Security in E-Commerce Systems
Most experts agree that the ultimate success of e-commerce depends on the effectiveness of its security systems. Without adequate security, retail customers will be unwilling to share sensitive personal information, such as credit card numbers, online, and contracts in business-to-business e-commerce may be neither valid nor enforceable. If confidence in the safety of doing business online is lacking, people will do business by traditional means rather than electronically. The risk of financial loss is high in insecure e-commerce. A Computer Security Institute and FBI study found that losses attributable to cybercrime totaled approximately US$378 million in 2001. Another study found that more than US$700 million in e-tail sales was lost because of online fraud and that online losses due to fraud were 19 times higher than comparable losses for traditional retailers. And cybercrime is on the rise at the same time that many other forms of crime have been declining. Despite all these concerns, however, for many e-commerce companies security is far down on the list of priorities; over 50 percent of businesses allocate less than 5 percent of their information technology (IT) budgets to security.
The primary purpose of e-commerce security is to ensure that unauthorized persons—competitors, hackers, business partners, or customers—are not able to gain access to sensitive information in a company's computer systems. Without good security a company is vulnerable to a number of threats. Web site defacement is one of the most common. The direct financial cost of a Web site defaced by hackers may be low, but the intangible costs, such as the damage done to a firm's image, can be high. Poor security can also lay a firm open to more malicious and costly attacks such as denial of service, in which attackers flood a server with requests until it can no longer respond to legitimate customers. Lax security can leave sensitive information, such as trade secrets, current R&D projects, customer lists, and financial data, open to hackers or industrial spies. Poor security can even expose a company to lawsuits. When Microsoft's computers were hacked, for example, a virus was embedded in the code for a product that was subsequently introduced on the market; Microsoft would have been liable for any damages that resulted. Finally, security breaches inevitably become public knowledge. When they do, a company's reputation suffers and customer confidence declines.
Each area of e-commerce must be addressed by a particular form of security. The most common security systems are firewalls, password access controls, and virus scanners. Firewalls regulate access between computer networks, in particular between a company's computers and the Internet. Firewalls can be set up at varying levels of security: depending on the company's needs, they can be configured to block all access from the outside except e-mail, or to allow more kinds of access. A firewall system can also host a company's public Web site, where the firm's public information, such as downloadable files, bug fixes, and investor documents, is stored. One way a firewall controls access is by means of a password system; the main benefits of passwords are their familiarity to most computer users and their ease of use. A virus scanner is used inside the firewall to identify and remove viruses that may arrive via e-mail attachments or floppy disks. The effects of a virus range from annoying practical jokes to the destruction of valuable files and software to the installation of hidden programs that transmit valuable company information to industrial spies.
These three types of protection are widespread and effective forms of e-commerce security. However, they also illustrate the inherent limitations of any security system. Firewalls can only control access from another network; they cannot prevent employees from giving out valuable information or office visitors from stealing a floppy disk. New viruses appear daily, and a virus detection program is only effective if its signatures are updated regularly. Employees must also be trained to check any questionable files they receive. Passwords are too often obvious—a user's name, for example—and workers are frequently casual about sharing them with others.
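The obvious-password problem is easy to check for at registration time. The following Go function is an added illustration, not code from the article or from any product it mentions: it rejects a candidate password that is too short, that appears in a common-password list, or that contains the user's own username, name, or e-mail tokens, either forwards or reversed. The sample user "jsmith" and the short common-password list are constructed for the example; a deployment would load a real breach-derived list, and would still store the accepted password only as a salted hash.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonPasswords is a constructed stand-in for a breach-derived list; a real
// deployment loads hundreds of thousands of entries from a file.
var commonPasswords = map[string]bool{
	"password": true, "password123": true, "123456": true, "qwerty": true,
	"letmein": true, "welcome": true, "admin": true, "iloveyou": true,
}

// normalize lower-cases s and drops everything except letters and digits, so
// "J.Smith_2001" and "jsmith2001" compare equal.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// identityParts splits a username, full name or e-mail address into the tokens
// an attacker would try ("john.smith@example.com" -> john, smith, example).
// Tokens shorter than four characters are ignored: they occur inside too many
// ordinary words to be a useful signal.
func identityParts(id string) []string {
	sep := func(r rune) bool { return r == '@' || r == '.' || r == ' ' || r == '_' || r == '-' }
	var parts []string
	for _, p := range strings.FieldsFunc(id, sep) {
		if p = normalize(p); len(p) >= 4 {
			parts = append(parts, p)
		}
	}
	return parts
}

// CheckPassword returns the reasons a candidate is unacceptable for a user
// known by the given identifiers (username, display name, e-mail); an empty
// result means it passes. The comparison is case-insensitive and also catches
// the reversed token, two of the commonest "clever" variants.
func CheckPassword(password string, identifiers ...string) []string {
	var reasons []string
	if len([]rune(password)) < 12 {
		reasons = append(reasons, "shorter than 12 characters")
	}
	p := normalize(password)
	if commonPasswords[p] {
		reasons = append(reasons, "appears in the common-password list")
	}
	seen := map[string]bool{} // the same token may come from several identifiers
	for _, id := range identifiers {
		for _, part := range identityParts(id) {
			if seen[part] {
				continue
			}
			if strings.Contains(p, part) || strings.Contains(p, reverse(part)) {
				seen[part] = true
				reasons = append(reasons, fmt.Sprintf("contains %q, taken from the user's identity", part))
			}
		}
	}
	return reasons
}

func main() {
	// Constructed sample user; the four candidates cover pass, too short,
	// common-list hit and reversed-username evasion.
	for _, pw := range []string{"correct horse battery staple", "jsmith", "Password123!", "htimsj-2001-spring"} {
		fmt.Printf("%-32q -> %v\n", pw, CheckPassword(pw, "jsmith", "John Smith", "jsmith@example.com"))
	}
}
```

The length floor and the list are policy knobs; the identity check is the part most sites skip, and it is the one that catches the "user's name" case the paragraph describes.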
Increasingly sophisticated security systems are being developed that serve similar functions while providing higher levels of security. An important advanced technique is encryption, which encodes data so that it cannot be read by anyone who does not hold the key, provided the algorithm is sound and the key is kept secret. It is already used to protect credit card information, to create electronic money for online purchases, and to generate digital signatures that bind a party to an electronic contract. Another new technology, biometrics, identifies individuals by physical characteristics such as fingerprints, retinal patterns, and voice. Even encryption and biometrics cannot fill an e-business's every security need; each was designed to provide a particular, limited kind of protection. Ultimately, any e-business needs a suite of security measures rather than a single security system.
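A digital signature on an electronic contract is only as good as the exact bytes it covers. The Go program below is an added example, not code from the article or from any vendor it names: it signs a small contract structure with Ed25519 (a scheme from the Go standard library, chosen here for the example) and then shows that a changed price, or a signature made with someone else's key, no longer verifies. The Contract type, its canonical encoding, and the party names are assumptions for the example. One caveat to the article's "completely unique" signatures: Ed25519 is deterministic, so the same key and document always give the same signature; uniqueness comes from the document, which is why a random nonce is included in what is signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Contract is an assumed structure for this example; the article names no
// contract format. PriceCents avoids floating-point ambiguity in what is signed.
type Contract struct {
	Buyer, Seller, Item string
	PriceCents          uint64
	Nonce               [16]byte // random per contract, so two identical orders are distinct documents
}

// canonical turns a contract into one unambiguous byte string: each string is
// length-prefixed, so ("ab","c") and ("a","bc") serialise differently. Signing
// a naive concatenation of the fields would let them share a signature.
func canonical(c Contract) []byte {
	var out []byte
	var n [8]byte
	for _, s := range []string{c.Buyer, c.Seller, c.Item} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		out = append(out, n[:4]...)
		out = append(out, s...)
	}
	binary.BigEndian.PutUint64(n[:], c.PriceCents)
	out = append(out, n[:]...)
	return append(out, c.Nonce[:]...)
}

// NewContract fills the nonce from the operating system's random source.
func NewContract(buyer, seller, item string, priceCents uint64) (Contract, error) {
	c := Contract{Buyer: buyer, Seller: seller, Item: item, PriceCents: priceCents}
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

// Sign is run by the party committing to the contract; only it holds priv.
func Sign(priv ed25519.PrivateKey, c Contract) []byte {
	return ed25519.Sign(priv, canonical(c))
}

// Verify is run by the counterparty, or later by a court: it needs only the
// signer's public key, the contract as received and the signature. Anyone can
// run it; nobody can produce a passing signature without the private key.
func Verify(pub ed25519.PublicKey, c Contract, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; fail closed instead
	}
	return ed25519.Verify(pub, canonical(c), sig)
}

// SignatureOutcome records the three cases a practitioner should see.
type SignatureOutcome struct {
	Genuine     bool // untouched contract, buyer's signature
	Tampered    bool // price altered after signing
	WrongSigner bool // signature made with a key that is not the buyer's
}

func RunSignatureScenarios() (SignatureOutcome, error) {
	buyerPub, buyerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureOutcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignatureOutcome{}, err
	}
	// Constructed sample contract.
	c, err := NewContract("Acme Retail Ltd", "Widgets Inc", "1000 widgets", 1250000)
	if err != nil {
		return SignatureOutcome{}, err
	}
	sig := Sign(buyerPriv, c)

	tampered := c
	tampered.PriceCents = 125000 // the seller "loses a zero" after the fact

	return SignatureOutcome{
		Genuine:     Verify(buyerPub, c, sig),
		Tampered:    Verify(buyerPub, tampered, sig),
		WrongSigner: Verify(buyerPub, c, Sign(otherPriv, c)),
	}, nil
}

func main() {
	out, err := RunSignatureScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong signer=%v\n", out.Genuine, out.Tampered, out.WrongSigner)
}
```

In practice the signed bytes would be a standardised encoding (such as a canonical XML or CBOR form) rather than this ad hoc one, but the requirement is the same: both parties must be able to reproduce exactly the bytes that were signed, with no field able to borrow characters from its neighbour.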
Perhaps the most critical security issue for e-commerce is the security of online payments. The safety of credit card information is the leading cause of concern among consumers. Most e-commerce sites use Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), to encrypt payment details between the shopper's browser and the merchant's server. Every e-business also needs a security policy with specific goals, and security specialists to implement it. The policy is critical: not only does it reduce the risk of security violations, it provides the basis for legal action if a violation takes place. No computer system can be 100 percent secure. However, planning, training, and vigilance will improve any system immeasurably.