-commerce. We will discuss who might be interested in your information and how they might try to obtain it, the principles involved in creating a policy to avoid these kinds of problems, and some of the technologies available for safeguarding the security of a Web site, including encryption, authentication, and tracking. Topics include
• How important is your information?
• Security threats
• Creating a security policy
• Balancing usability, performance, cost, and security
• Authentication principles
• Using authentication
• Encryption basics
• Private Key encryption
• Public Key encryption
• Digital signatures
• Digital certificates
• Secure Web servers
• Auditing and logging
• Firewalls
• Backing up data
• Physical security
How Important Is Your Information?
When considering security, the first thing you need to evaluate is the importance of what you are protecting. You need to consider its importance both to you and to potential crackers.
It might be tempting to believe that the highest possible level of security is required for all sites at all times, but protection comes at a cost. Before deciding how much effort or expense your security warrants, you need to decide how much your information is worth.
The value of the information stored on the computer of a hobby user, a business, a bank, and a military organization obviously varies. The lengths to which an attacker would be likely to go in order to obtain access to that information vary similarly. How attractive would the contents of your machines be to a malicious visitor?
Hobby users will probably have limited time to learn about or work towards securing their systems. Given that information stored on their machines is likely to be of limited value to anyone other than its owner, attacks are likely to be infrequent and involve limited effort. However, all network computer users should take sensible precautions. Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems.
Military computers are an obvious target for both individuals and foreign governments. As attacking governments might have extensive resources, it would be wise to invest personnel and other resources to ensure that all practical precautions are taken in this domain.
If you are responsible for an e-commerce site, its attractiveness to crackers presumably falls somewhere between these two extremes.
Security Threats
What is at risk on your site? What threats are out there?
We discussed some of the threats to an e-commerce business in Chapter 12, "Running an E-commerce Site." Many of these relate to security.
Depending on your Web site, security threats might include
• Exposure of confidential data
• Loss or destruction of data
• Modification of data
• Denial of service
• Errors in software
• Repudiation

Let's run through each of these threats.
Exposure of Confidential Data
Data stored on your computers, or being transmitted to or from your computers, might be confidential. It might be information that only certain people are intended to see, such as wholesale price lists. It might be confidential information provided by a customer, such as his password, contact details, and credit card number.
Hopefully you are not storing information on your Web server that you do not intend anyone to see. A Web server is the wrong place for secret information. If you were storing your payroll records or your plan for world domination on a computer, you would be wise to use a computer other than your Web server. The Web server is inherently a publicly accessible machine, and should only contain information that either needs to be provided to the public or has recently been collected from the public.
To reduce the risk of exposure, you need to limit the methods by which information can be accessed and limit the people who can access it. This involves designing with security in mind, configuring your server and software properly, programming carefully, testing thoroughly, removing unnecessary services from the Web server, and requiring authentication.
Design, configure, code, and test carefully to reduce the risk of a successful criminal attack and, equally important, to reduce the chance that an error will leave your information open to accidental exposure.
Remove unnecessary services from your Web server to decrease the number of potential weak points. Each service you are running might have vulnerabilities. Each one needs to be kept up-to-date to ensure that known vulnerabilities are not present. The services that you do not use might be more dangerous than the ones you do, because nobody is paying attention to whether they are patched. If you never use the command rcp, why have the service installed?[1]

If you tell the installer that your machine is a network host, the major Linux distributions and Windows NT install a large number of services that you do not need and should remove.
Authentication means asking people to prove their identity. When the system knows who is making a request, it can decide whether that person is allowed access. There are a number of possible methods of authentication, but only two commonly used forms: passwords and digital signatures. We will talk a little more about both later.
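As an added example that is not from the book, here is how a site can store and check passwords so that a stolen user table does not hand an attacker every account, and how it can reject the easily guessed passwords that Chapter 12 warned about, at registration time. The function names, the iteration count and the small common-password list are assumptions made for this example; a real site would load a much larger list.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Record format: algorithm$iterations$salt_hex$hash_hex. Storing the parameters beside the hash
# lets you raise the work factor later without invalidating existing records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # tune upward as your hardware allows
SALT_BYTES = 16

# Constructed, deliberately tiny list of commonly guessed passwords; a real site loads a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "abc123"}


def make_password_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a new password with a fresh random salt; this string is what goes in the user table."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time. Fails closed on garbage."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Checking an unknown username against a throwaway record costs the same as a real check,
# so an attacker cannot tell valid usernames from invented ones by timing the response.
_DUMMY_RECORD = make_password_record(secrets.token_hex(16))


def authenticate(users: dict, username: str, password: str) -> bool:
    """users maps username -> password record. True only for a known user with a matching password."""
    record = users.get(username, _DUMMY_RECORD)
    matched = verify_password(record, password)
    return matched and username in users


def is_easily_guessed(password: str, username: str = "") -> Optional[str]:
    """Reason to reject a new password at registration, or None if it passes these checks."""
    lowered = password.lower()
    if len(password) < 10:
        return "shorter than 10 characters"
    if lowered in COMMON_PASSWORDS:
        return "appears on the common-password list"
    if username and username.lower() in lowered:
        return "contains the username"
    if lowered.isdigit() or lowered.isalpha():
        return "uses only digits or only letters"
    return None


if __name__ == "__main__":
    users = {"alice": make_password_record("correct horse battery staple")}
    print(users["alice"])
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "password"))                       # False
    print(authenticate(users, "nobody", "correct horse battery staple"))  # False
    print(is_easily_guessed("administrator2000", username="administrator"))
```

The point of the salt is that two users with the same password get different records, so an attacker who steals the table cannot crack them all with one precomputed dictionary; the iteration count is what makes each guess expensive.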
CD Universe offers a good example of the cost, both in dollars and reputation, of allowing confidential information to be exposed. In late 1999, a cracker calling himself Maxus reportedly contacted CD Universe, claiming to have 300,000 credit card numbers stolen from their site. He wanted a $100,000 (U.S.) ransom from the site to destroy the numbers. They refused, and found themselves in embarrassing coverage on the front pages of major newspapers as Maxus doled out numbers for others to abuse.
Data is also at risk of exposure while it traverses a network. Although TCP/IP networks have many fine features that have made them the de facto standard for connecting diverse networks together as the Internet, security is not one of them. TCP/IP works by chopping your data into packets, and then forwarding those packets from machine to machine until they reach their destination. This means that your data is passing through numerous machines on the way, as illustrated in Figure 13.1. Any one of those machines could view your data as it passes by.
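To make that concrete, the following added example (not from the book) builds an IPv4/TCP packet carrying a constructed, unencrypted HTTP checkout request, then parses it the way any host on the path could: it verifies both header checksums, extracts the application payload, and picks the credit card number out of it with a Luhn check. Addresses, ports, the request body and the card number (a standard test number) are all constructed for the example; the function names are mine.

```python
import re
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4/TCP (PSH,ACK) segment with valid checksums.
    Stands in for the packet a sniffer on an intermediate machine would capture."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0 for now, urgent 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", _checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    # version 4 / IHL 5, TOS, total length, id, DF flag, TTL 64, protocol TCP, checksum 0 for now
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64,
                         socket.IPPROTO_TCP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the headers of a raw IPv4/TCP packet and return addressing plus the payload.
    Raises ValueError for anything that is not well-formed IPv4/TCP with correct checksums."""
    if len(raw) < 40:
        raise ValueError("too short for IPv4 + TCP")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(raw):
        raise ValueError("not a well-formed IPv4 packet")
    if _checksum(raw[:ihl]) != 0:  # a valid header sums to zero with its checksum field included
        raise ValueError("bad IPv4 header checksum")
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = raw[ihl:total_len]
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, proto, len(tcp))
    if _checksum(pseudo + tcp) != 0:
        raise ValueError("bad TCP checksum")
    data_off = (off_res >> 4) * 4
    return {"src": socket.inet_ntoa(src_b), "dst": socket.inet_ntoa(dst_b), "ttl": ttl,
            "sport": sport, "dport": dport, "flags": flags, "payload": tcp[data_off:]}


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out most numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> list:
    """What an eavesdropper on any intermediate machine can lift from an unencrypted payload."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group().decode("ascii"))
        if luhn_ok(digits):
            found.append(digits)
    return found


# Constructed HTTP request, as a browser would send it to a checkout page without SSL.
SAMPLE_REQUEST = (
    b"POST /checkout.php HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"name=Jane+Doe&card=4111111111111111&cvv=123"
)

if __name__ == "__main__":
    raw = build_ipv4_tcp("192.0.2.10", "203.0.113.80", 40001, 80, SAMPLE_REQUEST)
    info = parse_ipv4_tcp(raw)
    print("%s:%d -> %s:%d, %d payload bytes" % (info["src"], info["sport"], info["dst"],
                                                info["dport"], len(info["payload"])))
    print("card numbers in the clear:", find_card_numbers(info["payload"]))
```

Nothing in the packet stops a forwarding machine from running exactly this code; the checksums detect corruption, not tampering or reading. That is the gap the encryption and secure Web server sections later in this chapter close.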
[1] Even if you do currently use rcp, you should probably remove it and use scp (secure copy) instead.