Information Security in Electronic Services

Electronic Services (e-Services) are the attainment and delivery of services through electronic media. E-commerce also falls under this category. It means using electronic communications to transact, without a face-to-face meeting between the two parties to the transaction. Activities that take place in e-Services include:

- registering for a user identity, e.g. membership application
- updating user information, e.g. new address
- updating user status, e.g. credit card account balance
- submitting an application, e.g. credit card, driving licence
- placing an order / instruction, e.g. buying and selling of stocks and funds
- making a payment transaction, e.g. credit card payment
- searching for information, e.g. business matching
- exchanging information, e.g. chatroom
- receiving information and services, e.g. education program notes
- making an enquiry, e.g. shipping schedule
Who are Involved?

- Individuals, including consumers and citizens
- Businesses, including public organisations
How are they Involved?

Business-to-Consumer (B2C)
Businesses and consumers can conduct the above-mentioned activities between the two ends over the Internet.

Examples
- e-shopping: activities may include
  - paying by bank cards, such as credit cards and charge cards
- e-banking: activities may include
  - updating accounts of bank, credit card, investment, insurance and MPF
  - updating user information
  - doing payment & remittance
  - submitting IPO application
  - placing buy / sell instruction
  - getting market information
  - applying for bank account, credit card, e-shopping card, investment account, loan facility, etc.
- e-learning: activities may include
  - accessing program information
  - using student chatroom, etc.

Business-to-Business (B2B)
Business activities such as procurement and payment between two businesses are done online.

Examples
- Submitting import / export declaration
- Applying for dutiable commodities permit
- Updating transaction status, billing statement, etc.
- Accessing trade information, etc.

Government-to-Citizen (G2C)
The way in which citizens obtain services and purchase products from the government through electronic media such as the Internet.

Examples
Activities may include
- applying for certificates, licences and permits
- booking, e.g. marriage registration
- submitting information, e.g. job opening
- accessing public information, etc.

Government-to-Business (G2B)
The way in which the government purchases goods and services from business organisations through electronic media such as the Internet.
Security Tools for Electronic Services
To protect the interests of businesses and consumers, it is in their own interest that security tools are employed. Some security tools are introduced as follows:

1. Secure Socket Layer (SSL)

For more information about SSL:

2. Public Key Infrastructure (PKI) and Digital Certificate

PKI provides a secure and trusted environment for conducting electronic transactions. It covers the use of public key cryptography in the authentication and access control of a user, guaranteeing the confidentiality, integrity and non-repudiation of data.

PKI provides a pair of keys for each user: a private key, which is known only to the user himself, and a public key, which is published by a Certificate Authority by means of a digital certificate.
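As an added illustration (not code from the original page), the following Go program uses only the standard library to set up a minimal PKI of the kind described above: a Certificate Authority issues a digital certificate that publishes a cardholder's public key, the cardholder signs a stock order with the private key only (s)he holds, and a merchant who trusts nothing but the CA certificate verifies both the certificate chain and the signature. The names "Demo CA" and "Cardholder", the order text and the single-level chain (a root CA issuing directly to users) are constructed simplifications.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewParty generates a key pair and the certificate that publishes its public key: a self-signed
// root CA when issuerCert is nil, otherwise a certificate issued (signed) by that CA.
func NewParty(name string, issuerCert *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if issuerCert == nil { // root CA: signs itself and is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuerCert, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignOrder: the cardholder signs an order with the private key only (s)he holds (non-repudiation).
func SignOrder(key *ecdsa.PrivateKey, order []byte) ([]byte, error) {
	h := sha256.Sum256(order)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyOrder: the merchant trusts only the CA certificate, checks that the cardholder's certificate chains to it, then checks the order signature with the certified public key.
func VerifyOrder(caCert, userCert *x509.Certificate, order, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := userCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // untrusted issuer, expired, or otherwise not a certificate this merchant accepts
	}
	return userCert.CheckSignature(x509.ECDSAWithSHA256, order, sig) == nil // false if order or signature was altered
}
```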
Online Payment
Of all the information security threats posed by Electronic Services, online payment is the greatest concern. The parties involved and their concerns are as follows:

Table showing security concerns related to online payment

| Participants | Concerns |
|---|---|
| Cardholder: the person who uses a credit card or debit card to purchase goods or services online | that (s)he is dealing with a legitimate merchant; that (s)he will not be charged for unauthorised goods and services; that (s)he will not be charged more than the agreed price for authorised transactions |
| Merchant: the organisation that sells goods or services | that after accepting a transaction, (s)he will be paid; that the customer is authorised to pay the agreed price |
| Issuing bank: the financial institution that establishes an account for the cardholder and issues the bankcard | that a legitimate cardholder authorises every transaction |
| Acquiring bank: the financial institution that establishes an account with the merchant and processes bankcard authorisations and payments | that a legitimate cardholder authorises all payments made to legitimate merchants |
What to do on Information Security?
There are existing laws and guidelines that govern the services and businesses conducted on the Internet. Both users and service providers of Electronic Services (e-Services) should observe and take notice of them.

User
Understanding one's own rights is the first step to protecting oneself in e-Service activities:
- Consumer Protection Principles in e-Commerce
- A checklist of how to select a safe website, by the Consumer Council
- Information on privacy law and individuals' rights from the Office of the Privacy Commissioner for Personal Data
- The Office of the Communications Authority provides information on telecommunications consumer rights, such as spam email
- A leaflet about some practical tips and security precautions on Internet banking, by the Hong Kong Association of Banks

Service Providers
Service providers must observe and follow the ordinances and guidelines relevant to their own industry sector. Here are some of the major ones.

General
- Concerning the legal status of electronic records and digital signatures used in electronic transactions, which is the same as that of their paper-based counterparts.
- Major Principles in OECD Guidelines for Consumer Protection in the Context of Electronic Commerce
- Containing principles and good practices on e-commerce
- Jointly published by the Hong Kong Productivity Council, Consumer Council and the Office of the Privacy Commissioner for Personal Data
- This guide provides data users with practical guidance on how to prepare online Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)

Banking
- The Hong Kong Monetary Authority provides guidelines on e-banking:

Fintech
- The Hong Kong Monetary Authority provides regulatory guides on Fintech:

Telecommunications
- The Office of the Privacy Commissioner for Personal Data prepared the Guidance Note, which sets out some illustrations and good practices for compliance with the Personal Data (Privacy) Ordinance (Chapter 486).