Because their payment systems differ, B2C is considered the less secure model. Most e-tailers accept credit card payments, which makes them an easy target for online criminals, so each transaction carries a high level of risk. In contrast, a B2B transaction is based on a contract between partners, and payment is usually made on credit.
The nature of the trading relationship creates another difference. A B2C firm transacts only with the general public, while a B2B firm deals with its business partners. A B2B operator therefore needs to know the security weaknesses of its partners' computer networks: its data is only as secure as the networks of the outside users it allows into its internal network. This is not something the B2B operator can control unless it reaches agreement with its partners about the level of security it wants.
Similarity
Although the two models differ, the protective mechanisms involved in B2B are quite similar to those that a B2C organisation would enlist. Whatever the purpose of connecting to the web, any company must employ firewalls, virtual private networks, user authentication and privacy technologies such as Secure Sockets Layer (SSL). ()
For both B2B and B2C, internal systems and data have to be open and closed at the same time with respect to employees, partners, suppliers, customers, related banks and insurance companies, and so on. Once any computer in an organisation is attached to the Internet, a security risk assessment needs to consider all possible threats to the company's business assets and to the integrity and confidentiality of all company data. In other words, B2C and B2B carry the same degree of informational risk.
Implementation of Assurance Service
As mentioned before, there is no difference in how security mechanisms are implemented for B2C and B2B. However, because of the nature of each business, the specific service each is looking for differs slightly.
As mentioned earlier, relationships with partners have evolved from the days of Electronic Data Interchange (EDI) to fully functioning web sites on the World Wide Web or on company extranets. For the B2B operator, the service provider should therefore concentrate on what is called the EDI VAN (Value-Added Network). The assurance service provider has to focus on the areas shown below:
- Security assurance of data during transmission over the partners' private networks (using EDI)
- An audit trail of online information tracking, to satisfy financial auditors and legal requirements
- Authentication of documents throughout the network
(Greenstein et al., 2000)
Furthermore, in providing assurance for B2B e-commerce, the integrity and reliability of the VAN have to be included in the auditing process. Just as in traditional auditing, the procedures running through the VAN must be scrutinised, using technology. Moreover, in terms of 'systems thinking', a reliable operating environment has to be assessed and ensured.
The typical assurance service that is useful to a B2C operator is one that increases positive perception. For example, using a third-party assurance service such as a seal can help an e-tailer convince consumers about its security.
Moreover, the privacy and security policy has to state clearly how the operator treats sensitive customer data, and the policy has to be followed as stated.
Both B2C and B2B operators have to build an adequate security system that protects data from unauthorised access. An even more important task for an e-business entity is to monitor and maintain its security system and technology at an adequate level.
4.0 The Nature of Business
Company Background
Travel.com.au was established in September 1997 through the merger of two travel agencies, to capitalise on the anticipated shift in travel planning and booking from traditional retail travel agents to Internet-based travel providers. As such it operates in the virtual marketspace and has no physical presence, unlike most of its competitors in the retail travel industry (Flight Centre, STA, Harvey World Travel, Thomas Cook), which have to date relied on a franchise or chain of retail shopfronts to sell travel products. Essentially, Travel.com.au has eliminated the direct interaction between buyer and seller in order to capitalise on the emergence and growth of e-commerce and to cater to the changing needs and wants of consumers.
Through its web site of the same name, Travel.com.au provides a wide range of services and travel products to individual and corporate customers, including domestic and international travel, hotel accommodation, car hire, travel insurance and holiday packages.
Unlike traditional travel agencies, Travel.com.au depends on external suppliers for bandwidth and telecommunications. These telecommunications links are the backbone of the company's operations.
Travel.com.au also offers a wide range of payment methods, such as credit card, BPAY and payment in person, after which the ticket is delivered by e-ticketing, personal collection or free courier delivery. Travel.com.au sells products online through its booking engines and through Internet-initiated sales that are completed by online booking, e-mail and/or telephone. No additional credit card fee or extra service fee is charged, and overnight delivery (within Australia) is free.
5.0 Risk Associated to Travel.com.au
As mentioned before, there are four categories that the assurance provider has to be concerned with:
- Security of data
- Privacy of data
- Business policy
- Transaction processing integrity
These risk-related areas can be divided in more detail. According to the text (Greenstein et al., 2000), there are several categories of risk related to e-tailers, and they can be applied to travel.com.au as well. Those categories are:
- Risk to customers
- Risk to travel.com.au
- Risk associated with transferring business transaction between the supplier and the customer.
Risk to Customer
- Theft of customer data from selling agents and Internet Service Providers (ISPs)
This is a data security risk. Purchasing a ticket or voucher (travel package) from the travel.com.au site involves transmitting sensitive information about the user. Most transactions are paid by credit card, and the card details include sensitive information such as the card number, name and physical address. If an unauthorised person steals this information, they can simply use the card number to purchase anything, especially on the web.
There is no risk-free system, especially on the Internet, and no 100% guarantee that sensitive information cannot be stolen. As security systems become more advanced, hackers also become smarter. However, travel.com.au provides other payment methods, such as BPAY and payment in person, for customers who are not convinced of the security of online transactions. The technology used to reduce this risk is discussed in the next section.
- Cookies
Cookies are basically text-formatted files that are stored on the customer's computer. Cookies increase efficiency by giving visitors to the site quicker response times, and they allow merchants to track visitors to the site. A cookie lets the merchant track consumer behaviour online and gauge the effectiveness of an ad campaign, or target marketing to consumer preferences. Hence cookies are used to create a profile of your interests based on the sites you visit and the things you do there.
()
Because of these characteristics, privacy issues have often arisen around the use of cookies. Travel.com.au has therefore restricted its use of cookies: it uses the technology only for newsletter subscribers. It has also stated this use in the privacy policy section of its site, to reduce misunderstanding between the customer and itself.
Risk to travel.com.au
- Customer impersonation
The customer is not the entity it claims to be. This is called customer impersonation. Because of the nature of cyberspace, impersonation is one risk for the e-tailer: in simple words, customer and merchant cannot meet face to face, so a customer can use a fake identity, or someone else's, to purchase a product. There are two reasons for a fake customer to use another identity: theft and malice.
The objective of theft is to buy goods or services without paying, with the bill forwarded to the person whose identity has been misused. In other words, the thief uses someone else's details to purchase goods or services.
The intention of malice differs from theft. Instead of acquiring goods or services without paying, the attacker has other motives, such as intrinsic satisfaction for the hacker, or hurting the corporate profits and customer relations of a competitor or former employer.
- Denial of service attacks
A denial of service attack exploits the normal connection sequence. When a user sends a message asking the server to authenticate it, the server returns authentication approval to the user; the user acknowledges this approval and is allowed onto the server. In a denial of service attack, the user sends several authentication requests to the server, all with false return addresses, so the server cannot find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests and the process begins again, tying up the service indefinitely. Denial-of-service attacks can essentially disable a computer or a network and, depending on the nature of the enterprise, can effectively disable the organisation. Some denial of service attacks can be executed with limited resources against a large, sophisticated site; this type of attack is sometimes called an "asymmetric attack". For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
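The following is an added example (not part of the original report and not travel.com.au's code) showing how a defender would detect the pattern just described from the server side: connection requests that are never completed because the return address is forged. It works on a constructed, simplified connection log whose format and addresses are assumptions made for this example. Because the forged addresses are all different, the check counts half-open connections across all sources rather than per source.

```python
"""Detect a flood of half-open connections (handshake started, never completed).

Constructed log format for this example (not any real product's format):
    <timestamp> SYN <client_ip>    client asked to open a connection
    <timestamp> ACK <client_ip>    client completed the handshake
Timestamps are integer seconds to keep the example simple.
"""
from collections import Counter, defaultdict

# Constructed sample: one legitimate client (198.51.100.7) completes both of
# its handshakes; a burst of requests from forged, never-acknowledged
# addresses (203.0.113.x) arrives within two seconds.
SAMPLE_LOG = """\
100 SYN 198.51.100.7
100 ACK 198.51.100.7
101 SYN 203.0.113.1
101 SYN 203.0.113.2
101 SYN 203.0.113.3
102 SYN 203.0.113.4
102 SYN 203.0.113.5
102 SYN 203.0.113.6
102 SYN 198.51.100.7
103 ACK 198.51.100.7
"""


def parse_events(text):
    """Turn the log text into (timestamp, kind, ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, ip = line.split()
        events.append((int(ts), kind, ip))
    return events


def half_open_connections(events, timeout=60):
    """Return (syn_time, ip) for every SYN that no ACK completed within `timeout`
    seconds. Each of these ties up a server slot for the whole timeout, which is
    exactly what the flood exploits."""
    pending = defaultdict(list)  # ip -> SYN timestamps still awaiting an ACK
    half_open = []
    for ts, kind, ip in events:
        if kind == "SYN":
            pending[ip].append(ts)
        elif kind == "ACK" and pending[ip]:
            syn_ts = pending[ip].pop(0)
            if ts - syn_ts > timeout:
                # ACK arrived after the server would already have given up
                half_open.append((syn_ts, ip))
    # Anything still pending at the end of the log never completed either.
    for ip, times in pending.items():
        half_open.extend((t, ip) for t in times)
    return sorted(half_open)


def detect_syn_flood(events, window=5, threshold=4, timeout=60):
    """Flag a flood when more than `threshold` half-open connections began within
    any `window`-second span. Counting across all sources matters: with forged
    return addresses no single address ever looks busy."""
    half_open = half_open_connections(events, timeout)
    times = [t for t, _ in half_open]
    worst_start, worst_count = None, 0
    for start in times:
        count = sum(1 for t in times if start <= t <= start + window)
        if count > worst_count:
            worst_start, worst_count = start, count
    sources = Counter(
        ip for t, ip in half_open
        if worst_start is not None and worst_start <= t <= worst_start + window
    )
    return {
        "flood": worst_count > threshold,
        "half_open": worst_count,
        "window_start": worst_start,
        "distinct_sources": len(sources),
    }


if __name__ == "__main__":
    print(detect_syn_flood(parse_events(SAMPLE_LOG)))
```

The thresholds are placeholders; in practice they are tuned to the normal rate of incomplete handshakes a site sees, and the alert feeds the monitoring step of the risk management process discussed later in the report.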
Risk Associated with Business Transaction
Data interception is a serious risk for an e-business entity. Data can be intercepted during transmission from one point to another. The following three risks arise in relation to data interception.
- Message origin authentication
This authentication ensures that the message received is really from the party that claims to be the sender. It is important for preventing customer impersonation: travel.com.au has to make sure the sender of a message is the legitimate user. This protects the consumer from theft and also protects travel.com.au itself from harmful activity by a hacker. For example, if goods or services have been purchased by a thief, the merchant may have to write off those products.
To support this, non-repudiation is used in electronic commerce as a provision of "proof of origin". Authentication techniques such as digital signatures and other tools are available to prevent impersonation.
- Proof of delivery
Proof of delivery confirms whether the intended message has been received by the recipient from the sender. If the message is not received, the communication is useless. For example, if a purchase request or a product information request is intercepted, the company's customer relations and profitability can be damaged. Moreover, a misunderstanding between travel.com.au and the customer would occur, because the customer might think their message or order has not been responded to, when in fact it never reached travel.com.au because it was intercepted.
- Message integrity and unauthorised viewing of messages
It is important to be able to know whether the message sent is exactly the same as the message received. For example, if an order sent to travel.com.au's site were tampered with, an incorrect order could be placed, and the wrong goods might then be processed and delivered to the intended recipient.
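As an added example (not the report's or travel.com.au's code), the block below shows origin authentication and integrity checking of an order message using an HMAC, a keyed hash from Python's standard library, standing in for the digital signature mentioned above. The shared key, the order fields and the values are constructed for the example. A tampered order or an order produced without the key fails verification; reordering the fields does not, because the message is canonicalised before it is signed.

```python
"""Origin authentication and integrity check for an order using HMAC-SHA256.

Assumptions for this example: the customer and the merchant share a secret
key agreed out of band, and orders are small JSON-serialisable dictionaries.
"""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment provisions a per-customer secret.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample order (field names and values are illustrative).
SAMPLE_ORDER = {
    "order_id": "A1001",
    "customer": "jsmith",
    "item": "SYD-MEL return fare",
    "qty": 1,
    "amount_aud": 289.00,
}


def canonical(order):
    """Deterministic encoding: the same order always gives the same bytes,
    regardless of the order the fields were supplied in."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order, key=SHARED_KEY):
    """Attach an authentication tag computed over the canonical order."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": dict(order), "tag": tag}


def verify_order(envelope, key=SHARED_KEY):
    """True only if the tag matches the order under the shared key, i.e. the
    message was produced by a key holder and has not been altered in transit.
    compare_digest avoids leaking the tag through timing differences."""
    expected = hmac.new(key, canonical(envelope["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def altered_copy(envelope, field, value):
    """Model an in-transit modification: change one field, keep the old tag."""
    copy = {"order": dict(envelope["order"]), "tag": envelope["tag"]}
    copy["order"][field] = value
    return copy


if __name__ == "__main__":
    signed = sign_order(SAMPLE_ORDER)
    print("genuine order accepted:", verify_order(signed))
    print("modified qty accepted:", verify_order(altered_copy(signed, "qty", 10)))
    print("order signed with wrong key accepted:",
          verify_order(sign_order(SAMPLE_ORDER, key=b"some-other-key")))
```

An HMAC proves origin and integrity only between the two parties who hold the key; either of them could have produced the tag, so it does not give the "proof of origin" to a third party that non-repudiation requires. For that, the report's reference to digital signatures applies: the sender signs with a private key that only it holds, and anyone can verify with the matching public key.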
6.0 Security System and Mechanism of Travel.com.au
The risks discussed in section 5.0 are the main cause of customers' hesitation to shop online. To reduce the level of risk, travel.com.au employs the latest security systems to protect customer data and its business. The system includes:
- Privacy and security policy
As stated on the Travel.com.au site, the company has tried its best to protect customers' sensitive information. Moreover, travel.com.au guarantees that it will not share sensitive information with others. Although from time to time travel.com.au may provide statistical information about sales, trading patterns and navigation techniques to reputable third parties, this will not include any direct personal information identifying you as a customer. This privacy policy is clearly stated on its web site, and its security policy, such as the encryption technique it has adopted, is listed as well.
As mentioned earlier, the operator has to follow the policy as stated. Travel.com.au has followed its policy, and this is one key influence that motivates customers to move to its web site.
See the appendix for the entire business policy stated on the web site.
- SSL (Secure Sockets Layer)
SSL secures data transmission. Information entered into SSL-secured forms is encrypted by the customer's browser and sent directly to the secure server via SSL. Travel.com.au's secure server then forwards the encrypted details to a private folder and/or via e-mail. All information sent via secured forms is safer from eavesdropping, tampering and message forgery. When a customer connects to travel.com.au's secure web server, the customer asks the server to authenticate itself. This authentication is a fairly complex process involving public keys, private keys and a digital certificate. ()
- Westpac secure payment
This additional feature assures customers that travel.com.au processes credit card details securely over the Internet using a Westpac-accredited Internet payment security system. Using this kind of system shows that the company considers the security of customers' credit card details to be of prime importance. The customer does not need a Westpac credit card to use this secure service. Westpac secure payment provides the secure link between the online store and the bank: when the customer enters credit card details online, the information is scrambled (encrypted) and passed directly to Westpac, so that only the bank can read it. Even travel.com.au does not actually see the customer's credit card details.
- Member accounts
These features can only be used by members of travel.com.au. A customer must first register and activate a personal account to become a member, although non-members can still make purchases. The registration process gives the customer a username for login and a password for the account. Information the customer provides is stored on travel.com.au's secure servers and protected by its security mechanisms.
- SafeTrade
SafeTrade is one of Australia's largest insurance companies. It protects customers from fraud resulting from credit card purchases on the Internet and also guarantees delivery of the product. This assures customers that if anything goes wrong, SafeTrade will cover the loss up to AUD $2,000.
Although it has employed the latest technology, risk still exists. As mentioned before, no e-business entity is 100% secure, so constant security management is needed. Security management, and other methods the company can use to enhance its security level, are discussed in the next section.
7.0 Recommendation & Conclusion
There are a few ways to increase the security level of travel.com.au. These include:
- Build up risk management system
- Utilise latest security mechanism
- Use third-party assurance services (Web Site Seal Option)
The Risk Management Paradigm
The paradigm is a continuous process which recognises that risk management is an ongoing activity, not merely an annual or biannual event. Each risk nominally goes through these functions sequentially, but the activity occurs continuously, concurrently and iteratively throughout the project life cycle. (Greenstein et al., 2000)
Figure 1, Risk Management Paradigm
(Source: http://www.sei.cmu.edu)
There are six functions in the risk management paradigm:
- Identify - Search for and locate risks before they become problems.
- Analyse - Transform risk data into decision-making information: evaluate impact, probability and timeframe, classify risks and prioritise them.
- Plan - Translate risk information into decisions and mitigating actions (both present and future) and implement those actions.
- Monitor - Monitor risk indicators and mitigation actions.
- Control - Correct deviations from the risk mitigation plans.
- Communicate - Provide information and feedback, internal and external to the project, on risk activities, current risks and emerging risks.
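The Analyse and Plan steps above are easiest to see on a concrete risk register. The block below is an added example, not part of the report or of any SEI material: it scores each risk from the three attributes the Analyse step names (impact, probability, timeframe), ranks the register, and re-scores a risk after a mitigation action to show the Monitor loop. The register entries, scales and thresholds are constructed for illustration and are not travel.com.au's own assessment.

```python
"""Risk register prioritisation: impact x probability, weighted by timeframe.

Scales assumed for this example: impact 1 (negligible) to 5 (severe),
probability 0.0 to 1.0, timeframe_days = days until the risk could materialise.
"""

# Constructed register using risk types discussed in the report.
RISKS = [
    {"id": "R1", "name": "Theft of customer card data in transit",
     "impact": 5, "probability": 0.2, "timeframe_days": 30},
    {"id": "R2", "name": "Denial of service against the booking site",
     "impact": 4, "probability": 0.5, "timeframe_days": 7},
    {"id": "R3", "name": "Customer impersonation / fraudulent order",
     "impact": 3, "probability": 0.6, "timeframe_days": 14},
    {"id": "R4", "name": "Loss of telecommunications link",
     "impact": 5, "probability": 0.1, "timeframe_days": 180},
]


def exposure(risk):
    """Expected loss on the 1-5 impact scale: impact weighted by likelihood."""
    return risk["impact"] * risk["probability"]


def timeframe_weight(days):
    """Near-term risks are weighted up because there is less time to react."""
    if days <= 30:
        return 1.5
    if days <= 90:
        return 1.0
    return 0.5


def score(risk):
    return exposure(risk) * timeframe_weight(risk["timeframe_days"])


def classify(risk_score):
    """Map a score to the action the Plan step should take (thresholds assumed)."""
    if risk_score >= 2.0:
        return "mitigate now"
    if risk_score >= 1.0:
        return "plan mitigation"
    return "watch"


def prioritise(risks):
    """Analyse step: rank the register, highest score first."""
    ranked = sorted(risks, key=score, reverse=True)
    return [(r["id"], round(score(r), 2), classify(score(r))) for r in ranked]


def after_mitigation(risk, new_probability):
    """Monitor step: re-score a risk once a mitigating action has changed its
    likelihood (e.g. a better payment gateway lowers the theft probability)."""
    updated = dict(risk, probability=new_probability)
    return updated["id"], round(score(updated), 2), classify(score(updated))


if __name__ == "__main__":
    for row in prioritise(RISKS):
        print(row)
    print(after_mitigation(RISKS[1], 0.1))
```

The output is the ordering a reviewer would present at the Communicate step; the scoring formula itself is a design choice and a real register would document it alongside the scales so that later re-scoring is comparable.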
Disaster Recovery Plan
According to the text (Greenstein et al., 2000), a disaster recovery plan is a contingency plan for resuming operations in situations where operations are interrupted for any reason. There are two kinds of disaster: natural and man-made.
The objectives of a disaster recovery plan are shown below:
- Assessment of vulnerability
- Prevention and reduction of risk
- Creation of cost-effective solutions
- Minimisation of business interruption and assurance of business continuity
- Securing alternative Internet access modes
- Recovery of lost data
- Providing disaster recovery procedures
- Training employees for disaster recovery scenarios
(Greenstein et al., 2000)
The primary objective of the plan is to reduce interruption to the business. The plan should be updated continuously and supported by top management so that it is properly carried out.
One option in disaster recovery planning is to create a second site that can back up the original site. There are three types of back-up alternative:
- Mutual aid pact - an agreement between two or more firms to share resources with one another in the case of a disaster.
- Cold site (shell site) / create and ship - a firm or group of firms leases a building site to hold computer equipment, but the equipment is not actually stored on site. In the case of a disaster, a create-and-ship vendor ships the hardware and software to the cold site.
- Hot site - a completely equipped site, so a fully functioning disaster recovery operations centre is available.
The recovery plan is important because no e-business company is perfectly secured from risk.
Security Mechanism
A firewall can be defined as a system or group of systems that enforces an access control policy between two networks (Greenstein et al., 2000). The firewall may be thought of as a pair of mechanisms: one that exists to block traffic and another that exists to permit traffic.
Firewalls are configured to protect against unauthenticated logins from the Internet. They may also be used as an internal control that blocks traffic from both the inside and the outside.
A firewall is just one piece of a security system, so a proper security system design is needed before the firewall is designed.
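To make the "pair of mechanisms" concrete, here is an added example (not the report's or travel.com.au's configuration) of a small ordered rule set evaluated first-match-wins with a default of deny. The addresses are documentation and private ranges chosen for the example: 192.0.2.0/24 stands for the public server segment and 10.0.0.0/8 for the internal staff network. It shows a permit rule (web traffic to the web server), a block rule against login traffic from the Internet, and an internal control that blocks traffic leaving from the inside.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny."""
import ipaddress

# Constructed rule set for an imaginary e-tailer network (not real addresses).
RULES = [
    # action,  direction, source,        destination,      proto,  dst_port
    ("permit", "in",  "0.0.0.0/0",  "192.0.2.10/32", "tcp", 443),   # HTTPS to the web server
    ("permit", "in",  "0.0.0.0/0",  "192.0.2.10/32", "tcp", 80),    # HTTP to the web server
    ("deny",   "in",  "0.0.0.0/0",  "192.0.2.0/24",  "tcp", 23),    # block telnet logins from the Internet
    ("permit", "out", "10.0.0.0/8", "0.0.0.0/0",     "tcp", 443),   # staff may browse HTTPS sites
    ("deny",   "out", "10.0.0.0/8", "0.0.0.0/0",     "any", None),  # block all other outbound traffic
]


def matches(rule, packet):
    """True if every field of the rule covers the packet ('any'/None = wildcard)."""
    _action, direction, src, dst, proto, port = rule
    if direction != packet["direction"]:
        return False
    if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(dst):
        return False
    if proto != "any" and proto != packet["proto"]:
        return False
    if port is not None and port != packet["dst_port"]:
        return False
    return True


def evaluate(packet, rules=RULES):
    """Return (action, index of the matching rule). Anything no rule covers is
    dropped: the default-deny posture is what turns the rule list into a policy."""
    for index, rule in enumerate(rules):
        if matches(rule, packet):
            return rule[0], index
    return "deny", None


def packet(direction, src, dst, proto, dst_port):
    return {"direction": direction, "src": src, "dst": dst,
            "proto": proto, "dst_port": dst_port}


if __name__ == "__main__":
    # Constructed sample traffic.
    for p in [
        packet("in", "203.0.113.9", "192.0.2.10", "tcp", 443),   # customer browsing the shop
        packet("in", "203.0.113.9", "192.0.2.10", "tcp", 23),    # telnet login attempt
        packet("in", "203.0.113.9", "192.0.2.10", "tcp", 22),    # ssh: no rule, default deny
        packet("out", "10.1.2.3", "203.0.113.9", "tcp", 443),    # staff HTTPS
        packet("out", "10.1.2.3", "203.0.113.9", "tcp", 25),     # staff SMTP direct: blocked
    ]:
        print(p["direction"], p["dst_port"], evaluate(p))
```

Note that rule 2 is redundant with the default deny; it is kept explicit so that telnet attempts match a named rule and can be logged and counted separately from everything else the default drops, which is the kind of input the monitoring process needs.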
Travel.com.au uses Secure Sockets Layer (SSL) as its primary encryption technology. SSL was originally created by Netscape to allow secure online transaction information to be encrypted over "unprotected" HTTP. The method scrambles information so that outsiders cannot easily monitor data such as credit card numbers, names and addresses. Today SSL is so commonly used that it is considered the 'first level' of protocol for protecting many types of Internet data transmission, including e-mail.
To further ensure the integrity of data, SSL uses a method of verifying the data encryption method used for a particular session, which is known only to the intended users and not to outsiders. Encrypted messages would not be very private if outsiders knew which encoding method was used. This integrity process occurs during the initial handshaking stage of establishing Internet communications with a particular web site.
Travel.com.au uses 128-bit encryption. There are 300 billion trillion times as many keys as with 40-bit encryption, so it is virtually impossible for an unauthorised party to find the right key.
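The key-size comparison is easy to check. The block below is an added example (not from the report) that computes the ratio of the 128-bit and 40-bit key spaces, which is 2^88 (about 3.1 x 10^26), and turns a key length into the expected time an exhaustive search would take at an assumed trial rate. It also inverts the question to find the smallest key length that survives a given lifetime, which is the check a practitioner actually wants. The trial rate and lifetime used are assumptions for the example.

```python
"""Key-space arithmetic for symmetric keys of a given bit length."""
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(bits):
    """Number of possible keys of the given length."""
    return 2 ** bits


def key_space_ratio(bits_a, bits_b):
    """How many times more keys a bits_a key has than a bits_b key."""
    return 2 ** (bits_a - bits_b)


def expected_seconds_to_find_key(bits, trials_per_second):
    """Exhaustive search finds the key after half the space on average."""
    return key_space(bits) / 2 / trials_per_second


def expected_years_to_find_key(bits, trials_per_second):
    return expected_seconds_to_find_key(bits, trials_per_second) / SECONDS_PER_YEAR


def adequate(bits, trials_per_second, lifetime_years):
    """True if the expected search time exceeds how long the data must stay secret."""
    return expected_years_to_find_key(bits, trials_per_second) > lifetime_years


def minimum_key_bits(trials_per_second, lifetime_years):
    """Smallest key length that is adequate for the given attacker rate and lifetime."""
    bits = 1
    while not adequate(bits, trials_per_second, lifetime_years):
        bits += 1
    return bits


if __name__ == "__main__":
    rate = 1e9          # assumed: one billion key trials per second
    lifetime = 10       # assumed: card details must stay secret for ten years
    print("128-bit vs 40-bit key space ratio: 2^88 =", key_space_ratio(128, 40))
    print("40-bit expected search time (s):", expected_seconds_to_find_key(40, rate))
    print("128-bit expected search time (years):", expected_years_to_find_key(128, rate))
    print("minimum adequate key length (bits):", minimum_key_bits(rate, lifetime))
```

At a billion trials per second a 40-bit key falls in about nine minutes on average, a 128-bit key in roughly 5 x 10^21 years, and the smallest length that would hold for ten years at that rate is 60 bits; raising the assumed rate shows how quickly the margin on short keys disappears.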
It is recommended that travel.com.au incorporate some of the following Internet security standards and protocols to ensure a high level of security.
For an e-tailer such as travel.com.au, the payment system is the most important thing to secure. Many other types of security protocol are available for protecting transactions and payments.
SET (Secure Electronic Transaction) is the best example of a secure electronic payment protocol. It was developed by the major credit card companies and was designed to satisfy the following requirements:
- Provide confidentiality of information
- Ensure payment integrity
- Authenticate both merchants and cardholder
- Interoperate with other protocols
(Greenstein et al., 2000)
Moreover, there are many other IP security protocols (IPSECs) besides SSL that provide Internet security, including SHTTP (Secure Hypertext Transfer Protocol), DNSSEC (Domain Name Server Security), TLS (Transport Layer Security) and several others.
Hire Third-party Assurance Services (Web Site Seal Option)
A web site seal is another option that travel.com.au can follow. It convinces the customer that travel.com.au is capable, with the service provider working on behalf of the company, and it decreases the cost of assurance services.
To increase assurance, joining WebTrust is one option for travel.com.au. The firm would need to pass a WebTrust examination by a licensed Certified Public Accountant (CPA), Chartered Accountant or equivalent.
Under the WebTrust program, the organisation is examined on a regular basis by a WebTrust-licensed CPA to ensure compliance with the current WebTrust principles, which include:
- On-Line Privacy
- Security
- Business Practices and Transaction Integrity
- Availability
- WebTrust for Certification Authorities
(http:)
Hence travel.com.au's security tools will always be kept up to date, in order to minimise the associated risks. In this way WebTrust helps travel.com.au to enhance its trustworthiness. Demonstrating trustworthiness brings benefits such as improved customer acquisition and higher sales conversion ratios, and WebTrust has a demonstrated ability to improve both.
Travel.com.au already uses encryption and authentication systems to maintain data integrity. However, by employing a third party such as VeriSign, data integrity in the transaction process could be maximised. VeriSign, Inc. is the world's leading Internet Certification Authority, the trusted third party that authenticates, issues and manages digital certificates on the Internet. VeriSign's Digital IDs enable trusted electronic commerce by authenticating the individuals, organisations and content involved in an electronic transaction. ()
Finally, it is recommended that travel.com.au concentrate on its auditing and monitoring processes and, as mentioned before, develop its risk management program. A new warning to us all is that Amazon has been hacked since last October; there is no doubt that its site used the latest mechanisms, but the latest mechanisms are not enough to protect against hackers. Therefore, the only way to ensure security is to develop a risk management plan and continuously check, monitor and update the security system.
In conclusion, it can be said that travel.com.au has satisfied all four categories:
- Security of data
- Privacy of data
- Business policy
- Transaction processing integrity
For the security of data, it uses SSL and 128-bit encryption technology, and it provides a variety of payment systems. These techniques also serve data integrity. Furthermore, its business policy is clearly stated and followed; one important stated policy is the privacy policy for customer data, and the company treats the privacy and security of customer data as an asset. Therefore, it can be said that the company's security level is acceptable.
Moreover, using a web site seal as a security tool can convince customers and improve security. Hiring a third party that specialises in assurance services to enhance a firm's security level is the current trend, and it is a less costly way to assure the site.
Finally, to say it again, there is no perfectly secured web site. Continuous security management is therefore one of the key factors for success in the marketspace.
8.0 References
Greenstein, M. & Feinman, T. M. (2000) Electronic Commerce: Security, Risk Management and Control. McGraw-Hill, United States of America.