Security concerns with respect to business-to-consumer E-commerce come down to two issues: privacy and fraud.
Businesses have to be careful not to alienate their customers by abusing the personal information they collect about them. Most customers don't mind if you tailor their online experience based on subjects and products they've previously shown interest in, but woe to the online entity that sells personal customer data without permission.
The key issue with respect to fraud is that it's simply easier to pull off online than in person. The chance of fraud is so much greater when merchants can't see the physical card used to pay for an item that they have to pay credit card providers far more to conduct such transactions.
An online merchant will pay 2.3 to 3.5 percent for each dollar transacted for a "card not present" transaction while brick and mortar retailers pay roughly 1.5 percent, says Michael Abbott, senior vice president, E-business for Fleet Credit Card Services in Horsham, Penn. On top of that, online merchants have to eat the cost of any fraudulent transactions, he says, whereas the credit card issuer does in the brick and mortar world.
One technology that promises to change that equation is smart cards. Smart cards look like credit cards but have a tiny embedded computer chip that can hold information about the holder and perform tasks like encryption.
"The widespread use of smart cards will be a quantum leap forward in the strength of authentication of anything across networks, be it E-commerce or just employees logging in to the corporate network," says John Pescatore, research director for network security at the Gartner Group consultancy in Stamford, Conn.
While there has been talk for years about smart cards, it is only now being backed up with action.
The Department of Defense in October started rolling out smart cards that will be used as ID cards for some 4 million DOD-affiliated personnel. It will eventually allow them access to secure buildings and computer networks and potentially store medical records and other personal data.
Around the same time, Visa USA, Inc. announced the launch of smart Visa, its own smart card implementation. Fleet is among the first banks to roll the card out to customers. The Visa example shows how strong security can enable business opportunities.
Like the DOD smart card, Fleet's Fusion card improves security with the use of public key infrastructure (PKI) technology, which provides strong authentication and encryption capabilities. When used with a Visa-provided software plug-in on the online merchant's end, the authentication mechanism is robust enough that Abbott says such transactions will be considered "card present," just as in a brick and mortar store.
That can add at least 1 percent, or 100 basis points, to an online retailer's bottom line. "The retail industry works on margins of 200 to 300 basis points," Abbott says. "Being able to add 100 basis points to your bottom line, a 50% increase in your margins, is something you really don't want to ignore in the long run."
Beyond security, Abbott is quick to point out that Fusion makes possible new types of applications meant to increase convenience and, ultimately, drive consumer loyalty.
When the card is delivered it can come loaded with discount offers good at various online merchants, such as a $10 credit when you log in using the card. Similarly, merchants can deliver coupons to customers as they shop, much like supermarkets dole out coupons at the point of sale based on what you just bought.
Further down the road, the card could support applications such as e-tickets to events or for airlines, says Warren Wilcox, executive vice president of planning and development at Fleet Credit Card Services. "Imagine you download a reservation number to the card, stick it in a slot at the airport and a boarding pass pops out," he says.
From a technical perspective, it's interesting to note that Fleet's Fusion card uses PKI technology from Baltimore Technologies, Inc., while the core PKI technology in Visa's implementation comes from Xcert International, Inc. Abbott said Fleet chose Baltimore because it had a strong relationship with First Data Corp., the Atlanta-based payment processor Fleet was already using. This ability to mix and match PKI technologies was not feasible only a couple of years ago.
It may take a while to educate consumers about all these security aspects. "You're going to have a phase of early adopters, and we're educating them through our Web site right now," Abbott says. The company is also giving the first 100,000 customers to sign up for the card free smart card readers, which are required to use the card online. Eventually, the readers will be incorporated into PC keyboards, but that may take time.
"We're projecting it'll be mid 2003 before we see 50% of PCs shipping with smart card input devices," Gartner's Pescatore says.
Securing the server
And smart cards won't help online merchants protect the databases where they store customer credit card numbers, a task some have failed to do thus far.
The idea that merchants collect credit card numbers and associated data on customer purchases is nothing new, says Christian Byrnes, vice president for global security in the La Jolla, Calif. office of the META Group consultancy. What's different is that data used to be stored on computers that were locked deep in the bowels of merchant data centers.
"You had to be physically inside the headquarters building and pass through all kinds of checks and balances to gain access," Byrnes says. "Now we hook those same computers up to the Internet."
Frank Prince, senior analyst in e-business infrastructure, security and manageability at Forrester Research, Cambridge, Mass., agrees that security breaches rarely involve the stealing of credit card numbers as they cross a wire between a consumer and a merchant. The sheer difficulty in tapping a line along with widespread use of data encryption, which renders such numbers unreadable, "have combined to make attacking the communications channel between buyer and seller relatively unprofitable," he says.
The more attractive target is the server that holds all the credit card numbers.
"We've spent so much time on network security that we've created a situation where, realistically, all of the threats come at the server level," Byrnes says. "And servers are one of the most controllable, but also one of the least controlled points in most electronic commerce implementations."
This is the result of companies planning electronic commerce implementations without getting security experts involved from the get-go. How can this be, you ask, given all the high-profile security breaches?
"Step one is to find a security specialist. Most companies don't have any," Byrnes says. He sees no end in sight to the security personnel shortage, which he says is worse than the general IT shortage. "We have a long history of growing security talent internally within companies and that takes time."
Companies also need to implement a server configuration policy that details how to ensure that changes to a server, which occur frequently, don't open up security holes. Templates for such policies are readily available from commercial, non-profit and government organizations, he says, "but most organizations have not yet taken the step of adopting any standard configuration guidelines."
Once such policies are adopted, the next step is to audit servers weekly to ensure the policy is followed. Tools are available to help in this effort, including Axent Technologies, Inc.'s Enterprise Security Manager and Internet Security Systems, Inc.'s System Scanner.
The issue of policies also extends to the privacy arena, where ethics and technology intermingle.
"Many sites have privacy policies, yet few implement adequate controls to ensure the privacy of their customer information," says Matthew Devost, director of operations at Security Design International, Inc., a security consulting firm in Annandale, Va. "They simply aren't being diligent and may end up legally liable."
When customer credit card data is stolen, as it was from CD Universe last year, that is certainly a privacy concern. But it takes far less than that to create a security furor.
News of the change nonetheless raised some hackles. The Electronic Privacy Information Center, for example, severed its ties with Amazon, through which it had sold books online. EPIC's reasoning was that Amazon was not guaranteeing it would never disclose customer information to third parties and had no legal or technical means to protect customer privacy.
When one online merchant sells or gives customer data to another, it typically means customers get a flurry of unwanted email or phone calls. But as digital signatures come into vogue, allowing people to electronically "sign" documents of a sensitive nature, the result of a privacy breach may be far more serious.
"If I'm having you digitally sign payment records for HIV medicine, how am I protecting that signed document?" Pescatore asks. "Most of e-business is oriented towards collecting a lot of data on the customer and conducting targeted marketing, even selling customer data. Privacy runs head on smack into e-businesses wanting to use all this information."
Privacy issues even have international implications. The European Union Directive on Data Privacy, adopted in 1998, said companies could not transfer personal customer data to non-EU nations that did not meet the EU's standard of "adequacy." The Directive was in some ways in conflict with the United States' approach, which encourages companies to police themselves.
During the summer, the two sides came to a meeting of the minds, adopting a "safe harbor" agreement that outlines privacy policies acceptable to both sides. "As it happens, it's a pretty good guideline for everyone," Byrnes says.
Among other things, the safe harbor agreement calls for companies to disclose why they are collecting personal information, give individuals the chance to opt out, let them know if data will be transferred to a third party and to ensure the third party agrees to the same safe harbor principles.
The agreement is vague when it comes to the steps organizations need to take to protect all this consumer data, saying only, "Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction." It does not define what constitutes "reasonable action."
Adherence to the safe harbor principles is voluntary. To participate, companies self-certify annually with the Department of Commerce that they abide by the agreement and publicly declare in their policy statement that they adhere to safe harbor. The Commerce Dept. is maintaining a list of compliant organizations on its Web site (www.export.gov/safeharbor).
Enforcement varies. Private sector organizations must have dispute resolution and remedy procedures in place, either provided on their own or with a third party privacy seal program, such as TRUSTe. Organizations that fall under the jurisdiction of government agencies will be subject to enforcement from those agencies. The Federal Trade Commission and the Department of Transportation, for example, have said they will take action against organizations under their jurisdiction that fail to live up to their safe harbor compliance statements.
Whether safe harbor or agreements like it will put consumer privacy concerns at ease remains to be seen. Programs like it, including the TRUSTe seal, haven't seemed to do the trick yet.
"They don't make too much difference because people don't know the certifying organization, either," Prince says. "This isn't a Good Housekeeping seal with many years of name recognition behind it."