Sunday 7 June 2009

Electronic payments and security I

1. List and describe your experiences with a secure Web site.

Very often I use online banking services to settle my bills and manage my financial transactions. The HSBC online banking website has adopted two-factor authentication and is equipped with EV SSL certificates. Not only do I need to log on with my user ID and password, but I also have to enter a one-time password generated by the given hardware token. The password is only effective for 15 seconds.

I have experience of purchasing goods from Amazon. When I make a payment for the selected items, I have to sign in to the secure server for processing the transaction. Hypertext Transfer Protocol Secure (HTTPS) is adopted in the payment module of the Amazon website. There are a few methods to settle the payment. I have chosen the credit card option in my account since day one.

2. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

Secure Electronic Transactions (SET) is a protocol which is used for sending credit card information over the Internet. It consists of three major components: Electronic Wallet, SET Server and Payment Server. For details, please refer to my previous blog entry.

Both SET and SSL employ cryptography to secure the information exchanged over the Internet. This is tremendously important for online transactions. SET was launched in 1996 but was not very popular in the market even though 'SET was ultimately the strongest technology for securing online payments, businesses tended toward the less sophisticated models as a means of establishing for themselves an online presence' (Free Encyclopedia of Ecommerce n.d.).

Wikipedia (2009) explains that SET could not win the market due to the following factors:

  • Network effect - need to install client software (an e-wallet).
  • Cost and complexity for merchants to offer support, contrasted with the comparatively low cost and simplicity of the existing SSL-based alternative.
  • Client-side certificate distribution logistics.

Free Encyclopedia of Ecommerce (n.d.) also claims that SET is a sophisticated model but users favour the less sophisticated model, SSL. Nowadays, SSL has become the most popular protocol for securing e-commerce transactions. Lee, Malkin & Nahum (2007) evaluated the adoption and evolution of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) across 19,000 servers. Most of the well-known e-commerce sites (e.g., Amazon, Buy.com), auction sites (e.g., eBay), on-line banking (e.g., Citibank, Chase), stock trading (e.g., Schwab), and even government (e.g., irs.gov) have adopted the SSL protocol. Communication with these sites is secured by SSL or its variant, TLS, which are used to provide authentication, privacy, and integrity. A key component of the security of SSL/TLS is the cryptographic strength of the underlying algorithms used by the protocol. It is crucial to ensure that servers using the SSL protocol have employed it properly. The adoption rate of SSL 3.0 is very positive. The ongoing development of SSL/TLS has enabled it to win the e-commerce market.
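One way to check that a server "has employed SSL properly" is to grade the protocol versions, cipher suites and key size it accepts. This is an added example, not code from the original post or the cited study. The scan records, the policy floor (TLS 1.2, 2048-bit RSA) and the function name `audit` are assumptions made for illustration; cipher names follow OpenSSL naming.

```python
import re

# Assumed policy for this example: TLS 1.2 floor, 2048-bit RSA minimum.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_PROTOCOL = "TLSv1.2"
MIN_RSA_BITS = 2048

# Tokens in OpenSSL-style cipher suite names that indicate a weak algorithm.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "RC2": "RC2 cipher",
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES, 64-bit block cipher",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous key exchange, server not authenticated",
}


def audit(server):
    """Return the list of policy findings for one scan record."""
    findings = []
    floor = PROTOCOL_ORDER.index(MIN_PROTOCOL)
    for proto in server["protocols"]:
        if proto not in PROTOCOL_ORDER:
            findings.append(f"protocol {proto}: unknown version")
        elif PROTOCOL_ORDER.index(proto) < floor:
            findings.append(f"protocol {proto}: older than {MIN_PROTOCOL}")
    for suite in server["ciphers"]:
        # Match whole name tokens (split on '-' and '_'), not substrings.
        tokens = set(re.split(r"[-_]", suite.upper()))
        for token in sorted(tokens & set(WEAK_TOKENS)):
            findings.append(f"cipher {suite}: {WEAK_TOKENS[token]}")
    if server["rsa_key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key {server['rsa_key_bits']} bits: below {MIN_RSA_BITS}")
    return findings


# Constructed sample records (not real measurements).
SCAN = [
    {"host": "legacy.example", "protocols": ["SSLv2", "SSLv3", "TLSv1"],
     "ciphers": ["EXP-RC4-MD5", "DES-CBC3-SHA", "AES128-SHA"], "rsa_key_bits": 1024},
    {"host": "modern.example", "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"],
     "rsa_key_bits": 2048},
]

if __name__ == "__main__":
    for record in SCAN:
        issues = audit(record)
        print(record["host"], "OK" if not issues else f"{len(issues)} finding(s)")
```

In a real audit the records would be filled from a scanner's output rather than typed in by hand.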

References

Free Encyclopedia of Ecommerce n.d., Secure Electronic Transaction (SET), <http://ecommerce.hostip.info/pages/925/Secure-Electronic-Transaction-SET.html>.

Lee HK, Malkin T & Nahum E 2007, 'Cryptographic strength of ssl/tls servers: current and recent practices', Internet Measurement Conference: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, San Diego, California, USA, pp.83-92, also available as pdf file, <http://www.imconf.net/imc-2007/papers/imc130.pdf>.

Wikipedia 2009, Secure Electronic Transaction, Wikipedia, The free encyclopedia, last modified 1 April 2009, Wikimedia Foundation, Inc., US, viewed 7 June 2009, <http://en.wikipedia.org/wiki/Secure_electronic_transaction>.
