Information Security Seminar IT 6873 E-Commerce Security: Preventing Fraud By preventing Identity Theft Diane M. Duhé Metcalf May 6, 2012

Preventing Fraud by Preventing Identity Theft


Page 1: Preventing Fraud by Preventing Identity Theft

Information Security Seminar, IT 6873

E-Commerce Security: Preventing Fraud by Preventing Identity Theft

Diane M. Duhé Metcalf

May 6, 2012


Project Summary:

E-Commerce is a relatively new way of doing business. Over the last several years, it has become a convenient, trusted, accepted and often less expensive way to purchase goods and services. As E-business continues to grow, the potential for exposure to threats also increases. As the threats become more damaging and/or widespread, “security” becomes critical in preventing fraud. There are many types of security already in place; however, most internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name.

This paper concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It demonstrates that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft.

Conducting an Identity Theft Prevention class with a group of elementary school faculty and staff was the method used in this study.

I had expected to gain knowledge as well as a realistic perspective regarding the nature, and the best implementation, of E-Commerce Security, in regard to internet fraud.

Introduction

What is Internet fraud?

Internet fraud is a type of cybercrime in which fraudulent transactions are committed by using deception. The National Consumer League's Fraud Center lists 25 different scams currently making the rounds on the Internet, including these types of internet fraud:

- Advance fee (Nigerian letter scam)
- Business or employment scams
- Counterfeit checks
- Credit or debit card fraud
- Identity theft
- Freight forwarding or reshipping
- Investment schemes
- Non-delivery of goods/services
- Online auction and other sales
- Phony escrow
- Pyramid or “Ponzi” schemes (fraudulent investment operations) (1)

Many scams are variations of those same scams that were in existence before the Internet ever existed. The only difference is that Internet scammers utilize email, chat, forums and false websites instead of more traditional methods such as telephone and US mail. (2)

Internet credit card fraud occurs when an e-Commerce merchant is unaware that an order that was placed was not placed by, and will not be paid for by, the authentic cardholder. (3) Typically, with e-commerce fraud, credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name. (It is much easier to commit credit card fraud via an e-commerce transaction than it is to do in person.) When the real cardholder receives the statement from the issuing bank and reports the fraud, a chargeback must be issued by the merchant. This means that the merchant refunds all the expenses, and pays an additional fee. (4)

Identity thieves gain access to consumers' information by stealing checks, bank statements, wallets/purses, or by proffering a phony offer via phone or email. More recently, the more common ways of obtaining sensitive information are to create imitation but realistic-looking bank or merchant websites, or to send emails that request security information from the consumer by instructing them to click on a link and input their personal information. The information is then used to steal their identity in order to access their bank accounts, obtain loans, or to use their credit cards.
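Since the paragraph above describes mail that hides a different destination behind a link, here is an added example (not from the paper) of the check a mail filter or a cautious reader can apply: compare the host shown in the link text with the host the href actually points to. The sample message and all hosts in it are constructed placeholders.

```python
"""Flag links in an HTML e-mail whose visible text names one host while the
href points somewhere else (added example; not from the paper).

SAMPLE_EMAIL and every host in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Dear customer, your account needs verification. Click below.</p>
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="https://examplebank.com.account-check.example/verify">www.examplebank.com</a>
"""


def host_of(text: str) -> str:
    """Lower-cased host named by a URL or bare hostname; '' if text is not one."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        return ""
    if "://" not in text:
        text = "http://" + text  # bare hostname as shown in link text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return hrefs whose real host differs from the host shown in the text.

    Link text that is not a hostname or URL (e.g. 'Help centre') is not judged;
    a target that is a bare IP address is always reported.
    """
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown, target = host_of(text), host_of(href)
        bare_ip = target.replace(".", "").isdigit()
        if bare_ip or (shown and "." in shown and shown != target):
            flagged.append(href)
    return flagged
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the IP-address link and the look-alike subdomain link, and leaves the genuine help link alone.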


Merchants who accept credit cards online are subject to additional examination and processes in the ongoing effort of protecting credit card information. Online merchants are also subject to:

- higher transaction fees to offset the cost of security
- more stringent shipping requirements
- paying the cost of becoming and staying PCI compliant

The merchant is held responsible for any accepted fraudulent transaction.

Through the issuance of the “Red Flags rule” and “Red Flags guidelines” for financial institutions, our government has provided a means of protecting consumers from identity theft. Legislation requires merchant compliance, and this compliance helps to foster trust-based relationships. (5)

Objective

“Security” is no longer about keeping “just” networks, or individual computer systems, protected. Today, “security” is considered to be a legitimate business strategy, protecting the business as a whole. Security is not merely a collection of “features”. It is a system process whereby the weakest link in the security chain establishes the level of security for the entire system. (6) Oftentimes, even when the security technology works seamlessly, utilizing multiple aspects of layered technology, including those offered by credit card issuers, fraud still takes place. This is due to the consumer being the weakest link in the chain!

“Security” is not just for businesses or merchants; rather, individual consumers need to understand the concept of security as it pertains to e-commerce, and to take personal responsibility for their role in the protection of their data and the prevention of fraud.


Existing Issues

- Privacy: information must be kept safe from unauthorized access.
- Integrity: information must not be altered or tampered with.
- Authentication: sender and recipient must prove their identities to each other.
- Non-repudiation: proof is needed that the message was actually received.

The vulnerability of a system exists at these entry and exit points:

- Shopper’s computer
- Network connection
- Website’s server
- Software vendor

There are at least 3 transactions whereby sensitive information is vulnerable during an e-Commerce purchasing transaction: (7)

1. Credit card information supplied by the customer. Handled by the server's SSL and the merchant/server's digital certificates.

2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway.

3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and payment gateway.

Privacy: information must be kept safe from unauthorized access. This issue is currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.

Integrity: information must not be altered or tampered with. Maintaining the Integrity of information is achieved by using digital signatures. The use of digital signatures meets the need for authentication and integrity.

Authentication: sender and recipient must prove their identities to each other. To verify that a website that is receiving sensitive information is actually the intended website (not an imposter), a digital certificate is employed.

Non-repudiation: proof that the message was actually received.

State-of-the-art research/methodologies


PKI

A PKI (public key infrastructure) consists of:

- A certificate authority (CA) that issues and verifies a digital certificate. The certificate includes the public key and/or information about the public key.
- A registration authority (RA) that verifies the certificate authority before a digital certificate is issued to the requestor.
- Directories where the certificates and their public keys are held.
- A certificate management system.

PKI enables users of an unsecure public network (i.e., the Internet) to securely and privately trade data and/or currency by using public and private cryptographic key pairs that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identify an individual or an organization, and also provides directory services that store and even revoke the certificate, if necessary. (8) PKI automates the process of verifying a certificate's validity. It provides the ability to publish, manage, and use public keys easily.

RSA algorithm (Rivest-Shamir-Adleman)

RSA is the most commonly used encryption and authentication algorithm. It’s included as part of Microsoft’s and Netscape’s Web browsers, Lotus Notes, Intuit's Quicken, and several other software products. RSA is also used by banks and governments.

Third party key distribution centers use RSA. The RSA algorithm multiplies two large prime numbers (a number divisible only by itself and 1) and, in combination with other operations, generates a set of two keys, one public and one private. The original prime numbers are then discarded.

The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), authentication also takes place with the use of the private key by the encryption of a digital certificate. Both the public and the private keys are needed for encryption/decryption, but the private key never needs to travel across the Internet. The two keys differ from one another, but each key is shared with the key distribution center. The keys are encrypted, and rules are set, using a variety of protocols. Private keys must be kept secret, and most security lapses arise here. (9)

Secure Sockets Layer (SSL)

The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol) whereby the information is broken into packets which are numbered sequentially, and include error control methods. Each packet is sent via a different route. TCP/IP reassembles the packets in their original order and resubmits packets that have errors. (10)

SSL is a method that utilizes both PKI and digital certificates to ensure privacy and authentication. The server receives the message from the client, and replies with a digital certificate. Using PKI, the server and client negotiate the creation of session keys, (symmetrical secret keys specially made for that particular communication) and communication continues with the session keys and digital certificates in place.

Where credit cards are accepted by merchants online and processed in real time, four different sets of options arise for the merchant in question:

1. Use a service bureau which is responsible for the security of all sensitive information in the transaction.

2. Use an e-Commerce merchant account but use the digital certificate supplied by the hosting company, which is a less expensive option that is acceptable for transactions with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the supplied digital certificate.

3. Use an e-Commerce merchant account, but purchase a digital certificate for the business (costing hundreds of dollars).

4. Use a merchant account, and run the business from a business-owned private server. This requires trained IT staff to maintain security, i.e.: firewalls, Kerberos (an authentication mechanism), SSL, and the digital certificate for the server (thousands to tens of thousands of dollars).

Digital Signatures

Digital signatures help ensure authentication and integrity and are used to confirm one's identity to another party, and that the data has not been altered. (They verify the origin and contents of a message.)

Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest value. The digest is then encrypted with the private key to produce a signature which is then added to the original message, and the whole package is sent to the recipient.

In this way, the recipient can be sure that the message came from the sender. The received message is decoded with the private key, and processed back through the hash function. (The message digest value remains unchanged.) Very often, the message is also time stamped by a third party agency. (11)


Digital Certificates

Digital Certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid for only a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants. Digital Certificates are sold for use with email, and for e-merchants and web-servers. Digital Certificates uniquely identify merchants, and are issued by the CA (Certification Authority, i.e.: VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. Validating the authenticity of a digital certificate can be achieved by obtaining the certification authority's public key and using it against the certificate to determine if it was actually signed by the certification authority.

Digital certificates contain the public key of the entity identified in the certificate. The certificate matches the public key to a particular individual. Because the CA guarantees the validity of the information in the certificate, digital certificates provide a solution to the problem of how to find a user's public key and know that it is valid.

For a digital certificate to be useful, it has to be understood, and easily retrieved in a reliable way. Digital certificates are standardized for this reason, so that they can be read and understood regardless of the issuer. (12)
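The RSA, digital-signature and digital-certificate mechanics described in the three sections above, as one added example that is not part of the paper: a toy CA signs a merchant certificate with its private key, and the client validates it with the CA's public key, checks the validity period and the subject name, and rejects a certificate whose body was altered after signing. The primes, the names and the JSON certificate layout are constructed assumptions for illustration, not real RSA parameters or the X.509 format.

```python
"""Toy RSA signing and certificate issuance (added example; not from the paper).

Two known Mersenne primes keep the arithmetic reproducible offline. Real RSA
uses random 1024-bit+ primes and a padding scheme (PKCS#1 v1.5 or PSS), and
real certificates are X.509 structures; both are simplified here on purpose.
"""
import hashlib
import json

# Constructed toy primes: 2^31 - 1, 2^61 - 1 and 2^19 - 1 are all prime.
CA_PRIMES = (2_147_483_647, 2_305_843_009_213_693_951)
MERCHANT_PRIMES = (2_147_483_647, 524_287)
E = 65537  # common public exponent


def keygen(p: int, q: int, e: int = E):
    """Return ((e, n), (d, n)); the primes are discarded after this step."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced below n (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signature = digest^d mod n; only the private-key holder can compute it."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public key and compare to a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


def issue_certificate(subject: str, subject_pub, valid_from: int,
                      valid_to: int, ca_private) -> dict:
    """The CA binds subject name, public key and validity period, then signs."""
    body = {"subject": subject, "e": subject_pub[0], "n": subject_pub[1],
            "valid_from": valid_from, "valid_to": valid_to}
    signature = sign(json.dumps(body, sort_keys=True).encode(), ca_private)
    return {"body": body, "signature": signature}


def validate_certificate(cert: dict, ca_public, now: int, expected: str) -> bool:
    """Check the CA signature, then the validity window, then the subject."""
    body_bytes = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(body_bytes, cert["signature"], ca_public):
        return False  # not signed by this CA, or altered after signing
    if not cert["body"]["valid_from"] <= now <= cert["body"]["valid_to"]:
        return False  # outside the validity period
    return cert["body"]["subject"] == expected  # name mismatch = impersonation


if __name__ == "__main__":
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    shop_pub, _shop_priv = keygen(*MERCHANT_PRIMES)
    cert = issue_certificate("shop.example", shop_pub, 100, 200, ca_priv)
    print(validate_certificate(cert, ca_pub, 150, "shop.example"))  # True
    cert["body"]["subject"] = "bank.example"  # tampering breaks the signature
    print(validate_certificate(cert, ca_pub, 150, "bank.example"))  # False
```

A certificate issued under any key other than the trusted CA's, such as one a merchant signs for itself, fails the first check, which is the property the rogue-CA discussion below is about.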

The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created. Website impersonation, including banking and e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness in the MD5 cryptographic hash function allowed for the creation of distinct messages with the same MD5 hash.

There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups), protection from viruses, spyware and hackers by implementing firewalls and antivirus solutions, fortifying web server and database security by researching hosting companies, verifying webpage content and customer data, tracking customers (cookies), and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud. The goal of this study was to determine whether empowering consumers with information and resources for utilization in protecting sensitive information is a necessary and relevant component of preventing identity theft, thereby lowering internet fraud.

Method:

The Method of Approach for this paper includes research, conducted via the ACM Digital Library, and IEEE/IEE Electronic Library, including professional journals, web articles, and white papers.

Responses to a pre-test, regarding the safeguarding of personal information, were collected from two groups: a random experimental group of faculty and staff that did not attend the Identity Theft Prevention class, and those that did attend. An Identity Theft Prevention professional-development class was conducted with a voluntary group of elementary school faculty and staff. A post-test was given 2 days after the class, and the results were compared between the pre and post-test of the experimental group, and also between the test results of the control group and the post-test results of the experimental group.

The pre and post-test consisted of a survey of 10 true/false questions, administered online via “QuizStar.com”. The results determined whether retention of material was exhibited 2 days after the class. Ideally the subjects would be tested again at subsequent intervals, but current scheduling of the school year as well as this course does not permit it.

A presentation and interactive class, covering the topic of safeguarding personal information, was developed and consisted of an on-line interactive quiz to identify spoofed email, a PowerPoint presentation about how to identify spoofed telephone calls, the various ways of preventing victimization, examples of credit reports and how to check for fraudulent activities, as well as steps to take if victimized, including reporting information for contacting authorities.

A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit”, was developed and provided in digital format to each participant, for future reference.


Results

Class strength: 9

Total participants: 5

Attempts allowed per student: 1

Average attempts: 1

Mean % of maximum scores obtained in all attempts: 86%

Total number of points (excluding SA/short answer questions): 100

Class highest: 90%

Class lowest: 70%

Conclusions and Future Work:

Mobile e-Commerce, along with an increase in wireless Internet applications such as mobile electronic commerce applications, will be a trial. Payment devices are rapidly developing and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper to electronic-based payment devices. The use of POS (point-of-sale) devices is increasing. These devices are the equivalent to an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment.

New methods of authenticating are being, and need to be, developed and improved, many using biometrics, including internal DNA storage and retinal scanning. (14)

Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and implementation of any e-Commerce site.


References

1. NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types

2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud

3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php

4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, E-Commerce Times, 02/25/09, http://www.ecommercetimes.com/story/66278.html

5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, Fraud Management, 09/20/10

6. Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html

7. Khusial and McKegney, e-Commerce security, IBM developerWorks, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html

8. Van Vark, J. (1997), e-Commerce and the Security Myth: The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html

9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html

10. RSA, TechTarget SearchSecurity, searchsecurity.techtarget.com, 02/02/12, http://searchsecurity.techtarget.com/definition/RSA

11. PKI, TechTarget SearchSecurity, searchsecurity.techtarget.com, 02/01/2012, 02/03/12, http://searchsecurity.techtarget.com/definition/PKI

12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D. A., MD5 considered harmful today: Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/