Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Security of Electronic Trading'

ANU COMP3410 - I.T. for eCommerce
Security of eTrading - Topic Outline

Roger Clarke **

Version of 21 Aug 2012, revs. 6, 26 Sep, 4 Oct 2012

REQUIRED READING for Lecture 1, added 26 Sep 2012: 'Data breach at 100k plaintext passwords' 24 Sep 2012

REQUIRED READING for Lecture 4, added 4 Oct 2012: Mobile Banking Fact Sheet, 26 September 2012

© Xamax Consultancy Pty Ltd, 2012

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at


This 4-hour segment continues on from the earlier 6-hour series of eTrading topics. It provides a brief overview of information security generally, then considers important security aspects of electronic and mobile commerce.


Lecture Outlines
Lecture 1: Security of Information and IT

Week 10 - Tue 9 October, 10:00-11:00, Dedman 102 - (Slides in PPT97 and in PDF)

This session introduces the notion of security, and then the conventional models of information security and I.T. security. An overview is provided of the processes of risk assessment and risk management. Safeguards are presented within a general IT security architecture. An overview of access control is provided, as an important cases study in safeguards.


The Notion of Security

The Conventional Security Model

Risk Assessment and Risk Management


Access Control


The Conventional Security Model

Risk Assessment and Risk Management


Access Control

Lecture 2: Malware and Other Attacks

Mon 15 October, 10:00-11:00, Dedman 102 - (Slides in PPT97 and in PDF)

This session examines the diverse forms of malware and other kinds of attacks, which represent complex and increasingly sophisticated challenges to delivering reliable IT services. The available safeguards are presented.


1. Malcontent, Malbehaviour, Malware

2. Safeguards Against Malware

3. Attacks and Safeguards

4. DOS Attacks and Safeguards


1. Malcontent, Malbehaviour, Malware

2. Safeguards Against Malware

3. Attacks and Safeguards

4. DOS Attacks and Safeguards


Lecture 3: Identity in Marketspaces

Tue 16 October, 09:00-10:00, Dedman 102 - (Slides in PPT97 and in PDF)

The effectiveness of a trading scheme depends on trust by participants in one another's behaviour, and in the infrastructure supporting the activity. Identification (of parties and of tradable items) is one factor. Developing confidence in the assertions that parties make, referred to as 'authentication', is crucial. Biometric technologies have potential benefits, but bring with them significant risks. The roles of anonymity and pseudonymity also need to be understood.

There's a widespread presumption that, in cyberspace moreso than in meatspace, you need to know who you're doing business with. To test the prevailing presumptions about identities in marketspaces, it's necessary to study the concepts of identification, of anonymity and pseudonymity, and of authentication, and the technologies that both support and threaten consumers' interests.


1. (Id)entification and Authentication

2. Identity Management

3. Biometrics

4. Nymity

5. PITs and PETs

6. Dig Sigs and PKI

7. Location and Tracking


1. Identification, Anonymity and Pseudonymity

2. Biometrics

3. PETs

4. Privacy-Sensitive Public Key Infrastructure

Lecture 4: Mobile Security

Tue 16 October, 10:00-11:00, Dedman 102 - (Slides in PPT97 and in PDF)

This session reviews user access devices and access channels in order to consider different patterns of mobile usage among different demographics. The parallel explosions in mobile devices and wireless connectivity are creating new challenges; and Baby Boomers, Gen-X, Gen-Y and iGens use them differently. Mobile security is considered, focussing on payments. The general approach to risk management is then applied to mobile payments.


1. Mobile Technology Users

2. Mobile Payments

3. Risk Assessment for Mobile Payments

4. Risk Management for Mobile Payments


3. Risk Assessment for Mobile Payments

The Examinable Materials

The examinable materials comprise the following:

The Further Reading is not examinable. It's provided in order to enable you to 'drill down' on topics you're particularly interested in.

Discussion Topics for the Tutorial Session

A. Your mobile devices have been impounded by the university, under suspicion of containing:

  1. What challenges do the investigators have to overcome in order to establish a case against you?

B. The investigators have found some material, and have accused you of committing criminal acts by having that material on your devices.

  1. How could that material have got onto your device?
  2. What can you do to defend ourself against the accusations?

C. On your own mobile devices:

  1. What perimeter safeguards do you have?
  2. What internal safeguards do you have?
  3. Are further safeguards available that you're not using?
  4. Are there additional safeguards that you'd like to have, but that aren't available to you?

D. Your software providers offer to update your operating system, virus-protection and apps automatically, by pushing patches over the network and an auto-instalment service to put them on your device, and activate them.

  1. Which is better: to let them do it; or to decide for yourself whether and when to apply updates to your software?

E. Births Registries issue birth certificates.

  1. How much care should a Birth Registry take when someone asks them for a copy of your birth certificate?
  2. Are there any differences between someone asking for a copy face-to-face and asking online?
  3. What options are open to them to authenticate the assertions made by the applicant?
  4. When you try to get a copy of your own birth certificate, will you be able to authenticate yourself to their satisfaction?

F. Lecture 4, Slides 5-9, outlined some 'dimensions of differentiation' among users of mobile devices.

  1. Use these dimensions to categorise yourself. Do you think the dimensions are relevant to mobile device usage? Are they comprehensive, or are there other important factors?
  2. Describe another category of user that's quite different from yourself.
  3. What advice would you give that category of user about how to protect themselves against harm arising from use of their mobile devices, both generally and in the particular context of mobile payments?
  4. Is that advice the same as you would give to yourself and people like you? Or similar? Or quite different? Why?
  5. Do you act on your own advice?

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Research School of Computer Science at the Australian National University,, and in the Cyberspace Law & Policy Centre at the University of N.S.W.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 19 March 2000 - Last Amended: 4 October 2012 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy