Being accessible, low cost and user-friendly, the Internet has become over the past decade one of the most frequently used means of communication for people all over the world. However, communication alone was not enough for business owners who wanted to maintain a reasonable online presence and improve their competitiveness globally; they were also looking for a fast and accessible way to send and receive money. Therefore, banks and other financial institutions assembled and developed the so-called “online payment systems”, such as credit and debit card systems, digital wallets and internet banking systems. Inevitably, the Internet also provides cyber-thieves with a convenient way to steal electronic money, which increases the need for strong security measures. Khan (2011, p. 4) has estimated that over a third of businesses based in the UK “are expecting to see the percentage of web revenue lost to fraud grow year-on-year”. The following analysis therefore gives a useful insight into the technologies used to provide a secure and stable environment for online payments.
One of the most important components of an Online Transaction Processing system, and one which needs a high level of security, is online banking, since the financial transactions between the customers and the bank must be protected. Currently, many banks which offer internet solutions to their customers use the Secure Sockets Layer (SSL) protocol and, more recently, the Transport Layer Security (TLS) protocol in order to protect the connection between the client and the server. However, many researchers have tested the security of the SSL/TLS protocol and they all came to the conclusion that the technology is vulnerable to various attacks, among them MITM (man-in-the-middle) attacks (Hiltgen et al., 2006, p. 21). Therefore, a number of techniques have been developed in order to protect clients against this type of attack. First of all, banks tend to advise their customers to follow Internet security best practices, such as not opening internet pages linked from e-mail messages that come from unfamiliar sources. Secondly, most modern web browsers are equipped with technologies that protect users' credentials from being stolen. A case in point is Internet Explorer, which has a strong phishing filter, and Mozilla Firefox, which uses Google's Safe Browsing technology (Oppliger et al., 2009, p. 29). Finally, there are server-side technologies offering a high level of security for online transactions. For instance, the Bank of America uses its ShopSafe, SafePass and SiteKey solutions to add an extra layer of protection for its clients (“Turn to Bank of America”, n.d., para. 2, 3, 4). Furthermore, researchers have proposed the implementation of Extended Validation certificates (EV-SSL) (“Proof Positive”, 2010, p. 1) and password-based key-exchange protocols (Steiner et al., 2001, p. 134), and the Internet Engineering Task Force (IETF) also suggests the use of the Secure Remote Password (SRP) protocol (Taylor et al., 2007, p. 1).
Throughout the world, the process by which a user logs into a bank's online application is based on the PIN/TAN system, where the PIN (personal identification number) is the key used to generate the TAN (transaction authentication number), which represents an OTP (one-time password). It is widely believed to be a secure technology since it avoids the risk of the password being stolen by anybody else: it consists of a device which generates passwords that can be used only once, so a potential intruder who captured one would not be capable of using it to log into the system, as it would no longer be valid (Oppliger et al., 2009, p. 29). However, some implementations of this security measure proved to be insecure. Güneysu and Paar (2008, p. 128) tested the security of OTP systems and demonstrated “how to break such an OTP-token with little effort in terms of costs and time” by focusing on OTP tokens generated by devices using a single key without other factors.
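The one-time property described above can be made concrete with a small model of a TAN token and the bank-side check that goes with it. The following is an added example, not code from the paper or from any bank's system: it uses the HMAC-based one-time password construction of RFC 4226 (HOTP) as the TAN generator, treats the token's shared key as the only secret (the single-key, single-factor design the paragraph refers to), and keeps a per-customer counter so that a TAN which has already been accepted is refused if it is presented a second time. The class name, the look-ahead window size and the secret value are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Added example (not the paper's or any bank's code): an RFC 4226 HOTP token
# as a model of a TAN generator, plus a server-side verifier that never
# accepts the same counter value twice.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class TanVerifier:
    """Bank-side state for one customer's token (hypothetical class name).

    The shared key is the only secret on a single-factor token, which is
    why its extraction defeats the scheme. The verifier keeps a small
    look-ahead window so a token whose counter ran ahead (button pressed
    without logging in) still resynchronises, but every accepted counter
    value and everything below it is consumed, so a captured TAN cannot
    be replayed.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window      # how far ahead of the expected counter we search
        self.counter = 0          # next counter value the bank expects

    def verify(self, tan: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison avoids leaking digit-by-digit matches
            if hmac.compare_digest(hotp(self.secret, c), tan):
                self.counter = c + 1  # c and everything before it is now used up
                return True
        return False  # unknown TAN, or a replay of an already-consumed one


# Constructed demonstration values: the RFC 4226 test secret, not a real key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    bank = TanVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("fresh TAN accepted:", bank.verify(first))   # True
    print("replayed TAN accepted:", bank.verify(first))  # False
```

The `verify` method returns `True` at most once for any given counter value; the test vectors from RFC 4226 for the demonstration secret are `755224`, `287082` and `359152` for counters 0, 1 and 2.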
Benson Edwin Raj and Portia (2011, p. 152) state that “due to the rise and rapid growth of e-Commerce, use of credit cards for online purchases has dramatically increased”. Therefore, in order to lower the risks and increase the security of online transactions, the international credit card organisations have implemented the 3-D Secure (3DS) standard. This security technology enables online merchants and financial institutions to verify the cardholders who want to use their payment systems for online shopping. By doing so, the cardholder considerably reduces the chances of his card being used by unauthorised persons for fraudulent activities on the Internet. In a recent research paper, Murdoch and Anderson (2010, p. 336) reveal the security weaknesses of technologies based on the 3-D Secure protocol. One of the major security problems noticed by the two researchers is that the activation of 3DS takes place during online shopping, when cardholders are asked to create a password for authentication in the 3DS system. This flaw is exploited by cyber-criminals, who create phishing websites that ask for cardholders' banking details in the same way the ADS (activation during shopping) process does. Evidence of these phishing attacks is presented by Ronchi (2010, p. 5), who states that “3DS is currently prey of massive phishing scams, accounting for over £300 Million bank fraud losses during 2008 in the UK alone”.
The Address Verification System (AVS) is a technology implemented by credit card institutions and banks which allows merchants to verify whether the billing address submitted by a customer is the same as the one on file at the issuing bank. AVS is supported in the United Kingdom, the United States and Canada, and it is available for most card types, such as Visa and Mastercard. In his later work, Montague (2011, p. 128) states that AVS helps “in disputing chargebacks because you have a transaction in which the consumer's billing address on the order is the same as what is on file at the issuing bank”. AVS is a free security technology for online payments that merchants can use once they have asked their credit card service provider to enable the option. Symantec (“Secure Online Transactions”, 2007, para. 5) advises people who want to build an online-shopping website to take the AVS technology into consideration when choosing a payment gateway processor, as it is a basic fraud detection technique. Even though it is a security measure frequently used by merchants all over the world, AVS proves to be very unreliable, because simple mistakes such as the customer mistyping the address can trigger the security system, which will then block the transaction. According to Khan (2011, p. 8), “AVS is subject to a significant rate of 'false positives', which may lead to merchants unnecessarily rejecting valid orders and potentially accepting fraudulent ones”.
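The false-positive problem is easier to see with the comparison written out. The following is an added example, not code from the paper, from Symantec or from any card network or bank: it models the AVS comparison the way the check is commonly performed, on the numeric portion of the street address and on the normalised postal code, and reports a result in the style of the widely used Y (full match), A (address only), Z (postal code only) and N (no match) response codes. The function names, the normalisation rules and the merchant policy that maps partial matches to manual review rather than outright rejection are assumptions for illustration; the addresses are constructed.

```python
import re

# Added example (not the paper's or any card network's code): an AVS-style
# comparison on the numeric part of the street line and the postal code,
# plus a merchant-side policy that treats partial matches as "review"
# instead of declining, to limit the false positives Khan describes.


def _street_digits(text: str) -> str:
    """Keep only the digits of a street line: '12 High St.' -> '12'.
    Real AVS compares numeric parts, so 'St.' versus 'Street' never matters."""
    return "".join(re.findall(r"\d", text))


def _postal_key(text: str) -> str:
    """Upper-case the postal code and drop spaces/punctuation: 'sw1a 1aa' -> 'SW1A1AA'."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def avs_check(sub_street: str, sub_postal: str,
              file_street: str, file_postal: str) -> str:
    """Compare the submitted billing address with the issuer's file copy.

    Returns one of the Y/A/Z/N codes. An empty numeric street part on both
    sides is treated as "not comparable" rather than as a match."""
    s_sub, s_file = _street_digits(sub_street), _street_digits(file_street)
    p_sub, p_file = _postal_key(sub_postal), _postal_key(file_postal)
    street_ok = s_sub != "" and s_sub == s_file
    postal_ok = p_sub != "" and p_sub == p_file
    if street_ok and postal_ok:
        return "Y"
    if street_ok:
        return "A"
    if postal_ok:
        return "Z"
    return "N"


# Hypothetical merchant policy: only a full mismatch is declined outright;
# a single mismatched element (typically a typo) goes to manual review.
DECISIONS = {"Y": "accept", "A": "review", "Z": "review", "N": "decline"}


def merchant_decision(avs_code: str) -> str:
    return DECISIONS.get(avs_code, "review")


if __name__ == "__main__":
    # Constructed sample: the customer typed the house number wrong.
    code = avs_check("21 High Street", "SW1A 1AA", "12 High St.", "sw1a1aa")
    print(code, merchant_decision(code))  # Z review
```

Run stand-alone, the script shows a transposed house number producing a `Z` (postal code only) result; a policy that declines on anything but `Y` would block that order, which is exactly the false positive the paragraph warns about.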
Velocity of change is a fraud prevention technique used by online payment gateways such as CyberSource and authorize.net. It consists of analysing the frequency of changes in payment elements such as home address, telephone number and e-mail address between past and present transactions in order to identify any fraudulent activity. An example of this kind of check is counting the number of e-mail addresses used with a credit card number during a week. According to Montague (2004, p. 184), velocity of change becomes a better security measure the more data elements you are able to track. Some systems, like authorize.net, allow users to configure their own velocity filter, so they can specify how many transactions may be made per hour on their account in order to prevent high-volume attacks. Another technique, very similar to velocity of change, is velocity of use. This security measure prevents fraudulent payments by analysing the number of uses of a payment element in a certain period of time. Montague (2011, p. 219) advises merchants to obtain the data required for velocity of use analysis from third-party services whose databases are populated with information from multiple merchants and banks, so that the results are more accurate. Both security technologies are low-cost, very easy to implement and are used by most payment security services.
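Both velocity checks reduce to counting over a time window, which the following added example implements end to end; it is not the code of CyberSource, authorize.net or the paper. It keeps a small in-memory transaction history, counts the distinct e-mail addresses seen with one card in the past week (velocity of change, the example from the paragraph) and the number of transactions on one merchant account in the past hour (velocity of use, in the style of a configurable per-hour filter), and reports which rules a new transaction would trip. The thresholds, field names and the sample transactions are constructed assumptions; cards are represented by tokens rather than card numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not the paper's, CyberSource's or authorize.net's code):
# velocity-of-change and velocity-of-use screening over an in-memory history.


@dataclass(frozen=True)
class Transaction:
    when: datetime
    card: str      # card token issued by the gateway, never the card number
    email: str     # e-mail address supplied with the order
    account: str   # merchant account that processed the order


def velocity_of_change(history, card, now, window=timedelta(days=7)):
    """Distinct e-mail addresses used with one card inside the window."""
    since = now - window
    return len({t.email for t in history
                if t.card == card and since <= t.when <= now})


def velocity_of_use(history, account, now, window=timedelta(hours=1)):
    """Number of transactions on one merchant account inside the window."""
    since = now - window
    return sum(1 for t in history
               if t.account == account and since <= t.when <= now)


def screen(history, txn, max_emails_per_week=3, max_txns_per_hour=20):
    """Return the velocity rules the new transaction would trip (assumed thresholds).

    The candidate transaction is counted together with the history so that the
    decision reflects the state the history would have if it were accepted."""
    candidate = list(history) + [txn]
    flags = []
    if velocity_of_change(candidate, txn.card, txn.when) > max_emails_per_week:
        flags.append("velocity_of_change:emails_per_card")
    if velocity_of_use(candidate, txn.account, txn.when) > max_txns_per_hour:
        flags.append("velocity_of_use:txns_per_hour")
    return flags


# Constructed sample history: one card used with three e-mail addresses in the
# past week (plus an older one outside the window), and a burst of twenty
# orders on a second merchant account within the last half hour.
BASE = datetime(2011, 5, 2, 12, 0)
HISTORY = [
    Transaction(BASE - timedelta(days=10), "tok_1111", "old@example.com", "merchant-1"),
    Transaction(BASE - timedelta(days=6), "tok_1111", "a@example.com", "merchant-1"),
    Transaction(BASE - timedelta(days=4), "tok_1111", "b@example.com", "merchant-1"),
    Transaction(BASE - timedelta(days=1), "tok_1111", "c@example.com", "merchant-1"),
]
BURST = [
    Transaction(BASE - timedelta(minutes=i), f"tok_{i:03d}", f"x{i}@example.com", "merchant-2")
    for i in range(20)
]

if __name__ == "__main__":
    fourth_email = Transaction(BASE, "tok_1111", "d@example.com", "merchant-1")
    print(screen(HISTORY, fourth_email))       # ['velocity_of_change:emails_per_card']
    twenty_first = Transaction(BASE, "tok_999", "y@example.com", "merchant-2")
    print(screen(HISTORY + BURST, twenty_first))  # ['velocity_of_use:txns_per_hour']
```

Tracking more elements, as Montague recommends, means adding further counters of the same shape (telephone number per card, cards per shipping address, and so on); a production filter would also pull the history from a shared third-party store rather than a single merchant's own records, which is the accuracy point the paragraph makes.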
It is clear, therefore, that not only do the existing security technologies used for online payments have to be improved, but there is also a need for newer and stronger security measures. Financial institutions and banks must ensure that effective fraud prevention techniques are implemented in their online payment systems in order to protect their clients against attacks from cyber-thieves. According to Ross Anderson (2010, para. 8), creating new security technologies is not an easy task, because computer criminals differ from ordinary criminals in that they always think before acting, and most of them are very well trained software engineers who can develop malware kits able to outsmart even the best security systems. Above all, in order to minimise security problems and maintain a fraud-free online environment, more importance should be given to the security of the “UI transaction context and in particular the Web Browser, which is widely recognized as the main source of security vulnerabilities exploited by e-criminals today” (Ronchi, 2010, p. 2). Online payment systems may never be completely free of vulnerabilities; however, further research to identify potential security problems and solutions, as well as a better understanding of how cyber-criminals think, should result in a safer e-Commerce environment.