By: Wiji Nurastuti, SE, MT

e-commerce involves the real-time processing of business transactions with full contractual liability either on a business-to-business (B2B) or business-to-customer (B2C) basis.

Effectively it replaces business forms such as invoices, purchase orders, checks and so forth with electronic transmissions.

Degrees of implementation may vary from the basic reception of a transmission on a microcomputer and printing it, to complex management of “distribution pipelines” integrating accounting and operational systems and effectively replacing paper audit trails with electronic signals.

Page 3

EDI is not electronic mail, fax, or videotext, although all of these may have a part in the overall network. To function effectively, EDI requires three primary components:
• A standard format: a common language spoken between trading partners
• Translation software performing file conversions from internal application formats to the standard format and back
• A data communications link providing information transport capabilities

EDI is now in use by a wide variety of companies worldwide, covering all market sectors including:
• Manufacturing
• Shipping
• Construction
• Transport
• Finance
• Retail

Page 4

The benefits of successful e-commerce implementation in an organization include:
• Reduced transaction costs and greater productivity
• Service availability 24 hours a day, 7 days a week
• Opportunities for fundamental reform of how organizations and their supply chains communicate and work with business
• Opportunities for local business to grow and compete in the global marketplace

Page 5

Fraud is a highly publicized risk in an e-commerce environment. Because of its global impact, fraud can be perpetrated either by a staff member within the firewalls or by anonymous parties in a foreign country using the Web as a tool, and includes such activities as:
• Unauthorized movement of money, such as payment to fictitious suppliers located in jurisdictions where recovery of money will be difficult
• Corruption of the electronic ordering or invoicing
• Duplication of payment
• Repudiation of a transaction at either end

Page 6

• Suppliers not being paid for goods and services delivered
• Agencies not receiving services/goods already paid for
• Denying receipt of goods

Page 7

For e-commerce to be successful, information about an organization or individual needs to be made available to other participants in the trading community. This can put information at risk, such as:
• Services and prices, which are not normally provided to the general public
• Cost structures, particularly relating to tenders
• Catalogs of technical details, prices or discounts offered
• Individuals’ information such as name, address, contact details, previous purchases, services provided, and activity (such as criminal or medical). This, in turn, may lead to inadvertent breaches of privacy legislation.

Public confidence may be adversely impacted if information is accessed without due authorization.

Page 8

Proper authentication is a critical component of an e-commerce transaction because, once a party has been accepted into the systems, a legally binding transaction process has begun. The risk will therefore involve creating liability for a party by, for example:
• Creation of fictitious suppliers (“masquerade”); for example, an agency believes it is dealing with its supplier when in fact it is dealing with a hacker in a foreign jurisdiction
• Unauthorized ordering or approving of a transaction
• Corruption of the list of agreed suppliers

Page 9

The commonly held view is that risks involve activities that can be performed remotely through Web resources.

Corruption may be accidental or malicious and could result in:
• Amending catalogs without authorization (advertising, reporting, approval)
• Destruction of the audit trail
• Tampering with the ordering process
• Interrupting the recording of transactions
• Disrupting online tendering

Page 10

Business interruption is considered a key risk; if companies cannot promptly and adequately resume business after a crisis, there may be legal liabilities because services/goods were not delivered or payments were not made.

From an auditability point of view, the way in which we must approach our audit of these systems changes dramatically, because the loss of source documents removes a large part of the auditor's evidence of:
• Authorization and execution
• Completeness
• Single processing of transactions
• Capability of batching transactions

Page 11

At present, payment transmission as a form of EDI is one of the major growth areas. Utilization of this form of EDI involves mutual trust in systems between trading partners as well as a comprehensive data security policy, because a failure of security in one partner may lead to uncontrolled risk in others.

Third-party service providers are also a new source of potential risk, including risks such as:
• Disclosure of confidential information
• Loss of transactions en route
• Loss of the network at the service provider’s site
• Loss of audit trails when going intra-network
• Due to the risk of the “domino effect,” failures of applications can have a major impact not only on the host site but on all trading partners

Page 12

Risk factors may be unique to each organization and must be determined by a risk assessment. This must cover:
• Inherent risk. The gross risk of a specific threat, ignoring risk reduction elements. It becomes an informed, subjective evaluation of maximum risk.
• Control risk. That portion of inherent risk not covered by a single control element; that is, the net exposure after a given control is accounted for.
• Control structure risk. An informed, subjective evaluation of the maximum potential net exposure after assessing the full control structure.

In identifying threats, a threat itself is an event that will result in direct damage unless averted or mitigated by controls. These should be identified by a mixed-discipline team consisting of:
• System or users
• Information systems staff
• Auditors

Page 13

The initial threat list should be developed by the design team at the system proposal stage and modified constantly during system design. Typical threats could include (although are not limited to):
• Manipulation of input by an authorized user
• An outsider accessing messages in transit and amending them
• Message adulteration resulting in an overstatement of a transaction
• Loss of a transaction
• Duplication of a transaction

Indicators are therefore required to detect:
• Circumstances leading to new threats
• Elimination of previously identified threats
• Conditions influencing the severity of previously identified threats (inherent risk)
• Conditions influencing the control structure risk associated with the threat
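The threats listed here (messages amended in transit, adulterated amounts, lost and duplicated transactions) and the duplicated-payment fraud on page 5 are the kind of thing a receiving partner's indicators should catch automatically. The following is an added illustration, not code from the slides: it assumes a hypothetical per-partner shared key, a sequence number and a unique transaction id on every message, and uses an HMAC tag for integrity, sequence gaps for loss, and seen transaction ids for duplicates.

```python
import hashlib
import hmac
import json

# Constructed example key; each pair of trading partners would share its own.
SHARED_KEY = b"constructed-example-partner-key"

def _tag(seq, tx_id, payload, key):
    """HMAC-SHA256 over the canonical (sorted-key JSON) form of the message."""
    body = json.dumps({"seq": seq, "tx_id": tx_id, "payload": payload}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def sign_message(seq, tx_id, payload, key=SHARED_KEY):
    """Sender side: attach a sequence number, a unique transaction id and a tag."""
    return {"seq": seq, "tx_id": tx_id, "payload": payload,
            "tag": _tag(seq, tx_id, payload, key)}

def check_messages(messages, key=SHARED_KEY):
    """Receiver side: return (seq, finding) pairs, where finding is
    "tampered" (amended in transit), "gap" (lost) or "duplicate" (replayed)."""
    findings = []
    seen_ids = set()
    expected_seq = 1
    for m in messages:
        # Tag mismatch: message amended or adulterated after the partner signed it.
        if not hmac.compare_digest(_tag(m["seq"], m["tx_id"], m["payload"], key), m["tag"]):
            findings.append((m["seq"], "tampered"))
        # Sequence number skipped: at least one transaction was lost en route.
        if m["seq"] > expected_seq:
            findings.append((m["seq"], "gap"))
        # Transaction id already processed: a duplicated transaction means a duplicated payment.
        if m["tx_id"] in seen_ids:
            findings.append((m["seq"], "duplicate"))
        seen_ids.add(m["tx_id"])
        expected_seq = max(expected_seq, m["seq"] + 1)
    return findings

def sample_stream():
    """Constructed purchase-order stream exhibiting each threat once."""
    msgs = [sign_message(1, "PO-1001", {"supplier": "ACME", "amount": 1200}),
            sign_message(2, "PO-1002", {"supplier": "ACME", "amount": 350})]
    msgs.append(dict(msgs[1]))                                    # replay of PO-1002
    altered = sign_message(3, "PO-1003", {"supplier": "ACME", "amount": 90})
    altered["payload"] = {"supplier": "ACME", "amount": 9000}     # overstated after signing
    msgs.append(altered)
    msgs.append(sign_message(5, "PO-1005", {"supplier": "ACME", "amount": 40}))  # seq 4 lost
    return msgs
```

Running `check_messages(sample_stream())` reports the replayed order as a duplicate, the altered order as tampered, and the jump from sequence 3 to 5 as a gap; a sequence number alone would not expose the replay, which is why both the counter and the transaction id are checked.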

Page 14

The overall need for security technology and the application thereof will be determined largely by the nature of risks to the system itself.

Page 15

The most common model used for EDI is probably the ISO/OSI Seven Layer model:
• Physical. Specifies the mechanical and electrical circuits
• Data Link. Specification to move through physical links
• Network. Routing and relaying through the data links

Page 16

Kevin Mandia and Chris Prosise: Incident Response: Investigating Computer Crime, Berkeley, California: Osborne/McGraw-Hill, 2001, pp. 16-17