Determining the adoption of e-transaction authentication frameworks in Nigerian Commercial Banks

The Internet is a network of networks which gives the business user a global reach. Though many users of the Internet are happy surfing the web and interacting with friends on social media, there is skepticism when it comes to doing financial transactions over an open network like the Internet. Security of e-transactions has continued to be the number one concern of every user of such platforms. The Internet offers great opportunities to businesses but at the same time poses great danger. The only assumption that can be made about the Internet is that it does not offer any security whatsoever. In this work the authors, through a survey and an extensive literature review, sought to know if Nigeria was mature enough to adopt e-transaction services. Results from the survey obtained from IT managers among 13 top Nigerian banks show that 70 percent of the respondents have knowledge of a legal framework for authenticating e-transactions in Nigeria as well as knowledge of enterprise security policy, while less than 70 percent have knowledge of any disaster recovery plan. SSL and Firewalls were found to be the most popular authentication services in use across these banks.

cashless driven. Apart from online retail shops and e-commerce websites, retail outlets encourage their customers to do cashless transactions on POS terminals by offering some discounts. In this paper we examine the prospects of e-transactions in Nigeria with its attendant security challenges.
II. BACKGROUND RESEARCH
In this section we review some background theories and technologies on the subject, as well as provide a review of related literature.

A. Drivers of e-transaction
The Internet is a network of networks which gives the business user a global reach. The Internet offers great opportunities to business but at the same time poses great danger. The Internet does not offer any security whatsoever. Anybody who has the right tools can enter into any company's computer online and steal information or perform one malicious act or the other. While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before [4]. The Internet is basically an insecure communication medium. The only assumption which can safely be made when considering the Internet as a communication medium is that it offers no security whatsoever [5].
The growth of the Internet within the last decade is astronomical. A number of options are now more readily available to deliver the Internet to users. From the era of the ARPANET when the only medium was multi-user terminals to the PC era, and now to handheld devices, the Internet is delivered through Wireless Access Protocols (WAP). The pervasiveness of the Internet is motivated by emerging digital mobile terrestrial services and technologies that are bringing data services to hundreds of millions of users worldwide [5]. Some industrialized countries are already providing 4G mobile terrestrial services. The Internet can now be received on the go, anywhere, anytime. Internet appliances and pervasive computing are reducing the technical requirements for network services and are creating direct relationships between business and consumers [6]. A global electronic economy is being created where changes in one part of the globe affect many other parts [7].
E-business or e-commerce is one of the main forces driving this digital revolution. The core activities of e-commerce are business transactions between two parties, possibly mediated by a third party, a trusted third party as it is called. In fact, before the term e-commerce appeared, companies already practiced Electronic Data Interchange (EDI), which is basically electronic transaction via computer networks. While it is creating new business models and opportunities by giving products and services a global reach, it is also creating new challenges for service providers. The challenges are greater in the developing world, where infrastructure is poor and technical knowledge is low due to low investment in IT education and development, as well as non-availability of power. Despite the enactment of the Electronic Transactions Act 2007 in Sudan, [8] finds many deficiencies, such as poor infrastructure and a lack of skilled and well-trained human resources in the banking sector and security, which remain the key factors that constrain the applicability of e-banking. The major concern of electronic transactions is how to protect transactions from eavesdroppers (which can steal and modify the information in the transactions) and how to make sure those transactions are authenticated [4].
B. Cryptography as an E-transaction Driver
E-transaction security has come to occupy an increasingly central place in our lives over the past twenty years. This has been a direct result of the enormous increase in the development and use of networked and distributed systems over this period. Financial transactions on the Internet are gaining currency now. Distributed financial transactions, even if they are in the simple form of withdrawing money from an ATM, using Point of Sale (PoS) for payment and other banking transactions, have become part of many people's lives today. Financial institutions such as banks provide their services online. The advancement of communication technologies has also resulted in huge quantities of digital data in the publicly shared network media. This calls for a serious need to secure the communication channels. Secure communication depends upon encryption of messages exchanged between communicating parties.
This section explains the cryptographic techniques used in implementing the authentication services deployed in Nigerian banks as discovered from the results of our survey above. The approach of cryptography is a method of securing data in open networks like the internet and assumes the following:
i. It is feasible for each computer in the network to encrypt and decrypt message contents efficiently with arbitrary keys, and that these keys are not readily discoverable by exhaustive search or cryptanalysis. Keys cannot be compromised, otherwise the flaws in these systems can be used to subvert the protocol.
ii. That both symmetric and asymmetric encryption algorithms are the basis for the protocol presented.
iii. An intruder can interpose a computer in all communication paths, and thus can alter or copy parts of messages, replay messages or emit false material.
Figure 1 is the graphical illustration of the cryptographic processes. The algorithm is composed of encryption (E) and decryption (D) processes which usually are identical or simply consist of the same steps performed in order. The encryption and decryption is based upon the type of cryptography scheme being employed and some form of key. The encryption process is represented as $C = E_K(P)$, while the decryption process is represented as $P = D_K(C)$, where P = plain text, C = ciphertext, E = the encryption process, D = the decryption process, and K = the key.
With the advances taking place in cryptography, governments, organizations, military units, and some corporate houses started adopting the applications of cryptography. This led to the drastic development of cryptographic techniques. Cryptography is considered to be one of the fundamental building blocks of computer security [9]. Data can be encoded with the aid of cryptographic techniques (encryption) in order to ensure that it appears unintelligible to the public or a third party and coherent only to its intended receivers. Encryption of data is usually accomplished by combining plain text data (the input) with a secret key using a particular encryption algorithm. The result (output) is a cipher-text. Unless someone or a computer has the secret key, they cannot convert the cipher-text back to plain text. This encryption methodology is at the core of any of the secure protocols [10]. Although many types of difficult problems can be classified as cryptography problems, what people are mostly concerned with today is the ability to keep transmissions private through the use of data encryption techniques, which has become a paramount issue due to the changing nature of communications since the information revolution. Cryptography makes use of the following mechanisms:
i. Data encryption for confidentiality
ii. Digital signatures to provide non-repudiation, authentication and message integrity
iii. Digital certificates for authenticating users, applications and services, and for access control (authorization).
Gray in [11] notes that, in data and telecommunication, cryptography is necessary over any untrusted medium, particularly the Internet, and that modern cryptography today performs five primary functions: privacy/confidentiality, authentication, integrity, non-repudiation and key exchange (key distribution and management). These primary functions of cryptography match the important security requirements of e-transactions. Hence, the security of any network system is ensured if cryptographic protocols are well implemented. All the fundamental services offered by cryptography have enabled the conduct of business over networks using computer systems in an extremely efficient and effective manner. The security of cryptography is mainly based on secrecy of the key rather than the cryptographic algorithms. Therefore, there is a need for keys to be shared without compromise. This gave rise to key management as an additional function of modern cryptography. For the purpose of this research work, the cryptographic algorithm is treated in a very abstract way. The work is more concerned with what security properties such algorithms provide and not with details of how they are implemented. There are three cryptographic schemes used for security of e-transactions, as shown in figure 2: secret key cryptography, public key cryptography and cryptographic hash functions. Each scheme is optimized for specific functions and applications. Secret key cryptography is ideally suited to encrypting messages, thus providing privacy and confidentiality. Public key cryptography, on the other hand, can also be used for non-repudiation and user/message authentication. Public-key cryptography could, theoretically, also be used to encrypt messages, although this is rarely done because secret-key cryptography operates about 1000 times faster than public-key cryptography.
Eman in [12] asserts that adopting public key cryptography is important to provide a high level of confidentiality, integrity and authentication services for online transactions, but it needs a trusted way of distributing public keys. Public key infrastructure (PKI) is a solution for assuring the authenticity of public keys via qualified digital certificates (DC). Public key cryptography has two basic applications: digital signature, and key management and distribution. Public key cryptography requires a PKI for assuring the authenticity of public keys via qualified digital certificates, and for managing digital certificates and encryption keys for people, programs and systems. Finally, hash functions are well suited for ensuring data integrity because any change made to the contents of the message will result in the receiver calculating a different hash value than the one placed in the transmission by the sender. Since it is highly unlikely that two different messages (inputs to the hash function) will yield the same hash value (second pre-image resistance property of cryptographic hash function), data integrity is ensured to a high degree of confidence. There are two specific requirements of key management for public key schemes: secrecy of the private key and assurance of public keys. The most crucial requirement of assurance of public key can be achieved through the
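The hash-based integrity argument above, checked against assumption iii (an intruder who can alter and replay messages), as an added example that is not code from the paper or from any surveyed bank. It shows that an unkeyed digest sent alongside a message can be recomputed by whoever alters the message, while a keyed MAC (HMAC-SHA-256) with a sequence number lets the receiver reject both alteration and replay. The account identifiers, key, message layout and function names are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: a shared secret key and a funds-transfer message.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TRANSFER = {"seq": 1, "from": "ACC-001", "to": "ACC-002", "amount": 5000}


def encode(msg):
    """Canonical byte encoding so sender and receiver hash identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal_hash(msg):
    """Sender, unkeyed: the payload plus its SHA-256 digest."""
    body = encode(msg)
    return body, hashlib.sha256(body).hexdigest()


def verify_hash(body, digest):
    """Receiver, unkeyed: recompute the digest and compare."""
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), digest)


def seal_mac(key, msg):
    """Sender, keyed: the payload plus an HMAC-SHA-256 tag."""
    body = encode(msg)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Receiver:
    """Verifies the MAC first, then rejects sequence numbers already seen."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad MAC"
        seq = json.loads(body)["seq"]
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def alter_in_transit(body):
    """Models assumption iii: the message is changed on the path. Without the
    key, the only check value that can be recomputed is an unkeyed digest."""
    msg = json.loads(body)
    msg["to"] = "ACC-999"
    new_body = encode(msg)
    return new_body, hashlib.sha256(new_body).hexdigest()


def demo():
    results = {}
    body, digest = seal_hash(TRANSFER)
    results["hash_untouched"] = verify_hash(body, digest)
    # The altered message verifies, so the alteration goes undetected.
    results["hash_altered"] = verify_hash(*alter_in_transit(body))
    rx = Receiver(SHARED_KEY)
    body, tag = seal_mac(SHARED_KEY, TRANSFER)
    results["mac_altered"] = rx.accept(*alter_in_transit(body))
    results["mac_genuine"] = rx.accept(body, tag)
    results["mac_replayed"] = rx.accept(body, tag)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A digest protects integrity only when it reaches the receiver over a path the intruder cannot modify, or when it is bound to a key, as in a MAC or a digital signature.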

C. E-transaction Security challenges
The security in question in this work is how to protect transactions from undue disclosure, prevent attack, or how to detect attacks and recover from them. An attack is a deliberate attempt to compromise a system; it usually exploits weaknesses in the system's design, implementation, operation or management [13]; [14]; [15]. Attacks can be active or passive. An active attack involves attempts to alter system resources or affect their operations, while a passive attack involves attempts to learn or make use of information from the system but does not affect system resources. An active attack is difficult to prevent but should be detected, while a passive attack is difficult to detect and should be prevented.
Many reports regarding online fraud in Nigeria create scepticism for conducting transactions online, especially through an open network such as the Internet which offers little or no security whatsoever. This calls for urgent attention in improving the security measures required to protect the network, users, businesses, and organizations, especially now that Nigeria has adopted the electronic payment system known as the Treasury Single Account (TSA) in all the Federal Government's financial transactions. By this, all Ministries, Agencies, Departments (MDAs), and Schools, are now paying one form of fee or the other through different online platforms, like REMITA, for example, the Federal Government's licensed partner. Many Schools have introduced web portals and now accept debit/credit cards for payments and other daily activities that are online based that demand serious security framework.
As the scale of e-transactions has grown, it has become very attractive to criminals and the volume of fraudulent e-transactions is also growing rapidly. The Nigerian Inter Bank Settlement System (NIBSS), in 2014 disclosed that Nigeria recorded 1,461 cases of fraud compared to 822 in 2013. Meanwhile, the central switch discloses that fraud in the Nigeria payment system and that of the global community has been on the increase over the past few years as technological advances impact on the way people do their businesses. Therefore, there is urgent need to develop, and implement a security protocol that will provide security services for online transactions. The consequences of lack of e-transactions security are potentially disastrous. This places a high premium on ensuring that e-transaction security is not misused. Security can basically be considered as a study of what the potential misuses of such systems are and how they can be averted.

D. Review of Related Literature
E-transaction is a phenomenon that has emerged in Nigeria and has been considered a key component in the trend towards globalization and the creation of the "e-society" as one of the driving forces transforming societies worldwide [16]. Some view electronic transaction as a source of problems; others realize that it also offers many opportunities to fulfil their role more effectively and meet the increased expectations of effective transactions. Some of the benefits of electronic transactions are prevented from being realized because of security threats and lack of legislative enactment [16]. Establishing e-transaction services can bring significant advantages for users and for businesses, but the participants are most concerned about security. Ajeet et al. in [15] note that the following are the important security requirement areas for successful e-transactions: authentication, secrecy/confidentiality, data/information integrity, non-repudiation and access control. Mohammad (2002) notes that e-transactions, as the new way of commerce, create vast opportunities but at the same time pose security challenges. The security and privacy issues are of deeper concern than ever before. The Internet is basically an insecure communication medium. Most people are sceptical about the security of the Internet. The author in [4] also notes that people are happy using the World Wide Web for browsing, searching, reading or downloading information from the Internet, but when considering e-transaction activities such as fund transfer, online payment, e-payment, or sending a credit card number over the Internet, they are reluctant because of the alarming rate at which network security incidents are occurring. Unfortunately, organizations are still faced with the challenge of trying to understand the types of attacks faced by their infrastructural assets [17].
There are a number of ways of classifying and characterizing the countermeasures that may be used to reduce vulnerabilities and deal with threats and attacks to information system assets. The most common classification is by functional requirements: those that require computer security technical measures (hardware, software or both) and those that are fundamentally management and non-technical issues. Pita and Wipawan [18] opine that, in order to address e-transaction security requirements, well-established cryptography mechanisms and protocols were believed to be a 'magic pill' and the most adequate security toolkit.
Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries). More generally, it is about constructing and analysing protocols that overcome the influence of adversaries and which are related to various security requirements of e-transactions such as data confidentiality, data integrity, authentication and non-repudiation [19]; [20]. Applications of cryptography include ATM cards, computer passwords and electronic commerce [19]. A cryptographic protocol, also called a security protocol, is a message exchange that uses encryption in order to achieve security goals such as secrecy or authenticity over an open network that might be controlled by a hostile party.

III. MATERIALS AND METHOD
This research work adopted a survey approach in which a questionnaire with questions bordering on e-transaction technologies awareness and adoption in the banking industry was distributed to IT infrastructure managers at the headquarters of thirteen (13) top commercial banks in Nigeria. For the purpose of this paper we shall focus only on two of the items, which are awareness of the legal framework for authenticating e-transactions in Nigeria and the percentage distribution of authentication services used by banks in Nigeria.

IV. RESULTS
The findings are shown in table 1 and figure 3, respectively. Table 1 shows the survey results on legal framework for authenticating e-transaction in Nigeria. The table shows that about 70 percent of the respondents have knowledge of legal framework for authenticating e-transaction in Nigeria. About 46 percent of the legal framework came from the Central Bank of Nigeria (CBN), 15 percent of the legal framework is industry based and less than 8 percent of the legal framework is International. A little above 76 percent of the respondents have knowledge of enterprise security policy. Also, less than 70 percent of the respondents have knowledge of any disaster recovery plan. About 46 percent of the respondents identified Off-site backups as the disaster recovery plan, while 23 percent of the respondents identified Networks redundant links as the disaster recovery plan, and about 15 percent of the respondents use Service and equipment replication as the disaster recovery plan. On knowledge of fraud reporting, about 92 percent of the respondents said yes.
From the above findings it may be safe to say that Nigeria is adopting e-transaction services and there is a legal framework in place for its growth and effective use, which the operators are aware of.
On types of authentication services, figure 3 shows the percentage distribution of authentication services used by banks in Nigeria. The figure shows that SSL (23 percent) and Firewalls (23 percent) are the most popular authentication services used. These are followed by Directory-based (15 percent), Radius (8 percent) and Trusted Third Party (8 percent). However, no bank used Kerberos, PKI, or MAC for authentication services. In the following section, the paper discusses the findings of some authors with respect to the results of this work.

A. Discussion
A number of authors agree that Nigeria's developmental goals will be accelerated if she adopts e-transaction in various daily socio-economic activities, but they also sounded a note of caution. Odior and Fadiya in [21] stated that the development of innovative cashless banking has the potential to transform economic activity and achieve developmental goals if an effective cashless banking system can be developed, which will have the desired impact on the Nigerian economy. They also reiterated that central banks and governments must play a key role in promoting the development of popular forms of e-banking channels. The issue of identity theft is a major challenge to wider adoption of e-transaction like e-banking.
While many ICT users find it easier to do a whole lot of things online, they are very sceptical when it comes to financial transactions using online platforms. Ayo and Ukpere in [22] observe that because of a lack of safety, security, privacy and reliability in e-payment platforms there is an increase in cash circulation. They proposed the introduction of a smart card-based ATM with biometric authentication to combat the problem of identity theft. Ayo et al. [23] observed that the major use of the Internet among the Nigerian populace is for email and social networking; they suggested B2C e-commerce system usage, using a combination of information system adoption models. Asokan et al. in [24] agree that electronic funds transfer over financial networks is reasonably secure, but securing payments over open networks like the Internet poses a new set of challenges. Kim et al. [25] see customers' perceptions of the security of e-payment systems as a major factor in the evolution of electronic commerce in markets.
V. CONCLUSION
This paper has investigated the implementation and adoption of e-transaction in the Nigerian context. While e-transaction is rapidly gaining popularity and acceptance among users, there is still a perceived fear about its reliability and security. It is also discovered that there is a policy for the implementation of e-transaction from the government and bank regulating bodies, but like every new technology it is not without its teething problems. Overall, the prospects of its gains seem to outweigh its perceived challenges. Many authors and users believe that it is the right direction in accelerating the country's socio-economic growth to ensure that Nigeria is on par with other global players. E-transaction, especially when viewed in economic terms, encourages policies that promote a cashless society and solves the problems of the high cost of printing physical cash, monetary instability, excess liquidity, as well as inefficient allocation of resources and a low depth of financial intermediation.