Financial Transactions On The Web

It appears that a proper direction in which to move in attacking the secrecy problem in large military and commercial communication systems, is to design the cryptographic provisions as an integral part of the digital switching system.

Paul Baran, On Distributed Communications, Volume XI, 1964.

It is likely that commercializing the Net would have a negative effect on its open, free-wheeling nature which is certainly its charm and possibly its reason for success. The Net was started on a noncommercial basis and continues that way to this day; it has grown and matured in that atmosphere, showing innovation and growth without the profit motive… If the high-speed network must be experimented with, why not let the commercial interests take over that work and leave unfixed that which is not broken.

– Lee Hauser; The Net Works; Amateur Computerist; 1992.

The Internet is now used for commercial transactions of all kinds, and is often more convenient, less expensive, and more secure than off-line purchases.

In general, buying things on the Internet is as safe as buying something by any other means. The risk of interception of your credit card number in transit over the net is low, and interception is almost impossible when the number is properly encrypted. Once the number gets to the destination site, it is usually as secure as with any other business that processes credit card numbers. There have been few reports of widespread problems using credit cards with well-known, trustworthy sites, although there have been a disconcerting number of reports of companies' financial databases being hacked, with potential disclosure of previously recorded transactions.

Of course, never give your credit card number or other personal information to a site sent to you in spam email, or to a site you know nothing about until you have searched for independent information about it.

If you buy a lot of things over the net, you might want to get a separate credit card for all of your Internet transactions, which makes it easier to keep track of your virtual finances.

The Secure Electronic Transactions (SET) standard was widely promoted in the late 1990s as the best architecture for secure Internet commerce, had the support of many major industry players, and has influenced the development of subsequent efforts. A key feature of SET was the hiding of a buyer's credit card number from the organization they are buying from: a central organization would authenticate the credit card number, provide the seller with confirmation, and forward the funds, without revealing personal information to every online shop and store the buyer wanted to buy something from. The industry has now implemented many of the SET features in practice, if not quite as the overarching architecture originally envisioned, with the financial aspects of many online sales taking place through large and increasingly trusted online merchants like Yahoo Stores, PayPal, and others.
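SET hid the card number from the seller with a "dual signature" that ties an order to a payment while each party sees only its own half. This added example (not code from the original page or from the SET specification) sketches it with SHA-256 and a constructed toy RSA key standing in for SET's SHA-1 and certificate-backed RSA. The field names and sample strings are assumptions, and the encryption SET applied to the payment half is omitted.

```python
import hashlib

# Constructed toy RSA key for the cardholder, built from two Mersenne primes.
# Textbook (unpadded) RSA like this is for illustration only, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the cardholder

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(message_digest: bytes) -> int:
    return pow(int.from_bytes(message_digest, "big"), D, N)

def signature_matches(signature: int, message_digest: bytes) -> bool:
    return pow(signature, E, N) == int.from_bytes(message_digest, "big")

def cardholder_prepare(order_info: bytes, payment_info: bytes):
    """Cardholder: sign the hash of both digests, then split the message."""
    oimd, pimd = digest(order_info), digest(payment_info)
    dual_sig = sign(digest(pimd + oimd))
    to_merchant = {"order_info": order_info, "pimd": pimd, "sig": dual_sig}
    to_gateway = {"payment_info": payment_info, "oimd": oimd, "sig": dual_sig}
    return to_merchant, to_gateway

def merchant_verify(msg) -> bool:
    """Merchant sees the order and only a digest of the payment data."""
    expected = digest(msg["pimd"] + digest(msg["order_info"]))
    return signature_matches(msg["sig"], expected)

def gateway_verify(msg) -> bool:
    """Payment gateway sees the card data and only a digest of the order."""
    expected = digest(digest(msg["payment_info"]) + msg["oimd"])
    return signature_matches(msg["sig"], expected)

# Constructed sample data; 4111111111111111 is a widely used test card number.
ORDER = b"order=1001;item=book;total=19.95"
PAYMENT = b"pan=4111111111111111;exp=12/30;total=19.95"

if __name__ == "__main__":
    to_merchant, to_gateway = cardholder_prepare(ORDER, PAYMENT)
    print("merchant accepts:", merchant_verify(to_merchant))
    print("gateway accepts:", gateway_verify(to_gateway))
    print("merchant holds card data:", "payment_info" in to_merchant)
```

Changing either the order or the payment data after signing makes both verifications fail, which is what stops a seller from attaching a valid payment authorization to a different order.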

Most sites that accept your credit card number also use encryption with the Secure Sockets Layer (SSL) protocol to hide your financial data as it is sent from your computer to the web server. You can tell that a site is using SSL when the URL contains the prefix “https:”, often with a picture of a closed lock or key shown on the bottom border of the browser window. The latest update to SSL is the Transport Layer Security (TLS) protocol.

One efficient way to manage your web transactions is described below:

  • Folder. Create a folder called “Transactions”.
  • Document. Create a document for each web site you perform a transaction with, named after the site for easy identification, e.g. “Yahoo.doc”.
  • Information. For each transaction, enter the following in the document:

    – Date and time of the transaction.
    – The item you bought.
    – The method of payment – credit card, etc.
    – Confirmation number.

    Whenever possible, select and copy this information from the confirmation web page. Otherwise, you can type it or capture the web page as follows:

    Mac: Press <Apple><Shift>3, which will sound like a camera shutter and take a picture of the screen, usually stored in a file with a name starting with “Picture” on your hard drive.

    PC: Press <Alt><Print Screen>, which copies the current window into the clipboard, which you can then paste into the tracking document as a picture.

    Unix: Use the built-in window snapshot capability, or a utility like XV.

Resources. Several companies worked on virtual electronic cash technologies in the early years to push forward the processes and technologies, including Cybercash.com, Ecashtechnologies.com, Millicent.com, and Mondex.com, although the rising acceptance of credit card use and browser encryption methods ended up largely displacing most of their efforts. The following references provide information on Internet commercial standards:

  • RFC 2246; T. Dierks, C. Allen; The TLS Protocol Version 1.0; January 1999
  • RFC 2801; D. Burdett; Internet Open Trading Protocol; April 2000
  • RFC 3106; D. Eastlake, T. Goldstein; ECML v1.1: Field Specifications for E-Commerce; April 2001
  • RFC 3506; D. Eastlake; Requirements and Design for Voucher Trading System; March 2003
  • RFC 3538; Y. Kawatsura; Secure Electronic Transaction (SET) Supplement for the v1.0 Internet Open Trading Protocol (IOTP); June 2003
  • RFC 3867; Y. Kawatsura, M. Hiroya, H. Beykirch; Payment Application Programmers Interface (API) for v1.0 Internet Open Trading Protocol (IOTP); November 2004