31

Biometric authentication systems for secured e-transactions in Saudi Arabia. An empirical investigation of the factors affecting users' acceptance of fingerprint authentication systems to improve online security for e-commerce and e-government websites in Saudi Arabia.

Al-Harby, Fahad M. January 2010
Security is becoming an increasingly important issue for business, and with it comes the need for appropriate authentication; consequently, it is becoming gradually more important to develop secure e-commerce systems. Fraud via the web, identity theft, and phishing are raising concerns for users and financial organisations. In addition, current authentication methods, like passwords, have many problems (e.g. some users write them down, they forget them, or they make them easy to hack). We can overcome these drawbacks by using biometric authentication systems. Biometric systems are being used for personal authentication in response to the rising issue of authentication and security. Biometrics provide much promise, in terms of preserving our identities without the inconvenience of carrying ID cards and/or remembering passwords. This research is important because the securing of e-commerce transactions is becoming increasingly important. Identity theft, hacking and viruses are growing threats to Internet users. As more people use the Internet, more identity theft cases are being reported. This could harm not only the users, but also the reputation of the organisations whose names are used in these illegal acts. For example, in the UK, online banking fraud doubled in 2008 compared to 2007. More users took to e-shopping and online banking, but failed to take necessary protection. For non-western cultures, the figures for web security, in 2008, illustrated that Saudi Arabia was ranked ninth worldwide for users who had been attacked over the web. The above statistics reflect the significance of information security with e-commerce systems. As with any new technology, user acceptance of the new technology is often hard to measure. In this thesis, a study of user acceptance of biometric authentication systems in e-transactions, such as online banking, within Saudi society was conducted. It examined whether Saudis are practically willing to accept this technology. 
This thesis focuses upon Saudi Arabia, which has a developing economy. It has achieved a rapid rate of growth, and therefore makes an interesting and unique case study. From an economist's point of view, Saudi Arabia is the powerhouse of the Middle East. It has the leading regional economy, even though it is still relatively young. It has a young and rapidly growing population; therefore, this makes Saudi Arabia an attractive potential market for all kinds of e-commerce applications. Having said that, with more than half of the population under the age of 30, its people are more to be expected to take the risk of accepting new technology. For this work, 306 Saudi participants were involved in the experiments. A laboratory experiment was created that actively tested a biometric authentication system in combination with a survey. The Technology Acceptance Model (TAM) was adopted in the first experimental phase as the theoretical basis on which to develop the research framework; the model has proven its efficiency as a good predictor for the biometric authentication system. Furthermore, in a second experimental phase, the Unified Theory of Acceptance and Use of Technology (UTAUT) with moderating variables such as age, gender and education level was examined as a proposed conceptual framework to overcome the limitations of TAM. The aim of the study was to explore factors affecting users' acceptance of biometric authentication systems. The findings from Structural Equation Modelling (SEM) analysis indicate that education level is a significant moderating factor, while gender and age do not record as significant. This thesis added new knowledge to this field and highlighted the importance of the perceptions of users regarding biometric security technologies. It helps determine the factors affecting the acceptance of biometric technology. To our knowledge, this is the first systematic study of this issue carried out by academic and non-biased researchers in Saudi Arabia.
Furthermore, the thesis presents security technology companies and developers of information security products with information to help in the determination of what is significant to their user base when taking into account the introduction of new secure systems and products.
32

Web-Based Intrusion Detection System

Ademi, Muhamet January 2013
Web applications are growing rapidly, and as the number of web sites globally increases, so do security threats. Complex applications often interact with third-party services and databases to fetch information, and these interactions often require user input. Intruders are targeting web applications specifically and they are a huge security threat to organizations; a way to combat this is to have intrusion detection systems. The most common web attack methods are well researched and documented; however, due to time constraints developers often write applications fast and may not implement the best security practices. This report describes one way to implement an intrusion detection system that specifically detects web-based attacks.
33

Online Banking Information Systems Acceptance: An Empirical Examination of System Characteristics and Web Security

Hussain Chandio, F., Irani, Zahir, Zeki, A.M., Shah, A., Shah, S.C. 31 October 2016
Prior work on the technology acceptance model (TAM) is mainly devoted to the influence of TAM’s core motivational factors and their impact on behavioral intent toward IS acceptance. Relatively little research has focused on what specific system design characteristics motivate individuals toward IS acceptance. This article identified specific systems design factors and examined their impact on TAM’s motivational factors through the TAM. The findings will help designers to design and implement better user-accepted systems.
34

An investigation of developments in Web 3.0 : opportunities, risks, safeguards and governance

Bruwer, Hendrik Jacobus 04 1900
Thesis (MComm)--Stellenbosch University, 2014. / ENGLISH ABSTRACT: Many organisations consider technology as a significant asset to generate income and control cost. The World Wide Web (henceforth referred to as the Web), is recognised as the fastest growing publication medium of all time, now containing well over 1 trillion URLs. In order to stay competitive it is crucial to stay up to date with technological trends that create new opportunities for organisations, as well as creating risks. The Web acts as an enabler for technological advancement, and matures in its own unique way. From the static informative characteristics of Web 1.0, it progressed into the interactive experience Web 2.0 provides. The next phase of Web evolution, Web 3.0, is already in progress. Web 3.0 entails an integrated Web experience where the machine will be able to understand and catalogue data in a manner similar to humans. This will facilitate a world wide data warehouse where any format of data can be shared and understood by any device over any network. The evolution of the Web will bring forth new opportunities as well as challenges. Organisations need to be ready, and acquire knowledge about the opportunities and risks arising from Web 3.0 technologies. The purpose of this study is to define Web 3.0, and identify new opportunities and risks associated with Web 3.0 technologies by using a control framework. Identified opportunities can mainly be characterised as the autonomous integration of data and services which increases the pre-existing capabilities of Web services, as well as the creation of new functionalities. The identified risks mainly concern unauthorised access and manipulation of data; autonomous initiation of actions, and the development of scripts and languages. 
Risks will be mitigated by control procedures which organisations need to implement (examples include but are not limited to encryption; access control; filtering; language and ontology development control procedures; education of consumers and usage policies). The findings will assist management in addressing the key focus areas of opportunities and risks when implementing a new technology. / AFRIKAANS SUMMARY: Many organisations regard technology as an important asset for generating income and controlling costs. The World Wide Web (henceforth referred to as the Web) is recognised as the fastest growing publication medium of all time, currently with more than 1 trillion URLs. In order to remain competitive, it is essential to stay up to date with technological trends that can create new opportunities, as well as risks, for organisations. The Web facilitates technological advancement, and develops in its own unique way. From the static informative characteristics of Web 1.0, it developed into the interactive experience that Web 2.0 offers. The next phase of Web development, Web 3.0, is already in the process of development. Web 3.0 entails an integrated Web experience where a machine will be able to understand and categorise data in a manner similar to how a human could. This will lead to a worldwide database where any form of data can be shared and understood by any device over any network. The development of the Web will give rise to new opportunities as well as challenges. It is essential that organisations be aware of this, and that they have sufficient knowledge regarding the opportunities and risks arising from Web 3.0 technologies. The purpose of this study is to define Web 3.0, and to identify new opportunities and risks associated with Web 3.0 technologies by making use of a control framework.
The opportunities identified are mainly characterised by autonomous integration of data and services, which leads to an increase in the capabilities of pre-existing Web services, as well as the creation of new functionalities. The risks identified are mainly characterised by unauthorised access and manipulation of data; autonomous initiation of actions; and the development of scripts and languages. The risks identified will be addressed by implementing proposed control procedures to reduce such risks to an acceptable level (examples include but are not limited to encryption; access controls; filters; programming language and ontology development control procedures; training of users and developers; and policies regarding the use of technology). The findings will enable management to address the key focus areas of opportunities and risks during the implementation of a new technology.
35

Patching web application vulnerabilities with optimal word correction algorithm

薛慶源, Shueh, Ching Yuan Unknown Date
In this thesis we use code patching so that harmful attack strings are corrected into harmless ordinary strings at minimum edit cost. The work is divided into two phases. In the first phase, we use a security analysis tool, Stranger, to analyse the user's PHP source code, thereby finding attack points where code may be injected, and generate security signatures based on deterministic finite automata; such a signature contains all acceptable harmless strings and can be used as an attack filter. In the second phase, we adopt an algorithm based on the shortest edit distance between a word and an automaton to correct attack strings at minimum cost; a harmful attack string is replaced by a harmless string with the fewest changes. We combine the proposed methods to test a number of web pages and report the experimental results. / The security problems of web applications are always questioned and of concern to users because they can cause huge financial and privacy losses. We want to provide an online service that is open to public users, who can access it and upload their code to check for potential vulnerabilities. Moreover, if vulnerabilities exist and may cause damage, it will guide users step by step, in an easy way, on how they can edit their code. In this paper, we propose an optimal word correction approach for patching string-related vulnerabilities in web applications. To be brief, we synthesize patches that sanitize malicious inputs to normal ones with the shortest edit distance. The analysis consists of two phases: First, we use an automata-based static string analysis tool called Stranger to detect vulnerabilities in web applications, and generate sanitization signatures that accept non-malicious inputs as an input filter that ensures the vulnerabilities are not exploited with respect to given attack patterns. Second, we adopt the shortest edit-distance algorithms between words and automata to find a minimum-cost way, in terms of edit distance, to patch malicious inputs. A malicious input (not accepted by the sanitization signature) is replaced with a non-malicious string that has the minimum change of characters from the original input. We integrate the presented approach with Stranger and report the result of experiments on various web applications.
36

Internet payment system--: mechanism, applications & experimentation.

January 2000
Ka-Lung Chong. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2000. / Includes bibliographical references (leaves 80-83). / Abstracts in English and Chinese.
Abstract
Acknowledgments
Chapter 1. Introduction & Motivation: 1.1 Introduction; 1.2 Internet Commerce; 1.3 Motivation; 1.4 Related Work (1.4.1 Cryptographic Techniques; 1.4.2 Internet Payment Systems); 1.5 Contribution; 1.6 Outline of the Thesis
Chapter 2. A New Payment Model: 2.1 Model Description; 2.2 Characteristics of Our Model; 2.3 Model Architecture; 2.4 Comparison; 2.5 System Implementation (2.5.1 Acquirer Interface; 2.5.2 Issuer Interface; 2.5.3 Merchant Interface; 2.5.4 Payment Gateway Interface; 2.5.5 Payment Cancellation Interface)
Chapter 3. A E-Commerce Application - TravelNet: 3.1 System Architecture; 3.2 System Features; 3.3 System Snapshots
Chapter 4. Simulation: 4.1 Objective; 4.2 Simulation Flow; 4.3 Assumptions; 4.4 Simulation of Payment Systems
Chapter 5. Discussion of Security Concerns: 5.1 Threats to Internet Payment (5.1.1 Eavesdropping; 5.1.2 Masquerading; 5.1.3 Message Tampering; 5.1.4 Replaying); 5.2 Aspects of A Secure Internet Payment System (5.2.1 Authentication; 5.2.2 Confidentiality; 5.2.3 Integrity; 5.2.4 Non-Repudiation); 5.3 Our System Security; 5.4 TravelNet Application Security
Chapter 6. Discussion of Performance Evaluation: 6.1 Performance Concerns; 6.2 Experiments Conducted (6.2.1 Description; 6.2.2 Analysis on the Results); 6.3 Simulation Analysis
Chapter 7. Conclusion & Future Work
Chapter A. Experiment Specification: A.1 Configuration; A.2 Experiment Results
Chapter B. Simulation Specification: B.1 Parameter Listing; B.2 Simulation Results
Bibliography
37

Generating web applications containing XSS and CSRF vulnerabilities

Ahlberg, Gustav January 2014
Most of the people in the industrial world are using several web applications every day. Many of those web applications contain vulnerabilities that can allow attackers to steal sensitive data from the web application's users. One way to detect these vulnerabilities is to have a penetration tester examine the web application. A common way to train penetration testers to find vulnerabilities is to challenge them with realistic web applications that contain vulnerabilities. The penetration tester's assignment is to try to locate and exploit the vulnerabilities in the web application. Training on the same web application twice will not provide any new challenges to the penetration tester, because the penetration tester already knows how to exploit all the vulnerabilities in the web application. Therefore, a vast number of web applications and variants of web applications are needed to train on. This thesis describes a tool designed and developed to automatically generate vulnerable web applications. First a web application is prepared, so that the tool can generate a vulnerable version of the web application. The tool injects Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities in prepared web applications. Different variations of the same vulnerability can also be injected, so that different methods are needed to exploit the vulnerability depending on the variation. A purpose of the tool is that it should generate web applications which shall be used to train penetration testers, and some of the vulnerabilities the tool can inject, cannot be detected by current free web application vulnerability scanners, and would thus need to be detected by a penetration tester. To inject the vulnerabilities, the tool uses abstract syntax trees and taint analysis to detect where vulnerabilities can be injected in the prepared web applications. 
Tests confirm that web application vulnerability scanners cannot find all the vulnerabilities on the web applications which have been generated by the tool.
38

Evaluation of open source web vulnerability scanners and their techniques used to find SQL injection and cross-site scripting vulnerabilities

Matti, Erik January 2021
Because of its simplicity and its efficiency in searching for the most critical security vulnerabilities that could exist within a web application, a web vulnerability scanner is a popular tool among companies that develop web applications. With many different scanners available to use, one is unlikely to be the same as another, and the results attained when evaluating these scanners in relation to each other are often not the same. In this thesis, three different open source web vulnerability scanners are evaluated and analysed based on their ability to find SQL injection and cross-site scripting vulnerabilities. The scanners were used on several open source, deliberately broken web applications that acted as benchmarks. The benchmarks that caused much diversity in the results from the scanners were further investigated. When analysing the scanners based on the results, the actual results were analysed for what caused the diversity, but most of all the source code of the scanners was explored and investigated. It was found that the techniques used by the scanners were essentially similar but contained several minor differences that caused the diversity in the results. Most differences were dependent on the variation of the predefined payloads injected by the scanners, but it was also found that the approaches used to determine whether a vulnerability was detected or not could vary as well. The work concluded in a report that reveals and demonstrates the different approaches that any web vulnerability scanner could use and their limitations.
39

Context-Aware Malicious Code Detection

Gu, Boxuan 19 December 2012
No description available.
40

Building Web Services with Semantic Communication Using Trust Ontologies and Agents

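楊銘煇, Yang, Min-huei Unknown Date
To solve the problem of agent communication on the open Internet, we adopt ontology technology from the Semantic Web. The aim is that, through the use of trust and several other ontologies, agents can communicate at a semantic level in order to establish mutual trust between agents. In this research, we use DAML+OIL, a language with strong expressive power, to describe digital certificates and security-related vocabulary, as well as the relationships among agents, so that agent trustworthiness can be verified. Finally, we use agent communication protocols for authentication, authorization and the like to realise a control mechanism for the resources and trust of Web Services. / We use ontology technology from the Semantic Web to solve the agent communication problem. The idea is to build trust and other ontologies for the multi-agent system to ensure semantic level agent communication on agent trust control. In this research, we use a powerful ontology language, i.e. DAML+OIL, to explicitly describe a variety of digital certificates and the relationship among agents for agent trust verification. Furthermore, we fulfill the resource and trust control mechanism using agent authentication/authorization communication protocols on the Web Services environment.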
