Web access and the increasing availability of high-speed broadband has expanded the potential market and reach for Australian organisations and businesses.
The web’s mix of ubiquity, low cost and ease of use has transformed operational models, so few businesses now avoid interacting with customers, suppliers or staff via the web.
But as the use of the web has expanded so has the activity of fraudsters and online thieves.
Attracted to the web and e-commerce channels by the sheer volume of transactions and the wide variance in security, fraudsters and online thieves now reach well beyond the traditional financial services targets.
Now all organisations, whether in B2B or B2C industries, need to have a proactive plan in place to protect their business – both internally (staff and suppliers) and externally (customers).
Savvy security resellers will be able to identify both the internal and external security requirements by better understanding the customer’s business, and identifying points of weakness on both sides of the organisational wall.
People, process or technology
Typically, points of weakness can be categorised in three main areas – people, process or technology. Most security resellers are well versed in technology and process, so our discussion will focus more on the area most difficult for a business to control – people.
No matter how strong a security infrastructure is, staff, suppliers, customers, distributors and vendors can be the weakest link that allows the siphoning of data and resources.
Identifying exactly who is remotely accessing the network or application is a vital element of any online security strategy, and many organisations are adopting strong authentication of identity for this reason.
The term ‘strong user authentication’ describes any authentication process that increases the likelihood that a user’s identity is verified correctly.
There are three ways to authenticate the identity of a user:
• The user presents something they know, such as a password – an approach known as a Knowledge factor.
• The user presents something they have in their possession, such as a device or a card – an approach known as a Possession factor.
• The user presents a personal physical attribute, such as a fingerprint or a retinal scan – an approach known as a Being factor.
Strong user authentication (or two-factor authentication) is achieved by combining two distinct factors from the list above.
Something you know
Passwords are the most common method of using confidential knowledge to authenticate users. Easy to administer and convenient for most users, passwords are also the least expensive method of user authentication.
Unfortunately, passwords have some drawbacks. Often, user-selected passwords are very short and simple, which makes them easy to guess.
This problem is usually solved by implementing password rules that may require a certain password length or include capital letters or numbers, and may even force users to change passwords on a regular basis.
Unfortunately, these rules make passwords even harder to remember, which leads some users to write them down and compromise the original goal of security.
Some simple facts bear this out (see if you identify with any on this list):
• 12 percent of users use ‘password’ as the password;
• 35 percent of people use a piece of personal information as their password;
• 30 percent of users write down their passwords and hide them around their desk.
Even with password rules in place, passwords can still be shared between users who want more convenience, which can make the system more vulnerable.
In addition, passwords can be stolen by monitoring keyboard keystrokes or network traffic, by tricking individuals into revealing their passwords, or by guessing them with brute force methods such as dictionary attacks.
Knowledge factors such as password authentication are viewed as a weak form of user authentication because of the problems discussed above.
However, knowledge factors are still valuable in high-security applications when combined with other factors such as possession factors.
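The password rules the article describes (minimum length, mixed character classes, no dictionary words, no personal information) can be checked mechanically at the point a password is chosen. The following is an added example written for this page, not code from the article or from any vendor it mentions. It assumes a constructed stand-in for a real common-password list, a hypothetical `personal_info` parameter the application would populate from the user’s profile, and a simple keyspace estimate as the brute-force measure; it also undoes the common substitutions users make (such as ‘P@ssw0rd’) so that a dictionary word dressed up to satisfy the rules is still caught.

```python
import math
import re

MIN_LENGTH = 12
MIN_SEARCH_SPACE_BITS = 50

# Constructed stand-in for a real common-password or dictionary list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "football"}

# Substitutions users make to satisfy "include a number or symbol" rules.
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def search_space_bits(password: str) -> float:
    """Rough log2 of the keyspace a brute-force guesser must cover, from the character classes used."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33   # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalise(password: str) -> str:
    """Undo leet substitutions and strip non-letters, so 'P@ssw0rd2008!' is compared as 'passwordoo'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_TABLE))


def check_password(password: str, personal_info=()) -> list:
    """Return the policy problems found; an empty list means the password is acceptable.

    personal_info is a hypothetical iterable of profile values (names, birth years)
    that the application would supply (assumption).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    letters = normalise(password)
    # Exact match on the raw value catches '123456'; substring match on the
    # normalised letters catches 'P@ssw0rd2008!'.
    if lowered in COMMON_PASSWORDS or any(w in letters for w in COMMON_PASSWORDS if w.isalpha()):
        problems.append("based on a common password")
    for item in personal_info:
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    if search_space_bits(password) < MIN_SEARCH_SPACE_BITS:
        problems.append("search space too small to resist brute force")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd2008!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

The normalisation step is the part most policies omit: a length and character-class rule alone accepts ‘P@ssw0rd2008!’, which is exactly the kind of predictable value a dictionary attack tries first.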
Something you have
A stronger way to authenticate users is to provide them with authentication devices or tokens that contain a digital code that acts like a key.
An example of an authentication device found in everyday use is a remote key for locking and unlocking vehicle doors. Authentication devices that are used to access computer networks include:
• Devices or tokens, which are available as both hardware and software. These generate a different code every 36 seconds. The one-time password is protected with a personalised PIN code and is synchronised with the log-in server. Because the code changes every minute, it is impossible for a hacker to record the code and use it later to log in to the system.
• Smart cards, which are similar in size to a standard credit card. These tokens are inserted into a card reader as part of the authentication process. They often contain a digital certificate and are usually presented in combination with a password or Personal Identification Number (PIN).
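The token scheme described above (a time-synchronised one-time code protected by a personal PIN) is, in server-side terms, a check of the knowledge factor followed by a check of the possession factor. The following is an added example written for this page, not code from the article or from any token vendor. It assumes the HMAC-based construction of HOTP/TOTP (RFC 4226/6238), a 60-second window to match the article’s ‘changes every minute’, a constructed shared secret and PIN, and a one-window tolerance for clock drift; the replay check is what makes a recorded code useless after it has been accepted once.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not real secrets).
TOKEN_SECRET = b"constructed-demo-shared-secret"   # provisioned into the token and the log-in server
PIN_SALT = b"constructed-salt"
USER_PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4321", PIN_SALT, 100_000)

CODE_PERIOD_SECONDS = 60   # the article's "changes every minute"
CODE_DIGITS = 6
DRIFT_STEPS = 1            # accept the neighbouring window either side to absorb clock drift


def code_for_counter(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 dynamic truncation as in HOTP (RFC 4226); the counter is the time window (TOTP, RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def token_code(secret: bytes, unix_time: int) -> str:
    """The code the token displays at unix_time."""
    return code_for_counter(secret, unix_time // CODE_PERIOD_SECONDS)


class TwoFactorVerifier:
    """Server side: checks the PIN (something you know) and then the one-time code (something you have)."""

    def __init__(self, secret: bytes, pin_hash: bytes):
        self.secret = secret
        self.pin_hash = pin_hash
        self.last_used_counter = -1   # highest window already consumed, for replay rejection

    def verify(self, pin: str, code: str, now: int) -> bool:
        # Knowledge factor: constant-time comparison of the salted PIN hash.
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
        if not hmac.compare_digest(candidate, self.pin_hash):
            return False
        # Reject malformed codes before comparing (compare_digest needs ASCII strings).
        if not (code.isascii() and code.isdigit() and len(code) == CODE_DIGITS):
            return False
        # Possession factor: the code must belong to the current window or a neighbour,
        # and no window at or before the last accepted one may be used again.
        base = now // CODE_PERIOD_SECONDS
        for counter in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            if counter <= self.last_used_counter:
                continue   # replayed or stale code
            if hmac.compare_digest(code_for_counter(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = 1_700_000_000   # constructed timestamp
    verifier = TwoFactorVerifier(TOKEN_SECRET, USER_PIN_HASH)
    code = token_code(TOKEN_SECRET, now)
    print("first use:", verifier.verify("4321", code, now))        # True
    print("replay   :", verifier.verify("4321", code, now + 5))    # False
```

Two design points matter in practice: the PIN is checked first and a failure there never touches the one-time code, so the server does not leak which factor was wrong, and `last_used_counter` is stored per user so a code captured by a keystroke logger cannot be presented a second time within its window.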
Something you are
In the future, biometrics (something you are) might be added to two-factor authentication, thus creating three-factor authentication.
But from a consumer perspective, online security is still a concern:
• 60 percent of Australian consumers are very or extremely concerned about other people obtaining their credit card/debit cards details;
• 36 percent are very or extremely concerned about the security of shopping and banking online;
• 59 percent are very or extremely concerned about unauthorised access to or misuse of their personal information.
Most telling is that each user on average has 6.5 passwords, re-using each one on 3.9 different sites and typing an average of eight passwords per day. No wonder consumers choose simple passwords or write them down.
This raises the eternal trade-off. How can you as a security reseller help your clients secure data and resources for e-commerce while providing a satisfactory and simple experience for customers and an acceptable ROI?
The answer lies partly in identifying e-commerce situations where security (particularly strong authentication combining something you know and something you have) is a key component of the perceived customer value, or where business revenue and profitability are enhanced by restricting access to authorised users only.
Once opportunities are identified, look for authentication technology with a straightforward implementation and a long lifespan, to reduce business, customer and operational risk and improve return on investment.
Identify the opportunity
Opportunities abound in both B2B and B2C sectors. B2B opportunities are more likely to involve the restriction of access to data and corporate resources typically through portals or extranets.
Examples include automotive dealer extranets. As part of disseminating marque-specific technical information such as detailed service manuals to authorised dealers, automotive organisations have established dealer extranets.
Dealers sign in using an ID and simple password that is easily ‘borrowed’. With the high value associated with the extranet information (essentially a dealer agreement deliverable), protecting these corporate assets with strong authentication is totally appropriate.
Sensitive commercial information
Other B2B organisations with business models that blend large staff numbers with resellers, alliance partners and other channel members provide sensitive commercial information such as price lists via online portals.
The sensitivity of this information demands authentication to control access.
Government departments are a good real-life example of this kind of business model.
Sensitive and private information is held on numerous databases within the department head office. Normal activities in the department offices dotted around the country require daily access to these head office databases.
The risk is obvious. Two-factor authentication ensures only those with access privileges can interact with departmental resources and view private information. A similar example lies in the health sector.
Hospitals hold mountains of data on millions of Australians, much of which is personal and private. Privacy legislation has seen onsite access at the hospital tightly managed, but what of remote access channels? Associated external organisations and personnel need to access private information as part of providing their services to patients.
Strong authentication protects patient identity and records from unauthorised access.
Enhancing and reassuring
The B2C sector can provide even more variety and innovative opportunities for strong authentication.
The combination of lingering security concerns and the daily hassle of typing eight passwords provides a rich market for resellers to address.
Many authentication opportunities are revenue enhancing in addition to reassuring customers.
Take publishing and media firms for example. The high cost of printing has seen traditional publications launch online versions for greater reach with minimal additional cost.
Publishing start-ups employing online-only publications are increasingly common.
If the key asset of these publications (the content) is protected only by simple passwords, subscribers can ‘share’ access with others – effectively reducing the market potential for the publisher. Strong authentication thwarts ID sharing and creates a secure online area for subscribers.
Protect their online world
In education situations, particularly in large campuses such as universities, two-factor authentication ensures resources are only accessed by authorised students.
Student ‘credits’ that act as online currency for user-pays resources are also protected. Authentication provides better management of resources and users.
Seeking technology
Authentication technology available in Australia is hardware-, software- or message-based.
Each has its own pros and cons and may be more applicable to certain situations than others.
When evaluating which technology is most appropriate, it may be useful to consider the elements listed below.
Summary
To be successful, resellers need to take a holistic view of each client’s business, including a special focus on each point of external and internal access.
Helping the client to understand the revenue, risk mitigation and potential that strong authentication can deliver will open the door to opportunities.
Customers are concerned about security, so resellers who have done their homework can ease consumer concerns, boost client business and experience great success in e-commerce.
How to succeed in e-commerce
By Staff Writers on Dec 17, 2008 11:05AM