Wednesday, September 28, 2011

IMPROVING THE TRUSTWORTHINESS OF ONLINE TRANSACTIONS IN NIGERIA

The Cashless Lagos initiative currently led by the Central Bank of Nigeria (CBN) is set to go live on the 1st of January, 2012. The next couple of weeks will also see the CBN sensitizing stakeholders in Lagos on this new initiative for a cashless economy and the safe and secure options for making electronic payments. An electronic payment in its simplest sense is the making of payment(s) via an electronic terminal or platform and forms an integral part of the e-commerce ecosystem. The importance of e-commerce seems to be hinged on the prediction of JP Morgan senior analyst Imran Khan that global ecommerce revenue is expected to grow nearly 19 per cent in 2011 to the tune of $680 billion.

Electronic payment systems can be grouped into four broad categories: online electronic cash systems, electronic cheque systems, smart-card-based electronic payment systems and online credit card payment systems (the main emphasis of this article). Each payment scheme has its advantages and disadvantages for customers and merchants, and these systems share a number of distinct requirements, e.g. security, acceptability, convenience, cost, anonymity, control and traceability. An online credit card payment system seeks to extend the functionality of existing credit cards for use as an online payment tool. According to Laudon and Traver (2002), this payment system has been widely accepted by consumers and merchants throughout the world and is by far the most popular method of payment, especially in retail markets. This form of payment system has several advantages that were never available through the traditional channels of payment. Some of the most important are privacy, integrity, compatibility, good transaction efficiency, acceptability, convenience, mobility, low financial risk and anonymity.

But this payment system has also raised several problems for consumers and merchants. Irrespective of the convenience it offers, it is still fraught with security challenges. Recent experience has shown that cyber criminals have evolved in response to the current trend of making payments online by engaging in phishing attacks such as website spoofing. Website spoofing occurs where the cybercriminal masquerades as a known entity by setting up a phony website very similar to the website operated by that entity and attempts to obtain valuable information, such as credit card details, from the online consumer. In response to this threat, trusted entities in the website community established the Extended Validation (EV) certificate. An EV certificate is a type of public key certificate issued to a website operator according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the issuing “trusted third-party” certification authority before the certificate is issued. A website secured with an EV certificate is important in two ways. First, it identifies the legal entity that operates the website: it gives the online consumer reasonable assurance that the website being accessed is controlled by a specific legal entity identified in the EV certificate by name, address of place of business, jurisdiction of incorporation or registration, and registration number or other disambiguating information. Second, it prevents a man-in-the-middle attack by facilitating the exchange of encryption keys, so that debit/credit card details are scrambled when exchanged between the online consumer and the website. The primary purpose, however, seems to be establishing the legitimacy of a business claiming to operate a website.
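To make the identity fields concrete, here is an added Python example (written for this post; it is not code from the article, nor a tool of any certification authority) that takes a certificate in the structure Python's `ssl.getpeercert()` returns and reports which of the EV identity fields listed above are present. The two certificates embedded in it are constructed samples with placeholder names and a placeholder registration number, not real issued certificates, and the attribute names used for the jurisdiction fields are an assumption about how the local OpenSSL build renders them, which is why the check accepts the long name, the short name and the raw OID.

```python
"""Summarise the legal-entity identity fields of a server certificate.

Added example for this post; not part of the original article. The two
sample certificates below are constructed for illustration (placeholder
organisation, hostnames under .test, placeholder registration number).
"""
import socket
import ssl

# Subject attributes an EV certificate must carry, with what each tells
# the visitor. Attribute names are the OpenSSL long names that
# ssl.getpeercert() returns for common attributes.
REQUIRED_EV_FIELDS = {
    "organizationName": "legal name of the entity",
    "businessCategory": "type of entity, e.g. Private Organization",
    "serialNumber": "registration number in the jurisdiction",
    "countryName": "country of the place of business",
    "localityName": "city of the place of business",
}

# Jurisdiction of incorporation. How these are rendered depends on the
# OpenSSL build (assumption), so long name, short name and OID are all
# accepted. The OIDs are the Microsoft-assigned jurisdiction OIDs used by
# the EV Guidelines.
JURISDICTION_FIELDS = {
    "jurisdictionCountryName", "jurisdictionC", "1.3.6.1.4.1.311.60.2.1.3",
    "jurisdictionStateOrProvinceName", "jurisdictionST", "1.3.6.1.4.1.311.60.2.1.2",
    "jurisdictionLocalityName", "jurisdictionL", "1.3.6.1.4.1.311.60.2.1.1",
}

# Constructed sample: an EV-style subject with all identity fields present.
SAMPLE_EV_CERT = {
    "subject": (
        (("jurisdictionCountryName", "NG"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "RC000000"),),  # placeholder registration number
        (("countryName", "NG"),),
        (("localityName", "Lagos"),),
        (("organizationName", "Example Bank PLC"),),
        (("commonName", "online.example-bank.test"),),
    ),
    "subjectAltName": (("DNS", "online.example-bank.test"),),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "notAfter": "Jan  1 00:00:00 2013 GMT",
}

# Constructed sample: a domain-validated subject, which only names the host.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "login.example-bank.test"),),),
    "subjectAltName": (("DNS", "login.example-bank.test"),),
    "issuer": ((("commonName", "Example DV CA"),),),
    "notAfter": "Jan  1 00:00:00 2013 GMT",
}


def flatten_subject(subject):
    """Turn getpeercert()'s tuple of RDN tuples into a flat attribute dict."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def summarise_identity(cert):
    """Report which EV identity fields the certificate subject carries.

    Returns the entity fields found, the jurisdiction values, the required
    fields that are missing, and whether the subject is even a candidate for
    EV. Carrying all fields is necessary, not sufficient: a browser treats a
    certificate as EV only when its certificate-policy OID matches the one
    recorded for that CA in the browser's root store.
    """
    subj = flatten_subject(cert.get("subject", ()))
    entity = {k: subj[k] for k in REQUIRED_EV_FIELDS if k in subj}
    jurisdiction = [subj[k] for k in subj if k in JURISDICTION_FIELDS]
    missing = [k for k in REQUIRED_EV_FIELDS if k not in subj]
    if not jurisdiction:
        missing.append("jurisdictionCountryName")
    return {
        "entity": entity,
        "jurisdiction": jurisdiction,
        "missing": missing,
        "ev_candidate": not missing,
    }


def fetch_peer_cert(host, port=443, timeout=10):
    """Connect with the default verifying context and return the parsed
    peer certificate. Chain validation and hostname matching happen inside
    wrap_socket; a failure there raises ssl.SSLCertVerificationError, so a
    certificate is only ever inspected after it has been accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert()


if __name__ == "__main__":
    for label, cert in (("EV-style sample", SAMPLE_EV_CERT),
                        ("DV-style sample", SAMPLE_DV_CERT)):
        print(label, summarise_identity(cert))
```

Run directly, the script prints the summary for the two samples; `fetch_peer_cert` performs the live lookup against a real host and hands the result to `summarise_identity`. Two caveats worth keeping in mind: the encryption and key exchange described above come with any SSL certificate, EV or not, so it is the verified identity fields that set EV apart; and those fields alone are necessary rather than sufficient, because EV status is ultimately asserted by the certification authority's policy OID as recognised by the browser's root store.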

A recent development in website assurance is the use of trustmarks. Trustmarks are electronic or visual labels indicating that an e-merchant has demonstrated its conformity to standards regarding e.g. security, privacy and fair business practices. E-merchants hope that, by displaying the trustmark on their websites, online consumers will trust the certified practices and be more likely to divulge their personal data and transact with them. Against this background, it is worth mentioning that the guidelines on electronic banking introduced by the CBN in 2003 are silent on the obligations of financial service providers to ensure that websites used for e-banking are protected with EV certificates or even any form of secure socket layer (SSL) encryption technology. The closest these guidelines come to this obligation is to require that banks ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank's identity and regulatory status prior to entering into e-banking transactions, and that ISPs exercise due diligence to ensure that only websites of financial institutions duly licensed by the CBN are hosted on their servers. ISPs that host unlicensed financial institutions would therefore be held liable for all acts committed through the hosted websites. However, the circumstances under which the information provided by banks on their websites is deemed adequate, and under which ISPs are deemed to have properly exercised due diligence, have unfortunately not been made any clearer under the Guidelines. In my view, operators of websites capable of processing online transactions owe it as a duty of care to their numerous online consumers to ensure that, as a minimum, their websites are “trusted” and that transactions processed on them are secure.
On this score, the need arises for our federal legislators to pass the cybercrime bill, which was unfortunately killed in the last legislative session. Recently the demand for a Cybercrime Framework has been renewed by the charismatic IT evangelist Gbenga Sesan through an e-petition on the www.change.org website. A cybercrime regime will go a long way in complementing the efforts of website operators in assuring their websites, and will also work decisively to intervene where phishing attacks and other forms of cyber nuisance are committed in cyberspace.