E - COMMERCE

 
 

SECURITY AND ELECTRONIC PAYMENT


 

Is security an important concern in e-commerce?

Yes, security is a very important issue in e-commerce.  Many businesses and consumers are afraid to go online because of fears related to security of information and information systems.

The general security concerns in e-commerce involve the following:

  • User authorization; and

  • Data and transaction security.

How do you ensure user privacy and information security in an open network like the internet?

The available authorization schemes which make sure that only authorized users and programs can gain access to information resources such as user accounts, files, and databases, are:

  • Password protection;

  • Encrypted smart cards;

  • Biometrics (fingerprinting); and

  • Firewalls.

What are the available data transaction security schemes?

For purposes of protecting the privacy, integrity, and confidentiality of business transactions and messages, the following data and transaction security schemes may be used:

  • Secret-key encryption; and

  • Public/private-key encryption.

The above schemes are commonly used in several online payment systems such as electronic cash and electronic checks.

For the safe arrival and storage of information, and for the protection of the same from internal and external threats, a system's cryptographic methods should be supported by perimeter guards known as firewalls.

Internet security terms

Authentication - A way to verify that message senders are who they say they are.

Integrity - Ensuring that information will not be accidentally or maliciously altered or destroyed.

Reliability - Ensuring that systems will perform consistently and at an acceptable level of quality.

Encryption - A process of making information indecipherable except to those with a decoding key.

Firewall - A filter between a corporate network and the internet that keeps the corporate network secure from intruders, but allows authenticated corporate users uninhibited access to the internet.

Spoofing - A way of creating counterfeit packets with private IP (Intranet) addresses in order to gain access to private networks and steal information.

Denial of service - An attack on the information and communications services by a third party that prevents legitimate users from using the infrastructure.

What are the basic requirements of transaction security?

The basic requirements of transaction security are:

Transaction privacy.  This simply means that transactions must be held private and intact, with unauthorized users unable to understand the message content.

Transaction Confidentiality.  This implies that traces of transactions must be dislodged from the public network.  No intermediary is permitted to hold copies of the transactions unless authorized to do so.

Transaction Integrity.  This simply means that the transactions should be protected from unlawful interference, i.e., they must not be altered or modified.

What is encryption?

Encryption is a set of secret codes which defends sensitive information that crosses over public channels (such as the Internet).  It is a mutation of information in any form (text, video, and graphics) into a form decipherable only with a decryption key.

The purpose of encryption is to make it impossible for a stranger who obtains the ciphertext (encrypted information) while it is in transit across the network to understand it, while enabling the intended recipient to decode it and recover the original message, unaltered and not tampered with.


What are the kinds of encryption?

The two main kinds of encryption in common use today are: (1) the “single-key” or “secret key” encryption; and (2) “public key” encryption.  A “key” is a very large number, a string of zeroes and ones.


How does the secret-key encryption work?

The secret-key encryption, otherwise known as symmetric encryption, involves the use of the same key (a shared key) for both encryption by the transmitter and decryption by the receiver.

For instance, Juan transmits a purchase order (PO) over the network to Pedro in a way that only Pedro can read it.  Juan encrypts the plaintext of the PO with an encryption key and sends the encrypted PO (the ciphertext, which is in a scrambled format) to Pedro. Pedro then decrypts the ciphertext with the decryption key and reads the PO.  Decryption enables Pedro to convert the ciphertext (the indecipherable text) into its readable format.

In secret-key encryption, the key for encryption and decryption is the same.

This system has been found to be impractical for message exchanges among large groups of unknown parties over a public network.  In this system, it is difficult to ensure secure key management because Pedro or Juan can easily divulge their secret-key code to other parties (say, their friends).  Hence, secret-key encryption cannot play a dominant role in e-commerce.


What is public-key encryption?

Public-key encryption is a type of secret encryption that can ensure safe e-commerce.

Public-key encryption, or asymmetric encryption, uses two keys which are mathematically related: one key to encrypt the message and a different key to decrypt the message.  Each party therefore has a pair of keys.  One of the keys is a “public” key and the other is a “private” key.  Under this system, the public key may be disclosed to others while the private key must be kept secret and confidential to its owner.

A common application of public-key encryption is digital signatures.

What is a digital signature?

A digital signature is a cryptographic mechanism, the counterpart of a written signature on a paper-based transaction.  Its basic function is to verify the origin and contents of a message for sender authentication purposes.  It allows the computer to notarize the message, to assure the intended recipient that the message has not been forged while it traversed the network.

In simple terms, a digital signature, just like a real one, validates the sender’s identity.  The digital signature is composed of a unique sequence of data bits and codes which pertain to the sender’s identity or the document’s contents.


Technically, how do digital signatures work?

First, data are electronically signed through the application of the private key of the data’s author. The private key is applied to a shorter form of the data called a “hash” or “message digest,” instead of the entire data. The digital signature can be stored and is transmitted along with the data. Any party can verify the signature through the use of the public key of the signer.


How do digital signatures ensure authentication?

Simple. When a user digitally signs a document, he integrates his private key with the document and performs a certain computation on the composite (key+document) in order to come up with a particular number called the digital signature. The digital signature is unique to one user.

For instance, when an electronic document (say, an order form with a credit card number) passes through the digital signature process, the outcome is a “fingerprint” of the document, which is attached to the original message further encrypted (second encryption) with the signer’s private key.

So, when a user communicates with his bank, he only sends the result of the second encryption to the bank. The bank then decrypts the document using the user’s public key to check if the enclosed message has been altered or interfered with by a third party. Then the bank performs a computation on the original document, the digital signature, and the customer’s public key for purposes of validation. The digital signature is verified as genuine if the results of the computation show a matching “fingerprint.”
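The hash-then-sign flow described above, as an added example that is not part of the original page: a toy textbook RSA with no padding, for illustration only. The keys (built from known Mersenne primes), the sample order, and all function names are constructed assumptions.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent: inverse of E mod phi
    return (E, n), (d, n)        # (public key, private key)

def digest(message, n):
    """The 'hash' / 'message digest': SHA-256 of the data, reduced to fit n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Signer applies the private key to the digest, not to the whole data."""
    d, n = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Anyone holding the public key recomputes the digest and compares."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)

# Constructed keys from known Mersenne primes; far too small for real use.
JUAN_PUBLIC, JUAN_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
_, IMPOSTOR_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

ORDER = b"PO-0001: 10 units, charge card ending 4242"      # constructed sample
TAMPERED = b"PO-0001: 90 units, charge card ending 4242"   # altered in transit

def demo():
    """Return the verification result for each of the three cases."""
    sig = sign(ORDER, JUAN_PRIVATE)
    forged = sign(ORDER, IMPOSTOR_PRIVATE)
    return {
        "genuine": verify(ORDER, sig, JUAN_PUBLIC),
        "altered_message": verify(TAMPERED, sig, JUAN_PUBLIC),
        "forged_signer": verify(ORDER, forged, JUAN_PUBLIC),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier only accepts the signature when both the message and the signing key match, which is the matching “fingerprint” check the bank performs.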

Digital certificates further strengthen authentication.

What are digital certificates and how do they work?

Before two parties use public-key encryption to transact business, each party to the transaction wants to be assured that the other is authenticated. Say, before Pedro even accepts a message with Juan’s digital signature, he wants to be sure that the public key indeed belongs to Juan and not to someone who is alleging to be Juan. How then can Pedro ensure that the message is from Juan? Pedro can do this by receiving messages over a secure channel directly from Juan. But, in most circumstances, this is not practical.

An alternative to the use of a secure channel is to use a trusted third party to authenticate that the public key belongs to Pedro. Such a party is known as the certificate authority (CA).

What is an Electronic Payment System?

Electronic payment is defined as financial exchange that takes place online between buyers and sellers. The exchange is facilitated by some form of digital financial instrument (such as encrypted credit card numbers, electronic checks, or digital cash) that is backed by a bank, an intermediary, or by legal tender.

Electronic payments close the e-commerce loop. The underdeveloped electronic payments system in the country is a serious impediment to the growth of e-commerce here. For instance, Filipino entrepreneurs are not able to accept credit card payments over the Internet for legal and business concerns.

One of the biggest barriers to electronic transactions in the Philippines is the absence of a legal infrastructure governing their operation. Banks that utilize electronic banking only have service agreements between themselves and their clients.

Another barrier is the relatively underdeveloped credit card industry. The Philippine credit card industry has an estimated market base of only 1.5 million. Thus only this segment of the population can buy goods and services over the Internet. A related problem to credit card use is a regulatory entanglement that requires “explicit consent” (i.e., signature) of a card owner before a transaction is considered valid. This requirement does not exist in the U.S.

How do Electronic Payment Systems work?

An electronic payment system must incorporate key features/properties, which are the minimum requirements to make any e-payment system work: (1) monetary value; (2) interoperability; (3) retrievability, and (4) security.

Monetary Value. This means that the e-payment must be backed by hard cash (currency), bank authorized credit, or a bank certified cashier’s check. 

Interoperability. This pertains to the exchangeability of the e-payment with other digital cash, paper cash, goods or services, lines of credit, deposits in banking accounts, bank notes or obligations, electronic benefits transfers, etc.

Retrievability. This implies that e-cash must be storable and retrievable. Remote storage and retrieval (such as through a telephone or through any personal communication device) permits users to exchange e-cash (i.e., to withdraw from and to deposit into banking accounts) either from home or office or even while traveling. Here, cash is stored in a remote computer’s memory, in smart cards, or in other easily transported standard or special-purpose devices.

Security. This means that e-cash should not be easily duplicated or altered in the process of the exchange. The system should ensure mechanisms for protection against duplication and double spending of e-cash (such as prevention and tracking/detecting devices).

What is e-cash and how does it differ from conventional money?

E-cash, or e-money, is based on a cryptographic system called “digital signatures.” It includes all credits on wholesale electronic nets without conventional money counterparts, including all retail e-monies whose value rests outside conventional banks and on plastic or computer chips, unlike conventional money, which consists of cash, deposits and other components of the published money aggregates or the official money supply.

E-money has only a virtual existence in that: (a) it has no physical presence; (b) it does not resemble any other formal money aggregates; (c) it is transferred out of official money stock and drawn into new money-like accounts; (d) it rests in a computer memory or on a chip embedded in plastic or on a computer hard disk; and (e) it may be issued by a bank or credit card systems as a smart card or an electronic wallet or a cash substitute, but is not of legal tender status, representing a liability (IOU) of the issuer.

Is the average Filipino consumer receptive to a payment system done electronically?

Not quite. The Philippines is basically still a cash economy. Particular issues need to be resolved first, such as consumer protection from fraud through efficiency in record-keeping; transaction privacy and safety; competitive payment services to ensure equal access to all consumers; and the right to the choice of institutions and payment methods. The present legal framework should also be modified to recognize electronic transactions and payment schemes.

What about e-banking? Do we have such a market in the Philippines?

While most of our banking is still done the conventional way, some of the bigger Philippine banks, such as Citibank, Bank of the Philippine Islands and the Philippine National Bank, have already introduced e-banking in the country in the early ‘80s. Interbank networks like Megalink, Bancnet, and BPI Expressnet are among the biggest pioneers of ATM technology in the country.

BPI recently launched its full Internet banking service called BPI Express Online (Manila Standard, January 3, 2000). Its online financial services include deposits, fund transfers, applications for new accounts, Stop Payment on issued checks, housing and auto loans, credit cards, and remittances, among others. Security is ensured through the employment of mechanisms such as:

  • a user id and password nominated by the client upon enrolment;

  • a secured internet channel called Secure Sockets Layer (SSL) for online communication exchange; and

  • a firewall system to stop unauthorized users from accessing clients’ accounts.

The PCIB has also recently offered online banking on current and savings accounts. Its notable online banking features include fund transfers to other PCIB accounts.

The bank secures transactions through the use of the Verisign technology (which provides digital ID certification and secure encryption); and the FASTPhone/PCIBank Online Access Number (or F.A.N.), which is a confidential six-digit password known only to the client for the purpose of authenticating transactions.

Can Filipinos use their credit card when buying online?

Yes, as long as they have an internationally accepted credit card (i.e., Visa, Mastercard, Diners, American Express, etc.).

Unfortunately, most Filipino online merchants will not accept credit cards. Ultimately this has to do with the fear of fraud. In the “real” world there are measures that can be taken to minimize fraud. The most familiar is the need for “explicit consent” of the card owner before a transaction is considered valid. When we charge a purchase (say, in a restaurant) we usually sign a receipt acknowledging the transaction.

Fortunately, this situation will not last long. As soon as digital signatures and certificate authorities become widespread, even Filipino e-tailers will begin accepting credit cards online.


 
 
 
 
 
 
 
 
 
 
 
 
 

Copyright © 2001 SAPALO & VELEZ Law Offices All rights reserved

11th Floor, Security Bank Centre ,  6776 Ayala Avenue, Makati City 1200, Philippines
        P.O. Box 3256, MCPO, Makati City 1272, Philippines