The Security of Payments in E-Commerce - Research Paper Example

Topic: The Security of Payments in E-commerce 1. Abstract E-commerce has granted a new medium of opportunities for the merchants and a convenient mode of shopping for the customers around the world. However, there are many security threats prevailing in the e-commerce environment which pose threats to the authenticity and reliability of the whole concept. Credit card fraud is the most common internet crime these days. There has been much research on this subject and many solutions have been devised to make online business transactions more secure. Some of the solutions will be discussed that make the e-commerce environment a reliable one. 2. Introduction Internet can be considered as one of the most revolutionary inventions of the last century [2]. It is used by different people for different reasons; some people use it to communicate with the other end of the world, some use it to increase their knowledge with the vast information available online [1]. Another area that has made a prominent name in the World Wide Web is E-commerce. E-commerce, which is the process of business transactions on the web; is preferred for its simplicity and ease [3]. However, one of the factors that cause a great degree of concern for customers and merchants is the level of security involved with these business transactions [4], [15]. The mode of payment in e-commerce transactions is through ‘credit cards’; which have established more opportunities for businessmen but at the same time introduced new problems in the whole process of selling goods. 3. Historical Overview The fear of fraud in online business transactions keeps on increasing every year due to the increase in the respective crime [8], [39], [40]. According to National Consumers League statistics for the year 2007; millions of dollars were lost in e-shopping transactions and have exposed the weakness of the credit card payment system [5]. Credit card fraud and identity theft [11] are the two most prevalent security risks. In the past, many efforts have been done to secure online transactions and make this medium a trusting one. During such efforts, the protocol of Secure Electronic Transactions (SET) was developed to secure credit card information from several kinds of attacks present online [6]. Secure Socket Layer (SSL) also helps in providing a secure environment as it provides an encrypted medium to transfer credit card information [7]. The use of biometric has also been proposed by one of the researchers; this proved helpful to prevent identity theft and any false authorization regarding the credit card information. Numerous aspects have to be considered before allowing a transaction to take place: - Is the card real? - Is there enough money available on the card? - Is the customer authorized to use the card? - Have the goods or services been delivered to the customer? [35]. There was a survey held by Unisys, an information technology company in 2009 [43]; it was found that credit card fraud is considered to be the No.1 fear for Americans, superseding the fears of terrorism and health viruses. The goal of e-commerce websites; firstly to reduce the degree of fraudulent activities, try to lower the number of rejections for legitimate orders as much as possible and minimize the number of manual reviews of transactions which prove to be costly for the company. 4. Summary of the chosen papers The first paper that has been chosen for discussion is [10] to propose a new approach to make the transactions more secure. Nowadays, e-commerce involves more and more business entities because of which the security of data has become a challenge. The need of the hour is that these business entities should be able to amend partial data only and be responsible for its security. This approach is better than a business entity dealing with the whole document even if not needed. For this purpose, they propose a XML security mode for e-commerce transactions. It offers the service of encrypting the desired data and authenticating in arbitrary sequence. The authors promote the concept that data documents should not be taken as entities, rather focus on parts of a document. They support the idea of taking XML documents as the standard of data transfer in e-commerce [12]. This way they could work on any part of the XML data, to encrypt and validate in random sequence and be responsible for the security of that altered portion only. The second paper chosen for the respective subject is [9]; in this paper the authors propose a biometric technique to prevent identity theft and false validation in the process of e-commerce transactions. They choose the iris biometric for authentication purposes since they claim that it is perfect for automatic identification. They justify choosing iris by stating that it does not change with age [16]. This new approach of providing security to e-commerce environment involves implementing a new algorithm (PCA) [17] to extract key characteristics features of iris of an individual. RSA encryption algorithms [18], [30] used to encrypt the iris features which are used for the identification of an individual and authentication with the credit card details. The following system fig.1 works in this manner; A web-camera is integrated at the client system which is meant to take an image of the eyes of the user who has initiated the business transaction. An algorithm is devised to extract the iris image from the user’s picture, then by using the RSA algorithm the extracted features of the iris image are encrypted and sent to the e-commerce site, with the credit card information and personal information. This information is authenticated by the credit card company to allow the user to proceed any further in the transaction. Since all the information is encrypted before sending it to the e-commerce site therefore only the credit card company has access to it. Source: [9] The third paper chosen is [23] where the authors present an e-commerce security system model. They state that e-commerce security can be divided into two categories; computer network security and e-commerce transaction security. They state that the foundation of the e-commerce security is based on computer network security. They carefully analyzed the security requirements of ecommerce transactions and devised a system model with layers similar to the network security levels [24]. They explained that in the e-commerce security system; the security related to the layers i.e. physical security, link security, network transmission security and network application layer security come under the sphere of computer network security. Fig. 2: E-commerce security system model [23] They state that the Public Key Infrastructure (PKI) provides a foundation of several network security services. PKI is the basis of technology for Internet security; as it includes cryptography, public key certificates [25]. The fourth paper chosen for the research report is [31]; it proposes a new system to provide secure transactions so that the customers and merchants do not face ant losses in their respective business transactions. They also focus their attention on RSA algorithm. Firstly, they use a session key approach to increase the performance of the cryptographic algorithm. Then, JDBC tool is chosen to perform any data access between client and server in an efficient manner. They claim that this system provides a secure e-commerce environment. They carried out several tests while implementing this system for different internet applications. The basic idea of the approach is based on three steps; Firstly, the server analyzes the request received from the two users that may be present anywhere in the world communicating with each other through internet. They might be exchanging business and personal information on a secure platform. In the second step, the server will generate two pairs of public and private keys to each of the two users, these will serve as permanent keys for the users. In the third step, the server will generate a new (randomly generated) session key each time a new connection is made across the internet. This session key will determine the number of time for RSA encryptions performed on the message before they are transmitted on the internet. All the exchange of the keys is done using the Secure Socket Layer (SSL) so that they are received by their respective in a secure manner. The fifth paper chosen is [32]; which supports the concept of geo-location to stop credit card fraudulent activities regarding online transactions. Geo-location is one of the most reliable technologies to handle the credit card fraud as it is used to identify the key factors which lead to this crime [33], [35]. The authors propose a new approach to enhance the performance of geo-location; Constraint based Geo-location (CBG) calculates the geographic location of the hosts using multi-lateration. They define multi-lateration as the procedure of estimating a location by a sufficient no. of distances to a fixed place [32]. Location of the customer can be helpful in analyzing if his credit card information is correct or fraudulent [36], [37], [38] for example; if the American credit card number is sniffed from the network and the desired transaction is taking place in. It is also called IP geo-location as it looks up for the unique IP address possessed by every host connected to the internet [41], [42]. 5. Critical Evaluation They claim that this mode and technique has high extensibility and has the power to process any part of the XML documents rather than working on the whole document [10]. They do not support the use of HTML with e-commerce transactions since automatic data acquisition is very difficult in HTML documents and portray XML as having many data exchange advantages [13], [14]. The authors of [9] claim that their method of authenticating the individual on the basis of his iris identification and credit cards details is very effective since biometric are unique features of an individual. They term it effective since iris features do not change to a relative extent with time and age [19], [20], [21], [22]. The authors of the second paper claim that there are some protocols and standards which can lead to the PKI technology; these include the following X.209 ASN.1 basic coding rules [26], X.500 directory services system standards [27], X.509 digital certificate standards [28], Online Certificate Status Protocol [29]. The authors of [31] claim that by using a session key approach, the performance of RSA will be enhanced. They also state the choice of the JDBC tool makes data access easy and SQL conformity is also introduced. The results of their tests reveal that their system is able to provide a dependable and protected Internet environment. The authors of [32] claim that there new approach of geo-location works better than any techniques in the past and therefore will give better results to find the location of the customer. They conducted several tests to prove this. Geo-location is a very common approach adapted by e-commerce websites to reduce the chances of any fraudulent activities. 6. Further Reading Security of E-commerce is a wide field and much research has been done in this field. Only few of the solutions could be discussed here. More literature shall be studied regarding the different techniques of encryption and keeping the customer’s information secure from any unauthorized access. Geo-location is a common approach adapted by many e-commerce websites to reduce the chances of any fraudulent activities; it shall also be studied in more detail. 7. Conclusion E-shopping has become a norm for the modern man; however the risks involved in e-commerce are often greatly feared. Fraudulent activities to credit card information and identity thefts have increased over the years. Therefore efficient security measures need to deployed to make the e-commerce environment safe for the customer and merchant both. Encryption techniques should be promoted and improved so that relevant information of the customers are not sniffed or extracted by any unauthorized individuals. 8. Appendix There have been five main papers for this research. They have been chosen on the basis of the relevance of their content. The papers that have been chosen portray a clear understanding of their respective topics and have been written in an organized manner. The main papers that have been chosen were published in the past 10 years so that they do not portray any old technology. Other papers which had content related to the research topic were also included in the research. Bibliography Main papers: [9] R. S. Sasi, “Biometric Authentication”, IEEE IST 2004 -International Workshop On Imaging Systems and Techniques, 2004. [10] S. Chai, Y. Cheng, J. Qiu, W. Zhou, “An XML based Flexible Security E-Commerce Mode”, IEEE, International Symposium on Electronic Commerce and Security, 2008 [23] Z. Tian, N. Xu, W. Peng, “E-commerce Security: a Technical Survey”, Second International Symposium on Intelligent Information Technology Application, 2008 [31] K. T. Ng, W. N. Chau, Y. M. Siu, “An Internet Security System for E-commerce”, IEEE, 2002 [32] B. Gueye, A. Ziviani, M. Crovella, S. Fdida,, “Constraint-Based Geo-location of Internet Hosts”, IEEE/ACM Transactions on Networking, Vol. 14, No. 6, December 2006. [1] G. R. Newman, R.V. Clarke, Superhighway robbery: Preventing E-commerce Crime, Willan Publishing, USA, 2003 http://books.google.com.sa/books?id=YSL_oq2AB10C&printsec=frontcover&dq=fraud+prevention+techniques+for+credit+card+fraud+2004&source=gbs_similarbooks_s&cad=1#v=onepage&q=&f=false [2] B. Starr, Helium, “Groundbreaking inventions of the 20th century”, http://www.helium.com/items/1452096-20th-century-inventions [3] Mak, “What are the benefits of e-commerce in China”, http://www.helium.com/items/1263046-e-commerce-electronic-commerce-china-trade-business-internet-authority-law [4] A. Shamir, “Secure Click: A Web Payment System with Disposable Credit Card Numbers”, LNCS 2339, pp. 232–242, 2002. [5] Internet Fraud Statistics Reports. Available from: http://www.fraud.org/internet/intstat.htm. [6] What is SET? Available from: http://www.setco.org/set.html. [7] A.O. Freier, P. Karlton, P.C. Kocher. “The SSL protocol”, http://wp.netscape.com/eng/ ssl3/ssl-toc.html. [8] E. Lim, “Electronic Commerce and the Law”, IEEE, 2000. [9] R. S. Sasi, “Biometric Authentication”, IEEE IST 2004 -International Workshop On Imaging Systems and Techniques, 2004. [10] S. Chai, Y. Cheng, J. Qiu, W. Zhou, “An XML based Flexible Security E-Commerce Mode”, IEEE, International Symposium on Electronic Commerce and Security, 2008 [11] J. Cacavias, A. Lugonja, M. Messa, D. Zhanbekov, “Internet Security: Internet Fraud and Identity Theft”, April 12, 2006, http://www.cc.gatech.edu/classes/AY2006/cs4235_spring/CS4235%20-%20Internet%20Security%201%20-%20Internet%20Fraud.pdf [12] X. Lu, “A framework for e-commerce data exchange service of B2B and B2C with XML embedded documents”, ICSSSM '05. 2005 [13] S. Ha, K. Kim, “Mapping XML documents to the object-relational form”, IEEE, International Symposium on Volume 3, 12-16, 2001. [14] J. Won Lee, K. Lee, W. Kim, “Preparations for semantics-based XML mining”, ICDM 2001, Proceedings of IEEE International Conference, 2001 [15] R. C. Marchany, J. G. Tront, “E-Commerce security issues”, Proceedings Of the 35th Hawaii International Conference on System Sciences, 2002. [16] J.G. Daugman, “High Confidence Visual Recognition of Persons by a Test of Statistical Independence”, IEEE Tans. Pattern Analysis and Machine Intelligence, vo1.15, pp.1148-1161, 1993. [17] L. I. Smith, “A tutorial on Principal Components Analysis”, February 2002 [18] P. J Flinn, J. M Jordan, “Using the RSA Algorithm for Encryption and Digital Signatures”, Aston & Bird LLP, 1997 [19] L. Berggren, “Iridology: A critical review”, Acfa, 63(1): 1-8, 1985. [20] D. M. Cockbum, “A study of the validity of iris diagnosis”, Australian Journal of Optomery, 64: 154-157, 1981. [21] P. Knipschild, “Looking for gall bladder disease in the patient’s iris”, British Medical Journal 297: 1578-1581, 1988. [22] S. A. Worthen, D.M. Mitas, “An evaluation of iridology”, Journal of the American Medical Association, 1385-1387, 1979. [23] Z. Tian, N. Xu, W. Peng, “E-commerce Security: a Technical Survey”, Second International Symposium on Intelligent Information Technology Application, 2008 [24] F.G.Hatefi, F.Golshani, “New framework for secure network management.” Computer Communications, 22(7): 629-637, 1999 [25] A. Arsenault, S. Turner, “Internet X. 509 Public Key Infrastructure PKIX Roadmap Work in Progress”, 1999, http://www. ietf. org/internetdrafts/ [26] CCITT. Recommendation X.209: “Specification of Basic Encoding Rules for Abstract Syntax Notation”, 1988. [27] M. Wahl, “A Summary of the X.500 (96) User Schema for Use with LDAPv3”. RFC2256, 1997, http://www.ietf.org/ rfc/ rfc 2256.txt, 1997-11-1. [28] R. Hously, W. Ford, W. Polk, “Internet X.509 public key infrastructure certificate and CRL profile”, 1999, http:// www.ietf.org/ rfc/ rfc2459.html. [29] M. Myers, “X.509 internet public key infrastructure online certificate status protocol-OCSP”, 1999, http://www.ietf.org/rfc/ rfc2560.txt [30] RSA Technology Website, http://www.rsa.com [31] K. T. Ng, W. N. Chau, Y. M. Siu, “An Internet Security System for E-commerce”, IEEE, 2002 [32] B. Gueye, A. Ziviani, M. Crovella, S. Fdida,, “Constraint-Based Geo-location of Internet Hosts”, IEEE/ACM Transactions on Networking, Vol. 14, No. 6, December 2006. [33] S. Olsen, “Geographic tracking raises opportunities, fears”, CNET News.com, 2000. http://news.cnet.com/Geographic-tracking-raises-opportunities,-fears/2100-1023_3-248274.html [34] D. Jerker, B. Svantesson, “How does the accuracy of geo-location technologies affect the law?” HERDC submission, 2008. http://works.bepress.com/dan_svantesson/23/ [35] D. A. Montague, Fraud Prevention Techniques: Credit Card Fraud, Trafford Publishing, Canada, 2004. [36] L. Greenemeier, “New Geo-Location Service Could Help Track Cyber Thieves”, InformationWeek, June 2007. http://www.informationweek.com/story/showArticle.jhtml?articleID=199903929 [37] Fraud labs. “10 Measures to Reduce Credit Card Fraud for Internet Merchants”, http://www.fraudlabs.com/fraudLabswhitepaperpg1.htm [38] Information Technology Association of America, “ECommerce Taxation and the Limitations of Geo-location Tools”, 2004. http://www.itaa.org/taxfinance/docs/geolocationpaper.pdf [39] T. Metzger, “How credit card transactions work”, CreditCards.com, 2009. http://www.creditcards.com/credit-card-news/how-a-credit-card-is-processed-1275.php [40] M. Ratha, “The Credit Card Model, MIT System Dynamics in Education Project”, 1997. http://ocw.mit.edu/NR/rdonlyres/Sloan-School-of-Management/15-988Fall-1998-Spring-1999/999C7C12-4DF7-4B15-BAF4-CC4CD7A63505/0/creditcardmodel.pdf [41] A. Ziviani, S. Fdida, J. F. de Rezende, O. C. M. B. Duarte, Toward a measurement-based geographic location service, Proc. Passive and Active MeasurementWorkshop (PAM 2004), April 2004. [42] IP, How to geographically locate an IP Address, http://ipinfo.info/html/geolocation.php [43] Lieberman Research Group, UNISYS Security Index: United States 4 March 2009 (Wave 4), UNISYS, 2009. http://www.unisyssecurityindex.com/resources/reports/Security%20Index%20Wave%204%20US%20Mar%203-09%20_2_.pdf Read More