Chapter 20: Electronic Commerce


OVERVIEW

This book is about technologies that can be used to provide Internet and intranet security. While most of these technologies are interesting from a theoretical point of view, they need a better and more practical reason to be used and deployed on a large scale. Electronic commerce (e-commerce) is commonly considered to be such a reason and to be one of the major driving forces for the use and further deployment of security technologies, mechanisms, and services on the Internet.

According to RFC 2828, the term e-commerce refers to any kind of "business conducted through paperless exchanges of information, using electronic data interchange, electronic funds transfer (EFT), electronic mail, computer bulletin boards, facsimile, and other paperless technologies" [1]. There are several other buzzwords that also refer to similar ideas:

  • Electronic business (e-business);

  • Electronic government (e-government);

  • Mobile commerce (m-commerce).

The term e-business is often used to refer to the integration of systems, processes, organizations, value chains, and entire markets using Internet-based and related technologies and concepts. As such, e-commerce is merely a part of e-business and is limited essentially to marketing and sales processes. Similarly, the term e-government refers to the use of information technologies to deliver government services directly to the customer (i.e., a citizen, a business, or even another government entity). E-government delivers services in a manner that is most convenient for the customer, while at the same time allowing government to provide those services at a significantly lower cost. Finally, the term m-commerce is used for something similar to e-commerce with the additional requirement that clients are mobile and not necessarily bound to a specific location.

In this book, we use the term e-commerce to collectively refer to all the terms itemized and briefly explained here. In either case, the aim is to use an open and public network, such as the Internet, to electronically market goods and services without having to be physically present at the point of sale [2]. As such, there are many security requirements related to e-commerce. A comprehensive overview is given in [3].

In e-commerce, the Internet may serve several purposes, including, for example, marketing, services, sales, and payments.

  • Internet marketing includes advertising and providing information about an organization (i.e., a company) and its current offerings. Compared to advertising with print media, advertising on the Internet is attractive, given its low cost and easy access to a potentially very large audience. In the recent past, however, Internet marketing investments have slowed down considerably.

  • There are many forms of services that can be provided over the Internet. Many of these services are just electronic counterparts of the services we know and are familiar with in the physical world. Examples include on-line shopping in virtual malls, on-line gambling in virtual casinos, and on-line banking in virtual banks. Other services are inherently new and must be explored with regard to user acceptance first. For example, Federal Express (FedEx) and United Parcel Service (UPS) provide customer access to their databases to check the current status of their postal deliveries. This kind of service is new and has no counterpart in the physical world. It is possible and very likely that we will see many such services evolve in the future. Some of them will be successful, whereas others will not succeed and disappear after a short period of time. In either case, it is very important to be first with a new service.

  • The Internet can also be used for sales. Material goods must still be delivered with conventional delivery services (e.g., FedEx and UPS), whereas many nonmaterial goods may be delivered directly over the Internet. Note that more and more goods that have been offered in material form in the past are now being offered in nonmaterial form. Examples include all forms of print media, such as newspapers, magazines, journals, and books. We are familiar with all forms of electronic newspapers, magazines, and journals. Furthermore, publishing companies and book resellers are strongly pushing electronic books (e-books) to market. With the proliferation of high-speed Internet access, it has even become possible to deliver voice and video recordings in nonmaterial and electronic form. Also note that the Internet is still seldom used for sales. An Internet storefront simply enhances the sales at the real-world retail outlet. It may take a couple of years for merchants to determine the optimal ways to sell effectively on-line, as well as to find and maintain corresponding customers. Retailers still need to demonstrate the advantages of virtual malls, such as timeliness, convenience, ease of use, and potentially lower prices.

  • Finally, the Internet can also be used to handle payments. In fact, there is a wide range of electronic payment systems available today, including, for example, digital cash, electronic checks, electronic credit card payments, and micropayments. Refer to Chapter 7 of [4] or [5–7] for a more comprehensive and up-to-date picture about currently available electronic payment systems.

In general, there are many reasons why an organization (i.e., a company) would like to establish a presence on the Internet. Probably the first and foremost reason is access to a potentially very large audience. Globalization is another issue. Through the Internet, an organization can reach customers in almost every country of the world. Establishing a presence on the Internet is particularly cheap compared with the alternative of opening physical shops and advertising in various countries. Another important reason is potential savings in sales costs. Note that it costs an organization a considerable amount of money to establish a physical shop in a mall, as well as to pay bills, salaries, and commission fees to the corresponding sales staff. Many of these expenses can be reduced by establishing a presence on the Internet. These savings can in turn help reduce the costs of goods or services and make them more competitive as a whole. Finally, organizations can also provide instant updates to the announcements of their goods or services. Note that an organization can easily insert an update that reaches on-line customers almost instantly. The availability of such a rapid update mechanism is particularly interesting for selling goods or services that expire in a relatively short amount of time. For example, on-line updates are attractive for selling vacant seats on airline flights as well as tickets for evening theater shows and plays. Another example in which on-line updates are particularly interesting and important is the distribution of antivirus software.

However, there are also benefits from an e-commerce customer's point of view. Perhaps the most important benefit is the potential savings in time. By logging on to the Internet and accessing information on-line, customers can browse through shops and merchandise from their home at any time. In the real world, by contrast, a customer usually spends hours on a shopping trip, including travel to and from the shopping mall.[1] A related benefit is convenient access to a wide variety of shops and merchandise. For example, a physical shopping mall may provide clothing and some other merchandise, but it may not include a car dealership, an airline ticket office, or an Asian food store. Consequently, a customer must travel to several places if he or she has specific needs. This is arguably not the case in a virtual shopping trip on the Internet. A customer may also like to shop in a virtual mall simply to compare instantly the quality and price of a product from different shops. This may help make shopping decisions easier and faster.

Against this background, a lot has been said about the future of mobile code and agent-based systems. In such a system, a user can send out a (software) agent that autonomously roams through the Internet and acts on his or her behalf. For example, the agent travels to the relevant Web sites, compares the current offerings, and eventually signs a contract on the user's behalf. Obviously, there are also some serious security problems related to the use of mobile code and agent-based systems. How do you, for example, hide the function implemented by the agent? And how do you protect the collected information or the private key the agent must use to digitally sign documents on the user's behalf? These problems are further explored in [8] and Chapter 11 of [4]. In short, there are two core problems:

  1. How to protect an execution environment against potentially malicious mobile code;

  2. How to protect the mobile code against potentially malicious hosts and execution environments.

The first problem can be addressed with a couple of technologies, such as sandboxing or digital signatures to authenticate the software developer. In contrast, the second problem is very difficult (if not impossible) to address. The intrinsic difficulty of the second problem was first pointed out by Bennet S. Yee [9]:

"In agent-based computing, most researchers have been concentrating on one side of the security issue: protecting the server from potentially malicious agents [...] The converse side of the agent security problem, however, is largely neglected and needs to be addressed: how do we protect agents from potentially malicious servers?"

This statement is still true. In fact, there are only a few preliminary results and largely insufficient technologies to address the second problem. To make things worse, the two problems seem to be dependent, meaning that a solution for the second problem is very likely going to make it more difficult to find an appropriate solution for the first problem. For example, if one partly solves the second problem by hiding the agent's function from a potentially malicious host and execution environment (i.e., the execution environment is not able to "see inside" the agent), one also loses the possibility to decide whether the agent is malicious or not. In this case, it becomes very difficult—if not impossible—to make intelligent decisions with regard to the protection of the execution environment. Consequently, at least some technical solutions to address the second problem will be contradictory to the possibility of finding appropriate solutions for the first problem. It is not clear whether other solutions exist at all. This is a very bad situation and it severely limits the likelihood that we will see mobile code and agent-based systems being used for financially relevant applications in the future.

In Part III, we introduced and discussed technologies that can be used to provide communication security on the Internet (i.e., cryptographic security protocols). It is, however, important to note that secure communications do not satisfy all security needs for e-commerce. For example, a customer willing to purchase goods or services from an Internet merchant must still trust the Web server's administrator with his or her credit card information, even if the communication channel is securely encrypted. Note that communication security, in general, protects only the communication channels; it does not protect against disreputable or careless people who may induce careless customers into entering a transaction with them. In a sense, this is similar to the mode of business conducted over switched networks, such as the PSTN or the ISDN. It is common practice today to order goods or services over the telephone network with credit card information, such as the credit card brand, the card number, and the expiration date. More precisely, a customer telephones the merchant, orders some items, and gives out his or her credit card information to accomplish the purchase. The merchant, in turn, verifies the credit card information with the corresponding credit card company. If the credit card is valid, the merchant delivers the items and has the customer's credit card account charged for the corresponding amount of money. The customer gives out his or her credit card information because he or she feels secure that nobody is eavesdropping on the telephone line, and because he or she trusts the merchant to use the information only in reference to the business being conducted and for nothing else. One thing that should be considered with care is that credit card information is stored locally at the merchant's site for later reuse or marketing purposes. 
Let us assume the very likely scenario in which a customer who has used his or her credit card to buy something in the past, and who wants to buy some additional items, is kindly asked at the checkout counter of a shop whether he or she wants to charge the same credit card as the previous time. It is very obvious in this case that the customer's credit card information has been stored at the merchant's site, and that the customer has implicitly trusted the merchant to protect the credit card information against misuse and other security-related threats. This level of trust may not always be justified.

Following this line of argumentation, the credit card number problem that has driven the Internet security discussion in the past is not particularly an Internet security problem; it is rather a problem of how carelessly we use credit card information in the real world. The credit card information that is generally used to order goods or services today should simply not be sufficient to place such an order. In addition to the credit card information, a customer should also be able to provide some additional information that would be used to strongly authenticate him or her and to prove his or her identity or creditworthiness accordingly. This is where cryptography and cryptographic techniques come into play. Many electronic payment systems that are available today address these issues (again, you may refer to the references given above for a more comprehensive overview of currently available electronic payment systems). Note, for example, that one specific feature of the secure electronic transaction (SET) standard for credit card payment over the Internet is that the merchant does not necessarily learn the credit card information of its customers.
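The SET property just mentioned, a merchant that can verify and fulfil an order without ever seeing the card data, rests on the construction SET calls a dual signature: the customer signs the hash of the two hashes of the order information (OI) and the payment information (PI), so each party can check the signature from its own half plus the other half's digest. The following Go program is an added illustration of that construction, not code from the book or from the SET specification; it uses Ed25519 in place of SET's RSA signatures and constructed sample order and payment strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DualSig is what the customer sends along: both digests plus one signature
// over their concatenation. The merchant gets OI in clear and only H(PI);
// the payment gateway gets PI in clear and only H(OI).
type DualSig struct {
	OIDigest  []byte // H(order information)
	PIDigest  []byte // H(payment information)
	Signature []byte // Sig(H(H(OI) || H(PI)))
}

func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// MakeDualSignature is the customer's step: one signature binds the order
// and the payment details together.
func MakeDualSignature(priv ed25519.PrivateKey, oi, pi []byte) DualSig {
	oid, pid := digest(oi), digest(pi)
	return DualSig{OIDigest: oid, PIDigest: pid, Signature: ed25519.Sign(priv, digest(oid, pid))}
}

// MerchantVerify recomputes H(OI) from the order it actually received and
// checks the signature against it and H(PI); the card data never arrives.
func MerchantVerify(pub ed25519.PublicKey, oi []byte, ds DualSig) bool {
	return ed25519.Verify(pub, digest(digest(oi), ds.PIDigest), ds.Signature)
}

// GatewayVerify is the mirror image: the gateway sees PI but not the order.
func GatewayVerify(pub ed25519.PublicKey, pi []byte, ds DualSig) bool {
	return ed25519.Verify(pub, digest(ds.OIDigest, digest(pi)), ds.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	oi := []byte("constructed order: 2 books, total 48.00")         // sample OI
	pi := []byte("constructed PI: card <PLACEHOLDER-PAN> exp 12/29") // sample PI
	ds := MakeDualSignature(priv, oi, pi)
	fmt.Println("merchant accepts order:", MerchantVerify(pub, oi, ds))
	fmt.Println("gateway accepts payment:", GatewayVerify(pub, pi, ds))
}
```

A digest alone does not hide a low-entropy card number from an exhaustive guess, so SET additionally encrypts the PI to the gateway's public key; that step is omitted here.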

[1] Note, however, that sometimes a shopping trip is also considered to be a social event.




Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144
