Tomorrow's Winners: E-Commerce Security & IP Management

June 14, 2004
E-Commerce Becomes Mainstream Amidst Security Concerns

Springboarding in 1995, e-commerce's fervent escalation can be seen in the number of its users and the amounts of money they spend. Compared to overall retail spending, though, e-commerce is still nary a blip on the radar screen. But as one pundit proffered, there's plenty of room to grow.

However, the gap between potential growth and actual growth may widen as more consumers turn to mobile devices and it gets harder to ensure a person's true identity. After all, from its outset, commerce has always rested on a foundation of trust. Anything getting in the way of that trust may act as a constraint, or worse, as a "showstopper." To be sure, Internet security remains a diverse and multifaceted issue. The attacks of distributed denial of service (DDOS) that seemed to plague the Internet around the turn of the millennium have become more pointed and, thus, less sensational.

"Phishing" is the threat du jour. This current tactic involves e-mail blasts, sent to unsuspecting recipients, that carry legitimate-looking links purporting to lead to well-known Web sites such as eBay. The e-mail indicates a need to verify key information, and the link takes the recipient to a bogus Web site that looks remarkably like the genuine one. Of course, there's a set of fields to be filled in with name, Social Security number, credit-card number, and other valuable personal information.

Some of the more professional-looking phishing expeditions even fool the experts. So in addition to ID theft and credit-card fraud, phishing can add a substantial fear element to the trust proposition that's critical to commerce. In response, a consortium of big e-commerce sites was formed to tackle this problem head on. According to David Jevans, chairman of the Anti-Phishing Working Group, these attacks are undermining trust in the entire e-commerce system.

This newest scam, with 250 widespread attacks reported in 2003, contributed to the Federal Trade Commission's record of nearly 220,000 ID theft incidents that year, a growth of about a third compared to 2002. But these incidents may look like the tip of the iceberg as efforts to connect mobile users to the Net continue apace. Many more cell phones are out there versus PCs on desks, and the opportunity for a much larger consumer base to more conveniently do business is likewise an opportunity for unprecedented levels of fraud.

The operational term here is "non-repudiation." It simply means a transaction can't be repudiated. When a consumer steps up to a checkout stand, hands over a credit card and photo ID, and makes a purchase (so long as the consumer's face matches the one on the photo ID and the name on the ID matches the credit-card name), this constitutes a transaction with high non-repudiation. In contrast, when a customer calls and places a credit-card order over the phone, providing the card number, the special three-digit credit-card verification (CCV) code on the back, and ZIP code information, this transaction is seen as riskier than the first. Consequently, the transaction cost is usually higher to mitigate that risk.

One mobile e-commerce advantage is that each cell phone features a unique identifier, binding it to an account. Therefore, means are already at hand to automatically link the cell phone used to make a purchase to a person's cell-phone account. Unfortunately, nothing right now authenticates who is actually using the phone.

To fill that void, we turn to authentication strategies that can be summed up as something you know (e.g., a PIN code), something you have (e.g., an encryption/decryption "key"), and something you are (e.g., biometrics). By far, PIN codes are the most prevalent. They also are the least secure. Public and private key initiatives have all been hamstrung by issues surrounding who administers them and where they are administered. Biometrics, considered the most secure, have also been the most costly to implement. So for now, we're stuck with PINs because they're easy to implement and use.

But biometric research and development hasn't stood by idling. Fingerprint and iris patterns are unique to individuals. Both can be used for authentication (e.g., matching the current fingerprint with your stored "digital" print) and identification (e.g., matching an unknown fingerprint against a large set of known fingerprints). E-commerce needs authentication, not identification. It doesn't need to compare the fingerprint or iris scan to a large database of known patterns. It must compare to one known pattern and decide whether there's a match. Less resolution, then, is needed to keep the rates of false negatives and false positives low. Consequently, a highly reliable authentication scheme can be implemented in a smaller size and at lower cost than an identification scheme.
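To put the 1:1 versus 1:N distinction in numbers, here is an added illustration that is not part of the article: it models each template comparison as an independent trial with a given false-accept rate and shows how the accept rate of an identification search grows with gallery size, and how much tighter the per-comparison rate must be to compensate. The rates and gallery sizes are constructed, and independence between comparisons is an assumption.

```python
"""Why 1:1 verification tolerates a looser matcher than 1:N identification.

Assumption: comparing a probe against one enrolled template falsely accepts
an impostor with probability far_1to1, independently for every template.
Real matchers are correlated, so treat the numbers as a sketch, not a vendor
figure. The rates and gallery sizes below are constructed for illustration.
"""


def _check(rate: float, gallery_size: int) -> None:
    if not 0.0 <= rate <= 1.0:
        raise ValueError("a rate must lie in [0, 1]")
    if gallery_size < 1:
        raise ValueError("a gallery must hold at least one template")


def verification_false_accept(far_1to1: float) -> float:
    """1:1 (e-commerce) case: one stored template, one comparison."""
    _check(far_1to1, 1)
    return far_1to1


def identification_false_accept(far_1to1: float, gallery_size: int) -> float:
    """1:N case: an impostor is accepted if ANY of the N templates matches."""
    _check(far_1to1, gallery_size)
    return 1.0 - (1.0 - far_1to1) ** gallery_size


def required_1to1_far(target_far: float, gallery_size: int) -> float:
    """Per-comparison FAR a 1:N search needs to hit an overall target FAR."""
    _check(target_far, gallery_size)
    return 1.0 - (1.0 - target_far) ** (1.0 / gallery_size)


if __name__ == "__main__":
    far = 1e-4  # constructed per-comparison false-accept rate
    print(f"1:1 verification false accept: {verification_false_accept(far):.2e}")
    for n in (1_000, 100_000, 10_000_000):
        print(f"1:N identification, N={n:>10,}: "
              f"overall FAR {identification_false_accept(far, n):.3f}; "
              f"per-comparison FAR needed for 1e-4 overall: "
              f"{required_1to1_far(1e-4, n):.2e}")
```

With a per-comparison rate of 1e-4, a 1,000-template search already falsely accepts about 9.5% of impostors, which is why an identification matcher needs far more discriminating power (and hence resolution) than a single-template check.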

That said, emerging technologies now make it easier and less costly to implement biometrics in handheld devices. Fingerprint recognition can be incorporated in touchpad controllers, such as those found on laptop computers and jukebox MP3 players. Using optical sensing, pattern recognition, and data-compression technologies, one can create a highly reliable authentication scheme for cell phones and PDAs. Similarly, using built-in digital cameras, pattern recognition, and data compression, handheld devices can also perform iris scanning.

MPC Computers (formerly Micron PC) just introduced its TransPort X3000 laptop computer with built-in fingerprint scanning. Aimed at the government market, the scanner protects access to the system and its data. But similar devices could just as easily be used in other handheld devices to perform authentication for e-commerce purposes. Interestingly, the TransPort X3000 uses a sweeping rather than static scanner, which MPC claims offers more pattern data area to work with. The other advantage over a static scanner is smaller sensor size. For that reason, this technology will likely make its way into cell phones and PDAs.

Cell-phone manufacturers also are using fingerprint scanning. Last year, Casio in collaboration with Aps Electric demonstrated a cell-phone prototype using a sweeping fingerprint scanner (Fig. 1). Built as a "roller" measuring 0.2 in. in diameter and 0.6 in. long, the scanner can produce fingerprint patterns with 600-dpi resolution. Also, last year, Hewlett-Packard introduced a PDA (its iPAQ H5450) that features a tiny fingerprint scanner just below the navigation button (Fig. 2).

With the ability to provide secure authentication at prices in line with consumer handheld devices, low-cost/high-reliability biometric technologies likely will be applied to a wide variety of portable consumer communications and personal information management systems. With volumes of such consumer devices eclipsing those of commercial-system products, companies making and selling these biometric technologies are looking at a large-volume opportunity.
