The economic potential of the Net is in danger of being derailed unless more is done to convince consumers and businesses that it is secure.
How safe is the Internet for on-line shopping with a credit card?
Not very, if a selection of lunch-party guests featured in an IBM TV advertisement are to be believed. 'It's not safe' is their constant refrain. 'It's too risky.' Finally, one character raises the possibility that it could be safe, to which another responds with the crucial question: 'But how do you know?'
Ask industry experts how secure the Internet is for electronic shopping and they'll come up with the stock response that it's no more risky than handing your credit card to a waiter or giving your account details over the phone. Yet, as the advertisement concedes, many people are not convinced.
Even Big Blue falls short of claiming that the Internet is secure, concluding its advertisement with the announcement: 'IBM is making it safer to buy things over the web.'
Payment is not the only risk. Take e-mail, for instance. Few people stop to consider the consequences of a rival or a hacker reading their electronic messages, yet e-mail is extremely insecure and can be opened at any of the servers it traverses en route from sender to recipient. Then there is web site counterfeiting, or spoofing. This is where electronic saboteurs set up a fake web site with a name identical to that of a legitimate business in order to divert customers. Even companies the size of BT have been spoofed. Another tactic deployed by the cyber vandals is to bombard commercial web sites with nuisance calls so that genuine business traffic can't get through.
Small wonder that businesses and consumers are worried. Nor will they find much comfort in a policy report from The Consumers' Association which expresses concern about the lack of a regulatory framework for the Internet and the absence of a code of practice for security among Internet Service Providers (ISPs). The problems of enforcing contracts between buyer and seller, especially in the case of overseas suppliers, are also highlighted.
'These issues need to be carefully addressed in the near future if the economic potential of the Internet is not to be derailed by lack of consumer confidence,' the report says. Much is at stake - analysts such as Datapro of the US believe Internet-based commerce could be worth $100 billion (£59.7 billion) a year within a few years. But this won't happen if it is insecure.
The problem is that the Internet wasn't designed for electronic commerce.
'The basic structure of the Net is unsuitable for how it is now being used,' says Judith Jeffcoate, author of a report on Internet security for the telecoms market research company, Ovum. 'It was designed for a small group of researchers in a common domain of trust.'
The domain of trust concept can to some extent be continued in e-commerce where business partners are involved. 'With business-to-business, Internet communications can usually be prearranged,' says Mel Earp, technical director of European software company Sema. 'You know who your collaborators, suppliers and partners are and, if your approach is fairly structured, you'll know what kind of interaction you'll be having, so you can decide on the level of security.' Diary dates exchanged by e-mail, for example, might not be very sensitive, whereas orders, shipping information or details of strategic alliances and government contracts could be much more confidential.
Sensitive information can be sent through the Internet via a tunnel, otherwise known as a virtual network or extranet. This has sealed walls to prevent it being infiltrated.
Creating a tunnel involves telling your server the exact location of the destination web site and what route is to be taken. In standard Internet communications the message finds its own way via any number of intermediary servers. You build a tunnel using a black box such as PIX (Private Internet Exchange), costing $10,000 from Cisco, the US-based networking specialist.
Benjamin Ellis, the company's European Internet product marketing manager, says: 'PIX is an easy way to build an encrypted link between a group of traders, say, a builder and his contractors or suppliers. It gives you a secure link with anyone you specifically request so long as they have a PIX box or equivalent.'
The fact that business-to-business e-commerce can be more tightly controlled is just as well considering how much it has to lose. 'Businesses are likely to be risking higher transactions than consumers,' says Alan Stevens, editor of Which? Online. 'We'd advise organisations to be extremely careful, especially when buying expensive and complex products such as software packages over the Net.' His view is shared by Datapro analyst Muninder Ahsan. 'As Internet security is not yet proven for large-scale trading, it is over-ambitious for businesses to start dealing in millions of pounds at this stage.'
Securing the Internet for consumers is still more problematic. Online merchants, as they are known, must deal with vast numbers of people about whom they know nothing. Nor can they use third parties or ISPs to run their electronic commerce system. It makes sense for companies to have their marketing web pages hosted by ISPs which offer faster, higher capacity lines. But electronic trading requires a route directly into a company's computers.
So you need a way to let electronic customers get into your system without exposing it to competitors or hackers.
The first essential is a firewall or electronic gate that filters incoming traffic, for example, by requiring names and addresses, account numbers or passwords. Firewalls can cost from £5,000 to £20,000, including installation.
'You can install them more cheaply yourself,' says George Thompson, consulting principal at IBM's security practice. 'But unless you understand hacking techniques it's unlikely you'll do a good job.' There should be a firewall between the e-commerce server and the outside world, and another between the server and the remaining in-house computer systems. If your own staff are dialling the Net, they should also go through a firewall. If staff have modems connected directly to their office PCs, they should disconnect from the company network before dialling out. Otherwise their machines can act as a conduit for hackers.
The next step is scrambling the data. The simplest approach here is to use a standard encryption facility such as Secure Socket Layer (SSL).
Messages and data can be unscrambled by recipients providing they also have SSL. The key used by SSL is 40 bits long - the electronic equivalent of a 40-lever lock. In theory, it could be unscrambled by an electronic eavesdropper; in practice it took a group of 5,000 Internet experts 13 hours to crack a 40-bit lock.
One limitation of SSL, however, is that it doesn't authenticate the source of the data. For online businesses, this means there is no guarantee that a person placing an order is the true owner of the credit card being used. Equally, the customer has no way of knowing whether the web site is genuine. 'There could be a problem with fake merchants getting access to credit card details,' says e-commerce manager for Microsoft UK Andrew Matson.
Enter Secure Electronic Transactions (SET) - a joint venture by MasterCard and Visa to secure payment transactions over the Net. SET uses an electronic version of an ancient technique - dual-key encryption. During the Crusades, messengers transported secret documents in boxes with two keys. The first key locked the box with the message inside, but could not unlock it. The recipient used a second key to open the box.
SET uses this principle by setting up software equivalents of pairs of keys between customers and online merchants, merchants and credit card issuers, and credit card issuers and their customers. Before sending an order, customers use one key to lock the details of what they want and where it should be delivered, and another key to lock their credit card details. This may sound complicated but it is carried out automatically by the software. The merchant receives the order, unlocks the details of what is wanted and where, and forwards the still-locked credit card component to the card issuer. The card issuer then unlocks the payment details and transmits an authorisation back to the merchant who fulfils the order without having seen the customer's credit card details.
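The two-lock flow just described, as an added Python sketch that is not part of the original article and not the real SET message format. It uses toy textbook RSA with tiny primes purely to show who can open what; the keys, card number and function names are all constructed for illustration.

```python
# Added illustration of the two-lock flow; toy textbook RSA with tiny primes, NOT secure.

def make_keypair(p, q, e=17):
    """Return (public, private) keys built from two primes (toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # modular inverse needs Python 3.8+

def lock(public_key, text):
    """Encrypt each byte with the public key: anyone can lock."""
    e, n = public_key
    return [pow(b, e, n) for b in text.encode()]

def unlock(private_key, blocks):
    """Decrypt with the private key: only its holder can unlock."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks).decode()

# Constructed keys and data (hypothetical names throughout).
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(61, 53)
ISSUER_PUB, ISSUER_PRIV = make_keypair(89, 97)
VALID_CARDS = {"4000 0000 0000 0002"}     # constructed test number

def customer_send(order, card):
    """Customer locks the order for the merchant and the card for the issuer."""
    return {"order": lock(MERCHANT_PUB, order), "payment": lock(ISSUER_PUB, card)}

def merchant_receive(message):
    """Merchant opens only the order and forwards the payment part unopened."""
    return unlock(MERCHANT_PRIV, message["order"]), message["payment"]

def issuer_authorise(sealed_payment):
    """Issuer opens the payment part and returns only a yes/no decision."""
    return unlock(ISSUER_PRIV, sealed_payment) in VALID_CARDS

def run_purchase(order, card):
    """Walk one purchase through customer, merchant and card issuer."""
    message = customer_send(order, card)
    order_seen, sealed = merchant_receive(message)
    return order_seen, sealed, issuer_authorise(sealed)

if __name__ == "__main__":
    print(run_purchase("1 x camera, deliver to 1 High St", "4000 0000 0000 0002"))
```

The merchant's function never calls `unlock` on the payment part, and it holds no key that would open it; the only thing that comes back from the issuer is the authorisation decision.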
SET, which is currently undergoing trials with 38 banks across Europe, should make e-commerce on the web more secure than current credit card transactions. Apart from scrambling the data, SET also performs the function of authenticating senders - anyone using it requires a 'digital certificate'.
This is like an electronic identity card which is transmitted at the same time as the data and contains information about the sender's bank account and credit status. 'At the point of entry, the certificate you present will determine your access rights,' says Thompson.
SSL and digital certificates protect online customers from spoofers and fraudulent e-commerce web sites. Customers can easily tell whether a particular web site uses SSL because a key or padlock 'secure-site' icon is displayed on the screen. 'Don't send your credit card number without it,' says Earp.
You might even want to withhold information such as your name and address if web sites have not been set up to hold it securely. Browsers such as Microsoft's Explorer and Netscape's Navigator warn users if they attempt to do business with a web site that is not using SSL. When SET comes along, it will offer further customer protection by confirming that the online business has a digital certificate or by flashing a warning if not.
However, there are a number of issues surrounding SET that have still to be clarified. For example, who should be allowed to issue digital certificates?
Banks and independent bodies known as certification authorities or trusted third parties have begun to do so - US-based Verisign claims to have issued 750,000 certificates. Because these bodies aren't regulated, another problem is the proliferation of certificates - online shoppers could end up with the electronic equivalent of a wallet full of credit cards making the process of online shopping difficult and unwieldy.
Despite these issues, SET is being incorporated into e-commerce software and is likely to become the standard for card-based transactions. Industry experts believe that the greater security it offers will enable financial institutions to cut the cost of credit card payments which are currently subsidising fraud. However, SET is restricted to financial transactions: governments want to prevent its use in other areas which might then become impossible to police. For general purpose encryption, SSL is more appropriate and it may well become more widely deployed for e-mail as people become aware of the risks. On the other hand, any form of encryption slows transmission speeds, thus deterring its use in less sensitive business environments.
BUPA, for example, is not using encryption for its Net-based recruitment.
In an effort to speed up some 110 appointments, it is inviting applicants to submit their CVs by unprotected e-mail. Speed is one of the main attractions for recruitment on the Net, says Uwe Natho, BUPA's information systems director. But he admits that the CVs could be hacked. 'Although they only sit on our web site for a few hours, theoretically they could be vulnerable to very sophisticated hackers.' This won't put job applicants off, he reckons. 'The benefits of putting a CV in front of the right person so much faster outweigh the risks of it falling into the wrong hands.' Once the CVs are removed from BUPA's web site they are held in a separate database behind another firewall where they can be accessed only by a few authorised people. Job offers are sent in the post rather than by e-mail, although this is more for legal reasons than fear of security breaches. Meanwhile the main risk to online job-seekers if they carry out their searches on workplace PCs is from their own employers, says Natho. Many companies such as BUPA scan for this kind of activity. 'We regard it as abuse of the Internet in the work-place,' he explains.
So how safe is the Internet? Are the doomsters right, is it really too risky? Certainly for large-scale business-to-business transactions it seems best to stick with Internet tunnels or extranets at the very least.
For consumers, the Internet is as secure as doing business in a shop providing you know who you're dealing with and what to do if it goes wrong. Which? Online's Stevens advises consumers to buy from companies they know and trust, preferably in the UK and Europe.
'That's not to say that you shouldn't spend money with companies further afield - I buy books and CDs from the US - but these are relatively inexpensive. People should be very wary of doing business outside Europe with countries where consumer protection legislation may not exist or may not be enforced.' Stevens also suggests online shoppers print out copies of web site pages to ensure they know what's on offer, and to check what conditions apply to the transaction.
Whatever the risks, consumers are wary. This is partly fear of the unknown.
People understand what happens if they lose their credit card, but they have no experience of what it might be like trying to access their bank account on the Net and being told it doesn't exist. Online businesses will have to reassure them. 'Ultimately the consumer should not lose out in the case of someone else's fraud,' Stevens says.
The industry hopes that consumers will eventually become as relaxed with Net shopping as they are with conventional credit card transactions. 'People will happily call a travel agent to book a holiday over the phone,' says Microsoft's Matson. 'Quite apart from giving away their credit card details, they'll tell a complete stranger that they're going to be away from home for two weeks.' Fair comment, but as the IBM advertisement shows, ordinary people are going to take a lot of convincing.
RETAILER'S E-COMMERCE WEB SITE IS A HIT WITH THE NIGHT SHIFT
People accessing the Dixons e-commerce web site don't seem worried by the thought that their credit card numbers could be accessed by hackers.
The site is already attracting some 2,000 electronic visitors a week, and thousands of pounds of orders are being placed. 'Nobody has mentioned fears about security,' says Mike Nevin, the company's visual merchandise director.
This may be because they recognise and trust the Dixons brand name, he suggests. 'It's not as though we are cowboys or a company that no one had ever heard of.' However, Dixons does share 'a general apprehension among businesses about the fact that the Net is so open', says Nevin. 'That is why we have implemented the best security that is available at the moment.'
By this he means SSL which encrypts the customer's credit card data as it travels over the wires. Conventional credit card authorisation checks are made behind the scenes.
Dixons made the decision to begin trading with SSL rather than wait for SET, which Nevin admits will be better. 'SET is safer because it would put the money directly into the bank,' he says. 'However, it is not ready yet and we wanted to get started now so that we could gain some experience in online transactional systems. As soon as SET becomes available, we will move to it.'
The Dixons e-commerce web site, which has only been open for a few weeks, does most of its business at night and in the hours before dawn. 'We are clearly expanding our market because these are times when people would not be able to go to the shops,' says Nevin.
However, he is not predicting a boom in online business until TV-based Internet systems become available. 'A prime reason for doing e-commerce now is to be ready then, when the explosion in consumer interest is likely to come.'