Security Technologies for Online Payments - Literature review Example

?Security Technologies for Online Payments Introduction The progression of computer technology has leaped the level of convenience and accessibility to new wavelengths. Products, services and an ocean of information can be found at a mere distance of a click of a mouse due to the integration of business into the world of internet. The widespread of E-commerce has given much luxury to the people, alongside several adverse consequences such as identity thefts, credit card frauds, eavesdropping etc. Customers enter their personal details and sensitive information on different online shopping websites; they provide the information on the basis of trust that service providers will take effective measures to safeguard the authenticity and integrity of their information. There are several security technologies that are adopted by organizations to ensure smooth execution of online payments without any exposure or leakage of data to unreliable third parties. 2. Security Technologies in E-commerce According to figures from Ali (2011), cyber crimes cost Britain around 27 billion pounds every year. Such instances proved to expose the weaknesses of the credit card payment systems. Due to the appalling increase in the instances of data and identity thefts, organizations have started investing significant fractions of their resources to deploy effective security measures for online payments. Several researchers have also exerted their efforts in devising reliable security technologies. Some of the common ones have been discussed below: 2.1 Payment Gateway Get Started with an Ecommerce Payment Gateway (n.d.) defined the payment gateway as the intermediate pathway that encrypts information between the participants and ensures the completion of a transaction in the most secure environment. A payment gateway workflow is considered to be amongst the numerous pathways that are deployed in the whole cycle of an E-commerce transaction; this workflow is responsible for the authorization of the information. The following figure explains the placement and functions of the payment gateway: Figure 1: Workflow of Payment Gateway (Graham, 2006) The payment gateway works on the basis of the following steps: 1. The customer chooses the products and fills in the credit card details. 2. The credit card information is encrypted and verified for its authenticity with the card companies. The encryption function protects the data from being read by intruders and eavesdroppers. 3. Upon the validation of the information, the customer is displayed the summary of his transaction details; otherwise he is checked out of the whole process. 2.2 Geolocation Bratby (2011) stated that geolocation is a technology that identifies the geographic location of the user to ensure that there are no anomalies between his provided information and his location. Such identification is aimed to reduce instances of identity thefts and credit cards frauds. If a credit card issued from UK is being used to initiate an online payment from South Asia then flags will be raised at the respective online shopping website for possible anomalies or attempts for malicious activity. A general approach is to inquire security questions, PINs etc to ensure that the individual issuing the request is the owner of the card or account. The IP address of the user is translated into geographical locations by the geolocation administrators; these service providers maintain extensive database of IP addresses in relation to locations on the planet. Glover et. al (n.d) stated that the technology is so effective that most of the service providers claim to identify the user within 50 miles. The following figure shows a graphical representation of the geolocation technology: Figure 2: Process of identifying the geographic location of the user (Svantesson, 2004) 2.3 Blacklisting and Whitelisting Approach Application Whitelisting: A New Security Paradigm (2008) stated that blacklisting approach follows a reactive strategy by protecting the system against malware. Extensive records are maintained regarding the past instances of malicious intent and malware activations. This approach is dependent on the timely updates that make the database equipped to handle latest threats in the networks. Therefore, blacklisting is not able to detect any new malware or malicious intent due to its unavailability in the database. Improvements had to be made to the blacklisting approach to make it strong enough to detect zero day attacks. To tackle such zero day attacks, an even more effective approach has been devised to reduce instances of intrusion and eavesdropping of data- whitelisting approach. This approach works in a reverse manner as compared to blacklisting. Only the workflow and operations that are defined in the whitelisting database will be executed, thereby ceasing all the attempts of intrusions and spiteful modifications. 2.4 Public Key Infrastructure (PKI) PKI has been deployed since numerous years to ensure security in the exchange of messages between two parties. An E-commerce transaction encompasses sensitive information therefore this approach is widely used to refrain from instances of data theft and leaking at any point. Every participant in this approach, client and the merchant, possess two cryptographic keys for encryption and decryption purposes. The key that serves to encrypt the data is considered to be public; however the key that can decrypt the text is private for that specific participant. Railsback (2001) pointed out an important aspect that the implementation of PKI is not possible without digital signatures and encryption; therefore these three aspects bear equal degree of relevance in the provision of a secure E-commerce transaction. Railsback (2001) also provided the information that these three security approaches received the Technology of the Year Award 2000 due to their commendable impact on the reduction of malicious intent activities in the field of E-commerce. 2.5 Man in the Middle Attacks Another common attack is the man in the middle attack where the merchant and customer assume to be speaking with each other, whereas they are both communicating with a malicious host. Parno, Kuo and Perrig (n.d.) discussed a method that can help the parties to identify if they are communicating with each other or not. The merchant’s systems are programmed to store the user’s public key to ensure that the messages are only initiated from the customer’s end. 2.6 Other Technologies Several other technologies are used by E-commerce merchants to ensure the provision of an effective and secure service to the customers. Intrusion detection systems are deployed to detect the presence of any unauthorized entity in their systems; this measure can reduce the instances of data thefts (of past transactions and customer details) from data repositories and making the systems a part of a compromised network. 3. Conclusion Ever since the inception of the concept of E-commerce, it has gained wide acceptance around the world. However, the progression of the respective field has been coupled with the increasing number of credit card frauds, identity thefts and intrusion activities, thereby causing losses of millions of pounds every year. Numerous technologies have been devised to tackle the menace of such attacks. Geolocation identifies the location of the user and alerts the system if any anomalies are found between the information retrieved from geolocation and the data entered by the customer. Blacklisting approach follows a reactive approach in which the system is protected against already known spiteful activities and probable malware activations in the network. Whitelisting follows a contrasting approach from blacklisting since only the allowed workflows and operations can be done by the system; the malicious intent attempts of the intruders to activate malware or steal data from the repositories cannot be executed by the system. Maintaining the user’s public key enables the merchants to identify the existence of the customer such that the man in the middle attacks can be avoided during the transactions. PKI, encryption and digital signatures are other technologies to ensure the provision of a secure platform for the merchants and clients. References Ali, H 2011, Cyber crime cost Britain 27 billion pounds sterling a year, Wasel Masr, viewed 10 Dec 2011, Application Whitelisting: A New Security Paradigm 2008, CoreTrace, viewed 24 Nov. 2011, Bratby, R 2011, ‘European privacy body’s opinion on geolocation services on smartphones’, WordPress, 10 Dec 2011, < http://robbratby.com/2011/05/31/european-privacy-bodys- opinion-on-geolocation-services-on-smartphones/> Get Started with an Ecommerce Payment Gateway n.d., QuoteBean, viewed 10 Dec 2011, Glover, D et al. n.d., E-commerce Taxation and the Limitations of Geolocation Tools, ITAA, UK. Graham, B 2006, Payment Gateways, eZ publish, viewed 23 Nov. 2011, Parno, B., Kuo, C., Perrig, A n.d., Phoolproof Phishing Prevention, viewed 10 Dec 2011, Railsback, K 2001, PKI is key to secure e-commerce, IT World, viewed 25 Nov. 2011, Svantesson, D 2004, Geo-location Technologies – A Brief Overview, viewed 24 Nov. 2011, Read More