Analysis Of The Security Of Digital Transactions Information Technology Essay

Published: November 30, 2015 Words: 3069

ABSTRACT

Over the years, businesses and organizations have looked for more secure and convenient ways of carrying out their business activities. When smartcards were introduced into the e-commerce world in the form of MasterCard and Visa cards, they gave businesses, organizations and merchants an opportunity to enjoy better business transactions with their customers; but another issue emerged, namely the online theft of cash or confidential data. This research paper investigates the impact of consumers' perceptions of security issues in digital e-commerce transactions and proposes additional security options that can be implemented in smart-card features to improve their security.

INTRODUCTION

E-Commerce denotes Electronic Commerce and refers to the purchasing and selling of goods and services on the Internet/World-Wide-Web. Nnadoziel (2008) describes it as the sales aspect of e-business (Electronic-business). It also includes the exchange of data to facilitate the financing and payment aspects of business transactions.

Businesses which depend on transactions involving the exchange of cash can now carry out transactions with ease through the internet, and this provides a wider range of customers for any business. Because of the medium of exchange used in these business transactions (money in this case), coupled with the total reliance on the internet for these transactions, some advancements were made in technology which led to the conception of credit cards, which provide an easier and more reliable method for authentication and payment transactions. However, with the continuous development of computer networks and smart cards, network security has become an important issue.

E-commerce (Smartcards)

Smart cards were first introduced into the Banking sector in the USA and other parts of the world in subsequent years. Their introduction decreased the reliance on handling and paying physical cash before monetary transactions could be made and a smart card used for conducting business can now serve as a means of identification or authentication of the cardholder whenever a transaction is to be made.

Ecommerce was first introduced in Nigeria in 2004. This led to high technology channels such as ATMs and smart-cards. By 2006, Visa provided internet payment systems and debit cards which helped to develop electronic payments, and some banks adopted this new method, adding the substantial benefits of a cashless society to the economy. This new invention has provided some security features; but even though these smart cards are considered secure enough for business transactions, there still exist unavoidable loopholes within the system which can be examined from both the buyer's and the business owner's perspective.

Figure: Smart card example. Source: Maxim (2007).

OBJECTIVES

Several security needs are required in any transaction taking place over the internet involving the use of smart cards but only a few of these needs are common to most transactions. The main needs are Confidentiality, Integrity, Authorization, Authentication and Non-Repudiation of Information. The research paper's objective includes how to ensure these security features of information are included in digital e-commerce transactions involving smart-cards.

The above-mentioned needs are significant security needs in ecommerce. Even though ecommerce systems are pertinent to the services industry, they create ways for the image/brands of organizations to be attacked and therefore need to be adequately secured. This research's questions are:

Who bears the risk involved in ecommerce digital transactions?

How can e-commerce transactions be made more secure than they presently are?

How can suitable security features, attributes, and countermeasures be implemented into an e-commerce system while under development, rather than waiting until afterwards to conduct a costly 'test and rework' campaign?

This research paper is aimed at throwing some reflection on the issues which are currently facing internet security and particularly e-commerce transactions and to also investigate measures which can be used to improve already existing solutions or reduce the risk underlying it.

The technical structure of smart-cards and its effect on security is reviewed and options for better security are discussed. The focus will be on the areas where security is most needed to ascertain that the data being transferred is not compromised. Its objective will be to deduce techniques to combat future digital e-commerce security threats. It will include research into the security threats which exist in the e-commerce world, using a bank in Africa as a case study, and examine what possible security issues could be a challenge to the growth of e-commerce in the near future.

LITERATURE REVIEW

With the advent of globalization and IT (information technologies), the face of organizations is gradually changing, as information technology is now being incorporated into almost all business transactions. As a result, there is also a growing interest in the use of electronic commerce to carry out business transactions.

While growing over the years, the ecommerce industry has experienced different levels of development; this is always directly or indirectly influenced by consumers' wants or needs, because the main aim of creating a means of online shopping is to provide more convenience for consumers, so that irrespective of their location they can purchase either goods or services. Kalakota and Whinston (1997) believe ecommerce issues can be viewed from both the consumer's and the merchant's perspective; the organization could see it as an advantage or a disadvantage, and the same goes for consumers. The reduction in the cost of Internet usage has made organizations move towards using ecommerce for business transactions. A result of this movement, in Africa and all other parts of the world, is that organizations can now afford to interact with a much larger number of trading partners and also build customer-specific relationships that would have been too expensive in the past.

As Maiwald (2003) says, Organizations who choose to perform e-commerce are taking a risk. Implementing adequate security in transactions has always suffered in line with maintaining user convenience (Marchany and Tront, 2002). For customers, the convenience and ease of shopping without physically visiting stores is an advantage, however there is the issue of security. Udo (2001) mentions the security concerns of consumers whose information is now more open to anybody over the internet unlike previously when only authorized parties were allowed access to such information.

With quite a similar point of view, Smith (2004) believes customers feel more in control when technology isn't really involved in interactions with their business counterparts; it is discovered that most customers base their decisions on the interest and expected benefits from the shopping process.

In the same vein, according to Huang (2007), Pavlou and Gefen mention lack of trust as one of the most frequently cited reasons for consumers not purchasing from Internet shops, and say that trust helps consumers overcome perceptions of uncertainty and perceived risk and engage in "trust-related behaviors" with Web-based vendors, such as sharing personal information or making purchases.

Turban (2000) also says that "a determinant of the level of trust customers possess is an assurance from the card system that all transactions made with cards are relatively done accurately and securely". In addition to the threat of a third party on a transaction network, the price of goods/services being purchased can also have a fair impact on consumer's behavior i.e. the thought that the higher the cost of the goods being purchased, the higher the risks of a security breach (Yenisey, 2005); and this could make them avoid carrying out excessive digital transactions.

Measures used over time have mostly focused on using protocols to secure the communication channels rather than securing the end-points, thereby leaving the end-points non-resistant to attack. With the need for internet security becoming more indispensable, however, everyone involved is being forced to seek ways of applying measures to prevent online crimes, or at least reduce them to a bare minimum. This search for solutions has led to the exploration of security implementations at the different stages that are common to transactions made via the Internet.

Organizations have come up with several ways to protect the stages mentioned above from unauthorized users. As Das (2011) says, being proactive about security takes on a much greater magnitude now. They have used several security components in digital ecommerce transactions, including protocols such as IPSec, SSL, TLS and SET; however, Leach (1995) says the most significant security function that smart cards need to execute is card authentication, followed by the authentication of the card holder using his/her PIN.

With an opposite point of view, Torres (2006) proposed that smart cards must be able to have their own security credentials, independent of the card holder or terminal, if they can authenticate themselves. In a case where the server can be superseded by malicious activities, it needs to be authenticated by the smart card.

Seeing that authentication is very essential and is two-way, i.e. customer to vendor and vice versa, Stumpf et al. (2008) proposed security protocols using attestation techniques to solve the issue of security threats in these transactions. This idea appears practically logical because most of the security violations experienced are indirectly linked to the authentication of entities, and in situations where this is lacking, the activity or service becomes susceptible to attacks such as man-in-the-middle attacks.

Nevertheless, the easy accessibility and usage of the technology for consumers as well as consumer's trust in the system is an important goal to keep in mind. The fact still remains that no matter the height to which technology grows it is still subject to imperfections in some aspects and the present security infrastructure is quite limited. Despite the problems ecommerce faces, it is evidently clear that business-to-consumer digital e-commerce is on the increase in all parts of the world. As a result of this, there are questions about what factors could be driving this acceptance and if consumers and businesses involved are aware of or concerned about security issues.

It is obvious that several technological advancements have been implemented to reduce the effect of security threats in the past, but every measure has a setback of some sort. With all this previous research in mind, it is clear that there are still pending security issues to be solved, depending on the security threat being tackled and the perspective from which such a threat is viewed.

PROPOSED RESEARCH METHODOLOGY AND METHODS

The methodology to be used will be in stages, which include the selection and focus stage, the analysis stage, and the outcomes and convergence stage. Procedures will be from the outside to the inside. Firstly, the research scope is defined and previous literature publications are identified using a predefined criterion. To have a comprehensive overview of ecommerce digital transactions and the security issues faced in the field, research will be carried out by drawing on novel and original research from prominent peer-reviewed journals, books and conference proceedings with high prestige. Other publication sources are also included in this research. The collection and integration of this past research is intended to facilitate future research.

As mentioned above, a survey based on a study of journals and conference papers shall be done; this includes master's theses, textbooks, doctoral dissertations, conference proceeding papers and unpublished working papers. There will also be some experiments to investigate smart card construction and to develop and evaluate an algorithm which could add more security to its configuration. Although all this research might not be exhaustive, it serves as a comprehensive base for an understanding of research into the security of ecommerce digital transactions. Two methods for the collection of data to answer the questions asked will be employed, namely interviews of some organization personnel to provide qualitative data to aid analysis of the quantitative data collected with the second method, which is the questionnaire.

Questionnaires will be aimed at gathering what consumers and businesses think about ecommerce as a technology for purchasing goods/services online, and the security fears they face in such transactions are also going to be used for subsequent analysis. Would the existing customers use any new implementation of smart cards, and what would they like to add as a feature to it? Security in ecommerce has also been considered to be one of the most important issues, slightly ahead of some other areas including mobile computing. Some establishments using the internet are not aware of the associated risks they face. The research will also attempt to keep technical questions in the consumer questionnaire to a minimum, as the majority of likely respondents are assumed to be non-specialists. For companies, Furnell (1999) suggested these questionnaires be prepared with the aim of assessing:

The respondent's background and expertise in the field;

The organization's concerns in online business;

The respondent's policy for security in their internal network, and whether they are aware of any standards in information system security;

It will be focused on the banking industry (particularly in Africa). How respondents' awareness of security technologies and security concerns has impacted on their attitude to purchasing goods online will also be assessed, to determine if their concern has stopped them from engaging in this activity.

The present system is going to be analyzed and its weak points discussed. A considered approach is a situation where an attacker is deceived into believing that the Application Protocol Data Unit (APDU) travelling over the internet is a genuine one which is generated from a credit card. There will be analysis of the vulnerable points along the transaction's path that this attacker could easily exploit to compromise the security of systems, and of known issues which a system/organization using smart cards is liable to experience. To detect an attack which occurs during the use of a smart-card, one can tag the transmitted data used for communicating. The following communication streams can be tracked:

Communications between the smart-card and the card terminal.

Communications between external systems and the card terminal.

The main focus of this research will be on the first communication and then a security feature that can be used to improve the security of the information that is being transferred shall be proposed. The programming language Java-Card 1.6 will be used in designing the implementation of these features.

Normally, communication between the terminal and the SIM card does not include the security of what is being transferred, but because of the sensitivity of the content of the communication, encryption/decryption processes will be applied.

There are two basic security attack points in the communication process mentioned above, which involve the card and its terminal. The security feature being proposed will focus on the security vulnerability/leakage at one of the points. The second vulnerability spot would involve modifying information or data sent to or received from the external systems; this cannot be controlled by the terminal, and therefore it would be impossible to achieve. Some other options were considered, such as the Open Source Security Testing Methodology (OSSTMM). It attempts to set a standard for security testing on a running internet system. It can be used to test the Internet part of a running ecommerce system too. But the hitch encountered is that it cannot be used directly during the system design phase.

Finally, the methods of enhancing the security of the communication channel between the smart-card and its terminal shall be discussed. An investigation of the role of the intermediary in these new electronic systems will be carried out to search for evidence of substantial disintermediation. This will be concluded by placing these findings back into the context of the historical perspective described earlier.

EVALUATION

This research is targeted at presenting a strategy to enhance the security of smart-card communications. It proposes an encryption algorithm that modifies an Application-Protocol-Data-Unit before it is transmitted, and will consider the introduction of a sequential value, generated by a pre-determined equation, to seed the initial value (IV0) used to initialize the encryption of the APDU data being transmitted. The end result will be a more secure smart-card which e-commerce customers could use without fear of third-party attacks. However, more work will need to be carried out in some areas, because the programming of smart-cards has to be modified to have these features integrated into the card.
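The scheme outlined above, together with the earlier idea of tagging the card-to-terminal traffic so that an attack can be detected, as an added Python example (not code from the essay, which plans a Java Card implementation). Assumptions: the "pre-determined equation" is modelled as HMAC-SHA256 over a per-message counter, an HMAC keystream stands in for the card's block cipher, and the class, function names, key and APDU bytes are constructed for illustration.

```python
import hashlib, hmac, struct

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def derive_iv(key: bytes, seq: int) -> bytes:
    # Assumption: the "pre-determined equation" is a keyed function of the counter.
    return _mac(key, b"IV0", struct.pack(">Q", seq))[:16]

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for the card's block cipher: HMAC-SHA256 keystream (stdlib has no AES).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _mac(key, iv, struct.pack(">I", i // 32))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class CommandChannel:
    """Terminal -> card direction. Wire format: CLA INS P1 P2 | Lc | ciphertext | tag."""
    TAG_LEN = 8

    def __init__(self, session_key: bytes):
        self.k_enc = _mac(session_key, b"ENC")
        self.k_mac = _mac(session_key, b"MAC")
        self.seq = 0  # implicit counter, kept on both sides, never sent on the wire

    def _tag(self, header: bytes, seq: int, ct: bytes) -> bytes:
        return _mac(self.k_mac, header, struct.pack(">Q", seq), ct)[:self.TAG_LEN]

    def wrap(self, header: bytes, data: bytes) -> bytes:
        self.seq += 1
        ct = _xor_stream(self.k_enc, derive_iv(self.k_enc, self.seq), data)
        body = ct + self._tag(header, self.seq, ct)
        return header + bytes([len(body)]) + body

    def unwrap(self, apdu: bytes) -> bytes:
        header, body = apdu[:4], apdu[5:]
        if len(apdu) < 5 + self.TAG_LEN or apdu[4] != len(body):
            raise ValueError("malformed APDU")
        ct, tag = body[:-self.TAG_LEN], body[-self.TAG_LEN:]
        seq = self.seq + 1
        if not hmac.compare_digest(tag, self._tag(header, seq, ct)):
            raise ValueError("tag mismatch: modified, replayed or out-of-order APDU")
        self.seq = seq  # advance only after the tag verifies
        return _xor_stream(self.k_enc, derive_iv(self.k_enc, seq), ct)

def demo() -> dict:
    key = bytes(range(32))              # constructed session key
    terminal, card = CommandChannel(key), CommandChannel(key)
    header = bytes.fromhex("80200000")  # constructed CLA INS P1 P2
    first, second = terminal.wrap(header, b"1234"), terminal.wrap(header, b"1234")
    result = {"distinct": first != second, "first": card.unwrap(first)}
    tampered = second[:5] + bytes([second[5] ^ 0x01]) + second[6:]
    for name, apdu in (("replay", first), ("tampered", tampered), ("second", second)):
        try:
            result[name] = card.unwrap(apdu)
        except ValueError:
            result[name] = "rejected"
    return result
```

Because the counter feeds both IV0 and the tag, two APDUs carrying the same data differ on the wire, and a captured APDU that is sent again no longer verifies once the card's counter has moved on.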

A better alternative, though more of a proposal, would be that the work flow that will be discussed is built into an acceptable protocol, because without a wide acceptance of this design, its use would be limited to research only. But more work has to be done to make this into a proper protocol and the card reading machines will need to be updated as well. In addition, the full implementation of the design proposed will need a modification into an acceptable protocol; the current terminals and devices would also need to be upgraded to pair up their compatibility with the new system. When all this is achieved, a complete end-to-end test of the design and proposal can then be done to investigate even further.

The algorithm that will be developed to add more to smart-card security features will also need to be enhanced in the future to combat any new threats. The platform used for the development of the algorithm which will be Java 1.6 allows for more enhancement and specialization of it.

The documentation that will be done will be aimed at proposing a secure mode for smart-card communications and it will still leave an open front for further research into enhancing the transmission of Application-Protocol-Data-Units between the card and other devices.

As technology advances, the associated security challenges and the ways of tackling them also advance. Thus, it can be concluded that the equations and codes derived for solving the security issues that will be discussed will be subject to change, as there are various ways of resolving any technical problem, particularly in security. However, this proposed solution will serve as a foundation for other related research in the future.

CONCLUSION

Electronic commerce is an area with substantial promise for future development. Nevertheless, the issue of security will still be a concern in the short term. This is not necessarily related to a lack of confidence in the security technologies themselves; in most cases, users are not sufficiently aware of the possible protection that exists. Businesses are very much aware of the advantages that the Internet can deliver in a commerce environment, but are also aware of the security issues. This paper focuses on the security of the data that is being transferred by the APDU, and also proposes a more secure mode of operation for smart-card communications to ensure this data is not being compromised.