Information Security Seminar
IT 6873
E-Commerce Security:
Preventing Fraud
By preventing
Identity Theft
Diane M. Duhé Metcalf
May 6, 2012
Project Summary: E-Commerce is a relatively new way of doing business. Over the last several years, it
has become a convenient, trusted, accepted and often less expensive way to purchase
goods and services. As E-business continues to grow, the potential for exposure to
threats also increases. As the threats become more damaging and/or widespread,
“security” becomes critical in preventing fraud. There are many types of security already
in place; however, most internet credit card fraud occurs when an e-Commerce
merchant is unaware that an order was not placed by, and will not be paid for by, the
authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information
was gained illegally and used to order merchandise or services via the internet under a
false name.
This paper concentrates on the area of internet fraud called “Identity Theft”. It focuses
on the responsibility of the individual cardholder in preventing or reducing fraud. It
demonstrates that educating and empowering consumers has the ability to decrease
internet/e-Commerce fraud by way of reducing identity theft.
Conducting an Identity Theft Prevention class with a group of elementary school faculty
and staff was the method used in this study.
I had expected to gain knowledge, as well as a realistic perspective, regarding the
nature and the best implementation of E-Commerce Security in regard to internet
fraud.
Introduction
What is Internet fraud?
Internet fraud is a type of cybercrime in which fraudulent transactions are committed by
using deception. The National Consumer League's Fraud Center lists 25 different
scams currently making the rounds on the Internet including these types of internet
fraud:
Advance fee (Nigerian letter scam)
Business or employment scams
Counterfeit checks
Credit or debit card fraud
Identity theft
Freight forwarding or reshipping
Investment schemes
Non-delivery of goods/services
Online auction and other sales
Phony escrow
Pyramid or “Ponzi” schemes (fraudulent investment operations) (1)
Many scams are variations of the same scams that existed before the Internet. The
only difference is that Internet scammers utilize email, chat, forums and false websites
instead of more traditional methods such as telephone and US mail. (2)
Internet credit card fraud occurs when an e-Commerce merchant is unaware that an
order that was placed was not placed by, and will not be paid for by, the authentic
cardholder. (3) Typically, with e-commerce fraud, credit card information was gained
illegally and used to order merchandise or services via the internet under a false
name. (It is much easier to commit credit card fraud via an e-commerce transaction than
it is to do in person.) When the real cardholder receives the statement from the issuing
bank and reports the fraud, a chargeback must be issued by the merchant. This means
that the merchant refunds all the expenses and pays an additional fee. (4)
Identity thieves gain access to consumers' information by stealing checks, bank
statements, wallets/purses, or by proffering a phony offer via phone or email. More
recently, the more common ways of obtaining sensitive information are to create
imitation but realistic-looking bank or merchant websites, or to send emails that request
security information from the consumer by instructing them to click on a link and input
their personal information. The information is then used to steal their identity in order to
access their bank accounts, obtain loans, or use their credit cards.
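The “click on a link and input your personal information” pattern described above can be screened for mechanically before a reader acts on it. The following is an added example, not code from the paper: it parses an HTML e-mail body, and flags any link whose visible text names one host while the href points at another, as well as any link that is not HTTPS. The sample message and all domain names in it are constructed placeholders.

```python
"""Flag links in an HTML e-mail whose visible text does not match the real target.

Added example (constructed, not from the paper). The two checks are the ones a
consumer is taught to do by eye: does the text I see point where the link really
goes, and is the destination HTTPS?
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches visible link text that looks like a URL or bare host name.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)

# Constructed sample phishing body; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """<p>Dear customer, your account has been limited.</p>
<p>Please sign in at <a href="http://example-bank.com.verify-login.example/">https://www.example-bank.com/secure</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>"""


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_part(host):
    """Crude registrable domain: the last two labels (enough for this toy check)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body):
    """Return a list of (reason, visible_text, href) for links worth warning about."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, relative and other links are out of scope here
        if target.scheme != "https":
            findings.append(("link is not HTTPS", text, href))
        shown = HOST_RE.match(text)
        if shown and registrable_part(shown.group(1)) != registrable_part(target.hostname or ""):
            findings.append(("visible host differs from link target", text, href))
    return findings


if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed sample, the first link is reported twice (plain HTTP, and a visible host that differs from the real target) while the help-centre link passes. The last-two-labels rule for the registrable domain is a deliberate simplification; a production checker would use the public suffix list.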
Merchants who accept credit cards online are subject to additional examination and
processes in the ongoing effort of protecting credit card information. Online merchants
are also subject to:
-higher transaction fees to offset the cost of security
-more stringent shipping requirements
-paying the cost of becoming and staying PCI compliant
The merchant is held responsible for any accepted fraudulent transaction.
Through the issuance of the “Red Flags rule” and “Red Flags guidelines” for financial
institutions, our government has provided a means of protecting consumers from
identity theft. Legislation requires merchant compliance, and this compliance helps to
foster trust-based relationships. (5)
Objective
“Security” is no longer about keeping “just” networks, or individual computer systems,
protected. Today, “security” is considered to be a legitimate business strategy,
protecting the business as a whole. Security is not merely a collection of “features”. It is
a system process whereby the weakest link in the security chain establishes the level of
security for the entire system. (6) Oftentimes, even when the security technology works
seamlessly, utilizing multiple aspects of layered technology, including those offered by
credit card issuers, fraud still takes place. This is due to the consumer being the
weakest link in the chain!
“Security” is not just for businesses or merchants; rather, individual consumers need to
understand the concept of security as it pertains to e-commerce, and to take personal
responsibility for their role in the protection of their data and the prevention of fraud.
Existing Issues
Privacy: information must be kept safe from unauthorized access.
Integrity: information must not be altered or tampered with.
Authentication: sender and recipient must prove their identities to each other.
Non-repudiation: proof is needed that the message was actually received.
The vulnerability of a system exists at these entry and exit points:
Shopper’s computer
Network connection
Website’s server
Software Vendor
There are at least 3 transactions whereby sensitive information is vulnerable during an e-Commerce purchasing transaction: (7)
1. Credit card information supplied by the customer. Handled by the server's SSL and the merchant/server's digital certificates.
2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway.
3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and payment gateway.
Privacy: information must be kept safe from unauthorized access. This issue is currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.
Integrity: information must not be altered or tampered with. Maintaining the integrity of information is achieved by using digital signatures. The use of digital signatures meets the need for both authentication and integrity.
Authentication: sender and recipient must prove their identities to each other. To verify that a website receiving sensitive information is actually the intended website (not an impostor), a digital certificate is employed.
Non-repudiation: proof that the message was actually received.
State-of-the-art research/methodologies
PKI
A PKI (public key infrastructure) consists of:
A certificate authority (CA) that issues and verifies a digital certificate. The certificate includes the public key and/or information about the public key
A registration authority (RA) that verifies the certificate authority before a digital certificate is issued to the requestor
Directories where the certificates and their public keys are held
A certificate management system
PKI enables users of an unsecure public network (i.e. the Internet) to securely and privately exchange data and/or currency by using public and private cryptographic key pairs that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identify an individual or an organization, and also provides directory services that store and, if necessary, revoke the certificate. (8) PKI automates the process of verifying a certificate's validity. It provides the ability to publish, manage, and use public keys easily.
RSA algorithm (Rivest-Shamir-Adleman)
RSA is the most commonly used encryption and authentication algorithm. It's included as part of Microsoft's and Netscape's Web browsers, Lotus Notes, Intuit's Quicken, and several other software products. RSA is also used by banks and governments.
Third party key distribution centers use RSA. The RSA algorithm multiplies two large prime numbers (a number divisible only by itself and 1) and, in combination with other operations, generates a set of two keys, one public and one private. The original prime numbers are then discarded.
The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), authentication also takes place with the use of the private key by the encryption of a digital certificate. Both the public and the private keys are needed for encryption/decryption, but the private key never needs to travel across the Internet. The two keys differ from one another, but each key is shared with the key distribution center. The keys are encrypted, and rules are set, using a variety of protocols. Private keys must be kept secret, and most security lapses arise here. (9)
Secure Socket Layers (SSL)
The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol) whereby the information is broken into packets which are numbered sequentially, and include error control methods. Each packet is sent via a
different route. TCP/IP reassembles the packets in their original order and resubmits packets that have errors. (10)
SSL is a method that utilizes both PKI and digital certificates to ensure privacy and authentication. The server receives the message from the client, and replies with a digital certificate. Using PKI, the server and client negotiate the creation of session keys, (symmetrical secret keys specially made for that particular communication) and communication continues with the session keys and digital certificates in place.
Where credit cards are accepted by merchants online and processed in real time, four
different sets of options arise for the merchant in question:
1. Use a service bureau which is responsible for the security of all sensitive information
in the transaction
2. Use an e-Commerce merchant account but use the digital certificate supplied by the
hosting company which is a less expensive option that is acceptable for transactions
with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the
supplied digital certificate.
3. Use an e-Commerce merchant account, but purchase a digital certificate for the
business (costing hundreds of dollars).
4. Use a merchant account, and run the business from a business-owned private
server. Requires trained IT staff to maintain security, i.e.: firewalls, Kerberos (an
authentication mechanism), SSL, and the digital certificate for the server (thousands to
tens of thousands of dollars).
Digital Signatures
Digital signatures help ensure authentication and integrity and are used to confirm one's identity to another party, and that the data has not been altered. (They verify the origin and contents of a message.)
Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest value. The digest is then encrypted with the private key to produce a signature which is then added to the original message, and the whole package is sent to the recipient.
In this way, the recipient can be sure that the message came from the sender. The received message is decoded with the private key and processed back through the hash function. (The message digest value remains unchanged.) Very often, the message is also time stamped by a third party agency. (11)
Digital Certificates
Digital Certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid for only a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants. Digital Certificates are sold for use with email, and for e-merchants and web-servers. Digital Certificates uniquely identify merchants, and are issued by the CA (Certification Authority, e.g. VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. Validating the authenticity of a digital certificate can be achieved by obtaining the certification authority's public key and using it against the certificate to determine whether it was actually signed by the certification authority.
Digital certificates contain the public key of the entity identified in the certificate. The certificate matches the public key to a particular individual. Because the CA guarantees the validity of the information in the certificate, digital certificates provide a solution to the problem of how to find a user's public key and know that it is valid.
For a digital certificate to be useful, it has to be understood, and easily retrieved in a reliable way. Digital certificates are standardized for this reason, so that they can be read and understood regardless of the issuer. (12)
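The RSA, Digital Signatures and Digital Certificates sections above describe one mechanism from three angles. The following added example (not the paper's own code; all names, primes and dates are constructed) carries it through in Python: a key pair generated from two primes, a signature produced by hashing the message and applying the private key to the digest, verification of that signature with the signer's public key, and a certificate whose fields are signed by a CA and then checked with the CA's public key, including its validity period. It is textbook RSA with no padding and a modulus far smaller than the 2048-bit minimum used in practice, so it illustrates the arithmetic only.

```python
"""Toy RSA key pair, digital signature and certificate check (constructed example)."""
import hashlib
import json

# Constructed sample primes (Mersenne primes, so no primality test is needed here).
# Real keys use random primes of 1024 bits or more; these are for the arithmetic only.
CA_PRIMES = (2**521 - 1, 2**127 - 1)
MERCHANT_PRIMES = (2**607 - 1, 2**89 - 1)


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)). Once d is known the primes are no longer needed."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """SHA-256 digest of the message as an integer (n must be larger than 2**256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Hash the message, then apply the private exponent to the digest."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public exponent and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def encrypt(plain_int: int, public_key) -> int:
    """Privacy direction: anyone holding the public key can encrypt."""
    n, e = public_key
    return pow(plain_int, e, n)


def decrypt(cipher_int: int, private_key) -> int:
    """Only the private key holder can recover the plaintext."""
    n, d = private_key
    return pow(cipher_int, d, n)


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, subject_public_key, issuer, ca_private_key,
                      not_before, not_after):
    """The CA binds a name to a public key by signing the fields with its private key."""
    fields = {"subject": subject, "issuer": issuer,
              "public_key": list(subject_public_key),
              "not_before": not_before, "not_after": not_after}
    return {"fields": fields, "signature": sign(canonical(fields), ca_private_key)}


def validate_certificate(cert, ca_public_key, expected_issuer, today):
    """Check issuer name, CA signature and validity window (ISO dates compare as text)."""
    fields = cert["fields"]
    if fields["issuer"] != expected_issuer:
        return False, "unexpected issuer"
    if not verify(canonical(fields), cert["signature"], ca_public_key):
        return False, "signature does not verify under the CA public key"
    if not fields["not_before"] <= today <= fields["not_after"]:
        return False, "outside validity period"
    return True, "ok"


def demo():
    """Run the whole flow on constructed data and return the outcomes."""
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    shop_pub, shop_priv = generate_keypair(*MERCHANT_PRIMES)
    cert = issue_certificate("shop.example", shop_pub, "Toy CA", ca_priv,
                             "2012-01-01", "2013-01-01")
    order = b"order 1234: 1 item, total 49.99"
    sig = sign(order, shop_priv)
    # A copy of the certificate with the subject changed: the CA signature no longer fits.
    forged = {"fields": dict(cert["fields"], subject="evil.example"),
              "signature": cert["signature"]}
    return {
        "cert_ok": validate_certificate(cert, ca_pub, "Toy CA", "2012-05-06"),
        "cert_expired": validate_certificate(cert, ca_pub, "Toy CA", "2014-01-01"),
        "cert_forged": validate_certificate(forged, ca_pub, "Toy CA", "2012-05-06"),
        "order_ok": verify(order, sig, tuple(cert["fields"]["public_key"])),
        "tampered_order_ok": verify(order + b"9", sig, shop_pub),
        "secret_roundtrip": decrypt(encrypt(4111, shop_pub), shop_priv) == 4111,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the prose does not spell out are visible in the code: the verifier needs only the signer's public key (it is the merchant's public key, taken from the certificate, that checks the order signature, and the CA's public key that checks the certificate itself), and changing a single byte of either the order or the certificate fields makes verification fail, which is the integrity property. Real certificates also carry a revocation check, which the directory services mentioned in the PKI section exist to serve.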
The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created. Website impersonation, including banking and e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness in the MD5 cryptographic hash function allowed for the creation of unique messages with the same MD5 hash.
There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups); protecting against viruses, spyware and hackers by implementing firewalls and antivirus solutions; fortifying web server and database security by researching hosting companies; verifying webpage content and customer data; tracking customers (cookies); and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud. The goal of this study was to determine whether empowering consumers with information and resources for use in protecting sensitive information is a
necessary and relevant component of preventing identity theft, thereby lowering internet fraud.
Method:
The Method of Approach for this paper includes research, conducted via the ACM
Digital Library, and IEEE/IEE Electronic Library, including professional journals, web
articles, and white papers.
Responses to a pre-test, regarding the safeguarding of personal information, were
collected from two groups: a random experimental group of faculty and staff that did not
attend the Identity Theft Prevention class, and those that did attend. An Identity Theft
Prevention professional-development class was conducted with a voluntary group of
elementary school faculty and staff. A post-test was given 2 days after the class, and
the results were compared between the pre and post-test of the experimental group,
and also between the test results of the control group and the post-test results of the
experimental group.
The pre and post-test consisted of a survey of 10 true/false questions, administered
online via “QuizStar.com”. The results determined whether retention of material was
exhibited 2 days after the class. Ideally the subjects would be tested again at
subsequent intervals, but current scheduling of the school year as well as this course,
does not permit it.
A presentation and interactive class, covering the topic of safeguarding personal
information, was developed. It consisted of an online interactive quiz to identify spoofed
email, a PowerPoint presentation about how to identify spoofed telephone calls, the
various ways of preventing victimization, examples of credit reports and how to check
them for fraudulent activity, as well as steps to take if victimized, including contact
information for reporting to the authorities.
A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit” was
developed, and was provided in digital format to each participant, for future reference.
Results
Class Strength: 9
Total Participants: 5
Attempts Allowed per Student: 1
Average Attempts: 1
Mean % of Maximum Scores obtained in all attempts: 86%
Total number of points (excluding Short Answer questions): 100
Class Highest: 90%
Class Lowest: 70%
Conclusions and Future Work: Mobile e-Commerce, along with the increase in wireless Internet applications such as mobile electronic commerce applications, will be a trial. Payment devices are developing rapidly and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper-based to electronic payment devices. The use of POS (point-of-sale) devices is increasing. These devices are the equivalent of an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment.
New methods of authentication are being developed, and need to be developed further and improved,
many using biometrics, including internal DNA storage and retinal scanning. (14)
Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and implementation of any e-Commerce site.
References
1. NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types
2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud
3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php
4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, 02/25/09, E-Commerce Times, http://www.ecommercetimes.com/story/66278.html
5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, 09/20/10, Fraud Management
6. Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html
7. Khusial and McKegney, IBM developerWorks, e-Commerce security, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
8. Van Vark, J. (1997), e-Commerce and the Security Myth: The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html
9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html
10. RSA, TechTarget SearchSecurity, 02/02/12, http://searchsecurity.techtarget.com/definition/RSA
11. PKI, TechTarget SearchSecurity, 02/01/2012, 02/03/12, http://searchsecurity.techtarget.com/definition/PKI
12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D. A., MD5 considered harmful today: Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/
13. Oracle ThinkQuest, Use of Data Encryption in Today's Context: E-commerce, library.thinkquest.org, 02/09/12, http://library.thinkquest.org/27158/today1_2.html
14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12, http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false