literature survey on identity management


Page 1: Literature survey on identity management

Literature Survey to understand online identity management and its importance in E-commerce

Sathe, Vaibhav

Indian Institute of Management Lucknow, IIM Campus, Prabandh Nagar, Off Sitapur Road, Lucknow, Uttar Pradesh – 226013, INDIA

[email protected]

I. INTRODUCTION

Over the last decade we have observed an explosion of e-commerce. Forrester projects that the e-commerce market in the triad markets (U.S., Western Europe and Japan) will cross $400 Billion in 2012 [1]. Even in India, the e-commerce market has reached INR 460 Billion, about $10 Billion [2]. This translates to billions of transactions every year on the World Wide Web. After the launch of Apple's iPhone, the smartphone market exploded within a couple of years; Forrester also projects that smartphones and tablets together will reach the 1 billion device mark by 2016. M-commerce, the mobile version of e-commerce, is predicted to grow at a CAGR of 40% to $40 Billion by 2016 [3].

This e-commerce model is highly fragmented because capital requirements are low and the web, as the only medium, gives high reach to customers. There are therefore millions of online shops selling products or services, and from a security point of view that means millions of separate authentication systems. This complicates the task of a user who wants to access these sites. A typical online user has many username/password pairs: email accounts, social network accounts, an Amazon ID, an eBay login, a Netflix login, e-banking IDs, flight booking websites, an Apple/iTunes ID and so on. A common tendency is to reuse the same user ID or password across sites, but not every website allows this. Some websites assign user IDs automatically, some use email addresses, others require custom IDs. Websites also differ in their password rules: minimum length, block lists, special characters, uppercase letters or digits. This heterogeneity in authentication systems makes it hard for the user to remember the dozens of username/password pairs that are commonly required.

Some of these sites, such as email and social networks, are used very frequently, so users are less likely to forget those credentials. For occasionally used sites like Amazon or eBay, the likelihood that the user forgets the user ID is higher. The user also has little incentive to make the effort of recovering a forgotten password on such a website: creating a new account is an easy way to complete the purchase he or she is looking for. More sensitive sites like banks enforce password expiry and detect IP address or location changes, which further complicates the user's life; this is generally done because of the sensitivity of the information and/or legal requirements.

In this paper we look at the different identity management methods in use, the steps taken by websites to protect identity, the ways to recover a lost or stolen identity, and finally the value to users and websites of maintaining consistent identity information.

II. PROBLEM DEFINITION

Following are the objectives of this literature review.

(1) Various Identity Management Methods
We need to identify the various authentication and authorization methods used by popular e-commerce websites, the security measures taken to prevent identity theft, and how trust is managed in online transactions. Given the variety of authentication systems, there is a high likelihood that users will forget required credentials such as passwords. We therefore also need to identify the methods e-commerce websites use to let a user recover his or her credentials, and how easy that recovery is.

(2) Universal Identity Systems
We will identify various universal identity systems like Facebook Login, Google Account and Windows Live ID, look into Single Sign-On and Federated Identity methods, and evaluate whether such methods are an effective solution to this problem.

(3) Importance of User's Online Identity
We need to identify how a user's online identity is valuable to the user: the benefits of maintaining an identity with an e-commerce website and the potential losses from losing it. It is not only the user who benefits. E-commerce websites also benefit from tracking their users, so we will also look at the benefits e-commerce companies receive from maintaining the online identity of their users.

III. LITERATURE SEARCH

The literature surveyed is divided into the following sections.

A. Various Identity Management Methods
The following articles contribute to the first objective, identifying the various identity management methods. Full references are given in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | A Reference Model for Authentication and Authorisation Infrastructures Respecting Privacy and Flexibility in b2c eCommerce [11] | IEEE
2 | An assessment of website password practices [4] | Science Direct
3 | When the Password Doesn't Work [7] | IEEE
4 | Identity management in mobile ubiquitous environments [10] | IEEE

B. Universal Identity Systems
The following articles contribute to the second objective, identifying the role of universal identity management systems. Full references are given in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | Universal Identity Management Model Based on Anonymous Credentials [12] | IEEE
2 | What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID [13] | ACM
3 | OpenID: Single Sign-on for the Internet: A Security Story [14] | Blackhat USA

C. Importance of User's Online Identity
The following articles contribute to the third objective, identifying the importance of a user's consistent identity to vendors and customers. Full references are given in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | Consumer Trust in E-Commerce Web Sites: A Meta-Study [5] | ACM Computing Surveys
2 | Ethics of Collecting and Using Consumer Internet Data [8] | Information Systems Management
3 | Amazon.com Recommendations [9] | IEEE

IV. DATA EVALUATION

This section is split into the sections below.

A. Identity Management Methods

Schlager et al. [11] state that security in e-commerce is not unidirectional, i.e. only a threat to the website from malicious users; it is bidirectional. User data is of great value to websites, so there is also a threat to users from possible misuse of the data they have shared with a website in trust. The authors focus on b2c (business-to-consumer) e-commerce, the standard online shopping experience for most users, and this study is likewise limited to such websites. They use the term AAI, Authentication and Authorization Infrastructure, and propose a schematic reference model for a typical AAI system. An important characteristic of such a system is that it connects business partners so that data can be exchanged securely within a federated circle of vendors: when a customer buys from a site like Amazon, the site needs to share data such as the shipping address with the vendor and the logistics partners who will ship the product. The AAI has to be holistic and cover the end-to-end data transfer, because the threat to the user's private data exists at each stage. The authors identify three characteristics expected of any AAI that handles e-commerce: Privacy, Flexibility and Federation. Privacy means that only the details required for the transaction are shared, and that strict policies govern how that data is used. Flexibility means that not every validation is performed for every type of access: an email service may require fewer verification rules than a bank authorizing a transaction, so, based on the classification of the process, only the required validation rules are executed to authenticate the user and no more. Federation is explained in more detail in a later section.

Furnell [4] criticizes password-based authentication. He identifies problems such as (1) poor passwords, (2) risk of guessing from general knowledge about the user, (3) the same password kept for a long period and (4) the same password used across multiple sites and from multiple systems. He does not, however, blame users alone, and assesses the password practices of the top 10 websites. From our research point of view this assessment is what matters; we are less concerned with the paper's findings on the effectiveness of password authentication as such. The paper summarises the password restrictions and guidelines of these sites, and Furnell concludes that this heterogeneity is bad for the security of users' data. He recommends that sites switch to Single Sign-On or federated models such as Facebook, Windows Live ID or Google Accounts. He also makes an important observation: the complexity of a site's credential retrieval process is not correlated with the sensitivity of the information it holds. Yahoo has a more complex multi-step retrieval process than Amazon, which just emails a reset link, yet it is Amazon that stores credit card details for easy purchases, while Yahoo's largely advertisement-supported services give users little reason to store a card.

We have updated this summary against the current state of these sites, and included some websites not discussed in the paper that are more relevant to our research.

Cat. | Site | Authentication
EC | Amazon | User ID: email address. Password: min. 6 characters.
FI | BNP Paribas | User ID: assigned by bank, numeric. Password: 6-digit numeric code, forced change after 80 logins. Transaction verification through SMS.
EC | eBay | User ID: 6 or more alphanumeric characters. Password: 6-20 characters, mix of letters, digits and symbols, must differ from email and user ID. Password strength meter shown.
SN | Facebook | User ID: email address (not verified). Password: 6 characters. Birth date required but not verified.
EC | Flipkart | User ID: email address (not verified). Password: any.
SN | Google | User ID: @gmail.com address, 6-30 characters from letters, digits, _ and . Password: 8 characters; only a guideline not to use a pet name or another website's password.
FI | HDFC Bank | User ID: assigned by bank, numeric. Password: combination of letters, digits and symbols, forced change every 3 months, old password cannot be part of the new one. Phishing-proof image verification. Separate transaction password.
SN | LinkedIn | User ID: email address. Password: min. 6 characters.
SN | Twitter | User ID: custom, chosen by user. Password: min. 6 characters, block list of obvious passwords (e.g. "password"), strength meter recommending stronger passwords.
EC | Yatra | User ID: email address. Password: 6 characters. Mandatory mobile number and name, 4-character checks.

(Cat.: EC = e-commerce, FI = financial institution, SN = social network.)
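To make the heterogeneity in the table concrete, the following Go program is an added example (not code from the paper or from any of the sites listed): it encodes a few of the rule types as policy objects with assumed values shaped like the table's rows and checks one candidate password against all of them, so a practitioner can see which sites would accept a given password and which rules each one trips. The site names, the exact rule values and the identity fields are illustrative assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy models the kinds of rules the table above lists. The values in
// Policies below are illustrative assumptions, not the sites' live rules.
type Policy struct {
	Site         string
	MinLen       int
	MaxLen       int      // 0 means no upper bound
	DigitsOnly   bool     // numeric PIN style, as for the bank entries
	RequireAlpha bool
	RequireDigit bool
	RequireSym   bool
	Blocklist    []string // obvious passwords rejected outright
	NotEqualTo   []string // identity fields the password must differ from
}

// classify reports which character classes a password contains.
func classify(pw string) (alpha, digit, sym bool) {
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			alpha = true
		case unicode.IsDigit(r):
			digit = true
		default:
			sym = true
		}
	}
	return alpha, digit, sym
}

// Check returns every rule pw violates so the user sees all problems at
// once. identity carries the user's registered fields (email, user ID).
func (p Policy) Check(pw string, identity map[string]string) []string {
	var v []string
	n := len([]rune(pw))
	if n < p.MinLen {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLen))
	}
	if p.MaxLen > 0 && n > p.MaxLen {
		v = append(v, fmt.Sprintf("longer than %d characters", p.MaxLen))
	}
	alpha, digit, sym := classify(pw)
	if p.DigitsOnly && (alpha || sym) {
		v = append(v, "must contain digits only")
	}
	if p.RequireAlpha && !alpha {
		v = append(v, "needs a letter")
	}
	if p.RequireDigit && !digit {
		v = append(v, "needs a digit")
	}
	if p.RequireSym && !sym {
		v = append(v, "needs a symbol")
	}
	for _, bad := range p.Blocklist {
		if strings.EqualFold(pw, bad) {
			v = append(v, "on the obvious-password block list")
			break
		}
	}
	for _, field := range p.NotEqualTo {
		if val, ok := identity[field]; ok && strings.EqualFold(pw, val) {
			v = append(v, "must differ from "+field)
		}
	}
	return v
}

// Policies is a constructed set shaped like the table's rows (assumed values).
var Policies = []Policy{
	{Site: "Amazon", MinLen: 6},
	{Site: "BNP Paribas", MinLen: 6, MaxLen: 6, DigitsOnly: true},
	{Site: "eBay", MinLen: 6, MaxLen: 20, RequireAlpha: true, RequireDigit: true,
		RequireSym: true, NotEqualTo: []string{"email", "userid"}},
	{Site: "Twitter", MinLen: 6, Blocklist: []string{"password", "123456"}},
	{Site: "Flipkart"}, // "any"
}

// Accepts returns the sites whose policy accepts pw, showing how one
// password fares across heterogeneous rules.
func Accepts(pw string, identity map[string]string) []string {
	var ok []string
	for _, p := range Policies {
		if len(p.Check(pw, identity)) == 0 {
			ok = append(ok, p.Site)
		}
	}
	return ok
}

func main() {
	id := map[string]string{"email": "alice@example.com", "userid": "alice123"}
	for _, pw := range []string{"123456", "Winter2012!", "alice123"} {
		fmt.Printf("%-14q accepted by %v\n", pw, Accepts(pw, id))
	}
}
```

Note how the same six-digit PIN that the bank policy demands is rejected outright by a site with a block list, and how a password that satisfies the strictest composition rule is unusable at the bank: a user who wants one credential everywhere has no password that all five policies accept.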

Reeder and Schechter [7] identify that even genuine users cannot present the required password at all times, because passwords are forgotten, lost or stolen. "Stolen" here means that an unauthorized party has obtained the user's password and, to lock the genuine user out, has changed it. The website must therefore provide a way to regain access through secondary authentication, by techniques such as (1) emailing a reset link to the registered email address, (2) answering security questions, (3) sending a one-time code by SMS to the registered mobile, (4) asking for an old password and (5) asking a third party or a friend to vouch for the user. As the authors note, these secondary methods are a widespread weakness of the system. Security questions are standardised and based on the user's profile, and such information is often public in resumes or social network profiles such as Facebook. The authors classify the methods into (1) knowledge-based mechanisms, which rely on something the genuine user supplied at registration time, and (2) transitive mechanisms, in which authentication is delegated to another system such as email. They identify several problems with secondary authentication; we discuss only those that lead to the user forgetting the secondary credential. Security questions may not fit the user (e.g. the name of a first pet for someone who never had one) or may be dynamic (a favourite song changes over time). With email, the user may not remember which address was used at registration: people move between schools and companies and their email addresses change, which complicates retrieval. SMS-based retrieval suffers from people changing location or losing their phone and hence changing phone numbers, and a user travelling to another country may not have an active phone at all. In today's world of extreme mobility, phone-based authentication has serious limitations.

The following table summarizes the password retrieval techniques used by the 10 websites in the previous table.

Cat. | Site | Retrieval Method
EC | Amazon | Needs the email address registered with the site.
FI | BNP Paribas | No online recovery; possible from a branch office only.
EC | eBay | User ID recoverable via email. For the password, answer to a secret question chosen from a drop-down. If the email address is no longer available, re-registration is mandatory.
SN | Facebook | Recovery using email/phone number or information about one of the user's friends. A password reset code is sent.
EC | Flipkart | Enter email address to receive a reset link.
SN | Google | Recovery using the alternate email address given at registration; a link is sent. SMS verification possible depending on country.
FI | HDFC Bank | No online recovery; possible from a branch office only.
SN | LinkedIn | Enter email address to receive a reset link.
SN | Twitter | Needs the email address to retrieve a forgotten username and password.
EC | Yatra | Enter email address to receive a reset link.
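As an added example (not from the paper or from any of the sites above), the following Go code implements the transitive, emailed-reset-link mechanism described by Reeder and Schechter with the safeguards a practitioner would expect: a 256-bit random token of which only the SHA-256 digest is stored, a short expiry, single use, replacement of any earlier token when a new one is issued, and a uniform error so the response does not reveal which check failed. The in-memory store and the URL format are assumptions standing in for a site's database and link layout.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken is returned for any failure so the response does not
// reveal whether the account, the token, or the expiry was the problem.
var ErrInvalidToken = errors.New("reset token invalid or expired")

// resetRecord is what the site persists: only the SHA-256 digest of the
// token, so a leaked table does not hand out usable reset links.
type resetRecord struct {
	digest  [32]byte
	expires time.Time
}

// ResetService is a constructed in-memory stand-in for a database table.
type ResetService struct {
	records map[string]resetRecord // one outstanding token per user
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewResetService(ttl time.Duration) *ResetService {
	return &ResetService{records: map[string]resetRecord{}, ttl: ttl, now: time.Now}
}

// Issue mints a fresh 256-bit random token for userID, stores its digest
// with an expiry, and returns the raw token to embed in the emailed link.
// Issuing again replaces any earlier token, so only the newest link works.
func (s *ResetService) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.records[userID] = resetRecord{
		digest:  sha256.Sum256([]byte(token)),
		expires: s.now().Add(s.ttl),
	}
	return token, nil
}

// Redeem checks the token presented from the link against the stored
// digest. A match consumes the record (single use); a mismatch leaves it
// in place, so a guesser cannot invalidate the genuine user's link
// (rate limiting of this endpoint is assumed to exist elsewhere).
func (s *ResetService) Redeem(userID, token string) error {
	rec, ok := s.records[userID]
	if !ok {
		return ErrInvalidToken
	}
	d := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(rec.digest[:], d[:]) != 1 {
		return ErrInvalidToken
	}
	delete(s.records, userID)
	if s.now().After(rec.expires) {
		return ErrInvalidToken
	}
	return nil
}

func main() {
	s := NewResetService(15 * time.Minute)
	tok, _ := s.Issue("alice")
	// Hypothetical link layout; the site would email this to the registered address.
	fmt.Println("link: https://shop.example/reset?uid=alice&t=" + tok)
	fmt.Println("first redeem:", s.Redeem("alice", tok)) // <nil>
	fmt.Println("replay:", s.Redeem("alice", tok))       // reset token invalid or expired
}
```

The two retrieval-table failure modes that this cannot fix are the ones the authors point out: if the registered mailbox is no longer reachable the link never arrives, and if the mailbox itself is compromised the attacker, not the user, redeems it; which is why the bank rows above allow no online recovery at all.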

Johansen et al. [10] describe the identity management challenges of a mobile environment. Such an environment is characterized by a large number of devices (phones, tablets, laptops, MP3 players and so on), which consume services in the public or private domain depending on where and when they are used. Services are classified as high level or low level: high-level services are those of the carrier and the telecommunication network, tied to the SIM card; low-level services are those of a local Wi-Fi network at home or in the office. The authentication requirements at these levels are very different and are shaped by different access protocols: Wi-Fi-based systems mostly follow an Internet-style model, while SIM services authenticate using GSM protocols. There is a need for Single Sign-On across all such protocols through identity federation. Identity federation means that multiple identity systems are combined so that they rely on one server or system and trust the authentication it performs; the user logs in with one credential and is authorized on all linked services.

B. Universal Identity Systems
In the previous section we saw the importance of federated identity systems highlighted by several authors. In this section we look at academic papers and real-life examples of universal identity systems that let users log in once and use that login on all partner websites.

Zhang and Chen [12] describe a universal identity management model based on anonymous credentials; the paper actually extends WS-Federation to support anonymous credentials. We look at it only partially, to understand the characteristics expected of such a universal system. The system should provide brokering of identity, attribute, authentication and authorization assertions between domains, and preserve the privacy of the federated domains. Since most e-commerce websites are built on a Service Oriented Architecture (SOA), in which the user interacts with many services, user-oriented characteristics such as ease of use, consistent experience and transparent security are critical. Self-presentation of a valid identity matters because the user roams across multiple systems in space and time, especially from mobile devices. In practice this means the user holds a signed (and possibly encrypted) verified identity token; when it is presented to a client site, that site can accept the user's authenticity without going back to the authenticating server. This is achieved with certificates and digital signatures.
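The signed identity token the authors describe, as an added example in Go that is not the paper's or the WS-Federation model's code: the identity provider signs a small claim set with an Ed25519 key, and the relying party verifies it offline using only the provider's public key, checks that the token was minted for it (audience) and that it has not expired. The claim names, the token layout and the use of a bare Ed25519 public key rather than an X.509 certificate chain are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the claim set the identity provider signs. The field names
// are this example's own; they are not a standard token format.
type Assertion struct {
	Subject  string `json:"sub"` // the authenticated user
	Issuer   string `json:"iss"` // the identity provider
	Audience string `json:"aud"` // the relying party the token is meant for
	Expires  int64  `json:"exp"` // Unix seconds
}

var ErrBadToken = errors.New("assertion rejected")

// Issue runs at the identity provider: serialise the claims and sign them.
// Output is base64url(payload) "." base64url(signature).
func Issue(priv ed25519.PrivateKey, a Assertion) (string, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify runs at the relying party with no call back to the provider: it
// needs only the provider's public key (fetched once, e.g. from its
// certificate), the audience it expects to see, and the current time.
func Verify(pub ed25519.PublicKey, token, audience string, now time.Time) (Assertion, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Assertion{}, ErrBadToken
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Assertion{}, ErrBadToken
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Assertion{}, ErrBadToken
	}
	// Signature first: nothing in the payload is trusted before this passes.
	if !ed25519.Verify(pub, payload, sig) {
		return Assertion{}, ErrBadToken
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return Assertion{}, ErrBadToken
	}
	if a.Audience != audience { // a token minted for another site is useless here
		return Assertion{}, ErrBadToken
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return Assertion{}, ErrBadToken
	}
	return a, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Issue(priv, Assertion{Subject: "alice", Issuer: "idp.example",
		Audience: "shop.example", Expires: now.Add(5 * time.Minute).Unix()})
	a, err := Verify(pub, tok, "shop.example", now)
	fmt.Println(a.Subject, err) // alice <nil>
	_, err = Verify(pub, tok, "other-shop.example", now)
	fmt.Println(err) // assertion rejected
}
```

The audience check is what keeps a token stolen from one partner site from being replayed at another; the expiry bounds the damage when a token leaks, since the relying party never contacts the provider and so cannot learn about a revocation.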

Tsyrklevich and Tsyrklevich [14] explain what OpenID is. The best-known OpenID provider is Google Account, the authentication system of Google and its allied websites, which third-party websites can also use through Google Apps and federation. OpenID was designed as a single sign-on protocol for Web 2.0, the era of e-commerce and of the web as a two-way communication medium. It is a decentralized system: a user obtains an identifier from any of several providers, such as Google or Yahoo, and can then use that identifier on every OpenID-enabled website. This contrasts with centralized services like Microsoft Passport, where Microsoft itself stores users' authentication data and provides it as a service to any interested website. Such models carry an obvious conflict of interest: not everyone, least of all Microsoft's competitors, would trust it with that information, nor would they want to create such a dependency. OpenID, by contrast, remains neutral and offers multiple providers, so client websites can choose the one best suited to their requirements and business strategy. For end users the benefits of OpenID are Single Sign-On and the security measures (certificates, SSL, smart cards and the like) that providers can afford thanks to their scale.

OpenID and universal identity systems appear to solve the problem. But we need to look at the following paper to understand their limitations and why users are still not ready to trust such universal systems.

Sun et al. [13] conducted an empirical study in 2011 to find out why users are reluctant to adopt universal Single Sign-On such as Google Account (OpenID). They found the following behaviours, concerns and misconceptions. (1) Users' existing password management strategies reduced the perceived importance of Single Sign-On: they are comfortable with weak passwords and typically save passwords in the browser, so they rarely have to type them. (2) Single point of failure, which many users correctly identified as a concern. (3) Users misunderstood the OpenID model, believing that participating websites obtain their username and password from the identity provider such as Google. (4) Users were concerned about phishing, since they could not distinguish fake login forms from real ones. (5) Many users had privacy concerns about possible use of their personal data. (6) Users wanted a separate identity for websites holding sensitive information, such as banks, and did not want to share the username/password used there with less important sites (natural protection). (7) Many users did not understand why it was necessary to link accounts across websites and did not feel the need for SSO.

C. Importance of User's Online Identity
In a literature meta-study, Beatty et al. [5] build a qualitative model from empirically determined factors that affect the trust consumers place in a website when making a purchase. Consumers disclose a great amount of confidential information to websites, such as billing details and the authorization banks require to release payments. Users trust not only the vendor's intentions but also the vendor's capability to guard such information. Beyond payment information, vendors record a large amount of private information such as purchase history, from which a user's buying behaviour can easily be determined, and websites store cookies on the client side to identify the user quickly on the next visit. The authors use factor analysis to reduce and summarize the factors, and the most important factor identified is reputation: users trust reputed brands like Microsoft or Google with their capability to secure information.

Sipior et al. [8], writing on the ethics of collecting online shopping data, explain what data websites collect about consumers. It includes the communication channels the consumer uses most (phone, email, social networks), which helps advertisers target advertisements at the right channel. Clickstream data is also collected: access logs, cookies, computer and browser types, IP addresses and so on. Even third-party websites can track a user's access pattern on other sites through web bugs, one-pixel images embedded in the HTML but served from a different web server.

Linden et al. [9] highlight that Amazon's major marketing campaign is linked sales. Amazon recognizes customer purchase patterns and clusters them through associations; these are not necessarily simultaneous purchases but purchases made over time by the same consumer, and even the time between two purchases is tracked. This is used to create recommendations for all customers, communicated when they log in to the website or by email.

V. ANALYSIS AND INTERPRETATION

A. Identity Management Methods
As Schlager et al. [11] say, the bidirectional nature of security in e-commerce, together with the privacy laws emerging in many nations, has added complexity to building authentication systems. The criteria for an ideal Authentication and Authorization System discussed there are important to this discussion, and in section B on universal identity systems we look at how such systems fare against them.

Reeder and Schechter [7] discuss the various reasons why users forget passwords and find them hard to recover. An interesting recommendation is to give the user the freedom to choose which authentication methods to use; very few websites do. Since the user knows best the value of the information associated with a particular account and the conditions under which he uses it, the user should be the judge of his security needs, and a website should not uniformly apply the same set of authentication mechanisms to all its clients. They further suggest that websites regularly prompt the user to update such recovery information, as Google now does by asking users to verify their phone number and alternate email address from time to time. They also recommend that websites adapt the authentication requirement to user activity: a change of password, computer or location indicates a change in behaviour, and the website can then request additional authentication to detect illegitimate access attempts. Many banks do this; ICICI, for example, generates a One Time Password and sends it to the mobile number registered with the bank when the accessing PC changes, and only after entering this code can the user access the e-banking account. This, however, carries the same problems of mobile phone verification highlighted by Reeder and Schechter.
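The following Go code is an added example, not the authors' or any bank's implementation, that turns two points on this page into one policy: Schlager et al.'s flexibility criterion (only the validation rules the risk justifies are run) and the step-up on a changed device or location that Reeder and Schechter recommend and ICICI practises. The sensitivity tiers, factor names and the email fallback for users without a usable phone are assumptions.

```go
package main

import "fmt"

// Sensitivity is the tier the site assigns to an action or account: the
// flexibility criterion says validation effort should scale with it.
type Sensitivity int

const (
	Low    Sensitivity = iota // e.g. reading mail, browsing a catalogue
	Medium                    // e.g. a purchase against a stored card
	High                      // e.g. a bank transfer or credential change
)

// Factor names the checks a site can demand.
type Factor string

const (
	Password   Factor = "password"
	SMSOTP     Factor = "sms-otp"              // ICICI-style code to the registered phone
	EmailLink  Factor = "email-link"           // fallback when no usable phone is on file
	TxPassword Factor = "transaction-password" // HDFC-style separate secret for transactions
)

// Context is what the site observes about the attempt.
type Context struct {
	DeviceID string // identifier bound to a long-lived cookie
	Country  string // from IP geolocation
}

// Profile is the per-user history the site keeps (constructed here).
type Profile struct {
	KnownDevices   map[string]bool
	KnownCountries map[string]bool
	HasPhone       bool
}

// secondFactor picks the out-of-band channel, falling back to email so a
// user abroad without their phone is not locked out (the Reeder caveat).
func secondFactor(p Profile) Factor {
	if p.HasPhone {
		return SMSOTP
	}
	return EmailLink
}

// Required returns the factors to demand for this attempt. Low-tier access
// never steps up; medium-tier steps up when the device or country is new;
// high-tier always steps up and adds the transaction password.
func Required(p Profile, c Context, s Sensitivity) []Factor {
	factors := []Factor{Password}
	changed := !p.KnownDevices[c.DeviceID] || !p.KnownCountries[c.Country]
	switch {
	case s == High:
		factors = append(factors, secondFactor(p), TxPassword)
	case s == Medium && changed:
		factors = append(factors, secondFactor(p))
	}
	return factors
}

// Learn records the context after all required factors succeeded, so the
// same device and country do not trigger step-up next time.
func Learn(p *Profile, c Context) {
	p.KnownDevices[c.DeviceID] = true
	p.KnownCountries[c.Country] = true
}

func main() {
	p := Profile{KnownDevices: map[string]bool{"dev-1": true},
		KnownCountries: map[string]bool{"IN": true}, HasPhone: true}
	abroad := Context{DeviceID: "dev-2", Country: "FR"}
	fmt.Println(Required(p, abroad, Medium)) // [password sms-otp]
	Learn(&p, abroad)
	fmt.Println(Required(p, abroad, Medium)) // [password]
}
```

Learn must only be called after every demanded factor has passed; recording the device on a password-only success would let an attacker with a stolen password whitelist their own machine and never face the step-up.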

As Johansen et al. [10] highlight, system complexity has increased with the explosion of smartphones. Identity management is critical for mobiles because users are continuously online from them, while at the same time the devices carry a higher risk of physical access through theft. Mobile banking and stock trading are also on the rise.

B. Universal Identity Systems
As explained by Zhang and Chen [12], e-commerce websites should think about the user when designing their authentication. We are not debating here whether the framework the authors propose is the best way to achieve this, but the desired characteristics of such a system that they identify are important. Such a system can bring the consistent identity for the user that we discussed in the objectives of this paper.

As explained in the OpenID paper, an open, decentralized system that is well supported by Internet giants like Google appears to be a good solution to the problem of maintaining a consistent user identity. But there can be other ways. One possibility is for the user's operating system to integrate identity itself and then federate it with any interested website; Microsoft experimented with this through Windows CardSpace, but it did not find much support. Another is that, if users do not trust usernames and passwords, the operating system can integrate biometric security and federate that: Windows supports logging in to the local PC with a fingerprint scan. There are obvious limitations, though, in managing such information and in the physical security of the credentials, and the trust problem with centralized security providers remains unanswered.

Sun et al. [13] help us understand several issues that affect adoption of Single Sign-On and universal identity systems. It is easy to see that users trust their local browsers, which store passwords in plaintext or in a form recoverable by anyone with access to the machine, more than the OpenID providers that take the utmost care under the protocol to protect their identity. Concerns like a single point of failure or the natural protection obtained through different passwords are valid, but they can be handled with changes to how OpenID is used: for critical accounts, some more advanced credential, such as an OTP (one-time password) or an additional password, can be required in addition to the username and password. The remaining misconceptions are clearly a matter of user awareness; users should be made aware how dangerous it is to store passwords in browsers, which can be compromised in so many different ways.

C. Importance of User's Online Identity
Against the observation by Beatty et al. [5] that a site's reputation indicates higher trust in the vendor's capability to guard users' information, we cite a real-life contradiction, which also highlights why it is important to consolidate authentication methods. On February 12, 2012, the online store of Microsoft India was hacked by a group of Chinese hackers [6]. The username/password information of thousands of users was stolen, and the hackers used it to compromise the users' email accounts, since most users had the same password for their email. The breach happened because the online store was not actually run by Microsoft but licensed to a third-party vendor company. That company did not use Microsoft's own Windows Live ID security system but implemented its own custom security, and the passwords were stored in plain text rather than hashed. The store was taken down for several weeks, presumably for a security revamp. This highlights negligence on Microsoft's part in licensing its valued brand name to a third company without even basic checks on the security implemented, and it shows that user information on e-commerce websites is extremely sensitive and must be handled carefully. Users trusted the Microsoft online store as one operated by Microsoft, not knowing that a vendor company operated it on Microsoft's behalf, and so they placed the same trust in the intentions and capability of Microsoft Store India as they would in any other site under the umbrella of Microsoft Corp.

The paper by Sipior et al. [8] is a little old, and several things have changed with the rise of Ajax and mobile applications, but some foundational points still apply. We are not aiming to discuss the ethical implications here; the paper helps us understand all the information that is tracked about a user and how useful it can be to an e-commerce business. The primary information collected is the most effective communication medium, access patterns and preferences, which naturally have huge benefits in optimizing advertisement spending and increasing its effectiveness.

The paper of Linden et al. [9] on e-commerce pioneer Amazon highlights that technology enables businesses to react quickly to changing customer data, to their benefit. The ability of a business to track customer preferences accurately is critical for survival, and consistent maintenance of the user's online identity is therefore very important.

VI. CONCLUSION

Based on this literature survey we learnt about the identity management frameworks that exist today on popular e-commerce websites and about user behaviour with respect to security management. We have identified the importance of maintaining a consistent identity from both the user's and the vendor's point of view, and the only practical solution is a single sign-on or global identity management system that is decentralized and open, like OpenID. But some of the users' concerns about its adoption are valid, and a future design should answer them categorically.

REFERENCES

[1] Forrester predictions on E-commerce, retrieved from http://www.fortune3.com/blog/2011/01/ecommerce-sales-2011/ on Feb. 26, 2012.

[2] Internet and Mobile Association of India (IAMAI) report on Indian E-commerce Market Size, retrieved from the Economic Times website on Feb. 24, 2012.

[3] Forrester US m-commerce report, retrieved from http://techcrunch.com/2011/06/17/forrester-u-s-mobile-commerce-to-reach-31-billion-by-2016/ on Feb. 26, 2012.

[4] Furnell S., An assessment of website password practices, Computers & Security, Vol. 26, 2007, Science Direct.

[5] Beatty P., Reay I., Dick S., Miller J., Consumer Trust in E-Commerce Web Sites: A Meta-Study, ACM Computing Surveys, Vol. 43, No. 3, Article 14, April 2011. ACM Digital Library.

[6] Javed A., Microsoft's India Store Hacked, Times of India, retrieved from http://articles.timesofindia.indiatimes.com/2012-02-13/security/31054691_1_passwords-security-breach-hackers.

[7] Reeder R., Schechter S., When the Password Doesn’t Work – Secondary Authentication for Websites, IEEE Computer and Reliability Societies, March/April 2011.

[8] Sipior J., Ward B., Rongione N., Ethics of Collecting and Using Consumer Internet Data, Information Systems Management, Winter 2004.

[9] Linden G., Smith B., York J., Amazon.com Recommendations – Item-to-Item Collaborative Filtering, IEEE Internet Computing Jan-Feb 2003, IEEE Computer Society.

[10] Johansen T., Jorstad I., Thanh D., Identity management in mobile ubiquitous environments, Internet Monitoring and Protection, 2008, IEEE Computer Society.

[11] Schlager C., Nowey T., Montenegro J., A Reference Model for Authentication and Authorization Infrastructures Respecting Privacy and Flexibility in b2c eCommerce, Proceedings of Int’l Conference on Availability, Reliability and Security 2006, IEEE.

[12] Zhang Y., Chen J., Universal Identity Management Model Based on Anonymous Credentials, IEEE International Conference on Services Computing, 2010, IEEE Computer Society.

[13] Sun S., Pospisil E., Muslukhov I., Dindar N., Hawkey K., Beznosov K., What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID, Proceedings of Symposium on Usable Privacy and Security, ACM.

[14] Tsyrklevich E., Tsyrklevich V., OpenID: Single Sign-on for the Internet: A Security Story, Proceedings of Blackhat USA 2007.