issues in electronic commerce. e-commerce and e-cash need security features if they are to...

Issues in Electronic CommerceIssues in Electronic CommerceIssues in Electronic CommerceIssues in Electronic Commerce

• E-commerce and e-cash need E-commerce and e-cash need security features if they are to security features if they are to succeedsucceed

• But security and technology alone But security and technology alone are not enoughare not enough

• The critical feature is TRUST - The critical feature is TRUST - security features can sometimes help security features can sometimes help provide trustprovide trust

To anticipate ...To anticipate ...

• in EDI, trust comes from the pre-existing in EDI, trust comes from the pre-existing contractcontract

• in credit card transactions, trust comes in credit card transactions, trust comes from the banking systemfrom the banking system

• the problems occur:the problems occur: in transactions where participants do not in transactions where participants do not

already know each otheralready know each other in transactions too big or complex for credit in transactions too big or complex for credit

card operationscard operations

OverviewOverview

• Electronic TransactionsElectronic Transactions

• Electronic ContractsElectronic Contracts

• Forms of e-cashForms of e-cash

• (copyright protection/ payment (copyright protection/ payment systems)systems)

Market imperativesMarket imperatives

Neither electronic commerce nor e-cash Neither electronic commerce nor e-cash will prosper unless there are will prosper unless there are substantial advantages:substantial advantages:

• lower costs lower costs (but to whom?)(but to whom?)

• greater conveniencegreater convenience

• greater speedgreater speed

• access to more choice, marketsaccess to more choice, markets

• better security?better security?


The players:The players:• buyersbuyers• sellerssellers• businessbusiness• banks, credit card banks, credit card coscos

• IT companiesIT companies• telecoms companiestelecoms companies• governmentgovernment


The players:The players:

• all need to be satisfiedall need to be satisfied

• some will gain more than otherssome will gain more than others

• some individual needs conflict with some individual needs conflict with others others


buyers:buyers:

• lower costslower costs

• greater choicegreater choice

• greater security / privacygreater security / privacy

• more conveniencemore convenience

• (as private citizens): preservation of (as private citizens): preservation of perks and tax evasion possibilitiesperks and tax evasion possibilities


sellers:sellers:


• greater market access & more greater market access & more customerscustomers

• greater securitygreater security

• more convenience in tradingmore convenience in trading


business:business:


• more convenience in trading / more more convenience in trading / more sophisticated ITsophisticated IT

• greater market access & more greater market access & more customerscustomers



banks, credit card banks, credit card coscos : :• lower costs lower costs (money handling, branch (money handling, branch

network)network)

• maintain existing fee earningsmaintain existing fee earnings

• more customersmore customers

• more market sharemore market share

• new servicesnew services


banks, credit card banks, credit card coscos::• lower costs lower costs (money handling, branch (money handling, branch

networks)networks)

• more customersmore customers• more market sharemore market share• new servicesnew services

but they could also lose customers, but they could also lose customers, market share etcmarket share etc


IT companies:IT companies:

software, hardware, systemssoftware, hardware, systems

• sell facilitiessell facilities

• license products, etclicense products, etc

• integrate with other productsintegrate with other products

strategic partnerships?strategic partnerships?


telecoms companies:telecoms companies:

• part of the delivery mechanismpart of the delivery mechanism

• sell facilitiessell facilities

• integrate with other productsintegrate with other products

strategic partnerships?strategic partnerships?


government:government:• provide legal and regulatory frameworkprovide legal and regulatory framework• maintain tax basemaintain tax base• support local businesssupport local business• avoid currency devaluation / money avoid currency devaluation / money

launderinglaundering• maintain “national sovereignty”maintain “national sovereignty”

Hidden existing interests ..Hidden existing interests ..

• buyersbuyers

• sellers sellers

• business business • banks, credit card banks, credit card coscos

• governmentgovernment

Hidden existing interests ..Hidden existing interests ..

• buyers buyers cash, tax evasion, perkscash, tax evasion, perks

• sellers sellers cash, tax evasioncash, tax evasion

• business business certainty, existing customerscertainty, existing customers

• banks, credit card banks, credit card cos cos existing customersexisting customers

• government government tax base, stability in law enforcement tax base, stability in law enforcement mechanismsmechanisms

AttributesAttributes

• Trust, Trust, confidence in mechanismconfidence in mechanism

• AuthenticationAuthentication• Legal FrameworkLegal Framework• Clarity in Liability / obligations Clarity in Liability / obligations (if (if

something goes wrong - who loses?)something goes wrong - who loses?)

• >> Evidence>> Evidence• Speed, computing overheadSpeed, computing overhead• Costs Costs

AttributesAttributes

Security mechanisms support these Security mechanisms support these needs:needs:

• protocols protocols define when liability is transferred / define when liability is transferred / assumed assumed (ie system design)(ie system design)

• encryption for authenticationencryption for authentication• (encryption for confidentiality)(encryption for confidentiality)

Where do the costs fall?Where do the costs fall?

• Buyer, Seller, Initiator, Respondent, Buyer, Seller, Initiator, Respondent, “bank”, TTP “bank”, TTP etc etcetc etc

• Capital costsCapital costs

• On-going overhead costsOn-going overhead costs

• Individual transaction costsIndividual transaction costs

>> slowest acceptable transaction / >> slowest acceptable transaction / confirmation timeconfirmation time

>> cost / benefit trade-off>> cost / benefit trade-off

Electronic CommerceElectronic Commerce

• EDI: pre-existing over-arching EDI: pre-existing over-arching contractual framework - usually contractual framework - usually Many-to-OneMany-to-One

• Many-to-Many Occasional Many-to-Many Occasional TransactionsTransactions

Electronic CommerceElectronic Commerce

Formal Stages within Protocol:Formal Stages within Protocol:• originationorigination• non-repudiation of originationnon-repudiation of origination• confirmation of deliveryconfirmation of delivery• non-repudiation of deliverynon-repudiation of deliverypublic key crypto for authenticationpublic key crypto for authentication serialing of transactions / eventsserialing of transactions / eventsmultiple audit trailsmultiple audit trails

Simple EDISimple EDISimple EDISimple EDI

BigCustomer


BigCustomer

Large organisation with many supplierswants to have e- links with them


BigCustomer

Simple EDISimple EDI

• One-to-Many arrangementOne-to-Many arrangement

• Closed system, defined by pre-Closed system, defined by pre-existing contractexisting contract

• Advantages:Advantages: Lower transaction costs Lower transaction costs JIT proceduresJIT procedures Better use of ITBetter use of IT

Simple EDISimple EDI

• DisadvantagesDisadvantages considerable IT investment before considerable IT investment before

benefits realisedbenefits realised may favour large customer over smaller may favour large customer over smaller

supplierssuppliers

• Technical problems Technical problems - few- few

• Legal problems Legal problems - few- few

EDI NodeEDI NodeEDI NodeEDI Node

EDI facility

ParticipantParticipant

Participant

EDI NodeEDI NodeEDI NodeEDI Node

EDI facility

ParticipantParticipant

Participant

Typically: industry or profession-based

EDI facilityEDI facility

• Trade is between individual entities, Trade is between individual entities, centre is a switch centre is a switch authentication?authentication? credit validation?credit validation? telecoms switch?telecoms switch?

• Closed systemClosed system• Legal problem: Legal problem: liability / obligationsliability / obligations• Technical problems Technical problems - few- few

EDI facilityEDI facility

• Contract enforced by prior relationshipContract enforced by prior relationship• Protocols include:Protocols include:

public key crypto for authenticationpublic key crypto for authentication defined stages for acknowledgement, defined stages for acknowledgement,

non-repudiation etc non-repudiation etc serialing of transactions / eventsserialing of transactions / events multiple audit trailsmultiple audit trails eg EDIFACT, ANSI X12 etceg EDIFACT, ANSI X12 etc

EFT FacilityEFT FacilityEFT FacilityEFT Facility

EFT facility

BankBank

Bank

EFT facilityEFT facility

Where are the liabilities?Where are the liabilities?

• Counter-partiesCounter-parties

• EFT nodeEFT node

• ?? what sorts of failures create ?? what sorts of failures create which sorts of liabilities?which sorts of liabilities?

Securities SettlementSecurities SettlementSecurities SettlementSecurities Settlement

Securities Settlement

BankBank

Bank

Custodian

Securities SettlementSecurities Settlement

Central Switch provides:Central Switch provides:• cash cash vsvs certificate certificate (delivery (delivery vsvs payment) payment)

• link to custodianlink to custodian• nettingnetting• authenticationauthentication• credit verificationcredit verification

liabilities: when and where ?liabilities: when and where ?

>> protocols>> protocols

Many-to-Many Open SystemsMany-to-Many Open Systems


These two people / businesses do not knoweach other and have no prior arrangement, but

they wish to trade electronically


BankingSystem or

Credit Card Co


BankingSystem or

Credit Card Co

TRUST


These two people / businesses do not knoweach other and have no prior arrangement, but

they wish to trade electronically

Open SystemOpen System


Banking system or credit card company Banking system or credit card company provides trust in the money transfer provides trust in the money transfer aspect aspect

• authenticationauthentication• credit worthinesscredit worthiness

when and where do the liabilities fall?when and where do the liabilities fall?

delivery / payment not automatically delivery / payment not automatically connectedconnected


Computer Co, Telco


Computer Co, Telco

eg, Compuserve,AOL, MSN


Computer Co, Telco

Banking, Credit Card Co Shop,

Mall


Computer co or Telco provide links; bank or Computer co or Telco provide links; bank or credit card company provides trust in the credit card company provides trust in the relationshiprelationship

• computer co / telco provides computer co / telco provides authenticationauthentication

• bank etc provides credit worthinessbank etc provides credit worthiness

when and where do the liabilities fall?when and where do the liabilities fall?

relationships through computer relationships through computer coco link link delivery and paymentdelivery and payment

E-commerce worriesE-commerce worries

• System malfunctionSystem malfunction

• Transaction duplication / lossTransaction duplication / loss

• Fraud: device duplicationFraud: device duplication

• Fraud: alteration of data, softwareFraud: alteration of data, software

• Fraud: message manipulationFraud: message manipulation

• Fraud: theft of critical devicesFraud: theft of critical devices

• Fraud: transaction repudiationFraud: transaction repudiation

Internet CommerceInternet Commerce

Internet


Banking, Credit Card Co

Retail TransactionsRetail Transactions

So far: traders of equal statusSo far: traders of equal status

Now: customer and retailerNow: customer and retailer

Retail TransactionsRetail Transactions

Banking, Credit Card Co

RetailCustomer Retailer


Problem I: delivery Problem I: delivery vsvs payment payment

• when is there offer, acceptance, when is there offer, acceptance, consideration?consideration?

• what evidence exists?what evidence exists?

• but what happens now, outside the but what happens now, outside the Internet, on phone transactions?Internet, on phone transactions?

Retail Internet TransactionsRetail Internet Transactions

• Retailer does credit authorisation in Retailer does credit authorisation in the normal waythe normal way

• But how does authentication occur?But how does authentication occur? retailer has link to credit card co?retailer has link to credit card co?

• ProtocolsProtocols to describe stages, liabilities, to describe stages, liabilities,

obligations obligations (no agreements yet)(no agreements yet)


lots of potential solutions, but what lots of potential solutions, but what we need is a standardwe need is a standard

but individual banks and computer cos but individual banks and computer cos also want to “win” the marketalso want to “win” the market


Problem II: security:Problem II: security:

• AuthenticationAuthentication

• ConfidentialityConfidentiality

• IntegrityIntegrity

• Low Transaction Cost / Investment / Low Transaction Cost / Investment / OverheadOverhead

• SpeedSpeed


Problem II: security:Problem II: security:

• lots of potential solutions, but what lots of potential solutions, but what we need is a standardwe need is a standard

• but individual banks and computer but individual banks and computer coscos also want to “win” the marketalso want to “win” the market

• many of the new proposals contain many of the new proposals contain hidden advantages for advocateshidden advantages for advocates

Retail Internet worriesRetail Internet worries

• System malfunctionsSystem malfunctions• Unique IDs, PINs etc sniffed and Unique IDs, PINs etc sniffed and

compromised >> masqueradingcompromised >> masquerading• Loss of confidentialityLoss of confidentiality• Fraud: message manipulation Fraud: message manipulation • Fraud: alteration of data, softwareFraud: alteration of data, software• Fraud: transaction repudiationFraud: transaction repudiation• Fraudulent merchants / customersFraudulent merchants / customers

To remind ...To remind ...






Alternatives to digisig ...Alternatives to digisig ...

Trust mechanismsTrust mechanisms

• EmeritusEmeritus

• CertCoCertCo

Guarantees based on individual Guarantees based on individual transaction, not prime participants; transaction, not prime participants; similar to Letter of Creditsimilar to Letter of Credit

E-cashE-cash

• Why e-cash?Why e-cash?• Benefits for consumersBenefits for consumers• Benefits for “merchants”Benefits for “merchants”• Benefits for Banks, Credit Card Benefits for Banks, Credit Card

Companies, etcCompanies, etc• Role of Comms Service ProvidersRole of Comms Service Providers• Role of specialist computer companiesRole of specialist computer companies

E-cashE-cash

True cash characteristics:True cash characteristics:

• generally acceptable value generally acceptable value representation devicerepresentation device

• anonymous bearer instrumentanonymous bearer instrument

• readily transferablereadily transferable

• without any third-party interventionwithout any third-party intervention

• untraceable ownership / transaction untraceable ownership / transaction audit trailaudit trail

E-cashE-cash

Why e-cash?Why e-cash?• e-cash exists already - as credit cards, e-cash exists already - as credit cards,

debit cards, EFT debit cards, EFT • any new system must offer something any new system must offer something

more:more: better, further facilitiesbetter, further facilities lower costslower costs greater conveniencegreater convenience better securitybetter security

E-cashE-cash

Why e-cash?Why e-cash?

• ““micro-transactions”micro-transactions”

• transaction cost / link to formal transaction cost / link to formal banking systembanking system

• electronic publishing electronic publishing (data, music,(data, music, software)software): : on-demand sale of low value on-demand sale of low value copyright itemscopyright items

E-cashE-cash

TechnologiesTechnologies

where will you use? - real / cyber shopswhere will you use? - real / cyber shops• Mag-stripe cardsMag-stripe cards• Secure protocols for credit cardsSecure protocols for credit cards• Smart cardsSmart cards• Tokens / Wallets Tokens / Wallets (eg Mondex)(eg Mondex) • Virtual credits for e-transactionsVirtual credits for e-transactions

E-cashE-cash

Benefits for consumersBenefits for consumers

• greater purchase opportunitiesgreater purchase opportunities


• better control over expenditure?better control over expenditure?

• in-built credit facilities?in-built credit facilities?

• BUT: will there be an audit trail? - key BUT: will there be an audit trail? - key opportunities for tax evasion may need opportunities for tax evasion may need to be retainedto be retained

E-cashE-cash

Benefits for “merchants”Benefits for “merchants”

• instant confirmation of paymentinstant confirmation of payment

• in-built credit opportunities in-built credit opportunities increases buyer’s purchasing powerincreases buyer’s purchasing power

• reduced administrative costsreduced administrative costs

• greater security because less cash greater security because less cash on premiseson premises

E-cashE-cash

Benefits for Banks, Credit Card Benefits for Banks, Credit Card Companies, etcCompanies, etc

• reduced costs of cash-handlingreduced costs of cash-handling

• effects on retail branch networkeffects on retail branch network

• greater opportunity to make greater opportunity to make commission on cash handlingcommission on cash handling

• greater opportunities to sell creditgreater opportunities to sell credit

• improved security improved security

E-cashE-cash

Role of Comms Service ProvidersRole of Comms Service Providers• eg CompuServe, MSN, AOL, etceg CompuServe, MSN, AOL, etc• growth of online shopping mallsgrowth of online shopping malls• growth of e-tradegrowth of e-trade• opportunities to make commission opportunities to make commission • opportunities to enter banking and opportunities to enter banking and

financial services industryfinancial services industry• data warehousing / mailing listsdata warehousing / mailing lists

E-cashE-cash

Role of specialist computer companiesRole of specialist computer companies

• provide new standards for e-cash provide new standards for e-cash and e-cash transactionsand e-cash transactions

• earn commission, royaltiesearn commission, royalties

• enter, perhaps in consortium, enter, perhaps in consortium, banking business banking business

E-cashE-cash

Tests for successful new systems:Tests for successful new systems:• will capital costswill capital costs

bankbank networknetwork merchantmerchant customercustomer

• transaction coststransaction costs• overcome existing cash and e-cash overcome existing cash and e-cash

systems?systems?

E-cash varieties:E-cash varieties:

• Enhanced credit cards / secure Enhanced credit cards / secure transaction protocolstransaction protocols

• Virtual accountsVirtual accounts

• Devices on PC HDDsDevices on PC HDDs

• Electronic pursesElectronic purses


• Enhanced credit cards / secure Enhanced credit cards / secure transaction protocols transaction protocols access deviceaccess device

• Devices on PC HDDs Devices on PC HDDs stored value devicestored value device

• Electronic purses Electronic purses stored value device stored value device

• Virtual accounts Virtual accounts access and stored valueaccess and stored value






most of the new proposals contain hidden most of the new proposals contain hidden advantages for advocates - or are advantages for advocates - or are designed to minimise disadvantagesdesigned to minimise disadvantages



• SET: Secure Electronic Transactions SET: Secure Electronic Transactions consortiumconsortium

• Europay Europay (Visa, Mastercard)(Visa, Mastercard)

• First Virtual Holdings First Virtual Holdings (PIN # not credit cards)(PIN # not credit cards)

• First Bank of Internet First Bank of Internet (Visa cashpoint)(Visa cashpoint)



• Digi-CashDigi-Cash

• Cyber CashCyber Cash



• MondexMondex

• EuropayEuropay

• CAFECAFE

• VisaCashVisaCash



• First Virtual HoldingsFirst Virtual Holdings

• ++++ ???++++ ???

E-cash features:E-cash features:

• Connections to conventional banking Connections to conventional banking system system - frequency- frequency

• Costs Costs - customer, merchant, bank- customer, merchant, bank

• Costs - Costs - capital, overhead, per transactioncapital, overhead, per transaction

• Ease of use / links to other ITEase of use / links to other IT• Market acceptanceMarket acceptance• Backers / partnersBackers / partners• Transitional arrangementsTransitional arrangements

E-cash features:E-cash features:

• Inter-operabilityInter-operability

• Protections against forgeryProtections against forgery

• Protections against masqueradingProtections against masquerading

• Limitations on size, transactionsLimitations on size, transactions

• Audit trails: extent and visibilityAudit trails: extent and visibility

• Controls against inflationControls against inflation

• International aspectsInternational aspects

E-cash success indicatorsE-cash success indicators

• Combinations of all of the above, plusCombinations of all of the above, plus• Hidden benefits for promotersHidden benefits for promoters

opportunities to sell other financial opportunities to sell other financial products and servicesproducts and services

opportunities to sell products in generalopportunities to sell products in general opportunity to avoid opportunity to avoid lossloss of existing of existing

businessbusiness opportunity for partnershipsopportunity for partnerships

E-cash costsE-cash costs

• IssuerIssuer devicesdevices distributiondistribution links to conventional bank systemlinks to conventional bank system

• MerchantMerchant terminalsterminals change in working methodschange in working methods

• CustomerCustomer devicesdevices

E-cash worriesE-cash worries

• CostsCosts

• System malfunctionsSystem malfunctions

• Fraud: device duplicationFraud: device duplication

• Fraud: alteration of data, softwareFraud: alteration of data, software

• Fraud: message manipulationFraud: message manipulation

• Fraud: theft of critical devicesFraud: theft of critical devices

• Fraud: transaction repudiationFraud: transaction repudiation


• Tax evasionTax evasion

• Challenge to conventional money Challenge to conventional money supply controls supply controls

• Failures could lead to lack of Failures could lead to lack of confidence in banking sectorconfidence in banking sector

• New forms of crime New forms of crime (that are difficult to police)(that are difficult to police)

• Forgery leading to inflationForgery leading to inflation


The greater the number of consecutive The greater the number of consecutive transactions without intervention with transactions without intervention with a central system, the greater the a central system, the greater the chances of:chances of:

• fraudfraud• forgeryforgery• money launderingmoney laundering• tax evasiontax evasion


The greater the number of consecutive The greater the number of consecutive transactions without intervention transactions without intervention with a central system:with a central system:

the higher the coststhe higher the costs

Protecting CopyrightProtecting Copyright

• tv: satellite, cable, digital terrestrialtv: satellite, cable, digital terrestrial

• software distributionsoftware distribution selective unlocking of CD-ROMsselective unlocking of CD-ROMs

• e-publicationse-publications one-time access to low-value, high one-time access to low-value, high

volume online servicesvolume online services selective unlocking of CD-ROMsselective unlocking of CD-ROMs

Protecting CopyrightProtecting Copyright

in each of these areas there will be in each of these areas there will be room only for one or two encryption room only for one or two encryption systems - the owner will then act as systems - the owner will then act as commercial gatekeeper and become commercial gatekeeper and become very powerful -very powerful -

eg Rupert Murdoch and Videocrypt and eg Rupert Murdoch and Videocrypt and UK digital tvUK digital tv

To conclude ...To conclude ...

• E-commerce and e-cash need E-commerce and e-cash need security features if they are to security features if they are to succeedsucceed

• But security and technology alone But security and technology alone are not enoughare not enough

• The critical feature is TRUST - The critical feature is TRUST - security features can sometimes help security features can sometimes help provide trustprovide trust


• Much public discussions about Much public discussions about cryptosystems appears to be limited cryptosystems appears to be limited to the comparative strengths of to the comparative strengths of various encryption methodsvarious encryption methods

• Cryptosystems are only one Cryptosystems are only one constituent in important commercial constituent in important commercial productsproducts


• Cryptosystems are only one Cryptosystems are only one constituent in important commercial constituent in important commercial productsproducts digital signaturedigital signature electronic commerceelectronic commerce electronic bankingelectronic banking e-cashe-cash copyright protection systemscopyright protection systems


Analysis should be based on the Analysis should be based on the qualities and strength of the qualities and strength of the Trust Trust MechanismMechanism - cryptography merely - cryptography merely provides one element: authenticationprovides one element: authentication

Some further thoughts ...Some further thoughts ...

future forms of electronic commercefuture forms of electronic commerce who will dominate world banking?who will dominate world banking? which commercial networks will win?which commercial networks will win? which encryption vendors will win which encryption vendors will win

through?through? what copyright systems will dominate?what copyright systems will dominate? what is the future role of the State? what is the future role of the State?

issues in electronic commerce. e-commerce and e-cash need security features if they are to...

Documents

market imperativesbuyers

market imperativesgovernment

lower costs money handling

trust security features

ecash need security

existing customersbanks

lower costsmore convenience

marketsbetter security