CIS 4398

Independent Study

Security Issues in E-Commerce

Hector Chavez

August 5, 2001

Introduction

We live in a world that changes almost daily, and most of this change can be attributed to rapid advances in technology. While some may argue that technology is advancing too fast for us to keep up with it, the internet has proven to be a major part of many people's lives. We no longer have to wait for the evening news to get information; the internet serves not only as a tool to distribute information but also as a medium to distribute goods and services (Guay and Ettwien 1998).

Many corporations and small companies have invested millions of dollars to get a piece of what many believe will be a pie worth hundreds of billions of dollars. The next big thrust in the quest to make our lives better, simpler and more productive is electronic commerce, or e-commerce (Ferraro).

In this paper I will examine the technology that makes e-commerce possible and also look into the issues of privacy, security and trust. While security is the most important issue from the seller's viewpoint, to the buyer privacy and security are equally important. Much of the technology that makes secure transactions possible can also be used to gather information about the buyer, including surfing habits and purchasing habits.

When we conduct transactions in the 'real world' we have built a level of trust based on experience. The buyer trusts that the goods received are just what they wanted, and the merchant trusts that the buyer's method of payment is legal tender. This level of trust has not yet reached e-commerce.

For e-commerce to flourish and reach its full potential, the same level of trust found in the real world must be developed so that consumers, merchants and banks will have faith in the new system (Ferraro). The internet offers tremendous opportunity for merchants around the world to sell their products online. Government, along with business leaders, needs to develop and continue to improve the standards that play a significant role in securing transactions on the internet.

What is E-Commerce?

E-commerce in its simplest form is the buying and selling of goods and services over the internet. Many companies have seen this as an opportunity to remove the middle man and sell their goods and services at a reduced price. The basics of e-commerce can be found in Electronic Data Interchange (EDI) (Ferraro). Many corporations have been using EDI to conduct secure transactions between themselves and their suppliers. The major difference between EDI and e-commerce is that EDI uses a private connection between suppliers and merchants, which makes it easier to secure transactions over EDI. Securing information and transactions over the open internet is much more difficult.

The banking industry estimates that a transaction involving human interaction costs $1.07, while a transaction done online without human interaction costs about one cent (Srinivasan). With such a large cost difference, many businesses are moving towards electronic transactions. Web sites can be designed and implemented to target specific buyers, and they can be personalized according to visitors' surfing and purchasing habits.

Consumers can search for the specific product they want and even compare prices and shipping costs from several different merchants. As more people throughout the world gain access to computers, the barriers and borders that many companies would otherwise face begin to disappear. With online sales expected to reach hundreds of billions of dollars by 2003, businesses must make sure that consumers feel secure about the transactions they make online.

E-Commerce Security Standards

While the internet has provided a tremendous opportunity for merchants around the world, the anonymous and open nature of public communication networks has presented serious challenges for securing personal and bankcard information over the internet (Srinivasan 2000). The major beneficiary of the continued growth in online use is online commerce, so it is industry's role to give customers confidence that their online transactions are secure.

Standards play a major role in securing transactions over the internet. Standards provide interoperability, connectivity, consistency of applications, transparent data exchange, distributed open environments, improved information sharing, security, and lower costs to users and software providers (Srinivasan). With hundreds of millions of computers connected to the internet throughout the world, the e-commerce industry has to guarantee the security of these transactions. If it does not, there are many who will try to take advantage and may cause irreparable damage to the entire industry.

Emerging Internet Standards

Secure Electronic Transactions

Secure Electronic Transactions (SET) was developed by MasterCard and Visa to enable secure payment transactions. SET uses cryptography and related technology to provide confidentiality of financial data, to ensure payment integrity, and to authenticate merchants, banks, and cardholders during transactions (Srinivasan). The SET system is used in over 100 million copies of internet-based applications, making it easy for many around the world to adopt it. The key to SET is that no physical card is needed to process the transaction.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a program created by Netscape for managing transmissions in a network. The idea behind SSL is that messages are contained in a program layer between an application such as the browser and the internet's TCP/IP layers. SSL does not provide a means to handle payment, but it does offer confidentiality in Web sessions, authentication of servers and data integrity.

SSL provides authentication by endorsing the identity of a web site through a certification authority (CA). Web browsers come with a list of certification authorities; when a browser connects to a Web site, the site's certificate is downloaded to the user's browser. SSL helps to prevent fraud by inspecting the certificate of the web site: the certificate must have been issued by a CA on the browser's list, and it must have been issued for the site the user asked for.
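
The browser-side check described above, as an added example in Go that is not part of the original paper. It mints a "trusted list" containing a single certification authority, has that CA issue a site certificate, and then verifies three cases the way a browser would: the genuine certificate for the right host, the genuine certificate presented for a different host, and a certificate for the right host issued by a CA that is not on the list. The CA names and the hosts shop.example and bank.example are constructed for the example; only the site's public certificate is needed to perform the check, never its private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for the template and has parent sign the certificate.
// With parent == nil the certificate is self-signed, which is how a root CA is created.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template describes either a certification authority or a server certificate bound to one
// host name. A real browser ships with its CA certificates pre-installed; here they are
// minted locally (constructed names) so the example runs offline.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// verifySite is the check the browser performs when it inspects a site's certificate:
// it must chain to a CA on the trusted list and be issued for the host the user asked for.
func verifySite(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demoResults builds a trusted CA, a CA the browser has never heard of, and a certificate
// for the constructed host shop.example from each, then runs the three checks that matter.
func demoResults() (map[string]error, error) {
	trustedCA, trustedKey, err := issue(template("Example Trusted Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := issue(template("Unknown CA", 2, true), nil, nil)
	if err != nil {
		return nil, err
	}
	const host = "shop.example"
	genuine, _, err := issue(template(host, 1000, false), trustedCA, trustedKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := issue(template(host, 1000, false), rogueCA, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the browser's built-in list: only the trusted CA is on it
	roots.AddCert(trustedCA)
	return map[string]error{
		"genuine":    verifySite(genuine, host, roots),           // accepted
		"wrong-host": verifySite(genuine, "bank.example", roots), // real certificate, wrong site
		"unknown-ca": verifySite(rogue, host, roots),             // right name, untrusted issuer
	}, nil
}

func main() {
	results, err := demoResults()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "wrong-host", "unknown-ca"} {
		fmt.Printf("%-11s accepted=%-5v %v\n", name, results[name] == nil, results[name])
	}
}
```

The two rejections are what separate a genuine site from the copied storefront described later in this paper: a copy can present a certificate that looks right, but it cannot be both issued by a CA the browser already trusts and bound to the name the user typed unless that CA was persuaded to sign it.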

 

Secure Hypertext Protocol

Secure Hypertext Protocol (S-HTTP) is a secure extension to HTTP that provides a number of security features, including client/server authentication, spontaneous encryption, transaction confidentiality, and request/response non-repudiation (Srinivasan). This protocol is broad enough to support a number of technologies and to be interoperable with non-secure HTTP services.

While all of the standards discussed above have made e-commerce more secure, there always seems to be someone who is one step ahead of the people who design web site security. Even if someone could build a completely secure web site, the possibility of fraud and deceit over the internet would still remain.

Unscrupulous characters can copy a major website and sell non-existent products just to collect consumers' credit card information. The more information a company wishes to make available to its consumers and employees, the more likely it is to leave openings for someone to crack the site and steal important information. Companies need to find a balance between how much information they wish to make available and how open their system is to attack.

Extensive deployment of fiber cables and the availability of high-speed access such as ADSL (Asymmetric Digital Subscriber Line) have made it possible for people to access the internet in a secure way; moreover, companies like Amazon.com and eBay have given customers confidence in online transactions (Srinivasan). If recent trends continue, tens of billions of dollars will be exchanged in online transactions within a few years. It is in these companies' best interest to continue to improve not only the actual security of their online information and transactions, but also consumers' confidence in purchasing merchandise online.

Privacy and Security

The other side of security is privacy: in order to make a web site more secure, companies must ask the user or customer to give up some privacy (Payton). While some companies list their information gathering and sharing policies for their users, most users, including myself, do not take the time to read through these often long and difficult statements. Many companies do not list their privacy policies on their web site, and of those that do, the policies are often difficult to find. While traditional retailers regularly gather information about their customers, the internet makes it easy for merchants to gather customer information quickly and efficiently. Not only does the internet allow merchants to gather information quickly, it also allows them to store and distribute this information to anyone they wish.

While e-commerce is not limited to online purchasing (Kendall), emerging and current technologies stand to challenge current definitions of privacy (Payton). When individuals conduct private transactions there is an assumption that personal information is not being divulged to others (Ferraro). Because most of us access the internet from home, many of us assume the transactions we conduct online are private. This of course is not true: when we conduct an online transaction, some form of record of it is kept. When we use a credit card to make a purchase we realize that we will have to give the merchant our billing address, and many times the IP address of the computer we are using is also recorded. Several e-commerce applications have proven capable of gathering customer or user information with or without their consent. These include personalization technologies and e-marketing technologies.

Personalization Technologies

Personalization technologies allow web site owners to tailor a web site to a user's preferences and habits. When we search for a video or CD at amazon.com, the results page lists other items we may like based on our current and even past searches. Most notably, these applications can make use of a range of tools that include data mining, databases, cookies, and rules-based forecasting and inferencing (Payton). In effect these companies are building an electronic profile of visitors to their web site. While this information by itself is not dangerous, the way in which the company chooses to use it decides whether or not that company has violated an individual's privacy. Once all the data for an electronic profile has been collected and analyzed, the information that comes out of this process can be sold to other merchants for a large profit, whether or not the individual in question approves.

E-Marketing Technologies

E-marketing technologies, acting as decision support tools, enable organizations to develop more targeted marketing programs based on likely customer interests (Payton). When this information has been gathered and analyzed, companies can use it for targeted emailing, banner ads and pop-up windows to try to sell a specific product to a web user. For instance, whenever I visit a travel website, almost immediately pop-up ads start coming from Windows Messenger informing me of great deals at other travel web sites. Given the decision support functionality associated with e-marketing technologies, the organization must make a conscious decision to target a customer (Payton). In other words, the technology itself is not to blame for what company decision makers decide to do with the information they have collected and analyzed.

While most internet users realize that some privacy will have to be given up for there to be a higher level of security, there are still unresolved issues that should concern companies wishing to profit from e-commerce transactions. Misuse of and errors in customer information prevail as overriding concerns along with security issues (Payton). The transfer of inaccurate data, loss of identity, stolen credit card numbers and other possible transgressions are very difficult to deal with even in the real world, where it is possible to determine a starting point (Ferraro). When these things occur in an electronic market it becomes very difficult and expensive to figure out what occurred and who was responsible.

Building Trust through Security

What security in e-commerce really comes down to is whether the user trusts the web site or company they are conducting online business with. The opposite side is also true: does the online organization and bank trust that the consumer making an online transaction is really who they say they are? Only when all of these parties are truly able to trust who they are dealing with online will this business model really take off (Ferraro). Most people agree that electronic commerce can only become a success if the general public trusts the entire environment they are dealing with. As mentioned above, this trust comes down not only to trusting the other party we are dealing with but also to trusting the entire process that will take us through the successful completion of the transaction. This distinction is particularly relevant for international business-to-business electronic commerce, where trading partners often do not know each other before the trading takes place (Tan and Thoen).

So how does a company build trust with its customers? While many retailers that are exclusively online will find it more difficult to gain the trust of their customers, many traditional retailers are seeing the value of putting their name on an e-commerce web site. Traditional brick-and-mortar retailers such as Barnes and Noble and Best Buy have quickly become internet leaders by using the trust and reputation they had already developed as traditional retailers to sell their products over the internet. The large size of these traditional retailers boosts consumer confidence in their ability to provide satisfactory service. Many of these traditional retailers have also added the option of purchasing an item online and then picking it up at a local store, or of returning to a local store a product that was purchased online and delivered to the customer's address. All of these services have raised confidence in the e-commerce transactions offered by these traditional retailers. Because there will usually be some time between purchase and delivery of an online purchase, exclusively online retailers, or e-tailers, will have a more difficult time building trust with their customers. For the most part the consumer can assess service quality only after the purchase and delivery have been made (Krishnamurthy).

For the online retailer, the layout and structure of the site is the first step in whether or not a visitor will trust them. For instance, if a prospective buyer is looking through a site that has broken links or misspelled words, the consumer may lose confidence that the retailer can deliver the desired product in a timely fashion. The ease of use of the site then becomes the next step in creating trust for the e-tailer. A site that is difficult to navigate, with ambiguous descriptions, will not go a long way in creating trust between itself and the consumer. The usability of an e-tailer's site has a major impact on shopping behavior (Nielsen, 2000).

Many e-tailers are figuring out that using a third party to build trust is an effective strategy. Companies can obtain so-called seals of approval from third parties and display them on their web site. There are different types of seals, but most deal with either privacy issues or customer satisfaction issues. Visitors who see these seals may gain more trust that the organization in question will protect their information or will deliver any products purchased in a timely fashion. While most consumers will not be interested in how a particular online system works to complete a transaction, this system is vital if the merchant is to trust not only that the consumer is who they say they are, but also that the merchant will be paid in a timely manner.

The merchant is then concerned with three areas: identification, authentication, and authorization. Identification is the method the merchant system uses to recognize a user. Authentication is the act of confirming that the user is who they claim to be. Once a user has been authenticated, the system may grant the user certain rights, such as the ability to make an online purchase. Authorization is the act of granting a user the requested access, such as access to his or her account.
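
The three steps as they fit together in a merchant's login path, as an added Go example that is not part of the original paper. The customer records, passwords and rights are constructed sample data; the salted SHA-256 is used only to keep the example self-contained, and a production system would use a deliberately slow password hash instead. Identification looks the claimed name up, authentication confirms it with the password, and authorization checks that the authenticated account actually holds the right for the requested action; none of the three is skipped.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// account is one customer record in the merchant's user store (constructed sample data).
type account struct {
	Username string
	Salt     []byte
	Hash     []byte          // salted SHA-256 of the password; stand-in for a slow password hash
	Rights   map[string]bool // actions this account may perform, e.g. "purchase"
}

type merchant struct {
	accounts map[string]*account
}

// decision is what handleRequest returns: the client gets one generic message,
// the merchant's audit log gets the precise reason.
type decision struct {
	Granted       bool
	ClientMessage string
	AuditReason   string
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func (m *merchant) register(username, password string, rights ...string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	acct := &account{Username: username, Salt: salt, Hash: hashPassword(salt, password), Rights: map[string]bool{}}
	for _, r := range rights {
		acct.Rights[r] = true
	}
	m.accounts[username] = acct
	return nil
}

// newMerchant builds a store with two constructed customers: alice may view her account
// and purchase; bob's payment details are not yet verified, so he may only view.
func newMerchant() *merchant {
	m := &merchant{accounts: map[string]*account{}}
	for _, c := range []struct {
		user, pass string
		rights     []string
	}{
		{"alice", "correct horse battery staple", []string{"view_account", "purchase"}},
		{"bob", "hunter2", []string{"view_account"}},
	} {
		if err := m.register(c.user, c.pass, c.rights...); err != nil {
			panic(err)
		}
	}
	return m
}

// identify: step one, recognise who the request claims to be.
func (m *merchant) identify(username string) *account {
	return m.accounts[username]
}

// authenticate: step two, confirm the claim with something only that user knows.
func (m *merchant) authenticate(acct *account, password string) bool {
	if acct == nil {
		hashPassword(make([]byte, 16), password) // same work as a real check, so timing reveals nothing
		return false
	}
	return subtle.ConstantTimeCompare(hashPassword(acct.Salt, password), acct.Hash) == 1
}

// authorize: step three, grant only the access the authenticated user actually holds.
func (m *merchant) authorize(acct *account, action string) bool {
	return acct != nil && acct.Rights[action]
}

// handleRequest runs the three steps in order and never skips one.
func (m *merchant) handleRequest(username, password, action string) decision {
	acct := m.identify(username)
	if !m.authenticate(acct, password) {
		reason := "bad password for " + username
		if acct == nil {
			reason = "unknown user " + username
		}
		// One message for both failures, so the login form cannot be used to list customers.
		return decision{false, "invalid username or password", reason}
	}
	if !m.authorize(acct, action) {
		return decision{false, "you are not permitted to " + action, "missing right " + action}
	}
	return decision{true, action + " granted", "ok"}
}

func main() {
	m := newMerchant()
	for _, req := range [][3]string{
		{"alice", "correct horse battery staple", "purchase"},
		{"alice", "wrong", "purchase"},
		{"mallory", "x", "purchase"},
		{"bob", "hunter2", "purchase"},
	} {
		d := m.handleRequest(req[0], req[1], req[2])
		fmt.Printf("%-8s %-13s granted=%-5v client=%q audit=%q\n", req[0], req[2], d.Granted, d.ClientMessage, d.AuditReason)
	}
}
```

The split between ClientMessage and AuditReason is the point a merchant should keep: the precise reason belongs in the server's log for investigating what occurred and who was responsible, while the customer-facing reply stays the same whether the name or the password was wrong.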

Encryption technology is going to play a critical part in protecting confidentiality, authenticity and security. Trust online will be created when security measures have been developed along these lines (Ferraro). Because most of this development has been largely uncoordinated, the industry may not be taking full advantage of the immense opportunity that e-commerce has to offer.

Government should outline what legal policies Web sites must follow and what remedies are available to the consumer. By working together with government agencies, industry can affect what policies and safeguards are put into practice.

Conclusion

The internet and e-commerce offer enormous potential, but security, privacy and trust must all be part of a web site's strategy if it is to take advantage of this still relatively new form of commerce. While the cost of securing a web site may appear high to some, the cost of cutting corners and not implementing an appropriate strategy may very well mean the end of that particular business. However, if the needs of the customer are not being met, then there is no value added by that strategy (Liddy).

E-commerce is clearly changing the way in which businesses and consumers do business. Consumers demand more privacy while at the same time wanting increased security and usability. Organizations must clearly show what their privacy policies are and let the consumer choose whether or not to do business with them. While increasing security, developers must ensure that usability does not suffer; after all, it does not matter if a system is 100% secure if it is so difficult to use that no one will use it.

Today's e-tailers must store and retrieve massive amounts of data. This means that if that data becomes corrupted or compromised in any way, the company may be dealing with a catastrophe it cannot recover from. While many online shoppers feel secure about using their credit cards or checks to make online purchases, what happens to the information gathered while the transaction occurs is of greater concern. Consumers must be confident that their credit card numbers, addresses and other personal information will not be stolen or corrupted while it sits in the company's database. More importantly, many consumers fear that the company itself may misuse this information to "profile" its customers and offer them targeted products, or that it may even sell that information to others without their permission.

As I stated before, it comes down to the issue of trust. E-commerce can only reach its full potential if merchants, developers and the industry as a whole can gain consumer trust. Trust is not a separate issue from security, because trust is essentially the consumer feeling secure about what happens to their information once a transaction has been made. Government agencies and the industry must come together to develop a set of standards all browsers can use and to develop regulations that merchants must follow to ensure secure transactions.

The internet today continues to grow, and software and hardware change at a rapid pace, leaving many companies to wonder when they should upgrade. When a company finally does decide to upgrade, it is certain that a flaw in its new system will soon be found and exploited. The only way to secure an e-commerce site 100% is to unplug it, which is certainly not a realistic option. Armed with the fact that building and maintaining trust is the key to the successful implementation of an e-commerce security system, decision makers and administrators can make appropriate decisions on how best to secure their e-commerce sites.

References

Krishnamurthy, Sandeep. "An Empirical Study of the Causal Antecedents of Customer Confidence in E-Tailers." First Monday, volume 6, number 1, January 2001.

O'Daniel, Thomas. "A Value-Added Model for Electronic Commerce." In: Schmid, Beat F.; Alt, Rainer; Zimmermann, Hans-Dieter; Buchet, Brigette: EM - Anniversary Edition: Business Models. EM - Electronic Markets, volume 11, number 1, April 2001.

Nelson, P. "Advertising as Information." Journal of Political Economy, volume 82, number 4, 1974, pp. 729-754.

Ferraro, Anthony. "Electronic Commerce: The Issues and Challenges to Creating Trust and a Positive Image in Consumer Sales on the World Wide Web." First Monday, volume 3, number 6, June 1998.

Liddy, C. "Commercial Security on the Internet." Information Management and Computer Security, volume 4, number 1, 1996, pp. 47-49.

Klein, Stefan. "Emerging Electronic Markets: Economic, Social, Technical, Policy and Management Issues." In: Alt, Rainer; Schmid, Beat F.; Zbornik, Stefan: EM - Emerging Electronic Markets. EM - Electronic Markets, volume 5, number 1, January 1995.

Payton, F. "Ecommerce: Technologies That Do Steal." Decision Line, volume 32, number 2, 2001, pp. 65-66.

Wildhaber, B. "Electronic Markets and Security Requirements." Electronic Markets, number 11, 1994, pp. 8-9.

Guay, D. and Ettwien, J. "Internet Commerce Basics." Electronic Markets, volume 8, number 1, 1998, pp. 12-14.

Srinivasan, S. "E-Commerce Security Standards and Loopholes." Academy of Information and Management Sciences Journal, volume 3, number 2, 2000, pp. 117-123.

Khare, R. and Rifkin, A. "Trust Management on the World Wide Web." First Monday, volume 6, number 3, 2001.

Khare, R. and Rifkin, A. "Weaving a Web of Trust." World Wide Web Journal, special issue on security, volume 2, number 3, 1997, pp. 77-112.

Wildhaber, Bruno. "Electronic Markets and Security Requirements." In: Alt, Rainer; Schmid, Beat F.; Zbornik, Stefan: EM - Legal Uncertainty and Electronic Markets. EM - Electronic Markets, volume 4, number 1, February 1994.

Tan, Yao-Hua and Thoen, Walter. "A Logical Model of Trust in Electronic Commerce." In: Schmid, Beat F.; Lechner, Ulrike; Stanoevska-Slabeva, Katarina; Tan, Yao-Hua; Buchet, Brigette: EM - Communities & Platforms. EM - Electronic Markets, volume 10, number 4, October 2000.

Zwick, Detlev and Dholakia, N. "Contrasting European and American Approaches to Privacy in Electronic Markets: A Philosophical Perspective." In: Schmid, Beat F.; Swatman, Paula M.; Vogel, Doug; Buchet, Brigette: EM - Electronic Commerce in Austral-Asia. EM - Electronic Markets, volume 11, number 2, May 2001.