Internet E-Commerce Security
By Tri Trinh and Jeremy Winkelman

E-commerce Security and Its Relevance

E-commerce is primarily an economic phenomenon, with an electronic medium mediating the exchange of money for goods and services. According to independent analysts, "cash transaction on the Internet will reach $9 billion by the year 2000, and $30 billion by 2005."[i] No business can ignore the economic potential of this robust market.

Internet transactions present challenges for both businesses and individuals. The exchange of capital for goods or services no longer passes directly from business to consumer. The exchange is now transacted by a third-party electronic mediator which neither the consumer nor the supplier ever sees. The impersonal and remote nature of e-commerce calls into question the consumer's confidence, trust, and willingness to accept the risk of being defrauded. Internet e-commerce will not reach its capital earning potential until mass consumer-based technologies exist that give consumers the confidence to overcome the fear of putting their credit card information into an electronic form on a web site. Ultimately, high security must exist on the host end as well as the user end to realize the emerging e-commerce market.

E-commerce Security Impacts Emerging E-commerce Market

Internet e-commerce security measures are already being employed by 98 of the Fortune 100 companies and 100,000 other leading Internet e-commerce sites. Any enterprise, from small businesses to robust Fortune 500 companies, that wishes to establish a web presence with a storefront that remains open 24 hours a day has to be concerned with e-commerce security. This storefront is the delivery channel that brings potential revenues and market share. Fortunately, security is not as big an issue as it once was. Getting a secure storefront set up on the net can now be done in one working day, and for minimal cost. A whole new market has emerged: companies are popping up all over the place that specialize in making your website secure and then supporting your site for a monthly fee. They are using current security techniques that are very effective. Many businesses cannot ignore this huge market opportunity; as a result, we are going to see the popularity of shopping online skyrocket.

E-commerce Still Refining Security Options

The dominant Internet e-commerce security company is Verisign. However, the regulatory organization is the Department of Commerce, which maintains restrictions on encryption technologies. Verisign's technology can only go as far as the Department of Commerce's policies allow. Recently, the Department of Commerce allowed Verisign to deploy a "128-bit encryption technology, the most ever allowed."[ii]

The dominant e-commerce security measure employed is Secure Socket Layer (SSL). Originally developed by Netscape Communications Corporation, it is basically the industry standard method for protecting web communications. The SSL protocol provides data encryption, message integrity, server authentication, and, optionally, client authentication for a TCP/IP connection. SSL is now built in to all major web browsers. It currently uses 128-bit encryption.
Older browsers, such as Netscape versions before 4.0, used 40-bit encryption. It turns out that 128-bit encryption is trillions of times "stronger" than 40-bit encryption.

SSL can guarantee privacy through its encryption system. The data packet could still be intercepted by a third party, but it would not do them any good since they would not have access to the encryption key. Digital certificates are used to provide authentication for the secure documents. The certificates enable all parties to quickly verify whether the other party is giving its correct identity. SSL also provides integrity for the packets. If a packet will not decrypt properly, then you know that the packet has been altered during transmission, and the session halts.

Essentially, SSL is just secret-key encryption enclosed within public-key encryption, with certificates used for authentication. Both public-key and private-key encryption are employed since public-key encryption is slow relative to private-key encryption. The session starts with an exchange of public keys by the client and server. The client then generates a private encryption key that will only be used for this session. This private key is sometimes referred to as a session key. Next, the client encrypts the session key with the server's public key and sends it to the server. The server then uses the session key for the remainder of the transaction.
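
The exchange just described, as an added example that is not part of the original article: the client wraps a random session key with the server's public key, and both sides then protect records with that key. It follows the article's simplified model; the toy RSA parameters, the hash-based cipher and all function names are assumptions, and none of it is secure enough for real use.

```python
# Added example: toy model of the key exchange and record protection above.
# Textbook RSA on small, publicly known primes and a hash-based keystream
# are stand-ins chosen to stay in the standard library; neither is secure.
import hashlib, hmac, secrets

# Server key pair (constructed): two Mersenne primes, no padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent

def client_make_session_key():
    """Client: pick a random 128-bit session key and wrap it for the server."""
    key = secrets.token_bytes(16)
    return key, pow(int.from_bytes(key, "big"), E, N)   # slow public-key step

def server_unwrap(wrapped):
    """Server: recover the session key with its private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()   # separate enc and MAC keys

def _xor_stream(key, nonce, data):
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Fast secret-key step: encrypt, then MAC the nonce and ciphertext."""
    nonce = secrets.token_bytes(8)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_record(key, record):
    """Return the plaintext, or raise ValueError if the record was altered."""
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record altered in transit: halt the session")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

if __name__ == "__main__":
    key, wrapped = client_make_session_key()
    assert server_unwrap(wrapped) == key
    print(open_record(key, seal(key, b"constructed order form data")))
```
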

From a common user's perspective, the process looks like this: the session gets started by a web browser (client) requesting that a document be sent through the secure protocol, HTTPS. Changing the prefix of the URL from http to https redirects it through this secure protocol. Next, the server sends its certificate (describing itself) to the client. The client checks to see who issued the certificate. If the client does not trust the Certificate Authority (CA), it will prompt the user to choose either to continue or to terminate the transaction. Then the client will compare the information just received in the certificate with the site's domain name and its public key. The server is accepted as authenticated by the client if the information matches. The client tells the server which types of encryption algorithms it can use. The strongest encryption algorithm is selected by the server and is communicated to the client. Then the client will generate a private key (session key) using the agreed-upon encryption. The client encrypts the session key using the server's public key and sends it to the server. The server, using its private key, then decrypts it. This session key will remain in use until the transaction is complete.

Another popular security protocol is the Secure Electronic Transaction (SET) protocol. Visa and MasterCard developed this protocol for merchants, banks and cardholders. It was designed specifically to handle secure credit card transactions over the Internet. It guarantees the identities of everyone involved in the purchases by using digital certificates prior to sending the packets over the Internet. Similar to SSL, SET uses certificates to provide authentication of the merchant's identity. SET takes this one step further by allowing merchants to request that users' identities be proven by certificates as well. This makes stolen credit cards much more difficult to use. Another big advantage is that merchants don't have access to the actual credit card number.
In a typical credit card transaction, there are two types of information. The first is information between the merchant and the customer, such as the items being ordered. The second is the information between the customer and the bank, such as credit card numbers. SET allows each type of information to be kept private from the other party and still be sent in a single digitally signed packet. This is done by encrypting information intended for the bank with the bank's public key, and information intended for the merchant with the merchant's public key. This setup does not allow the merchant to have access to the actual credit card number, effectively eliminating another source of fraud.

How is Security being used by "users"

Using the Secure Socket Layer is as simple as making sure that the URL begins with "https". Using SET can become more involved. SET contains three major parts: (1) a software "wallet" contained on the user's computer, (2) a server that runs at the merchant's website, known as the commerce server, and (3) the server at the merchant's bank, called a payment server. Future versions of web browsers will include SET wallets pre-installed; current users must download them and install them on their computers. In the installation process, the user provides credit card information and chooses a PIN. The PIN secures access to the wallet. Digital certificates are required for each credit card the user wishes to put in the wallet. These certificates must be obtained from a bank or certificate agency.

To use SET, a shopper would choose items from a website, then decide to pay by SET from the payment options set forth by the merchant. This will start the wallet program. The user would then be prompted to choose which credit card to use. Then the wallet and the merchant's server exchange certificates. Assuming these were accepted, they would be encrypted and sent to the merchant.
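
SET's way of putting both kinds of information under one signature is its dual signature. The sketch below is an added example, not part of the original article; it goes beyond the text by showing that linkage rather than the per-recipient public-key encryption, and the toy RSA key, function names and sample order and card data are assumptions constructed for illustration.

```python
# Added example: how one signature can cover order and payment data that
# the merchant and the bank each see only half of (SET's dual signature).
# Toy textbook RSA and all sample data are constructed; not secure.
import hashlib

# Cardholder signing key (constructed): two Mersenne primes, no padding.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # cardholder's private exponent

def digest(data):
    return hashlib.sha256(data).digest()

def _as_int(linked):
    return int.from_bytes(linked, "big")

def cardholder_sign(order_info, payment_info):
    """Sign H(H(payment) || H(order)): one signature links both parts."""
    linked = digest(digest(payment_info) + digest(order_info))
    return pow(_as_int(linked), D, N)

def merchant_verify(order_info, payment_digest, dual_sig):
    """Merchant holds the order plus only a digest of the payment data."""
    linked = digest(payment_digest + digest(order_info))
    return pow(dual_sig, E, N) == _as_int(linked)

def bank_verify(payment_info, order_digest, dual_sig):
    """Bank holds the payment data plus only a digest of the order."""
    linked = digest(digest(payment_info) + order_digest)
    return pow(dual_sig, E, N) == _as_int(linked)

# Constructed sample data. The nonce keeps the payment digest from being
# guessable from the small space of card numbers.
ORDER = b"2 x widget; ship to 12 Example Road"
PAYMENT = b"nonce=9f3c1e77a2b04d58;card=4111111111111111;exp=12/01;amount=19.98"

if __name__ == "__main__":
    sig = cardholder_sign(ORDER, PAYMENT)
    print(merchant_verify(ORDER, digest(PAYMENT), sig))   # merchant never sees PAYMENT
    print(bank_verify(PAYMENT, digest(ORDER), sig))       # bank never sees ORDER
```

If either half is changed after signing, the party holding that half fails verification, so an order cannot be re-attached to a different payment.
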
Again, the merchant would only see the purchase details (items ordered and mailing address); it would not see the credit card number. The credit card information would be sent to the bank's payment server, which would then credit and debit the appropriate accounts.

Merging of Technologies Provides Key to E-commerce Security

Existing identification verification systems have evolved into cumbersome and time-intensive problems for both users and hosts. The most common problems are forgotten passwords and lost or stolen IDs. In e-commerce, where users have multiple credit accounts and favorite shopping sites, the old problems still persist. The answer to part of the problem is biometrics. Biometrics measures human characteristics such as fingerprints, eyes or face to positively identify a person (user). To remove any possible errors, biometric indicators can be combined, linking a fingerprint with its heat patterns. Biometrics essentially replaces the need to memorize multiple user passwords. Figuratively speaking, the user is now the "key", and a very unique key. It is a key that can't be forgotten or lost.

Biometrics is not a new technology. It has been used to control entry to restricted facilities such as laboratories and airports. It has replaced traditional network logons at businesses, and can also be linked to time and attendance software. So why hasn't this technology emerged in the mass consumer mainstream yet? The main challenge facing the biometrics industry is not technological. The industry lacks a common set of standards. In its infancy stage, Identicator Technology is seeking to define these much-needed catalytic standards. Identicator Technology is one of six founding members of the BioAPI[iii], a consortium consisting of dominant leaders in the technology industry: (1) Compaq, (2) IBM, (3) Microsoft, (4) Miros, (5) Novell and (6) Identicator Technology.
As with all new standards, once the application program interface standards are formalized, the market should enjoy widespread adoption of the technology. The standards will provide a measure of collaboration within the biometrics industry to create interoperable and easily implementable biometric applications of the technology. In an interview on CNBC with host Bill Griffith in October 1999, the CEO of Identix (parent company of Identicator Technology) foresaw the technology starting in "enterprise systems, to e-commerce, then eventually on the Internet."

The potential for biometrics goes far beyond password replacement. In the area of biometric user authentication, the next likely technology integration will be with smart card technology. Identicator Technology and its technology and marketing alliances plan to deliver fingerprint-based biometric security solutions to mass-market personal computers and a wide range of other technology solutions (keyboards, mice, hand-held PCs) and providers (banks, finance organizations, insurance companies).

At the core of the fingerprint technology is the Infineon FingerTIP chip. The small sensor chip is the size of an average postage stamp. It contains about 65,000 individual pixels that capture a crisp digital image of a human fingerprint. Once incorporated into a smart card and integrated in the mass market, it will be a user and e-commerce dream. The user would feel more confident that fingerprint authentication offers an improved measure of security. The uniqueness of one's fingerprint cannot be mimicked easily. Even if someone managed to steal a smart card, they couldn't use it because they couldn't authenticate properly. In addition, the two-element authentication and authorization process makes it extremely difficult to defeat both authentication and authorization.
Another feature that makes fingerprint authentication attractive to users is the fact that no password protection or maintenance is required. In contrast to today's credit card, with its number and expiration date exposed, a smart card with biometric fingerprints doesn't expose the user's sensitive information. Even if the card were lost, there would not be any data that could be extracted to enable fraudulent use of the card.

On the business enterprise side of e-commerce, much more collaboration needs to be achieved before smart card and biometric e-commerce security becomes mainstream for mass consumers. Presently, the technology solutions are segmented to the point that smart card/biometrics security implementation is either cost prohibitive or lacks the collaboration on standards needed for interoperable integration. Once collaboration and standards are set forth, we can expect PC makers to start installing smart card slots on every PC. Instead of fingerprint authentication, we can expect voice, face or heat pattern authentication on PCs or even on point-of-sale stations or kiosks.
_______________
Footnotes
[i] "Measuring Electronic Business Definitions. Underlying Concepts and Measurement Plans."
[ii] Verisign, "Securing Your Website for Business."
[iii] Identicator