Electronic Money Challenges and Solutions - Report Example

1. Electronic Money and E-Payment Systems 1 Introduction The advent of modern technology has taken its place in each household as important part ofpeople's lives. Internet has been a revolution and is being used for shopping, investments, banking, and a variety of other professional and personal purposes. The modus operandi for these transactions can not be the traditional currency as currency notes can not be exchanged over the web. Hence, a new form of currency has been used. This is called electronic money or 'e-money'. Also called 'e-currency', it is being spent through 'e-wallets'. This has started a new paradigm of business opportunities which would benefit both customers and organizations. As Bill Gate, the founder of Microsoft puts it: 'Information technology and business are becoming inextricably interwoven. I don't think anybody can talk meaningfully about one without talking about the other.' (Bill Gates) 1.2 E-Payment E-payment or electronic payment is a technique of making transactions over the internet or some other electronic system. The transaction takes place in the form of secure data transfer from one end to the other. The greatest advantage of an e-payment based transaction is the speed with which the transaction gets completed. Other benefits include the ease with which the transaction can be completed; the users do not have to be physically present to make these transactions and in fact, both buyers and sellers can meet in the electronic market to make electronic transactions using electronic money. 1.3 Types of e-Payment Systems There are various forms of e-payment systems that are in use nowadays. These include credit cards, debit cards, online transfers, wire transfers, e-money like Pay Pal, and other modes through which people make payments over the web. Most of these systems are based on a ID and password system to protect against unauthorized usage. 2. The Problems with Electronic Payment Systems With an increase in the magnitude of online applications and systems, there is a growing threat of security issues, vulnerabilities and exposure on the use of electronic transmission, and internet based systems. This has been a concern for companies, individuals, government and law enforcement agencies. Doing transactions online means making payments for the goods and services that are purchased; this leads to a need for developing a mechanism to make these 'e-payments'. This further translates into developing and implementing a security process to ensure that these transactions are carried out keeping the confidentiality, integrity and availability of the systems intact. An e-transaction is as susceptible to fraud as any other transaction, if not more. The fraudsters are many in the electronic world, are dispersed all round the globe, have update knowledge and expertise about the systems and computers, and are attacking to gain access to, and in many cases, to use the identity, funds and communication of a person in illegal, unethical and undesired way. 2.1 Security Issues for E-Money and E-Payment Systems Security of electronic money refers to establishing the confidentiality, integrity and availability of information when it is passed through the electronic system. Some security requirements for an electronic money transfer system are outlined below (British Standards, 2006, p.3): Confidentiality - ensuring that information is accessible only to those authorized to have access to it. Integrity - safeguarding the accuracy and completeness of information and processing methods Availability - ensuring that authorized users have access to information and associates assets when required Authenticity - information should be available to sender and recipient, who must prove their identities to each other Non-repudiation - assurance/ proof that the transmitted message was indeed received (ECD, 2007). 3. Key Challenges and Recommendations for Electronic Payment Systems A description of specific risks and challenges of online transactions is provided below. 3.1 Privacy and Confidentiality Issues The information that is being sent over the electronic medium can be viewed by anyone since the data packets take various paths to traverse. This might result into breach of privacy and confidentiality of information. A method to deal with this risk is to encrypt the data packet before sending it across to the network. In this approach, the contents of the data packet are encoded using an algorithm which is known to the sender and receiver only. At destination, the contents are decoded using the same algorithm. This ensures that no modifications are done with the data contents of packets reaching the destination. One of the primary building blocks for security in electronic payment systems is cryptography, the theoretical basis for encryption (ISACA, n.d., p.2). A given cryptographic technique may be based on either private keys or public/secret key pairs. Public key infrastructure (PKI) rests atop encryption and in turn supports online payments. 3.2 Theft and Fraud An evident risk of electronic transactions involving electronic money is the risk of theft and fraud whereby a person knowingly tries to misappropriate funds. One form of electronic fraud is called the Rounding Off technique, which refers to drawing off small amounts of money from a computerized transaction or account and re-routing it to another account. Another form of electronic theft is carried out by stealing identities of authorized personnel and then carrying out transactions impersonating as others. This is also called Spoofing. Effective ways to counter these risks is to use a strong user ID and password mechanism, or perhaps a biometric control at the site from where the transactions are made. In addition, strong internal controls in the electronic payment verification system can track the transaction trails, keep logs of the activities that are being carried out, and can report if any non-routine activity is noted. The logs can also be viewed to detect occurrence of fraudulent activity. 3.3 Data Integrity Violations When data is transmitted across two points, a risk arises that an intruder might tap the wire and will read the contents of data packet. (S)he will then be able to alter and modify the data contents, can redirect the data packet to some other location, or can do other malicious activities. The integrity of data will then be compromised and the contents of the data packet can not be trusted. One way to protect against data integrity violations is to use data encryption procedures as described above. Another approach is to use Digital Certificates. These are used to endorse an electronic document in a way that can be later validated for authenticity. Digital Certificates are like electronic fingerprints that authenticate the identity of a person or website, positively. 3.4 Middleperson Attacks One inherent problem with electronic payment systems is the user interface that is used to display the transaction at various point-of-sales terminals and other places. The machine at the terminals shows the amount of transactions, but what if the machine is being programmed to deceive the customer, and is charging more but showing only a percent of the actual amount that is being charged from the customer. There is no way for a customer to ensure that the transaction actually takes place with an authorized machine and not with some other system that is reading the sensitive information from the card. This poses a threat to customers although they can later on file complaints if they are charged over and above the amount they were supposed to pay. These attacks are called 'relay' attacks or 'middleperson' attacks and are extremely hard to prevent. The biggest problem is to ensure that the transaction follows a trusted path and is not routed through an un-trusted and unknown zone. There is no way for card holders to see exactly how much are they about to pay, and to whom. 3.5 Physical Card Theft It is not uncommon to find out instances where the robbers steal a person's credit/ debit card and make transactions on the customer's behalf. Until recently there was no way to prevent this from happening except a weak control of taking authorization signatures at the payment desk. However, the signature can be forged. One solution to this problem is the latest chip cards in which a digitally programmed chip is installed into the card, and holds the PIN for the customer. The customer has to enter the PIN in the system which is then authenticated by the bank. The transaction is authorized once the PIN and card number both match to the data recorded in the system. 4. Integration with Visa and MasterCard Systems Companies, usually, are connected with Visa and Master Card systems to authenticate the true identity of a potential customer. This is done to keep the identity theft based frauds to a minimum level. The electronic payment details along with card number are electronically sent to Visa and Master Card systems which search the extensive databases that are maintained in these systems to verify the details of card and customers. Upon successful verification, approval is sent back to the requesting terminal (Federal Reserve Bank of Chicago, 2000). 5. Industry's Best Practices and International Benchmarks Realizing the importance of online transactions and payment systems, a number of best practices, benchmark standards and e-commerce laws and regulations have come in to effect. Two most popular standards for information security over the electronic payment systems include ISO27001 Information Security Management System, which is issued by International Standards Organization (ISO); and Control Objectives for Information Technology (CObIT) published by Information Technology Governance Institute (ITGI) in collaboration with Information Systems Audit and Control Association (ISAC) who is the governing body for information systems auditors around the world. The latest version of CObIT is 4.0 with CObIT about to be published in May 2007. CObIT is freely available at the ISACA website (ISACA, 2007). These standards detail the minimum requirements to protect an electronic system like an e-commerce website, point of sale terminal, ATM machine etc. from security flaws and attacks. Companies and individuals can use these standards to obtain valuable information on how to protect electronic money transfers across digital systems. 6. Conclusion Electronic money has become one of the critical innovations of this era due to extremely high demand and impact of electronic transactions and internet in everyday lives. In order to reap the maximum benefits out of this promising field, all stakeholders including companies, regulators, and customers need to understand the importance, risks and challenges associated with the use of electronic money for making online payments. Information security and privacy should be a supreme concern for everyone who is associated with electronic money. References British Standards Institute. (2006). Information Security Management Systems. British Standards Institute, p. 3-4 ECD (2007). Customer Security: Basic Principles. Retrieved April 30, 2007 from the World Wide Web: http://www.ecommerce-digest.com/ecommerce-security-issues.html. Federal Reserve Bank of Chicago (2000). Electronic Bill Payment: Challenges and Opportunities. Proceedings. Retrieved May 3, 2007 from the World Wide Web: http://www.chicagofed.org/news_and_conferences/conferences_and_events/files/2000_electronic_payments_conference_proceedings.pdf. ISACA: Information Systems Audit and Control Association. (n.d.). eCommerce Security: PKI, Digital Certificates in E-Commerce. ISACA.org (2007). Serving IT Governance Professionals. Retrieved April 29, 2007 from the World Wide Web: http://www.isaca.org/. Read More