I have a Bachelor’s degree in Computer Science and a Master’s degree (with distinction) in Information Systems Security. I am a certified ISO/IEC 27001 lead auditor and an Information Security professional with four years of experience in the banking and I.T. industries. Over the past four years, I have undertaken several research projects relating to the subjects: computing, e-commerce, international relations, and Information Systems. I have also written on topics such as: ‘Systems and Application Security’, ‘Information Security Concepts and Principles’, ‘e-Commerce: An Analysis of the Security of Contactless Smartcard Transactions’, ‘Network Security, Incident Handling and Hacking Techniques’, ‘Information Security Management’, ‘Intrusion Detection’, and ‘ISO27001 Security Auditing’.
Perceptions of Security in e-Commerce with Particular Reference to the use of Smart Cards.
Over the years, organisations have looked for more convenient and safer ways of carrying out their business activities. When smart cards were introduced, an opportunity was provided for organisations to have a more effective and consistent method for payment and verification of transactions. However, sellers need an assured payment for goods and services, while their clientele require protection from misuse of their financial accounts. There has been a gradual increase in fraudulent activities and security issues have emerged. The aim of this research paper is to examine the impact of customers’ awareness of security issues in digital e-commerce transactions and propose supplementary security options that can be implemented into the attributes of smart cards to improve their security.
E-commerce denotes Electronic Commerce and refers to the purchasing and selling of goods and services on the Internet/World Wide Web. Nnadoziel (2008) describes it as the sales aspect of e-business (electronic business). Within the e-commerce industry, organisations which have previously dealt with cash transactions can now carry out transactions with ease via the internet and this provides a wider range of customers for all businesses.
This new invention has provided some security features; however, though the security of these smart cards is considered to be secure enough for business transactions, there are still inescapable loopholes within the system which can be viewed from both the buyers’ and sellers’ standpoint. The use of the internet for these transactions means internal IT and e-commerce systems are potentially accessible by anyone, irrespective of their location (Business-Link, 2010). With the ongoing development of computer networks and smart cards, network security is viewed as an important issue.
Security poses a major challenge to successful e-commerce implementation (Halaweh and Fidler, 2006). Academic researchers agree that security does not involve just a technical challenge; rather it involves executive, organisational and human dimensions to be effective. Therefore, accepting as well as acting upon a customer’s opinion of security is imperative for successful e-commerce transactions. Even when an organisation uses the best technical solutions which provide complete security, unless the customer has the fundamental and conscious perception that its website is secure, these technological solutions may not achieve anything (Bjorck, 2004). Over the years of its development, the e-commerce industry has experienced different stages of growth; this is always directly or indirectly influenced by customers’ wants or needs.
Kalakota and Whinston (1997) believe that e-commerce issues can be analysed from both the customer’s and the buyer’s perspective; the organisation could see it as an advantage or a disadvantage and the same goes for customers. An advantage is that organisations can now afford to interact with a much larger number of trading partners and also build customer-specific relationships that would have been too expensive in the past. However, there is the issue of security. As Maiwald (2003) says, organisations that offer e-commerce are taking a risk. They are investing in new technologies and new ways of providing goods/services in the hope of making a profit from the activity.
Marchany and Tront (2002) say that applying the adequate security measures in these transactions has always suffered in line with sustaining user convenience. The customers view e-commerce as an advantage because they can easily log onto the internet and purchase goods and services. However, they are conscious of the issue of security. Udo (2001) mentions that customers generally feel insecure because their information is now open to everybody over the internet, unlike previously when only authorised parties could access such information.
Smith (2004) also believes that customers feel more in control when technology isn’t involved in interactions with their business counterparts and, apparently, most customers base their decisions on the interest and expected profits from shopping online.
In the same vein, according to Huang (2007), Pavlou and Gefen mention lack of trust as one of the most frequently cited reasons for customers not purchasing from internet shops and say that trust helps customers overcome perceptions of uncertainty and perceived risk and engage in ‘trust-related behaviours’ with web-based vendors, such as sharing personal information or making purchases.
Yenisey (2005) adds that in addition to the threat of a hacker sniffing at their personal details, the price of goods/services being purchased can also have an impact on customers’ behaviour. The thought is that customers believe that the higher the cost of the goods being purchased, the higher the risk of a security breach and this could lead them to avoid carrying out excessive digital transactions.
Offering a contrary point of view, Dinoj (no date) believes that when digital commercial transactions using the internet are not numerous and don’t contain large monetary values, the potential threat could be regarded as an acceptable or low risk level; however, once e-commerce customers gain more confidence, thereby increasing the volume of online business transactions, the risk-exposure level will rise because this attracts fraudulent activities. However, Gonzalez (2001) believes that lack of security and fear of attacks are among the reasons why there’s slow growth of online commercial transactions by both the customer and buyers. As Meng (2008) says, even though we have technological growth, imperfections will always exist on various levels.
Marchany and Tront (2002) state that until recently the security measures used have mostly focused on using cryptographic protocols to secure the communication channels rather than securing the end-points. This leaves the end-points vulnerable to attack. Security has become indispensable and therefore everyone involved now finds it necessary to seek ways of applying security measures to prevent or reduce online theft. This search for security solutions has resulted in good methods of security implementation that are common to all transactions made on the internet. As Das (2011) says, being proactive about security now takes on a much greater importance. Organisations have come up with several ways to protect end-users, as mentioned above, from unauthorised users.
Several security components have been used by organisations in digital e-commerce transactions. These include protocols such as IPSec, SSL and SET; however, Leach (1995) says that the most significant security function that smart cards need to execute is card authentication, followed by the authentication of the card-holder using his/her PIN. Torres (2006) proposed that the smart cards have their own security credentials independent of the card-holder or terminal so that they can be independently authenticated.
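The order of checks described above (card authentication first, then card-holder authentication by PIN) can be modelled as follows. This is an added example, not code from the research or from any card platform: it is written in Python rather than Java Card so that it runs anywhere, and the `Card` and `Terminal` classes, the HMAC challenge-response with a key shared between card and terminal, and the three-try PIN limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Card:
    """Toy card: holds its own secret key and a PIN retry counter."""
    MAX_TRIES = 3  # assumed limit for this example

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin = card_key, pin.encode()
        self._tries_left = self.MAX_TRIES

    def authenticate(self, challenge: bytes) -> bytes:
        # Card authentication: prove possession of the key without sending it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def verify_pin(self, candidate: str) -> bool:
        # Card-holder authentication, enforced on the card itself.
        if self._tries_left == 0:
            return False  # blocked: even the correct PIN is refused
        if hmac.compare_digest(self._pin, candidate.encode()):
            self._tries_left = self.MAX_TRIES
            return True
        self._tries_left -= 1
        return False

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

class Terminal:
    def __init__(self, issuer_keys: dict):
        self._keys = issuer_keys  # card id -> key shared with the issuer (assumed)

    def transact(self, card_id: str, card: Card, pin: str) -> str:
        key = self._keys.get(card_id)
        if key is None:
            return "unknown card"
        challenge = secrets.token_bytes(16)  # fresh per attempt, defeats replay
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, card.authenticate(challenge)):
            return "card rejected"  # PIN is never requested from a bad card
        if not card.verify_pin(pin):
            return "card blocked" if card.blocked else "wrong PIN"
        return "approved"

# Constructed sample data: one genuine card and one clone with the wrong key.
KEY = secrets.token_bytes(32)
terminal = Terminal({"card-001": KEY})
genuine = Card(KEY, "4921")
clone = Card(secrets.token_bytes(32), "4921")
```

Because the card is authenticated before the PIN is requested, a card without the right key is turned away without the card-holder's PIN ever being tested against it.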
Nonetheless, whatever solution is being proposed, it must consider the ease of accessibility, the use of technology by customers and, finally, the customers’ trust in the e-commerce system (Devane et al., 2007). Despite the problems e-commerce faces, it is evident that business-to-customer digital e-commerce is on the increase in all parts of the world. As a result, there are questions about what factors could be driving this acceptance and whether customers and businesses involved are aware of, or concerned about, security issues. Evidently, several technological advances have been implemented to reduce the effect of previous security threats although every step forward has a setback of some sort. Despite all the previous research, it is apparent that e-commerce security still has outstanding issues to be resolved, depending on the security threat being solved and the angle from which it is viewed.
Proposed Research Methodology and Methods
Most of the recent research into digital e-commerce transactions has a limited focus. Generally, it has completely ignored some aspects and likens electronic money with the substitution of currency through electronic gadgets such as smart cards and virtual currency.
The research methodology will be in stages: the selection and focus stage, the analysis stage and the outcome and convergence stage. To develop a comprehensive overview of e-commerce digital transactions and security issues being faced in the field, this research will draw on novel and original research from prominent, peer-reviewed journals, books and the proceedings of high-prestige conferences. Other sources are also included in this research. The compilation and integration of the previous research is to facilitate future research.
The technical structure of smart cards and its imminent effect on security is reviewed and options for better security discussed. The focus will be on areas where security is most needed to ascertain that the data being transferred is not compromised. The project will also deduce techniques to combat future digital e-commerce security threats and examine what possible security issues could be a challenge to the growth of e-commerce in the nearest future.
In addition, the present system will be analysed and its weak points discussed. There will be an analysis of the vulnerable points on the transaction’s path which a hacker could easily take advantage of to compromise the security of systems, and of known issues which a system/organisation using smart cards is liable to experience. To detect an attack which could occur during the use of a smart card, the transmitted information used for communicating can be tagged. The following broadcast streams can be tracked:
- Broadcasts between smart cards and the card terminal.
- Broadcasts between external systems and the card terminal.
The focus of this research will be first on the broadcast and then a security feature that can be used to improve the security of the information that is being transferred shall be proposed. The programming language, Java-Card 1.6, will be used in designing this implementation.
Finally, the methods of enhancing the security of the communication channel between the smart cards and their terminal shall be discussed. An examination of the role of the third party in the new electronic systems will be done to check for proof of extensive disintermediation. It will be concluded by placing these findings into the context of the previous research mentioned earlier.
Based on the findings in the previous sections, it is apparent that security is an important factor in e-commerce transactions. Providing insight into a customer’s view of the security of e-commerce transactions has helped to identify that there are substantial and insubstantial features which play a key role in the customer’s opinion and perception of the security of these online transactions. The research also assists in highlighting the responsibility of organisations to ensure that their websites are well-secured and cannot be accessed by unauthorised intruders.
Although the results of this research paper cannot be exhaustive, they will offer reasonable insights into the current state-of-the-art security of these smart cards as well as develop a new security feature that can be implemented, which can be a valuable contribution towards enhancing their present state. This will also stimulate future research which can address additional structures within the framework of digital transactions as well as identify, by empirical research, whether the factors that influence customers’ security perceptions are similar to those that influence trust (or, indeed, where they differ).
Business-Link (2010). Securing your Ecommerce Systems. [Online]. Available at: http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1075385862&type=RESOURCES (Accessed 22/03/2012).
Cardwerk (2011). Smartcard Application Areas. [Online]. Available at: http://www.cardwerk.com/smartcards/smartcard_applications.aspx (Accessed 20/03/2012).
Das, Ravi (2011). Threat to Ecommerce Server. [Online]. Available at: http://www.technologyexecutivesclub.com/Articles/security/artThreatstoEcommerceServers.php (Accessed 20/03/2012).
Devane, S., Chatterjee, M. and Phatak, D. (2007). Secure e-commerce protocol for Purchase of E-goods-Using Smartcard. In: Proceedings – IAS 2007 3rd International Symposium on Information Assurance and Security, 2007. p. 9-14.
Dinoj, S. (no date). Smartcard Technology and Security. [Online]. Available at: http://people.cs.uchicago.edu/~dinoj/smartcard/security.html (Accessed 20/03/2012).
Furnell, S. (2004). E-commerce security: A question of trust. Computer Fraud & Security, p. 10-14.
Gonzalez, M. H. (2001). E-commerce and Smartcards. [Online]. Journal of Past Issues, 3. Article from ISACA. Available at: http://www.isaca.org/Journal/Past-Issues/2001/Volume-3/Pages/E-commerce-and-Smartcards.aspx (Accessed 20/03/2012).
Halaweh, M. and Fidler, C. (2006). Security Perception in E-Commerce: Conflict between Customer and Organizational Perspectives. [Online]. Available at: http://www.proceedings2008.imcsit.org/pliks/35.pdf (Accessed 20/03/2012).
Huang, Shan-Yan et al. (2007). A Literature Review of online Trust in Business to Customer E-Commerce Transactions: 2001-2006. [Online]. Available at: http://www.iacis.org/iis/2007_iis/PDFs/Huang_Li_Lin.pdf (Accessed 20/03/2012).
Irani, K. (2011). Advantages of Smartcard Technology. [Online]. Available at: http://www.buzzle.com/articles/advantages-of-Smartcard-technology.html
Kalakota, R. and Whinston, A.B. (1997). Electronic Commerce: A Manager’s Guide, Addison-Wesley, Reading, MA
Maiwald, E. (2003) E commerce Security needs. [Online]. Last accessed 25 March 2011 at: http://searchsecurity.techtarget.com/searchSecurity/downloads/29578C17.PDF (Accessed 20/03/2012).
Marchany, R.C. and Tront, J.G. (2002). E-Commerce security issues. In: Proceedings of the 35th Annual Hawaii International Conference on System Sciences, USA 2002. Blacksburg, VA, USA, Computer Center, Virginia Tech, p. 2500-2508.
Meng, X. (2008) Analyze and prevent the security risks in E-commerce privacy. In: Proceedings-International Conference on Management of e-commerce and e-government, ICMeCG, China 2008. China, p. 403-407.
Nnadoziel (2008). E-Commerce: Who Bears the Risk of Fraud in a Banking Transaction (no date). [Online]. Available at: http://www.oppapers.com/essays/E-Commerce-Bears-Risk-Fraud-Banking-Transaction/187388 (Accessed 21/03/2012).
Peters, Mark E. (2002) Emerging E-Commerce Credit and Debit Card Protocols. [Online]. Available at: http://repository.binus.ac.id/content/A0154/A015491925.pdf (Accessed 20/03/2012).
Smartcard (2010). [Online]. Available at: http://www.Smartcard.com/history/ (Accessed 20/03/2012).
Smith, A.D. (2004). Cybercriminal Impacts on Online business and customer confidence, (Dept. of Management and Marketing, Robert Morris Univ. Pittsburgh, PA USA). Information Review, 28 (3), p. 224-234.
Torres, J et al. (2006). Towards self-authenticable Smartcards (Univ. Carlos de Madrid, Spain). Computer Communications, 29 (15), p. 2781-2787.
Turban, E. and Brahm, J. (2000). Smartcard-based electronic card payment systems in the transportation industry, (Dept. of Information System, City University of Hong Kong, China). Journal of Organizational Computing and Electronic Commerce, 10 (4), p. 281-293.
Udo, G.J. (2001). Privacy and Security Concerns as major barriers for e-commerce: A survey study, (College of Bus. Admin, Texas Univ., El-Paso, TX, USA). Information Management & Computer Security, 9 (4), p. 165-174.
Urien, P. (2000). Internet card: A Smartcard as a true Internet node. Computer Communications, 23 (17), p. 1655-1666.
Yenisey, M.M., Ozok, A.A., and Salvendy, G. (2005). Perceived Security Determinants in e-commerce among Turkish University Students. Behavior and Information technology, 24 (4), p. 259-274.