How safe are your online transactions? And how can you make them more secure? -- Cindy Duffield
At the heart of all online transactions is the concept of trust. Where parties are separated by distance, there is a need to know who is on the other end of the "line." This is in contrast to "private" transactions between two parties, where neither needs to know the other's identity, for example, when paying cash for goods in a shop.
The online world, however, follows the trend set by mail-order transactions, where either the merchant must trust the unknown customer to pay after receipt of the goods, or the customer must pay in advance and trust the merchant to deliver.
Online, with the immediacy of the Web, it is necessary to be able to secure the transaction through "authentication" -- knowing that the person you are dealing with is actually who they say they are.
In today's marketplace, technology has advanced sufficiently to assure the integrity of the actual transaction. Each online transaction can be protected by some form of encryption -- essentially coding -- so that identity remains secret.
A number of technologies have begun to be adopted to facilitate this. These include:
Secure sockets layer (SSL) technology
Public key infrastructures (PKIs)
Identity cards and electronic wallets.
SSL sprang up with the advent of browsers. It encrypts the information being sent, ensuring that no one else can read it while in transit.
All browsers are SSL-enabled, as are most websites, thereby creating a secure point-to-point connection. As data, such as credit card details, is sent from the desktop to the website, it is encrypted, usually to a 128-bit standard. This is difficult to hack and widely recognised as extremely secure. However, some transactions overseas ought to be viewed with caution.
Matt Tomlinson, business development director for independent security consultant MIS Corporate Defence Solutions, explains: "In countries where you might have an unstable, military-biased or paranoid government, a lower encryption standard, capable of being breached, may continue to be adopted. The 56-bit standard enables local security forces to watch communications, as well as opens the door to commercial fraud."
However, not everything is encrypted. Financial information usually is, although not all websites encrypt personal information. For example, a bill requested from BT online will not have its content encrypted. The customer's name, address and telephone number, plus any call analysis, will all be "accessible." But BT is far from alone in this stance, and access to personal information of any kind by the unscrupulous could be as damaging as access to financial details.
Tomlinson believes that it is at the final stage of any given transaction where the greatest exposure to risk exists. To process the transaction, the recipient organisation needs to decrypt all of the information. This is when the process is at its most vulnerable. "A good hacker can get into the internal network via a number of routes, wait for the hard work to be completed and then access the data," he says. Tomlinson's view is that too little attention is being paid to the internal network threat and that an entirely separate network, dedicated solely to online transactions, ought to be created to minimise the risk.
Public key infrastructures (PKIs), which have sprung up over the last three years, have come into their own over the issues of "authentication" -- getting assurance that the person communicating with you is who they say they are and has authorisation to purchase, transfer funds or receive goods -- and "non-repudiation," which addresses the case where goods are delivered and the recipient denies all knowledge of having ordered them.
PKIs, which so far have not been a great commercial success, provide individuals with digital certificates, effectively digital passports, with which to move securely around the Internet. These are obtainable via trusted, credible and government-approved organisations: certificate authorities. The organisations involved, which include Verisign, Baltimore, Thawte and Entrust, provide a means of binding an individual, department or company to an identity that can be recognised and verified by other user-designated parties.
Verified certificates provide the ability to digitally sign documents or transactions and verify the signatures of others. The certificate is stored and encrypted under a user-defined pass phrase (private key), credit card number and other unique details.
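As an added illustration (not part of the original article, and not any named vendor's product), the following Go program uses only the standard library to play out the scheme described above: a toy certificate authority binds a customer's public key to a name, the customer signs an order, and the merchant checks both the identity (the certificate chains to the trusted root) and that the exact order text was signed. The names, serial numbers and order text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// enrol generates a key pair for name and has the CA certify it; with caCert == nil it self-signs (the root).
func enrol(name string, serial int64, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if caCert == nil { // self-signed root: it may certify other parties' keys
		tmpl.IsCA, tmpl.KeyUsage, caCert, caKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signOrder: the customer signs the SHA-256 digest of the order text with their private key.
func signOrder(key *ecdsa.PrivateKey, order string) ([]byte, error) {
	h := sha256.Sum256([]byte(order))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyOrder is the merchant's check: the certificate must chain to the trusted root
// (authentication) and the signature must cover this exact order text (non-repudiation).
func verifyOrder(root, signer *x509.Certificate, order string, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return false // certificate not issued by the trusted authority
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(order))
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Enrol the root with enrol("Toy CA", 1, nil, nil), then a customer with the root's certificate and key; verifyOrder then returns true for the signed order, and false both for a copy with the amount altered and for a certificate the root never issued.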
Adoption of PKI and digital certificates/signatures has been slow because PKI has largely been sold as a technology solution in its own right, rather than as a means of solving business needs.
Tomlinson believes that unless awareness of PKI and its associated security products is raised on a national scale, and with the backing of the Government (which, after all, wants to offer Internet access to one and all), it will be limited to the business-to-business market, adopted only by large corporations looking to protect communications among their own business community.
Walk the streets safely
PKI and its associated encryption, signatures and passports are the primary components in online transactions, but there are also a number of advances being made on the periphery.
Electronic wallets, for instance, are being trialled by online bank Egg as a replacement for the credit card payment method. The system allows the transfer of funds to a "server-side" secure holding site, accessed via encryption directly by the merchant from whom goods or services are being purchased.
The E-wallet theme comes in many varieties. The Visa e-commerce security programme is based on traditional credit card transactions. When a cardholder is about to make a purchase online, they will receive a message from their bank asking them to confirm their identity, probably with a password. The bank will then contact the retailer's bank and advise them that the payment is authorised. The retailer will only be provided with the cardholder's shipping details, not their payment information. It sounds complex but it is thorough.
Token ID cards or smart cards are also under evaluation. Internet authentication service Signify believes that they should be adopted instead of credit cards. They offer the facility of an ever-changing number as well as a unique PIN, in combination proving that the user had the card in their possession. This prevents the number from being used again by an unauthorised user. The predicted typical cost is likely to be £15 per user per month.
Pre-paid, unique numbered scratch cards with limited value are also being evaluated, but these focus more on limiting fraudulent use rather than overcoming it and are aimed at the lucrative youth and teenage markets.
Earning a reputation
Dean Adams, principal consultant for secure e-commerce specialist Trustis, sums it up: "We need to be able to trust the infrastructure on which we depend. Security and secure e-commerce technologies can go some way to enabling this trust; the rest depends on legal and regulatory safeguards [which need to catch up] and on the reputations of the individuals or commercial brands concerned".
Securing transactions over the Internet is feasible, but has a long way to go in terms of simplicity and take-up.
WEB banking: ING barings
ING Barings, the corporate and investment banking arm of the ING Group, wanted to implement a secure e-business infrastructure for online trading across 89 offices in 49 countries. Based on PKI technology and the use of Entrust's Entrust/TruPass digital signature-based technology, more than 10,000 employees, partners, suppliers, customers and service providers are now able to undertake secure e-business transactions.
Entrust/TruPass protects data while in transit over and between Web servers. It provides ING Barings users with digital signatures and encryption of transactions, using digital certificates to authenticate users. High on the list of criteria in selecting Entrust products were minimal user administration and minimal changes to the website "feel," in addition to secure communications.
Engineering trust: PwC
Global consulting company PricewaterhouseCoopers (PwC) established its "beTRUSTed" arm as a means of helping clients to exploit the potential of the Internet. BeTRUSTed uses PKI technology as the basis for conducting sensitive, high-value communications and transactions in a networked environment within its business-to-business client base.
BeTRUSTed also acts as a high-grade certification authority providing four classes of digital certificates customised to clients' needs. Certificate carriers can securely identify, authenticate and communicate with one another across untrusted networks. nCipher technology allows for key generation, backup and recovery. At beTRUSTed, no individual has overall responsibility for system security; instead it relies on a team. Protection from internal threats is also provided by storing the private keys in a secure tamper-resistant device before issue and validation.
Reassurance: media sales
London-based Notting Hill Publishing was set up to develop interactive media products. The four-person company elected to sell its products over the Internet following the launch of its first music-responsive graphics application, Dancer DNA. The BT BuyNet payment gateway was implemented, not least because "it was important to have a safe name like BT to reassure those nervous with their credit cards on the Internet. The price was also competitive."
BT BuyNet enables Notting Hill Publishing to process bank payment cards. The system authenticates the cards, identifying whether they are genuine and have not been stolen. It authorises transactions and ensures there are sufficient funds to cover the payment. Notting Hill Publishing receives all the associated information in real time, enabling automatic transaction acceptance or decline. The system is based on SSL encryption, 128-bit digital certificates and BT TrustWise Onsite Server certificates, plus six tiers of security guarding physical access to the BT BuyNet platform.
BT BuyNet is available in two versions: Easy Starter, for companies handling low volumes of card transactions, with the first 100 processed free of charge; and Easy Cruiser, for larger volumes, which calculates charges on a sliding flat-pence scale dependent on the number of card payments. Multi-currency versions are also available.
Reality check: standards
Secure online transactions are feasible, but to become reality, everyone involved -- Internet browsers, merchants, corporations and consumers -- needs to buy into the same standard. Consumers would quickly become comfortable with carrying digital passports if they knew the protection implications and were assured that other security features were in place. But at the moment, awareness is low, suspicion high and the adoption of secure technology simply not pervasive enough.
In this climate, trading will always be limited and the opportunity for abuse high. Finally, costs need to be consolidated and an industry tariff agreed. At present, merchants are charged for transactions via flat-rate costs or percentage-based fees, and the associated hardware and software costs are difficult to confirm, given the varying requirements of different banks, merchants or e-tailers.