On-line security system doesn't cut it
ONE of the technologies designed to make transactions over the Internet safe is a dud, says Internet expert Mark Shuttleworth, chief executive at international certifying authority Thawte.
SET (Secure Electronic Transactions) is endorsed by credit card companies, but it is too complex, slow and expensive to implement, says Shuttleworth.
"Thousands of banks around the world joined in announcing support for SET," he says, "but, recently, there has been silence.
"The banks have re-evaluated. Electronic commerce is exploding around us and most on-line shoppers are using credit cards to buy, but SET doesn't get a mention."
So what's gone wrong?
Says Shuttleworth: "SET is an example of the mass adoption by institutions of the wrong technology. First, there was already a general-purpose security technology built into the browsers, called SSL, which allows the secure transmission of card information between a browser and a web site.
"Each time the padlock on the bottom of the web site is closed, you know you are in secure mode, and can safely send sensitive information without risking interception by an unknown party. Also, you can view the contents of the digital certificate issued to that web site, so you know exactly which company you are sending your details to.
"Consumers have realised, too, that they are protected from fraud by association rules limiting personal liability to $50 (about R300).
"If you see items on your card statement that you did not buy, simply charge them back. Your bank will refund you.
"SET, itself, has some major technical problems. It's a huge, complex protocol, and that makes it very difficult to find two implementations from different vendors that will actually talk to one another successfully. The Internet has been driven by fast, efficient, open standards, and SET just doesn't cut it. The cost of implementing SET at a medium-sized bank is more than R3-million. That's too much for any bank to pay in order to generate a return on their investment," he says.
But Shuttleworth acknowledges that, from a security point of view, SET does some things that SSL does not. For example, each transaction is digitally signed, whereas SSL only protects the card details while they are in transit between the browser and the web site.
"But," he says, "the overhead to achieve that is vast, and the resulting protocol is so complex that no cryptographer is prepared to call it secure. As a general rule, the more complex a protocol the harder it is to ensure its security."
In the future, merchants need to develop faster ways of communicating with the banking system for real-time credit card verification and fraud detection, so that they can process web orders more efficiently. Banks might like to expand the PIN system into the Internet world using the principles of SET without all of the baggage.
Says Shuttleworth: "SET is not dead - once the real world catches up with the Internet, it might be feasible for banks to justify the investment needed in a full SET implementation.
"For the moment, however, banks should be encouraging their merchants to adopt safe business practices and standard SSL security for credit card transactions."