guidebook ecommerce


Uploaded by thao-phan, posted on 25-Oct-2015

Description: Principle of e-commerce, theoretical knowledge, text book, university curriculum

Page 1: Guidebook Ecommerce

Principle of Electronic Commerce - Mr. Lee - E-commerce Faculty 2013

E-COMMERCE SUBJECT - KEY TERMS

E-tailing: retailing conducted over the Internet is called electronic retailing or e-tailing, and those who conduct retail business online are called e-tailers.

E-marketplace: e-marketplaces play a central role in the economy, facilitating the exchange of information, goods, services and payments. In the process, they create economic value for buyers, sellers, market intermediaries and society at large. Markets have three main functions: matching buyers and sellers; facilitating the exchange of information, goods, services and payments associated with market transactions; and providing an institutional infrastructure such as a legal and regulatory framework. (Put simply, an e-marketplace is an online marketplace where buyers and sellers meet to exchange goods, services, money or information.)

Intranet: a corporate or government network that uses Internet tools, such as web browsers and Internet protocols.

Extranet: a network that uses the Internet to link multiple intranets.

E-commerce: the process of buying, selling, or exchanging products, services and information via computer.

E-Business: a broader definition of EC that includes not just the buying and selling of goods and services, but also servicing customers and collaborating in electronic transactions within an organization.

Social network: a category of Internet applications that help connect friends, business partners or individuals with specific interests by providing free services such as photo presentation, email, blogging and so on, using a variety of tools.

The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to serve several billion users worldwide. It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies. The Internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents of the World Wide Web (WWW), the infrastructure to support email, and peer-to-peer networks. (Source: http://en.wikipedia.org/wiki/Internet)

VNNIC: Vietnam Internet Network Information Center

VECITA: Vietnam Ecommerce and Information Technology Agency

EFT: Electronic Funds Transfer

EDI: Electronic Data Interchange

CONTENTS

CHAPTER 1

OVERVIEW OF ECOMMERCE

1.1 ELECTRONIC COMMERCE: DEFINITIONS AND CONCEPTS

Electronic commerce is the process of buying, selling, transferring or exchanging products, services and/or information via computer networks, mostly the Internet and intranets.

According to en.wikipedia.org/wiki/E-commerce, e-commerce can also be defined from the following perspectives:

a/ Business process: E-commerce is doing business electronically by implementing business processes over electronic networks, thereby substituting information for physical business processes.

b/ Service: E-commerce is a tool that addresses the desire of governments, firms, consumers and management to cut service costs while improving the quality of customer service and increasing the speed of service delivery.

c/ Learning: From a learning perspective, E-commerce is an enabler of online training and education in schools, universities, and other organizations, including businesses.

d/ Collaborative: E-commerce is the framework for inter- and intra-organizational collaboration.

e/ Community: E-commerce provides a gathering place for community members to learn, transact and collaborate. The most popular type of community is social networks such as MySpace and Facebook.

According to OECD

Broad definition: An electronic transaction is the sale or purchase of goods or services, whether between businesses, households, individuals, governments and other public or private organizations, conducted over computer-mediated networks. The goods and services are ordered over those networks, but payment and the ultimate delivery of the good or service may be conducted on- or off-line.

Narrow definition: An Internet transaction is the sale or purchase of goods or services, whether between businesses, households, individuals, governments and other public or private organizations, conducted over the Internet.

According to WTO

Ecommerce is understood to mean the production, distribution, marketing, sale or delivery of goods and services by electronic means. A commercial transaction can be divided into three main stages: the advertising and searching stage, the ordering and payment stage and the delivery stage. Any or all of these may be carried out electronically.

According to EU

E-commerce, based on the electronic processing and transmission of data, encompasses many diverse activities including electronic trading of goods and services, online delivery of content, electronic funds transfers, electronic share trading, public procurement, and so on. These activities may be divided into two categories:

• Indirect electronic commerce, i.e. the electronic ordering of tangible goods that must still be physically delivered and which therefore depends on a number of external factors, such as the efficiency of the transport system and postal services; and

• Direct electronic commerce, i.e. the on-line ordering, payment and delivery of intangible goods and services such as computer software and entertainment content.

1.2 E-COMMERCE VS E-BUSINESS

Commerce includes only buying and selling transactions conducted between business partners (definition of commerce), so the term E-commerce would be fairly narrow.

E-business refers to a broader definition of Ecommerce: not just the buying and selling of goods and services, but also servicing customers, collaborating with business partners, conducting e-learning, and conducting electronic transactions within an organization.

However, some view E-business as comprising those activities that do not involve buying or selling over the Internet, such as collaboration and intrabusiness activities.

• Some define E-business as dealing with organizations' internal activities only, whereas Ecommerce deals with external activities only.

• The two terms will be used interchangeably throughout the text.

1.3 THE ELECTRONIC COMMERCE FIELD: CLASSIFICATION AND HISTORY

1.3.1 Classification of Ecommerce

A. Based on the nature and direction of the transactions and interactions (or the relationship among participants), including Business (B), Consumer (C), Government (G), Peer (P), Employee (E), Mobile (M):

• B2B: a model in which all of the participants are businesses or other organizations. It refers to transactions between businesses conducted electronically over the Internet, extranets, intranets or private networks (Papazoglou and Ribbers, 2006). Some types of B2B transactions: Sell-side (one seller to many buyers), Buy-side (one buyer to many sellers), Exchange (many sellers to many buyers), Supply chain improvement and collaborative commerce (this category includes activities other than buying or selling among business partners, for example supply chain improvements, communicating, collaborating and sharing information for joint design, planning and so on).

• B2C: Business to Consumer (including individual shoppers). The main type of B2C is e-tailing (online retailing). For example: the B2C model.

• C2C: Consumer to Consumer, a model in which consumers sell (goods and services) directly to other consumers. It involves all transactions between and among individual consumers. These transactions can also include third parties, usually in the form of those who facilitate the marketplace, such as eBay or a social network site. Some types of C2C applications: C2C Auctions (ex. eBay.com, auctionanything.com, greatshop.com); Classified Ads (ex. Iclassifieds2000.com contains a list of about 500000 cars, forrent.com includes apartments for rent); Personal Services (ex: lawyers, helpers, investment clubs, dating services) (reference in Chapter 7_ 329-333)

• P2P networks (Peer to Peer): Several C2C applications are based on a computer architecture known as peer to peer. With a peer to peer network, each client's computer can share files or computer resources (such as processing power) directly with others rather than through a central server (P2P can also stand for people to people, person to person, point to point).

• Mobile commerce, also known as m-business, includes any business activity conducted over a wireless telecommunications network. This includes B2C and B2B commercial transactions as well as the transfer of information and services via wireless mobile devices. Some attributes of M-commerce: Ubiquity (being available at any location and any time), Convenience (easier for the user to operate), Interactivity, Personalization (truly personal computing devices), Localization (physical location at any particular moment, in real time) (reference in Chapter 8_ 339)

• B2E: Business to Employees, a model in which an organization delivers services, information or products to its individual employees.

• E-Government: a model in which a Government (G) entity buys or provides goods, services or information from or to businesses or individual citizens (C). Some types of E-Government: G2G, G2B, G2C.

• E-Government is the use of information technology in general, and E-commerce in particular, to provide citizens or organizations with more convenient access to government information and services, and to provide delivery of public services to citizens, business partners and those working in the public sector (reference in Chapter 7_ 294-301, case study 298)

B. Based on the degree of digitization of the 3Ps

Ecommerce can take several forms depending on the degree of digitization (the transformation from physical features to digital features) of (P1) the product (service) sold, (P2) the process (e.g. ordering, payment, fulfillment) and (P3) the delivery method (player).

Each element (P1, P2, P3) may be physical or digital.

The possible configurations of these three dimensions determine different levels of E-commerce.

The three elements (3P) create one large cube consisting of eight small cubes, each of which has three dimensions.

In traditional commerce, all three dimensions of the cube are physical.

In pure E-commerce, all dimensions are digital.

All other cubes include a mix of digital and physical dimensions.

For example: Amazon, Dell

Ecommerce Organizations:

+ Brick and mortar Organizations

+ Click and mortar (or Click and brick) Organizations

+ Pure (or virtual) Organizations

1.3.2 History of Ecommerce

• In the early 1970s, EC applications were first developed with innovations such as Electronic Funds Transfer (EFT), by which funds could be routed electronically from one organization to another.

• Electronic Data Interchange (EDI) was used to electronically transfer routine documents, which later expanded from financial transactions to other types of transactions.

• In 1969, the Internet began life as an experiment by the US government, and its initial users were a largely technical audience of government agencies and academic researchers and scientists.

• In the early 1990s, the term World Wide Web was introduced, the major milestone in the development of EC.

• In 1995, Internet users witnessed the rapid growth of many innovative applications, distinct models from online direct sales to e-learning, expansion of the size of organizations on the Internet, etc.

1.4 THE FUTURE OF E-COMMERCE

The growth of Ecommerce in the world in general, and in Vietnam in particular.

1.4.1 The growth of Ecommerce in the world in general

Figure 1.1: Value of B2C Ecommerce per head (2007-2012)

Source: IMRG B2C Global Ecommerce Overview 2011-2012

Figure 1.2: Numbers of Online buyers in China 2010-2016

Source: E-marketer, July 2012


Figure 1.3: B2C Ecommerce Sales in China, 2010-2016

Source: E-marketer, July 2012

Figure 1.4: US Retail Ecommerce Sales, 2010-2016

Source: E-marketer, March 2012

Figure 1.5: Korean Ecommerce in 2011 and 2012

Source: Korean Statistics Agency

Figure 1.6: Malaysia Ecommerce market size in 2010 and forecast for 2014

Source: www.malaysiacrunch.com

Figure 1.7: Online purchase in EU (2004-2010)

Source: JupiterResearch Internet Shopping model

Figure 1.8: E-retail in EU (2004-2010)

Source: JupiterResearch Internet Shopping model

Figure 1.9: E-retail in US and prediction to 2014

Source: http://www.internetretailer.com/dailyNews.asp?id=33828

Figure 1.10: Forecast of US online and Web-influenced Retail Sales, 2009-2014

Source: http://www.internetretailer.com/dailyNews.asp?id=33828

1.4.2 E-commerce in Vietnam

(References: www.vnnic.vn, www.vectia.gov.vn and the Vietnam Annual Ecommerce Reports from 2010-2012)

Figure 1.11: Report on Vietnam's Internet statistics

Source: www.vnnic.vn (VNNIC - Vietnam Internet Network Information Center)

Figure 1.12: Number of VN's Internet users

Source: www.vnnic.vn (VNNIC - Vietnam Internet Network Information Center)

Figure 1.13: Number of Vietnam's broadband Internet subscribers

Source: www.vnnic.vn (VNNIC - Vietnam Internet Network Information Center)

Figure 1.14: The estimation of Vietnam B2C Ecommerce revenue in 2012

According to VN Ecommerce Report 2012 - VECITA

Figure 1.15: Forecast of Vietnam's B2C Ecommerce sales revenue in 2015

According to VN Ecommerce Report 2012 - VECITA

1.5 THE BENEFITS, LIMITATIONS AND IMPACTS OF E-COMMERCE

1.5.1 The Benefits

For organizations (business, enterprise, company, etc.):

• Global reach: Locating customers and/or suppliers worldwide, at reasonable cost and fast
• Cost reduction: Lower cost of information processing, storage and distribution
• Facilitate problem solving: Solve complex problems that have remained unsolved
• Supply chain improvements: Reduce delays, inventories and costs
• Business always open: Open 24/7/365, no overtime or other costs
• Customization/Personalization: Make it to the consumer's wish, fast and at reasonable cost
• Seller's specialization (niche market): A seller can specialize in a narrow field (e.g. dog toy products), yet make money
• Ability to innovate, use/apply new business models: Facilitate innovation and enable unique business models
• Rapid time-to-market and increased speed: Expedite processes, higher speed and productivity
• Lower communication costs: The Internet is cheaper than VAN private lines
• Efficient procurement: Save time and reduce costs by enabling e-procurement
• Improved customer service and relationship: Direct interaction with customers, better CRM
• Fewer permits and less tax: May need fewer permits and be able to avoid sales tax

• Up-to-date materials: All distributed material is up-to-date
• Help SMEs to compete: EC may support small companies to compete against large ones by using special business models
• Lower inventories: Using customization, inventories can be minimized
• Lower cost of distributing digitizable products: Delivery online can be 90 percent cheaper
• Provide competitive advantage: Innovative business models

For individual customers:

• Ubiquity: Can shop at any place and any time
• More products and services: Large selection to choose from (vendors, products, styles, interests, habits, etc.)
• Customized products/services: Can customize many products/services
• Cheaper products/services: Compare and buy at the lowest prices
• Instant delivery: Digitized products can be downloaded immediately from the website, upon e-payment
• Information availability: Easily find and search for what you need, with details, demos, etc., by search engine
• Convenient auction participation: Do auctions any time and from any place
• No sales tax: Sometimes without tax on products/services included
• Enable telecommuting: Can work or study at home
• Electronic socialization: Can socialize online in communities yet be at home
• Find unique items: Using online auctions, collectible items can be found

For society:

• Enable telecommuting: Facilitate work at home, less traffic (congestion), pollution
• More public services: Make education (e-learning), health, etc. available for more people. Rural areas can share the benefits, more services for the poor
• Improved homeland security: Facilitate domestic security
• Increased standard of living: Can purchase more and cheaper goods/services
• Close the digital divide: Allow people in developing countries and rural areas to access more services and purchase what they really like

For example: Impacts of Ecommerce application on Business in VN

Figure 1.16: Efficiency of Ecommerce application of enterprises in 2012

According to VN Ecommerce Report 2012 - VECITA

Figure 1.17: Trends of revenue from electronic means

According to VN Ecommerce Report 2012 - VECITA

1.5.2 The limitations

Based on the technological factor, limitations are divided into technological limitations and non-technological limitations.

Technological limitations:

• Lack of universal standards of quality, security and reliability
• The telecommunications bandwidth is insufficient, especially for M-commerce, videos, graphics
• Software development tools are still evolving
• It is difficult to integrate Internet and EC software with some existing (especially legacy) applications and databases
• Special Web servers are needed in addition to the network servers, which adds to the cost of EC
• Internet accessibility is still expensive and/or inconvenient

• Order fulfillment of large-scale B2C requires special automated warehouses

Non-technological limitations:

• Security and privacy concerns deter customers from buying
• Lack of trust in EC and in unknown sellers hinders buying
• Some issues, including taxation, have not yet been resolved or are not clear
• National and international government regulations sometimes get in the way
• It is difficult to measure some of the benefits of EC, such as online advertising. Mature measurement methodologies are not yet available
• Some customers like to feel and touch products. Also, customers are resistant to the change from shopping at a brick and mortar store to a virtual store
• People do not yet sufficiently trust paperless, faceless transactions
• In many cases, the number of sellers and buyers that are needed for profitable EC operations is insufficient
• Online fraud is increasing dramatically
• It is difficult to obtain venture capital due to the failure of many dot-coms

For example: Obstacles to Ecommerce application in VN

Figure 1.18: Evaluation of obstacles to Ecommerce application in 2012

According to VN Ecommerce Report 2012 - VECITA

Figure 1.19: Obstacles in Ecommerce implementation in the period 2005-2012


According to VN Ecommerce Report 2012 - VECITA

CHAPTER 2

E-COMMERCE BUSINESS MODELS

2.1 DEFINITION AND ELEMENTS OF E-COMMERCE BUSINESS MODEL

2.1.1 Definition of Ecommerce business model

One of the major characteristics of Ecommerce is that it enables the creation of new business models (Prahalad and Krishnan 2008). A business model is a method of doing business by which a company can generate revenue to sustain itself. The model also spells out where the company is positioned in the value chain, that is, by what activities the company adds value to the product or service it supplies (the value chain is the series of value-adding activities that an organization performs to achieve its goals, such as making a profit, at various stages of the production process). One company may have several business models. Some models are very simple. For example, Walmart buys merchandise, sells it, and generates a profit. In contrast, a TV station provides free broadcasting to its viewers. That station's survival depends on a complex model involving advertisers and content providers. Public Internet portals, such as Yahoo!, also use a complex business model.

Business models are a subset of a business plan or a business case. These concepts are frequently confused.

A business model is a set of planned activities (sometimes referred to as business processes) designed to result in a profit in a marketplace. A business model is not always the same as a business strategy, although in some cases they are very close insofar as the business model explicitly takes into account the competitive environment (Magretta, 2002). The business model is at the center of the business plan. A business plan is a document that describes a firm's business model. A business plan always takes into account the competitive environment. An E-commerce business model aims to use and leverage the unique qualities of the Internet and the World Wide Web (Timmers, 1998).

A business model according to Timmers' definition is an architecture for information, product and service flows, as well as a description of the different actors and the roles they play. It also describes the potential benefits of the Internet to business actors and describes a source of revenue. Based on this definition, Timmers was able to illustrate with examples eleven e-business models which have become popular among other e-business models.

2.1.2 Elements of Ecommerce business model

The structure and properties of business models

If you hope to develop a successful business model in any arena, not just e-commerce, you must make sure that the model effectively addresses the eight elements listed in Table 2.1. These elements are: value proposition, revenue model, market opportunity, competitive environment, competitive advantage, market strategy, organizational development, and management team (Ghosh, 1998). Many writers focus on a firm's value proposition and revenue model. While these may be the most important and most easily identifiable aspects of a company's business model, the other elements are equally important when evaluating business models and plans, or when attempting to understand why a particular company has succeeded or failed (Kim and Mauborgne, 2000). In the following section, we describe each of the key business model elements more fully.

Element 1. Value Proposition

A company's value proposition is at the very heart of its business model. A value proposition defines how a company's product or service fulfills the needs of customers (Kambil, Ginsberg, and Bloch, 1998). To develop and/or analyze a firm's value proposition, you need to understand why customers will choose to do business with the firm instead of another company and what the firm provides that other firms do not and cannot. From the consumer point of view, successful e-commerce value propositions include: personalization and customization of product offerings, reduction of product search costs, reduction of price discovery costs, and facilitation of transactions by managing product delivery (Kambil, 1997; Bakos, 1998).

FreshDirect, for instance, primarily offers customers the freshest perishable food in New York, direct from the growers and manufacturers, at the lowest prices, delivered to their homes at night. Although local supermarkets can also offer fresh food, customers need to spend an hour or two shopping at those stores every week. Convenience and saved time are very important elements in FreshDirect's value proposition to customers.

Before Amazon existed, most customers personally traveled to book retailers to place an order. In some cases, the desired book might not be available and the customer would have to wait several days or weeks, and then return to the bookstore to pick it up. Amazon makes it possible for book lovers to shop for virtually any book in print from the comfort of their home or office, 24 hours a day, and to know immediately whether a book is in stock. Amazon's primary value propositions are unparalleled selection and convenience.

In many cases, companies develop their value proposition based on current market conditions or trends. Consumers' increasing emphasis on fresh perishable foods, as opposed to frozen or canned goods, is a trend FreshDirect's founders took note of, just as Starbucks' founders saw the growing interest in and demand for coffee bars nationwide. Both companies watched the market and then developed their value proposition to meet what they perceived to be consumers' demand for certain products and services.

Several different EC business models are possible, depending on the company, industry, and so on.

A comprehensive business model is composed of the following elements:

A description of the customers to be served and the company's relationship with these customers, including what constitutes value from the customers' perspective (customers' value proposition)

Business models also include a value-proposition statement. A value proposition refers to benefits, including the intangible, non-quantitative ones, that a company can derive from using the model. In B2C EC, for example, a value proposition defines how a company's product or service fulfills the needs of customers. The value proposition is an important part of the marketing plan of any product or service.

Specifically, how do e-marketplaces create value? Amit and Zott (2001) identify four sets of values that are created by e-business: search and transaction cost efficiency, complementarities, lock-in and novelty. Search and transaction cost efficiency enables faster and more informed decision making, wider product and service selection, and greater economies of scale (cost savings per unit as greater quantities are produced and sold, e.g. through demand and supply aggregation for small buyers and sellers). Complementarities involve bundling some goods and services together to provide more value than from offering them separately. Lock-in is attributable to the high switching costs that tie customers to particular suppliers. Novelty creates value through innovative ways of structuring transactions, connecting partners and fostering new markets.

A description of all products and services the business will offer and the markets in which they will be sold

A description of the business processes required to make and deliver the products and services, including distribution and marketing strategies

A list of the resources required and the identification of which ones are available, which will be developed in house and which will need to be acquired (including human resources)

A description of the organization's supply chain, including suppliers and other business partners

A list of the major competitors, their market share, and strengths/weaknesses

The competitive advantage offered by the business model

The anticipated organizational changes and any resistance to change

A description of the revenues expected (revenue model), anticipated costs, sources of financing and estimated profitability (financial viability)

Element 2. Revenue Model

A firm's revenue model describes how the firm will earn revenue, generate profits, and produce a superior return on invested capital. We use the terms revenue model and financial model interchangeably. The function of business organizations is both to generate profits and to produce returns on invested capital that exceed alternative investments. Profits alone are not sufficient to make a company "successful" (Porter, 1985). In order to be considered successful, a firm must produce returns greater than alternative investments. Firms that fail this test go out of existence.

Retailers, for example, sell a product, such as a personal computer, to a customer who pays for the computer using cash or a credit card. This produces revenue. The merchant typically charges more for the computer than it pays out in operating expenses, producing a profit. But in order to go into business, the computer merchant had to invest capital, either by borrowing or by dipping into personal savings. The profits from the business constitute the return on invested capital, and these returns must be greater than the merchant could obtain elsewhere, say, by investing in real estate or just putting the money into a savings account.

Although many different e-commerce revenue models have been developed, most companies rely on one, or some combination, of the following major revenue models: the advertising model, the subscription model, the transaction fee model, the sales model, and the affiliate model.

Figure 2.1: Revenue models in E-commerce


(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

In the advertising revenue model, a Web site that offers its users content, services, and/or products also provides a forum for advertisements and receives fees from advertisers. Those Web sites that are able to attract the greatest viewership, or that have a highly specialized, differentiated viewership and are able to retain user attention (“stickiness”), are able to charge higher advertising rates. Yahoo, for instance, derives a significant amount of revenue from search engine and other forms of online advertising.

In the subscription revenue model, a Web site that offers its users content or services charges a subscription fee for access to some or all of its offerings. For instance, the online version of Consumer Reports provides access to premium content, such as detailed ratings, reviews and recommendations, only to subscribers, who have a choice of paying a $5.95 monthly subscription fee or a $26.00 annual fee. Experience with the subscription revenue model indicates that to successfully overcome the disinclination of users to pay for content on the Web, the content offered must be perceived as a high-value-added, premium offering that is not readily available elsewhere nor easily replicated. Companies successfully offering content or services online on a subscription basis include Match.com and eHarmony (dating services), Ancestry.com (see Figure 2.1) and Genealogy.com (genealogy research), Microsoft's Xboxlive.com (video games), Rhapsody Online (music), among others.

In the transaction fee revenue model, a company receives a fee for enabling or executing a transaction. For example, eBay provides an online auction marketplace and receives a small transaction fee from a seller if the seller is successful in selling the item. E*Trade, an online stockbroker, receives transaction fees each time it executes a stock transaction on behalf of a customer.

In the sales revenue model, companies derive revenue by selling goods, information, or services to customers. Companies such as Amazon (which sells books, music, and other products), LLBean.com, and Gap.com all have sales revenue models.

In the affiliate revenue model, sites that steer business to an “affiliate” receive a referral fee or percentage of the revenue from any resulting sales. For example, MyPoints makes money by connecting companies with potential customers by offering special deals to its members. When they take advantage of an offer and make a purchase, members earn “points” they can redeem for freebies, and MyPoints receives a fee. Community feedback sites such as Epinions receive much of their revenue from steering potential customers to Web sites where they make a purchase.

(Source: Ecommerce: Business, Technology, and Society - Kenneth C. Laudon)


Element 3. Market Opportunity

The term market opportunity refers to the company’s intended marketspace (i.e., an area of actual or potential commercial value) and the overall potential financial opportunities available to the firm in that marketspace. The market opportunity is usually divided into smaller market niches. The realistic market opportunity is defined by the revenue potential in each of the market niches where you hope to compete.

For instance, let’s assume you are analyzing a software training company that creates software-learning systems for sale to corporations over the Internet. The overall size of the software training market for all market segments is approximately $70 billion. The overall market can be broken down, however, into two major market segments: instructor-led training products, which comprise about 70% of the market ($49 billion in revenue), and computer-based training, which accounts for 30% ($21 billion). There are further market niches within each of those major market segments, such as the Fortune 500 computer-based training market and the small business computer-based training market. Because the firm is a startup, it cannot compete effectively in the large business, computer-based training market (about $15 billion). Large brand-name training firms dominate this niche. The startup firm’s real market opportunity is to sell to the thousands of small business firms who spend about $6 billion on computer-based software training and who desperately need a cost-effective training solution. This is the size of the firm’s realistic market opportunity.

(Source: Ecommerce: Business, Technology, and Society - Kenneth C. Laudon)


Element 4. Competitive Environment

A firm’s competitive environment refers to the other companies selling similar products and operating in the same marketspace. It also refers to the presence of substitute products and potential new entrants to the market, as well as the power of customers and suppliers over your business. We discuss the firm’s environment later in the chapter. The competitive environment for a company is influenced by several factors: how many competitors are active, how large their operations are, what the market share of each competitor is, how profitable these firms are, and how they price their products.

Firms typically have both direct and indirect competitors. Direct competitors are those companies that sell products and services that are very similar and into the same market segment. For example, Priceline and Travelocity, both of which sell discount airline tickets online, are direct competitors because both companies sell identical products—cheap tickets. Indirect competitors are companies that may be in different industries but still compete indirectly because their products can substitute for one another. For instance, automobile manufacturers and airline companies operate in different industries, but they still compete indirectly because they offer consumers alternative means of transportation. CNN.com, a news outlet, is an indirect competitor of ESPN.com not because they sell identical products, but because they both compete for consumers’ time online.

The existence of a large number of competitors in any one segment may be a sign that the market is saturated and that it may be difficult to become profitable. On the other hand, a lack of competitors could either signal an untapped market niche ripe for the picking or a market that has already been tried without success because there is no money to be made. Analysis of the competitive environment can help you decide which it is.

Element 5. Competitive Advantage

Firms achieve a competitive advantage when they can produce a superior product and/or bring the product to market at a lower price than most, or all, of their competitors (Porter, 1985). Firms also compete on scope. Some firms can develop global markets, while other firms can only develop a national or regional market. Firms that can provide superior products at lowest cost on a global basis are truly advantaged.

Firms achieve competitive advantages because they have somehow been able to obtain differential access to the factors of production that are denied to their competitors—at least in the short term (Barney, 1991). Perhaps the firm has been able to obtain very favorable terms from suppliers, shippers, or sources of labor. Or perhaps the firm has more experienced, knowledgeable, and loyal employees than any competitors. Maybe the firm has a patent on a product that others cannot imitate, or access to investment capital through a network of former business colleagues, or a brand name and popular image that other firms cannot duplicate. An asymmetry exists whenever one participant in a market has more resources—financial backing, knowledge, information, and/or power—than other participants. Asymmetries lead to some firms having an edge over others, permitting them to come to market with better products, faster than competitors, and sometimes at lower cost.

For instance, when Steven Jobs, CEO and founder of Apple Computer, announced iTunes, a new service offering legal, downloadable individual song tracks for 99 cents a tune that would be playable on Apple iPods or Apple desktops, the company was given better than average odds of success simply because of Apple’s prior success with innovative hardware designs, and the large stable of music labels which Apple had meticulously lined up to support its online music catalog. Few competitors could match the combination of cheap, legal songs and powerful hardware to play them on.

One rather unique competitive advantage derives from being first mover. A first-mover advantage is a competitive market advantage for a firm that results from being the first into a marketplace with a serviceable product or service. If first movers develop a loyal following or a unique interface that is difficult to imitate, they can sustain their first-mover advantage for long periods (Arthur, 1996). Amazon provides a good example. However, in the history of technology-driven business innovation, most first movers lack the complementary resources needed to sustain their advantages, and often follower firms reap the largest rewards (Rigdon, 2000; Teece, 1986). Indeed, many of the success stories we discuss in this book are those of companies that were slow followers—businesses that gained knowledge from the failure of pioneering firms and entered the market late.

Some competitive advantages are called “unfair.” An unfair competitive advantage occurs when one firm develops an advantage based on a factor that other firms cannot purchase (Barney, 1991). For instance, a brand name cannot be purchased and is in that sense an “unfair” advantage. Brands are built upon loyalty, trust, reliability, and quality. Once obtained, they are difficult to copy or imitate, and they permit firms to charge premium prices for their products.

In perfect markets, there are no competitive advantages or asymmetries because all firms have access to all the factors of production (including information and knowledge) equally. However, real markets are imperfect, and asymmetries leading to competitive advantages do exist, at least in the short term. Most competitive advantages are short term, although some—such as the competitive advantage enjoyed by Coca-Cola because of the Coke brand name—can be sustained for very long periods. But not forever: Coke is increasingly being challenged by fruit, health, and unique flavor drinks.

Companies are said to leverage their competitive assets when they use their competitive advantages to achieve more advantage in surrounding markets. For instance, Amazon’s move into the online grocery business leverages the company’s huge customer database and years of e-commerce experience.

Element 6. Market Strategy

No matter how tremendous a firm’s qualities, its marketing strategy and execution are often just as important. The best business concept, or idea, will fail if it is not properly marketed to potential customers.

Everything you do to promote your company’s products and services to potential customers is known as marketing. Market strategy is the plan you put together that details exactly how you intend to enter a new market and attract new customers.

Part of FreshDirect’s strategy, for instance, is to develop close supply chain partnerships with growers and manufacturers so it purchases goods at lower prices directly from the source. This helps FreshDirect lower its prices for consumers. By partnering with suppliers that could benefit from FreshDirect’s access to consumers, FreshDirect is attempting to extend its competitive advantages.

YouTube and PhotoBucket have a social network marketing strategy which encourages users to post their content on the sites for free, build personal profile pages, contact their friends, and build a community. In these cases, the customer is the marketing staff!

Element 7. Organizational Development

Although many entrepreneurial ventures are started by one visionary individual, it is rare that one person alone can grow an idea into a multi-million dollar company. In most cases, fast-growth companies, especially e-commerce businesses, need employees and a set of business procedures. In short, all firms, new ones in particular, need an organization to efficiently implement their business plans and strategies. Many e-commerce firms and many traditional firms who attempt an e-commerce strategy have failed because they lacked the organizational structures and supportive cultural values required to support new forms of commerce (Kanter, 2001).

Companies that hope to grow and thrive need to have a plan for organizational development that describes how the company will organize the work that needs to be accomplished. Typically, work is divided into functional departments, such as production, shipping, marketing, customer support, and finance. Jobs within these functional areas are defined, and then recruitment begins for specific job titles and responsibilities. Typically, in the beginning, generalists who can perform multiple tasks are hired. As the company grows, recruiting becomes more specialized. For instance, at the outset, a business may have one marketing manager. But after two or three years of steady growth, that one marketing position may be broken down into seven separate jobs done by seven individuals.

For instance, eBay founder Pierre Omidyar started an online auction site, according to some sources, to help his girlfriend trade PEZ dispensers with other collectors, but within a few months the volume of business had far exceeded what he alone could handle. So he began hiring people with more business experience to help out. Soon the company had many employees, departments, and managers who were responsible for overseeing the various aspects of the organization.

Element 8. Management Team

Arguably, the single most important element of a business model is the management team responsible for making the model work. A strong management team gives a model instant credibility to outside investors, immediate market-specific knowledge, and experience in implementing business plans. A strong management team may not be able to salvage a weak business model, but the team should be able to change the model and redefine the business as it becomes necessary.

Eventually, most companies get to the point of having several senior executives or managers. How skilled managers are, however, can be a source of competitive advantage or disadvantage. The challenge is to find people who have both the experience and the ability to apply that experience to new situations.

To be able to identify good managers for a business startup, first consider the kinds of experiences that would be helpful to a manager joining your company. What kind of technical background is desirable? What kind of supervisory experience is necessary? How many years in a particular function should be required? What job functions should be fulfilled first: marketing, production, finance, or operations? Especially in situations where financing will be needed to get a company off the ground, do prospective senior managers have experience and contacts for raising financing from outside investors?


CATEGORIZING E-COMMERCE BUSINESS MODELS: SOME DIFFICULTIES

There are many e-commerce business models, and more are being invented every day. The number of such models is limited only by the human imagination, and our list of different business models is certainly not exhaustive. However, despite the abundance of potential models, it is possible to identify the major generic types (and subtle variations) of business models that have been developed for the e-commerce arena and describe their key features. It is important to realize, however, that there is no one correct way to categorize these business models.

Our approach is to categorize business models according to the different e-commerce sectors (B2C, B2B, C2C, etc.) in which they are utilized. You will note, however, that fundamentally similar business models may appear in more than one sector. For example, the business models of online retailers (often called e-tailers) and e-distributors are quite similar. However, they are distinguished by the market focus of the sector in which they are used. In the case of e-tailers in the B2C sector, the business model focuses on sales to the individual consumer, while in the case of the e-distributor, the business model focuses on sales to another business.

The type of e-commerce technology involved can also affect the classification of a business model. M-commerce, for instance, refers to e-commerce conducted over wireless networks. The e-tail business model can also be used in m-commerce, and while the basic business model may remain fundamentally the same as that used in the B2C sector, it will nonetheless have to be adapted to the special challenges posed by the m-commerce environment.

Finally, you will also note that some companies use multiple business models. For instance, eBay can be considered a B2C market maker. At the same time, eBay can also be considered as having a C2C business model. If eBay adopts wireless mobile computing, allowing customers to bid on auctions from their cell phone or wireless Web devices, then eBay may also be described as having a B2C m-commerce business model. We can expect many companies will have closely related B2C, B2B, and m-commerce variations on their basic business model. The purpose will be to leverage investments and assets developed with one business model into a new business model.

2.2 MAJOR BUSINESS-TO-CONSUMER (B2C) BUSINESS MODELS

Business-to-consumer (B2C) e-commerce, in which online businesses seek to reach individual consumers, is the most well-known and familiar type of e-commerce. Table 2.3 illustrates the major business models utilized in the B2C arena.

(Source: Ecommerce: Business, Technology, and Society - Kenneth C. Laudon)


MODEL 1: PORTAL

Portals such as Yahoo, MSN/Windows Live, and AOL offer users powerful Web search tools as well as an integrated package of content and services, such as news, e-mail, instant messaging, calendars, shopping, music downloads, video streaming, and more, all in one place. Initially, portals sought to be viewed as “gateways” to the Internet. Today, however, the portal business model is to be a destination site. They are marketed as places where consumers will want to start their Web searching and hopefully stay a long time to read news, find entertainment, and meet other people (think of destination resorts). Portals do not sell anything directly—or so it seems—and in that sense they can present themselves as unbiased. The market opportunity is very large: in 2008, about 173 million people in the United States had access to the Internet at work or home (eMarketer, Inc., 2008a). Portals generate revenue primarily by charging advertisers for ad placement, collecting referral fees for steering customers to other sites, and charging for premium services. AOL, MSN (in conjunction with Verizon), and Yahoo (in conjunction with AT&T)—which in addition to being portals are also Internet Service Providers (ISPs) that provide access to the Internet and the Web—add an additional revenue stream: monthly subscription fees for access.

Although there are numerous portal/search engine sites, the top five sites (Google, Yahoo, MSN/Windows Live, AOL, and Ask.com) gather more than 95% of the search engine traffic because of their superior brand recognition (Nielsen Online, 2008). Many of the top sites were among the first to appear on the Web and therefore had first-mover advantages. Being first confers advantage because customers come to trust a reliable provider and experience switching costs if they change to late arrivals in the market. By garnering a large chunk of the marketplace, first-movers—just like a single telephone network—can offer customers access to commonly shared ideas, standards, and experiences (something called network externalities that we describe in later chapters).

Yahoo, AOL, MSN/Windows Live, and others like them are considered to be horizontal portals because they define their marketspace to include all users of the Internet. Vertical portals (sometimes called vortals) attempt to provide similar services as horizontal portals, but are focused around a particular subject matter or market segment. For instance, Sailnet specializes in the consumer sailboat market, which contains about 8 million Americans who own or rent sailboats. Although the total number of vortal users may be much lower than the number of portal users, if the market segment is attractive enough, advertisers are willing to pay a premium in order to reach a targeted audience. Also, visitors to specialized niche vortals spend more money than the average Yahoo visitor. Google and Ask.com can also be considered portals of a sort, but currently focus primarily on offering search services. They generate revenues primarily from search engine advertising sales and also from affiliate referral fees. For more information, see Insight on Technology: Search, Ads, and Apps: the Future for Google (and Microsoft).

MODEL 2: E-TAILER

Online retail stores, often called e-tailers, come in all sizes, from giant Amazon to tiny local stores that have Web sites. E-tailers are similar to the typical bricks-and-mortar storefront, except that customers only have to connect to the Internet to check their inventory and place an order. Some e-tailers, which are referred to as “bricks-and-clicks,” are subsidiaries or divisions of existing physical stores and carry the same products. JCPenney, Barnes & Noble, Wal-Mart, and Staples are four examples of companies with complementary online stores. Others, however, operate only in the virtual world, without any ties to physical locations. Amazon, BlueNile.com, and Drugstore.com are examples of this type of e-tailer. Several other variations of e-tailers—such as online versions of direct mail catalogs, online malls, and manufacturer-direct online sales—also exist (Gulati and Garino, 2000).

Given that the overall retail market in the United States in 2008 is estimated to be around $4 trillion, the market opportunity for e-tailers is very large (U.S. Census Bureau, Economic and Statistics Administration, 2008). Every Internet user is a potential customer. Customers who feel time-starved are even better prospects, since they want shopping solutions that will eliminate the need to drive to the mall or store (Bellman, Lohse, and Johnson, 1999). The e-tail revenue model is product-based, with customers paying for the purchase of a particular item.

This sector is extremely competitive, however. Since barriers to entry (the total cost of entering a new marketplace) into the Web e-tail market are low, tens of thousands of small e-tail shops have sprung up on the Web. Becoming profitable and surviving is very difficult, however, for e-tailers with no prior brand name or experience. The e-tailer’s challenge is differentiating its business from existing stores and Web sites.

Companies that try to reach every online consumer are likely to deplete their resources quickly. Those that develop a niche strategy, clearly identifying their target market and its needs, are best prepared to make a profit. Keeping expenses low, selection broad, and inventory controlled are keys to success in e-tailing, with inventory being the most difficult to gauge.


MODEL 3: CONTENT PROVIDER

Although there are many different ways the Internet can be useful, “information content,” which can be defined broadly to include all forms of intellectual property, is one of the largest types of Internet usage. Intellectual property refers to all forms of human expression that can be put into a tangible medium such as text, CDs, or the Web (Fisher, 1999). Content providers distribute information content, such as digital video, music, photos, text, and artwork, over the Web. According to the Online Publishers Association, in 2005, U.S. consumers spent $2 billion for online content (Online Publishers Association, 2006). Since then, digital music, movies, and television have become an increasingly important part of the market, and are expected to generate over $3.6 billion in revenues alone during 2008 (eMarketer, Inc. 2007b; 2007c; author estimates).

Content providers make money by charging a subscription fee. For instance, in the case of Real.com’s Rhapsody Unlimited service, a monthly subscription fee provides users with access to thousands of song tracks. Other content providers, such as WSJ.com (The Wall Street Journal’s online newspaper), Harvard Business Review, and many others, charge customers for content downloads in addition to or in place of a subscription fee. Micropayment systems technology provides content providers with a cost-effective method for processing high volumes of very small monetary transactions (anywhere from $.25 to $5.00 per transaction). Micropayment systems have greatly enhanced the revenue model prospects of content providers who wish to charge by the download.

Of course, not all online content providers charge for their information: just look at Sportsline.com, CIO.com, CNN.com, and the online versions of many newspapers and magazines. Users can access news and information at these sites without paying a cent. These popular sites make money in other ways, such as through advertising and partner promotions on the site. Increasingly, however, “free content” is limited to headlines and text, whereas premium content—in-depth articles or video delivery—is sold for a fee.

Generally, the key to becoming a successful content provider is owning the content. Traditional owners of copyrighted content—publishers of books and newspapers, broadcasters of radio and television content, music publishers, and movie studios—have powerful advantages over newcomers to the Web who simply offer distribution channels and must pay for content, often at oligopolistic prices.

Some content providers, however, do not own content, but syndicate (aggregate) and then distribute content produced by others. Syndication is a major variation of the standard content provider model. Another variation here is Web aggregators, who collect information from a wide variety of sources and then add value to that information through post-aggregation services. For instance, Shopping.com collects information on the prices of thousands of goods online, analyzes the information, and presents users with tables showing the range of prices and Web locations. Shopping.com adds value to the content it aggregates, and re-sells this value to advertisers who advertise on its site (Madnick and Siegel, 2001).

Any e-commerce startup that intends to make money by providing content is likely to face difficulties unless it has a unique information source that others cannot access. For the most part, this business category is dominated by traditional content providers.

MODEL 4: TRANSACTION BROKER

Sites that process transactions for consumers normally handled in person, by phone,

or by mail are transaction brokers. The largest industries using this model are

financial services, travel services, and job placement services. The online transaction

broker’s primary value propositions are savings of money and time. In addition, most

transaction brokers provide timely information and opinions. Sites such as Monster.com

offer job searchers a national marketplace for their talents and employers a national resource

for that talent. Both employers and job seekers are attracted by the convenience and currency

of information. Online stock brokers charge commissions that are considerably less than

traditional brokers, with many offering substantial deals, such as cash and a certain number

of free trades, to lure new customers (Bakos, Lucas, et al., 2000).

Given rising consumer interest in financial planning and the stock market, the

market opportunity for online transaction brokers appears to be large. However, while

millions of customers have shifted to online brokers, many have been wary about

switching from their traditional broker who provides personal advice and a brand name.

Fears of privacy invasion and the loss of control over personal financial information

also contribute to market resistance. Consequently, the challenge for online brokers is

to overcome consumer fears by emphasizing the security and privacy measures in

place, and, like physical banks and brokerage firms, providing a broad range of financial

services and not just stock trading.

Transaction brokers make money each time a transaction occurs. Each stock

trade, for example, nets the company a fee, based either on a flat rate or a sliding scale related

to the size of the transaction. Attracting new customers and encouraging them to trade

frequently are the keys to generating more revenue for these companies. Job sites generate

listing fees from employers up front, rather than charging a fee when a position is filled.

Competition among brokers has become more fierce in the past few years, due to


new entrants offering ever more appealing offers to consumers to sign on. Those who

prospered initially were the first movers such as E*Trade, Ameritrade, Datek, and

Schwab. During the early days of e-commerce, many of these firms engaged in

expensive marketing campaigns and were willing to pay up to $400 to acquire a single

customer. However, online brokerages are now in direct competition with traditional

brokerage firms who have joined the online marketspace. Significant consolidation is

occurring in this industry. The number of job sites has also multiplied, but the largest sites

(those with the largest number of job listings) are pulling ahead of smaller niche companies.

In both industries, only a few, very large firms are likely to survive in the long term.

MODEL 5: MARKET CREATOR

Market creators build a digital environment in which buyers and sellers can meet,

display products, search for products, and establish prices. Prior to the Internet and the

Web, market creators relied on physical places to establish a market. Beginning with the

medieval marketplace and extending to today’s New York Stock Exchange, a market has

meant a physical space for transacting. There were few private digital network

marketplaces prior to the Web. The Web changed this by making it possible to separate

markets from physical space. Prime examples are Priceline, which allows consumers to set the price they are willing to pay for various travel accommodations and other products (sometimes referred to as a reverse auction), and eBay, the online auction site utilized by both businesses and consumers.

For example, eBay’s auction business model is to create a digital electronic

environment for buyers and sellers to meet, agree on a price, and transact. This is

different from transaction brokers who actually carry out the transaction for their

customers, acting as agents in larger markets. At eBay, the buyers and sellers are their

own agents. Each sale on eBay nets the company a commission based on the percentage

of the item’s sales price, in addition to a listing fee. eBay is one of the few Web sites that has

been profitable virtually from the beginning. Why? One answer is that eBay has no

inventory or production costs. It is simply a middleman.

The market opportunity for market creators is potentially vast, but only if the firm

has the financial resources and marketing plan to attract sufficient sellers and buyers to

the marketplace. At the end of June 2008, eBay had about 84.5 million active users, and

this makes for an efficient market (eBay, 2008). There are many sellers and buyers for

each type of product, sometimes for the same product, for example, laptop computer

models. New firms wishing to create a market require an aggressive branding and

awareness program to attract a sufficient critical mass of customers. Some very large


Web-based firms such as Amazon have leveraged their large customer base and started

auctions. Many other digital auctions have sprung up in smaller, more specialized vertical

market segments such as jewelry and automobiles.

In addition to marketing and branding, a company’s management team and

organization can make a difference in creating new markets, especially if some

managers have had experience in similar businesses. Speed is often the key in such

situations. The ability to become operational quickly can make the difference

between success and failure.

MODEL 6: SERVICE PROVIDER

While e-tailers sell products online, service providers offer services online. There’s

been an explosion in online services that is often unrecognized. Web 2.0 applications such

as photo sharing, video sharing, and user-generated content (in blogs and social networking

sites) are all services provided to customers. Google has led the way in developing online

applications such as Google Maps, Google Docs and Spreadsheets, and Gmail. ThinkFree

and Buzzword are online alternatives to Microsoft Word provided as services (rather

than boxed software—a product). More personal services such as online medical bill

management, financial and pension planning, and travel recommender sites are showing

strong growth.

Service providers use a variety of revenue models. Some charge a fee, or monthly

subscriptions, while others generate revenue from other sources, such as through

advertising and by collecting personal information that is useful in direct marketing. Some

services are free but are not complete. For instance, Google Apps’ basic edition is free, but a

“Premier” model with virtual conference rooms and advanced tools costs $50 per employee

a year. Much like retailers who trade products for cash, service providers trade

knowledge, expertise, and capabilities, for revenue.

Obviously, some services cannot be provided online. For example, dentistry,

medical services, plumbing, and car repair cannot be completed via the Internet.

However, online arrangements can be made for these services. Online service

providers may offer computer services, such as information storage, provide legal

services, such as at Linklaters BlueFlag, or offer advice and services to high-net worth

individuals, such as at MyCFO.com. Grocery shopping sites such as FreshDirect and

Peapod are also providing services.

To complicate matters a bit, most financial transaction brokers (described

previously) provide services such as college tuition and pension planning. Travel brokers

also provide vacation-planning services, not just transactions with airlines and hotels.


Indeed, mixing services with your products is a powerful business strategy pursued by many

hard-goods companies (for example, warranties are services). The basic value proposition

of service providers is that they offer consumers valuable, convenient, time-saving, and

low-cost alternatives to traditional service providers or—in the case of search engines

and most Web 2.0 applications—they provide services that are truly unique to the Web.

Where else can you search 50 billion Web pages, or share photos with as many other people

instantly? Research has found, for instance, that a major factor in predicting online buying

behavior is time starvation. Time-starved people tend to be busy professionals who work

long hours and simply do not have the time to pick up packages, buy groceries, send

photos, or visit with financial planners (Bellman, Lohse, and Johnson, 1999). The market

opportunity for service providers is as large as the variety of services that can be

provided and potentially is much larger than the market opportunity for physical goods. We

live in a service-based economy and society; witness the growth of fast food restaurants,

package delivery services, and wireless cellular phone services. Consumers’

increasing demand for convenience products and services bodes well for current and future

online service providers.

Marketing of service providers must allay consumer fears about hiring a vendor

online, as well as build confidence and familiarity among current and potential

customers. Building confidence and trust is critical for service providers just as it is for retail

product merchants. Kodak, for instance, has a powerful brand name over a century old,

and has translated that brand into a trusted online provider of photo services. In the

process, Kodak is transforming itself from a products-only company (cameras and paper)

into a more contemporary digital services company.

MODEL 7: COMMUNITY PROVIDER

Although community providers are not a new entity, the Internet has made such

sites for like-minded individuals to meet and converse much easier, without the

limitations of geography and time to hinder participation. Community providers are

sites that create a digital online environment where people with similar interests

can transact (buy and sell goods); share interests, photos, videos; communicate

with like-minded people; receive interest-related information; and even play out

fantasies by adopting online personalities called avatars. The social networking sites

MySpace, Facebook, Friendster, and hundreds of other smaller, niche sites such as

Doostang, Twitter, and Sportsvite, all offer users community building tools and

services.

The basic value proposition of community providers is to create a fast, convenient, one-stop site where users can focus on their most important concerns and

interests, share the experience with friends, and learn more about their own interests.

Community providers typically rely on a hybrid revenue model that includes

subscription fees, sales revenues, transaction fees, affiliate fees, and advertising fees from

other firms that are attracted by a tightly focused audience.

Community sites such as iVillage make money through affiliate relationships

with retailers and from advertising. For instance, a parent might visit Babystyle for tips on

diapering a baby and be presented with a link to Huggies.com; if the parent clicks the

link and then makes a purchase from Huggies.com, Babystyle gets a commission.

Likewise, banner ads also generate revenue. At About.com, visitors can share tips and

buy recommended books from Amazon, giving About.com a commission on every

purchase. Some of the oldest communities on the Web are Well.com, which provides a

forum for technology and Internet-related discussions, and The Motley Fool (Fool.com),

which provides financial advice, news, and opinions. The Well offers various membership

plans ranging from $10 to $15 a month. Motley Fool supports itself through ads and selling

products that start out “free” but turn into annual subscriptions.

Consumers’ interest in communities is mushrooming. Community is, arguably, the

fastest growing online activity. While many community sites have had a difficult time

becoming profitable, over time many have succeeded. Newer community sites such as

Facebook and MySpace may not be profitable at this time, but they are quickly

developing advertising revenues as their main avenue of revenue. Both the very large social

networking sites (MySpace and Facebook each have over 100 million profiles) as well as niche

sites with smaller dedicated audiences are ideal marketing and advertising territories.

Traditional online communities such as the Well, iVillage, and WebMD (which provides

medical information to members) find that breadth and depth of knowledge at a site is an important factor. Community members frequently request knowledge, guidance, and

advice. Lack of experienced personnel can severely hamper the growth of a community,

which needs facilitators and managers to keep discussions on course and relevant. For the

newer community social networking sites, the most important ingredients of success appear

to be ease and flexibility of use, and a strong customer value proposition. For instance,

Facebook has rapidly gained on its rival MySpace by encouraging users to build their own

revenue-producing applications that run on their profiles, and even take in advertising and

affiliate revenues.

Online communities benefit significantly from offline word-of-mouth, viral

marketing. Online communities tend to reflect offline relationships. When your friends


say they have a profile on Facebook, and ask you to visit, you are encouraged to build your

own online profile.

2.3 MAJOR BUSINESS TO BUSINESS (B2B) BUSINESS MODELS

In Chapter 1, we noted that business-to-business (B2B) e-commerce, in which

businesses sell to other businesses, is more than ten times the size of B2C e-commerce, even

though most of the public attention has focused on B2C. For instance, it is estimated that

revenues for all types of B2C e-commerce (including spending on online leisure travel and

digital content) in 2008 will total around $258 billion (eMarketer, Inc., 2008b), compared to

over $3.8 trillion for all types of B2B e-commerce in 2008 (U.S. Census Bureau,2008).

Clearly, most of the dollar revenues in e-commerce involve B2B e-commerce.

Much of this activity is unseen and unknown to the average consumer.

Table 2.4 lists the major business models utilized in the B2B arena.

(Source: Ecommerce: Business, Technology, and Society - Kenneth C. Laudon)


MODEL 1: E-DISTRIBUTOR

Companies that supply products and services directly to individual businesses are

e-distributors. W.W. Grainger, for example, is the largest distributor of maintenance, repair,

and operations (MRO) supplies. MRO supplies are thought of as indirect inputs to the

production process—as opposed to direct inputs. In the past, Grainger relied on catalog

sales and physical distribution centers in metropolitan areas. Its catalog of equipment

went online in 1995 at Grainger.com, giving businesses access to more than 300,000 items.

Company purchasing agents can search by type of product, such as motors, HVAC, or

fluids, or by specific brand name.

E-distributors are owned by one company seeking to serve many customers.

However, as with exchanges (described on the next page), critical mass is a factor. With e-

distributors, the more products and services a company makes available on its site, the more

attractive that site is to potential customers. One-stop shopping is always preferable to having to

visit numerous sites to locate a particular part or product.

MODEL 2: E-PROCUREMENT

Just as e-distributors provide products to other companies, e-procurement firms create

and sell access to digital electronic markets. Firms such as Ariba, for instance, have created

software that helps large firms organize their procurement process by creating mini-digital

markets for a single firm. Ariba creates custom integrated online catalogs (where supplier

firms can list their offerings) for purchasing firms. On the sell side, Ariba helps vendors sell

to large purchasers by providing software to handle catalog creation, shipping, insurance,

and finance. Both the buy and sell side software is referred to generically as “value chain

management” software.

B2B service providers make money through transaction fees, fees based on the

number of workstations using the service, or annual licensing fees. They offer purchasing

firms a sophisticated set of sourcing and supply chain management tools that permit firms to

reduce supply chain costs. In the software world, firms such as Ariba are sometimes also

called application service providers (ASPs); they are able to offer firms much lower costs

of software by achieving scale economies. Scale economies are efficiencies that result from

increasing the size of a business, for instance, when large, fixed-cost production systems (such

as factories or software systems) can be operated at full capacity with no idle time. In the case of

software, the marginal cost of a digital copy of a software program is nearly zero, and finding

additional buyers for an expensive software program is exceptionally profitable. This is much

more efficient than having every firm build its own supply chain management system, and it

permits firms such as Ariba to specialize and offer their software to firms at a cost far less


than the cost of developing it.

MODEL 3: EXCHANGES

Exchanges have garnered most of the B2B attention and early funding because of their

potential market size even though today they are a small part of the overall B2B picture. An

exchange is an independent digital electronic marketplace where hundreds of suppliers

meet a smaller number of very large commercial purchasers (Kaplan and Sawhney, 2000).

Exchanges are owned by independent, usually entrepreneurial startup firms whose business is

making a market, and they generate revenue by charging a commission or fee based on the size of

the transactions conducted among trading parties. They usually serve a single vertical industry

such as steel, polymers or aluminum, and focus on the exchange of direct inputs to production

and short-term contracts or spot purchasing. For buyers, B2B exchanges make it possible to

gather information, check out suppliers, collect prices, and keep up to date on the latest

happenings all in one place. Sellers, on the other hand, benefit from expanded access to buyers.

The greater the number of sellers and buyers, the lower the sales cost and the higher the chances

of making a sale. The ease, speed, and volume of transactions are summarily referred to as

market liquidity.

In theory, exchanges make it significantly less expensive and time-consuming to

identify potential suppliers, customers and partners, and to do business with each other. As a

result, they can lower transaction costs—the cost of making a sale or purchase. Exchanges

can also lower product costs and inventory-carrying costs—the cost of keeping a product

on hand in a warehouse. In reality, as discussed in Chapter 12, B2B exchanges have had a

difficult time convincing thousands of suppliers to move into singular digital markets where

they face powerful price competition, and an equally difficult time convincing businesses to

change their purchasing behavior away from trusted long-term trading partners. As a result,

the number of exchanges has fallen to less than 200, down from over 1,500 in 2002, although the

surviving firms have experienced some success (Ulfelder, 2004; Day, Fein, Ruppersberger,

2003). Read Insight on Business: Onvia Evolves for a look at how a former B2B high flyer has

evolved its business model in order to survive.

MODEL 4: INDUSTRY CONSORTIA

Industry consortia are industry-owned vertical marketplaces that serve specific

industries, such as the automobile, aerospace, chemical, floral, or logging industries. In

contrast, horizontal marketplaces sell specific products and services to a wide range of

companies. Vertical marketplaces supply a smaller number of companies with products

and services of specific interest to their industry, while horizontal marketplaces

supply companies in different industries with a particular type of product and service,


such as marketing-related, financial, or computing services. For example, Exostar is an online

trading exchange for the aerospace and defense industry, founded by BAE Systems, Boeing,

Lockheed Martin, Raytheon, and Rolls-Royce in 2000. Exostar connects with over 300

procurement systems in 20 different countries and has registered more than 40,000 trading

partners worldwide.

Industry consortia have tended to be more successful than independent

exchanges in part because they are sponsored by powerful, deep-pocketed industry

players, and also because they strengthen traditional purchasing behavior rather than

seek to transform it.

MODEL 5: PRIVATE INDUSTRIAL NETWORKS

Private industrial networks (sometimes referred to as private trading exchanges or

PTXs) constitute about 75% of all B2B expenditures by large firms and far exceed the

expenditures for all forms of Net marketplaces. Private industrial networks are digital

networks (often but not always Internet-based networks) designed to coordinate the flow of

communications among firms engaged in business together. For instance, Wal-Mart

operates one of the largest private industrial networks in the world for its suppliers, who

on a daily basis use Wal-Mart’s network to monitor the sales of their goods, the status of

shipments, and the actual inventory level of their goods. B2B e-commerce relies

overwhelmingly on a technology called electronic data interchange (EDI) (U.S. Census

Bureau, 2008). EDI is useful for one-to-one relationships between a single supplier and a

single purchaser, and originally was designed for proprietary networks, although it is

migrating rapidly to the Internet. Many firms have begun to supplement their EDI

systems, however, with more powerful Web technologies that can enable many-to-one,

and many-to-many market relationships where there are many suppliers selling to a

single or small group of very large purchasers, or, in the case of independent exchanges,

there may be many sellers and many buyers simultaneously in the marketplace. EDI is not

designed for these types of relationships. There are two types of private industrial networks:

single-firm networks and industry-wide networks.

Single-firm private industrial networks are the most common form of private

industrial network. These single-firm networks are owned by a single large

purchasing firm, such as Wal-Mart or Procter & Gamble. Participation is by invitation only to

trusted long-term suppliers of direct inputs. Single-firm networks typically evolve out of a

firm’s own enterprise resource planning system (ERP), and they are an effort to include

key suppliers in the firm’s own business decision making (eMarketer, Inc., 2004).

Industry-wide private industrial networks often evolve out of industry associations.


These networks are usually owned by a consortium of the large firms in an industry and

have the following goals: providing a neutral set of standards for commercial

communication over the Internet; having shared and open technology platforms for solving

industry problems; and in some cases, providing operating networks that allow members of an

entire industry to closely collaborate. To some extent, these industry-wide networks are a

response to the success of single-firm private industrial networks. For instance, Wal-Mart has

refused to open its very successful network to other members of the retail industry, in

effect to become an industry standard, for fear it will be sharing technology secrets with other

retailers like Sears.

In response, Sears and other retailers around the world have created their own set of

organizations and networks that are open to all in the industry. For instance, Agentrics is an

industry-wide private industrial network for retailers and suppliers designed to facilitate

and simplify trading among retailers, suppliers, partners, and distributors. Agentrics’

members currently include more than half of the world's top 25 retailers and over 200

suppliers from Africa, Asia, Europe, North America, and South America, with combined sales

of approximately $1.2 trillion. Agentrics provides collaborative design tools; planning and

management; negotiations and auctions; order execution; demand aggregation; worldwide

item management; worldwide logistics; and a global catalog in English, French, German, and

Spanish containing trading relationship data for member-sponsored suppliers totaling more than

30,000 items (Agentrics LLC, 2008). From this list of services and capabilities, it is clear that

industry-wide private industrial networks offer much more functionality than industry

consortia, although the two models appear to be moving closer together (Gebauer and Zagler,

2000).

2.4 BUSINESS MODELS IN EMERGING E-COMMERCE AREAS

When we think about a business, we typically think of a business firm that produces

a product or good, and then sells it to a customer. But the Web has forced us to

recognize new forms of business, such as consumer-to-consumer e-commerce, peer-

to-peer e-commerce, and m-commerce. Table 2.5 lists some of the business models that

can be found in these emerging markets.

CONSUMER-TO-CONSUMER (C2C) BUSINESS MODELS

Consumer-to-consumer (C2C) ventures provide a way for consumers to sell to each

other, with the help of an online business. The first and best example of this type of

business is eBay, utilizing a market creator business model.

Before eBay, individual consumers used garage sales, flea markets, and thrift shops to

both dispose of and acquire used merchandise. With the introduction of online auctions,


consumers no longer had to venture out of their homes or offices in order to bid on items

of interest, and sellers could relinquish expensive retail space that was no longer needed

in order to reach buyers. In return for linking like-minded buyers and sellers, eBay takes a

small commission. The more auctions, the more money eBay makes. In fact, it is one

of the few Web companies that has been profitable from day one—and has stayed so for

several years.

Consumers who don’t like auctions but still want to find used merchandise can

visit Half.com (also owned by eBay), which enables consumers to sell unwanted books,

movies, music, and games to other consumers at a fixed price. In return for facilitating the

transaction, Half.com takes a commission on the sale, ranging from

5%–15%, depending on the sale price, plus a fraction of the shipping fee it charges.

PEER-TO-PEER (P2P) BUSINESS MODELS

Like the C2C models, P2P business models link users, enabling them to share files and

computer resources without a common server. The focus in P2P companies is on helping

individuals make information available for anyone’s use by connecting users on the Web.

Historically, peer-to-peer software technology has been used to allow the sharing of

copyrighted music files in violation of digital copyright law. The challenge for P2P

ventures is to develop viable, legal business models that will enable them to make money.

In Chapter 1, we discussed the difficulties faced by Kazaa, one of the most prominent examples

of a P2P business model in action. To date, there are few if any examples of successful P2P e-

commerce business models outside of the music and content file-swapping sites. However,

one company that has successfully used this model outside those two arenas is Cloudmark,

which offers a P2P anti-spam solution called Cloudmark Desktop. Cloudmark currently protects

over 180 million e-mailboxes in 163 countries.

M-COMMERCE BUSINESS MODELS

M-commerce, short for mobile-commerce, takes traditional e-commerce models and

leverages emerging new wireless technologies—described more fully in Chapter 3— to

permit mobile access to the Web. Wireless Web technology will be used to enable the

extension of existing Web business models to service the mobile work force and consumer

of the future. Wireless networks utilize newly available bandwidth and communication

protocols to connect mobile users to the Internet. These technologies have already taken

off in Asia and Europe, and will expand greatly in the United States in a few years. The

major advantage of m-commerce is that it provides Internet access to anyone, anytime, and

anywhere, using wireless devices. The key technologies here are cell phone-based 3G

(third-generation wireless), Wi-Fi (wireless local area networks), and Bluetooth (short-range radio frequency Web devices).

There are many more cell phone subscribers (an estimated 3 billion worldwide in

2008) than there are Internet users (TIA, 2008). Cell phone usage is still considerably higher

in Asia and Europe than it is in the United States. However, in the United States, the

introduction of the iPhone in June 2007 and the 3G version in July 2008 has brought about

a resurgence of interest in 3G technologies and their potential role in e-commerce. The

standards implementing Wi-Fi were first introduced in 1997, and since then it has exploded

in the United States and elsewhere. Analysts estimate that there are around 225,000 wireless

hot spots (locations that enable a Wi-Fi–enabled device to connect to a nearby wireless

LAN and access the Internet) worldwide in 2008 (JiWire.com, 2008). Likewise, the

number of Bluetooth-enabled cell phones is also expanding exponentially. For instance,

70% of all the cell phones sold in the fourth quarter of 2007 in the United States supported

Bluetooth. Two new wireless technologies that may have an impact are Ultrawideband

(wireless USB technology), which will be able to transfer large files such as movies over

short distances, and Zigbee, which, like Bluetooth, will connect devices to each other but at

a longer range and with lower power requirements.

Despite all of the technological advancements in the last several years, mobile

commerce in the United States has been a disappointment to date. According to a 2007 report,

only 2% of the retail brands in the top 1,000 U.S. brands in 2007 operated a mobile Web

site, and in many instances, they were used purely as a marketing and branding vehicle

(Siwicki, 2007). However, with the introduction of the iPhone and other phones with

similar capabilities, this has begun to change (Figure 2.3) and a September 2008 Internet

Retailer survey found that almost 7% of Web retailers now have an m-commerce site

(Brohan, 2008). The server-side hardware and software platform is in place, and the basic

bandwidth is ready. As with all areas of e-commerce, the challenge for businesses will be

finding ways to use m-commerce to make money while serving customer needs. Currently,

demand is highest for digital content such as customized ringtones, games, and wallpaper.

With the introduction of the iPhone, mobile search applications are likely to become more

popular. Consumer applications are also beginning to appear in high-volume personal

transaction areas such as AOL’s Moviefone reservation system, eBay’s Mobile system, and

mobile payment platforms such as PayPal’s Mobile Checkout.

M-commerce business models that hope to rely on push advertising, as described in Insight on Society: Is Privacy Possible in a Wireless World?, also may face an uphill battle.

E-COMMERCE ENABLERS: THE GOLD RUSH MODEL

Of the nearly 500,000 miners who descended on California in the Gold Rush of


1849, less than 1% ever achieved significant wealth. However, the banking firms, shipping

companies, hardware companies, real estate speculators, and clothing companies such as

Levi Strauss built long-lasting fortunes. Likewise in e-commerce. No discussion of e-commerce business models would be complete without mention of a group of companies

whose business model is focused on providing the infrastructure necessary for e-

commerce companies to exist, grow, and prosper. These are the e-commerce enablers:

the Internet infrastructure companies. They provide the hardware, operating system

software, networks and communications technology, applications software, Web designs,

consulting services, and other tools that make e-commerce over the Web possible (see

Table 2.6). While these firms may not be conducting e-commerce per se (although in

many instances, e-commerce in its traditional sense is in fact one of their sales channels),

they as a group have perhaps profited the most from the development of e-commerce.

We will discuss many of these players in the following chapters.


CHAPTER 3

ELECTRONIC COMMERCE PAYMENT SYSTEMS

3.1 Definition and required factors on E-payment

3.1.1 Definition of E-payment

Today, we are in the midst of a worldwide payment revolution, with cards and electronic payments taking the place of cash and checks. The tipping point of the revolution occurred in 2003. In that year, the combined use of credit and debit cards for in-store payments for the first time exceeded the combined use of cash and checks. By 2005, debit and credit cards accounted for 55 percent of in-store payments, with cash and checks making up the rest; the shift reflects the growing use of debit cards and the decline in the use of cash. In recent years, debit card use has been spurred by a change in the U.S. Electronic Funds Transfer Act, which eliminated the requirement for merchants to issue receipts for debit purchases of $15 or less.

Similar trends have occurred in non-cash payments of recurring bills. In 2011, over 75 percent of all recurring bills were paid by paper-based methods (e.g., paper checks), whereas less than 25 percent of these payments were made electronically. Now, the percent of recurring bills paid electronically hovers around 50 percent.

For decades people have been talking about the cashless society. Although the demise of cash and checks is certainly not imminent, many individuals can live without checks and nearly without cash. In the online B2C world, they already do. Throughout the world, the overwhelming majority of online purchases are made with credit cards, although there are some countries where other payment methods prevail. For instance, consumers in Germany prefer to pay with either direct debit or bank cards, whereas those in China rely on debit cards.

For online B2C merchants, the implications of these trends are straightforward. In most countries, it is hard to run an online business without supporting credit card payments, despite the costs. It also is becoming increasingly important to support payments by debit card. Eventually, the volume of debit card payments may surpass credit card payments in the online world, as they have for offline purchases. For merchants who are interested in international markets, there is a need to support a variety of e-payment mechanisms, including bank transfers, COD, electronic checks, private label cards, gift cards, instant credit and other noncard payment systems, such as PayPal. Merchants who offer multiple payment types have lower shopping cart abandonment rates and higher order conversion, on average, resulting in increased revenues.

The payment system is an operational network - governed by laws, rules and standards - that links bank accounts and provides the functionality for monetary exchange using bank deposits. The payment system is the infrastructure (consisting of institutions, instruments, rules, procedures, standards, and technical means) established to effect the transfer of monetary value between parties discharging mutual obligations. Its technical efficiency determines the efficiency with which transaction money is used in the economy, and the risk associated with its use (http://en.wikipedia.org/wiki/Payment_system).

3.1.2 Required factors on E-payment

A crucial element in the success of any payment method is the “chicken and egg” problem: How do you get sellers to adopt a method when there are few buyers using it? And how do you get buyers to adopt a method when there are few sellers using it? A number of factors come into play in determining whether a particular method of e-payment achieves critical mass. Some of the crucial factors include the following (Evans and Schmalensee 2005):

Independence. Some forms of e-payment require specialized software or hardware to make the payment. Almost all forms of e-payment require the seller or merchant to install specialized software to receive and authorize a payment. Those e-payment methods that require the payer to install specialized components are less likely to succeed.

Interoperability and portability. All forms of EC run on specialized systems that are interlinked with other enterprise systems and applications. An e-payment method must mesh with these existing systems and applications and be supported by standard computing platforms.

Security. How safe is the transfer? What are the consequences of the transfer being compromised? Again, if the risk for the payer is higher than the risk for the payee, then the payer is not likely to accept the method.

Anonymity. Unlike credit cards and checks, if a buyer uses cash, there is no way to trace the cash back to the buyer. Some buyers want their identities and purchase patterns to remain anonymous. To succeed, special payment methods, such as e-cash, have to maintain anonymity.

Divisibility. Most sellers accept credit cards only for purchases within a minimum and maximum range. If the cost of the item is too small – only a few dollars – a credit card will not do. In addition, a credit card will not work if an item or set of items costs too much (e.g., an airline company purchasing a new airplane). Any method that can address the lower or higher end of the price continuum or that can span one of the extremes and the middle has a chance of being widely accepted.

Ease of use. For B2C payments, credit cards are the standard due to their ease of use. For B2B payments, the question is whether the online e-payment methods can supplant the existing offline methods of procurement.

Transaction fees. When a credit card is used for payment, the merchant pays a transaction fee of up to 3 percent of the item’s purchase price (above a minimum fixed fee). These fees make it prohibitive to support smaller purchases with credit cards, which leaves room for alternative forms of payment.

International support. EC is a worldwide phenomenon. A payment method must be easily adapted to local buying patterns and international requirements before it can be widely adopted.

Regulations. A number of international, federal and state regulations govern all payment methods. Even when an existing institution or association (e.g., Visa) introduces a new payment method, it faces a number of stringent regulatory hurdles. PayPal, for instance, had to contend with a number of lawsuits brought by state attorneys general that claimed that PayPal was violating state banking regulations.

3.2 Payment systems

Types of Ecommerce payment systems

3.2.1 Payment cards

Payment cards are electronic cards that contain information that can be used for payment purposes. They come in three forms:

Credit cards. A credit card provides the holder with credit to make purchases up to a limit fixed by the card issuer. Credit cards rarely have an annual fee. Instead, holders are charged high interest – the annual percentage rate – on their average daily unpaid balances. Visa, MasterCard and EuroPay are the predominant credit cards.

Charge cards. The balance on a charge card is supposed to be paid in full upon receipt of the monthly statement. Technically, holders of a charge card receive a loan for 30 to 45 days equal to the balance of this statement. Such cards usually have annual fees. American Express’s Green Card is the leading charge card, followed by the Diner’s Club card.

Debit cards. With a debit card, the money for a purchased item comes directly out of the holder’s checking account; the transfer of funds to the merchant’s account takes place within 1 to 2 days. MasterCard, Visa and EuroPay are the predominant debit cards.

Processing cards online

The processing of card payments has two major phases: authorization and settlement. Authorization determines whether a buyer’s card is active and whether the consumer has sufficient available credit line or funds. Settlement involves the transfer of money from the buyer’s to the merchant’s account. The way in which these phases actually are performed varies somewhat depending on the type of payment card. It also varies by the configuration of the system used by the merchant to process payments.

There are three basic configurations for processing online payment. The EC merchant may:

Own the payment software. A merchant can purchase a payment-processing module and integrate it with its other EC software. This module communicates with a payment gateway run by an acquiring bank or another third party.

Use a point of sale (POS) system operated by an acquirer. Merchants can redirect cardholders to a POS run by an acquirer. The POS handles the complete payment process and directs the cardholder back to the merchant site once payment is complete. In this case, the merchant system only deals with order information. In this configuration, it is important to find an acquirer that handles multiple cards and payment instruments. If not, the merchant will need to connect with a multitude of acquirers.

Use a POS operated by a payment service provider. Merchants can rely on servers operated by third parties known as Payment Service Providers (PSPs). In this case, the PSP connects with the appropriate acquirers. PSPs must be registered with the various card associations they support.

For a given type of payment card and processing system, the processes and participants are essentially the same for offline (card present) and online (card not present) purchases. Figure 3.1 compares the steps involved in making a credit card purchase both online and offline. As the exhibit demonstrates, there is very little difference between the two.

Based on the processes outlined in the figure, the key participants in processing card payments online include the following:

+ Acquiring bank. Offers a special account called an Internet Merchant Account that enables card authorization and payment processing.
+ Credit card association. The financial institution providing card services to banks (e.g., Visa, MasterCard).
+ Customer. The individual possessing the card.
+ Issuing bank. The financial institution that provides the customer with a card.
+ Merchant. A company that sells products or services.
+ Payment processing service. The service provides connectivity among merchants, customers, and financial networks that enable authorization and payments. Usually these services are operated by companies such as CyberSource (cybersource.com).
+ Processor. The data center that processes card transactions and settles funds to merchants.
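The authorization-then-settlement split described above, worked through as an added example (not code from the guidebook): a toy issuer that authorizes only active cards with enough available credit, holds the authorized amount, and moves funds to the merchant only at settlement. The class and method names and the constructed accounts are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

# Toy model of the two phases (added example, not the guidebook's code).
# The issuer answers authorization requests by checking that the card is
# active and has enough available credit, places a hold, and moves money
# only at settlement. All account data below is constructed.


@dataclass
class CardAccount:
    active: bool
    credit_limit: Decimal
    balance: Decimal = Decimal("0")             # settled (posted) charges
    holds: dict = field(default_factory=dict)   # auth code -> held amount

    def available(self):
        # Available credit = limit - posted balance - open authorization holds.
        return self.credit_limit - self.balance - sum(self.holds.values(), Decimal("0"))


class Issuer:
    def __init__(self, accounts):
        self.accounts = accounts        # card number -> CardAccount
        self.merchant_funds = {}        # merchant id -> total settled to it

    def authorize(self, card, amount):
        """Phase 1: no money moves. Returns (True, auth_code) or (False, reason)."""
        acct = self.accounts.get(card)
        if acct is None or not acct.active:
            return False, "declined: card not active"
        if amount <= 0:
            return False, "declined: invalid amount"
        if acct.available() < amount:
            return False, "declined: insufficient available credit"
        code = secrets.token_hex(4)
        acct.holds[code] = amount       # the hold reduces available credit at once
        return True, code

    def settle(self, card, auth_code, merchant, amount):
        """Phase 2: post the charge and credit the merchant.

        The settled amount may not exceed the hold, and each authorization
        can be settled only once; a partial settlement releases the rest."""
        acct = self.accounts.get(card)
        if acct is None or auth_code not in acct.holds:
            return False, "refused: no open authorization with that code"
        if amount > acct.holds[auth_code]:
            return False, "refused: amount exceeds authorized amount"
        del acct.holds[auth_code]       # hold released, settled in full or in part
        acct.balance += amount
        self.merchant_funds[merchant] = self.merchant_funds.get(merchant, Decimal("0")) + amount
        return True, "settled"

    def void(self, card, auth_code):
        """Release a hold without settling (e.g. order cancelled before shipment)."""
        acct = self.accounts.get(card)
        if acct is None or auth_code not in acct.holds:
            return False
        del acct.holds[auth_code]
        return True


def demo():
    """Walk one order through both phases and return the observations."""
    issuer = Issuer({
        "4111-0001": CardAccount(active=True, credit_limit=Decimal("100")),
        "5555-0002": CardAccount(active=False, credit_limit=Decimal("500")),
    })
    ok, code = issuer.authorize("4111-0001", Decimal("60"))
    after_auth = issuer.accounts["4111-0001"].available()            # 40: the hold counts
    second_ok, _ = issuer.authorize("4111-0001", Decimal("50"))      # declined: only 40 left
    inactive_ok, _ = issuer.authorize("5555-0002", Decimal("1"))     # declined: card inactive
    over_ok, _ = issuer.settle("4111-0001", code, "shop", Decimal("70"))     # refused: > 60
    settled_ok, _ = issuer.settle("4111-0001", code, "shop", Decimal("55"))  # partial capture
    twice_ok, _ = issuer.settle("4111-0001", code, "shop", Decimal("5"))     # refused: hold gone
    return {
        "authorized": ok,
        "available_after_auth": after_auth,
        "second_auth": second_ok,
        "inactive_auth": inactive_ok,
        "over_capture": over_ok,
        "settled": settled_ok,
        "settle_twice": twice_ok,
        "balance": issuer.accounts["4111-0001"].balance,
        "available_after_settle": issuer.accounts["4111-0001"].available(),
        "merchant_funds": issuer.merchant_funds.get("shop", Decimal("0")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```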

Figure 3.1 Credit Card Purchases: Online Versus Offline (Sources: PayPal (2004) and Lamond and Whitman (1996))

FRAUDULENT CARD TRANSACTIONS

Although the processes used for authorizing and settling card payments offline and online are very similar, there is one substantial difference between the two. In the online world, merchants are held liable for fraudulent transactions. In addition to the lost merchandise and shipping charges, merchants who accept fraudulent transactions can incur additional fees and penalties imposed by the card associations. However, these are not the only costs. There also are the costs associated with combating fraudulent transactions. These include the costs of tools and systems to review orders, the costs of manually reviewing orders, and the revenue that is lost from rejecting orders that are valid. In their 12th annual survey of fraudulent online card transactions, CyberSource (2011) indicated that “managing online fraud continues to be a significant and growing cost for merchants of all sizes.” However, for the past two years merchants have improved their fraud management performance.

For the past 12 years, CyberSource has sponsored a survey to address the detection, prevention, and management of fraud perpetrated against online merchants. CyberSource’s 2010 survey of 334 merchants documented the following trends (CyberSource 2011):

◗ Online fraud peaked in 2008 when survey respondents reported $4.0 billion in revenue losses. Total losses declined to $3.3 billion in 2009 and $2.7 billion in 2010. Likewise, the percentage of revenue lost to fraud declined from 1.4 percent of revenue in 2008 to 0.9 percent in 2010.
◗ In 2010, merchants declined to accept 2.7 percent of online orders because of a suspicion of payment fraud. This is a slight increase from the 2.4 percent that were declined in 2009 but well below the 4 percent average rejection rate prior to 2008. This represents a 1.3 percent increase in total orders accepted.
◗ The combined reduction in rejected orders and the decline in losses due to payment fraud imply that merchants are focusing less on sales conversions and reducing order rejection rates due to suspicion of fraud and more on reducing losses from fraud.
◗ In 2010, fraud risk from international orders averaged 2.1 percent, which is similar to the 2009 levels. This is approximately two times the percent for domestic orders. For this reason, the rejection rates for international orders are substantially higher than the rate for domestic orders, hovering near 7 percent on average.
◗ Certain merchants were more susceptible to fraud than others. This was due to a number of factors: the merchant’s visibility on the Web, the steps the merchant had taken to combat fraud, the ease with which the merchant’s products could be sold on the open market, and the merchant’s size. Medium-sized merchants continue to be a prime target because they have a large enough order volume to allow multiple fraud attempts and less secure environments than larger firms to detect or prevent fraud.
◗ In 2010, merchants spent about 0.2 percent of their online revenues to manage online payment fraud. This is about the same level of expenditure over the past couple years. As in the past, merchants continue to allocate the bulk of their fraud management budget to order review staff. As the number of online orders continues to increase, manual review is not a viable long-term strategy for merchants.

In addition to tracking cyberfraud trends, the CyberSource surveys also have monitored the steps taken by merchants to combat fraud. In 2010, merchants continued to use more fraud detection tools than in earlier years. In 2010, the median number of tools used by merchants was 4.6, compared with an average of 3.0 for the years leading up to 2008. Merchants are also spending more to combat fraud. The median amount spent to combat fraud in 2010 was 0.2 percent of online revenues. Most of the money was spent on review staff (47 percent), followed by third-party tools and services (31 percent) and internally developed tools (22 percent). The key tools used in combating fraud were:

◗ Address verification. Approximately 80 percent of all merchants use the Address Verification System (AVS), which compares the address entered on a Web page with the address information on file with the cardholder’s issuing bank. This method results in a number of false positives, meaning that the merchant may reject a valid order. Cardholders often have new addresses or simply make mistakes in inputting numeric street addresses or zip codes. AVS is only available in the United States and Canada.

◗ Manual review. In 2010, over 70 percent of all merchants used the manual review method, which relies on staff to manually review suspicious orders. For small merchants with a small volume of orders, this is a reasonable method. For larger merchants, this method does not scale well, is expensive, and impacts customer satisfaction. Over the past few years, large merchants have begun to recognize the limitations of this method and have substantially reduced the percentage of orders that are manually reviewed.

◗ Fraud screens and automated decision models. Larger merchants (those generating over $25 million in revenue) often use fraud screens and automated decision models. These tools are based on automated rules that determine whether a transaction should be accepted, rejected, or suspended. A key element of this method is the ability of the merchant to easily change the rules to reflect changing trends in the fraud being perpetrated against the company.

◗ Card verification number (CVN). Approximately 75 percent of all merchants use the card verification number (CVN) method, which compares the verification number printed on the signature strip on the back of the card with the information on file with the cardholder’s issuing bank. However, if a fraudster possesses a stolen card, the number is in plain view.

◗ Card association payer authentication services. In the last couple of years, the card associations have developed a new set of payer identification services (e.g., Verified by Visa and MasterCard SecureCode). These services require cardholders to register with the systems and merchants to adopt and support both the existing systems and the new systems. In 2004, it was estimated that over 55 percent of merchants would be using this method by 2005. In reality, only 23 percent of merchants in the 2010 survey indicated that they had adopted this method.

◗ Negative lists. Approximately 40 percent of all merchants use negative lists. A negative list is a file that includes a customer’s information (IP address, name, shipping/billing address, contact numbers, etc.) and the status of that customer. A customer’s transaction is matched against this file and flagged if the customer is a known problem.

The overall impact of these tools is that merchants are still rejecting a significant number of orders due to a suspicion of fraud. The problem with these rejection rates is that a number of the rejected orders are valid, resulting in lost revenue.
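The tools listed above combine naturally into the kind of fraud screen described under "Fraud screens and automated decision models". The block below is an added example, not code from the guidebook or from CyberSource: it scores constructed orders against a rule list covering AVS and CVN results, a negative list and international shipping, and returns accept, review or reject, with the rules kept as data so they can be changed without touching the scoring code. Field names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Rule-based fraud screen (added example, not the guidebook's or CyberSource's
# code). Each order is scored against rules encoding the tools discussed above:
# AVS result, CVN result, a negative list and the higher risk of international
# orders. All thresholds, weights and sample data are constructed.


@dataclass
class Order:
    order_id: str
    amount: float
    avs_result: str        # "match", "partial", "mismatch" or "unavailable" (AVS is US/Canada only)
    cvn_result: str        # "match", "mismatch" or "not_provided"
    ip_address: str
    email: str
    ship_country: str
    bill_country: str
    merchant_country: str = "US"


@dataclass
class Rule:
    name: str
    test: Callable[[Order], bool]
    points: int            # risk points added when the rule fires


# Constructed negative list: identifiers tied to earlier chargebacks.
NEGATIVE_LIST: Dict[str, Set[str]] = {
    "ip": {"203.0.113.77"},
    "email": {"chargeback@example.net"},
}


def on_negative_list(o: Order) -> bool:
    return o.ip_address in NEGATIVE_LIST["ip"] or o.email.lower() in NEGATIVE_LIST["email"]


# Weights follow the text: a negative-list hit is decisive; a CVN mismatch is
# strong; an AVS mismatch alone only earns a review because AVS produces many
# false positives (moved cardholders, typos); international orders add risk
# but are not rejected outright.
RULES: List[Rule] = [
    Rule("negative list hit", on_negative_list, 100),
    Rule("CVN mismatch", lambda o: o.cvn_result == "mismatch", 60),
    Rule("AVS mismatch", lambda o: o.avs_result == "mismatch", 40),
    Rule("AVS partial match", lambda o: o.avs_result == "partial", 10),
    Rule("international order", lambda o: o.ship_country != o.merchant_country, 25),
    Rule("ship/bill country differ", lambda o: o.ship_country != o.bill_country, 20),
    Rule("high value", lambda o: o.amount >= 500, 15),
]

REJECT_AT = 80   # score at or above this: reject automatically
REVIEW_AT = 40   # score at or above this: suspend for manual review


def screen(order: Order, rules: List[Rule] = RULES):
    """Return (decision, score, names of the rules that fired) for one order."""
    fired = [r for r in rules if r.test(order)]
    score = sum(r.points for r in fired)
    if score >= REJECT_AT:
        decision = "reject"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, [r.name for r in fired]


# Constructed sample orders (addresses from the RFC 5737 documentation ranges).
SAMPLE_ORDERS = [
    Order("A1", 49.99, "match", "match", "198.51.100.10", "alice@example.com", "US", "US"),
    Order("A2", 49.99, "mismatch", "match", "198.51.100.11", "bob@example.com", "US", "US"),
    Order("A3", 49.99, "mismatch", "mismatch", "198.51.100.12", "carol@example.com", "US", "US"),
    Order("A4", 20.00, "match", "match", "203.0.113.77", "dave@example.com", "US", "US"),
    Order("A5", 120.00, "unavailable", "match", "198.51.100.13", "erin@example.com", "DE", "DE"),
    Order("A6", 600.00, "unavailable", "match", "198.51.100.14", "frank@example.com", "FR", "DE"),
]


def screen_all(orders=SAMPLE_ORDERS, rules=RULES):
    """Map order id -> decision, so the effect of a rule change is easy to compare."""
    return {o.order_id: screen(o, rules)[0] for o in orders}


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        decision, score, fired = screen(o)
        print(f"{o.order_id}: {decision:7} score={score:3} {fired}")
    # Tightening the screen is a data change: add a rule, re-run the same orders.
    tightened = RULES + [Rule("international over 100",
                              lambda o: o.ship_country != o.merchant_country and o.amount > 100, 20)]
    print(screen_all(rules=tightened))
```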

SMART CARD

A smart card looks like a plastic payment card, but it is distinguished by the presence of an embedded microchip (see Figure 3.2). The embedded chip may be a microprocessor combined with a memory chip or just a memory chip with nonprogrammable logic. Information on a microprocessor card can be added, deleted, or otherwise manipulated; a memory-chip card is usually a “read-only” card, similar to a credit card. Although the microprocessor is capable of running programs like a computer does, it is not a stand-alone computer. The programs and data must be downloaded from and activated by some other device (such as an ATM machine).

TYPES OF SMART CARDS

There are two distinct types of smart cards. The first type is a contact card, which is activated when it is inserted into a smart card reader. The second type of card is a contactless (proximity) card, meaning that the card only has to be within a certain proximity of a smart card reader to process a transaction. Hybrid cards combine both types of cards into one.

Contact smart cards have a small gold plate about one-half inch in diameter on the front. When the card is inserted into the smart card reader, the plate makes electronic contact and data are passed to and from the chip. Contact cards can have electronically programmable, read-only memory (EPROM) or electronically erasable, programmable, read-only memory (EEPROM). EPROM cards can never be erased. Instead, data are written to the available space on the card. When the card is full, it is discarded. EEPROM cards are erasable and modifiable. They can be used until they wear out or malfunction. Most contact cards are EEPROM.

In addition to the chip, a contactless card has an embedded antenna. Data and applications are passed to and from the card through the card’s antenna to another antenna attached to a smart card reader or other device. Contactless cards are used for those applications in which the data must be processed very quickly (e.g., mass-transit applications, such as paying bus or train fares) or when contact is difficult (e.g., security-entering mechanisms to buildings). Proximity cards usually work at short range, just a few inches. For some applications, such as payments at highway tollbooths, the cards can operate at considerable distances. With hybrid and dual-interface smart cards, the two types of card interfaces are merged into one. A hybrid smart card has two separate chips embedded in the card: contact and contactless. In contrast, a dual-interface, or combi, smart card has a single chip that supports both types of interfaces. The benefit of either card is that it eliminates the need to carry multiple cards to support the various smart card readers and applications.

With both types of cards, smart card readers are crucial to the operation of the system. Technically speaking, a smart card reader is actually a read/write device. The primary purpose of the smart card reader is to act as a mediator between the card and the host system that stores application data and processes transactions. Just as there are two basic types of cards, there are two types of smart card readers—contact and proximity—which match the particular type of card. Smart card readers can be transparent, requiring a host device to operate, or stand alone, functioning independently. Smart card readers are a key element in determining the overall cost of a smart card application. Although the cost of a single reader is usually low, the cost can be quite high when hundreds or thousands are needed to service a large population of users (e.g., all the passengers traveling on a metropolitan mass transit system).

Like computers, smart cards have an underlying operating system. A smart card operating system handles file management, security, input/output (I/O), and command execution and provides an application programming interface (API). Originally, smart card operating systems were designed to run on the specific chip embedded in the card. Today, smart cards are moving toward multiple and open application operating systems such as MULTOS (multos.com) and Java Card (http://www.oracle.com/technetwork/java/javacard/overview/index.html). These operating systems enable new applications to be added during the life of the card.

Figure 3.2 Smart Card (Source: Courtesy of Visa International Service Association)

APPLICATIONS OF SMART CARDS

In many parts of the world, smart cards often are used in place of or in addition to traditional credit and debit cards. Within EC, smart cards are used in the place of standard credit cards for general retail purchases and for transit fares. They also are used to support nonretail and nonfinancial applications. A general discussion of all types of smart card applications can be found at the GlobalPlatform website (globalplatform.org).

In 2010, the global market for smart cards grew to record levels, with North America showing the biggest gains. Approximately 6 billion smart cards were shipped in 2010, as compared to 4 billion in 2008. The biggest driver underlying the growth remains its application in the financial services market where smart cards are used as banking cards, ATM, and payment cards. The largest demand for smart cards continues to come from the Asia-Pacific region.

Retail Purchases

The credit card associations and financial institutions are transitioning their traditional credit and debit cards to multiapplication smart cards. In many parts of the world, smart cards have reached mass-market adoption rates. This is especially true in Europe, where the goal was to have all bank cards be smart cards with strong authentication and digital signature capabilities by 2010.

In 2000, the European Commission established an initiative known as the Single Europe Payment Area (SEPA), encompassing 33 European countries. To bring this initiative to fruition, all the EU banks agreed to use the same basic bank card standard, enabling the use of credit and debit cards throughout the EU. The standard, EMV, is named after the three card associations that developed it (Europay, MasterCard, and Visa). It is based on smart cards with a microprocessor chip. The chip is capable of storing not only financial information, but other applications as well, such as strong authentication and digital signatures. The 33 countries have agreed to shift all their magnetic strip cards to EMV smart cards by December 2010. By April 2010, over 70 percent of the cards, 77 percent of the point of sale (POS) terminals, and 93 percent of ATM machines have been migrated (CapGemini 2010).

One benefit of smart cards versus standard cards is that they are more secure. Because they are often used to store more valuable or sensitive information (e.g., cash or medical records), smart cards often are secured against theft, fraud, or misuse. If someone steals a standard payment card, the number on the card is clearly visible, as is the owner’s signature and security code. Although it may be hard to forge the signature, in many situations only the number (and security code) is required to make a purchase. The only protection cardholders have is that there usually are limits on how much they will be held liable for (e.g., in the United States it is $50). If someone steals a stored-value card (or the owner loses it), the original owner is out of luck.

However, if someone steals a smart card, the thief is usually out of luck (with the major exception of contactless, or “wave and go,” cards used for retail purchases). Some smart cards show account numbers, but others do not. Before the card can be used, the holder may be required to enter a PIN that is matched with the card. Theoretically, it is possible to “hack” into a smart card. Most cards, however, now store information in encrypted form. The smart cards can also encrypt and decrypt data that is downloaded or read from the card. Because of these factors, the possibility of hacking into a smart card is classified as a “class 3” attack, which means that the cost of compromising the card far exceeds the benefits.

The other benefit of smart cards versus standard payment cards is that they can be extended with other payment services. In the retail arena, many of these services are aimed at those establishments where payments are usually made in cash and speed and convenience are important. This includes convenience stores, gas stations, fast-food or quick-service restaurants, and cinemas. Contactless payments exemplify this sort of value-added service.

A few years ago, the card associations began piloting contactless payment systems in retail operations where speed and convenience are crucial. All these systems utilize the existing POS and magnetic strip payment infrastructure used with traditional credit and debit cards. The only difference is that a special contactless smart card reader is required. To make a purchase, a cardholder simply waves his or her card near the terminal, and the terminal reads the financial information on the card. Data supplied by Bank of America supports the contention that contactless credit cards speed things along. The data indicate, for example, that the average contactless fast-food restaurant transaction takes 12.5 seconds, versus 26.7 seconds for the traditional credit card swipe and 33.7 seconds for cash.

In spite of their convenience, the overall uptake of contactless payment cards has been relatively slow. As an example, consider MasterCard PayPass (mastercard.com/aboutourcards/paypass.html). This is an EMV-compatible card that supports both magnetic strip and contactless payments. It was introduced in 2003 in a market trial in Orlando, Florida, and rolled out worldwide in 2005. In 2009, MasterCard issued around 66 million PayPass cards, which is approximately 20 percent of the total number of credit and debit MasterCards issued in that year. Visa’s payWave and American Express’s ExpressPay have had the same kind of uptake. Again, it is the same chicken-and-egg problem facing any new payment system.

Transit Fares

In major U.S. cities, commuters often have to drive to a parking lot, board a train, and then change to one or more subways or buses to arrive at work. If the whole trip requires a combination of cash and multiple types of tickets, this can be a major hassle. For those commuters who have a choice, the inconvenience plays a role in discouraging the use of public transportation. To eliminate the inconvenience, most major transit operators in the United States have implemented smart card fare-ticketing systems. In addition, the U.S. federal government has provided incentives to employers to subsidize the use of public transportation by their employees. In the United States, the transit systems in Washington, D.C.; Baltimore; San Francisco; Oakland; Los Angeles; Chicago; San Diego; Seattle; Minneapolis; Houston; Boston; Philadelphia; Atlanta; and the New York/New Jersey area have all instituted smart card payment systems. These systems have enabled metropolitan transit operators to move away from multiple, nonintegrated fare systems to systems that require only a single contactless card regardless of how many modes of transportation or how many transportation agencies or companies are involved.

The U.S. smart card transit programs are modeled after those used in Asia (Online File W10.1 provides an example). Like their Asian counterparts, some U.S. transit operators are looking to partner with retailers and financial institutions to combine their transit cards with payment cards to purchase goods and services such as snacks, bridge tolls, parking fees, or food in restaurants or grocery stores located near the transit stations. In addition to handling transit fares, smart cards and other e-payment systems are being used for other transportation applications. For instance, Philadelphia has retooled all its 14,500 parking meters to accept payment from prepaid smart cards issued by the Philadelphia Parking Authority (philapark.org). Similarly, many of the major toll roads in the United States and elsewhere accept electronic payments rendered by devices called transponders that operate much like contactless smart cards.

STORED-VALUE CARDS

What looks like a credit or debit card, acts like a credit or debit card, but isn’t a credit or debit card? The answer is a stored-value card. As the name implies, the monetary value of a stored-value card is preloaded on the card. From a physical and technical standpoint, a stored-value card is indistinguishable from a regular credit or debit card. It is plastic and has a magnetic strip on the back, although it may not have the cardholder’s name printed on it. The magnetic strip stores the monetary value of the card. This distinguishes a stored-value card from a smart card. With smart cards, the chip stores the value. Consumers can use stored-value cards to make purchases, offline or online, in the same way that they use credit and debit cards—relying on the same networks, encrypted communications, and electronic banking protocols. What is different about a stored-value card is that anyone can obtain one without regard to prior financial standing or having an existing bank account as collateral.


Stored-value cards come in two varieties: closed loop and open loop. Closed-loop, or

single-purpose, cards are issued by a specific merchant or merchant group (e.g., a shopping mall)

and can only be used to make purchases from that merchant or merchant group. Mall cards, store

cards, gift cards, and prepaid telephone cards are all examples of closed-loop cards. Among

closed-loop cards, gift cards have traditionally represented the strongest growth area, especially

in the United States. Until 2008, spending in the United States on gift cards was growing at a

rapid rate. In 2008, spending retreated to 2006 levels. In 2010, the estimated amount spent on gift

cards in the United States during the holiday season was around $25 billion. This was slightly

higher than the previous two holiday seasons.

In contrast to a closed-loop card, an open-loop, or multipurpose, card can be used to

make debit transactions at a variety of retailers. Open-loop cards also can be used for other purposes, such as receiving direct deposits or withdrawing cash from ATMs. Financial

institutions with card-association branding, such as Visa or MasterCard, issue some open-loop

cards. They can be used anywhere that the branded cards are accepted. Payroll cards,

government benefit cards, and prepaid debit cards are all examples of open-loop cards.

Stored-value cards may be acquired in a variety of ways. Employers or government

agencies may issue them as payroll cards or benefit cards in lieu of checks or direct deposits.

Merchants or merchant groups sell and load gift cards. Various financial institutions and

nonfinancial outlets sell preloaded cards by telephone, online, or in person. Cash, bank wire

transfers, money orders, cashiers’ checks, other credit cards, or direct payroll or government

deposits fund preloaded cards.

Stored-value cards have been and continue to be marketed heavily to the “unbanked” and the “overextended.” Approximately 100 million adults in the United States do not have credit cards or bank accounts: people with low incomes, young adults, seniors, immigrants, minorities, and others. Among those with credit cards, 40 percent are running close to their credit limits. The expectation is that these groups will be major users of prepaid cards in the future.

For example, every year individuals in the United States transfer billions of dollars to individuals in Mexico. Instead of sending money orders or cash, programs like the EasySend card from Branch Banking and Trust (BB&T) provide a more secure alternative for transferring money to relatives and friends. With the EasySend program, an individual opens a bank account, deposits money in it, and mails the EasySend card to a relative or friend, who can then withdraw cash from an ATM. When it was introduced in 2004, EasySend was focused primarily on the Hispanic community. Today, it is used by immigrant populations all over the world.


In a slightly different vein, the MasterCard MuchMusic and Visa Buxx cards provide

young people with a prepaid, preloaded card alternative to credit cards or cash. Among other

things, these alternatives provide a relatively risk-free way to teach kids fiscal responsibility.

Employers who are using payroll cards as an extension of their direct deposit programs

are driving the growth of the prepaid, preloaded card market. Like direct deposit, payroll cards

can reduce administrative overhead substantially. Payroll cards are especially useful to

companies in the health care and retail sectors and other industries where the workforce is part

time or transient and less likely to have bank accounts.

E-MICROPAYMENTS

Consider the following online shopping scenarios:

◗ A customer goes to an online music store and purchases a single song that costs 99¢.

◗ A person goes online to a leading newspaper or news journal (such as Forbes or

BusinessWeek) and purchases (downloads) a copy of an archived news article for $1.50.

◗ A person goes to an online gaming company, selects a game, and plays it for 30 minutes.

The person owes the company $3 for the playing time.

◗ A person goes to a website selling digital images and clip art. The person purchases a

couple of images at a cost of 80¢.

These are all examples of e-micropayments, which are small online payments, usually under

$10. From the viewpoint of many vendors, credit and debit cards do not work well for such small

payments. Vendors who accept credit cards typically must pay a minimum transaction fee that

ranges from 25¢ to 35¢, plus 2 to 3 percent of the purchase price. The same is true for debit

cards, where the fixed transaction fees are larger even though there are no percentage charges.

These fees are relatively insignificant for card purchases over $5, but can be cost-prohibitive for

smaller transactions. Even if the transaction costs were less onerous, a substantial percentage of

micropayment purchases are made by individuals younger than 18, many of whom do not have

credit or debit cards.

Regardless of the vendor’s point of view, there is substantial evidence, at least in the offline world, that consumers are willing to use their credit or debit cards for purchases under $5, as evidenced by the number of small card purchases made at convenience stores, quick-service restaurants, and coffee shops, and for subway fares and other transportation tolls.

In the online world, the evidence suggests that consumers are interested in making small-

value purchases, but the tie to credit or debit card payments is less direct. For example, as noted

in the opening cases, Apple’s iTunes music store celebrated its 10 billionth download in 2010. A

substantial percentage of these were downloads of single songs at 99¢ a piece. Although most of

iTunes’ customers paid for these downloads with a credit or debit card, the payments were not on


a per-transaction basis. Instead, iTunes customers set up accounts and Apple then aggregates

multiple purchases before charging a user’s credit or debit card. Other areas where consumers

have shown a willingness to purchase items under $5 are cell phone ringtones and ring-back

tones and online games. The market for ringtones and ring-back tones is in the billions of dollars.

The download of both types of tones is charged to the consumer’s cell phone bill. Similarly, the

market for online games is in the billions of dollars. Like songs and tones, the download of a

game is usually charged to the consumer’s account, which is, in turn, paid by credit or debit card.

As far back as 2000, a number of companies have attempted to address the perceived

market opportunity by providing e-micropayment solutions that circumvent the fees associated

with credit and debit cards. For the most part, the history of these companies is one of unfulfilled

promises and outright failure. Digicash, First Virtual, Cybercoin, Millicent, and Internet Dollar

are some of the e-micropayment companies that went bankrupt during the dot-com crash. A

number of factors played a role in their demise, including the fact that early users of the Internet

thought that digital content should be free.

More recently, Bitpass announced in January 2007 that it was going out of business. As late as fall 2006, Bitpass had launched a digital wallet service that enabled consumers to store online downloads of digital content and the payment method used to fund their accounts (i.e., credit cards, PayPal, or Automated Clearing House debits). Bitpass succeeded in partnering with a

large number of smaller vendors, as well as a number of larger companies, such as Disney

Online and ABC, Inc. However, it purposely focused on the sale of digital content rather than

branching out into other markets. Its narrow focus was probably a major factor in its demise.

Currently, there are five basic micropayment models that do not depend solely or directly

on credit or debit cards and that have enjoyed some amount of success. Some of these are better

suited for offline payments than online payments, although there is nothing that precludes the

application of any of the models to the online world. The models include the following

(D’Agostino 2006):

◗ Aggregation. Payments from a single consumer are batched together and processed only after a certain time period has expired (e.g., 20 business days) or a certain monetary threshold (e.g., $10) is reached. This is the model used by Apple’s iTunes. This model is well suited for vendors with a lot of repeat business.

◗ Direct payment. Micropayments are added to a monthly bill for existing services, such as a

phone bill. This is the model used by the cellular companies for ringtone downloads. The

payment service provider PaymentOne (paymentone.com) provides a network and e-

commerce platform that enable consumers to add purchases of any size to their phone bills.

They also support other micropayment options.


A similar service called Boku is offered by Paymo (paymo.com) in 50 countries around the

world. Boku enables purchases via your mobile phone number and account.

◗ Stored value. Up-front payments are made to a debit account from which purchases are

deducted as they are made. Offline vendors (e.g., Starbucks) often use this model, and music-

download services use variants of this model.

◗ Subscriptions. A single payment covers access to content for a defined period of time.

Online gaming companies often use this model, and a number of online newspapers and

journals (e.g., Wall Street Journal) also use it.

◗ À la carte. Vendors process purchases as they occur and rely on the volume of purchases to

negotiate lower credit and debit card processing fees. The Golden Tee Golf video game uses

this model, and quick-service restaurants (QSRs) such as McDonald’s and Wendy’s also use

it.

In the past few years, micropayments have come to represent a growth opportunity for the credit

card companies, because credit cards are being used increasingly as a substitute for cash. In

response, both Visa and MasterCard have lowered their fees, especially for vendors such as

McDonald’s with high transaction volumes. In August 2005, PayPal also entered the micropayment market when it announced an alternative fee structure of 5 percent plus 5¢ per transaction, in contrast to its standard fees of 1.9 to 2.9 percent plus 30¢ per transaction. The two schedules cost the same at the price p where 0.05p + 0.05 = 0.019p + 0.30, i.e., p ≈ $8.06, so for a vendor on the 1.9 percent plus 30¢ rate the alternative fee is cheaper for any item priced at roughly $8 or less. For the 2.9 percent plus 30¢ rate the break-even point is 0.05p + 0.05 = 0.029p + 0.30, i.e., p ≈ $11.90, so the alternative is cheaper for items of roughly $12 or less. Overall, the movement of the credit card companies and

PayPal into the micropayment market does not bode well for those companies that provide

specialized software and services for e-micropayments. In the long run, the credit card

companies and PayPal will dominate this market. One exception, which is discussed in this

chapter’s closing case, is the online social gaming world. Here, there are a number of new

micropayment entrants focused solely on social networks, not the broader micropayment market.

E-CHECKING

In the United States paper checks are the only payment instrument that is being used less

frequently now than 5 years ago. In contrast, e-check usage is growing rapidly. In 2009, the use

of online e-checks grew by 9 percent over the previous year, reaching 2.4 billion transactions.

Web merchants hope that e-checks will raise sales by reaching consumers who do not have credit

cards or who are unwilling to provide credit card numbers online. According to a CyberSource

survey (2008), online merchants that implement e-checks experience a 3 to 8 percent increase in

sales, on average.


An e-check is the electronic version or representation of a paper check. E-checks contain

the same information as a paper check, can be used wherever paper checks are used, and are

based on the same legal framework. An e-check works essentially the same way a paper check

works, but in pure electronic form with fewer manual steps. With an online e-check purchase, the buyer simply provides the merchant with his or her bank account number, the nine-digit ABA routing number, the bank account type (checking or savings), the name on the bank account, and the transaction amount. The account number and routing number are printed at the bottom of a paper check in magnetic ink character recognition (MICR) characters. Note that these fields are all that is needed to originate a debit against the account, so a merchant must validate them on entry and protect them in storage and transit as carefully as card numbers.
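The following is an added example, not code from the guidebook or from Authorize.Net, Fiserv or any other e-check vendor. It shows the input validation a merchant's checkout should apply to the five e-check fields before forwarding them to a gateway: the routing-number test is the standard ABA check-digit rule (weights 3, 7, 1 repeated; the weighted digit sum must be divisible by 10), while the account-number length bounds, the amount rules and the sample record are assumptions made for the illustration.

```python
"""Validation of the fields a buyer supplies for an online e-check purchase.

Added example; not code from the guidebook or any e-check vendor. The
routing-number check is the published ABA check-digit rule; the other
bounds and the sample record are assumptions for this illustration.
"""
import re
from decimal import Decimal, InvalidOperation

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

# Constructed sample record. 123456780 is not any bank's routing number;
# it is simply nine digits that satisfy the ABA checksum.
SAMPLE_ECHECK = {
    "routing_number": "123456780",
    "account_number": "000123456789",
    "account_type": "checking",
    "account_name": "A. Buyer",
    "amount": "42.50",
}


def valid_routing_number(routing):
    """True if routing is nine digits whose 3-7-1 weighted sum is divisible by 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    total = sum(int(d) * w for d, w in zip(routing, ABA_WEIGHTS))
    return total % 10 == 0


def mask_account(account):
    """Keep only the last four digits; this is all that belongs in logs or receipts."""
    return "*" * max(len(account) - 4, 0) + account[-4:]


def validate_echeck(fields):
    """Check all five fields and return (ok, errors).

    Errors are collected rather than raised so a checkout form can report
    every problem at once. The messages never echo the submitted values,
    so the error list itself is safe to write to a log.
    """
    errors = []
    routing = str(fields.get("routing_number", "")).strip()
    if not valid_routing_number(routing):
        errors.append("routing_number: must be nine digits with a valid ABA check digit")
    account = str(fields.get("account_number", "")).strip()
    # Assumed bounds: the ACH entry detail record carries a 17-character account field.
    if not re.fullmatch(r"\d{4,17}", account):
        errors.append("account_number: must be 4 to 17 digits")
    if fields.get("account_type") not in ("checking", "savings"):
        errors.append("account_type: must be 'checking' or 'savings'")
    name = str(fields.get("account_name", "")).strip()
    if not 1 <= len(name) <= 100:
        errors.append("account_name: required, at most 100 characters")
    try:
        amount = Decimal(str(fields.get("amount", "")))
        # Reject zero/negative amounts and anything finer than whole cents.
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: must be positive and expressed in whole cents")
    except InvalidOperation:
        errors.append("amount: not a valid number")
    return not errors, errors


def receipt_record(fields):
    """The subset a merchant retains once the gateway has the transaction:
    enough to identify the payment, without the full account or routing number."""
    return {
        "account_last4": mask_account(str(fields["account_number"])),
        "account_type": fields["account_type"],
        "amount": str(Decimal(str(fields["amount"])).quantize(Decimal("0.01"))),
    }
```

Usage: call `validate_echeck(form_fields)` before the transaction is transmitted (step 2 of the gateway process) and keep only `receipt_record(form_fields)` locally; the full routing and account numbers go to the gateway and nowhere else.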

E-checks rely on current business and banking practices and can be used by any business

that has a checking account, including small and midsize businesses that may not be able to afford

other forms of electronic payments (e.g., credit and debit cards). E-checks or their equivalents

also can be used with in-person purchases. In this case, the merchant takes a paper check from

the buyer at the point of purchase, uses the MICR information and the check number to complete

the transaction, and then voids and returns the check to the buyer (see Case 10.1 for a complete

description of the process).

Most businesses rely on third-party software to handle e-check payments. Fiserv

(fiserv.com), Chase Paymentech (paymentech.com), and Authorize.Net (authorize.net) are some

of the major vendors of software and systems that enable an online merchant to accept and

process electronic checks directly from a website. For the most part, these software offerings

work in the same way regardless of the vendor.

The system shown in Figure 3.3 is based on Authorize.Net and is typical of the underlying processes used to support e-checks. Basically, it is a seven-step process. First, the

merchant receives written or electronic authorization from a customer to charge his or her bank

account (step 1). Next, the merchant securely transmits the transaction information to the

Authorize.Net Payment Gateway server (step 2). The transaction is accepted or rejected based on

criteria defined by the Payment Gateway. If accepted, Authorize.Net formats the transaction

information and sends it as an ACH transaction to its bank (called the Originating Depository

Financial Institution, or ODFI) with the rest of the transactions received that day (step 3). The

ODFI receives transaction information and passes it to the ACH Network for settlement. The

Automated Clearing House (ACH) Network uses the bank account information provided with the

transaction to determine the bank that holds the customer’s account (which is known as the

Receiving Depository Financial Institution, or RDFI) (step 4). The ACH Network instructs the

RDFI to charge or refund the customer’s account (the customer is the receiver). The RDFI passes

funds from the customer’s account to the ACH Network (step 5). The ACH Network relays the

funds to the ODFI (Authorize.Net’s bank). The ODFI passes any returns to Authorize.Net (step


6). After the funds’ holding period, Authorize.Net initiates a separate ACH transaction to deposit

the e-check proceeds into the merchant’s bank account (step 7).

As Figure 3.3 illustrates, the processing of e-checks in the United States relies quite heavily

on the Automated Clearing House (ACH) Network. The ACH Network is a nationwide batch-

oriented electronic funds transfer (EFT) system that provides for the interbank clearing of

electronic payments for participating financial institutions. The Federal Reserve and Electronic

Payments Network act as ACH operators, which transmit and receive ACH payment entries.

ACH entries are of two sorts: credit and debit. An ACH credit entry credits a receiver’s account.

For example, when a consumer pays a bill sent by a company, the company is the receiver whose

account is credited. In contrast, a debit entry debits a receiver’s account. For instance, if a

consumer preauthorizes a payment to a company, then the consumer is the receiver whose

account is debited. In 2009, the ACH Network handled an estimated 18 billion transactions

worth $30 trillion (NACHA 2010).

Figure 3.3 Processing E-checks with Authorize.Net

The vast majority of these were direct payment and deposit entries (e.g., direct deposit

payroll). Only 2.4 billion of these entries were Web-based ones, although this represented a 20

percent increase from 2008 to 2009.

E-check processing provides a number of benefits:

◗ It reduces the merchant’s administrative costs by providing faster and less paper-

intensive collection of funds.


◗ It improves the efficiency of the deposit process for merchants and financial

institutions.

◗ It speeds the checkout process for consumers.

◗ It provides consumers with more information about their purchases on their account

statements.

◗ It reduces the float period and the number of checks that bounce because of

nonsufficient funds (NSFs).

MOBILE PAYMENTS

The term mobile payment refers to payment transactions initiated or confirmed using a

person’s cell phone or smartphone. Instead of paying with cash, check, or a credit or debit card, a

buyer uses a mobile phone to pay for a range of services and digital or physical goods such as:

◗ Music, videos, ringtones, online game subscriptions, or other digital goods

◗ Transportation fares (bus, subway, or train), parking meters, and other services

◗ Books, magazines, tickets, and other hard goods

Among the wireless carriers, smartphone vendors, and mobile operators, there is a strong

belief that mobile payments will emerge as a primary way to pay, potentially eliminating

dependence on credit and debit cards, as well as cash. A recent study by Juniper Research (2010)

appears to support this belief. The study estimated that the value of mobile payments for digital

and physical goods, money transfers, and near-field communications (NFC) transactions will

reach approximately $630 billion by 2014, which is a 37 percent increase from last year’s

estimate for 2013. While the bulk of the market involves the sale of digital goods (e.g., music,

tickets, and games), the growth of mobile payments for physical goods is strong and will reach

$100 billion by 2014. The rapid growth in mobile payments is the result of the widespread adoption of smartphones, the increased use of app stores (like Apple’s App Store), the increasing use of mobile payments for railway and other transportation tickets, and shopping at stores such as Amazon Mobile.

Overall, the study concluded that:

◗ The top three regions for mobile payments (Far East and China, Western Europe and

North America) will represent nearly 70 percent of the global mobile payment gross

transaction value by 2014.

◗ Vendors, retailers, merchants, content providers, mobile operators, and banks are all

actively establishing new services and programs.

◗ However, in some areas such as NFC for example, greater collaboration is required to

establish a widely accepted business model that translates easily into tangible services.


Mobile payments come in a variety of flavors including mobile proximity, remote, and POS

payments. Each of these is described in the sections that follow.

MOBILE PROXIMITY PAYMENTS

Mobile proximity payments are used for making purchases in physical stores or

transportation services. Proximity payments involve a special mobile phone equipped with an

integrated chip or smart card, a specialized reader that recognizes the chip when the chip comes

within a short distance of the reader, and a network for handling the payment. Essentially, a

buyer waves the specially equipped mobile phone near a reader to initiate a payment. For this

reason, proximity payments are also called contactless payments. Rarely is additional authentication (e.g., a PIN) required to complete a contactless transaction, which is why such systems typically cap the amount that can be approved without one. The payment could be deducted from a prepaid account or charged directly to a mobile phone or bank account.

In the United States, mobile proximity payments have only been used in a handful of

pilot projects. For instance, from January 2008 to May 2008, a select group of riders of the San

Francisco Bay Area Rapid Transit (BART) were able to pay their fares using their mobile phones

(Feig 2008). The BART project utilized near-field communication (NFC), a short-range wireless technology. Basically, the riders’ phones were outfitted with NFC-enabled chips. Likewise, NFC readers were installed

at the BART turnstiles. In this way, the riders simply tapped their phones on the NFC readers to

gain entrance through the turnstiles. The fare was then deducted via the phone from their prepaid

account. These same riders could also use their phones to pay for meals at local Jack in the Box

fast-food restaurants.

Like many other experimental EC payment systems, the BART system relied on

specialized chips, readers, and networks to handle payments. For this reason, the chances against

widespread adoption of this particular system are overwhelming, even though the pilot was

deemed a success. However, this doesn’t mean that NFC won’t form the basis of systems going

forward. In fact, recent announcements suggest that NFC may play a major role in mobile

payments in the next couple of years.

In November 2010, three major U.S. wireless carriers, Verizon, AT&T, and T-Mobile

USA, announced a joint venture called Isis to allow their customers to pay for goods and services

with their handsets. The mobile payment network uses Discover Financial Services’ (DFS)

payment network. For details, see online.wsj.com/article/

SB10001424052748704740604576301482470575092.html. This announcement was followed a

month later by an announcement from Google that its Android phones will be supporting NFC.

Finally, in January 2011 Apple announced that the next versions of its iPhones and iPads will

incorporate NFC chips. While there seems to be agreement among many U.S. firms that NFC

will play a major role in the future of EC mobile payments, there is still disagreement about the


specific readers and networks to be used. In order to make payments via NFC, an entire

ecosystem of players must cooperate. That includes network operators, handset and reader

makers, banks, credit card companies, application developers, and the like. At the moment, few

of these participants seem to be on the same page. Additionally, MasterCard and Visa are said to

be developing their own systems. About the only thing they all agree on is that mobile payments

are the wave of the future.

Outside the United States, adoption of mobile contactless payments has been much broader. For

example, in Japan approximately 50 million customers of NTT DOCOMO use mobile phones for

debit card transactions. In the future, they will also use them as credit cards. Interestingly, taxis

in Japan, Germany, and other countries are starting to install wireless systems for receiving

payments.

MOBILE REMOTE PAYMENTS

A number of initiatives have been launched to support mobile remote payments. These

initiatives offer services that enable clients and consumers to use their mobile devices to pay

their monthly bills, to shop on the Internet, to transfer funds to other individuals (P2P payments),

and to “top off ” their prepaid mobile accounts without having to purchase prepaid phone cards.

Making Mobile Payments

For each of these services, the underlying process is basically the same and includes the following steps:

1. The payer initiating the payment sets up an account with a mobile payment service provider (MPSP).

2. The user selects an item to purchase. The merchant asks for a payment.

3. To make the payment, the payer sends a text message (or a command) to the MPSP that includes the dollar amount and the receiver’s mobile phone number.

4. The MPSP receives the information and sends a message back to the payer, confirming the request and asking for the customer’s PIN.

5. The payer receives the request on his or her mobile device and enters the PIN.

6. After the MPSP verifies the payer’s PIN, it debits the payer’s account and transfers the money to the receiver’s account (credit card or bank account).

7. After the transaction completes, a confirmation of the payment is sent to the payer’s mobile device.

MOBILE POS PAYMENTS


Similar steps are used to enable merchants or service providers the opportunity to conduct POS

transactions without the need for special POS terminals. These payments have been labeled

mobile POS (mPOS) transactions. With mPOS, the merchant utilizes a special mobile service to

send a payment request from his or her mobile device to the customer’s phone number. Once the

request is received, the customer enters his or her PIN. At this point, the service sends a

confirmation to both the merchant and the customer. The transactions are completed by debiting

the customer’s account and crediting the merchant’s account. Even though the merchant is

charged transaction and communication fees by the service operator, the cost is substantially less

than a POS credit card–based transaction. These services are aimed at small businesses and

independent operators such as doctors, dentists, delivery companies, taxis, and plumbers.
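The following is an added example, not code from the guidebook or from any real mobile payment service provider. It simulates both exchanges just described in one MPSP: the remote flow, in which the payer initiates the request, and the mPOS flow, in which the merchant sends the request to the customer’s phone number and the customer confirms with a PIN. Two details a practitioner would want are shown: the PIN is held only as a salted hash and compared in constant time, and every confirmation is tied to an unguessable request reference that is discarded after use, so a captured PIN reply cannot be replayed. Phone numbers, balances, message texts and the three-attempt PIN limit are assumptions.

```python
"""Simulation of the PIN-confirmed mobile payment exchange (remote payer-initiated
and merchant-initiated mPOS). Added example; not code from the guidebook or any
real MPSP. Accounts, balances, message texts and the attempt limit are assumptions.
"""
import hashlib
import hmac
import os
import secrets

MAX_PIN_ATTEMPTS = 3  # assumed policy: cancel a request after three wrong PINs


class MPSP:
    """Holds accounts and pending requests; 'sends' messages by appending to outbox."""

    def __init__(self):
        self.balances = {}   # phone number -> balance in cents
        self.pins = {}       # phone number -> (salt, PBKDF2 hash of the PIN)
        self.pending = {}    # request reference -> request awaiting the payer's PIN
        self.outbox = []     # (phone number, message) pairs the MPSP sends out

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    # Step 1: an account holder enrols; the PIN is stored only as a salted hash.
    def enrol(self, phone, pin, balance_cents=0):
        salt = os.urandom(16)
        self.pins[phone] = (salt, self._hash_pin(pin, salt))
        self.balances[phone] = balance_cents

    # Steps 2-4: a payment request arrives (from the payer, or from the merchant
    # in the mPOS case) and the MPSP asks the payer to confirm it with the PIN.
    def request_payment(self, payer, receiver, amount_cents, initiated_by):
        if payer not in self.balances or receiver not in self.balances:
            raise ValueError("unknown account")
        if initiated_by not in (payer, receiver):
            raise ValueError("request must come from the payer or the receiver")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        ref = secrets.token_hex(8)  # unguessable; ties the PIN reply to this request only
        self.pending[ref] = {"payer": payer, "receiver": receiver,
                             "amount": amount_cents, "attempts": 0}
        self.outbox.append((payer, f"Pay {amount_cents / 100:.2f} to {receiver}? "
                                   f"Ref {ref}, requested by {initiated_by}. Reply with your PIN."))
        return ref

    # Steps 5-7: the payer replies with the PIN; the MPSP verifies it, moves the
    # money and notifies both parties. Returns a status string.
    def confirm(self, ref, pin):
        tx = self.pending.get(ref)
        if tx is None:
            return "unknown_request"  # already settled, cancelled, or never issued
        salt, stored = self.pins[tx["payer"]]
        if not hmac.compare_digest(self._hash_pin(pin, salt), stored):
            tx["attempts"] += 1
            if tx["attempts"] >= MAX_PIN_ATTEMPTS:
                del self.pending[ref]
                self.outbox.append((tx["payer"], f"Ref {ref} cancelled: too many wrong PINs."))
                return "cancelled"
            return "wrong_pin"
        if self.balances[tx["payer"]] < tx["amount"]:
            del self.pending[ref]
            self.outbox.append((tx["payer"], f"Ref {ref} declined: insufficient funds."))
            return "insufficient_funds"
        # Debit and credit together, then drop the request so the reference cannot be replayed.
        self.balances[tx["payer"]] -= tx["amount"]
        self.balances[tx["receiver"]] += tx["amount"]
        del self.pending[ref]
        for party in (tx["payer"], tx["receiver"]):
            self.outbox.append((party, f"Ref {ref}: {tx['amount'] / 100:.2f} paid "
                                       f"from {tx['payer']} to {tx['receiver']}."))
        return "settled"


def mpos_demo():
    """Merchant-initiated (mPOS) sale: the customer confirms with a PIN. Returns final balances."""
    svc = MPSP()
    svc.enrol("+15550000001", "2468", balance_cents=5000)   # customer (assumed)
    svc.enrol("+15550000002", "1357", balance_cents=0)      # plumber (assumed)
    ref = svc.request_payment(payer="+15550000001", receiver="+15550000002",
                              amount_cents=1500, initiated_by="+15550000002")
    svc.confirm(ref, "2468")
    return svc.balances
```

The remote flow uses the same calls with `initiated_by` equal to the payer. Because the PIN travels from the payer to the MPSP only, and the MPSP never echoes it, the merchant in the mPOS case learns nothing but the settlement message.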

B2B ELECTRONIC PAYMENTS

B2B payments usually are much larger and significantly more complex than the

payments made by individual consumers. The dollar values often are in the hundreds of

thousands, the purchases and payments involve multiple items and shipments, and the exchanges

are much more likely to engender disputes that require significant work to resolve. Simple e-

billing or EBPP (i.e., electronic bill presentment and payment) systems lack the rigor and

security to handle these B2B situations. This section examines the processes by which companies

present invoices and make payments to one another over the Internet.

CURRENT B2B PAYMENT PRACTICES

B2B payments are part of a much larger financial supply chain that includes procurement,

contract administration, fulfillment, financing, insurance, credit ratings, shipment validation,

order matching, payment authorization, remittance matching, and general ledger accounting.

From a buyer’s perspective, the chain encompasses the procurement-to-payment process.

From the seller’s perspective, the chain involves the order-to-cash cycle. Regardless of the

perspective, in financial supply chain management the goal is to optimize accounts payable (A/P)

and accounts receivable (A/R), cash management, working capital, transaction costs, financial

risks, and financial administration. Unlike the larger (physical) supply chain, inefficiencies still

characterize the financial supply chains of most companies. A number of factors create these

inefficiencies, including:

◗ The time required to create, transfer, and process paper documentation

◗ The cost and errors associated with manual creation and reconciliation of

documentation

◗ The lack of transparency in inventory and cash positions when goods are in the supply

chain

◗ Disputes arising from inaccurate or missing data


◗ Fragmented point solutions that do not address the complete end-to-end processes of

the trade cycle

These inefficiencies are evident especially with A/P and A/R processes where payments are still

made with paper.

The world of B2B payments continues to be slow to change. The vast majority of B2B

payments are still made by check, and the barriers to electronic payments remain essentially the same: the IT constraints posed by the difficulty of integrating various systems, the inability of trading partners to send and receive automated remittance information, and difficulty in

convincing customers and suppliers to adopt electronic payments. However, there is some

evidence that companies are beginning to move to B2B e-payments.

For example, in 2009 the number of B2B transactions on the ACH network increased 3

percent from the year before to 2 billion payments.

ENTERPRISE INVOICE PRESENTMENT AND PAYMENT

The process by which companies present invoices and make payments to one another

through the Internet is known as enterprise invoice presentment and payment (EIPP). For many

firms, presentment and payment are costly and time consuming. It can cost up to $15 to generate

a paper invoice and between $25 and $50 to resolve a disputed invoice. On the payment side, it

takes 3 to 5 days for a check to arrive by mail. This means that millions of dollars of B2B

payments are tied up in floats. This reduces the recipients’ cash flow and increases the amount

they must borrow to cover the float. In the same vein, manual billing and remittance can result in

errors, which in turn can result in disputes that hold up payments. Given that most firms handle

thousands of invoices and payments yearly, any reduction in time, cost, or errors can result in

millions of dollars of savings. Improved cash flow, customer service, and data quality, along

with reduced processing costs, are the primary reasons companies turn to EIPP.

EIPP Models

EIPP automates the workflow surrounding presentment and payment. Like EBPP, there are three EIPP models: seller direct, buyer direct, and consolidator.

Seller Direct. This solution links one seller to many buyers for invoice presentment.

Buyers navigate to the seller’s website to enroll in the seller’s EIPP program. The seller

generates invoices on the system and informs the appropriate buyers that they are ready for

viewing. The buyers log into the seller’s website to review and analyze the invoices. The buyers

may authorize invoice payment or communicate any disputes. Based on predetermined rules,

disputes may be accepted, rejected, or reviewed automatically. Once payment is authorized and

made, the seller’s financial institution processes the payment transaction. This model typically is

used when there are preestablished relationships between the seller and its buyers. If a seller


issues a large number of invoices or the invoices have a high value, then there can be a

substantial payoff from implementing an EIPP. For this reason, firms in the manufacturing,

telecommunication, utilities, health care, and financial services industries use this model often.

Buyer Direct. In this model, there is one buyer for many sellers. Sellers enroll in the buyer’s EIPP system at the buyer’s website. Sellers post invoices to the buyer’s EIPP, using the buyer’s format. Once an invoice is posted, the buyer’s staff will be notified. The buyer reviews and analyzes the invoices on the system. The buyer communicates any disputes to the appropriate seller. Based on predetermined rules, disputes may be accepted, rejected, or reviewed automatically. Once an invoice is approved, the buyer will authorize payment, which the buyer’s financial institution will process. This is an emerging model based on the buyer’s dominant position in B2B transactions. Again, it is used when the buyer’s purchases result in a high volume of invoices. Companies such as Walmart are in a strong position to institute buyer-direct EIPPs.

Consolidator. This is a many-to-many model with the consolidator acting as an intermediary, collecting or aggregating invoices from multiple sellers and payments from multiple buyers. Consolidators are generally third parties who not only provide EIPP services but also offer other financial services (e.g., insurance, escrow). In this model, the sellers and buyers register with the consolidator’s EIPP system. The sellers generate and transfer invoice information to the EIPP system. The consolidator notifies the appropriate buyer organization that the invoice is ready. The buyer reviews and analyzes the invoice. Disputes are communicated through the consolidator EIPP. Based on predetermined rules, disputes may be accepted, rejected, or reviewed automatically. Once the buyer authorizes the invoice payment, the consolidator initiates the payment. Either the buyer’s or the seller’s financial institution processes the payment.

The consolidator model eliminates the hassles associated with implementing and running an EIPP. The model has gained ground in those industries where multiple buyers rely on the same suppliers. The JPMorgan Chase Xign Business Settlement Network (jpmorgan.com/xign) and the Global eXchange Services (GXS) Trading Grid (gxs.com) are both third-party consolidators linking thousands of suppliers and buyers. Xign has more than 100,000 active suppliers in its network. GXS’s Trading Grid supports online trading among 100,000 customers in over 50 countries. Each of these networks eliminates the need for point-to-point connections between suppliers and buyers; automates core functions of the A/P process, including invoice receipt, validation, routing, dispute management, approval, and payment; and complements and integrates with the suppliers’ and buyers’ existing purchasing and procurement systems. Online File W10.2 provides a good example of the benefits of the consolidator model.
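The three models above share one invoice life cycle: presentment, buyer review, rule-based dispute handling, payment authorization, and settlement by a financial institution. The following Python sketches that life cycle as a small state machine. It is an added illustration for this section, not code from the guidebook or from any EIPP vendor; the dollar thresholds and the three "predetermined rules" for disputes (auto-accept small short-pays, route large ones to a reviewer, reject the rest) are assumptions made for the example.

```python
"""Illustrative EIPP invoice workflow with rule-based dispute handling.

Added example for this section: not code from the guidebook or from any EIPP
vendor. The dollar thresholds and the three "predetermined rules" are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    PRESENTED = "presented"        # invoice posted, buyer notified
    DISPUTED = "disputed"          # buyer has communicated a dispute
    UNDER_REVIEW = "under_review"  # dispute routed to a human reviewer
    AUTHORIZED = "authorized"      # buyer authorized payment
    PAID = "paid"                  # financial institution processed payment


# Assumed predetermined dispute rules (amounts in the invoice currency):
AUTO_ACCEPT_DELTA = 100.0     # short-pays up to this amount are accepted as-is
AUTO_REVIEW_DELTA = 10_000.0  # larger than this goes to a human reviewer
# anything in between is rejected automatically and the invoice stands


@dataclass
class Invoice:
    invoice_id: str
    seller: str
    buyer: str
    amount: float
    state: State = State.PRESENTED
    history: List[Tuple[str, str]] = field(default_factory=list)  # audit trail

    def _move(self, new_state: State, note: str) -> None:
        self.history.append((new_state.value, note))
        self.state = new_state


def _require(inv: Invoice, *states: State) -> None:
    """Guard every transition so steps cannot be skipped or replayed."""
    if inv.state not in states:
        raise ValueError(f"{inv.invoice_id}: not allowed in state {inv.state.value}")


def raise_dispute(inv: Invoice, claimed_amount: float) -> str:
    """Buyer claims the invoice should be `claimed_amount`; apply the rules.

    Returns "accepted", "rejected" or "review".
    """
    _require(inv, State.PRESENTED)
    delta = inv.amount - claimed_amount
    if delta <= 0:
        raise ValueError("a dispute must claim a lower amount than invoiced")
    inv._move(State.DISPUTED, f"buyer disputes, claims {claimed_amount:.2f}")
    if delta <= AUTO_ACCEPT_DELTA:
        inv.amount = claimed_amount
        inv._move(State.PRESENTED, f"dispute auto-accepted, amount now {inv.amount:.2f}")
        return "accepted"
    if delta > AUTO_REVIEW_DELTA:
        inv._move(State.UNDER_REVIEW, "dispute routed to manual review")
        return "review"
    inv._move(State.PRESENTED, "dispute auto-rejected, original amount stands")
    return "rejected"


def resolve_review(inv: Invoice, accept: bool, new_amount: Optional[float] = None) -> None:
    """A human reviewer settles a dispute that the rules could not decide."""
    _require(inv, State.UNDER_REVIEW)
    if accept:
        if new_amount is None:
            raise ValueError("accepting a dispute requires the agreed amount")
        inv.amount = new_amount
        inv._move(State.PRESENTED, f"reviewer accepted, amount now {new_amount:.2f}")
    else:
        inv._move(State.PRESENTED, "reviewer rejected dispute")


def authorize_payment(inv: Invoice) -> None:
    _require(inv, State.PRESENTED)
    inv._move(State.AUTHORIZED, "buyer authorized payment")


def settle(inv: Invoice) -> None:
    """The buyer's or seller's financial institution processes the payment."""
    _require(inv, State.AUTHORIZED)
    inv._move(State.PAID, "payment processed")


if __name__ == "__main__":
    inv = Invoice("INV-1001", "ACME Supplies", "Buyer Corp", 1050.0)  # constructed
    print(raise_dispute(inv, 1000.0))   # delta 50 <= 100, so "accepted"
    authorize_payment(inv)
    settle(inv)
    for step in inv.history:
        print(step)
```

The `history` list is the part worth keeping in a real system: every transition is recorded with its reason, which is what an auditor needs to see why an invoice was short-paid or who authorized it.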


EIPP Options

A variety of online options are available for making payments in an EIPP system. They differ in terms of cost, speed, auditability, accessibility, and control. The selection of a particular mechanism depends on the requirements of the buyers and sellers. Some frequently used B2B payment options follow.

ACH Network. The ACH Network is the same network that underlies the processing of e-checks. The difference is that there are three types of B2B payments, which vary by the amount of remittance information that accompanies the payments. The remittance information enables a buyer or seller to examine the details of a particular invoice or payment. The three types of ACH entries for B2B transactions are:

◗ Cash Concentration or Disbursement (CCD), which is a simple payment, usually for a single invoice, that has no accompanying remittance data and is typically initiated by the buyer, who credits the seller’s account;

◗ Cash Concentration or Disbursement with Addenda (CCD+), which is the same as a CCD payment except that it has a small amount of remittance data (up to 80 characters); and

◗ Corporate Trade Exchange (CTX), which generally is used to pay multiple invoices and has a large amount of accompanying remittance data (up to a maximum of 9,999 records of 80 characters each).

The ACH Network does not require any special hardware. The cost of the software needed to initiate ACH transactions depends on the volume of CTX transactions. High volumes of CTX transactions require a much larger investment. In addition to hardware and software costs, the buyer’s and the seller’s financial institutions also charge file, maintenance, transaction, and exception handling fees for ACH transactions.
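The three entry classes differ only in how much remittance data they can carry, so a payment system has to pick the class from the invoice count and the size of the remittance text, and refuse data that no class can hold. The Python below does exactly that with the limits the text gives (CCD: no addenda; CCD+: one 80-character record; CTX: up to 9,999 records of 80 characters). It is an added example for this section, not the guidebook's code and not the NACHA record layout; the "INV-ID*AMOUNT" remittance format and the plain 80-character chunking are assumptions made so the example runs stand-alone.

```python
"""Added example (not from the guidebook): selecting the ACH entry class for a
B2B payment and enforcing the remittance limits given in the text.

Limits from the text: CCD carries no addenda; CCD+ carries one addenda record
of up to 80 characters; CTX carries up to 9,999 addenda records of 80
characters each. The remittance text format below is an assumption made for
the example, not the NACHA record layout.
"""
from typing import Dict, List, Tuple

ADDENDA_CHARS = 80
CTX_MAX_RECORDS = 9_999


def format_remittance(invoices: Dict[str, float]) -> str:
    """Assumed free-text remittance: 'INV-ID*AMOUNT' items separated by ';'."""
    return ";".join(f"{inv_id}*{amount:.2f}" for inv_id, amount in invoices.items())


def split_addenda(remittance: str) -> List[str]:
    """Chunk remittance text into 80-character addenda records (last may be short)."""
    return [remittance[i:i + ADDENDA_CHARS]
            for i in range(0, len(remittance), ADDENDA_CHARS)]


def choose_entry_class(invoices: Dict[str, float], remittance: str) -> Tuple[str, List[str]]:
    """Return (entry class, addenda records), or raise if no class can carry the data."""
    if not invoices:
        raise ValueError("a payment must settle at least one invoice")
    records = split_addenda(remittance)
    single = len(invoices) == 1
    if single and not records:
        return "CCD", records             # plain payment, no remittance data
    if single and len(records) == 1:
        return "CCD+", records            # one addenda record of up to 80 characters
    if len(records) > CTX_MAX_RECORDS:
        raise ValueError(
            f"{len(records)} addenda records exceed the CTX limit of {CTX_MAX_RECORDS}")
    return "CTX", records                 # multiple invoices or long remittance


if __name__ == "__main__":
    one = {"INV-7": 1250.00}                                   # constructed
    many = {f"INV-{n}": 100.0 * n for n in range(1, 6)}        # constructed
    print(choose_entry_class(one, ""))                         # ('CCD', [])
    print(choose_entry_class(one, format_remittance(one)))     # ('CCD+', [...])
    print(choose_entry_class(many, format_remittance(many))[0])  # CTX
```

The boundary worth noticing is 80 versus 81 characters: one character over the CCD+ limit forces the payment into CTX, which the text says carries higher software and bank fees, so remittance text should be kept terse where a single invoice is being paid.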

Purchasing Cards. Although credit cards are the instrument of choice for B2C payments, this is not the case in the B2B marketplace. In the B2B marketplace, the major credit card companies and associations have encouraged businesses and government agencies to rely on purchasing cards instead of checks for repetitive, low-value transactions. Purchasing cards (p-cards) are special-purpose payment cards issued to a company’s employees. They are used solely for the purpose of paying for nonstrategic materials and services (e.g., stationery, office supplies, computer supplies, repair and maintenance services, courier services, and temporary labor services) up to a limit (usually $1,000 to $2,000). These purchases often represent the majority of a company’s payments but only a small percentage of the dollars spent.

Purchasing cards operate essentially the same as any other charge card and are used for both offline and online purchases. The major difference between a credit card and a purchase card is that the latter is a nonrevolving account, meaning that it needs to be paid in full each month, usually within 5 days of the end of the billing period.

Purchasing cards enable a company or government agency to consolidate the purchases of multiple cardholders into a single account and, thus, issue a single invoice that can be paid through EDI, EFT, or an e-check. This has the benefit of freeing the purchasing department from day-to-day procurement activities and from the need to deal with the reconciliation of individual invoices. With a single invoice, accounts can be settled more quickly, enabling a company or agency to take advantage of discounts associated with faster payment. A single invoice also enables a company or agency to more easily analyze the spending behavior of the cardholders. Finally, the spending limits make it easier to control unplanned purchases. Some estimates suggest that efficiencies resulting from the use of purchasing cards can reduce transaction costs from 50 percent to 90 percent. To learn more about purchasing cards, see the National Association of Purchasing Card Professionals (napcp.org) and Purchasing Card News (purchasingcardnews.co.uk).

Fedwire or Wire Transfer. Among the forms of online B2B payments, Fedwire is second only to ACH in terms of frequency of use. Fedwire, also known as wire transfer, is a funds transfer system developed and maintained by the U.S. Federal Reserve system. It typically is used with larger dollar payments where time is the critical element. The settlement of real estate transactions, the purchase of securities, and the repayment of loans are all examples of situations where Fedwire is likely to be used. When Fedwire is used, a designated Federal Reserve Bank debits the buyer’s bank account and sends a transfer order to the seller’s Federal Reserve Bank, which credits the seller’s account. All Fedwire payments are immediate and irrevocable.

Letters of Credit for Global Payments. Letters of credit often are used when global B2B payments need to be made, especially when there is substantial risk associated with the payment. A letter of credit (L/C), also called a documentary credit, is issued by a bank on behalf of a buyer (importer). It guarantees a seller (exporter) that payment for goods or services will be made, provided the terms of the L/C are met. Before the credit is issued, the buyer and seller agree on all terms and conditions in a purchase and sale contract. The buying company then instructs its bank to issue a documentary credit in accordance with the contract. A credit can be payable at sight or at term. At sight means that payment is due upon presentation of documents after shipment of the goods or after a service is provided. Alternatively, if the seller allows the buyer an additional period after presentation of documents to pay the credit (30, 60, 90 days, etc.), then the credit is payable at term. L/C arrangements usually involve a series of steps that can be conducted much faster online than offline.

For sellers, the main benefit of an L/C is reduced risk—the bank assures the creditworthiness of the buyer. For those global situations where the buyer is a resident in a country with political or financial instability, the risk can be reduced if the L/C is confirmed by a bank in the seller’s country. Reduced risk also is of benefit to buyers, who may use this fact to negotiate lower prices.


CHAPTER 4

ELECTRONIC COMMERCE FRAUD AND SECURITY

4.1 DEFINITION AND E-COMMERCE SECURITY REQUIREMENTS

4.1.1 DEFINITION OF E-COMMERCE SECURITY

If you examine different lists of management concerns regarding the use of EC (and IT), the information security issue is and has been among the top concerns. Security is considered to be the backbone of doing business over the Internet. Security-breaching incidents involving all types of organizations (including high-level, secure government agencies such as the CIA, FBI, and the military) appear on the news frequently. Few organizations or individuals have not experienced some security breaches in their computerized systems. The damages of security breaches, including crimes, can be substantial and sometimes life-threatening, as was demonstrated in the opening case.

Securing data, transactions, and privacy, and protecting people (buyers and sellers), is of utmost importance in conducting EC of any type. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. In this chapter, we will provide an overview of the information security problems and solutions as they relate to EC and IT. In this section we look at the nature of the security problems, the magnitude of the problems, and the essential terminology and strategy used in dealing with these issues.

WHAT IS EC SECURITY?

Computer security refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems (see en.wikipedia.org/wiki/Computer_security). It is a very broad field due to the many methods of attack as well as the many modes of defense. The attacks and defense of computers can affect individuals, organizations, countries, or the entire Web. Computer security aims to prevent or at least minimize the attacks. We classify computer security into two categories: generic, relating to any information system (e.g., encryption), and EC-related, such as buyers’ protection. This chapter covers both, but it emphasizes the EC-related side. Attacks on EC websites, identity theft of both individuals and organizations, and a large variety of fraud schemes, such as phishing, are described in this chapter as well.

THE STATUS OF COMPUTER SECURITY IN THE U.S.

Several private and government organizations try to assess the status of computer security in the United States annually. Notable is the annual CSI report, which is described next. No one really knows the true impact of online security breaches because, according to the Computer Security Institute (CSI, gocsi.com), only 27 percent of businesses report to legal authorities about computer intrusions. For the 2010 survey, known as the CSI Computer Crime and Security Survey, see Richardson (2010). This is an annual security survey of U.S. corporations and government agencies; financial, medical, and other institutions; and universities, conducted by the Computer Security Institute. Highlights from the 2010/2011 Security Survey, which was based on responses from over 500 participants, include the following summary points:

◗ Malware infection continues to be the most commonly seen attack.

◗ Fewer financial frauds were reported than in previous years, with only 8.7 percent saying they had seen this type of incident.

◗ Tools that improve visibility into networks, Web applications, and endpoints were ranked among the highest on information security and information technology managers’ wish lists, including better log management, security information and event management, security data visualization, and security dashboards.

◗ Of the approximately half of respondents who experienced at least one security incident last year, 45.6 percent of them reported they had been the subjects of at least one targeted attack.

◗ When asked what actions were taken following a security incident, 18.1 percent of respondents stated that they notified individuals whose personal information was breached, and 15.9 percent stated that they provided new security services to users or customers.

◗ Respondents generally said that regulatory compliance efforts have had a positive effect on their organization’s security programs.

Information security has been ranked consistently as one of the top management concerns in the United States. The major specific topics cited in various studies as most important in information security are illustrated in Exhibit. In addition to organizational security issues, there is also the issue of personal security.

Personal Security

As you will see in Section , fraud is aimed mostly against individuals. In addition, loose security may mean danger to personal safety due to sex offenders who can find victims on the Internet, fraud and identity theft, and cyberbullying.

National Security

Protection of the U.S. computer networks is in the hands of the Department of Homeland Security (DHS), which coordinates government policies for thwarting cyberthreats. It includes the following programs:

◗ Cyber Security Preparedness and the National Cyber Alert System. Computer users can stay up-to-date on cyberthreats through this program.

◗ U.S.-CERT Operations. Analyzes and combats cyberthreats and vulnerabilities.

◗ National Cyber Response Coordination Group. Comprising 13 federal agencies, it coordinates the federal response to incidents.

◗ CyberCop Portal. Coordination with law enforcement helps capture and convict those responsible for cyber attacks.

On February 9, 2009, President Obama ordered the DHS to review U.S. government cybersecurity plans.

Figure 4.1 Major EC Security Management Concerns for 2011 (in descending order of importance) (Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 495). Prentice Hall)

Security Risks for 2011–2012

According to Baseline, eWeek, and security vendors, the major security risks for the near future are:

◗ Cyberespionage and cyberwars (discussed below).

◗ Attacks on mobile assets including smartphones and other mobile devices. A particular target is the enterprise iPhone.

◗ Attacks on social networks and social software tools. User-contributed content is a major source of malware.

◗ Cybergang consolidation—underground groups are multiplying and getting bigger, especially in Internet fraud.

◗ Attacks on new technologies such as cloud computing and virtualization.

◗ Attacks on Web applications.


Cyberwars, Cyberespionage, and Cybercrimes Across Borders

In July 2009, suspected North Korean hackers launched a cyber attack against some of the most important government offices in the United States and South Korea, including the White House, the Pentagon, the New York Stock Exchange, and the Presidential Blue House in Seoul.

The attack took out some of South Korea’s most important websites, including those of the defense ministry, the national assembly, and South Korea’s top Internet portal, Naver. All in all, the websites of 11 organizations had either gone down or had access problems. The attack also targeted the U.S. Joint Strike Fighter project (only a few files were stolen). According to a CNN report (cnn.com/2009/TECH/03/29/ghostnet.cyber.espionage), nearly 1,300 computers in more than 100 countries have been attacked and have become part of a computer espionage network apparently based in China. Computers—including machines at NATO, governments, and embassies—were infected with software that lets attackers gain complete control of them. Researchers have dubbed the attacking network GhostNet. The network can not only search a computer but also see and hear the people using it. GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and Web cameras.

It resembles an attack that began a week earlier on government websites in the United States, including some that are responsible for fighting cybercrime. These are not isolated cases of cross-border cyber attacks. In February 2011, the U.S. security firm McAfee Inc. reported that Chinese hackers stole sensitive data from oil companies in the United States, Taiwan, Greece, and Kazakhstan. These attacks started in November 2009 and are increasing in magnitude. The attacks, which are still going on, are done via e-mails containing a virus sent to tens of thousands of recipients.

Types of Attacks

The attacks can be classified into two major categories:

1. Corporate espionage that plagues businesses around the world. Many attacks targeted energy-related companies. The fact that oil companies were targeted might speak more to the value of their inside information than any attempt to cause damage to pipelines (McAfee 2011). A separate report in 2010 from McAfee and the Center for Strategic and International Studies in Washington found that more than half of the 600 operators of power plants and other infrastructure surveyed said their networks were infiltrated by sophisticated adversaries.

2. Political espionage and warfare. Political espionage and even wars are increasing in magnitude. Examples: In December 2010, the Iranian nuclear program was attacked via computer programs rumored to be created by the United States and Israel. The attack was fairly successful, causing major physical damage to the nuclear program, delaying it by months or even years. The attack was perpetrated using a sophisticated computer worm named Stuxnet. It was used as a weapon created by a state to achieve a goal that it otherwise may have achieved only by multiple cruise missiles. For the implications of such warfare, see Dickye, et al. (2010).

According to the AP and the New York Times, in March 2009, a cyber spy network based mainly in China hacked into classified documents from government and private organizations in 103 countries, including the computers of the Dalai Lama and Tibetan exiles. Cyberwars are expected to grow in number and sophistication and hit larger targets. For example, in 2010, Google’s network infrastructure was attacked repeatedly in China, causing Google to discuss the possibility of leaving China. Also, in 2010, Estonia signed an agreement with NATO to create a joint cyber defense as a result of an alleged attack by Russia that caused great financial harm to Estonia via a cyberwar attack (see Murphy 2010 for details).

A final note: The motive for cross-border attacks can be financial. In January 2011, a hacker breached several government, military, and educational websites from across the globe, and put on sale the administrative access to high-profile sites such as the official Italian government website, the Department of Defense PharmacoEconomic Center, and even the U.S. Army Communications-Electronics Command. The hacker put on sale dot-gov, dot-mil, and dot-edu websites from across the globe at a price range of $55 to $499. The hacker was also offering personal information from the hacked sites at $20 for 1,000 records. For a detailed discussion on cyberwars and the state of defense readiness in the United States, see Prince (2011b). International organized crime syndicates, Al-Qaeda groups, and other cybercriminals electronically steal hundreds of millions of dollars every year. Cybercrime is easier and safer than selling drugs, dealing in black market diamonds, or robbing banks. In addition, online gambling offers easy fronts for international money laundering operations.

4.1.2 E-COMMERCE SECURITY REQUIREMENTS

To protect EC transactions, we use the following set of requirements:

◗ Authentication. Authentication is a process to verify (assure) the real identity of an entity, which could be an individual, software agent, computer program, or EC website. For transmissions, authentication verifies that the sender of the message is who the person or organization claims to be.

◗ Authorization. Authorization is the process of determining what an authenticated entity is allowed to access and what operations it is allowed to perform. Authorization of an entity occurs after authentication.

◗ Auditing. When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of recording information about what was accessed, when, and by whom is known as auditing. Audits provide the means to reconstruct what specific actions have occurred and may help EC security investigators identify the person or program that performed unauthorized actions.

◗ Availability. Technologies such as load-balancing hardware and software help ensure availability.

◗ Nonrepudiation. Closely associated with authentication is nonrepudiation, which is the assurance that online customers or trading partners will not be able to falsely deny (repudiate) their purchase, transaction, or other obligation. Nonrepudiation involves several assurances, including providing:

◗ the sender of data with proof of delivery

◗ the recipient (EC company) with proof of the sender’s identity

Authentication and nonrepudiation are potential defenses against phishing and identity theft. To protect and ensure trust in EC transactions, digital signatures or digital certificates are often used to validate the sender and time stamp of the transaction so it cannot later be claimed that the transaction was unauthorized or invalid. A technical overview of digital signatures and certificates and how they provide verification is provided in Section 9.6. Unfortunately, phishers and spammers have devised ways to compromise certain digital signatures.
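The requirements above are easier to hold apart when seen together in code. The Python below is an added example for this section, not code from the guidebook: authentication is a salted PBKDF2 password check, authorization is a role-to-operation map consulted only after authentication succeeds, and auditing is an append-only log whose entries are chained with an HMAC so that an edited or deleted entry is detectable. The users, roles, and requests are constructed for the example. One caveat on nonrepudiation: the HMAC chain only proves integrity to a holder of the key, whereas the nonrepudiation the text describes needs a public-key digital signature that a third party can verify; the standard library offers no such primitive, so it is deliberately not simulated here.

```python
"""Added example (not from the guidebook): authentication, authorization and
auditing for an EC site in stdlib Python. Users, roles and requests are
constructed. The HMAC-chained audit log gives tamper evidence to the key
holder only; true nonrepudiation needs a public-key digital signature.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000
USERS: Dict[str, dict] = {}           # username -> {salt, hash, role}
PERMISSIONS = {                       # assumed roles for an EC site
    "customer": {"view_order", "place_order"},
    "clerk": {"view_order", "refund_order"},
}
AUDIT_KEY = os.urandom(32)            # constructed; in practice kept off the app host


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def authenticate(username: str, password: str) -> bool:
    """Verify the claimed identity; constant-time compare, same cost for unknown users."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)   # avoid a timing tell for unknown names
        return False
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def authorize(username: str, operation: str) -> bool:
    """Decide what an already-authenticated entity may do."""
    return operation in PERMISSIONS.get(USERS[username]["role"], set())


class AuditLog:
    """Records who did what, when, and the outcome; entries are HMAC-chained."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _mac(entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, body, "sha256").hexdigest()

    def record(self, user: str, operation: str, outcome: str,
               ts: Optional[float] = None) -> None:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"ts": time.time() if ts is None else ts, "user": user,
                 "op": operation, "outcome": outcome, "prev": prev}
        entry["mac"] = self._mac(entry)   # binds this entry to its predecessor
        self.entries.append(entry)

    def verify(self) -> int:
        """Return the index of the first bad entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or not hmac.compare_digest(self._mac(entry), entry["mac"]):
                return i
            prev = entry["mac"]
        return -1


def handle_request(log: AuditLog, username: str, password: str, operation: str) -> str:
    """Authenticate, then authorize, logging every decision."""
    if not authenticate(username, password):
        log.record(username, operation, "auth-failed")
        return "denied: authentication"
    if not authorize(username, operation):
        log.record(username, operation, "authz-failed")
        return "denied: authorization"
    log.record(username, operation, "ok")
    return "ok"


if __name__ == "__main__":
    register("alice", "correct horse battery", "customer")   # constructed
    log = AuditLog()
    print(handle_request(log, "alice", "wrong-password", "place_order"))
    print(handle_request(log, "alice", "correct horse battery", "refund_order"))
    print(handle_request(log, "alice", "correct horse battery", "place_order"))
    print("log intact:", log.verify() == -1)
```

Failed attempts are logged as deliberately as successes: an investigator reconstructing an incident needs the denied requests, and `verify()` returning an index rather than a boolean tells them where in the log the tampering starts.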

4.2 SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

Criminals use many methods to attack information systems and users. Here, we cover some major representative methods. It’s helpful to distinguish between two types of attacks—technical (which we discuss in this section) and nontechnical (which we discuss in Section 9.4).

TECHNICAL AND NONTECHNICAL ATTACKS: AN OVERVIEW

Software and systems knowledge are used to perpetrate technical attacks. A computer virus is an example of a technical attack.

4.2.1 THE MAJOR TECHNICAL ATTACK METHODS

There are three key points of vulnerability:

• Client

• Server

• Communications pipeline

Figure 4.2 Vulnerable Points in an E-commerce Environment (Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 495). Prentice Hall)

Hackers often use several software tools readily and freely available over the Internet, together with tutorials on how to use them, in order to learn of vulnerabilities as well as attack procedures. Although some of the free tools require expertise, novice hackers can easily use many of the other tools. The major attack methods are illustrated in Exhibit 9.3 and are described briefly next.

Figure 4.3 The Major Technical Security Attack Methods (in descending order of importance) (Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 495). Prentice Hall)


BASIC SECURITY TERMINOLOGY

In the opening case and in Section 9.1, we introduced some key concepts and security terms. We begin this section by introducing alphabetically the major terms needed to understand EC security issues:

◗ Business continuity plan

◗ Cybercrime

◗ Cybercriminal

◗ Exposure

◗ Fraud

◗ Malware (malicious software)

◗ Phishing

◗ Risk

◗ Social engineering

◗ Spam

◗ Vulnerability

◗ Zombie

Definitions of these terms can be found in the margin glossary of this chapter, in webopedia.com/terms, and in cert.org (look for the glossary).

Figure 4.4 The EC Security Battleground (Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 495). Prentice Hall)


MALICIOUS CODE: VIRUSES, WORMS, AND TROJAN HORSES

Malware (or malicious software) is software designed to infiltrate or damage a computer system without the owner’s informed consent or even knowledge. Malware is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software.

Viruses

A virus is a piece of software code that inserts itself into a host, including the operating system; running its host program activates the virus. A virus has two components. First, it has a propagation mechanism by which it spreads. Second, it has a payload, which refers to what the virus does once it is executed. Sometimes a particular event triggers the virus’s execution. For instance, Michelangelo’s birth date triggered the Michelangelo virus. On April 1, 2009, the entire world was waiting for a virus named Conficker (see Brooks 2009). Fortunately, only limited attacks were reported. Some viruses simply infect and spread. Others do substantial damage (e.g., deleting files or corrupting the hard drive). Web-based malware, such as criminal attacks delivered through blogging tools, plug-ins, Flash, etc., is very popular today.

◗ E-mail carrying a virus could infect a system when the e-mail is read and subsequently spread throughout the entire organization. (Do not open unknown attachments and do not get lured in by messages such as “just for you” and “here you have.”)

◗ Network viruses could enter through unprotected ports, compromising the whole network.

◗ Web-based viruses could compromise a system during browsing and subsequently affect other internal systems. (Do not download free software unless you are 100 percent sure what it is.)

Note that virus attacks are the most frequent computer attacks. The process of a virus attack is illustrated in Figure 4.4. For tutorials and information about viruses, see microsoft.com/protect/computer/basics/virus.mspx.
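Because a file-infecting virus works by changing its host program, the defender's counterpart is a file-integrity baseline: record a cryptographic digest of every program file while the system is known-good, and later report any file whose contents changed, appeared, or disappeared. The Python below is an added example for this section, not code from the guidebook or from any antivirus product; the sample directory, its three files, and the "infection" (bytes appended to one file, a new file dropped, one file removed) are all constructed inside the script so it runs offline.

```python
"""Added example (not from the guidebook): a minimal file-integrity baseline
that detects host files modified, added or removed since the baseline was
taken. The sample files and the changes made to them are constructed here.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under `root` (relative path) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _digest(full)
    return baseline


def check_integrity(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the baseline; sorted lists for stable reports."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then append bytes to one
    (what a file-infecting virus does to its host), drop a new file in, and
    delete another. Returns the integrity report."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"app.exe": b"MZ-sample-program", "lib.dll": b"MZ-sample-library",
                   "readme.txt": b"sample notes"}                     # constructed
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        assert check_integrity(root, baseline) == {"modified": [], "added": [], "removed": []}

        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"-appended-bytes")                              # simulated host change
        with open(os.path.join(root, "dropper.tmp"), "wb") as f:
            f.write(b"new file")                                      # simulated dropped file
        os.remove(os.path.join(root, "readme.txt"))
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two practical notes: the baseline itself must be stored where the monitored host cannot rewrite it (a read-only medium or a separate host), or a virus that can alter `app.exe` can alter the baseline too; and legitimate patching changes digests as well, so a report of "modified" is a prompt to reconcile against a change record, not proof of infection by itself.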

Note that in the Microsoft tutorials you will learn how to identify a computer virus, how to know if you are infected, and how to protect yourself against viruses.

Worms

Special variations of viruses are worms and Trojan horses. Unlike a virus, a worm can spread itself without any human intervention. Worms use networks to propagate and infect a computer or handheld device (e.g., cell phone) and can even spread via instant messages. Also, unlike viruses, which generally are confined within a target computer, a worm’s ability to self-propagate can degrade network performance. Worms consist of a set of common base elements: a warhead, a propagation engine, a payload, a target-selection algorithm, and a scanning engine. The warhead is the piece of code in a worm that exploits some known vulnerability. A huge number of worms have been spread all over the Internet. In December 2008, the Koobface worm attacked Facebook, MySpace, and other social networks. It created bogus links that looked innocent, but when you clicked them, it gave hackers access to sensitive personal data.

Macro Viruses and Microworms. A macro virus (macro worm) is executed when the application object that contains the macro is opened or a particular procedure is executed. Because worms spread much more rapidly than viruses, organizations need to proactively track new vulnerabilities and apply system patches as a defense against their spread.

Trojan Horse

A Trojan horse is a program that appears to have a useful function but contains a hidden function that presents a security risk. The name is derived from the Trojan horse in Greek mythology. Legend has it that during the Trojan War the city of Troy was presented with a large wooden horse as a gift to the goddess Athena. The Trojans hauled the horse inside the city gates. During the night, Greek soldiers who were hiding in the hollow horse opened the gates of Troy and let in the Greek army. The army was able to take the city and win the war. There are many variations of Trojan horse programs. The programs of interest are those that make it possible for someone else to access and control a person’s computer over the Internet. This type of Trojan horse has two parts: a server and a client. The server is the program that runs on the computer under attack. The client program is the program used by the person perpetrating the attack. For example, a dangerous Trojan is Zeus, which spreads by a large botnet. It uses keystroke logging to steal financial information (see Falliere and Chien 2009). Another example, the Girlfriend Trojan, is a server program that arrives in the form of a file that looks like an interesting game or program. When the unsuspecting user runs the program, the user unknowingly installs the Trojan program. The installed program executes every time the user turns on the attacked computer. The server simply waits for the associated client program to send a command. This particular Trojan horse enables the perpetrator to capture user IDs and passwords, to display messages on the affected computer, to delete and upload files, and so on. Trojan threats are spread in many ways (e.g., under the guise of Verizon messages). Two examples follow:

Example 1. Spyware researchers at Webroot Software uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan program the company named Trojan-Phisher-Rebery (Roberts 2006). The Rebery malicious software is an example of a banking Trojan, which is programmed to come to life when computer owners visit one of a number of online banking sites.


Figure 4.5 How a computer can spread

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 468). Prentice Hall)

Example 2. Bank of America has more than 20 million customers online and processes

more transactions online than it does in all of its physical banking centers. According to Gage

(2006), Ahlo, a Miami wholesaler of ink and toner cartridges, sued Bank of America for being

responsible for an unauthorized transfer of more than $90,000 from Ahlo’s account to a bank in

Latvia. A Coreflood Trojan infected the company’s PC. The Trojan was spread by a phishing

attack—fraudulent e-mails that tricked bank customers into giving up their account information

and infecting their computers with malware that logged keystrokes. (The bank does not discuss

individual phishing attempts but posted information on its website,

bofa.com/privacy/pdf/fin_security.pdf, to educate customers about online fraud.) In 2010,

researchers developed antivirus products that are based on cloud technologies that were

successful in blocking Trojans. However, in 2011 Microsoft discovered a Chinese Trojan called

Bohu that neuters cloud-based products. Note that as of 2008, criminals moved from e-mail

attacks (e.g., viruses, spam) to sophisticated Web-based attacks. Targeting weaknesses in server-

based applications such as Web 2.0 tools and client-side browser plug-ins including Flash has

allowed malware to be installed when a user simply visits a Web page.


DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

DENIAL OF SERVICE (DOS)

A denial-of-service (DoS) attack is an attack in which a large number of requests for service or access to a site bombard a system, which causes it to crash or become unable to respond in time. In a DoS attack, an attacker uses specialized software to send a flood of data packets to the target computer, with the aim of overloading its resources. Many attackers rely on software created by other hackers, which is available over the Internet for free, rather than developing it themselves. A common method is the use of zombie PCs to launch DoS attacks. Some of the cyberwar attacks on the United States and Korean institutions (see Section 4.1) involved DoS. DoS attackers also target social networks, especially Facebook and Twitter (see Bradley 2009). DoS attacks can be difficult to stop. Fortunately (or unfortunately), they are so commonplace that over the past few years the security community has developed a series of steps for combating these costly attacks. For comprehensive coverage, see en.wikipedia.org/wiki/Denial_of_service_attack.
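As an added illustration (this code is not from the guidebook or from Turban and King), the following Python script shows how a web server's access log can be checked for the two flood patterns described above: a single client hammering the site, and a distributed flood in which many zombie PCs each send only a little. The log lines are constructed, and the window size and thresholds are assumptions that a real deployment would tune to its normal traffic.

```python
"""Flagging request floods in web server access logs.

Added example; not code from the guidebook or from Turban and King.
The log lines below are constructed in Common Log Format using the
documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client IP, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {"ip", "ts", "req"} for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req")}


def detect_floods(lines, window_seconds=10, per_source_threshold=20, total_threshold=50):
    """Bucket requests into fixed windows and look for two flood patterns.

    single_source: one client alone exceeds per_source_threshold in a window
                   (classic DoS from one machine, blockable by address).
    distributed:   the window total exceeds total_threshold although no single
                   client is loud (the DDoS pattern produced by zombie PCs).
    """
    buckets = defaultdict(lambda: defaultdict(int))  # window start -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # untrusted log input: skip malformed lines rather than crash
        epoch = int(rec["ts"].timestamp())
        window = epoch - epoch % window_seconds
        buckets[window][rec["ip"]] += 1

    single_source, distributed = set(), []
    for window, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        heavy = {ip for ip, n in per_ip.items() if n >= per_source_threshold}
        single_source |= heavy
        if total >= total_threshold and not heavy:
            distributed.append((window, len(per_ip), total))
    return {"single_source": sorted(single_source), "distributed": distributed}


def make_line(ip, ts, path="/checkout"):
    """Build one constructed log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


BASE = datetime(2013, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Normal traffic: three shoppers, three requests each, spread over a minute.
for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
    for k in range(3):
        SAMPLE_LOG.append(make_line(ip, BASE + timedelta(seconds=20 * i + 5 * k)))
# Single-source flood: one client sends 40 requests in two seconds.
for k in range(40):
    SAMPLE_LOG.append(make_line("203.0.113.7", BASE + timedelta(minutes=2, milliseconds=50 * k)))
# Distributed flood: 60 zombie PCs, one request each, inside the same window.
for k in range(60):
    SAMPLE_LOG.append(make_line(f"198.51.100.{k + 1}", BASE + timedelta(minutes=4, milliseconds=100 * k)))
SAMPLE_LOG.append("garbage that is not a log line")  # exercises the malformed-line path

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))
```

Running it reports one single-source offender and one window in which 60 distinct clients appeared. The point for defenders is that the first pattern can be handled by blocking one address, while the second cannot, which is why DDoS mitigation relies on spare capacity, upstream filtering and rate limiting rather than on a blocklist.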

WEB SERVER AND WEB PAGE HIJACKING

Page hijacking is achieved by creating a rogue copy of a popular website that shows

contents similar to the original. Once there, an unsuspecting user is redirected to malicious

websites. Spammers can use this technique to achieve high rankings in result pages for certain

keywords; so, more people will come to the site. Scammers and phishers can use the rogue copy

to steal information and even money. For details, see

en.wikipedia.org/wiki/Web_page_hijacking.

BOTNETS

A botnet refers to a huge number (as many as hundreds of thousands) of hijacked Internet

computers that have been set up to run autonomously and automatically. It can be used to

forward traffic, including spam and viruses (recall the opening case), to other computers on the

Internet. An infected computer is referred to as a computer robot, or bot. Botmasters, or bot

herders, control botnets. The combined power of these coordinated networks of computers can

scan for and compromise other computers and perpetrate DoS or other attacks. Botnets are used

in scams, spams, and frauds. Botnets appear in different forms (e.g., see the opening case) and

can be worms or viruses. Notable botnets include Srizbi, Cutwail, Torpig, and Conficker.

4.2.2 THE MAJOR NON-TECHNICAL ATTACK METHODS

Non-technical attacks are those in which a perpetrator uses some form of deception or persuasion to trick people into revealing information or performing actions that can compromise the security of a network. We include in these financial fraud, spam, social engineering, phishing, and other fraud methods. The goals of social engineering are to gain unauthorized access to systems or information. Phishing attacks rely on social engineering.

SOCIAL ENGINEERING AND FRAUD

Social engineering is the act of psychologically or socially manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. The major social engineering methods are: phishing (several submethods), pretexting, and diversion theft. For details, see en.wikipedia.org/wiki/Social_engineering_(security). Once information is obtained from a victim (e.g., via phishing) it is used for committing a crime.

As you can see in the exhibit, phishers (or other criminals) obtain confidential

information by methods ranging from social engineering to physical theft. The stolen

information (e.g., credit card numbers, social security numbers) is used by thieves to commit

financial fraud or is sold in the underground Internet marketplace to another set of criminals,

who then use the information to conduct financial crimes. In this section, we will describe how

such systems work with phishing.

SOCIAL PHISHING

In the field of computer security, phishing is defined as the criminal, fraudulent process of attempting to acquire confidential information such as user names, passwords, and credit card details by masquerading as a trustworthy entity such as a well-known bank, credit card company, a friend, a large social network, or a telecommunication company. This is done usually via e-mail or IM. Phishing typically directs users to enter details at a fake (e.g., hijacked) website that looks and feels almost identical to a legitimate one. Even when using server authentication, it may require skill to detect that the website is fake. For a discussion of what phishing is and how to recognize it, see ehow.com/how_5361193_recognize-phishing-scams.html.

Online shoppers and those conducting transactions electronically are attractive targets because they typically have higher incomes. Phishers, electronic shoplifters, con artists, and scammers stalk online shoppers because these cyber cons want shoppers’ money or their confidential information—today’s most valuable form of international currency.
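The text notes that a phishing site can be hard to tell from the real one by eye. A check that does not rely on the eye is to look at where each link in a message actually leads. The following Python example is added here (it is not from the guidebook or from Turban and King); the allowlist of legitimate domains and the sample message are constructed, and its notion of a "registrable domain" is a simplification noted in the code.

```python
"""Checking where the links in a message actually lead.

Added example; not from the guidebook or from Turban and King. The
allowlist, the message text and the domain names are constructed, and
the registrable-domain logic is a deliberate simplification (assumption:
the last two labels; real code would consult the public suffix list).
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation's users legitimately log in to.
LEGIT_DOMAINS = {"paypal.com", "bankofamerica.com", "facebook.com"}
URL_RE = re.compile(r'https?://[^\s"<>]+')


def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Assumption: the last two labels are the domain somebody registered."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Return (verdict, reason) for one URL: legitimate, suspicious, unknown or invalid."""
    host = urlparse(url).hostname or ""
    if not host:
        return ("invalid", "no hostname")
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "raw IP address instead of a hostname")
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("legitimate", reg)
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        # Brand name present, but under somebody else's registrable domain:
        # the "paypal.com.<other-domain>" construction.
        if brand in host:
            return ("suspicious", f"'{brand}' appears in host but domain is {reg}")
        # A domain one or two characters away from a real one, e.g. paypa1.com.
        if edit_distance(reg, legit) <= 2:
            return ("suspicious", f"{reg} is within two edits of {legit}")
    return ("unknown", reg)


def scan_message(text):
    """Classify every http(s) link found in a message body."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(text)]


# Constructed message of the kind the text describes.
SAMPLE_EMAIL = """Dear customer,
Your account will be suspended. Confirm your details at
http://paypal.com.secure-update.example/login within 24 hours.
Help is available at https://www.paypal.com/help
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:11} {url}  ({reason})")
```

The first link in the sample message is flagged because the brand name sits under a different registered domain; the second is accepted because its registered domain is on the allowlist. A mail gateway would typically run a check of this kind and rewrite or quarantine messages whose links score as suspicious, rather than leaving the judgement to the reader.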

Figure 4.6 Social Engineering: From Phishing to Financial Fraud and Crime

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 471). Prentice Hall)

Selling stolen information, like selling any stolen goods, can be profitable and

unstoppable. Unfortunately, potential e-commerce customers list “too much risk of fraud,” and “I

don’t trust online merchants” as their primary reasons for not shopping online. Of the total fraud

complaints reported to the FTC, Internet-related fraud complaints accounted for 79 percent in

2008 (McMillan 2009b). Not only do concerns about cyber cons stunt EC growth, but defending

against these cons and compensating for damages also significantly increases the costs of

conducting EC. As companies try to expand their e-business in countries where the legal systems

are underdeveloped, opportunities for fraud expand with it, making it difficult to conduct EC.

Example. German phishers sent out messages pretending to come from a utility company

that provides an electronic invoice as an Adobe PDF file. This social engineering trick worked.

Many customers clicked the link to download an “important document,” which contained a

Trojan horse. The program gave the phishers control of the infected computers. The Trojan

monitored every Internet connection and keystroke, and reported passwords back to the Trojan’s

creator.

Sophisticated Phishing Methods

Phishing is a major provider of information used for financial fraud on the Internet.

Figure 4.6 illustrates a typical phishing process called “drive-by downloads,” a top Web threat

(Symantec 2009). For other methods, see en.wikipedia.org/wiki/Phishing. For the latest phishing

tactics and their potential impact on business, see VeriSign (2009).

For an overview of social phishing, its process, techniques, and the damage, see Jagatic, et al.

(2007).

FRAUD ON THE INTERNET


Phishing is a first step that leads to many fraud schemes. An environment where buyers

and sellers cannot see each other breeds fraud. Fraud is a problem for online retailers and

customers alike. However, even though actual losses per incident are rising, the rate of those

losses is flattening out. In other words, the threat actually may be lessening—somewhat.

Online merchants reject roughly 4 percent of incoming orders because of suspicion of

fraud. An estimated 1 percent of accepted orders turn out to be fraudulent. As an adjustment to a

slowing economy, merchants shifted fraud-fighting priorities since 2008, dropping the

unaccepted orders from 4.2 percent to 2.9 percent. Among online orders from outside the United

States and Canada, 2.7 percent of the orders were fraudulent. That rate is three times higher than

the rate associated with orders from the United States and Canada (Marketing Charts 2009).

Figure 4.7 How Phishing is Accomplished

(Source: Symantec, “Web-based Attacks,” 2009. Used with permission / Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 471). Prentice Hall.)

During the first few years of EC, many types of financial crime came to light, ranging

from the online manipulation of stock prices to the creation of a virtual bank that disappeared

with the investors’ deposits. Internet fraud has grown even faster than the Internet itself. The

following examples demonstrate the scope of the problem. Also, visit the Open Directory Project

at dmoz.org/Society/Issues/Fraud/Internet for a comprehensive collection of fraud resources.

A typical e-mail that looks like an official Yahoo! request is shown in the box below:

Figure 4.8 Yahoo’s email in Fraud attacks

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition) (Page 471). Prentice Hall)

Types of Scams. The following are some representative types of scams (per spamlaws.com/scams.html): Literary scams, poetry scams, jury duty scams, chain letters and e-mail scams, lottery scams, Nigerian scams, work at home scams, credit card scams, IRS e-mail scams, Vector Marketing scams, PayPal scams, missing persons scams, envelope stuffing scams, work from home scams, and free vacation scams. Many more can be found at the website.

Identity Theft and Identity Fraud

Identity theft refers to stealing an identity of a person; that information is then used by

someone pretending to be someone else in order to steal money or get other benefits. The term is

relatively new and is actually a misnomer, since it is not inherently possible to steal an identity,

only to use it. The person whose identity is used can suffer serious consequences when he or she

is held responsible for the perpetrator’s actions. In many countries, specific laws make it a crime

to use another person’s identity for personal gain.


Identity theft is the number one concern of EC shoppers, according to the U.S. Federal

Trade Commission (ftc.gov). According to 2010 statistics, identity fraud affects over 10 million

Americans each year, for a loss of over $50 billion, growing about 20 percent annually.

Identity theft is somewhat different from identity fraud, which is related to the unlawful usage of

a “false identity” to commit fraud. Identity fraud activities include:

◗ Financial identity theft (using another’s identity to obtain goods and services)

◗ Business/commercial identity theft (using another’s business name to obtain credit)

◗ Criminal identity theft (posing as another when apprehended for a crime)

◗ Money laundering

Example. No one is immune from identity theft, even the sheriff of Merced County, California. On March 11, 2009, while the sheriff’s deputies were searching the home of a woman accused of forging checks, they discovered on her computer the copied signature of their boss. Investigators said the woman lifted the sheriff’s signature from a standard check given to departing inmates to reimburse them for pocket money confiscated during booking. She had uploaded the signature to a check-writing program. She used the checks to pay for services she received.

For additional information, see en.wikipedia.org/wiki/Identity_theft.

CYBER BANK ROBBERIES

Cyberattacks can happen to individuals and organizations including banks.

Example. An international computer-crime ring that was broken up in October 2010 siphoned

about $70 million from over 400 bank accounts of small businesses, municipalities, and

churches. Authorities in the United States, United Kingdom, the Netherlands, and Ukraine have

detained or charged more than 100 people. According to the FBI, the organization running the

hacking ring included computer-code writers in Ukraine, and the mule-network operators

(“mules” are those recruited to move stolen funds via bank accounts opened with fake names)

spread out across the United States, United Kingdom, and Ukraine. Victims were mostly in the

United States, though some bank accounts were also targeted in the United Kingdom, the

Netherlands, and Mexico.

The thieves used iterations of Zeus (a Trojan horse, described earlier that has become the

weapon of choice for most cyber bank robbers) to steal hundreds of thousands of dollars at a

time—the result of focusing on business accounts instead of individual consumers. Investigators

said the transactions attempted could have led to losses of up to $220 million. The thieves

particularly focused on small and medium businesses because of their poorly protected systems,

which are often found at smaller companies (see Wagley 2010).

In addition to stealing bank accounts, criminals steal checks as well.


Example. Secureworks.com uncovered the following check fraud operations (per Prince 2010):

Russian cybercriminals used malware, money mules and sophisticated technical methods to get

their hands on data from check image repositories run by services that archive checks on behalf

of businesses. The cybercriminals used a network of 2,000 computers in a scam to steal check

information. The scammers used the names and addresses of 2,884 job seekers who responded to

recruit e-mails as well as account information and check templates of five companies. The

attackers then downloaded images of the checks used by businesses along with bank routing

numbers, account-holder names, and other information.

Next, the scammers used off-the-shelf commercial check printing software to print

counterfeit checks, which were given to money mules to deposit in their personal banking

accounts. The mules were also tasked with wiring the deposited money to bank accounts in St.

Petersburg, Russia, where the money might have been transferred, then converted into cash. The

“mules” initially thought they were signing up for legitimate jobs. People became suspicious

when they got the second set of instructions that said, “now you are going to wire the money to

St. Petersburg.”

Other Financial Fraud

Stock market fraud is a common area where swindlers are active. Other areas include the

sale of bogus investments, phantom business opportunities, and other “get rich quick” schemes.

In addition, foreign-currency-trading scams are increasing on the Internet because most online

currency exchange shops are not licensed. For many examples of financial fraud, see Symantec

(2009).

SPAM AND SPYWARE ATTACKS

E-mail spam, also known as junk e-mail or just spam, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail. Over 90 percent of messages on corporate networks in April 2009 were e-mail spam. An estimated worldwide total of 62 trillion spam e-mails were sent in 2008. Globally, annual spam energy use totals 33 billion kilowatt-hours (kWh). That’s equivalent to the electricity used in 2.4 million homes in the United States, with the same GHG emissions as 3.1 million passenger cars using 2 billion gallons of gasoline (McMillan 2009a). E-mail spam has grown steadily since the early 1990s to several billion messages a day. Spam has frustrated, confused, and annoyed e-mail users.

Laws against spam have been sporadically initiated. The total volume of spam (more than 120 billion e-mails per day as of March 2011) has leveled off slightly in recent years and is no longer growing exponentially. But the amount received by most e-mail users has decreased, mostly because of better automatic filtering. Approximately 80 percent of all spam is sent by fewer than 200 spammers. Botnets, networks of virus-infected computers, are used to do it. Since the cost of the spam is borne mostly by the recipient, spam is effective e-mail advertising.

E-mail addresses are collected from chat rooms, websites, newsgroups, and viruses that harvest users’ address books. Much spam is sent to invalid e-mail addresses. ISPs have attempted to recover the cost of spam through lawsuits against spammers, although they have been mostly unsuccessful in collecting damages despite winning in court.

Symantec provides a monthly report, titled “The State of Spam: A Monthly Report.” In the report, it provides examples of current popular scams, categories of spam, originating countries, volume, and much more.
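The text attributes the drop in spam reaching users to better automatic filtering. The following Python example, added here and not taken from the guidebook or from Turban and King, shows the core of one classic filter, a naive Bayes classifier, trained on a small constructed set of spam and legitimate messages.

```python
"""A minimal naive Bayes e-mail spam filter.

Added example; not from the guidebook or from Turban and King. The
training messages are constructed and tiny; a real filter learns from
thousands of labelled messages, but the mechanics are the same.
"""
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case word tokens; '$' is kept because it is a strong spam signal."""
    return re.findall(r"[a-z0-9$']+", text.lower())


class NaiveBayesSpamFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_score(self, tokens, label):
        """log P(label) + sum of log P(token | label), with add-one smoothing."""
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        denom = sum(self.word_counts[label].values()) + len(self.vocab)
        score = math.log(prior)
        for tok in tokens:
            # +1 so a word never seen under this label does not zero the whole product
            score += math.log((self.word_counts[label][tok] + 1) / denom)
        return score

    def spam_probability(self, text):
        tokens = tokenize(text)
        spam = self._log_score(tokens, "spam")
        ham = self._log_score(tokens, "ham")
        diff = ham - spam
        if diff > 700:          # guard against exp() overflow on very long messages
            return 0.0
        # P(spam | text) = 1 / (1 + P(ham,text)/P(spam,text)), evaluated in log space
        return 1.0 / (1.0 + math.exp(diff))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training corpus.
SPAM_SAMPLES = [
    "cheap viagra pills buy now",
    "win free lottery prize claim now",
    "herbal viagra discount buy online",
    "work from home earn $$$ now free",
]
HAM_SAMPLES = [
    "meeting tomorrow at 10 about the quarterly report",
    "can you review the invoice for the order",
    "lunch on friday? let me know",
    "attached is the report from the client meeting",
]


def build_filter():
    """Train a filter on the constructed corpus."""
    f = NaiveBayesSpamFilter()
    for msg in SPAM_SAMPLES:
        f.train(msg, "spam")
    for msg in HAM_SAMPLES:
        f.train(msg, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ["buy cheap herbal viagra now", "let's discuss the report at the meeting"]:
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

With equal numbers of spam and legitimate training messages the prior contributes nothing; the verdict comes from how often each word was seen under each label, and the add-one smoothing keeps a word that never occurred in one class from driving that class's probability to zero. Spammers respond by misspelling trigger words and by hiding text in images, which is one reason production filters combine word statistics with sender reputation and link checks.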

Spyware

Spyware is computer software that is installed surreptitiously on a personal computer to

intercept or take partial control over the user’s interaction with the computer, without the user’s

knowledge or consent. Although the term spyware suggests software that secretly monitors the

user’s behavior, the functions of spyware extend well beyond simple monitoring. Spyware

programs can collect various types of personal information, such as Internet surfing habits and

sites that have been visited, which violate your privacy, but they can also interfere with user

control of the computer in other ways, such as installing additional (even malicious) software

and redirecting Web browser activity.

Spyware is known to change computer settings, resulting in slow surfing speeds and/or

loss of functionality of other programs. In an attempt to increase the understanding of spyware, a

more formal classification includes software types that are captured under the term privacy-

invasive software. Although spyware is used mainly by advertisers, it may also be used by

criminals.

SOCIAL NETWORKING MAKES SOCIAL ENGINEERING EASY

Social engineering tactics have been diversified. In the past, social engineers used

cleverly worded e-mails and face-to-face conversations to get information from their victims to

launch attacks. But now, social networking sites that contain goldmines of information are major

targets for new attack methods. Social engineering tactics or scams that depended on user

interaction to execute an attack against them rose dramatically as of 2006. As more users take

advantage of Web 2.0 applications like social networking sites, blogs, wikis, and RSS feeds,

malware authors, identity thieves, and other criminals are going to exploit the weak points there.

With the rise of Web 2.0 and more social interactions on social network sites, security experts

warn of an increase in the incidence of hackers inserting malicious code into dynamically

generated Web pages. The most popular sites such as Facebook and Twitter are attacked most

frequently.


Social networking sites are creating a means for hackers and con artists to worm their

way into the confidence of users, which leaves Internet users and businesses at a greater risk of

attack, according to a study by Danish security firm CSIS.

The CSIS Example. Dennis Rand, a security researcher at CSIS, created a fictitious

entry on the LinkedIn network before inviting random and unknown users to LinkedIn to join his

private network. By posing as an ex-employee of “targeted” firms, he was able to prompt real

workers from these firms into establishing connections. Within a few weeks, Rand created a

network of 1,340 trusted connections. In a research paper, Rand explains how information

gleaned through this network might be used to harvest e-mail addresses to send messages

containing links to malicious codes that are more likely to be accepted because they come from a

“trusted” source (Rand 2007).

How Hackers Are Attacking Social Networks

Hackers are manipulating the trusted nature of Facebook, MySpace, and other social networks to launch exploits and spread malware attacks. One reason is that social networks are designed to facilitate sharing of personal information, and the more data a person discloses. Unfortunately, these sites have poor track records for security controls. They do not even encourage users to select strong passwords, and passwords on these sites never expire.

Here are some examples of security problems in social networking:

◗ Upon downloading an application, an unsuspecting user can inadvertently insert

malicious code onto his or her profile page, computer, and potentially network of friends.

◗ Users received “buddy” requests from fake profiles. Traditional antispam solutions

cannot differentiate between these requests and genuine ones; so bad guys can get

specific, private information about users and potentially gather enough information to

formulate a targeted attack.

◗ Big name social networking sites offer users attractive applications to enhance their

profile pages. Often times these applications are built by third parties where the security

is lax.

◗ One popular scammers’ approach is to create a fake profile on a social networking site

and use it to post malicious links and to phish other users.

◗ A scammer obtains your friends’ user names and log-ins via password stealing or phishing, then sends you a message on Facebook that your friends are stranded someplace and desperately need you to wire them money (to the scammer’s account, of course).


◗ Researchers at NetWitness uncovered a 75,000-strong botnet that infected companies

around the world with the Zeus Trojan. Among its targets were Facebook, Yahoo!, and

other sites. According to security pros, the botnet is part of a growing trend to use social

networking sites as a stepping stone to steal valuable financial data.

◗ Messages left on Facebook users’ walls (message area) urge them to view a superb video that purports to be hosted on Google’s website. Clicking on the link leads users to a site that tries to entice them into downloading a program to watch the movie. The program is the Troj/Dloadr-BPL Trojan horse, which in turn downloads malicious code detected as Troj/Agent-HJX and displays an image of a court jester poking out his tongue.

Spam in Social Networks and in the Web 2.0 Environment

Social networks attracted spammers due to the large number of potential recipients and the less secured Internet platforms. Spammers like Facebook in particular despite the heavy fines imposed on them by the courts. Another area is blog spam.

Automated Blog Spam. Bloggers have found hundreds of automatically generated

comments with links to herbal Viagra and gambling vendors on their pages. Software bots that

trawl the Internet looking for suitable forms to fill in automatically generate the majority of blog

spam. Blog owners can use tools to ensure that humans—and not an automated system—enter

comments on their blogs.

Search Engine Spam and Splogs

Although content spam impacts media users, a greater concern to ethical e-commerce

sites is search engine spam, which Yahoo! defines as “pages created deliberately to trick the

search engine into offering inappropriate, redundant, or poor-quality search results.” Those

pages, called spam sites, use techniques that deliberately subvert a search engine’s algorithms to

artificially inflate the page’s rankings. A similar tactic involves the use of splogs (short for spam

blog sites), which are blogs created solely for marketing purposes.

Spammers create hundreds of splogs that they link to the spammer’s site to increase that

site’s search engine ranking. For information on search engine algorithms and page rankings, see

google.com/corporate/tech.html.

Sploggers work on the principle that once Web surfers arrive at their site, a few will click

on one of the linked advertisements. Each of these clicks earns a few cents for the splogger. And

because any one splogger can run many millions of splogs, the spam can be very profitable.

Examples. Some examples of spam attacks in social networks are:

◗ In January 2009, Facebook won $1.3 billion from spammers in Canada who falsely obtained log-in information for Facebook users and then sent spam to those users’ friends, violating the CAN-SPAM Act. In 2008, MySpace was awarded $230 million in a similar case (in both cases, the companies were unable to collect).

◗ In January 2009, Twitter became a hot target for hackers who hijacked the accounts of

several high-profile users including that of President Obama (now users are protected).

◗ Instant messaging in social networks was found to be very vulnerable to hackers and

other cybercriminals.

◗ Phishing for authentic social networking accounts lets spammers post comments on

other members’ pages and send messages from the phished accounts. These messages are

often used to distribute spam. A link within a message could redirect the browser to a

page that, say, purportedly hosts a video. The user is directed to install a new codec, but

downloads malicious software.

◗ Hackers are posting content loaded with malicious software that is difficult to detect on

YouTube, Facebook, MySpace, and other social network sites. Other methods are

frequently invented.

◗ VoIP is used extensively in social networks, yet it is vulnerable to many attacks

(products such as VoIPguard can help).

THE DEFENSE SIDE OF EC SYSTEMS

We organize the defense into six categories:

1. Defending access to computing systems, data flow, and EC transactions.

Here we present three topics: Access control (including biometrics), encryption of

content, and public key infrastructure (PKI). These are presented in the next section. This line of

defense protects data, applications, and computing facilities within organizations. Intruders that

circumvent access control will face encrypted material even if they pass a firewall.

2. Defending EC networks. Here we recognize first and foremost the protection provided by firewalls. The firewall isolates the corporate network and computing devices from the public networks, mostly the Internet. To make the Internet more secure we can use virtual private networks. On top of all these measures we can use intrusion detection systems. When networks are protected, we can protect the incoming (usually unencrypted) e-mail. Also, we protect against viruses and other malware that come over the networks. Note that these can be installed inside organizations, as well.

3. General, administrative, and application controls. These are safeguards of a variety of

types that are intended to protect computing assets by establishing guidelines, check procedures,

etc.


4. Protection against social engineering and fraud. Here we describe protection against

spam, phishing, and spyware.

5. Disaster preparation, business continuity, and risk management. These topics are

managerial issues that are supported by software.

6. Implementing enterprisewide security programs. Here we place all the items

previously mentioned under the implementation umbrella.

4.3 TECHNOLOGY SOLUTIONS

4.3.1 PROTECTING INTERNET COMMUNICATIONS

The defense I: Access control, encryption, and PKI

A. ACCESS CONTROL

Network security depends on access control. Access control determines who (person,

program, or machine) can legitimately use a network resource and which resources he, she, or it

can use. A resource can be anything—Web pages, text files, databases, applications, servers,

printers, or any other information source or network component. Typically, access control lists

define which users have access to which resources and what rights they have with respect to

those resources (i.e., read, view, write, print, copy, delete, execute, modify, or move).
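An access control list as described above can be evaluated in a few lines. The Python example below is added here (it is not from the guidebook or from Turban and King); the ACL, the users, the group and the resources are all constructed. It follows the deny-by-default rule: a request is allowed only if some entry explicitly grants every right asked for, and a user acting as a group member inherits the group's rights.

```python
"""Evaluating an access control list with deny by default.

Added example; not from the guidebook or from Turban and King. The ACL,
the principals, the group and the resources are constructed.
"""
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    EXECUTE = auto()


NO_RIGHTS = Right(0)

# Constructed ACL: resource -> {principal -> rights granted}.
# Principals can be people, programs or machines, as the text notes.
ACL = {
    "/data/orders.db": {"alice": Right.READ | Right.WRITE,
                        "reporting-service": Right.READ},
    "/web/checkout.cgi": {"www-server": Right.READ | Right.EXECUTE,
                          "alice": Right.READ | Right.WRITE | Right.DELETE},
    "/printers/finance": {"group:finance": Right.WRITE},
}
GROUPS = {"finance": {"bob", "carol"}}


def principals_for(user):
    """A user acts as themselves plus every group they belong to."""
    yield user
    for name, members in GROUPS.items():
        if user in members:
            yield f"group:{name}"


def effective_rights(user, resource):
    """Union of everything the ACL grants to the user or to one of their groups."""
    entries = ACL.get(resource, {})
    granted = NO_RIGHTS
    for principal in principals_for(user):
        granted |= entries.get(principal, NO_RIGHTS)
    return granted


def is_allowed(user, resource, right):
    """Deny by default: True only when every bit of `right` was explicitly granted."""
    return right in effective_rights(user, resource)


def audit(user, resource, right):
    """One line per decision; repeated DENY lines for one user are worth a look."""
    verdict = "ALLOW" if is_allowed(user, resource, right) else "DENY"
    return f"{verdict} user={user} resource={resource} right={right.name or right.value}"


if __name__ == "__main__":
    for u, r, rt in [("alice", "/data/orders.db", Right.WRITE),
                     ("bob", "/data/orders.db", Right.READ),
                     ("bob", "/printers/finance", Right.WRITE),
                     ("www-server", "/web/checkout.cgi", Right.READ | Right.EXECUTE),
                     ("mallory", "/secret", Right.READ)]:
        print(audit(u, r, rt))
```

Two design points carry over to real systems: an unknown resource or an unknown user yields no rights at all rather than an error the caller might ignore, and the decision is written to an audit record, which is what makes repeated probing visible to the security team.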

Authorization and Authentication

Access control involves authorization (having the right to access) and authentication, which is also called user identification (proving that the user is who he or she claims to be).

Authentication. After a user has been identified, the user must be authenticated. Authentication

is the process of verifying that the user is who he or she claims to be (see VeriSign 2008).

Verification usually is based on one or more characteristics that distinguish the individual from

others.

Authentication methods include:

◗ Something only the user knows, such as a password.

◗ Something only the user has, for example, a smart card or a token.

◗ Something only the user is, or possesses, such as a signature, voice, fingerprint, or

retinal (eye) scan. It is implemented via biometric controls, which can be physical or

behavioral.

Traditionally, authentication has been based on passwords. Passwords are notoriously insecure because people have a habit of writing them down in easy-to-find places, choosing values that are guessed easily, and willingly telling other people their passwords when asked. Today there is an increased use of biometrics.

Biometric Systems

A biometric control is an automated method for verifying the identity of a person based on physical or behavioral characteristics.

Biometric systems can identify a person from a population of enrolled users by searching through a database for a match based on the person’s biometric trait, or the system can verify a person’s claimed identity by matching the individual’s biometric trait against a previously stored version. Biometric verification is much simpler than biometric identification, and it is the process used in two-factor authentication.

The most common biometrics are:

◗ Thumbprint or fingerprint. Each time a user wants access, a thumb- or fingerprint (finger scan) is matched against a template containing the authorized person’s fingerprint to identify him or her.

◗ Retinal scan. A match is attempted between the pattern of the blood vessels in the retina that is being scanned and a prestored picture of the retina.

◗ Voice scan. A match is attempted between the user’s voice and the voice pattern stored on templates.

◗ Signature. Signatures are matched against the prestored authentic signature. This method can supplement a photo-card ID system.

Other biometrics are:

◗ Facial recognition

◗ Facial thermograph

◗ Hand geometry

◗ Hand veins

◗ Keystrokes

◗ DNA test

◗ Iris

For details, comparisons with regard to human characteristics, and cost–benefit analyses, see en.wikipedia.org/wiki/Biometrics.

To implement a biometric authentication system, the physiological or behavioral characteristics of a participant must be scanned repeatedly under different settings. The scans are then averaged to produce a biometric template, or identifier. The template is stored in a database as a series of numbers that can range from a few bytes for hand geometry to several thousand bytes for facial recognition. When a person uses a biometric system, a live scan is conducted, and the scan is converted to a series of numbers that is then compared against the template stored in the database.
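As an added illustration (not from the guidebook), the enrollment-and-matching loop just described, with constructed feature vectors standing in for real sensor output, an assumed distance threshold, and both the 1:1 verification and the 1:N identification modes the section distinguishes:

```python
"""Toy biometric template pipeline: repeated enrollment scans are averaged into a stored
template; a live scan is accepted when its distance to that template is within a threshold.
Feature vectors and the threshold are constructed for illustration, not sensor data."""
import math
import statistics

# Constructed enrollment scans: each user is scanned three times under different settings
# (lighting, finger pressure); the numbers stand in for features a real extractor produces.
ENROLLMENT_SCANS = {
    "alice": [[0.82, 0.10, 0.55, 0.30], [0.80, 0.12, 0.53, 0.33], [0.84, 0.09, 0.57, 0.29]],
    "bob":   [[0.20, 0.75, 0.40, 0.90], [0.22, 0.73, 0.42, 0.88], [0.19, 0.77, 0.38, 0.91]],
}
# Assumed tolerance: raising it lowers false rejects but raises false accepts.
MATCH_THRESHOLD = 0.08


def build_template(scans):
    """Average the repeated scans feature-by-feature into one template (the stored series of numbers)."""
    return [statistics.fmean(feature_values) for feature_values in zip(*scans)]


def distance(live_scan, template):
    """Euclidean distance between a live scan and a stored template."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(live_scan, template)))


def enroll_all(scans_by_user):
    """Build the template database: one template per enrolled user."""
    return {user: build_template(scans) for user, scans in scans_by_user.items()}


def verify(templates, claimed_user, live_scan, threshold=MATCH_THRESHOLD):
    """1:1 verification (the two-factor case): compare only against the claimed identity."""
    template = templates.get(claimed_user)
    return template is not None and distance(live_scan, template) <= threshold


def identify(templates, live_scan, threshold=MATCH_THRESHOLD):
    """1:N identification: search every template and return the closest match within threshold."""
    best_user, best_distance = None, float("inf")
    for user, template in templates.items():
        d = distance(live_scan, template)
        if d < best_distance:
            best_user, best_distance = user, d
    return best_user if best_distance <= threshold else None
```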

B. ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM

Encryption is the process of transforming or scrambling (encrypting) data in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it. All encryption methods have five basic parts (refer to Figure 4.9): plaintext, ciphertext, an encryption algorithm, the key, and key space. Plaintext is a human-readable text or message. Ciphertext is not human-readable because it has been encrypted. The encryption algorithm is the set of procedures or mathematical functions used to encrypt or decrypt a message. Typically, the algorithm is not the secret piece of the encryption process. The key (key value) is the secret value used with the algorithm to transform the message. The key space is the large number of possible key values (keys) created by the algorithm to use when transforming messages. Both encryption and trying to break the encryption codes are done today by powerful computers. However, the trick is to decide what data to encrypt, how to best manage encryption, and how to make the process as transparent as possible.

The major benefits of encryption are:

◗ Allows users to carry data on their laptops, PDAs, and flash drives.

◗ Protects backup media while they are offsite.

◗ Allows for highly secure virtual private networks.

◗ Enforces policies regarding who handles what corporate data.

◗ Ensures compliance with privacy laws and regulations, and reduces the risk of lawsuits.

◗ Protects the organization’s reputation and secrets.

Encryption is the foundation for two major security systems: the symmetric system, with one secret key, and the asymmetric system, with two keys. The second method is the basis for the PKI system (described in the next section).

Symmetric (Private) Key Encryption

In a symmetric (private) key encryption, the same key is used to encrypt and decrypt the plaintext (see Figure 4.10). The sender and receiver of the text must share the same key without revealing it to anyone else, making it a so-called private system.

Figure 4.9 Encryption components

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

The Data Encryption Standard (DES) was at one time the standard symmetric encryption algorithm supported by U.S. government agencies. However, DES became too susceptible to attacks. In 2000, the National Institute of Standards and Technology (NIST) replaced DES with Rijndael, the new advanced encryption standard for encrypting sensitive but unclassified government data. Because the algorithms used to encrypt a message are well known, the confidentiality of a message depends on the key. It is possible to guess a key simply by having a computer try all the encryption combinations until the message is decrypted. High-speed and parallel processing computers can try millions of guesses in one second. This is why the length of the key (in bits) is the main factor in securing a message. If a key were 4 bits long (e.g., 1011), there would be only 16 possible combinations (i.e., 2 raised to the fourth power). However, a 64-bit encryption key would take 58.5 years to be broken using parallel processing (at 10 million keys per second). There are 2 raised to the 64th power possible combinations!

Figure 4.10 Symmetric (Private) Key Encryption

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

PUBLIC KEY INFRASTRUCTURE (PKI)

Public key infrastructure (PKI) is a scheme for securing e-payments using public key encryption and various technical components. It overcomes some of the shortcomings of the one-key system. The symmetric one-key encryption requires the movement of a key from the writer of a message to its recipient. Imagine trying to use one-key encryption to buy something offered on a particular Web server. If the seller’s key was distributed to thousands of buyers, then the key would not remain secret for long. If the transfer of the key is intercepted, the key may be stolen or changed. The PKI solution uses two keys, public and private, and additional features that create a powerful system, which is very secure. In addition to the keys, PKI includes digital signatures, hash digests (function), and digital certificates. Let’s see how PKI works.

Public (Asymmetric) Key Encryption

Public (asymmetric) key encryption uses a pair of matched keys—a public key that is publicly available to anyone and a private key that is known only to its owner. If a message is encrypted with a public key, then the associated private key is required to decrypt the message. If, for example, a person wanted to send a purchase order to a company and have the contents remain private, he or she would encrypt the message with the company’s public key. When the company received the order, it would decrypt it with the associated private key, being the only one able to read the purchase order. A most common public key encryption algorithm is RSA (rsa.com). RSA uses keys ranging in length from 512 bits to 1,024 bits. The main problem with such public key encryption is speed. Symmetrical algorithms are significantly faster than asymmetrical key algorithms. Therefore, public key encryption cannot be used effectively to encrypt and decrypt large amounts of data.

Figure 4.11 Asymmetric (Public) Key Encryption – A simple Case

(Source: Ecommerce: Business, Technology, and Society - Kenneth C. Laudon)

In practice, a combination of symmetric and asymmetric encryption is used to encrypt messages. Public key encryption is supplemented by digital signature and certificate authority.

The PKI Process: Digital Signatures and Certificate Authorities

Digital signatures are the electronic equivalent of personal signatures that cannot be forged. Digital signatures are based on public keys for authenticating the identity of the sender of a message or document. They also can ensure that the original content of an electronic message or document is unchanged. Digital signatures have additional benefits in the online world. They are portable, cannot be easily repudiated or imitated, and can be time-stamped. According to the U.S. Federal Electronic Signatures in Global and National Commerce Act of 2000, digital signatures in the United States have the same legal standing as a signature written in ink on paper. Figure 4.11 illustrates how the PKI process works. Suppose a person wants to send a draft of a financial contract to a company with whom he or she plans to do business as an e-mail message. The sender wants to assure the company that the content of the draft has not been changed en route and that he or she really is the sender. To do so, the sender takes the following steps:

1. The sender creates the e-mail message with the contract in it.

2. Using special software, a secured mathematical algorithm called a hash function is applied to the message, which results in a special summary of the message, converted into a string of digits that is called a message digest (MD).

3. The sender uses his or her private key to encrypt the hash. This is the sender’s digital signature. No one else can replicate the sender’s digital signature because it is based on the sender’s private key, which no one else knows. (Continued in steps 4–9.)

Figure 4.12 Digital Signatures

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

4. The sender encrypts both the original message and the digital signature using the recipient’s public key. This couple forms a digital envelope.

5. The sender e-mails the digital envelope to the receiver.

6. Upon receipt, the receiver uses his or her private key to decrypt the contents of the digital envelope. This produces a copy of the message and the sender’s digital signature. No one else can do it since there is only one copy of the private key.

7. The receiver uses the sender’s public key to decrypt the digital signature, resulting in a copy of the original message digest.

8. Using the same hash function employed in step 2, the recipient then creates a message digest from the decrypted message.

9. The recipient then compares this digest with the original message digest.

10. If the two digests match, then the recipient concludes that the message is authentic.

In this scenario, the company has evidence that the sender sent the e-mail because the sender is the only one with access to the private key. The recipient knows that the message has not been tampered with because if it had been, the two hashes would not have matched.
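The ten steps above, carried through in code as an added example (not the guidebook's or the textbook's own material). RSA is textbook RSA on fixed, constructed Mersenne-prime keys with no padding, and the bulk cipher in the envelope is a SHA-256 keystream XOR; both are stand-ins chosen so every step is visible, and the session-key wrapping mirrors the hybrid approach the text says is used in practice.

```python
"""Worked PKI flow for steps 1-10: hash the message, sign the digest with the sender's
private key, seal message + signature in a digital envelope under the recipient's public
key, then open the envelope and verify. RSA here is textbook RSA on fixed Mersenne primes
with no padding, and the bulk "cipher" is a SHA-256 counter keystream XOR; both stand in
for real RSA/AES purely so each step is visible. Keys and message are constructed."""
import hashlib
import json
import secrets

E = 65537  # public exponent used by both key pairs


def make_keypair(p, q):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). p and q must be distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"e": E, "n": n}, {"d": pow(E, -1, phi), "n": n}


# Constructed key pairs from Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^107-1).
# Moduli of ~92 and ~196 bits are far too small for real use but hold a reduced hash.
SENDER_PUB, SENDER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


def hash_message(message: bytes) -> bytes:
    """Step 2: the hash function turns the message into a fixed-size message digest (MD)."""
    return hashlib.sha256(message).digest()


def rsa_apply(value: int, exponent: int, n: int) -> int:
    return pow(value, exponent, n)


def sign(digest: bytes, priv: dict) -> int:
    """Step 3: 'encrypt' the digest with the sender's private key -> the digital signature."""
    return rsa_apply(int.from_bytes(digest, "big") % priv["n"], priv["d"], priv["n"])


def signature_matches(signature: int, digest: bytes, pub: dict) -> bool:
    """Steps 7-10: recover the signed digest with the public key and compare it to a fresh hash."""
    return rsa_apply(signature, pub["e"], pub["n"]) == int.from_bytes(digest, "big") % pub["n"]


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric layer (stands in for AES): XOR data with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def seal_envelope(message: bytes, sender_priv: dict, recip_pub: dict) -> dict:
    """Steps 1-5: sign, then wrap message + signature so only the recipient can open them.
    As in practice, a fresh random session key protects the bulk data and only that key is
    encrypted with the recipient's public key (hybrid encryption)."""
    signature = sign(hash_message(message), sender_priv)
    payload = json.dumps({"message": message.decode(), "signature": str(signature)}).encode()
    session_key = secrets.randbits(64)  # must be < recipient n for textbook RSA to recover it
    return {
        "encrypted_key": rsa_apply(session_key, recip_pub["e"], recip_pub["n"]),
        "ciphertext": xor_stream(session_key.to_bytes(8, "big"), payload).hex(),
    }


def open_envelope(envelope: dict, recip_priv: dict, sender_pub: dict):
    """Steps 6-10: recover the session key with the recipient's private key, decrypt the
    payload, then check the signature against a fresh digest. Returns (message, authentic)."""
    session_key = rsa_apply(envelope["encrypted_key"], recip_priv["d"], recip_priv["n"])
    plain = xor_stream(session_key.to_bytes(8, "big"), bytes.fromhex(envelope["ciphertext"]))
    payload = json.loads(plain)
    message = payload["message"].encode()
    authentic = signature_matches(int(payload["signature"]), hash_message(message), sender_pub)
    return message, authentic


def run_demo() -> dict:
    """Round trip plus a tamper check: a signature over one draft does not verify another."""
    draft = b"Draft contract: 1,000 units at $12.00 each, delivery 30 days."
    envelope = seal_envelope(draft, SENDER_PRIV, RECIP_PUB)
    received, authentic = open_envelope(envelope, RECIP_PRIV, SENDER_PUB)
    sig = sign(hash_message(draft), SENDER_PRIV)
    altered = draft.replace(b"$12.00", b"$1.00")
    altered_ok = signature_matches(sig, hash_message(altered), SENDER_PUB)
    return {"received": received, "authentic": authentic, "altered_verifies": altered_ok}
```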

Certificate Authority

Third parties called certificate authorities (CAs) issue digital certificates or SSL certificates. This is an electronic file that uniquely identifies individuals and websites and enables encrypted communication. The certificate contains things such as the holder’s name, validity period, public key information, and a signed hash of the certificate data (i.e., hashed contents of the certificate signed with the CA’s private key).

There are different types of certificates, namely those used to authenticate websites (site certificates), individuals (personal certificates), and software companies (software publisher certificates).

There are several third-party CAs. VeriSign (verisign.com) is the best known of the CAs (see VeriSign 2008). VeriSign issues three classes of certificates: Class 1 verifies that an e-mail actually comes from the user’s address. Class 2 checks the user’s identity against a commercial credit database. Class 3 requires notarized documents. Companies such as Microsoft offer systems that enable companies to issue their own private, in-house certificates.

Secure Sockets Layer (SSL)

PKI systems are further secured with SSL—the protocol for e-commerce. If the average user had to figure out how to use encryption, digital certificates, digital signatures, and the like, there would be few secure transactions on the Web. It is clever but difficult. Fortunately, Web browsers and Web servers handle many of these activities in a transparent fashion. Given that different companies, financial institutions, and governments in many countries are involved in e-commerce, it is necessary to have generally accepted protocols for securing e-commerce. One of the major protocols in use today is Secure Sockets Layer (SSL), now renamed as Transport Layer Security (TLS). For further details, see en.wikipedia.org/wiki/Transport_Layer_Security.

4.3.2 SECURING CHANNELS OF COMMUNICATION

The defense II: Securing E-commerce networks

Several technologies exist that ensure that an organization’s network boundaries are secure from cyber attack or intrusion and that if the organization’s boundaries are compromised, the intrusion is detected quickly and combated. A slew of cyber attack techniques can arrive on the network; the best known are viruses and other malware, DoS, botnet attacks, and more. The selection and operation of defense mechanisms against these attack technologies should be based on certain design concepts, as described at perimeterusa.com/solution.html. The major components for protecting internal information resources inside organizations from outside attackers are described next.

FIREWALLS

Firewalls are barriers between an internal trusted network, or a PC, and the untrustworthy Internet. Technically, it is a network node consisting of both hardware and software that isolates a private network from a public network. On the Internet, the data and requests sent from one computer to another are broken into segments called packets. Each packet contains the Internet address of the computer sending the data, as well as the Internet address of the computer receiving the data. Packets also contain other identifying information that can distinguish one packet from another. A firewall examines all data packets that pass through it and then takes appropriate action—to allow or not to allow. Firewalls can be designed mainly to protect against remote log-in, access via backdoors, spam, and different types of malware (e.g., viruses or macros). Firewalls can come in several shapes and forms and there can be a single one or several. For details, see Online File W9.4. A popular defense system is the one that includes two firewalls. It is known as the DMZ architecture.

The Dual Firewall Architecture: The DMZ

In the simple one-firewall case, there is a firewall between the Internet and the internal users (usually sitting on the corporate intranet). In the DMZ architecture (DMZ stands for demilitarized zone), there are two firewalls between the Internet and the internal users. The area between the two firewalls is referred to as the DMZ and it is dedicated as the one for business partners. The architecture is shown in Figure 4.13.

In this architecture, there are two firewalls: one between the Internet and the DMZ (border firewall) and another internal firewall between the DMZ and the internal network. All public servers are placed in the DMZ. With this setup, it is possible to have firewall rules that allow trusted partners access to the public servers but the interior firewall can restrict all incoming connections. By having the DMZ, the public servers are still provided more protection than if they were just placed outside a single firewall site.

Using internal firewalls at various intranet boundaries can also help limit damage from internal threats and things like worms that have managed to traverse the border firewalls.
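The two-firewall policy just described, modelled as rule tables as an added example (not from the guidebook): the border firewall admits outsiders only to the public DMZ services and gives trusted partners one extra port, while the interior firewall refuses every inbound connection to the internal network except the one the public servers need. The address plan, partner network and port numbers are constructed.

```python
"""Rule model of the two-firewall DMZ design: a border firewall between the Internet and
the DMZ, and an interior firewall between the DMZ and the internal network. The address
plan, partner network and rules are constructed; connection state tracking and logging,
which real firewalls add, are left out."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (RFC 5737 documentation ranges for the public side).
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # public Web/B2B servers
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # corporate intranet
}
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # trusted business partners


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str      # "internet", "partner", "dmz", "internal" or "any"
    dst_zone: str
    ports: frozenset   # empty means any destination port
    action: str        # "allow" or "deny"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PARTNER_NETS):
        return "partner"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(rules, packet: Packet) -> str:
    """First matching rule wins; a packet no rule covers is denied (default deny)."""
    src_zone, dst_zone = zone_of(packet.src), zone_of(packet.dst)
    for rule in rules:
        if rule.src_zone not in (src_zone, "any") or rule.dst_zone != dst_zone:
            continue
        if rule.ports and packet.dport not in rule.ports:
            continue
        return rule.action
    return "deny"


# Border firewall: outsiders reach only the public services in the DMZ; trusted partners
# also get the B2B port; nothing from outside reaches the internal network directly.
BORDER_RULES = [
    Rule("any", "dmz", frozenset({80, 443}), "allow"),
    Rule("partner", "dmz", frozenset({8443}), "allow"),
    Rule("any", "internal", frozenset(), "deny"),
]
# Interior firewall: from the DMZ only the database port is opened; every other
# inbound connection to the internal network is refused.
INTERIOR_RULES = [
    Rule("dmz", "internal", frozenset({5432}), "allow"),
    Rule("any", "internal", frozenset(), "deny"),
]


def path_decision(packet: Packet) -> str:
    """Apply only the firewalls the packet actually crosses: Internet/partner -> DMZ hits the
    border firewall, DMZ -> internal hits the interior one, Internet -> internal must pass both.
    Traffic originating inside and heading outward is not modelled here."""
    src_zone, dst_zone = zone_of(packet.src), zone_of(packet.dst)
    crossings = []
    if src_zone in ("internet", "partner"):
        crossings.append(BORDER_RULES)
    if dst_zone == "internal" and src_zone != "internal":
        crossings.append(INTERIOR_RULES)
    if any(evaluate(rules, packet) == "deny" for rules in crossings):
        return "deny"
    return "allow"
```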

Personal Firewalls

The number of users with high-speed broadband (cable modem or digital subscriber lines [DSL]) has increased the number of Internet connections to homes or small businesses. These “always-on” connections are much more vulnerable to attack than simple dial-up connections. With these connections, the home owner or small business owner runs the risk of information being stolen or destroyed, of sensitive information (e.g., personal or business financial information) being stolen, and of the computer being used in a DoS attack against others.

Personal firewalls protect desktop systems by monitoring all the traffic that passes through the computer’s network interface card. They operate in one of two ways. With the first method, the owner can create filtering rules (much like packet filtering) that the firewall uses to permit or delete packets. With the second method, the firewall can learn, by asking the user questions, how it should handle particular traffic. For a detailed comparison of several of these products, see firewallguide.com/software.htm.

Additional Virus, Malware, and Botnet Protection

Firewalls can protect against some but not all viruses. Your Windows operating system includes a firewall, but it may not be updated for all new viruses—the same goes for applications such as Microsoft Office. Thus, it is a good idea to subscribe to antivirus software such as from McAfee, Norton, or Windows Live OneCare. Be very careful when you select antivirus software; some of them include malware. Using industry standard software is safe. For details about viruses including how to remove them, see microsoft.com/protect/computer/basics/virus.mspx and microsoft.com/protect/computer/viruses/remove.mspx. All major vendors offer many products that can protect against different types of malware.

Figure 4.13 The two firewalls: DMZ Architecture

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

VIRTUAL PRIVATE NETWORKS (VPNS)

Suppose a company wants to establish a B2B application, providing suppliers, partners, and others access not only to data residing on its internal website, but also to data contained in other files (e.g., Word documents) or in legacy systems (e.g., large relational databases). Traditionally, communications with the company would have taken place over a private leased line or through a dial-up line to a bank of modems or a remote access server (RAS) that provided direct connections to the company’s LAN. With a private line (value-added line, VAL), the chances of a hacker eavesdropping on the communications between the companies would be minimal, but it is an expensive way to do business.

A VPN allows a computer user to access a network via an IP address other than the one that actually connects the computer to the Internet. This is a less expensive solution. For details, see en.wikipedia.org/wiki/Virtual_private_network.

A virtual private network (VPN) uses the public Internet to carry information but remains private by using a combination of encryption to scramble the communications and authentication to ensure that the information has not been tampered with and comes from a legitimate source. A VPN verifies the identity of anyone using the network. In addition, a VPN can also support site-to-site communications between branch offices and corporate headquarters and the communications between mobile workers and their workplace. VPNs can reduce communication costs dramatically. The costs are lower because VPN equipment is cheaper than other remote solutions; private leased lines are not needed to support remote access; remote users can use broadband connections rather than make long-distance calls to access an organization’s private network; and a single access line can be used to support multiple purposes.

The main technical challenge of a VPN is to ensure the confidentiality and integrity of the data transmitted over the Internet. This is where protocol tunneling comes into play. With protocol tunneling, data packets are first encrypted and then encapsulated into packets that can be transmitted across the Internet. A special host or router decrypts the packets at the destination address. Cisco provides several types of VPNs including for wireless networks and smartphones. For details, see en.wikipedia.org/wiki/Virtual_private_network.

INTRUSION DETECTION SYSTEMS (IDS)

Even if an organization has a well-formulated security policy and a number of security technologies in place, it still is vulnerable to some attacks. For example, most organizations have antivirus software, yet most are subjected to virus attacks as was shown in the opening case. This is why an organization must continually watch for attempted, as well as actual, security breaches. This can be done by using intrusion detectors.

An intrusion detection system (IDS) is software and/or hardware designed to detect illegal attempts to access, manipulate, and/or disable computer systems through a network. An IDS is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized log-ins, access to sensitive files, and malware (viruses, Trojan horses, and worms).

The IDS checks files on a regular basis to see if the current signatures match the previous signatures. If the signatures do not match, security personnel are notified immediately. Some examples of commercial host-based systems are Symantec’s Intruder Alert (symantec.com), Tripwire Security’s Tripwire (tripwire.com), and McAfee’s Entercept Desktop and Server Agents (mcafee.com).
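The file-signature check the paragraph describes, written out as an added example (not the guidebook's or any named vendor's code): a baseline of SHA-256 signatures is taken over a monitored tree, and a later rescan reports modified, removed and added files. The file tree and the tampering scenario are constructed in a temporary directory.

```python
"""Host-based integrity monitoring of the kind described above: every monitored file is
hashed into a baseline of signatures; a later rescan reports files whose signature changed,
that disappeared, or that appeared. The file tree is constructed in a temporary directory
so the example runs offline."""
import hashlib
import os
import tempfile


def file_signature(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of the file contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: str) -> dict:
    """Map each file (path relative to root, '/' separated) to its current signature.
    In a real deployment the baseline must be stored where the monitored host cannot alter it."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_signature(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """The three kinds of change that should notify security personnel."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create a file (and its directories) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"stand-in for the original login binary")
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/hosts.allow", b"sshd: 10.0.0.0/8\n")
        baseline = take_baseline(root)
        # Simulated changes between two scans: a binary is replaced, a setting is weakened,
        # an access-control file is deleted and an unexpected file appears.
        _write(root, "bin/login", b"stand-in for a replaced login binary")
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        _write(root, "tmp/.hidden", b"dropped file")
        return compare(baseline, take_baseline(root))
```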

Dealing with DoS attacks

As seen in the opening case, it usually takes time to deal with a DoS attack. Early intrusion detection can help. Since there are several types of DoS attacks (e.g., DDoS), there are several defense methods. For examples, see fxtechsupport.forumotion.com/t27-how-toprevent-dos-ddos-attacks and learn-networking.com/network-security/how-to-preventdenial-of-service-attacks.

Cloud Computing Prevents DoS Attacks

In 2011, cyber attacks demonstrated that cloud computing (Online Tutorial T7) can handle distributed denial-of-service (DDoS) attacks that crash traditional servers—for instance, when WikiLeaks briefly hosted its latest disclosure on Amazon Web Services (AWS). The three main ingredients in cloud computing that make it more resilient against cyber attacks are elasticity, bandwidth, and redundancy. While there is evidence that cloud computing can prevent DoS attacks, there were cases in 2010 and 2011 where DoS attacks occurred.

HONEYNETS AND HONEYPOTS

Honeynets are another technology that can detect and analyze intrusions. A honeynet is a network of honeypots designed to attract hackers like honey attracts bees. In this case, the honeypots are information system resources—firewalls, routers, Web servers, database servers, files, and the like—that look like production systems but they do not do real work.

The main difference between a honeypot and the real thing is that the activities in a honeypot come from intruders attempting to compromise the system. In this way, security experts watching the honeynet can gather information about why hackers attack, when they attack, how they attack, what they do after the system is compromised, and how they communicate with one another during and after the attack.

The Honeynet Project is a worldwide, not-for-profit research group of security professionals (see honeynet.org). The group focuses on raising awareness of security risks that confront any system connected to the Internet and teaching and informing the security community about better ways to secure and defend network resources. The project runs its own honeynets. They simply connect the honeypots to the Internet and wait for attacks to occur. They can advise companies about how to set up honeynets.

Before a company deploys a honeynet, it needs to think about what it will do when it becomes the scene of a cybercrime or contains evidence of a crime and about the legal restrictions and ramifications of monitoring legal and illegal activity. Online File W9.5 discusses these issues. A similar technique is the penetration test discussed earlier.

E-Mail Security

E-mail brings many of the security problems we have discussed. To begin with, we get viruses from e-mail attachments (we can get them of course from software downloads). Spam arrives via e-mail and so do social engineering attacks. Unfortunately, firewalls may not be so effective in protecting e-mail, and therefore one should use antivirus as well as antispam software (available from dozens of vendors). E-mail encryption is advisable and it is also available from many vendors. Finally, a technique called outbound filtering may be used. A brief description of each of these methods follows:

◗ Antivirus and antispam. Detect and quarantine messages that contain viruses, worms, spam, phishing attacks, or other unwanted content.

◗ E-mail encryption. Scrambles sensitive data in messages and attachments so they can be read only by intended recipients.

◗ Outbound filtering. Scan for unauthorized content, such as a customer’s Social Security number, included in outgoing e-mail or other communications.
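Outbound filtering as the last item describes it, written out as an added example (not the guidebook's code): an outgoing message is scanned for U.S. Social Security numbers, blocked if one is found, and handed back redacted. The structural checks are the published SSN constraints; the keyword window for unseparated nine-digit runs is an assumed tuning choice, and the messages are constructed.

```python
"""Outbound filtering as the list item describes it: before an e-mail leaves the
organization, scan subject and body for U.S. Social Security numbers and block or redact.
Structural rules are the published SSN constraints (area not 000, 666 or 900-999; group not
00; serial not 0000); unseparated nine-digit runs count only with a nearby keyword, to keep
order and tracking numbers from tripping the filter. Messages are constructed."""
import re

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
KEYWORD_RE = re.compile(r"(?i)\b(ssn|social security)\b")
CONTEXT_CHARS = 40  # assumed window before an unseparated number in which a keyword must appear


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit groups that can never be an issued SSN."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def _counts_as_ssn(match) -> bool:
    """Decide for one regex match, using the surrounding text for unseparated digit runs."""
    if not is_plausible_ssn(*match.groups()):
        return False
    if "-" in match.group(0) or " " in match.group(0):
        return True
    context = match.string[max(0, match.start() - CONTEXT_CHARS):match.start()]
    return KEYWORD_RE.search(context) is not None


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if _counts_as_ssn(m)]


def redact(text: str) -> str:
    """Mask all but the last four digits of each detected SSN."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3) if _counts_as_ssn(m) else m.group(0), text)


def filter_outbound(message: dict) -> tuple:
    """Policy for outgoing mail: block when an SSN is found and hand back a redacted copy
    for the sender to review; otherwise allow the message unchanged."""
    hits = find_ssns(message["subject"]) + find_ssns(message["body"])
    if not hits:
        return "allow", message
    redacted = {**message, "subject": redact(message["subject"]), "body": redact(message["body"])}
    return "block", redacted
```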

Note that e-mail is related to IM and chats, which can be subject to attacks as well. For Google’s e-mail security, see google.com.postini. Companies can beef up e-mail security by adding additional layers of defense, using only authorized e-mail servers, scanning e-mail logs, and most of all educating people about e-mail dangers. For defense suggestions, see gfi.com/emailsecuritytest/ and Wiens (2010). For other guidelines, visit messagelab.com.

Cloud Computing May Help

As of 2008 there has been an increased interest in using cloud computing to improve e-mail security. Furthermore, this can be done while cutting costs 50 to 80 percent (per Habal 2010). There is growing support for moving e-mail to the cloud environment as well as moving e-mail archiving to the cloud. Despite the benefits, the adoption of cloud-based e-mail security solutions is still a very gradual process for most companies. It can be hard to cut through the marketing hype when nearly every vendor seems to be making a cloud claim. To help companies decide on cloud-based e-mail security adoption and vendor selection, Habal (2010) provides some key questions enterprise EC buyers should ask when evaluating cloud-based e-mail security services.

Figure 4.14 Major defense controls

(Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

4.3.3 GENERAL CONTROLS AND OTHER DEFENSE MECHANISMS

The defense III: General controls and other defense mechanisms

The objective of IT security management practices is to defend all the components of an information system, specifically data, software applications, hardware, and networks. A defense strategy requires several controls, as shown in Exhibit 9.13. General controls are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. Application controls are safeguards that are intended to protect specific applications. In this and the following sections, we discuss the major types of these two groups of information systems controls. Later in the section we cover spam and fraud mitigation.

GENERAL, ADMINISTRATIVE, AND OTHER CONTROLS

The major categories of general controls are physical controls, administrative controls, and other controls. A brief description of general controls is provided next.

Physical Controls

Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. It provides protection against most natural hazards as well as against some human hazards. Appropriate physical security may include several controls, such as the following:

◗ Appropriate design of the data center. For example, the site should be noncombustible and waterproof.

◗ Shielding against electromagnetic fields.

◗ Good fire prevention, detection, and extinguishing systems, including sprinkler system, water pumps, and adequate drainage facilities.

◗ Emergency power shutoff and backup batteries, which must be maintained in operational condition.

◗ Properly designed, maintained, and operated air-conditioning systems.

◗ Motion detector alarms that detect physical intrusion.

Network access control software is offered by all major security vendors (e.g., see symantec.com/business/network-access-control).

Administrative Controls

While the previously discussed general controls were technical in nature, administrative controls deal with issuing guidelines and monitoring compliance with the guidelines. Exhibit 9.14 gives examples of such controls.


APPLICATION CONTROLS AND INTELLIGENT AGENTS

Sophisticated attacks are aimed at the application level, and many applications were not designed to withstand such attacks. For better survivability, information processing methodologies are being replaced with agent technology. Intelligent agents, also referred to as softbots or knowbots, are highly intelligent applications. The term intelligent agents generally means applications that have some degree of reactivity, autonomy, and adaptability, as it is used in unpredictable attack situations. An agent is able to adapt itself based on changes occurring in its environment, as shown in Figure 4.16.

PROTECTING AGAINST SPAM

Sending spam that disguises a sales pitch to look like a personal e-mail to bypass filters violates the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. However, many spammers hide their identity to escape detection by using hijacked PCs, or spam zombies, to send spam. For protecting your system against botnet attacks, which also spread a huge volume of spam, see MessageLabs (2009).

Figure 4.15 Representative Administrative Controls (Source: Turban, Efraim; King, David (2011-09-23). Electronic Commerce 2012: A Managerial Perspective (7th Edition). Prentice Hall)

Figure 4.16 Intelligent Agents (Source: Courtesy of Sandia Labs)


The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines. The following are other provisions of the law:

◗ Requires marketers to identify their physical location by including their postal address in the text of the e-mail messages.

◗ Requires an opt-out link in each message, which must also give recipients the option of telling senders to stop all segments of their marketing campaigns.

◗ Allows for suits to be brought by ISPs, state attorneys general, and the federal government.

◗ Carries penalties of up to $250 per spammed e-mail message, with a cap of $2 million, which can be tripled for aggravated violations. There is no cap on penalties for e-mail sent with false or deceptive headers.

◗ Carries other penalties—those found guilty of violating the law may face up to 5 years in prison.

For more details, see spamlaws.com/federal/can-spam.shtml.

To protect users of e-mail, most e-mail providers introduce fairly successful filters that direct spam e-mails to junk folders. However, some spam e-mails still reach your inbox, and some legitimate e-mails may end up in the junk folder. For more on protection against spam and spam blogs, see Online File W9.6. Spam is closely related to pop-up ads.
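As an added example (not code from the guidebook), the following Python script shows how a rule-based filter of the kind described above decides between the inbox and the junk folder. It scores each message on heuristics that map to the CAN-SPAM provisions mentioned earlier (a From domain that differs from the Return-Path domain, a sales pitch dressed up as a "Re:" reply) plus marketing vocabulary, and routes anything above a threshold to junk. The sample messages, the rules and the threshold are all constructed for the demonstration; running it reproduces both failure modes the paragraph mentions, one spam message that reaches the inbox and one legitimate newsletter that lands in junk.

```python
"""Toy rule-based spam filter that routes messages to an inbox or junk folder.

Added example, not code from the guidebook. The sample messages, the scoring
rules and the junk threshold are all constructed for this demonstration.
"""
import email
import re
from email.message import Message

# Marketing vocabulary that raises a message's score (assumed list).
SPAM_PHRASES = ("free", "act now", "limited time", "winner", "click here")
JUNK_THRESHOLD = 5  # assumed cut-off; raising it trades false positives for false negatives


def header_domain(msg: Message, header: str) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    m = re.search(r"@([\w.-]+)", msg.get(header, ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (handles multipart mail)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(msg: Message) -> int:
    """Apply the heuristics and return a spam score (higher is more suspicious)."""
    subject = msg.get("Subject", "")
    text = (subject + "\n" + body_text(msg)).lower()
    score = 0
    # 1. Marketing vocabulary in subject or body: 2 points per phrase.
    score += sum(2 for phrase in SPAM_PHRASES if phrase in text)
    # 2. Misleading headers: the From domain and the Return-Path domain differ.
    sender, bounce = header_domain(msg, "From"), header_domain(msg, "Return-Path")
    if sender and bounce and sender != bounce:
        score += 3
    # 3. A sales pitch disguised as a reply: "Re:" subject with no In-Reply-To header.
    if subject.lower().startswith("re:") and not msg.get("In-Reply-To"):
        score += 3
    # 4. Shouting: repeated exclamation marks or an all-caps subject.
    if subject.count("!") >= 2 or (len(subject) > 5 and subject.isupper()):
        score += 2
    return score


def route_raw(raw: str) -> str:
    """Parse a raw RFC 822 message and decide which folder it goes to."""
    msg = email.message_from_string(raw)
    return "junk" if score_message(msg) >= JUNK_THRESHOLD else "inbox"


# Constructed sample messages with the label a human would assign (True = spam).
SAMPLE_MESSAGES = [
    ("From: promo@deals.example\nReturn-Path: <bounce@other.example>\n"
     "Subject: FREE gift - act now!!\n\nClick here, limited time only.\n", True),
    ("From: sam@mail.example\nReturn-Path: <sam@mail.example>\n"
     "Subject: Re: that thing we talked about\n\n"
     "Hey, I found a way to earn money fast, take a look at the link I sent.\n", True),
    ("From: news@shop.example\nReturn-Path: <bounces@esp.example>\n"
     "Subject: Your weekly deals: free shipping this week\n\n"
     "Click here to see this week's offers.\n", False),
    ("From: alice@corp.example\nReturn-Path: <alice@corp.example>\n"
     "In-Reply-To: <123@corp.example>\nSubject: Re: meeting notes\n\n"
     "Thanks, see attached.\n", False),
]


def evaluate(samples=SAMPLE_MESSAGES) -> dict:
    """Route every sample and count hits and misses against the labels."""
    counts = {"spam_to_junk": 0, "spam_to_inbox": 0, "ham_to_junk": 0, "ham_to_inbox": 0}
    for raw, is_spam in samples:
        key = ("spam" if is_spam else "ham") + "_to_" + route_raw(raw)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for raw, is_spam in SAMPLE_MESSAGES:
        print(f"{'spam' if is_spam else 'ham ':5} -> {route_raw(raw)}")
    print(evaluate())
```

The second sample (a disguised personal note with no marketing words) scores only 3 and slips into the inbox, while the subscribed newsletter is junked because its mailing service uses a different bounce domain and its subject says "free shipping". Real filters combine many more signals and learn per-user weights, but the trade-off the threshold expresses is the same.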

PROTECTING AGAINST POP-UP ADS

The use of pop-ups and similar advertising programs is exploding. Sometimes it is even difficult to close these ads when they appear on the screen. Some of these ads may be part of a consumer’s permission marketing agreement, but most are unsolicited. What can a user do about unsolicited pop-up ads? The following tools help minimize pop-ups.

Tools for Stopping Pop-Ups. One way to avoid the potential danger lurking behind pop-up ads is to install software that will block pop-up ads and prevent them from appearing in the first place. Several software packages offer pop-up stoppers. Some are free (e.g., panicware.com and adscleaner.com); others are available for a fee. For a list of pop-up blocking software, visit snapfiles.com/Freeware/misctools/fwpopblock.html and netsecurity.about.com/od/popupadblocking/a/aafreepopup.htm.

Many ISPs offer tools to stop pop-ups from appearing. The Mozilla Firefox Web browser does not allow pop-ups. The Google Toolbar will block pop-up ads as well. Microsoft offers free pop-up blocking for its Internet Explorer browser.


However, adware or software that gets bundled with other popular applications like person-to-person file sharing is able to deliver the pop-up ads because they originate from the desktop, not the browser, and blocking tools do not govern them.

PROTECTING AGAINST SOCIAL ENGINEERING ATTACKS

With the increased number of social engineering attacks via Web attacks and in social networks comes the need for better protection. The open source environment and the interactive nature of the technology also create risks (see Chapter 7 and Section 9.4). Thus, EC security becomes a necessity for any successful social networking initiative.

Social networking spans many different applications and services (recall Exhibit 7.3 on p. 306). Therefore, there are many methods and tools that can be used to defend such systems. Many of the solutions are technical in nature and are outside the scope of this book. There is another issue with defense—sometimes several methods can be used to protect against the same problem. The question is which alternative should be selected.

Example. An impostor became a user’s Facebook friend and then e-mailed him a link to a malware site. Security approaches that could be involved in countering this include: e-mail filtering, Web filtering, and desktop antimalware. DLP (data loss prevention) and network monitoring can also play a role. For further discussion, see Sarrel (2010) and Greengard (2010).
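The following added example (not code from the guidebook or the sources it cites) shows in Python what the e-mail filtering and Web filtering layers named in this scenario can check before the user ever reaches the link. It assumes the "friend's" message arrives as HTML mail, extracts every link, compares each destination against a domain blocklist, and flags links whose visible text or host name impersonates a well-known site, which is also the kind of technical phishing defense the next section refers to. The blocklist, the list of impersonated sites and the sample message are constructed for the demonstration.

```python
"""Link inspection for an inbound HTML message (e-mail filtering layer) and a
domain blocklist lookup (Web filtering layer).

Added example, not code from the guidebook or the sources it cites. The
blocklist, the list of frequently impersonated sites and the sample message
are constructed for this demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_DOMAINS = {"malware-download.example"}         # constructed Web-filter blocklist
IMPERSONATED_SITES = {"facebook.com", "bank.example"}  # constructed; sites worth a look-alike check


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, text: str) -> list:
    """Return the reasons a single link is suspicious (empty list = nothing found)."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    # Web filtering: the destination is on the blocklist.
    if host in BLOCKED_DOMAINS or registrable_domain(host) in BLOCKED_DOMAINS:
        findings.append("blocklisted domain")
    # The visible text looks like a URL for one site while the href goes to another.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append("link text hides a different destination")
    # A well-known name appears inside the host, but the registrable domain is not that site.
    for site in sorted(IMPERSONATED_SITES):
        if site.split(".")[0] in host and registrable_domain(host) != site:
            findings.append(f"look-alike of {site}")
    if url.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {url.scheme!r}")
    return findings


def scan_html(html: str) -> dict:
    """Map every suspicious href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


def verdict(html: str) -> str:
    """Deliver the message untouched, or hold it for review if any link is suspicious."""
    return "quarantine" if scan_html(html) else "deliver"


# Constructed message: the "friend" sends a photo link that really goes to a malware host.
SAMPLE_HTML = (
    "<p>Hey, check out the photos from last night!</p>"
    '<a href="http://facebook.com.photos-login.malware-download.example/album">'
    "https://www.facebook.com/photos</a>"
    '<p>And my page: <a href="https://www.facebook.com/some.user">My profile</a></p>'
)

if __name__ == "__main__":
    print(verdict(SAMPLE_HTML))
    for href, findings in scan_html(SAMPLE_HTML).items():
        print(href, "->", ", ".join(findings))
```

The first link trips all three checks (blocklisted destination, visible text pointing at a different site, and a host name built around "facebook"), so the message is quarantined; the genuine profile link produces no findings. The same `check_link` logic is what a Web filter would apply at click time if the mail filter had let the message through, which is why the scenario lists both layers together with desktop antimalware as a last line.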

Protecting Against Phishing

Because there are many phishing attack methods, there are many defense methods as well. Illustrative examples are provided by Symantec (2009), ftc.gov, and en.wikipedia.org/wiki/Phishing. For analytical fraud protection, see sas.com/solutions/fraud/index.html and also IBM’s ZTIC.

Protecting Against Malvertising

Microsoft combats malvertising by filing civil lawsuits against companies who allegedly create these fake ads. For more information about lawsuits, see stopmalvertising.com/news/microsoft-going-after-malvertising-threats.html and digwin.com/microsoftadvertising-and-internet-safety enforcement-team-to-fight-malvertisers.

To help protect yourself against malvertising or scareware, you can:

◗ Install a firewall and keep it turned on.

◗ Use automatic updating to keep your operating system and software up to date.

◗ Install antivirus and antispyware software such as Microsoft Security Essentials and keep it updated.

◗ If your antivirus software does not include antispyware software, you should install a separate antispyware program such as Windows Defender and keep it updated. (Windows Defender is available as a free download for Windows XP and is included in Windows Vista and Windows 7.)

◗ Use caution when you click links in e-mail messages or on social networking websites.

◗ Familiarize yourself with common phishing scams.

PROTECTING AGAINST SPYWARE

In response to the emergence of spyware, a large variety of antispyware software exists. Running antispyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed antispyware laws, which usually target any software that is surreptitiously installed to control a user’s computer. The U.S. Federal Trade Commission (ftc.gov) has placed on the Internet a page of advice to consumers about how to lower the risk of spyware infection, including a list of dos and don’ts.

Using Policies and Training

Because successful social engineering attacks depend, in effect, on the cooperation of the victims, stopping social engineering attacks also depends on the victims. Certain positions within an organization are clearly vulnerable, such as those with access to private and confidential information or those that interact with customers or vendors. In the acceptable use policy (AUP) and employee training programs, all users should learn how to avoid becoming a victim of manipulation. Specific policies and procedures need to be developed for securing confidential information, guiding employee behavior with respect to confidential information, and taking the steps needed to respond to and report any social engineering breaches.