E-commerce security and fraud protection - Term Paper Example

? E-Commerce Security and Fraud Protection E-commerce presents a strategic platform that offers organizations and consumers an easy-to-use and convenient way of transacting in business. However, the security concerns regarding the system have caused a majority of business organizations and individual consumers to remain wary of it. To deter hacking and fraud from jeopardizing security in e-commerce and hence hinder progress in e-commerce, this paper outlines some of the current security measures that have been adopted to safeguard consumers. Thus, the paper articulates access control approaches, securing of e-commerce channels, security in payment protocols and communications security. Introduction E-commerce refers to the buying and selling of goods and services by via electronic platforms such as the Internet and other computer-based networks (Schneider, 2011). It has grown to be a necessary tool for efficiency in business. However, this platform has been faced with a myriad of challenges with Moftah, Abdullah and Hawedi (2012) indicating that the problems relate to consumers’ protection in their transactions which call for trust and privacy across the different geographical locations. Mohapatra (2013) argues that e-commerce transactions have been constrained by security, with consumers wary of the privacy of their personal information and the use of credit cards to make online purchases. The increased use of mobile devices has even further complicated security provision in e-commerce. Thus, a secured system would be needed to enhance e-commerce growth. E-commerce is online, thus accessible to the general public. The increase in cyber crime has also seen an increase in security threats in e-commerce. According to Mohapatra (2013), amounts reported globally, largely from frauds and hacking in e-commerce, stand at over $ 388 billion per year. As such, e-commerce has suffered the resultant liabilities, loss of trust and additional cost for clean-up. This calls for an effective security systems that would protect consumers and merchants from such losses. According to Schneider (2011), such a system would be pegged on a complex interaction of several database management systems, applications development platforms, network infrastructure and systems software. This encompasses preservation of integrity, confidentiality and availability of computer and data resources, referred to as the security triad. Further to this, there would be need for non-repudiation, access control and privacy. Access Control Approaches The first way in which e-commerce has been secured and protected against fraud is through access control. Physically, access control would involve the restriction of an unauthorized person into a building, property or room. In a similar manner, e-commerce has applied several technologies that control access to Internet resources, including authorization, authentication and audit (Farshchi, Gharib and Ziyaee, 2011). The model in this case entails the subjects, these being entities that could perform an action on the system, and objects, these being entities to which access needs to be controlled. Both of these should be taken as software entities as opposed to human users since a human user would only have an impact on the system through software entities on which they have control. First, user IDs, passwords, biometrics and tokens have been used to authenticate an individual. As observed by Mohapatra (2013), authentication involves what the user knows such as a password, what a user possesses such as a token or what the user is, such as biometric characteristic. The user ID/password approach verifies a user against a set of ID and password. This has however been noted to be the least secure technique in e-commerce because of the threat of guessing, eavesdropping, external disclosure, host compromise and replay attacks (Schneider, 2011). Thus, user IDs and passwords could be combined with physical tokens, creating a multiple factor authentication so as to improve on the reliability of the authentication. Other than the multi-factor authentication, this method has tokens preventing any shared secrets in an open network from being transmitted, thus a more secure technique (Farshchi et al., 2011). There are tokens which prevent password guessing by generating one time passwords while others prevent unauthorized persons from accessing one’s computer to copy keys by storing private keys. Even more secure is the biometrics technique including fingerprint analysis, retinal scanning and voice or handwriting recognition. However, they are much more expensive than the other techniques hence not popular. Additionally, other approaches such as retinal scanning are invasive and hence not easily adopted by the public. Secondly, to fulfill the e-commerce requirement of data confidentiality, non-repudiation and integrity, digital signatures, digital certificates and Public Key Infrastructure, PKI would be used. Confidentiality in e-commerce transactions greatly depends on encryption of information (Haseeb, Arshad, Ali, & Yasin, 2012). One of the most common ways of protection information would involve using a virtual key system where information would be encoded following an encryption algorithm. This would only be decrypted by the user who would be holding the correct key. PKI refers to a system of asymmetrical keys which carry out inverse operations such that one of the keys encrypts the message while the other decrypts it (Moftah et al., 2012). This way, sharing of secrets over the network would be prevented. However, it is a somewhat inefficient technique in terms of speed and entails a third party, the Certification Authority, CA. An approach combining public key cryptography with hashing techniques so as to uphold the non-repudiation, authentication and integrity of data is referred to as digital signatures. According to Mohapatra (2013), hashing entails the performance of an algorithm on the contents of a message then comparing it to the hash of the message that would be received. If the message was altered on transit, there would be a mismatch between the new and original hashes, hence data integrity determination. The PKI would then be used to confirm the sender’s possession of private and also unique key which ensures non-repudiation and authentication. These techniques make e-commerce transactions more secure, but does not confirm that the owner of the public key is the true owner. To curb this limitation, digital certificates would be used. These are data structures tasked with associating public keys with the respective subjects (Schneider, 2011). The Certificate Authorities control these certificates. Securing the E-Commerce Channels Secondly, e-commerce networks have been secured using secure channels together with Secure Socket Layer, SSL. SSL provides a secure channel between the merchants and the clients in e-commerce (Moftah et al., 2012). In fact, this is the basic protocol in which e-commerce communication channels are secured despite its inability to provide payment handling mechanism. It provides security through end to end encryption to ensure confidentiality and hashing, digital signatures and digital certificates to ensure data integrity and authentication (Mohapatra, 2013). Since SSL executes server authentication by using digital certificates, client authentication would be executed using the user ID/password set over SSL. This does not provide non-repudiation, with the information communicated to the server exposed to insecurity because SSL protects the communication channel only. For example, a server could deny receiving the order of a client and use the details of the credit card of such a client for unauthorized transaction. Together with the inability of SSL to handle payments transfers, these make the technique less secure. The e-commerce networks could be secured using a firewall, referring to a point that borders multiple networks through which all traffic passes such that the firewall controls, authenticates and logs all the traffic. Special software could also be used to monitor activities across a network so as to detect any suspicious activities and automatically take action against such activities. This software is referred to as an intrusion detection system, IDS (Schneider, 2011). Moreover, a virtual private network, VPN could be used as a defense against security threats in e-commerce. This network uses public Internet for movement of information but ensures privacy through encryption for the scrambling of communications, access control for identity verification and authentication to determine whether information has been tampered with. Payment Protocols There are various payment schemes which use varied payment protocols and implementations in the provision of secure payment services. Secure payment protocols present a method to guarantee merchants of receiving payments while at the same time keeping the details of the paying credit card confidential (Haseeb et al., 2012). This differs from secure web sessions which make the payment details accessible to the merchant. This advantage of secure payment protocol safeguards the client from potential unsafe merchants. Additionally, it prevents unauthorized clients payment details’ access by insecure merchant systems. Among the payment protocols used include 3D Secure, SET and Secure Payment Application, SPA. The Secure Electronic Transactions, SET is a protocol, being an open industry standard, meant to secure payment information transmission over electronic networks and the Internet. It employs a system to keys and locks together with certified account IDs for merchants and consumers (Mohapatra, 2013). Subsequently, SET uses a convenient, private and secure payment process through encryption and scrambling of the information that flows between the customer and the online store. According to Schneider (2011), the advantage of this system lies in the fact that it establishes an industry standard that ensures the confidentiality of order and payment information. Furthermore, it enhances the integrity of the transmitted data by encryption method. Communication Security, COMSEC COMSEC refers to controls and measures aimed at denying telecommunications information from unauthorized persons so as to promote the authenticity of such information. The first form, crypto security, refers to a component of communications security which results from technically sound systems being provided and properly used. It entails the safeguarding of the confidentiality an authenticity of information. Secondly, emission security, EMSEC, refers to protection that results from denying unauthorized persons from accessing valuable information that could be derived from intercepting and analyzing compromising emanations as derived from automated information systems, telecommunication systems and crypto equipment. Communications security also involves physical security where physical measures would be adopted to safeguard classified documents, material and equipment from being accessed by unauthorized persons. Finally, transmission security, TRANSEC entails the measures that aim at protecting transmissions from being intercepted and exploited using other means apart from cryptanalysis (Farshchi et al., 2011). Conclusion Security stands out as e-commerce system property. There have been extensive research studies that have gone into finding better ways of securing e-commerce and preventing hackers from executing their intent. Security issues in e-commerce are highly related to cyber crime in the society leading to liabilities, loss of trust and clean-up costs which deter its progress. The current measures used to enhance security in e-commerce so as to deter fraud and hacking include access control techniques, security of e-commerce channels, payment protocols security and communications security. These approaches use appropriate software to promote the security triad of integrity, confidentiality and availability in e-commerce. Security in e-commerce remains a growing field because with emerging technologies, newer security challenges arise. It would therefore be important for organizations involved in e-commerce and customers alike to keep discovering more efficient security approaches as they emerge. References Farshchi, S. M. R., Gharib, F., & Ziyaee, R. (2011). Study of security on traditional and new generation of e-commerce model. 2011 International Conference on Software and Computer Applications. Singapore: IACSIT Press. Haseeb, K., Arshad, M., Ali, S., & Yasin, S. (2012). Secure e-commerce protocol. International Journal of Computer Science and Security, 5 (1), 132 – 142. Moftah, A. A. A., Abdullah, S. N. H., & Hawedi, S. H. (2012). Challenges of security, protection and trust on e-commerce: A case of online purchasing in Libya. International Journal of Advanced Research in Computer and Communication Engineering, 1 (3), 141 – 145. Mohapatra, S. (2013). E-commerce strategy: Text and cases. New York, NY: Springer. Schneider, G. (2011). Electronic commerce (9th ed.). Boston, Massachusetts: Cengage Learning. Read More