I. Guaranteeing Identity - The Key Issue of Security in eCommerce

A series of real problems face the convergence of Internet eCommerce with internal corporate information policies or with high street commerce. The first is the problem of trust. Trust must be created between the buyer, the seller, and the banks before a transaction can take place. Trust, in a virtual world, can only exist when the identity of each of the parties involved has been guaranteed. Guaranteeing identity is such a basic requirement, that eCommerce will not be fully successful until it is solved.

The Goals for Secure Electronic Commerce

Numerous organizations and consortia, in seeking to solve this problem, have set themselves the goal of creating a transaction and payment system that does the following:

1. Uniquely identify the client (authenticity)

2. Authorize the user (verification)

3. Guarantee the confidentiality of the employee's or client's identity and the instructions given over a public network (confidentiality)

4. Guarantee that the instructions given by the employee or client cannot be challenged and that the terms are as agreed (irrefutability)

5. Allow the employee or client to operate anywhere and at any time (mobility)

A successful solution must also be cost-effective and user-friendly, requiring only the simple skills needed to operate a browser, insert a card, and conduct eCommerce.

Assuring Identity - Some Current Approaches

Three options exist today to assure the identity of parties doing business over the Internet. Only one guarantees ease of use, mobility, authenticity and irrefutability.

A.  The account number and password system

This option can operate from any computer connected to the Internet. It relies on assigning an account number and a password to a user. These typically involve a string of at least fifteen characters. In most systems, the account number is at least twelve digits and the password eight characters. The problem with this approach is that only the server is sure of the authenticity of the user. While having to manage a growing number of passwords, employees or consumers can only be confident that they are connected to the right server by relying on the visual images presented on screen.

B.  Wallets, software, and certificates

Here, data and software are loaded into each employee's or client's machine. This software authenticates the server. After an electronic dialogue, it can state that the machines at both ends hold authentic certificates. This approach is limited in three ways. First, it is not the person that is being authenticated, it is the machine. Second, it is not a mobile solution (unless the individual carries a laptop everywhere he/she goes). Third, unless both parties have exchanged something in advance, the authentication process does not function.

This approach is in principle a SET approach, except that SET offers a more complex solution based on a Public Key Infrastructure (PKI) with Certification Authorities (CAs) to create the chain of trust and a third party to guarantee that this trust is current.

Machine dependency has led to a layer of protection being added above the software in the machine. The user must enter a password to confirm that they are at the correct machine. They are then authorized to use this machine for the purpose intended. External parties, however, can copy or alter the software inside the computer. Because of these difficulties, many do not believe that a software solution can be successful.

C.  Physical token or key

This uses a machine-readable physical token, which is given to the parties and authenticated when read. The essence of this approach is that the token is treasured by the carrier. If lost, the carrier will feel obliged to report it. To assure identification from any location, all that is needed is that the physical token can be machine-read anywhere. Keys of course can be stolen. Approximately 50% of bankcard fraud is due to lost or stolen cards. The answer is to add a second level of security such as a password/PIN or a biometric.

Means of Security      Ease of use   Mobility   Authenticity   Irrefutability
----------------------------------------------------------------------------
Account Number         Medium        High       Low            Low
  With Password        Low           High       Medium         Medium
Software               High          Zero       Medium         Medium
  With Password        Medium        Zero       High           High
Physical Token         High          High       High           High
  With Password        Medium        High       High           High

Please note many people do not believe a software solution can be secure.