E-Commerce Websites as a Guarantee of Effective Trade - Research Proposal Example

E-Commerce Security Abstract E-commerce websites are used by people all over the world to effect trade. Many of the e-commerce websites are of low quality as they are vulnerable to security threats. Indeed many e-websites are always designed without considering human factors and usability which in effect renders them difficult to use. If E-commerce websites have to be of value to end users especially customers, they need to be standardised to a great level. Introduction E-commerce has become a common activity over the last few years, thanks to developments in computer and internet technology. E-commerce websites demand certain features such as shopping carts and credit card interfaces that are needed for the accomplishment of online transactions. This means that the user interface of e-commerce websites have to be designed in such a way that transactions are easy to effect while at the same time ensuring that users are safe from online security threats. Unfortunately, many potential customers have maintained serious doubts about the websites with respect to security of their personal information. The user interface design has impacted much on the way people perceive a website to be and therefore their willingness to perform online transactions. This study is aimed at determining the existence of a relationship or correlation between quality of interface design and user’s perception of security. Hypothesis H0: There is a correlation between quality of interface design and user’s perception of security. Objectives 1. To determine if there is a correlation between quality of interface design and user’s perception of security. Scope and Limitation This study mainly focuses on e-commerce websites and will only focus on using secondary sources of data. In particular, the websites that will be targeted are those that belong to financial institutions and businesses that trade products (goods and services) online. Literature review User interface design is a process in which the expectations, needs, and limitations of users are given attention at each design stage (Liu, Tucker, Koh, and Kappelman, 602). It is sometimes described as the problem solving stage that expects designers to predict and to analyze how the user is likely to use an interface. The User Interface Design activities generally define the interface that end users use to interact with the website (Liu et al, 603). The designers should also test the validity of their predictions with regard to user behaviour in real situations. Such testing is important as it is often not easy for the designers to understand what first time users of their design will experience. User interface aims at making the user’s interaction with a website as efficient as possible. Interface design is applied in a wide range of projects such as computer systems, cars and commercial planes; all these projects entail the same basic human interactions. Attention to human machine interaction is crucial because carelessly designed interfaces can lead to unexpected problems according to (Liu et al, 603). Every body that uses an E-commerce store should always be concerned about website security according to Aladwani and Palvian (468). E-commerce mainly involves processing of credit cards and sensitive user information and therefore the security of the website should be treated with great care during its overall design. Over the years there has been an increase in cases over stolen credit numbers and synthetic identity theft more so among people whose personal information is stored digitally and those who engage in e-commerce. Melián-Alzola and Padrón-Robaina (327) advocate for a document centred approach to computer interfaces that covers several radical changes to the current situation of operating systems. Every software package should be designed as a set of tools accessible to users on any document web pages. For example, in the middle of surfing the web, a user should be able to perform other duties such as computation by writing on a document. The authors also suggest that an interface should be zoomed in what he calls a Zoom world where the user navigates around a two dimensional plane having a geographical representation of every document on the computer. Zooming enables users of the interface to see all the documents in order to read or edit the document. They further propose that the interface design should be subjected to regulation in various ways. This can be done by establishing legal safe guards to protect users from harm and coming up with professional guidelines and standards to evaluate the interface security. Melián-Alzola and Padrón-Robaina (325) also state that there are two laws of interface design, based on fictional laws of robotics created by Isasc Asimov. The first law states that a computer shall not destroy the user’s work, or allow the user’s work to come to harm while the second law states that a computer shall not waste the users’ time or require the user to do more tasks than that that is required. Pratt, Mills and Kim (75) propose the following principles: First, the design should structure the use interface purposefully and useful ways based on clear and consistent models that are recognisable to users, combining related things together and separating unrelated things, outlining dissimilar thing and making two things resemble one another. Secondly, the design should prepare all needed options and requirements for a given task visible and not distracting the user with redundant information the best designs should not overwhelm the users with several alternatives or confuse the user with irrelevant information. Thirdly, the design ensure users are informed of changes of state or condition relevant to the interest of the user through clear, concise and understandable language familiar to users. Fourthly, the design to be flexible and accommodating, decreasing the cost of mistakes and misuse by permitting undoing and redoing, while also eliminating errors by tolerating varied inputs by interpreting all reasonable actions, and finally. Lastly, the design should be in such away that it can reuse internal and external components and behaviours, ensuring maintained consistency with purpose hence reducing the need for users to rethink and remember. Quality of User Interface of E-Commerce Websites Website quality is an important aspect when user satisfaction on e-commerce comes into focus as noted by Jun, Yang and Kim (835). Website quality may generally include three dimensions which are: service quality, information quality and system quality. These three dimensions impact the satisfaction of users through perceived trust, usefulness and ease of use. E-commerce website interfaces quality has always been compromised since there are a number of vulnerabilities. There are a number of reasons why security vulnerabilities arise in online payment systems. Their effects of such vulnerabilities become much greater since websites have got wide exposure and due to the financial nature of the transactions (Long, and McMellon, 79). Another main reason for this is that web designers are always not very well conversant with safe programming techniques hence the security of the applications they create is not featured as a one of the primary design goals. This is always exacerbated by the hurry to meet deadlines in the rapidly moving e- commerce world. There are several common security vulnerabilities in online payment systems according to Taylor and Francis (1996) some of which are outlined below: Price Manipulation Price manipulation vulnerability of websites to price manipulation is often unique to online shopping carts and payment systems. It often occurs when the total price payable for priced goods is in a hidden html site of a dynamically generated web site. An imposer can use a web application proxy such as Achilles to alter the amount that is payable if this information flows from the user’s browser to the web server’s page. The final price payable will automatically be manipulated by the web impostor to a value of his choice. This information is then sent to a payment system with whom the impostor has partnered. If the amount involved in the transactions is high, the price manipulation may sometimes go unnoticed. Repeated attacks in this manner can potentially cripple the security of online merchants and lead to great financial losses. Similar vulnerabilities also exist in third party software like the 3D3 shop factory, where price and item related information is stored in client side cookies which may easily be manipulated by the web impostor. The Smartwin technology’s Cyber office shopping cart 2,0, for example, is always attacked by downloading the order form locally and then resubmitting it to the target server with the form modified to have hidden unreal values. Some of the vulnerabilities as described by Pearson, Pearson and Green are as outlined below: Buffer Overflows Buffer Overflow vulnerabilities are often not very common on web applications using Perl, PHP and ASP. Sending a larger amount of bytes to web applications that are not committed to dealing with them can have unexpected consequences. In one of the penetration testing, for example, it was easy to disclose the path of the PHP functions in use by sending large amounts of data in the input fields Multiple buffer overflows are often discovered in the PDG Soft shopping cart which automatically allows the web impostor to execute codes of his own choice by overwriting the saved return address. Error pages always serve as important sources of critical information; the errors can always be induced in web applications which do not follow strict input validation principles. For example, the application may fail when alphabets or punctuation marks are use instead of numeric values. Cross-Site Scripting This attack is targeted against the end user and often occurs due to lack of input validation caused by the web application and the trust placed by the final user of a URL that carries a vulnerable website’s identity. The attack requires a web form that allows the user to input or access and print results on a web page. In most instances, the impostor would craft the URL in order to try and steal the user’s cookie, which automatically would contain the sessions ID and other crucial information. The JavaScript has always been coded to redirect the user to the impostor’s website where malicious codes can be launched by use of active controls in the internet explorer. However, the JavaScript can also be used to confuse the user with a site that looks similar to the original website and requires entering sensitive information. The sensitive information may always be for that same website or the user’s credit card number. Remote Command Execution The most catastrophic web application vulnerability happens when the CGI script enables the impostor to execute operating system commands due to insufficient input validation. This is mainly common in the use of the ‘system’ call in Perl and PHP documents. Using a command separator and other possible shell metacharacters can enable the impostor to execute commands with the privilege of the web service provider. Weak Authentication and Authorization Tools such as Brutus have always been used to attack authentication mechanisms that allow multiple failed logins. In addition, when a web site uses and does not pass session IDs over Secure Socket Layer, an impostor can sniff the traffic to determine the user’s credentials. Since Http is a stateless protocol, web applications always maintain the status quo using the session IDs stored in a cookie on the user’s system according to Bruce Thomas, Bernhard Weerdmeester and Ian McClelland, (132). The session ID becomes the only way the web application can possibly identify the online identity of the user. When the ID is stolen, for instance, through XSS, the impostor can take over a valid user’s online identity in relation to the vulnerable website. In situations where the algorithm is used to produce the session’s ID, the ID is always weak therefore it is important to write a Perl script to enumerate across possible session ID space. Results and Discussion A study conducted by Pew Internet as noted in the recent past revealed that about 40% of all internet users use online banks (Atul, Kevin and Laura (1). Another research conducted further revealed that close to 30 percent of websites third party websites in an unsafe way according to end users (Atul, Kevin and Laura (3). However, only seventeen percent of the third party sites gave some kind of notification concerning their transitions to other sites. Table 1: Summary of Security-relevant Design loopholes at Financial Institutions Specific design flaw Sites affected in % Principle violated Insecurely emailing security sensitive information 30 Confidentiality Insufficient policies for user passwords and ids 27 Hard-to-guess credentials Security advice on insecure pages/ Contact information 56 Not securing security-relevant context Presenting secure login options on insecure pages 47 Embedding sensitive forms on web pages that are not secure Break in the chain of trust 30 Little security context for informed decisions The figure below shows the number of user visible design flaws against the sites. Source: cups.cs.cmu.edu Conclusion It is worth noting that the security vulnerabilities discussed in this study may not be entirely exclusive to online payment systems. They can easily be present in other web applications as well. In the case of e-commerce systems, the vulnerabilities pose a graver danger due to the sensitiveness of the financial transactions that are meant to be carried out online. What is at stake may not only be a direct loss of revenues as companies may also experience serious losses to their reputations. In some instances they can be faced with legal penalties for violating the customer’s privacy and for mishandling their trust. It of great importance that the web application developers and designers to consider security as a primary goal in order to provide the highest possible service to costumers. The enormous increase in online transactions has always been followed by an equal rise in the number and ways of attacks targeting the security of online payment systems. Many of these attacks have depended on vulnerabilities published in reusable third party systems utilised by websites, for example, the shopping cart software. Designing the human interface of a website should be biased towards drawing the attention of users to the business that ought to be transacted and henceforth retaining their attention. Results from previous studies have shown that system quality is the major factor that affects the ease of use of a site as perceived by the users. On the other hand, information quality impacts their perception of usefulness. Yet again, service quality impacts trust but may not necessarily affect perceived usefulness and ease of use. References Aladwani, A.M.and Palvia, P.C. "Developing and validating an instrument for measuringvuser-perceived web quality". Information & Management, Vol. 39 No.6, pp.467-76. 2002. Atul Prakash, Kevin Borders and Laura Falk (nd) Analyzing Websites for User-Visible Security Design Flaws, viewed 25th May, 2010. http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdfBruce Thomas, Bernhard Weerdmeester and Ian McClelland. Usability Evaluation in Industry. Taylor and Francis Publising. 1996. Jun, M., Yang, Z., Kim, D. "Customers' perceptions of online retailing service quality and their satisfaction", International Journal of Quality & Reliability Management, Vol. 21 No.8, pp.817-40. 2004. Liu, S.P., Tucker, D., Koh, C., and Kappelman, L. "Standard user interface in e-commerce sites". Industrial Management & Data Systems (IMDS), Vol. 103 No.8/9, pp.600-10. 2003. Long, M., McMellon, C. (2004) "Exploring the determinants of retail service quality on the internet", Journal of Services Marketing, Vol. 18 No.1, pp.78-90. Melián-Alzola, L., and Padrón-Robaina, V. "Tangibility as a quality factor in electronic commerce b2c", Managing Service Quality, Vol. 16 No.3, pp.320-38. 2006. Pearson, J.M., Pearson, A., Green, D. "Determining the importance of key criteria in web usability", Management Research News, Vol. 30 No.11, pp.816-28. 2007. Pratt, J.A., Mills, R.J., Kim, Y. "The effects of navigational orientation and user experience on user task efficiency and frustration levels", The Journal of Computer Information Systems, Vol. 44 No.4, pp.93-100. 2004. Read More