We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Free Chapter of Protocols for Secure Electronic Commerce by Mostafa Hashem Sherif

Ditsa Keren Technology Researcher

Mostafa Hashem Sherif  is the author of Protocols for Secure Electronic Commerce, where he presents a compendium of protocols for securing e-commerce platforms B2B and B2C applications. In this article, vpnMentor brings you the first chapter of this fascinating book, along with a few remarks from the author.

What new subjects does the third edition of your book deal with?

The third edition maintains the goal of presenting in a systematic albeit accessible fashion all the issues related to the security of electronic transactions and payments. Obviously, I gave  more attention to mobile commerce and particularly to cryptocurrencies, which did not exist when the 2nd edition was finalized.

What new knowledge did you gain whilst writing the book?

Writing the book helped me gain a realistic assessment of the opportunities and threats that digital transactions and currencies offer. I hope that this knowledge can be useful to system designers and policy makers as they make unavoidable compromises in building infrastructures, processes, laws and social organizations.
The book Protocols for Secure Electronic Commerce is available for purchase on amazon.

Finally, here's the first chapter of Mr. Sherif's book, who was kind enough to share it with our readers.

Chapter 1- Overview of Electronic Commerce

Electronic commerce is at the conjunction of the advances in microelectronics, information processing, and telecommunication that have redefined the role of computers, first in enterprises and now in daily life, beyond that of process and production control. In the early phase, business supply networks or distribution channels were automated for optimal scheduling of production based on feedback from markets. Since the 1980s, a series of innovations opened new vistas to electronic commerce in consumer applications through automatic cash dispensers, bank cards, and Internet and wireless transactions. Simultaneously, money took the form of bits moving around the world, including the form of cryptocurrencies. Electronic commerce is also evolving in a virtual economy, focusing on services with looser temporal, geographic, or organizational obligations and with less consumption of natural resources and pollution hazards (Haesler, 1995).

This chapter presents a general introduction to various aspects of electronic commerce: its definition, various categories, its effects on society, its infrastructure, and what fraud means for  individuals.

1.1 Electronic Commerce and Mobile Commerce

Electronic commerce (e-commerce), as defined by the French Association for Commerce and Electronic Interchange*—a nonprofit industry association created in 1996—is “the set of totally dematerialized relations that economic agents have with each other.” Thus, e-commerce encompasses physical or virtual goods (software, information, music, books, etc.), as well as the establishment of users’ profiles based on demographic and behavioral data collected during online transactions.

The Open Mobile Alliance (OMA) defines mobile commerce (m-commerce) as “the exchange or buying or selling of services and goods, both physical and digital, from a mobile device” (Open Mobile Alliance, 2005, p. 8).
Typically, the buyer and the seller interact over a mobile network before the customer can engage the financial transaction. This initial phase includes advertising, discovery and negotiation of the price, and the terms and conditions.

Thus, both electronic commerce and mobile commerce blend existing technologies to create new financial services accessible from desktops, mobile terminals, phones, or pads. The ubiquity of mobile phones outside the industrialized countries has opened access to financial services, with telephone companies establishing payment networks through cash stored or transferred by phone. In recent years, mobile commerce services were extended to many financial services such as bill presentment and payment, loans, salary payment, and life insurance policies (the telecommunication company has all information that an underwriter needs from its subscribers, such as name, birth date, and address).

In this book, unless explicitly mentioned, the term electronic commerce will encompass all transactions irrespective of the access method, wireline or wireless, as well as the type of money used. There are instances, however, where the term mobile commerce implies specific characteristics. First, mobile transactions can be location based, that is, commercial offers can be modulated according to the current location of the mobile terminal. (In all cases, subscribers can receive tailored offers based on their demographic profile, preferences, and transaction history.) Second, in some countries, the limit for the amount that a user can transfer at any one time or during a specified time interval is lower when the transaction is conducted over a mobile network. Also, in some countries, mobile financial services require a partnership between telecommunication companies and banks or that telecommunication companies have a banking license.

Other countries such as Kenya allow mobile money accounts to be unattached to any financial account, and mobile banking is exempt from the regulation of typical banking institutions (Bird, 2012; Crabtree, 2012; Demirguc-Kunt and Klapper, 2012).
Table 1.1 summarizes the main differences between Internet commerce and mobile commerce. It should be noted that more than 90% of retail purchases in the United States are still conducted offline (Mishkin and Ahmed, 2014), but by 2016, 9% of the retail sales in the United States would be online. Of this, 8% would be mobile commerce transactions, which correspond in value to $90 billion in 2017 (Huynh, 2012).
table 1-1 - Protocols for Secure Electronic Commerce, Third Edition
Furthermore, with the increase in the number of mobile broadband subscribers worldwide to around seven billion, mobile commerce may become the dominant channel by 2018 (Taylor, 2013).
Depending on the nature of the economic agents and the type of relations among them, the applications of e-commerce fall within one of four main categories:

  1. Business to business (B2B), where the customer is another enterprise or another department within the same enterprise. A characteristic of these types of relations is their long-term stability. This stability justifies the use of costly data processing systems, the installation of which is a major project. This is particularly true in information technology systems linking the major financial institutions. It should be noted that currently, mobile commerce does not include business-to-business transactions.
  2. Business to consumer (B2C) at a distance through a telecommunication network, whether fixed or mobile.
  3. Proximity or face-to-face commerce includes face-to-face interactions between the buyer and the seller as in supermarkets, drugstores, coffee shops, and so on. These interactions can be mediated through machines using contactless payment cards or mobile phones.
  4. Peer-to-peer or person-to-person commerce (P2P) takes place without intermediaries, such as the transfer of money from one individual to
    another.

1.1.1 Examples of Business-to-Business Commerce

Business-to-business e-commerce was established long before the Internet. Some of the pre-Internet networks are as follows:

  1. Société Internationale de Télécommunications Aéronautiques (SITA—International Society for Aeronautical Telecommunications), the world’s leading service provider of IT business solutions and communications services to the air transport industry. Today, SITA links 600 airline companies and around 2000 organizations that are tied to them.
  2. SABRE, an airline reservation system that was formerly owned by American Airlines, while in 1987, Air France, Iberia, and Lufthansa, established a centralized interactive system for reservations of air transport (Amadeus) to link travel agents, airline companies, hotel chains, and car rental companies. The settlement of travel documents among airline companies (changing airline companies after the ticket had been issued, trips of several legs on different airlines) is done through the Bank Settlement Payment (BSP) system.
  3. Society for Worldwide Interbank Financial Telecommunications (SWIFT), whose network was established in 1977 to exchange standardized messages for the international transfer of
    funds among banks.
  4. Banking clearance and settlement systems as discussed in Chapter 2.

Standardization of business-to-business e-commerce networks started with the X12 standard in North America and Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT) in Europe. In the early 1980s, the U.S. Department of Defense (DOD) launched the Continuous Acquisition and Life-cycle Support (CALS) to improve the flow of information with its suppliers. In 1993, President Bill (William) Clinton initiated the exchange of commercial and technical data electronically within all branches of the federal government (Presidential Executive Memorandum, 1993). The Federal Acquisition Streamlining Act of October 1994 required the use of EDI in all federal acquisitions. A taxonomy was later developed to describe various entities and assign them a unique identifier within the Universal Data Element Framework (UDEF). With the installation of the Federal Acquisition Computer Network (FACNET) in July 1997, federal transactions can be completed through electronic means from the initial request for proposal to the final payment to the supplier.
Today, the adoption of the Internet as the worldwide network for data exchange is encouraging the migration toward open protocols and new standards, some of which will be presented in Chapter 4.

1.1.2 Examples of Business-to-Consumer Commerce

Interest in business-to-consumer e-commerce started to grow in the 1980s, although this interest varied across different countries. In Germany, remote banking services were conducted through the Bildschirmtext (BTX) system. The users of BTX were identified with a personal identification code and a six-digit transaction number (Turner, 1998).
In France, the Minitel service was undoubtedly one of the most successful pre–World Wide Web online business-to-consumer systems, lasting more than 40 years from the 1980s till its retirement in June 2012.
Access was through a special terminal connected to an X.25 data network called Transpac via the public switched telephone network (PSTN). Until 1994, the rate of penetration of the Minitel in French homes exceeded that of personal computers in the United States (France Télécom, 1995; Hill, 1996). The crossover took place in 2002, when Internet users in France exceeded those using the Minitel (41%–32%), while turnover dropped from €700 billion in 2000 to €485 billion in 2002 (Berber, 2003; Selignan, 2003).

The Minitel uses the kiosk mode of operation. According to this model, the provider of an online service delegates the billing and the collection to the telephone operator for a percentage of the amounts collected. After collection of the funds, the operator compensates the content providers. Collection of small amounts by a nonbank could be justified because banks could not propose a competing solution for consolidating, billing, and collecting small amounts from many subscribers. At the same time, the financial institutions benefit from having a unique interface to consolidate
individual transactions. However, because of the 30-day billing cycle, the telephone company was in effect granting an interest-free loan to its subscribers, a task that is usually associated with banks.
The role of a carrier as a payment intermediary has been carried over into many of the models for mobile commerce or commerce. One of the first examples was the i-mode® service from the Japanese mobile telephony operator NTT DoCoMo (Enoki, 1999; Matsunaga, 1999).
It is worth noting that originally communications were not encrypted but users did not mind giving their banking coordinates over the links. This shows that the sense of security is not merely a question of sophisticated technical means but that of a trust between the user and the operator. Let us now look closer at three business-to-consumer applications over the web. These are the site auction eBay®, Amazon, and Stamps.com™ or Neopost.

1.1.2.1 eBay

The auction site eBay illustrates a successful pure player that established a virtual marketplace. The site supplies a space for exhibiting merchandises that overcome the geographic dispersion of the potential buyers and the fragmentation of the supply. In this regard, eBay provides a space to exhibit merchandises and to negotiate selling conditions; in particular, it provides a platform
that links the participants in return of a commission on the selling price. The setup is characterized by the following properties:

  • Participants can join from anywhere they may be, and the site is open to all categories of merchandises or services. The market is thus fragmented geographically or according to the commercial offers.
  • Buyers have to subscribe and establish an account on eBay to obtain a login and define their password.
  • The operator depends on the evaluation of each participant by its correspondents to assign them a grade. The operators preserve the right to eliminate those that do not meet their obligations.
  • The operator does not intervene in the payment and does not keep records of the account information of the buyers.

These conditions have allowed eBay to be profitable, which is exceptional in consumer-oriented sites.

1.1.2.2 Amazon

Amazon started in 1995 as an online bookseller but also established a structure for consumers with the following components:

  • Electronic catalogues
  • Powerful search engines
  • Rapid processing of searches and orders
  • A capacity of real-time queries of inventories
  • Methods of correct and quick identification of buyers
  • Techniques for securing online payments
  • Logistics for tracking and delivery

This infrastructure required large investments. For more than 6 years, Amazon remained in the red and its first profitable quarter was the last trimester of 2001 for a total yearly loss of $567 million (Edgecliffe-Johnson, 2002). With this infrastructure in place, Amazon evolved into a portal for other retailers looking to outsource their web operations or sell their products through Amazon.com. Another business is Amazon Web Services, which is a complete set of infrastructure and application services in the cloud, from enterprise applications and big data projects to social games and mobile apps. In 2013, it had more than 2 million third-party sellers, many of them small businesses (Bridges, 2013).

1.1.2.3 Stamps.com and Neopost

Electronic stamping systems Stamps.com and Neopost allow the printing of postage stamps with a simple printer instead of postage meters, thereby avoiding going to the post office. They are addressed to individual consumers, home workers, and small enterprises to save them the hassle of going to post offices. A 2D barcode contains, in addition to the stamp, the destination address and a unique number that allows fir tracking the letter.
Stamps.com operates online and with the query of an authorization center each time a stamp is printed. It uses a 2D barcode for postage and additional information related to the shipment, such as the sender’s identity to assist in its tracking. It has established key relationships with the U.S. Postal Service, United Parcel Service (UPS), Federal Express (FedEx), Airborne Express, DHL, and other carriers. In contrast, Neopost is a semi-online system where stamping of envelopes continues without central intervention, as long as the total value of the stamps does not exceed the amount authorized by the authorization server. Neopost ranks number one in Europe and number two worldwide in mailroom equipment and logistics systems. Both systems faced significant operational difficulties. These operational difficulties arose from the tight specifications of postal authorities for the positioning of the impressions, which are, in turn, a consequence of the requirements of automatic mail sorters. There is also a need to adapt to users’ software and to all printer models. The total cost for the operator includes that of running a call center to assist users in debugging their problems. Finally, users must pay a surcharge of about 10% to the operator. From an economic point, the offer may not be attractive for all cases. However, the decision by the U.S. Postal Rate Commission in December 2000 to reduce the rate for Internet postage for some shipments (express mail, priority mail, first- class package service) was a significant victory.

1.1.3 Examples of Proximity Commerce

Proximity commerce or face-to-face commerce is using several methods to replace cash. Prepaid cards can be one of two types: closed-loop and open-loop cards. The first kind is used only at the card sponsor’s store or stores (the so-called gift cards), so the monetary value does not represent a legal tender. The second kind carries a network brand (e.g., Visa or MasterCard) and contains a record for a legal tender so that it can be used wherever the brand is accepted, including purchases, bill payments, and cash withdrawals (Coye Benson and Loftesness, 2010, pp. 72, 96–98).
Prepaid cards are used in many applications, such as transportation, mobile communication, and to play games. In Japan, it is used to play pachinko, a popular game of pinballs propelled with the objective of producing a winning combination of numbers.

In France, prepaid telephone cards have been widely used since the 1980s (Adams, 1998). Prepaid cards have been used in South Africa to pay for electricity in rural communities and remote areas (Anderson and Bezuidenhoudt, 1996). In the United States, prepaid card transactions are considered a special type of debit card transactions.
Mobile Point-of-Sale Terminals (MPOSTs) are suitable for small, low-ticket businesses, such as street vendors, and all other merchants that do not qualify for enrolment in bank card networks. Payments can be accepted from terminals with near-field communication technology (NFC) capabilities by attaching a dongle to an audio port or a docking port or a wireless card reader. Many solution providers enhance their packages with marketing features such as the analysis of the collected sales data and the management of commercial offers.

1.1.4 Examples of Person-to-Person

(Peer-to-Peer) Commerce The ubiquity of network connectivity is driving the growth of the economy of sharing and collaboration. The principle is to share excess and idle capacity on a very short-term basis. This is the principle of public bicycle systems, car rentals (Zipcar), taxi services (Uber), or holiday rentals (Airbnb).
Person-to-person lending—also known as marketplace lending—is built around the Internet or mobile networks. Its scope includes international transfer of worker remittances, student loans, hedge funds, wealth managers, pension funds, and university endowments.

The payment can be directly from a bank account or a payment card (credit or debit). The transfer is credited to the recipient’s bank or mobile account, and the recipient is notified of the deposit with the Short Message Service (SMS). For example, Square Cash users can open an account with their debit card and send money to a recipient using an e-mail address or a mobile phone number.

Venmo, which is now part of PayPal, allows groups to split bills easily. In general, handling small transfers between individuals is not a big or lucrative part of the financial system. Person-to-person transactions increased in importance, however, following the large banking fines and charges imposed on international banks for breaching U.S. sanctions, the highest being $8.9 billion onto BNP Paribas in 2014. Faced with the cost of meeting regulatory demands, many global banks have severed their links with correspondent institutions in several developing countries, particularly in Africa. This pullback has opened the way to new approaches to the transfer of workers’ remittances. For example, TransferWise, a UK company, operates in the following manner. The customer selects a recipient and a currency and the amount to be transferred.

The recipient receives the payment in the chosen currency withdrawn from the account of the initiator, piggybacking on another transfer going in the opposite direction. Thus, money is transferred without physically crossing borders so that the commission can be much lower than typical bank charges for international transfers.
Obviously, this is possible only if the monetary flows in both directions balance each other. If this is not the case, then a system of brokers will be needed. Other person-to-person lenders in the United Kingdom include Funding Circle, Zopa, and WorldRemit.

WebMoney is another global transfer service based in Moscow, Russia. It provides online financial services, person-to-person payment solutions, Internet-based trading platforms, merchant services, and online billing systems. In the United States, the main operators include Prosper and Lending Club and SoFi, the latter specializing in student loans.

In a sense, this is a modern form of hawala transactions, a traditional person-to-person money transfers based on an honor system, with trust built on family or regional connections. It is common in the Arab World, the Horn of Africa, and the Indian subcontinent. In a typical hawala transaction, a person approaches a broker with a sum of money to be transferred to a recipient in another city or country. Along with the money, he or she specifies some secret information that the recipient will have to reveal before the money is paid. Independently, the transfer initiator informs the recipient of that secret code. Next, the hawala broker contacts a correspondent in the recipient’s city with the transaction details including the agreed secret code. When the intended recipient approaches the broker’s agent and reveals the agreed password, the agent delivers the amount in the local currency minus a small commission. The settlement among brokers is handled by whatever means they have agreed to (goods, services, properties, cash, etc.). Thus, the transaction takes place entirely outside the banking system, and there is no legal enforceability of claims.

Some banks have responded with their own mobile applications that allow their customers to send money to another person using the recipient’s phone number, instead of specifying the routing of the recipient’s bank and an account number. Examples of these applications are Pingit from Barclays Bank, or Paym from the Payments Council, the industry group responsible for defining payment mechanisms in the United Kingdom.
In other cases, partnerships have been established among banks and peer-to-peer companies, such as Santander’s collaboration with Funding Circle or Union
Bank with Lending Club.

Peer-to-peer lending and online crowdfunding platforms are raising questions on how to adapt existing regulations to the new phenomena in terms of prudential requirements, protections in case of firm failures, disclosures, and dispute resolutions (Mariotto and Verdier, 2014).

1.2 Effects of the Internet and Mobile Networks

Originally, the Internet was an experimental network subsidized by public funds in the United States and by the large telecommunication companies for exchanges within collaborating communities. The community spirit was translated into an economy of free advice or software freely shared. The Free Software Foundation, for example, introduced a new type of software licensing, called General Public License, to prevent the takeover of free software by commercial parties and to further its diffusion, utilization, or modification. Even today, despite the domination of financial interests, many innovations on the Internet technologies depend to a large extent on volunteers who put their efforts at the disposal of everyone else.

The U.S. decision to privatize the backbone of the Internet from 1991 redirected the Internet to the market economy, in particular through the information highway project of the e Clinton-Gore Administration (Sherif, 1997). Furthermore, the invention of the World Wide Web, with its visual and user-friendly interface, stimulated the development of virtual storefronts. Similarly, the introduction of Extensible Markup Language (XML) and its specialized derivatives improved the ease with which business data are exchanged.
Nevertheless, the transformation of the county fair into a supermarket took more effort than originally anticipated. For one, the utilization of the Internet for economic exchanges clashed with the culture of availability of information free of charge. Other impediments relate to concerns regarding the security of information, because security on the public Internet is afterthought.

Finally, from an operational viewpoint, the integration of electronic commerce with the embedded payment systems required significant investments in time, equipment, and training.
The security of transactions in transit, as well as the associated stored data was and remains to be a challenge. Despite many efforts, fraud for online transactions remains higher than for offline transactions.
Periodically, the private data for millions of individuals stored by reputable banking institutions and online retailers are stolen. Some of the world’s largest corporations, major retailers, financial institutions, and payment processors along with the U.S. largest electronic stock market are periodically penetrated. Another plague that is poisoning the life of many users is unsolicited electronic advertisement (spam).

At the same time, there are legitimate concerns regarding the collection and the reuse of personal data from the web. The consolidation of information tying buyers and products, which allows the constitution of individualized portfolios corresponding to consumer profiles, could be a threat to the individual’s privacy.
In this regard, the non-localization of the participants in a commercial transaction introduces completely new aspects, such as the conflict of jurisdictions on the validity of contracts, the standing of electronic signatures, consumer protection, and the taxation of virtual products. Finally, new approaches are needed to address virtual products such as information, images, or software—products that pose major challenges to the concepts of intellectual property and copyrights.
As a social activity, the penetration of the Internet is also affected by the culture and social environment. Figure 1.1 depicts the percentage of individuals using

table 1-2 Protocols for Secure Electronic Commerce, Third Edition

FIGURE 1.1
Percentage of individuals using the Internet in Western Europe in 2014. (From the International Telecommunication Union—Telecommunication Development Sector, Percentage of individuals using the Internet (Excel), July 8, 2015, available at http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx, last accessed January 28, 2016.)

FIGURE 1.1 Percentage of individuals using the Internet in Western Europe in 2014. (From the International Telecommunication Union— Telecommunication Development Sector, Percentage of individuals using the Internet (Excel), July 8, 2015, available at http://www.itu.int/ en/ITU-D/Statistics/Pages/stat/default.aspx, last accessed January 28, 2016.)

the Internet in Western European countries as of 2014, available from the International Telecommunication Union (ITU). Figure 1.1 shows that there are two groups of countries: those where, in 2014, more than 85% of the population use the Internet and those where the percentage of individuals using the Internet lies between 60% and 85%. As can be seen from the data in Table 1.2 and illustrated in Figure 1.2 that the difference is persistent over the period of 2000–2014.
Due to Hall, these numbers can be explained by taking into account the classification of societies into lowcontext and high-context societies (Hall and Hall, 1990).

In high-context societies, interpersonal relations and oral networks have a much more important place than in the low-context societies of northern Europe where communication takes explicit and direct means, such as the written word. In contrast, high-context societies, those of central and southern Europe, are less receptive, particularly because the Internet has to compete with traditional social networks. In Figure 1.2, the dotted lines are reserved to countries with high-context cultures.

The situation is substantially different regarding mobile commerce. Table 1.3 reproduces the top 20 countries in terms of the number of mobile subscriptions per 100 inhabitants as recorded by the ITU for 2012. It is noted that 19 countries in the top 20 list are from the developing world. In many emerging economies, the financial infrastructure is not developed or widely distributed, which shows the importance of mobile commerce in meeting the needs for a banking system, particularly in rural areas.

In particular, there is a growing list of countries where more than 20% of adults have adopted some form of mobile money, as shown in Table 1.4 (Demirguc-Kunt and Klapper, 2012). As will be seen in Chapter 10, mobile phones can be used to emulate contactless cards used for transportation and access control. This explains why payment applications using mobile phones (mobile money) have been deployed in many developing countries to offer financial services to the unbanked, even though M-PESA in Kenya remains the lightning rod for mobile payment applications.

The World Bank, the Melinda and Bill Gates Foundation, and others have funded mobile programs, some of which are listed in Table 1.5 (International Telecommunication Union, 2013). In the developed world, many urban areas with high commuter traffic presents a great market potential for mobile payments with contactless chip cards at vending machines or parking kiosks.

Smartphones offer many additional features for mobile commerce. Although the term appeared in 1997 to describe mobile terminals with advanced computing capabilities, the term took hold in January 2007, when Steve Jobs, then Apple’s chief executive, brandished an iPhone front of a rapt audience. The launch of Apple Pay in 2014, which allows iPhone 6 users to pay for goods with a tap of their handset, has been a catalyst for the broader adoption of mobile payments in the United States. In January 2015, it was estimated that $2 of every $3 spent via contactless cards on the three largest U.S. card networks originated from Apple Pay (Mishkin and Fontanella-Khan, 2015).

figuer1-2 Protocols for Secure Electronic Commerce, Third Edition

TABLE 1.4 Protocols for Secure Electronic Commerce, Third Edition table1-3 Protocols for Secure Electronic Commerce, Third Edition

The seductive power of smartphones comes from their size, their computational power, their connectivity, and their openness to mobile applications (apps) that supplement the capabilities of the device. This has security implications as well. Unlike applications designed for laptop and desktop computers, which are produced by identifiable parties, there are millions of applications for smartphones and tablets that have been designed with minimal attention to security or data protection. Furthermore, these downloaded applications could have access to personal information on the mobile device, which makes them potential conduits for attacks. Furthermore, mobile devices have limited options for running protection software.

table 1-5 Protocols for Secure Electronic Commerce, Third Edition

connectivity, and their openness to mobile applications (apps) that supplement the capabilities of the device. This has security implications as well. Unlike applications designed for laptop and desktop computers, which are produced by identifiable parties, there are millions of applications for smartphones and tablets that have been designed with minimal attention to security or data protection. Furthermore, these downloaded applications could have access to personal information on the mobile device, which makes them potential conduits for attacks. Furthermore, mobile devices have limited options for running protection software.

1.3 Network Access

Network access for remote communication can be through either a wireline or a wireless infrastructure. The main properties of the access are the available bandwidth in bits per second (bits/s), the reliability in terms of downtime or time to repair, as well as the availability of resources to ensure access in case of increased load.

1.3.1 Wireline Access

The physical medium for wireline access can be copper cables, coaxial cables, and optical fibers. The bit rates depend on the access technology. Today, it is used to transmit the so-called triple play services (voice, data, high-definition television) to subscribers on the access side. Cable companies use the DOCSIS 3.0 technology to support rates up to 100 Mbit/s. Various flavors of digital subscriber line (DSL) achieve high bit rates on traditional copper lines.

table 1-6 Protocols for Secure Electronic Commerce, Third Edition

Vectored very high bit rate digital subscriber line (VDSL) or VDSL2 of ITU-T G.993.2 provide high transmission speeds on short loops at the 8, 12, 17, or 30 MHz bands, with bit rates up to 100 Mbit/s downstream and 40 Mbit/s upstream.

Gigabit passive optical networks (GPONs) carry all service types in addition to analog telephony. The GPON technology described in ITU-T G.984.X (X varies from 1 to 7) offers up to 2488 Mbit/s in the downstream direction and 1244 Mbit/s upstream. The traffic of any service type can be encrypted using Advanced Encryption Standard (AES). The deployment configuration depends on the reach of the optical fiber. A further development is the XGPON of the ITU-T G.987 series of recommendation, with the maximum bit rates of 10 Gbit/s downstream and 2.5 Gbit/s upstream.

The so-called G.FAST (ITU-T G.9701) technology maximizes the use of the copper link by transmitting in frequency bands (106 or 212 MHz) and exploiting cross-talk cancellation techniques (denoted as frequency division vectoring). In theory, the bit rates over a twisted copper pair can reach 1 Gbit/s in both directions, but for longer copper lines (66 m), the maximum total bit rate is around 900 Mbit/s: 700 Mbit/s downstream and 200 Mbit/s upstream. Table 1.6 summarizes the maximum transmission speeds of all these technologies.

1.3.2 Wireless Access

Several protocols are available for wireless access. With Groupe Spécial Mobile (GSM—Global System for Mobile Communication), the bit rate with SMS does not exceed 9.6 kbit/s. To reach 28 or 56 kbit/s (with a maximum bit rate of 114 kbit/s), General Packet Radio Service (GPRS) was used. Exchange Data rates for GSM Evolution (EDGE) increased the rate to 473.6 kbit/s.

Newer generations of technologies have increased the rates, as shown in Table 1.7. These technologies use innovative spectrum allocation and management techniques required to utilize the radio spectrum availability in an optimal fashion and to enhance the information carrying capacity of the radio channels.

table 1-7 Protocols for Secure Electronic Commerce, Third Edition

optimal fashion and to enhance the information carrying capacity of the radio channels. The Mobile WiMAX (IEEE 802.16e) mobile wireless broadband access (MWBA) standard (marketed as WiBro in South Korea) is sometimes branded as 4G and offers peak data rates of 128 Mbit/s downlink and 56 Mbit/s uplink over 20 MHz wide channels. The peak download is 128 Mbit/s, and the peak upload is 56 Mbit/s. Wireless local area networks can offer access points, in particular, WiFi (IEEE 802.11x), WiMax (802.16x), and Mob-Fi (IEEE 802.20) technologies. These operate respectively at the various frequencies and theoretical bit rates (maximum throughputs). Finally, to connect islands together, such as Indonesia, satellites are the only economical way to establish reliable communication (Bland, 2014).

1.4 Barcodes

Barcodes provide a simple and inexpensive way to encode textual information about items or objects in a form that machines can read, validate, retrieve, and process. The set of encoding rules is called barcode symbology. Barcodes can be read with smartphones equipped with a digital camera. A software client installed on the smartphone controls the digital camera to scan and interpret the coded information, allowing mobile users to connect to the web with a simple point and click of their phones, thereby making mobile surfing easier.

Linear barcodes consist of encoded numbers and letters (alphanumeric ASCII characters) as a sequence of parallel black and white lines of different widths. The specifications for 1D barcodes define the encoding of the message, the size of quiet zones before and after the barcode, and the start and stop patterns. One-dimensional codes have limited storage capacity and provide indices to backend databases. Most consumer products today are equipped with black-and-white stripes or Global Trade Item Number (GTIN). GTIN provides a faster and accurate way to track items as it progresses through the various distribution networks from producer to consumer so that the related information can be updated automatically.

GTIN is a linear or 1D barcode that follows a specific standard. The main standards are the Universal Product Code (UPC) or the European Article Number (EAN) (EAN is a superset of UPC). The UPC barcodes were defined by the Uniform Code Council (UCC) to track items at U.S. retail stores to speed up the checkout process and to keep track of inventory. The 12-digit UPC code comprises two 6-digit fields: the first reserved for a manufacturer identification number, while the second contains the item number. The whole UPC symbol adds to the UPC barcode its human-readable representation in the form of digits printed below the code. In a similar fashion, the EAN-13 barcodes are used worldwide to tag products sold at retail points with International Article Numbers as defined by the GS1 organization.

The United States Post Office, for example, uses several codes to track the mail:
• Postnet is used to encode zip codes and delivery points.
• Planet is used to track both inbound and outbound letter mail.
• The Intelligent Mail Barcode (IM barcode) is a 65 barcode to replace both Postnet and Planet.
• USPS GS1-128 (EAN-128) is used for special services such as delivery confirmation.

2D codes store more information than 1D codes, including links to websites without any manual
intervention.
The symbol elements in 2D barcodes consist of dark and light squares. The 2D specifications define the encoding of the message, the size of quiet zones before and after the barcode, the finder or position detection patterns, and error detection and/or correction of information. The finder pattern is used to detect and locate the 2D barcode symbol and to compute the characteristics of a symbol (e.g., size, location, orientation).

With error detection and correction, the original data can be retrieved when the symbol is partially damaged, provided that the finder pattern is not damaged.
There are two categories of 2D barcodes: stacked codes and matrix codes. Stacked codes consist of a series of rows one on top of the other, with each row represented as a 1D barcode. Data representation in matrix codes consists of a matrix of black and white squares or cells. Most stacked 2D barcodes require specialized laser scanning devices (raster scanners) capable of reading in two dimensions simultaneously.

Charge coupled device (CCD) imagers can read these codes, which is why camera phones can be used for the scanning and decoding of matrix codes. Matrix codes have larger storage capacity than stacked codes. Some of the 2D barcodes that can be read from mobile phones are presented next.

Data Matrix was developed in 1987 and standardized finally in 2006 as ISO/IEC 16022:2006. Its main characteristic is its small symbol size to fit on tiny drug packages. Figure 1.3a shows a Data Matrix symbol with its finder pattern on the perimeter: two solid L-shaped solid lines and two opposite broken lines. The finder pattern defines the physical size of the symbol, its orientation and distortion, and its cell structure. Furthermore, the level of error correction with the Reed–Solomon algorithm is automatically determined in accordance with the symbol size (Kato et al., 2010, pp. 60–66). The 2D Data Matrix barcode symbology has been adopted in specific standards to identify parts by the International Air Transport Association (IATA), the Automotive Industry Action Group (AIAG), the Electronics Industry Association (EIA), and the U.S. Department of Defense. PDF417 is a stacked code, developed in 1991 and standardized in 2006 as ISO/IEC 15438. PDF stands for Portable Data File while 417 signifies that a codeword consists of up to 17 units, each formed by a sequence of 4 bars and 4 spaces of varying widths. The code represents American Standard Code for Information Interchange (ASCII) characters only and, therefore, is used mainly in Europe and the United States. Figure 1.3b shows the structure of a printed PDF417 barcode symbol. It comprises 3 to 90 rows, each row consisting of piling up to 30 codewords on top of one another. A codeword represents 1 of 929 possible patterns from 1 of 3 different sets of symbols, patterns, or clusters used alternatively on every third row (Kato et al., 2010, pp. 32–35).

Error correction is based on the Reed–Solomon algorithm. The U.S. Department of Homeland Security has selected PDF417 for RealID-compliant driver licenses and state-issued identification cards. PDF417 and Data Matrix can be used to print postages accepted by the U.S. Postal Service. PDF417 is also used by FedEx on package labels and by the International Air Transport Association (IATA) for the bar-coded boarding pass (BCBP) standard for airline paper boarding passes.

Note that BCBP also restricts the barcodes that could be used on mobile phones for boarding passes to the Data Matrix, QR (Quick Response), and Aztec barcodes.
A derivative barcode, MicroPDF417, also adopted as ISO/IEC 24728:2006, is for applications where space is restricted.

MaxiCode was developed by UPS in 1992 for the highspeed sorting and tracking of units. It has a fixed size and a limited data capacity. One of its characteristic features is a circular finder pattern made up of three concentric rings. It was standardized in ISO/IEC 16023:2000. Figure 1.3c shows a MaxiCode symbol.
Quick Response (QR) Code was developed in Japan in 1994 by Denso Wave Incorporated to store Japanese ideograms (Kanji characters) in addition to other types of data such as ASCII characters, binary characters, and image data. Model 1 QR Code is the original version of the specification. An improved symbology with alignment patterns to protect against distortion, known as QR Code Model 2, has been approved as ISO/IEC 18004:2006. There are 40 symbol versions of the QR Code model (from 21 × 21 cells to 177 × 177 cells), each with a different size and data capacity (Kato et al., 2010, pp. 51–60, 226–230). Versions differ by the amount of data that can be stored and by the size of the 2D barcode.

The resolution of the camera phone puts a practical limit on the versions that mobile applications can use. As a result, only versions 1–10 are available in mobile applications so that the maximum data capacity corresponds to 57 × 57 cells (Kato and Tan, 2007).

As shown in Figure 1.3d, one visual characteristic of the QR Code is the finder pattern, which consists of three separate parts located at three corners of the symbol. During scanning, these pattern blocks are the first to be detected. Micro QR Code is a small-sized QR Code for applications where less space and data storage capacity are required. In this code, the finder pattern consists of a block located at one corner, as shown in Figure 1.3e.
The QR Code is used to represent a user’s Bitcoin address as discussed in Chapter 14. It can be used at a point-of-sale terminal to represent a payment request with a destination address, a payment amount, and a description so that a Bitcoin wallet application in a smartphone can prefill the information and display it in a human-readable format to the purchaser.

The Aztec Code is another 2D matrix symbology defined in ISO/IEC 24778:2008, as shown in Figure 1.3f. It was developed in 1995 to use less space than other matrix barcodes. Many transportation companies in Europe, such as Eurostar and Deutsche Bahn, use the Aztec barcode for tickets sold online. This is one of the matrix codes that BCBP standard defines for use on mobile phones together with Data Matrix and QR.

figure1-3 Protocols for Secure Electronic Commerce, Third Edition

TABLE 1.8 Protocols for Secure Electronic Commerce, Third Edition

A symbol is made of square modules on a square grid, with a square bull’s-eye pattern at their center. There are 36 predefined symbol sizes to choose from, and the user can also select from 19 levels of error correction (http://www.barcode-soft.com/aztec.aspx, last accessed January 14, 2016).

Table 1.8 presents a comparison of the major 2D barcodes (Gao et al., 2009; Grover et al., 2010; Kato et al., 2010). It should be noted that the exact data capacity depends on the structure of the data to be encoded.
Smart posters are equipped with 2D barcodes that can be read with a phone camera. The code represents the Uniform Resource Locator (URL) of a website that the mobile application can access for additional information without entering the URL manually. There are clear security implications to this capability because the URL can be that of a nefarious site that inserts malware or virus software. One simple check is to verify visually that the tag is printed with the poster and not inserted afterward.

The performance characteristics of mobile barcode scanners are evaluated by the following parameters (Von Reischach et al., 2010):
• Accuracy of the measurement, that is, its correctness. Accuracy is affected by the ambient light, reflections from the surface on which the barcode is displayed, error correction capabilities of the code, and so on.
• Reliability refers to the consistency of the measurement across repetitions. This parameter depends on the visual user interface and the ease of placement of the mobile phone in front of the code to be scanned.

• Speed, typically less than 5 seconds for user acceptance.
• The quality of the user interface. As of now, there is no standardized procedure to assess the performance of scanners. So even though new versions of scanners are being continuously released, the diversity of platforms and the large variety of cameras make it difficult to evaluate the suitability of the scanner/ device combination beforehand.

1.5 Smart Cards

The smart card (or integrated circuit card) is the culmination of a technological evolution starting with cards with barcodes and magnetic stripe cards. Smart cards or microprocessor cards contain within the thickness of their plastic (0.76 mm) a miniature computer (operating system, microprocessor, memories, and integrated circuits). These cards can carry out advanced methods of encryption to authenticate participants, to guarantee the integrity of data, and to ensure their confidentiality.

The first patents for integrated circuit cards were awarded in the 1970s in the United States, Japan, and France, but large-scale commercial development started in Japan in the 1970s and in France in 1980s. In most markets, microprocessor cards are gradually replacing magnetic stripe cards in electronic commerce (e-commerce) applications that require large capacity for storage, for the processing of information, and for security (Dreifus and Monk, 1998).

TABLE 1.9 Protocols for Secure Electronic Commerce, Third Edition

The figures for worldwide shipment of smart secure devices in 2014 are shown in Table 1.9.
Microprocessor cards were first applied in the 1980s for telephone payment cards and then in the Subscriber Identity Module (SIM) of GSM handsets. In the 1990s, they started to be used in health-care systems in Belgium, France, and Germany. The cards Sésame- Vitale in France, VersichertenKarte in Germany, and Hemacard in Belgium provide personalized interfaces to national informatics system for the acquisition and storage of health data of individual cardholders (McCrindle, 1990, pp. 143–146). In these cards, several applications may coexist within the same card but in isolation (sandboxing). Access to the card depends on a personal identification number (PIN), but communication with each application is controlled by a set of secret keys defined by the application providers.
Some specialty cards are related to client fidelity programs, as well as to physical access control (enterprises, hotels, etc.), or logical security (software, confidential data repositories, etc.). These cards are often associated with a display to show dynamic passwords. They can also be used in combination with one or more authentication techniques to provide multifactor authentication, including with biometrics. The use of smart cards for access control and identification started in the 1980s in many European universities (Martres and Sabatier, 1987, pp. 105–106; Lindley, 1997, pp. 36–37, 95–111).

Smart cards can be classified according to several criteria, for example:
• Usage in a closed or open system, that is, whether the monetary value is for a specific application or as a total and immediate legal tender. A transit card is used in a closed system, while credit and debit cards have a backend connection to the banking system.
• Duration of card usage, which distinguishes disposable cards from rechargeable cards.
• Intelligence of the card, which ranges from a simple memory to store information to wired logic and programmable microprocessor.
• Necessity for direct contact with the card reader to power up the card, which distinguishes contact cards from contactless. The technology of contactless integrated circuit cards is also known as radio-frequency identification (RFID).
• Characteristic application of the card, which differentiates monoapplication cards from multiapplication cards. If the card is integrated with a mobile phone, for example, multiple independent applications are expected to run for debit, credit, transportation access, or loyalty programs.

A contact smart card must be inserted into a smart card reader to establish electrical connections with goldplated
points on the surface of the card. In contrast, a contactless card requires only close proximity to a reader. Both the reader and the card are equipped with antennae and establish communication using radio frequencies. Contactless cards derive their power from this electromagnetic link through induction. The contactless chip and its antenna can be embedded in mobile devices such as smartphones. In general, the data transfer rate with contact cards is 9.6 kbit/s, whereas the rates for contactless cards can reach 106 kbit/s; but the actual rate depends on the applied clock. With the near-field communication (NFC) technology used with many mobile terminals, the bit rates are 106, 212, and 424 kbit/s. RFID cards are used for tracking and access control. For example, electronic passports (e‐passports) embedded with RFID chips (or contactless integrated circuit cards) operate at 13.56 MHz RFID and are based on the specifications of the International Civil Aviation Organization (ICAO). These comply with the ISO/IEC 14443 standards. Furthermore, ISO/IEC 7501-1:2008 defines the specifications of electronic passports including globally interoperable biometric data.

To improve the management of physical objects along the supply chain, an RFID tag containing a unique identifier is attached to objects during manufacturing. This tag would then be read at various intervals up to its point of sale. The major target benefits are a better control of inventories, faster material handling time, safer and more secure supply chains, and potential post-sale applications.

Some airport baggage handling systems use RFID tags to improve the accuracy and speed of automatic baggage routing. A growing number of new cars sold today contain an RFID-based vehicle immobilization system. It includes an RFID reader in the steering column and a tag in the ignition key. The computer in the car prevents the ignition from firing unless the reader detects the proper signal.
In general, RFID tags often complement barcodes with product codes as described in §§ 1.4 in supply chain management. Urban transportation systems with high commuter traffic constitute a large market for contactless payments. The value is preloaded value, and the deduction per ticket is recorded on the card itself. Table 1.10 lists other transportation systems that have already adopted contactless cards (Tan and Tan, 2009; Bank for International Settlements, 2012b, p. 31).
In transportation systems, a microchip is embedded inside the card to store the payment information in a secured microcontroller and internal memory. An antenna is integrated in the surface of the card and operates at the carrier frequency of 13.56 MHz. This antenna enables card readers to track the card within 10 cm of the gates as well as data transmission. The card reader at the gate (called the validator) transfers energy to the microchip in the card to establish communication. The data protocols must resolve contentions among several cards vying for access simultaneously.
Typically, a server at each station supervises all the gates and maintains various access control lists, such as blacklisted cards (for buses, the validation lists could be distributed to each bus of the fleet).
For security reasons, the amount is capped: it is £20 in the United Kingdom and €30 in continental Europe (Schäfer and Bradshaw, 2014). In the United States, a typical cap is $100 and the minimum is $5 (e.g., for the
ORCA card).

TABLE 1.10 Protocols for Secure Electronic Commerce, Third Edition

The size of the investment necessary for converting from paper tickets to electronic tickets is still a deterrent from small operators. Standardization of contactless smart cards and NFC, however, has progressed enough to allow benefits from economy of scale, particularly in the back-office systems. Furthermore, location-based services can generate additional revenues to transportation operators. The obvious drawback is that electronic tickets can be used to monitor movement, which would not be possible with conventional paper tickets.

1.6 Parties in Electronic Commerce

The exchanges in a simple transaction electronic commerce transaction cover at least four categories of information:
1. Documentation on the merchandise
2. Agreement on the terms and conditions of the sale
3. Payment instructions
4. Information on the shipment and delivery of the purchases
The documentation relates to the description of the goods and services offered for sale, the terms and conditions of their acquisition, the guarantees that each party has to offer, and so on. These details can be presented online or offline, in catalogs recorded on paper, or on electronic media.
The agreement between the client and the merchant can be implicit or explicit. It is translated into an order with the required object, the price, the expected date of delivery and acceptable delays, and the means and conditions for payment.

The payment method varies according to the amount in question, the distance or proximity of the merchant and the client, and the available instruments.
Regardless of the method used, payment instructions have a different path than that for the exchange of exchange of monetary value through specific interbanking networks.
Finally, the means of delivery depends on the nature of the purchased and the terms of the sale; it can precede, follow, or accompany the payment. The delivery of electronic or digital objects such as files, images, or software can be achieved online. In contrast, the processing, delivery, and guarantees on physical goods or services require a detailed knowledge of insurance procedures and, in international trade, of customs regulations.

FIGURE 1.4 Protocols for Secure Electronic Commerce, Third Edition

Figure 1.4 illustrates the various exchanges that come into play in the acquisition of a physical good and its delivery to the purchaser.
Partial or complete dematerialization of the steps in commercial transactions introduces additional security
concerns. These requirements relate to the authentication of parties in the transaction and guarantees for the integrity and confidentiality of the exchanges and the proofs in case of disagreements. These functions are generally carried by intermediaries that handle the heterogeneity of interfaces to other parties.
We now discuss the main parties involved in electronic commerce.

1.6.1 Banks

To respond to the growth of electronic commerce and online operation, banks have been upgrading their infrastructure to accommodate new access methods and to improve security. In doing so, most banks have had to manage several generations of hardware and software, particularly when their expansion has been through acquisitions. Generally speaking, the banking IT infrastructure continues to include subsystems that are no longer manufactured, and it is estimated that global banks spend about 70%–87% of their IT expenditure on maintenance and not on new systems (Arnold and Ahmed, 2014). Interconnecting elements or middleware may mask this heterogeneity at the cost of complexity and inefficiency. In the meantime, start-ups unencumbered by legacy systems are free to explore new ways and experiment with innovative idea, putting pressure on traditional organizations.
Online access has increased the traffic intensity to the banks’ back office. For example, people check their accounts more regularly from tablets and smartphones, which could strain systems designed for less frequent requests. Outages (such as a shutdown of the Royal Bank of Scotland in 2012) could prevent millions of customers from accessing their accounts for extended periods, denting the banks’ reputations (Arnold and Ahmed, 2014). Also, the role of banks may be radically changed if the use of cryptocurrencies such as Bitcoin, becomes commonplace.
In response, some established banks have started offering cloud storage services to corporate clients. Others have partnered with technology companies to improve their service and/or to get market leads in return for promotional work.

1.6.2 Payment Intermediaries

Payment intermediaries convert purchase requests into financial instructions to banks and card schemes. They provide several functions such as payment aggregation, gateway functionalities, and payment processing. Some also intervene to manage the security of the payment infrastructure.

New intermediaries such as PayPal are at the same time partners or competitors of banks in accessing the end users. In the case of cryptocurrencies (such as Bitcoin), the intermediaries create the currencies and update the common financial ledger with the transactions in a process described in Chapter 14.
Another role they could play is that of matching buyers of bitcoins with sellers using central bank currencies as a payment instrument and/or holding funds in bitcoins.
The main functions that intermediaries play are aggregation, gateway operation, payment processing, and certification.

1.6.2.1 Aggregators

Aggregators are companies that specialize in the collection, integration, synthesis, and online presentation of consumer data obtained from several sources. The goal is to save end customers the headache of managing multiple passwords of all the websites that have their financial accounts by replacing them with a single password to a site from which they can recover all their statements at once: bank statement, fidelity programs, investment accounts, money market accounts, mortgage accounts, and so on. Ultimately, these aggregators may be able to perform some banking functions.

1.6.2.2 Gateways

Payment gateway service providers enable merchant websites to interact with numerous acquiring or issuing banks and accept a variety of card schemes, including versatile cards, and electronic wallets. This alleviates the burden on the merchant of incorporating multiple payment methods into their website and streamlining payment operations. Some payment gateways also help merchants identify risk factors to address customer queries about rejected payments.

1.6.2.3 Payment Processors

Processors are usually sponsored by a bank, which retains the financial responsibility. Front-end processors handle the information for the merchant by verifying the card details, authenticating the cardholder, and requesting authorization for the transaction from the issuing banks and/or the card associations. A payment processor relays the issuer bank’s decision back to the merchant. At the end of each day, payment processors initiate the settlements among the banks. Payment processors may also act as a notary by recording of exchanges to ensure non repudiation and, as a trusted third party, the formation and distribution of revocation lists.

1.6.2.4 Certification Authorities and Trusted Service Managers

These intermediairies are part of the security infrastructure of online payments. They include the certification of merchants and clients, the production and escrow of keys, fabrication and issuance of smart cards, and constitution and management of electronic and virtual purses. These functions could lead to new legal roles, such as electronic notaries, trusted third parties, and certification authorities (Lorentz, 1998), whose exact responsibilities remain to be defined.
Trusted Service Managers (TSMs) are third parties that distribute the secure information (cryptographic keys and certificates) for services and manage the life cycle of a payment application, particularly in mobile applications. The operations they manage include secure downloading of the applications to mobile phones; personalization, locking, unlocking, and deleting applications according to requests from a user or a service provider; and so on. Depending on the operational model, they may also be used to authenticate the transaction parties and authorize the payment.

1.6.3 Providers and Manufacturers

The efficiency and security of electronic transactions may require specialized hardware. For example, with cryptocurrencies, application-specific integrated circuits (ASICs) have been designed to speed up the computations. NFC-enabled terminals, such as mobile phones or tablets, play a role in the security arrangements as discussed in Chapter 10.
Smart card readers must resist physical intrusions and include security modules. These card readers can be with contacts or contactless using a variety of technologies.
Specialized software, such as shopping card software at merchant sites, provides capabilities to administer merchant sites and to manage payments and their security as well as the interfaces to payment gateways.
Additional capabilities include the management of shipment such as real-time shipping calculations and shipment tracking. Additional function includes management of discounts in the form of coupons, gift certificates, membership discounts, and reward points. The software may also be managed through third parties (i.e., as through cloud services). Other specialized functions may be needed in backoffice operations. Back-office processing relates to accounting, inventory management, client relations, supplier management, logistical support, analysis of customers’ profiles, marketing, as well as the relations with government entities such as online submission of tax reports. Data storage and protection, both online and offline, is an important aspect of that overall performance
of electronic commerce systems.

1.7 Security

The maintenance of secure digital commerce channels is a complex enterprise. The pressures for speed and to cut cost are driving reliance on third parties that may compromise security. In addition, new fraudulent techniques
relay on deception through phone calls or e-mail to uncover confidential information (phishing or social engineering).
We discuss here three aspects of security from a user’s point of view: individual loss of control of their own data, loss of confidentiality, and service disruption.

1.7.1 Loss of Control

Loss of control is the result of usurping the identity of authorized users or subverting the authentication systems
used for access control. As will be presented i  Chapter 8, it is relatively easy to clone payment cards with magnetic stripes, and when the merchant neither has access to the physical card nor can authenticate the cardholder, such as for Internet payments, transactions with magnetic stripe cards are not easily protected.
Some websites, such as fakeplastic.net, offered one-stop shopping to counterfeiters, with embossed counterfeit payment cards fetching as much as $15. On these sites, customers can browse through holographic overlays that can be used to make fake driver’s licenses for many U.S. states. They could also select the design and look of payment cards using templates bearing the logos of major credit card companies. The cards would be then embossed with stolen payment card numbers and related information gleaned from the magnetic stripe on the back of legitimate payment cards. Purchases could be made using bitcoins for partial anonymity or U.S. dollars (Zambito, 2014).
Furthermore, mobile devices travel with people so their movements can be tracked, including what websites they consult, or correspondence by phone, e-mail, or various text messaging applications. With new applications, financial information or health information can be tracked, which may be used for industrial espionage or market manipulation. At a minimum, the knowledge can be shared and aggregated and sold without proper disclosure.
Finally, intermediaries in electronic commerce have access to a large amount of data on shopkeepers and their customers. For example, they can track sales and customer retention data and provide shopkeepers the means to compare their performances to anonymized list of their rivals. Small- and medium-size enterprises typically outsource the management of these data, which means that they do not control them.

1.7.2 Loss of Confidentiality

Electronic commerce provides many opportunities to profit from malfeasance. Stealing and selling credit card data and clearing out bank accounts have come easier with the spread of electronic and mobile commerce schemes. This often happens after breaking into a company’s computer systems.
Malware can be installed on the victims’ terminals by enticing them to click on links or to download files through carefully crafted e-mails, often based on very specialized knowledge on individuals and companies.
In business environment, the malware can be used to search for trading accounts on all the machines in a network and then to issue automatic trading instructions, if the account is taken over.
The data gathered, on executives, for example, can be used for market manipulations such as shorting stocks before attacking listed companies, buying commodity futures before taking down the website of a large company, or using confidential information on products, mergers, and acquisitions before playing the markets.

1.7.3 Loss of Service

Service disruption can be used to prevent the digital commerce transactions by attacks on the servers used by any of the participants or the networking infrastructure, for example, taking down the website of a large company.

1.8 Summary

Electronic commerce covers a wide gamut of exchanges with many parties, whether it is monetary or nonmonetary exchanges. Its foundations are simultaneously commercial, socioeconomic, industrial, and civilizational.
The initial applications of e-commerce in the 1980s were stimulated by the desire of the economic agents, such as banks and merchants, to reduce the cost of data processing.
With the Internet and mobile networks in place, electronic commerce targets a wider audience. Online inventories expand the possible audience of any given shopkeeper. Parts of the Internet economy are nonmonetary in the form of open source or free software. Also, some of the value of electronic commerce comes from the value of learning by searching.

By increasing the speed and the quantity as well as the quality of business exchanges, e-commerce rearranges the internal organizations of enterprises and modifies the configurations of the various players. Innovative ways of operation eventually emerge with new intermediaries, suppliers, or marketplaces.
Security was added as afterthought to the Internet Protocols; transactions on the Internet are inherently
not safe, which poses the problem of protection of the associated private information. The commercialization of cryptography, which until the 1990s was strictly for military applications, offers a partial remedy but it cannot overcome insecure system designs.
Electronic and mobile commerce require a reliable and available telecommunication infrastructure.
Mobile commerce, as a green field technology, took hold much faster because it is cheaper to deploy mobile networks, and the rapid succession of cellular or wireless technologies improved the performance substantially.

Questions

1. Comment on the following definitions of e-commerce adapted from the September 1999 issue of the IEEE
Communications Magazine:
• It is the trade of goods and services in which the final order is placed over the Internet (John C. McCarthy).
• It is the sharing and maintaining of business information and conduction of business transactions by means of a telecommunication network (Vladimir Zwass).
• It consists of web-based applications that enable online transactions with business partners, customers, and distribution channels (Sephen Cho).
2. What are the goods sold in digital commerce (electronic or mobile)?
3. Name the 2D barcodes used for (a) Bitcoin addresses, (b) train tickets on Eurostar, (c) UPS, (4) a paper boarding pass on an airline, (e) EIA, (f) U.S. DoD, and (g) U.S. IDs.
4. Compare the roles of barcode technology with RFID technology in supply chain management.
5. What are the specific security challenges for mobile commerce compared to electronic commerce from laptop or desktop devices?
6. Discuss the role of standards in electronic commerce. Consider standards at the terminals, networks, and applications. Provide advantages and disadvantages of standards.
7. Compare at least three characteristics of business-to-business commerce with business-to-consumer commerce.
8. Describe the kiosk business model.
9. What are the main benefits and main costs related to business-to-business e-commerce?
10. List two anticompetitive issues that may arise in electronic procurement.
11. What are the three aspects of security from a user’s viewpoint?

Privacy Alert!

Your data is exposed to the websites you visit!

Your IP Address:

Your Location:

Your Internet Provider:

The information above can be used to track you, target you for ads, and monitor what you do online.

VPNs can help you hide this information from websites so that you are protected at all times. We recommend ExpressVPN — the #1 VPN out of over 350 providers we've tested. It has military-grade encryption and privacy features that will ensure your digital security, plus — it's currently offering 48% off.

Visit ExpressVPN

We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

About the Author

Ditsa Keren is a cybersecurity expert with a keen interest in technology and digital privacy.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address