Wednesday, October 2, 2019
Website For Malaysian Insurance Institute
INTRODUCTION:

The aim of the project is to set up a website for the Malaysian Insurance Institute that allows insurance agency leaders to enrol their candidates for the Pre-Contract Examination. In phase 1, the author conducts a few studies related to electronic commerce so that agency leaders can pay the exam fees online. Additional security features to protect the website and its users are also studied to enhance the security of the website.

FINDINGS:

Background Study of the Malaysian Insurance Institute

The Malaysian Insurance Institute (MII) is a non-profit organization founded in 1968. It is a leading insurance institute that provides insurance knowledge and training and offers all kinds of qualifications recognized by international insurance companies, in areas such as insurance, financial planning and risk management. MII is known as the primary insurance knowledge provider in Malaysia. It works together with other insurance companies in the industry, with support from Bank Negara Malaysia and the regulator, to guarantee that the education provided is up to date and keeps pace with changes in the insurance industry.

Figure 1.1: Malaysian Insurance Institute Website

1.1 MII AS EDUCATIONAL AND TRAINING BODY

MII organizes an average of 300 training programs to educate brokers, insurers, reinsurers, adjusters and regulators. Each training program draws about 10,000 participants from Malaysia and other countries. This outstanding record earned MII a seat on the Education Board of the Federation of Afro-Asian Insurers and Reinsurers (FAIR), which is based in Egypt. Besides that, MII also helps general and life insurance agents by providing training to them, which helps them give a better service to their customers. For agency leaders, MII partners with LIMRA (USA) to organize the Agency Management Training Course (AMTC), which upgrades their leadership and professionalism.
MII provides two primary professional programs: the Diploma of The Malaysian Insurance Institute (DMII) and the Associateship of The Malaysian Insurance Institute (AMII). These two programs are the basic requirement for the insurance industry and also for the emerging markets.

1.2 MII AS EXAMINATION CENTRE

MII acts as a guardian that monitors the education standards of insurance examinations. It is also the authorized examination centre for conducting insurance examinations. MII offers 32 major examinations that attract over 60 thousand candidates for the insurance industry in a year. Because of its outstanding management and good reputation as an education and examination centre, MII is entrusted as the primary venue for examinations organized by other examination bodies such as The Institute of Risk Management (UK), the Chartered Institute of Loss Adjusters (UK), The Insurance Institute of America (USA), The Society of Actuaries (USA) and others.

1.3 MII AS INSURANCE INFORMATION CENTRE

MII is proud to have its own library, which specializes in the insurance industry and related industries. The library also collects all kinds of books, magazines and journals related to insurance for public use. Moreover, MII has an electronic library portal that publishes information for the public, such as online newspapers, electronic journals, and links to other insurance companies, associations, regulators, universities and related sectors.

1.4 MII AS CONFERENCE ORGANIZER

MII conducts around eight conferences a year, planned to meet the needs of the emerging insurance industry. Most of the conferences receive a massive response from all kinds of business, both local and international. These conferences not only provide experience and knowledge to the public but also give participants a chance to build their networks with other industries.
1.5 AFFILIATION WITH INTERNATIONAL BODIES

MII has a firm belief in pooling its efforts and resources with other reputable insurance education bodies throughout the world so as to maximize and leverage each other's strengths. MII's commitment to delivering the best quality standards in education is reflected in its international links with major insurance institutions, universities and relevant organisations. Among the collaborations MII has established are those with The Chartered Insurance Institute (UK), the Australasian Institute of Chartered Loss Adjusters (AICLA), the Chartered Institute of Loss Adjusters (CILA), the Australian and New Zealand Institute of Insurance and Finance (ANZIIF), LOMA (USA), the Institute of Risk Management (UK), LIMRA (USA) and others.

1.6 INTERNATIONAL PRESENCE

While addressing domestic needs will always remain the main focus and priority, MII has also spread its wings into the international scene, particularly in fulfilling the needs of the emerging markets. This is in line with its vision to be the preferred institute for training solutions, education and information in insurance in Malaysia and the emerging markets. The increasing number and wide range of international training participants and conference delegates is a testimony to the recognition and regard for the relevant, high-quality programmes offered by MII. MII's presence in the emerging markets, particularly within the ASEAN region, is quite significant. When the 10 ASEAN insurance regulatory authorities formed the ASEAN Insurance Training and Research Institute (AITRI), MII was given the honour of leading as the secretariat for AITRI. AITRI is a non-profit organization that provides regional research, insurance education and training support for the regulators as well as the industry of the ASEAN member countries.
Its activities are featured in international publications and have gained great recognition and international support from bodies such as the World Bank (USA), the International Association of Insurance Supervisors (Switzerland), the Office of the Superintendent of Financial Institutions (Canada) and others.

1.7 INTERNATIONAL AWARD

In 2007 MII won the Professional Service Provider of the Year 2007 Award from The Review Worldwide Reinsurance Association in London, U.K. MII was the first winner from Asia in the 14 years since the award was started. MII's effort and its commitment to training and education were the reasons it received the award.

1.8 List of Certification and Professional Programs

The list below shows the certification and professional programs offered by the Malaysian Insurance Institute. These programs are recognized by all the insurance companies in Malaysia. An agent of an insurance company must hold the related certification or professional qualification to promote or sell insurance to customers.
Diploma of Financial Services
Associateship of the Malaysia Insurance Institute (AMII)
International Diploma of the Malaysia Insurance Institute (DMII)
Diploma of the Malaysia Insurance Institute (DMII)
Life Certificate of MII Insurance (CMII Insurance)
Pre-Contract Examination for Insurance Agent (PCEIA)
Certificate Examination in Investment-Linked Life Insurance (CEILLI)
International Certificate in Risk Management (CIRM)
Basic Agency Management Course (BAMC)
Registered Financial Planner (RFP)
Basic Certificate Course in Loss Adjusting (BCCILA)
Intermediate Certificate Course in Loss Adjusting (ICCILA)
Basic Certificate Course in Insurance Broking (BCCIB)
Intermediate Certificate Course in Insurance Broking (ICCIB)
Certificate in General Insurance Actuarial Practice (CGIAP)

1.9 Conclusion

MII is a powerful organization that provides high-quality education to the insurance industry and related fields. Besides that, MII is also recognized by international organizations for its quality services and excellent programs.

Literature Review

This chapter discusses the online electronic commerce system and the security features planned for the registration website, such as an on-screen keyboard, multi-step authentication and Secure Socket Layer.

2.1 Electronic Commerce

Electronic commerce is any transaction or payment that occurs through the internet. It covers a wide range of areas such as auction websites, retail websites, registration websites, banking websites and so on. The content of electronic commerce can be goods or services. It has become important with the emergence of the internet and the World Wide Web. Since electronic commerce is conducted on the internet, customers can ignore the barriers of distance and time. Electronic commerce has grown steadily over the past five years and is expected to grow at a faster rate.
When electronic commerce is conducted, an online payment takes place during the transaction. Several payment methods are available online, such as credit card, PayPal and Google Checkout. (Networksolution, 2010)

Credit card is the most popular payment method used by most electronic commerce websites. Marketing research shows that an electronic business will lose 60 to 80 percent of potential customers if credit card payment is not implemented in its electronic commerce system. With credit card payment enabled, customers have the impulse to purchase an item at any time, and it also assures customers of the legitimacy of the electronic business. (EasyStoreCreator, 2010)

Another popular online payment method is PayPal. The benefit of PayPal is that it allows the merchant or customer to make online and offline transactions at any time. Furthermore, PayPal is well known for its ease of use, and it does not tie verification to a credit rating. PayPal users only need to verify their electronic mail address and their account's personal information. Payments can then be directed to the PayPal account tied to that electronic mail address.

Additionally, Google Checkout is the preference of some electronic business merchants. Google Checkout became popular quickly because the service is user friendly, very stable and reliable. Another benefit of Google Checkout is that it charges lower merchant fees than PayPal, which has made it grow at a rapid rate. (Arora.n, 2010)

2.2 Types of Electronic Commerce

Multiple types of electronic commerce are available on the internet. Among them, four popular types account for most electronic commerce websites: business-to-business (B2B), business-to-consumer (B2C), consumer-to-business (C2B) and consumer-to-consumer (C2C).
Besides these popular types, some other kinds of electronic commerce are used by electronic business merchants, such as business-to-employee (B2E), government-to-government (G2G), government-to-employee (G2E), government-to-business (G2B), business-to-government (B2G), government-to-citizen (G2C), citizen-to-government (C2G) and so on. (DigitSmith Embroidery and Screen Printing, 2006)

2.3 On Screen Keyboard

An on-screen keyboard is software that is displayed on the computer's monitor. It allows the user to input any kind of text with the mouse or the monitor's touch screen. On-screen keyboards help people with mobility impairments or people who cannot type. Besides that, an on-screen keyboard can also help users bypass viruses, Trojans or key loggers that steal typed data (Microsoft Corporation, 2010). Figure 2.1 shows an example of an on-screen keyboard. It is a default application that comes with the operating system provided by Microsoft.

Figure 2.1: Microsoft on-screen keyboard

2.4 Multi Step Authentication

Single-factor authentication, such as the username and password process, is widely used by many websites on the World Wide Web. Due to the demand for more security during login, an approach named multi-step authentication has been created to meet the public demand. Multi-step authentication is a process that logs in and authenticates users across multiple web pages. The first step of the authentication verifies the username entered by the user. If it matches a name in the database, the user is redirected to the second step. The second step requires the user to enter their password, and if it is correct, the system redirects the user to the service they logged in to. (Agilewebsolutions, 2010) Besides that, this feature also blocks malware that uses a form robot to capture the password entered by the user, because two different login processes are performed.
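A server-side sketch of the two-page login just described, as an added example that is not the report's code or the cited 1Password material: it assumes a constructed user table, a PBKDF2 password hash and a step token that ties the second page to the first. It departs from the text in one place: step 1 issues the token whether or not the username exists, because confirming a username on the first page would tell a caller which accounts are real; it also adds the lockout after repeated wrong passwords that a practitioner would expect.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5            # lock the account after this many wrong passwords
LOCK_SECONDS = 15 * 60      # how long the lock lasts
STEP_TOKEN_TTL = 120        # seconds a step-1 token stays valid


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table (username -> (salt, password hash)); a real site
# would keep this in its database.
_SALT = secrets.token_bytes(16)
USERS = {"agency_leader": (_SALT, hash_password("correct horse battery", _SALT))}

_pending = {}     # step token -> (username, expiry time)
_failures = {}    # username -> (failure count, time the lock expires)


def login_step1(username):
    """Step 1 (first page): take the username and issue a short-lived token.

    The token is issued whether or not the username exists, so this page does
    not reveal which account names are valid; the lookup happens in step 2.
    """
    token = secrets.token_urlsafe(32)
    _pending[token] = (username, time.time() + STEP_TOKEN_TTL)
    return token


def login_step2(token, password):
    """Step 2 (second page): accept the password only with a valid step-1 token.

    Binding the pages with the token is what makes this a two-step process:
    a request that skips the first page has no token and is refused. The
    token is single-use, so it cannot be replayed for repeated guesses.
    """
    entry = _pending.pop(token, None)
    if entry is None or entry[1] < time.time():
        return False
    username = entry[0]

    count, locked_until = _failures.get(username, (0, 0.0))
    if locked_until > time.time():
        return False                        # account is locked out
    if locked_until:
        count = 0                           # an expired lock starts a fresh count

    record = USERS.get(username)
    if record is not None:
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            _failures.pop(username, None)   # success resets the counter
            return True

    count += 1
    lock_expiry = time.time() + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
    _failures[username] = (count, lock_expiry)
    return False
```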
2.5 Secure Socket Layer Protocol (SSL)

Secure Socket Layer is a well-known protocol used to provide a secure connection between the server and the client. The purpose of securing a connection is to protect the integrity of data, privacy and authentication. SSL protects data by encrypting a plaintext message into ciphertext. Ciphertext is meaningless to anyone who captures the data packet and tries to crack it. A pair of keys is used to encrypt the data: the public key and the private key. The public key is used to encrypt data sent from the client, and the private key is used to decrypt the data received by the server. To ensure that the server side is the real owner of the service, a digital certificate is issued by a third-party certificate authority such as GeoTrust or VeriSign. This process establishes that the domain is maintained by its recognized owner and is legitimate. Figure 2.2 shows an example of a digital certificate. (GeoCerts, 2010)

Figure 2.2: Digital Certificate

Netscape introduced the SSL protocol in 1994 as concern about security over the internet was rising. At first, SSL was developed to secure the connection between the server and the client, but modifications were made to fit it to other services such as TELNET, FTP, email and so on. (Martz. C, 2010)

2.6 Conclusion

Security features are an important part of keeping a website safe from threats. All the features discussed are planned to be implemented in the website to work with the electronic commerce system and the website security.

Electronic Commerce System Security

It is a big challenge to maintain and secure an electronic commerce system as the internet world evolves every day. It is important for electronic merchants to implement security for their electronic commerce websites.

3.1 Components of Electronic Commerce Security

There are 5 components of electronic commerce security that are important to an electronic commerce website.
The first component is containment, which is used to prevent all kinds of attacks. The second component is compartmentalization, which is used to avoid unauthorized access to the website system; besides that, it prevents collateral damage to the website during attacks. The third component is continuity, which guarantees that the website system keeps running even during DoS attacks or equipment failure. The fourth component is recovery, which promptly starts recovery operations during external attacks or malicious internal activity. The fifth component is performance, which ensures that network performance is not reduced by the other security operations.

3.2 Electronic Commerce Vulnerabilities

Fear of online transaction threats has increased with every type of attack. Multiple vulnerabilities are discussed below to understand their characteristics.

3.2.1 SQL Injection

SQL injection is a technique that inserts SQL meta-characters into the user input. It allows the attacker to force the back-end database to execute commands entered into the system. To check whether a website is vulnerable to this attack, a single quote (') character is sent to the database. A vulnerable website returns an error message that exposes the technology being used on the host machine. This information is enough for attackers to perform further attacks on restricted areas or the operating system. SQL injection attacks differ depending on the type of database: an attack on an Oracle database needs the UNION keyword to execute and is harder to carry out than one on Microsoft SQL Server. (Mookhey. K. K, 2004)

3.2.2 Price Manipulation

This is a newer threat that affects the payment gateway and the shopping cart. In the common case, the total price the customer needs to pay is saved in a hidden HTML field.
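Both the single-quote test in 3.2.1 and the hidden total field come down to the server trusting what the client sends. The added example below (not code from the report or from the Mookhey article) puts the vulnerable price lookup and checkout beside their hardened forms, using a constructed in-memory SQLite catalogue whose product codes and prices are made up for the example.

```python
import sqlite3

# Constructed catalogue for the example (product codes and prices made up).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE products (code TEXT PRIMARY KEY, price_cents INTEGER)")
db.executemany("INSERT INTO products VALUES (?, ?)",
               [("PCEIA", 15000), ("CEILLI", 12000)])


def price_unsafe(code):
    """3.2.1, vulnerable form: the user's value is pasted into the SQL text,
    so a quote in it changes the statement instead of being looked up."""
    row = db.execute(
        "SELECT price_cents FROM products WHERE code = '" + code + "'").fetchone()
    if row is None:
        raise LookupError(code)
    return row[0]


def price_safe(code):
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so a quote is just another character in the code being searched for."""
    row = db.execute(
        "SELECT price_cents FROM products WHERE code = ?", (code,)).fetchone()
    if row is None:
        raise LookupError(code)
    return row[0]


def quote_probe(lookup):
    """The single-quote check from 3.2.1: send a lone quote and report what
    happens. The vulnerable lookup surfaces a database error (the message a
    site would leak to the user); the hardened one simply finds nothing."""
    try:
        lookup("'")
    except sqlite3.Error as exc:
        return "sql error: " + str(exc)
    except LookupError:
        return "not found"
    return "found"


def checkout_unsafe(form):
    """3.2.2, vulnerable form: the total is read back from a hidden field the
    browser filled in, so whatever arrives is what the gateway is asked to charge."""
    return int(form["total_cents"])


def server_total(form):
    """Recompute the total from the server-side price table only."""
    return sum(price_safe(code) * int(qty) for code, qty in form["items"].items())


def total_matches(form):
    """True when the submitted hidden total agrees with the server's own sum."""
    return int(form["total_cents"]) == server_total(form)


def checkout_safe(form):
    """Hardened form: charge the recomputed total and treat a disagreeing
    hidden field as tampering rather than as the price."""
    if not total_matches(form):
        raise ValueError("submitted total does not match server-side prices")
    return server_total(form)
```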
A web application proxy such as Achilles can modify these figures while the information is being sent from the user's browser to the website. Figure 3.1, taken from a Symantec article, shows that the price can be modified by the attacker to any value. This modified information is then sent to the merchant's payment gateway. (Mookhey. K. K, 2004)

Figure 3.1: Achilles web proxy

3.2.3 Buffer Overflows

Bad consequences follow when a massive number of bytes is sent to an application that is not set up properly to handle them. According to K. K. Mookhey, the path of the PHP functions was exposed when he sent a very large value in an input field. Figure 3.2 shows that when a large value is sent and the PHP script cannot process it, the returned error message exposes the location of the PHP functions. This error message reveals the admin folder, which allows attackers to conduct further attacks. (Mookhey. K. K, 2004)

Figure 3.2: PHP timeout error

3.2.4 Cross-site Scripting

Cross-site scripting is primarily aimed at the end user and leverages two factors: the weak input/output validation of the web application, and the trust the user places in a well-known website name. The attack requires the website to take in user input, process it and show the result together with the original user input. This sequence is commonly found in search systems. The attacker embeds JavaScript in the user input as part of the input. A link is then created that contains this JavaScript, and the victim is persuaded to click on it. For example, the URL looks similar to this: http://www.vulnerablesite.com/cgibin/search.php?keywords=<script>alert('OK')</script>. This example pops up an alert box showing the text OK. The attacker can place whatever script they want into this link to conduct the attack.
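One way to neutralise the reflected input in the search example above, as an added example that is not the report's code: the search URL from the text is parsed, rendered the vulnerable way and rendered with output encoding, which is the hardened form that the "weak input/output validation" factor points at. Function names are the example's own.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The search link from 3.2.4, used here as the sample request.
SAMPLE_URL = ("http://www.vulnerablesite.com/cgibin/search.php"
              "?keywords=<script>alert('OK')</script>")


def keywords_from_url(url):
    """Pull the 'keywords' parameter out of the query string, as search.php would."""
    query = parse_qs(urlsplit(url).query)
    return query.get("keywords", [""])[0]


def render_unsafe(keywords):
    """Vulnerable: the user's input is pasted into the page as-is, so a
    <script> element inside it becomes part of the document and runs."""
    return "<p>Results for: " + keywords + "</p>"


def render_safe(keywords):
    """Hardened: output encoding. <, >, &, quotes become entities, so the
    browser displays the text of the script instead of executing it."""
    return "<p>Results for: " + html.escape(keywords, quote=True) + "</p>"


def contains_live_script(page):
    """Does the rendered HTML still contain a real <script> tag, rather than
    the entity-encoded text of one?"""
    return "<script" in page.lower()
```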
Usually, the attacker uses this method to capture the victim's cookies, which may contain the victim's sensitive information. Besides that, the JavaScript can also be used to redirect the victim to a website that contains malicious code and conduct the attack there.

3.2.5 Weak Authentication

An authentication system that does not block multiple failed logins can lead to unexpected consequences. An attacker may use brute-force software to guess an account's password by sending all kinds of combinations to the server for validation. Another weak authentication is when the website uses basic authentication but does not transfer it through SSL. An attacker can sniff the traffic and discover the user information inside the packets.

3.3 Pros and Cons of Electronic Commerce System

Although electronic commerce provides a lot of benefits to electronic businesses and consumers, there are also some drawbacks that affect both merchant and consumer.

The benefits of electronic commerce are that it saves the user's time compared to shopping at shops or markets. Every transaction is conducted on the internet, and in just a few clicks a consumer can buy everything they want and pay for it. Compared to shopping at a regular shop, where the consumer has to travel to the shop, park the car, walk to the shop, browse for the item and then pay for it, this saves a lot of time. Electronic commerce is cheap compared to products sold at regular shops and markets, because an electronic merchant does not need to pay the rental and utility expenses of a physical shop. That is why they can sell cheaper products when they do not need to cover these expenses. Besides that, lowering the product price is one of the marketing techniques used to attract customers to buy from the electronic shop. (Finnila. J, 2008)

Most electronic commerce is supported by the credit card payment method.
With this method enabled, the consumer does not need to download or install a special plugin to make a transaction. Besides that, consumers with credit cards always have the impulse to buy something during every visit. Furthermore, the electronic merchant can keep the customer's transaction information for future use such as follow-up sales or product advertising. (Nightcats Multimedia Productions, 2010)

The disadvantages of electronic commerce are that competitors are all around the world. Electronic merchants have to keep generating new marketing strategies to attract customers or to keep customers coming back. As the internet world changes rapidly, many new traps appear to steal information from consumers, such as phishing websites and malicious scripts. Any electronic commerce user who is unaware of these internet threats will expose their personal confidential information to those scam operators. (Finnila. J, 2008)

From the point of view of most customers, it is an abuse of the customer's personal information when the electronic merchant keeps the information for future use. Customers may want to keep their personal information private, and it is better to request their permission before their information is used. Besides that, customers also worry that their personal information may leak out to the public by accident. It is a benefit for the merchant but a disadvantage to the customer. (Nightcats Multimedia Productions, 2010)

3.4 Conclusion

It is important for electronic merchants to secure their electronic commerce systems to prevent incidents that cause unexpected losses to the business.

CONCLUSIONS:

The author successfully completed objectives one to three in phase 1 of the project. The author learned how MII works in its daily operation and its roles and responsibilities. Besides that, the author also learned how the additional security features work to protect the website and its users.
As proof of meeting objectives one to three, the reference list below shows the various information sources consulted.

REFERENCES (BACKGROUND READING MATERIALS):

About MII (Online) (Cited 20 MAY 2010) Available from: http://www.insurance.com.my/mii2010/about.html
MII Vision and Mission (Online) (Cited 21 MAY 2010) Available from: http://www.insurance.com.my/mii2010/about_vision.html
Certification and Professional Programmes (Online) (Cited 22 MAY 2010) Available from: http://www.insurance.com.my/mii2010/certification.html
What is Ecommerce? (Online) (Cited 23 MAY 2010) Available from: http://www.networksolutions.com/education/what-is-ecommerce/
Choosing a Merchant Credit Card Processing Vendor To Meet Your ecommerce Credit Card Processing Needs (Online) (Cited 25 MAY 2010) Available from: http://www.easystorecreator.com/choosing-vendor.asp
Different Payment Methods in E-Commerce Website (Online) (Cited 26 MAY 2010) Available from: http://ezinearticles.com/?Different-Payment-Methods-in-E-Commerce-Website&id=2073803
Ecommerce definition and types of ecommerce (Online) (Cited 26 MAY 2010) Available from: http://www.digitsmith.com/ecommerce-definition.html
Handling Financial Web Site Tricks (Online) (Cited 28 MAY 2010) Available from: http://help.agile.ws/1Password3/multi_step_logins.html
Two-Step Authentication Method For Online Banking (Online) (Cited 30 MAY 2010) Available from: http://priorartdatabase.com/IPCOM/000126859
Turn On and Use On-Screen Keyboard (Online) (Cited 31 MAY 2010) Available from: http://www.microsoft.com/windowsxp/using/accessibility/oskturnonuse.mspx
SSL Secure Sockets Layer (Online) (Cited 1 JUNE 2010) Available from: http://www.birds-eye.net/definition/s/ssl-secure_sockets_layer.shtml
How SSL Works (Online) (Cited 1 JUNE 2010) Available from: http://www.geocerts.com/ssl/how_ssl_works
Pros and Cons of E-Commerce (Online) (Cited 2 JUNE 2010) Available from: http://ezinearticles.com/?Pros-and-Cons-of-E-Commerce&id=1481356
Pros and Cons for consumers when shopping online (Online) (Cited 2 JUNE 2010) Available from: http://www.nireland.com/e.commerce/Pros%20and%20Cons.htm
Beginners Guide to Ecommerce (Online) (Cited 2 JUNE 2010) Available from: http://www.nightcats.com/sales/free.html
5 Essential Components of E-Commerce Security (Online) (Cited 3 JUNE 2010) Available from: http://www.intruguard.com/E-commerceSecurity.html
Common Security Vulnerabilities in e-commerce Systems (Online) (Cited 4 JUNE 2010) Available from: http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems

***END OF REPORT***