We now focus on security technology, which is, like privacy, a major concern for Internet users. Security fears are a major barrier to e-commerce adoption, by both businesses and consumers. When a customer of an e-commerce site enters their credit card details, these are typically stored on the servers of the merchant (retailer) or of a third party. Once there, they are vulnerable to theft by hackers who can use the numbers for fraudulent purchases. Customers may lose the first £50 if the credit card issuer does not cover them, but for larger amounts the risk lies with the credit card issuer. As a result, Internet-related fraud is now the largest source of fraud affecting credit card companies such as Visa and Mastercard. To summarise, we can identify the following security risks from the customer or merchant perspective:
A the transaction or credit card details are stolen in transit;
B the customer's credit card details are stolen from the merchant's server;
C the merchant or customer is not who they claim to be.
In this section we assess the measures that can be taken to reduce the risk of these breaches of e-commerce security. We start by reviewing some of the theory of online security and then review the techniques used.
Before we look at the principles of secure systems, it is worth reviewing the standard terminology for the different parties involved in the transaction:
• Purchasers. These are the consumers buying the goods.
• Merchants. These are the retailers.
• Certification authority (CA). This is a body that issues digital certificates that confirm the identity of purchasers and merchants.
• Banks. These are traditional banks.
• Electronic token issuer. A virtual bank that issues digital currency.
The basic requirements for security systems from these different parties to the transaction are as follows:
1 Authentication - are parties to the transaction who they claim to be (risk C above)?
2 Privacy and confidentiality - is the transaction data protected from anyone other than the two parties? The consumer may want to make an anonymous purchase. Are all non-essential traces of a transaction removed from the public network and all intermediary records eliminated (risks A and B above)?
3 Integrity - checks that the message received is complete and unaltered, i.e. that it has not been corrupted or tampered with in transit.
4 Non-repudiability - ensures the sender cannot later deny having sent the message.
5 Availability - how can threats to the continuity and performance of the system be eliminated?
Digital certificates (keys)
Consist of keys made up of large numbers that are used to uniquely identify individuals.
Secret-key (symmetric) encryption
Both parties to a transaction use the same key to encode and decode messages.
Public-key (asymmetric) encryption
Both parties use a related but different key to encode and decode messages.
Approaches to developing secure systems
There are two main methods of encryption, distinguished by how the 'keys' are shared between the parties:
1 Secret-key (symmetric) encryption. This involves both parties having an identical (shared) key that is known only to them. The same key is used both to encrypt and to decrypt messages. The secret key has to be passed from one party to the other before use, in much the same way as a copy of the key to a secure attaché case would have to be sent to the receiver of the information. This approach has traditionally been used to achieve security between two separate parties, such as major companies conducting EDI. Here the secret key is sent out by courier or over a separate secure channel to ensure it is not copied in transit.
This method is not practical for general e-commerce, since it would not be safe for a purchaser to give a secret key to a merchant: control of the key would be lost and it could not then be used with any other party. A merchant would also have to manage a separate key for every customer.
2 Public-key (asymmetric) encryption. Asymmetric encryption is so called since the keys used by the sender and receiver of information are different. The two keys are mathematically related, so that what one key of the pair encrypts only the other can decrypt, yet the private key cannot feasibly be derived from the public key. Figure 3.11 shows how public-key encryption works in an e-commerce context. A customer can place an order with a merchant by automatically looking up the public key of the merchant and then using this key to encrypt the message containing their order. The scrambled message is then sent across the Internet and on receipt by the merchant is read using the merchant's private key. In this way only the merchant, who holds the only copy of the private key, can read the order. In the reverse case the merchant can confirm the customer's identity by checking a digital signature created with the customer's private key, using the customer's public key.
Figure 3.11 Public-key or asymmetric encryption (figure: the customer encrypts the order with the merchant's public key; the merchant decrypts it with the merchant's private key)
Digital signatures
A method of identifying individuals or companies using public-key encryption.
Digital signatures can be used to create commercial systems by using public-key encryption to achieve authentication: the merchant and purchaser can prove they are genuine. Before sending a message, the purchaser signs it (in practice, a fixed-length hash of it) with their private key; on receipt, the purchaser's public key is used to verify the signature. Since only the holder of the private key could have produced a signature that verifies, this proves the customer is genuine, provided the public key is known to belong to that customer (the role of the certificates described next). A signature also gives integrity and non-repudiation, since any change to the message invalidates it. Digital signatures are not widely used currently due to the difficulty of setting up transactions, but will become more widespread as the public-key infrastructure (PKI) stabilises and use of certificate authorities increases.
Certificates and certificate authorities (CAs)
A certificate is a valid copy of a public key of an individual or organisation together with identification information, signed by a trusted third party (TTP) or certificate authority (CA). CAs publish certificates so that public keys can be looked up and checked; the matching private key is generated and kept by its owner and should never be disclosed, not even to the CA.
The public-key infrastructure (PKI) and certificate authorities
In order for digital signatures and public-key encryption to be effective it is necessary to be sure that the public key used to verify a document actually belongs to the person you believe is sending you the document. The developing solution to this problem is the issuance by a trusted third party (TTP) of a message containing owner identification information and a copy of the public key of that person, signed by the TTP. The TTPs are usually referred to as certificate authorities (CAs) - an example is Verisign (www.verisign.com). The message is called a certificate. In reality, as asymmetric encryption is rather slow, it is not the whole message that is signed but a short fixed-length hash (digest) of it; the signed digest serves as the digital signature and any change to the message changes the digest. Examples of certificate information are:
• user identification data;
• issuing authority identification and digital signature;
• expiry date of this certificate;
• class of certificate;
• digital identification code of this certificate.
Virtual private network
Private network created using the public network infrastructure of the Internet.
A virtual private network (VPN) is a private wide-area network (WAN) that runs over the public network, rather than a more expensive private network. The technique by which a VPN operates is referred to as tunnelling: each original packet, headers and content alike, is encrypted and wrapped inside a new packet using the IPsec extensions to the Internet protocol, so that an observer on the public network sees only the tunnel endpoints. VPNs enable the global organisation to conduct its business securely, but using the public Internet rather than more expensive proprietary systems.
Current approaches to e-commerce security
In this section we review the approaches used by e-commerce sites to achieve security using the techniques described above.
Secure Sockets Layer (SSL)
A commonly used encryption technique for scrambling data as they are passed across the Internet from a customer's web browser to a merchant's web server.
Secure Sockets Layer protocol (SSL)
SSL is a security protocol, originally developed by Netscape, and subsequently supported by all web browsers such as Microsoft Internet Explorer. It has since been standardised and superseded by Transport Layer Security (TLS), and the original SSL versions are now deprecated as insecure, although 'SSL' remains the everyday name for the technology. SSL is used in the majority of B2C e-commerce transactions since it is easy for the customer to use without the need to download additional software or a certificate.
When a customer enters a secure checkout area of an e-commerce site SSL is used; older browsers prompted the customer that 'you are about to view information over a secure connection' and used a key symbol to denote this security. When encryption is occurring they will see that the web address prefix in the browser changes from 'http://' to 'https://' and a padlock appears in the browser (at the bottom of the window in older browsers, next to the address in current ones).
How does SSL relate to the different security concepts described above? The main facilities it provides are confidentiality and integrity of the data in transit, plus authentication of the merchant to the customer through the merchant's certificate. SSL enables a private link to be set up between customer and merchant. Encryption is used to scramble the details of an e-commerce transaction while they pass between the sender and receiver. It does nothing for the details once they are held on the computers at each end, so it addresses risk A above but not risk B, which needs separate protection of the merchant's stored data. Intercepting such a message and decrypting it without the session key is computationally infeasible with a modern cipher suite. SSL is more widely used than the rival S-HTTP method. The detailed stages of SSL are as follows:
1 Client browser sends request for a secure connection.
2 Server responds with a digital certificate which is sent for authentication.
3 Client and server negotiate session keys, which are symmetrical keys used only for the duration of the transaction.
Because SSL protects the card details only in transit, and early 'export-grade' versions used keys short enough to be broken with enough computing power, time and motivation, effort was put into end-to-end schemes such as SET. From a merchant's point of view there is also the problem that SSL authenticates the merchant to the customer but not the customer to the merchant, so authentication of the customer is not possible without resorting to other methods such as credit checks.
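The three handshake stages above are what a browser performs automatically; a programmatic client (a merchant's server calling a payment gateway, for example) gets the same authentication of the server only if it asks for it. As an added example, not from the original text, the Python below contrasts a client context that switches certificate checking off with a hardened one, and shows how the checked certificate is obtained from a live handshake; the host name passed to `fetch_peer_certificate` is a placeholder and nothing connects to the network unless that function is called.

```python
"""Client-side SSL/TLS configuration: the weak setting beside the corrected
one (added example). Uses only the Python standard library."""
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The mistake to avoid: encryption without authentication. Traffic is
    scrambled, but any server (a spoofed site, a man-in-the-middle) is
    accepted, so risk C above is not addressed at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, or none
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server's certificate against the system's trusted CAs,
    require its name to match the host we asked for, and refuse the legacy
    protocol versions (SSL 3.0, TLS 1.0/1.1) that are known to be breakable."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether the server is authenticated."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_peer_certificate(host: str, port: int = 443) -> dict:
    """Run handshake steps 1-3 against a real server and return its validated
    certificate. Raises ssl.SSLCertVerificationError if the certificate does
    not chain to a trusted CA or was issued for a different name."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", describe(insecure_context()))
    print("hardened:", describe(hardened_context()))
    # Example call (placeholder host, needs network access):
    # print(fetch_peer_certificate("shop.example")["subject"])
```

`create_default_context()` already loads the operating system's CA store and enables both checks, so the common way to end up with the insecure variant is a deliberate `CERT_NONE` added to silence a certificate error; that error is usually the signal that the connection is not going where it should.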
Secure Electronic Transaction (SET)
A standard for public-key encryption intended to enable secure ecommerce transactions lead-developed by Mastercard and Visa.
Secure Electronic Transaction (SET)
Secure Electronic Transaction (SET) was once touted as the way forward for increasing Internet security, but adoption was limited due to the difficulty of exchanging keys and the time taken per transaction, with most e-commerce sites still using SSL. SET is a security protocol based on digital certificates, developed by a consortium led by Mastercard and Visa, which allows parties to a transaction to confirm each other's identity. By employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and conversely allows the merchant to verify that the credit card is being used by its owner. It also requires that each purchase request include a digital signature, further identifying the cardholder to the retailer. The digital signature and the merchant's digital certificate provide a certain level of trust.
Alternative payment systems
Methods of transferring funds from a customer to a merchant.
The preceding discussion has focused on payment using credit card systems since this is the prevalent method for e-commerce purchases. Throughout the 1990s there were many attempts to develop alternative payment systems to credit cards. These focused on micropayments or electronic coinage for small purchases, such as downloading an online newspaper article, for which the overhead and fee of using a credit card was too high. One system that has succeeded is PayPal (www.paypal.com) which was purchased by eBay and is a major part of their revenue stream since it is used for payment by those who don't have access to credit cards. BT has launched BT 'Click and Buy' for micropayments which is successful within the UK.
Reassuring the customer
Once the security measures are in place, content on the merchant's site can be used to reassure the customer, for example Amazon (www.amazon.com) takes customer fears about security seriously judging by the prominence and amount of content it devotes to this issue. Some of the approaches used indicate good practice in allaying customers' fears. These include:
• use of customer guarantee to safeguard purchase;
• clear explanation of SSL security measures used;
• highlighting the rarity of fraud ('ten million customers have shopped safely without credit card fraud');
• the use of alternative ordering mechanisms such as phone or fax;
• the prominence of information to allay fears - the guarantee is one of the main menu options.
Companies can also use independent third parties that set guidelines for online privacy and security. The best-known international bodies are TRUSTe (www.truste.org) and Verisign for payment authentication (www.verisign.com). Within particular countries there may be other bodies such as, in the UK, ISIS (www.imrg.org.uk/isis).
Firewall
A specialised software application mounted on a server at the point where the company is connected to the Internet. Its purpose is to prevent unauthorised access into the company from outsiders.
Phishing
Obtaining personal details online through sites and e-mails masquerading as legitimate businesses.
Hackers can use techniques such as 'spoofing' to hack into a system and find credit card details. Spoofing, as its name suggests, involves someone masquerading as someone else. Spoofing can be of two sorts:
• IP spoofing is used to gain access to confidential information by creating false identification data such as the originating network (IP) address. The objective of this access can be espionage, theft or simply to cause mischief, generate confusion and damage corporate public image or political campaigns. Firewalls can be used to reduce this threat, for example by dropping packets arriving from the Internet that claim an internal source address.
• Site spoofing, i.e. fooling the organisation's customers: using a similar URL such as www.amazno.com can divert customers to a site which is not the bona fide retailer.
Firewalls can be used to minimise the risk of security breaches by hackers and viruses. Firewalls are usually created as software mounted on a separate server at the point the company is connected to the Internet. Firewall software can then be configured to accept only connections from trusted domains representing other offices in the company or key account customers. A firewall has implications for marketers since staff accessing a web site from work may not be able to access some content such as graphics plug-ins.
The risk to companies of these attacks was highlighted in the spring of 2000, when the top web sites were targeted. The performance of these sites such as Yahoo! (www.yahoo.com) and eBay (www.ebay.com) was severely degraded as millions of data packets flooded the site from a number of servers. This was a distributed attack where the sites were bombarded from rogue software installed on many servers, so it was difficult for the e-tailers to counter. Since then, fraudsters have attempted to blackmail online merchants at critical times, for example online betting companies before a major sporting event or e-retailers before Christmas. These are often very sophisticated attacks which involve using viruses to compromise many 'zombie' computers around the world which are not adequately protected by firewalls and are then subsequently used to flood the target with traffic. Such attacks are very difficult to counter.
Phishing (pronounced 'fishing') is a specialised form of online identity theft. The most common form of 'phishing' is where a spam e-mail is sent out purporting to be from an organisation such as a bank or payment service. Recipients are invited to visit a web site to update their details after entering their username and password. The web address directs them to a false site appearing the same as the organisation's site. When the username and password are entered these are then collected and used for removing money from the recipient's real account. In 2004, the sites barclaysprivate.com and eurocitibank.com - neither of them anything to do with existing banks - were shut down, having been used to garner ID details for fraud. Such scams are a modern version of the scam devised by criminals where they install a false ATM in a wall with a card reader to access someone's account details. This form of scam is difficult to counter since the e-mail and web site can be made to appear identical to those of the organisation through copying. The main countermeasure is education of users, so banks for instance will tell their customers that they would never send this form of e-mail. However, this will not eradicate the problem since with millions of online customers some will always respond to such scams. A further approach is the use of multiple passwords, such that when an account is first accessed from a new system an additional password is required which can only be obtained through mail or by phone. Of course, this will only work if identity theft hasn't occurred. So, for organisations subject to phishing attacks, options for e-mail marketing are limited.
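Both the site-spoofing URL trick (www.amazno.com) and the phishing domains above (barclaysprivate.com) can be caught mechanically before a user ever sees them, which is the check a mail gateway or a brand-protection service applies to links. As an added example, not from the original text, the Python below classifies a URL's host name against a small brand list: an exact registrable-domain match is legitimate, a brand name used as a subdomain of someone else's domain is flagged, and a registrable name that contains a brand or is one typo or transposition away from it (Damerau-Levenshtein distance, optimal string alignment variant) is flagged as a look-alike. The brand list, the second-level-domain list and the sample URLs are constructed; a production check would use the Public Suffix List and a full brand inventory.

```python
"""Flagging host names that impersonate a brand: site spoofing and phishing
lures (added example). Brand list and sample URLs are constructed."""
from urllib.parse import urlsplit

LEGITIMATE = {"amazon.com", "barclays.co.uk", "paypal.com"}   # constructed
SECOND_LEVEL = {"co", "com", "org", "ac", "gov", "net"}       # e.g. barclays.co.uk


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit, so the
    typo-squat 'amazno' is one step from 'amazon' rather than two."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def registrable_domain(host: str) -> str:
    """The part of the host name the registrant actually controls."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


def classify(url: str) -> str:
    """Return 'legitimate', 'brand-in-subdomain', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        return "legitimate"
    brands = {d.split(".")[0] for d in LEGITIMATE}
    # paypal.com.evil.example: the brand appears, but someone else owns the domain.
    subdomain_labels = host[: -len(reg)].strip(".").split(".")
    if any(b in label for b in brands for label in subdomain_labels if label):
        return "brand-in-subdomain"
    name = reg.split(".")[0]
    # amazno.com, barclaysprivate.com, amazon.co: near to or containing the brand.
    if any(b in name or damerau_levenshtein(name, b) <= 1 for b in brands):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for url in ("https://www.amazon.com/cart", "http://www.amazno.com/",
                "http://paypal.com.evil.example/update",
                "http://barclaysprivate.com/login", "http://eurocitibank.com/",
                "https://example.org/"):
        print(f"{classify(url):20} {url}")
```

Note that eurocitibank.com comes back as 'unknown' because no Citibank domain is on the constructed brand list: a check like this is only as good as its inventory of the names it protects, which is why it complements rather than replaces the user education described above.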