ELECTRONIC COMMERCE
Financial transactions that occur over an electronic network are all examples of electronic commerce. We use electronic commerce systems to withdraw cash from automatic teller machines (ATMs), pay for store purchases using EFTPOS (electronic funds transfer at point of sale), buy and sell goods over the Internet and perform electronic banking transactions over the Internet. The majority of Australians participate in one or more electronic commerce transactions every day. Indeed Australia is one country that has enthusiastically embraced all forms of electronic commerce systems. In this section we examine ATMs, EFTPOS, Internet banking and trading over the Internet.
AUTOMATIC TELLER MACHINE (ATM)
Today most Australians are familiar with the operation of automatic teller machines (ATMs), at least from the user’s perspective. ATMs are present outside banks, within shopping malls, in service stations and numerous other locations. There are a number of different ATM networks in Australia – most are operated by or on behalf of banks. Today all these networks are connected, both within Australia and also to most overseas networks. As a consequence it is possible to make a withdrawal from an Australian bank account from almost any ATM in the world. Similarly tourists, when in Australia, can withdraw cash from their home accounts. Each ATM includes at least two collection (input) devices and at least four display (output) devices.
Collection devices include a magnetic stripe reader that collects magnetic information from the back of the customer’s card. This data is used to identify the customer and their financial institution. A keypad is used to enter the customer’s PIN (Personal Identification Number) and to enter other numeric data. Most ATMs include buttons beside the screen that initiate the functions displayed on the screen. Some versions include a touch screen and hence buttons beside the screen are not required. Display devices include the screen – which is often a CRT although LCD screens are becoming popular. A receipt printer produces a hardcopy record of any transactions performed. A speaker is embedded within the ATM to provide basic audio feedback as keys are pressed. The cash dispenser is a specialised display device that includes many security functions to ensure it delivers the exact amount of cash.
[Figure: ATM components: magnetic card stripe reader, keypad and screen buttons, cash dispenser, receipt printer, screen]
Cash dispensers include a safe that contains drawers for each denomination of bank note and another drawer for reject bills. The cash dispenser includes two sensors and various mechanical parts for moving bank notes. One sensor counts the number of bills and the other measures the thickness of each bill. Any bills that do not meet specifications are diverted to the reject drawer at the top of the safe.
Most modern ATMs are essentially personal computers with specialised peripheral devices housed in secure cabinets. They include a standard PC motherboard and processor running common operating systems such as Windows and Linux. To approve transactions all ATMs are connected to a network that ultimately must be connected to the customer’s bank. ATMs installed outside banks usually include a permanent Ethernet connection to the bank’s network; those within shopping centres connect using a dedicated phone line, whilst smaller ATMs within service stations include a dial-up modem that only connects when required. The quantity of data transferred during a typical ATM transaction is small. If the ATM is operated by the customer’s bank then the approval process is simplified as the transaction can be completed in real time. For example when an ANZ customer makes a withdrawal from an ANZ ATM the funds are directly debited from the ANZ customer’s account without passing through any other accounts. However the process becomes more complex when a customer performs transactions using an ATM operated by some other financial institution. The funds move from the customer’s account into the cash account of the financial institution operating the ATM. This transfer must be approved before any cash is dispensed. The process becomes even more complex for privately operated ATMs, such as those found in many service stations and shops. Such transactions are similar to EFTPOS transactions; we shall consider an example during our EFTPOS discussion that follows.
ELECTRONIC FUNDS TRANSFER AT POINT OF SALE (EFTPOS)
EFTPOS terminals are now standard equipment at the register of most retail stores. Using the EFTPOS system buyers can pay for goods electronically using either a credit or debit card. In other countries the EFTPOS system is known by various other names. For example in the USA it is known simply as POS; in the UK the term EFTPOS is not used, rather users refer to EFTPOS cards as debit cards. Currently New Zealanders are by far the highest users of EFTPOS. In New Zealand customers are not charged for EFTPOS transactions – as a result EFTPOS is routinely used for purchases of just 10 or 20 cents. A typical EFTPOS terminal includes a keypad and magnetic stripe reader as collection devices, and a monochrome LCD screen and a small thermal printer as display devices. Most EFTPOS terminals transmit and receive transaction data over the PSTN via a built-in dialup modem. Wireless versions that communicate over mobile phone networks and Ethernet versions that communicate over the Internet are also available. In all cases the data is secured during transmission using a public key (two-key) encryption system. In larger department stores it is common for the processes performed by EFTPOS terminals to be integrated with the store’s internal register and point of sale systems. Within smaller stores EFTPOS terminals operate independently of the store’s register. Consider the following: a typical EFTPOS purchase transaction using an EFTPOS terminal within a store. These processes are similar to making a withdrawal from a privately owned ATM within a store. The store owner is called the merchant, hence eventually the funds must move from the customer’s account into the merchant’s account. If the device is a privately operated ATM then in most cases the merchant is responsible for filling the ATM with cash from their own funds. In Australia it is common for both customers and merchants to be charged for transactions; however merchant charges generally decrease as usage increases.
Some private ATM companies will actually pay the merchant a small commission when usage exceeds some agreed limit. In our example the host server is operated by the private company who supplied the EFTPOS machine to the store. The processes occurring during a typical EFTPOS transaction are described below and are summarised on the DFD in
• Customer swipes card through magnetic stripe reader and the card number is read.
• Merchant enters sale amount into EFTPOS terminal’s keypad.
• Customer selects account and enters their PIN via the keypad.
• EFTPOS terminal dials host server and connects.
• EFTPOS terminal transmits encrypted card number, account type, PIN and sale amount to host server.
• Host server determines the customer’s financial institution based on the card number.
• Host server connects to customer’s financial institution and transmits encrypted transaction details including card number, account type, PIN and sale amount.
• Financial institution approves the transaction only if it can verify the customer based on their PIN, the customer has sufficient funds in their account and the customer has not used their daily EFTPOS limit.
• If the transaction is approved the financial institution responds to the host by transmitting a unique transaction ID together with an OK. The financial institution reserves the funds to prevent them being used by other transactions.
• The host processor receives the OK from the financial institution and causes the transfer of funds from the customer’s account into the host’s cash account. This is the electronic funds transfer (EFT) part of the transaction.
• Host verifies the funds have been transferred to its cash account and records all details of the transaction.
• Host sends an OK to the EFTPOS terminal to confirm the transfer is complete and the EFTPOS terminal responds to the host that it has received the message.
• The host receives the OK from the terminal and commits the transaction. If no OK is received then the entire transaction is reversed.
• The EFTPOS terminal prints a receipt for the customer and for the merchant.
• Each evening the host processor calculates the total amount owing to each merchant. These totals are transferred via an automatic clearing house (ACH) from the host’s cash account into each merchant’s account. Note that this step is not included on the DFD in
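The host-side part of the sequence above, as an added example written for this section (it is not code from the original text or from any real payment system): a simplified Python simulation of the approval checks, fund reservation, EFT step, reversal when the terminal’s OK never arrives, and the evening ACH settlement. The bank, card number, BIN table, PIN hashing, lockout threshold and return codes are all constructed assumptions.

```python
"""Simplified EFTPOS host flow: approval checks, fund reservation, EFT step, reversal, ACH settlement."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def pin_digest(pin: str, salt: str) -> str:
    # Demo only: a real issuer verifies PINs inside an HSM, never from a plain hash.
    return hashlib.sha256((salt + pin).encode()).hexdigest()


@dataclass
class Account:
    balance: int                   # cents
    pin_hash: str
    salt: str
    daily_limit: int               # cents per day
    spent_today: int = 0
    reserved: dict = field(default_factory=dict)  # txn_id -> cents held
    pin_failures: int = 0


class FinancialInstitution:
    MAX_PIN_FAILURES = 3           # assumed lockout threshold (not stated on the page)
    def __init__(self, accounts: dict):
        self.accounts = accounts   # card number -> Account

    def authorise(self, card: str, pin: str, amount: int):
        """Approve only if the PIN verifies, funds suffice and the daily limit holds;
        on approval reserve the funds. Returns (True, txn_id) or (False, reason)."""
        acct = self.accounts.get(card)
        if acct is None:
            return False, "UNKNOWN_CARD"
        if acct.pin_failures >= self.MAX_PIN_FAILURES:
            return False, "CARD_BLOCKED"
        if not hmac.compare_digest(pin_digest(pin, acct.salt), acct.pin_hash):  # constant time
            acct.pin_failures += 1
            return False, "BAD_PIN"
        acct.pin_failures = 0
        if amount > acct.balance - sum(acct.reserved.values()):
            return False, "INSUFFICIENT_FUNDS"
        if acct.spent_today + amount > acct.daily_limit:
            return False, "DAILY_LIMIT"
        txn_id = secrets.token_hex(8)
        acct.reserved[txn_id] = amount  # held so no other transaction can spend it
        return True, txn_id

    def settle(self, card: str, txn_id: str) -> int:
        """The EFT step: turn the reservation into an actual debit."""
        acct = self.accounts[card]
        amount = acct.reserved.pop(txn_id)
        acct.balance -= amount
        acct.spent_today += amount
        return amount

    def reverse(self, card: str, amount: int) -> None:
        # Undo a settled debit because the host never received the terminal's OK.
        acct = self.accounts[card]
        acct.balance, acct.spent_today = acct.balance + amount, acct.spent_today - amount


class Host:
    def __init__(self, bin_table: dict):
        self.bin_table = bin_table  # leading card digits -> FinancialInstitution
        self.cash_account = 0       # cents held on behalf of merchants
        self.log = []               # committed transactions (txn_id, merchant, last4, cents)
        self.owing = {}             # merchant -> cents owed

    def process(self, merchant, card, pin, amount, terminal_acks=True) -> str:
        fi = self.bin_table.get(card[:4])    # institution is found from the card number
        if fi is None:
            return "DECLINED:NO_ROUTE"
        ok, ref = fi.authorise(card, pin, amount)   # ref is a txn_id or a decline reason
        if not ok:
            return f"DECLINED:{ref}"
        moved = fi.settle(card, ref)         # customer account -> host cash account
        self.cash_account += moved
        if not terminal_acks:                # no OK from the terminal: reverse everything
            self.cash_account -= moved
            fi.reverse(card, moved)
            return f"REVERSED:{ref}"
        self.log.append((ref, merchant, card[-4:], moved))  # record only the last 4 digits
        self.owing[merchant] = self.owing.get(merchant, 0) + moved
        return f"APPROVED:{ref}"

    def evening_settlement(self) -> dict:
        """Totals owing per merchant, paid out of the cash account via the ACH."""
        totals, self.owing = self.owing, {}
        self.cash_account -= sum(totals.values())
        return totals


def build_demo():
    # Constructed sample data: one bank, one card, $100.00 balance, $50.00 daily limit.
    salt = "demo-salt"
    bank = FinancialInstitution({"5012340000000001": Account(
        balance=10_000, pin_hash=pin_digest("1234", salt), salt=salt, daily_limit=5_000)})
    return Host({"5012": bank}), bank
```

Amounts are kept in integer cents so that balances and limits compare exactly; the reservation, settle and reverse steps mirror the reserve-then-commit ordering in the list above.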
For ATM transactions a slightly different sequence is involved. In most cases the host system verifies the customer using their PIN prior to the transaction amount and type being entered. This allows ATM customers to complete many transactions without the need to re-enter their PIN. Note that privately operated ATMs do not provide functions for transferring funds between accounts or for performing deposits.
INTERNET BANKING
Internet banking allows bank customers to pay bills, transfer money between accounts and perform various other functions from the comfort of their home or office. Most banks and other financial institutions encourage their customers to use Internet banking as it is considerably more cost effective compared to face-to-face or even telephone operator assisted services. Furthermore Internet banking is convenient for customers as they need not travel to a branch and the service is generally available 24 hours a day and 7 days a week. To access Internet banking the customer must have a computer connected to the Internet, together with a user ID and password from their financial institution. The customer’s web browser connects directly to the bank’s web server using a URL commencing with https rather than http. The use of https indicates to the web browser that the http protocol is to be used together with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. SSL and TLS operate within the OSI transport layer just above TCP. Both these Communication Control and Addressing Level protocols use public key encryption to ensure the secure delivery of data in both directions. Most web servers accept https client requests on port 443 rather than the usual port 80 used by http web servers. Once an https session has been secured most web browsers display a small padlock icon in their status bar.
Furthermore this URL ends with the file extension .shtml rather than the more usual .htm or .html. The extension .shtml refers to hypertext mark-up language documents with embedded “server-side includes”. In this banking example the “server-side includes” cause the bank’s web server to add data specific to the customer prior to transmitting the web page. Clearly this is necessary to customise each page using the customer’s account and transaction details. Server-side means that the server executes programming code and the resulting output is sent to the client – in this case the customer’s web browser. There are various other server-side systems such as CGI (Common Gateway Interface) and ISAPI (Internet Server Application Programmers Interface). For Internet banking the server-side code causes SQL SELECT statements to execute on the bank’s database servers. The results returned from the select queries are then combined with the html web page and transmitted securely to the customer’s web browser. Consider the following: There have been numerous attempts to illegally access Internet banking sites. It is unclear just how many attempts have been successful – banks are reluctant to share such information. Some common examples include:
• Fraudulent emails claiming to be from banks that request user names and passwords. Often such emails are sent randomly to thousands of email addresses in the hope that some unsuspecting users will respond. Such fraud attempts are so common they have been given their own name – “phishing”.
• Emails that direct customers to fraudulent web sites that imitate the real site. One such scam opened an SSL page that precisely imitated the real bank’s login screen, except that when the login button was clicked an error message was displayed followed by the real bank’s login page. The user name and password were sent to the illegal operators.
• Malicious software that records keystrokes, such as passwords, and sends them to illegal operators. Such software usually installs as part of some other software product and is an example of a Trojan.
• Identity theft, where a fraudulent person obtains sufficient information about another so that they can contact the bank, identify themselves as the other person and have the password altered.
Trading Over the Internet
Buying and selling goods over the Internet is booming. Individuals and small business are able to sell to worldwide markets with little initial setup costs. Buyers are able to compare products and prices easily from the comfort of their own home. Online auctions, such as eBay, provide a means for selling and purchasing. Furthermore processing payments for goods is simplified using sites such as PayPal.
Trading over the Internet has resulted in the creation of virtual businesses. These businesses do not require shop fronts and are able to set up operations across the globe without the need to invest in expensive office space. Such businesses are an example of a virtual organisation – other types of virtual organisation exist to complete specific projects, collaborate on new standards or simply to share common interests. For example a database application can be developed using a team of developers who each live in different countries. One of the most significant problems facing businesses that sell over the Internet is establishing customer trust and loyalty. Most people feel they are more likely to receive quality service and product support when they purchase from a traditional store. Traditional shopfronts have permanence about them and furthermore customers are negotiating deals face-to-face. This is not the case when trading over the Internet. In general the only contact is via the website and email messages. Internet only businesses must provide exceptional customer service and support if they are to overcome these issues. Another significant concern for Internet buyers is security of purchasing transactions, in particular security of account details such as credit card numbers and account numbers. Companies, such as PayPal, resolve this concern by acting as a “middleman” between buyer and seller. The buyer submits their financial details to the middleman, who makes the payment to the seller on behalf of the buyer. The seller never receives the customer’s credit card or account details. The funds are withdrawn from the buyer’s account and deposited into the seller’s account by the “middleman”. Consider PayPal: Currently PayPal is the world’s most popular online payment service. PayPal maintains accounts for each of its customers – both buyers and sellers. When making a purchase, funds must first be deposited into your PayPal account.
These funds are then transferred into the seller’s PayPal account. Sellers are then able to transfer the funds from their PayPal account into any bank account throughout the world. All PayPal financial transactions are encrypted using the SSL protocol. PayPal is currently owned by eBay and hence paying for eBay items using PayPal is the preferred method. PayPal provides their service to all types of online stores and services. Some sellers direct customers to the PayPal site as one payment option whilst others integrate the PayPal system within their site such that all payments are effectively made using PayPal. For sellers the use of PayPal removes the need for them to set up their own secure payment systems and to have them certified according to the legal requirements of their country. Furthermore PayPal can accept payments in almost any currency from people almost anywhere in the world. Behind the scenes PayPal maintains communication links to banking systems and clearing houses throughout the world. These various systems charge fees to process transactions. PayPal does not charge buyers for a basic account; however they charge sellers a percentage on their sales in much the same way that merchants are charged by banks for credit card sales. PayPal also makes much of their money from interest earned on the money within PayPal accounts.