E-Banking and E-Commerce Security Issues and Solutions - Coursework Example

Summary
The author of the paper "E-Banking and E-Commerce Security Issues and Solutions" will begin with the statement that technology has allowed information to be communicated easily and inexpensively and people are now able to do online transactions, through it sending valuable information…

Extract of sample "E-Banking and E-Commerce Security Issues and Solutions"

Abstract— Technology has allowed information to be communicated easily and inexpensively, and people are now able to carry out online transactions, sending valuable information through it. With every kind of online transaction there are security issues that come along with it. For the majority of people across the world, the use of online transactions is determined by the security and privacy of the user's personal data, with concerns that include credit card numbers, virus attacks and fear of identity theft, among others.

Index Terms—Protocol, Security

I. INTRODUCTION

There is an increasing dependence on computer networks and the internet to access and make payment for goods and services. Online transactions normally take place based on trust between the consumer and online vendors. Trust is the confidence buyers have in online vendors in terms of reliability and integrity, which is associated with consistency, competency, honesty, fairness, responsibility, helpfulness and benevolence [1]. One of the ways in which transactions take place is through online payments. Therefore, their security issues are the centre of focus. There are two basic patterns of online payment: one is bank for business payment, also known as online payment, and the other is the third-party payment platform. The online payment security issues include leakage of information, transaction, fraud and network systems risk, among others [2]. Recently, privacy and security have become the most important concerns for electronic technologies [3]. The internet has provided a means of communication between customers and various companies or online vendors. In many instances people are seen engaging in online shopping, e-banking and e-commerce. This means a lot of vital information travels over the internet, and this has caused major concerns over the security of transactions as well as concerns over the protection of individuals' privacy.
Information about online users that is normally collected during online transactions is categorized into (1) anonymous data, which includes the browser type and the computer's IP address; (2) non-identifying personal information, which is information that does not identify the person, such as age, gender and education level, among others; and (3) vital information that can be used to identify someone. This information includes addresses, either postal or email, the telephone number and the credit card number [4].

II. SECURITY FEATURE ON ONLINE TRANSACTION

Security features do not necessarily assure or guarantee a secure system, but they are put in place, or rather used, to determine the design of a secure system. Security features are categorized as authentication and authorization; authentication is the verification that the persons using the system are who they say they are. Through authentication, authorization is only allowed on the basis of the validity of the information held. Then there are encryption, auditing, integrity, availability and non-repudiation [3].

III. SECURITY PROTOCOLS

There are different protocols that are used to secure online transactions.

Secure Sockets Layer (SSL). SSL, as a security protocol, offers security and protection to the communication between any SSL-enabled client and server software running on a network. This is made possible by the addition of a layer between the network transport protocol and the application data. In SSL, data is encrypted before transmission and decrypted before being used by the receiving system. SSL works together with digital certificates and a combination of both public and private keys to provide privacy in communication [5].

Secure Electronic Transaction (SET) protocol. Secure electronic transaction is a mechanism that helps to achieve secure payment using card transactions over open networks.
VISA and MASTERCARD jointly developed this set of protocols, which operates at the application layer. It aims at achieving secure, cost-effective online transactions intended to satisfy market demand. SET offers standard business requirements, which specify the following: provision of confidentiality when handling order and payment information from online customers; integrity assurance for all the data transmitted over the network; authentication of cardholders as legitimate users of a credit card account; provision of authentication that a merchant can accept credit card transactions through its relationship with a given financial institution; ensuring that best security practices are used and designing the system to offer protection to all legitimate parties involved in an electronic transaction; creation of a protocol that neither relies on transport security mechanisms nor prevents their use; and facilitating and encouraging interoperability among software and network providers. The secure electronic transaction protocol also concerns itself with confidentiality by ensuring that all messages are encrypted, ensuring that all parties have a level of trust through the use of digital certificates, and providing information only when it is [6].

A. Security architecture of SET

The electronic transaction usually begins with the cardholder. In this scenario, there is a financial institution, which establishes the account for the cardholder and issues payment. A merchant or online vendor is responsible for providing goods and services to the customer in exchange for payment. A payment gateway is usually a device operated by the acquirer or the financial institution, or by a third party, and is responsible for processing the vendor's payment messages. The encryption system used by SET is a symmetric encryption system [6].

IV. FAIRNESS AND THIRD PARTY PROTOCOL

This protocol is one of the fairness protocol systems.
A fair system is a system that does not discriminate against its parties, both buyer and seller, who are behaving as expected. The system stresses that as long as the parties behave as expected, it ensures that others who are not behaving correctly do not gain an advantage over them. This is because the system works under three important conditions: effectiveness, timeliness and fairness. Effectiveness is achieved where the protocol is executed correctly and both parties, the vendor and the online customer, honour their commitments; each party will then have what it wanted, the vendor receiving the payment and the online customer receiving the goods or services. Timeliness ensures that protocols are executed only within an acceptable timeframe. Fairness is subdivided into two. Strong fairness is where either neither the vendor nor the customer receives the expected items from the other, or both of them receive them. Weak fairness occurs where, at the end of the exchange, either strong fairness is achieved or the party that did not receive the required items is in a position to prove to a third party that the other party has received or can still receive the items, without the further involvement of the other party [7]. A trusted third party (TTP) is any intermediary or nonpartisan party in an online transaction that is used in fair exchange and functions to ensure that the vendor and the online customer both receive the items they expect, or that neither does. A trusted third party is normally neutral, available and trusted by the two parties. The TTP ensures there is a fair exchange of items, acts as a delivery agent that gives items to both parties, provides a solution to the parties where there are disputes, validates items and issues certificates.
Fair exchange protocols that use a TTP are subdivided into three: protocols based on an inline TTP, protocols based on an online TTP, and protocols based on an offline TTP [7].

V. SECURITY THREATS ON ONLINE TRANSACTION

Security is important in online transactions: security breaches normally occur, and the consequences are high. Despite the fact that online transactions offer convenience in buying and selling, it is noted that in recent years there have been many security threats to online transactions [8]. The threats to security in online transactions are as follows.

Denial of service attack (DOS). A denial of service attack normally takes place in two possible ways, that is, spamming and viruses. These include spamming, where unsolicited commercial emails are sent to individuals; email bombing, where an attacker sends thousands of emails to one computer or network; and surfing, which occurs when a hacker places a software agent onto a third-party system and then sets it off to send many requests to an intended target. There is a kind of DOS that is hard to detect, called a distributed denial of service attack, which occurs when a hacker places software agents onto a number of third-party systems and sets them off so that they simultaneously send requests to a computer or a network [3].

Unauthorized access. This is where a hacker gains access to systems, applications or data without legitimate rights, for purposes well known to them. There are two types of unauthorized access. Passive unauthorized access is where a hacker intentionally listens to communication channels and extracts information without causing damage. Active unauthorized access is where the attacker causes damage to information by modifying it [3]. Revelation, through unauthorized access, of vital information and data intended to remain confidential causes huge losses to online buyers.
Information alteration through entering, modifying and overwriting without legitimate authorization is a major type of attack that causes great problems to users. Many people are tempted to believe that an online transaction over an SSL connection is safe. Security experts stress that so long as there is a yellow padlock symbol in the browser window then everything is safe. Security concerns in SSL arise because SSL is designed in such a way that it secures the tunnel from the end user's computer to the online vendor's mainframe computers and does not offer protection to the end user's computer, the end point. This creates a weakness where an attacker can install a Trojan on the user's computer. A good example is a key logger program. This normally happens when users are online and download a program that is infected with the Trojan; when the downloaded program installs, so does the Trojan. When a user logs into the vendor's site to make payments, the information is captured and sent to the attacker [8].

There is another kind of security breach called a man-in-the-middle attack, where a malicious attacker intrudes into an existing connection established by the user during an online transaction with the vendor, intercepts the data that is exchanged and injects false information into the connection. An attacker normally uses the following methods to achieve this: eavesdropping on the connection, then intruding into the established connection, intercepting information and modifying it. Through a method known as phishing, an attacker uses email or malicious websites that pose as legitimate websites and solicit personal information such as credit card numbers. These attackers also use pharming, which is a type of fraud where the client's internet connection is diverted to a counterfeit website. When users enter correct addresses in a browser, for instance, they are directed to a forged website.
Under pharming, the attacker achieves all this either by changing the hosts file on the victim's computer or by exploiting vulnerabilities present in the DNS server. Recently, online identity theft has been executed using both pharming and phishing. Other kinds of threats include viruses, worms, spoofing, Trojan horses and drive-by downloads [8]. Viruses are self-replicating computer programs that normally perform unintended functions or make computer systems unreliable [3]. A server worm called SQL Slammer, for instance, attacked Microsoft SQL Server version 2000 and version 2000 of Desktop Engine and caused slowness in online traffic, causing a temporary cut-off of cash at some financial institutions [8].

Hacking of credit cards. Most people have the notion that hackers capture credit card numbers while they are being transmitted through the internet. This makes sellers or merchants pay more attention to protecting the credit card through encryption, to ensure safe travel over the internet. This is seen as a way to secure online transactions, and it actually works, but there are threats because most security breaches take place after the transaction is completed, in instances where the customer's credit card number is stored in unprotected mode in the merchant's computer systems. This means a hacker can sniff the information and steal the credit card numbers. Protection of the merchant's database is of equal importance to protection of the credit card number by encryption during an online transaction [1].

VI. SECURITY IMPLEMENTATION ON ONLINE TRANSACTION

Security threats normally affect online transactions through the various vulnerabilities that exist. It is not possible to achieve security using a single control or security device. Most of the issues arise because of the unprotected information that is sent between the customer and the vendor's servers.
There are several mechanisms, such as user authentication and identification, data encryption and firewall mechanisms. Online transaction systems need to be available and reliable. A system should be available every day of the week, 24 hours a day, 365 days a year. It must have mechanisms to detect denial of service attacks as well as to recover from them, because these attacks make the system unavailable to users. To ensure reliability, transactions need to be atomic, meaning that a transaction either occurs successfully or does not occur at all, and should not hang or be left inconsistent. All the necessary network, hardware and software components that facilitate the transaction need to be reliable. This can be achieved by employing some aspects of redundancy, meaning that components critical to the system are deliberately duplicated. There are two types of redundancy, static and dynamic. Static redundancy normally uses n versions of a component (function) together with m-out-of-n voting on the basis of diversity. Dynamic redundancy switches to a redundant component when an error is detected in the current hardware or software. Additionally, a fault tolerance mechanism is needed to further ensure reliability. This could include the incorporation of stable storage and the use of a resynchronization protocol for crash recovery [9].

There is also a need for user anonymity and location untraceability. These two can be provided separately or jointly. When used alone, the user anonymity security service offers protection against disclosing the identity of the user. With untraceability, security mechanisms offer protection against disclosure of the origin of the message. All this can be achieved by routing network traffic through anonymizing hosts so that the traffic appears to come from these hosts.
It is a requirement, however, that at least one of the hosts on the network path be honest for the traffic source to remain totally anonymous. There are several ways to achieve anonymity even in our daily lives, for example by using pseudonyms instead of our real names. Similarly, there are mechanisms that can be used to achieve anonymity of users and of the traffic flowing between them and the other party in an online transaction. An example is the chain of mixes proposed by D. Chaum, in which user anonymity and location untraceability are achieved by a series of anonymizing hosts, also known as mixes. This mechanism is normally independent and provides protection against traffic analysis [9].

Confidentiality of online payment data. Online payments all generally carry payment instructions and information pertaining to the order. This information can include a credit card number or other vital information. Confidentiality ensures that unauthorized access and use are prevented. This can be achieved by the use of dual signatures and digital signatures. A dual signature offers confidentiality to purchase order information with respect to the payment gateway. Digital signatures are used to provide integrity of the data. This means that the information will remain in the same state as it was sent. The digital signature uses a technique known as cryptography. The common one is public key cryptography, also known as asymmetric cryptography. Here the sender is normally assigned two keys; one is private and the other public. As the message is sent, it is encrypted using the public key and then decrypted by the recipient using the private key. In this case, the recipient can determine whether the data has been changed in transit. To achieve more secure confidentiality in digital signatures, a one-way hashing algorithm is first used to calculate the message digest, and then the sender's private key encrypts the message digest.
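The hash-then-sign step and the dual signature described in this section, as an added example (not code from the paper or from the SET specification). It goes slightly beyond the text by spelling out the usual dual-signature construction, one signature over the digest of the payment digest joined to the order digest, so that the merchant and the payment gateway can each verify it while seeing only their own half. The toy RSA key, the sample order and payment strings, the choice of SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib

# Toy RSA key pair for the cardholder, constructed for this example only.
# Textbook RSA without padding; the primes are the Mersenne primes
# 2^521-1 and 2^607-1, easy to write down but unsuitable for real keys.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def digest(data: bytes) -> bytes:
    """One-way hash of the message (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()


def sign(message_digest: bytes) -> int:
    """Transform the digest with the sender's private key."""
    return pow(int.from_bytes(message_digest, "big"), D, N)


def verify(signature: int, expected_digest: bytes) -> bool:
    """Undo the signature with the public key and compare digests."""
    return pow(signature, E, N) == int.from_bytes(expected_digest, "big")


def dual_sign(order_info: bytes, payment_info: bytes):
    """Cardholder side: one signature covering both digests."""
    oimd = digest(order_info)            # order-information digest
    pimd = digest(payment_info)          # payment-information digest
    return sign(digest(pimd + oimd)), oimd, pimd


def merchant_verifies(order_info: bytes, pimd: bytes, dual_sig: int) -> bool:
    """Merchant holds the order and only the digest of the payment data."""
    return verify(dual_sig, digest(pimd + digest(order_info)))


def gateway_verifies(payment_info: bytes, oimd: bytes, dual_sig: int) -> bool:
    """Payment gateway holds the payment data and only the order digest."""
    return verify(dual_sig, digest(digest(payment_info) + oimd))


# Constructed sample messages (not real order or card data).
ORDER = b"order=1001;items=2 x widget;total=40.00"
PAYMENT = b"card=0000-0000-0000-0000;amount=40.00;order=1001"


def demo() -> dict:
    dual_sig, oimd, pimd = dual_sign(ORDER, PAYMENT)
    return {
        "merchant_ok": merchant_verifies(ORDER, pimd, dual_sig),
        "gateway_ok": gateway_verifies(PAYMENT, oimd, dual_sig),
        # A changed order or payment no longer matches the signature.
        "order_tampered": merchant_verifies(
            ORDER + b";total=4.00", pimd, dual_sig),
        "payment_tampered": gateway_verifies(
            PAYMENT.replace(b"40.00", b"4.00"), oimd, dual_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The merchant never receives the payment string and the gateway never receives the order string; each gets only the other half's digest, which is what keeps the two halves confidential from the wrong party while still binding them together.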
This encrypted message digest is what is termed a digital signature. A certificate authority normally manages the key pairs [9].

VII. CONCLUSION

With the increase in technology use and the ever-changing growth experienced in the field of technology, it is clear that the use of online transaction technology will continue to rise, as change is inevitable. In order to increase the confidence of online customers concerning the security of their personal data, online service providers have to embrace mechanisms that will not only ensure legitimate access to information but also control access to the information stored in their databases. Security cannot be achieved on one side alone; online users also need to play a key role in ensuring that they do not lose control over their information, or rather reduce that loss by avoiding disclosing the information to others.

References

[1] L. Wei, M. Osman, N. Zakaria and T. Bo, “Adoption of e-commerce online shopping in Malaysia”, pp. 140-143, 2010.
[2] C. Zhang, S. Jiang and B. Huang, “Strategies for The Security of Online Payments in E-commerce”, Advanced Materials Research, vol. 756, pp. 3039-3042, 2013.
[3] M. Niranjanamurthy and D. Chahar, “The study of E-Commerce Security Issues and Solutions”, perspectives, vol. 2, iss. 7, pp. 2885-2895, 2013.
[4] R. Mekovec and Z. Hutinski, “The role of perceived privacy and perceived security in online market”, pp. 1549-1554, 2012.
[5] I. Ahmad and A. Khan, “Management Level Security in E-Commerce and Biometric Technology”.
[6] V. Ramaswamy, “Security Architecture for On-Line Mutual Funds Trading With Multiple Mobile Agents”, International Journal of Computer Science and Security (IJCSS), vol. 5, iss. 1, pp. 99-106, 2011.
[7] A. AlOtaibi and H. Aldabbas, “A Review of Fair Exchange Protocols”, International Journal of Computer Networks & Communications, vol. 4, iss. 4, pp. 307-319, 2012.
[8] A. Fatima, “E-Banking Security Issues--Is There A Solution in Biometrics?”, Journal of Internet Banking & Commerce, vol. 16, iss. 2, pp. 1-8, 2011.
[9] R. Barskar, A. Deen, J. Bharti and G. Ahmed, “The Algorithm Analysis of E-Commerce Security Issues for Online Payment Transaction System in Banking Technology”, International Journal of Computer Science and Information Security, vol. 8, pp. 307-312, 2010.