Information Security in Electronic Services

Electronic Services (e-Services) are the obtaining and delivery of services through electronic media; e-commerce also falls under this category. The term means using electronic communications to transact without a face-to-face meeting between the two parties to the transaction. Activities that take place in e-Services include:

registering for user identity, e.g. membership application
updating user information, e.g. new address
updating user status, e.g. credit card account balance
submitting application, e.g. credit card, driving licence
placing order / instruction, e.g. buying and selling of stocks and funds
doing payment transaction, e.g. credit card payment
searching for information, e.g. business matching
exchanging information, e.g. chatroom
receiving information and service, e.g. education program notes
making enquiry, e.g. shipping schedule
doing survey, etc...

Who are Involved?

Individuals, including consumers and citizens
Businesses, including public organisations
Government

How are they Involved?

Business-to-Consumer (B2C)

Businesses and consumers conduct the above-mentioned activities with each other over the Internet

Examples

e-shopping: activities may include

viewing online catalogue
selecting merchandise
placing purchase order
paying by bank cards, such as credit cards and charge cards
checking goods delivery

e-banking: activities may include

updating accounts of bank, credit card, investment, insurance and MPF
updating user information
doing payment & remittance
submitting IPO application
placing buy / sell instruction
getting market information
applying for bank account, credit card, e-shopping card, investment account, loan facility, etc...

e-learning: activities may include

submitting application
doing payment
accessing program information
taking examination
using student chatroom, etc...

Business-to-Business (B2B)

Business activities such as procurement and payment between two businesses are done online

Examples

Activities may include

submitting import / export declaration
applying for dutiable commodities permit
placing shipping order
doing payment
updating transaction status, billing statement, etc.
accessing trade information, etc...

Government-to-Citizen (G2C)

The way in which citizens can obtain services and purchase products from the government through electronic media such as the Internet

Examples

Activities may include

applying for certificate, license and permit
booking, e.g. marriage registration
submitting information, e.g. job opening
doing payment
accessing public information, etc...

Government-to-Business (G2B)

The way in which government purchases goods and services from business organisations through electronic media such as the Internet

Security Tools for Electronic Services

It is in the interest of both businesses and consumers that security tools are employed to protect them. Some security tools are introduced as follows:

1. Secure Sockets Layer (SSL)

2. Public Key Infrastructure (PKI) and Digital Certificate
PKI provides a secure and trusted environment for conducting electronic transactions. It covers the use of public key cryptography for user authentication and access control, and for guaranteeing the confidentiality, integrity and non-repudiation of data.
PKI provides a pair of keys for each user: a private key, which is known only to the user, and a public key, which a Certificate Authority (CA) publishes by means of a digital certificate that binds the key to the user's identity.

Online Payment

Of all the information security threats that come with Electronic Services, online payment raises the greatest concern. The parties involved and their concerns are as follows:

Table: security concerns related to online payment

Cardholder: the person who uses a credit card or debit card to purchase goods or services online
- that (s)he is dealing with a legitimate merchant
- that (s)he will not be charged for unauthorised goods and services
- that (s)he will not be charged more than the agreed price for authorised transactions

Merchant: the organisation that sells goods or services
- that after accepting a transaction, (s)he will be paid
- that the customer is authorised to pay the agreed price

Issuing bank: the financial institution that establishes an account for the cardholder and issues the bankcard
- that a legitimate cardholder authorises every transaction

Acquiring bank: the financial institution that establishes an account with the merchant and processes bankcard authorisations and payments
- that a legitimate cardholder authorises all payments made to legitimate merchants

What to do on Information Security?

There are existing laws and guidelines that govern the services and businesses conducted on the Internet, which both users and service providers of Electronic Services (e-Services) should take notice of and observe.

User

Understanding one's own rights is the first step to protecting oneself in e-Service activities:

Consumer Protection Principles in e-Commerce
A checklist of how to select safe website by the Consumer Council
Information on privacy law and individuals' rights from the Office of the Privacy Commissioner for Personal Data
The Office of the Communications Authority provides information on telecommunication consumer rights, such as spam email
A leaflet about some practical tips and security precautions on Internet banking by the Hong Kong Association of Banks.

Service Providers

Service providers must observe and follow ordinances and guidelines relevant to their own industry sector. Here are some of the major ones.

General
Concerning the legal status of electronic records and digital signatures used in electronic transactions as that of their paper-based counterparts.
Major Principles in OECD Guidelines for Consumer Protection in the Context of Electronic Commerce
Containing principles and good practices on e-commerce
Jointly published by the Hong Kong Productivity Council, Consumer Council and the Office of the Privacy Commissioner for Personal Data
This guide provides data users with practical guidance on how to prepare on-line Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)
Banking
The Hong Kong Monetary Authority provides clear guidelines on e-banking:
Financial Services
The Practice Guide for Security Risk Assessment & Audit offers guidelines on using the Internet for financial services, such as:
Guidance Note on Internet Regulations
Circular on Provision of Financial Information on the Internet - Licensing Requirement
Guidance Note on the Application of the Electronic Transactions Ordinance to Contract Notes
General Circular to All Registered and Licensed Firms on Internet Trading and Advising
Guidance Note on Internet Regulations Guidelines for Registered Persons Using the Internet to Collect Applications for Securities in an Initial Public Offering
Telecommunications
Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators
To ensure data relating to customers are properly protected from misuse. This is a joint effort made by the Consumer Council, Independent Commission Against Corruption, Office of the Privacy Commissioner for Personal Data and Office of the Communications Authority.