
11.1 STOPPING E-COMMERCE CRIMES

Why can't we stop these criminals? One reason is that strong EC security makes online
shopping inconvenient and demanding for customers. The EC industry does not want to
enforce safeguards that add friction to the profitable wheels of online commerce. It is
possible, for example, to demand passwords or PINs for all credit card transactions, but
that could discourage or prevent customers from completing their purchases. It is also
possible to demand delivery only to the billing address of a credit card, but that would
eliminate an important convenience for gift senders. In EC transactions, new and better
ways of authenticating legitimate customers and identifying fraudsters could complement
user names and passwords, but they increase transaction costs and time.

A second reason is the lack of cooperation from credit card issuers and foreign ISPs.
There are insufficient incentives for credit card issuers to share leads on criminal activity
with each other or with law enforcement. It is much cheaper to block a stolen card and move on
than to invest time and money in a prosecution with an uncertain outcome. While in the
past not disclosing breaches or attacks might have protected a company's reputation,
today's laws requiring full disclosure when personal data has been compromised make it
difficult to keep an attack secret.

Most foreign ISPs have no incentive to cooperate. If the source ISP would cooperate
and suspend the hacker's access, it would be very difficult for hackers to do what they do. The
hacker would not be able to hack from the comfort of home because that address
would be blacklisted by the ISP.

Consider this scenario, which shows the importance of cooperation. A hacker
compromises an EC Web site's database and extracts all the credit card numbers. The
hacker uses those numbers to order services, such as Web hosting and domains, via the
Internet. In turn, those services are used for even more malicious activity, primarily for
phishing or to host hacking exploit tools. Most U.S. Web hosting providers log all activity, so
in most cases they can identify the source IP address and source ISP, with timestamps and
other identifying information. In addition, most ISPs throughout the world log, or have the
capability to log, which customer is or was using a given IP address on a given day and time.

However, requiring stronger EC standards and information sharing by the credit card
companies would not by itself fix the problem. Many cybercriminals, especially ones that do not
reside in a G8 nation, do not need to worry about prosecution by their government or
even suspension by their ISP. (The Group of Eight [G8] is an international forum for the
governments of Canada, France, Germany, Italy, Japan, Russia, the United Kingdom, and the
United States.) This situation helps explain why a huge majority of hackers (some
estimate about 95%) reside in Turkey, China, Romania, or Brazil.

The third reason pertains to customers. Online shoppers are to blame for not taking the
necessary precautions to avoid becoming victims. Some shoppers rely too heavily on the fraud
protection provided by credit card issuers, ignoring the bigger risk of identity theft. Phishing
is rampant because some people respond to it, making it profitable. While phishing gets
most of the media attention, there are equally dangerous risks that users expose
themselves to by using debit cards on online gambling sites or revealing themselves in
online communities like MySpace (myspace.com), Facebook (facebook.com), and France's
Skyblog (skyblog.com). Personal information posted on these sites is used for identity theft
or to infect users' PCs with malware, converting them into zombie computers, or zombies,
for launching attacks or sending e-mail spam. The vast majority of spam is relayed by
zombies because it allows spammers to avoid detection and save bandwidth costs by using
the PCs of others (Sophos 2006).

A fourth reason arises from IS design and security architecture issues. It is well known
that preventing vulnerabilities during the EC design and preimplementation stage is far less
expensive than mitigating problems later. The IS staff needs to plan security from the design
stage because simple mistakes, such as not ensuring that all traffic into and out of a network
passes through a firewall, are often to blame for letting in hackers. If companies don't invest
the resources needed to ensure that their applications are secure, they may as well forget
about security elsewhere on the Web site. Security needs to be built into an EC site from the
very beginning, and also into the application level. Protection can be added later, but if it has
not been built into the server application level, it may be impossible to block some types of
attack. Sophisticated hackers do not use browsers to crack into Web sites, but rather use
toolkits to gain access to networks or applications and ultimately get into the databases behind
them.

Previously, it was thought that if a front-end application, such as a Web site, was
secured, then the data itself would be secured, but that's not true, because sometimes
applications do not function as planned or expected. Web applications that provide access
to back-end databases or banking applications can provide an attack vector. Since Web
applications can expose critical systems to threats from internal and external sources,
application firewalls are needed. Application firewalls are specialized tools designed to
increase the security of Web applications by inspecting the requests they receive.

There's no doubt that Web applications are attackers' target of choice and that every
component in an EC application is subject to some sort of security threat.

The final reason is the lack of due care in business or hiring practices, outsourcing,
and business partnerships. The standard of due care comes from the law and is also known
as the duty to exercise reasonable care. Due care in EC is the care that a company is
reasonably expected to take based on the risks affecting its EC business and online
transactions. If managers ignore the standard of due care in business practices, hire
criminals, outsource to fraudulent vendors, or partner with unsecured companies, they
put their EC business and confidential data at risk, exposing themselves to legal problems.
Those problems include violating laws like the Foreign Corrupt Practices Act (FCPA) and the
Sarbanes-Oxley Act, facing lawsuits and fines from regulators such as the FTC and the
Securities and Exchange Commission (SEC), and not following industry-specific standards,
such as the PCI standard and the Discover Card standard. See Online File W11.1 for a discussion of the
impacts on ChoicePoint of its negligence in not following reasonable information security
and privacy practices. For a description of the PCI standard and its requirements, see
pcistandard.com.

No one really knows the true impact of online security breaches because only 20% of
businesses report computer intrusions to legal authorities, according to the FBI (2005) and
the Computer Security Institute (CSI, gocsi.com). See the Center for Public Policy and Private
Enterprise (2005) for the full report of the 2005 CSI/FBI Computer Crime and Security Survey. It is
the annual security survey of U.S. corporations, government agencies, financial and medical
institutions, and universities conducted jointly by the FBI and the Computer Security
Institute. Highlights from that Tenth Annual CSI/FBI Computer Crime and Security Survey,
which was based on responses from 700 U.S. corporations, government agencies, financial
and medical institutions, and universities, include the following:

1. Total financial losses from attacks have declined dramatically. They were down 61 percent
on a per-respondent basis from 2004 but were still a reported $130 million. Of the types
of attacks:
Virus attacks ranked first.
Unauthorized access ranked second.
Theft of proprietary information ranked third.
Denial of service (DoS) attacks ranked a distant fourth.
2. Attacks on computer systems, or (detected) misuse of these systems, have been slowly but
steadily decreasing in all areas. The one exception was a slight increase in the abuse of
wireless networks.
3. Defacements of Internet Web sites have increased dramatically. Ninety-five percent of
organizations experienced more than 10 Web site incidents in 2004.
4. Inside jobs occur about as often as external attacks. The lesson is to anticipate attacks
from current and former employees as well as from outside hackers.
5. Organizations largely defend their systems through firewalls, antivirus software,
intrusion detection systems, and server-based access control lists. The use of smart cards
and other one-time password tokens increased, while use of intrusion prevention systems
decreased.
6. More organizations are conducting security audits to serve as a baseline for a meaningful
security program. Eighty-seven percent had conducted security audits, possibly in
response to regulatory or insurance mandates.
7. Computer security investments per employee vary widely. State governments had the
highest investments at $497 per employee, followed in descending order by
utilities, transportation, telecommunications, manufacturing, high-tech, and the federal
government. For the federal government, the investment was $49 per employee.

Every EC business knows that the threats of bogus credit card purchases, data breaches,
phishing, malware, and pretexting never end, and that these threats must be addressed
comprehensively and strategically. We cannot expect an end to the majority of cybercrime
until there are international Internet laws that have teeth and an international task force to
enforce them.

11.2 E-COMMERCE SECURITY STRATEGY AND LIFE CYCLE APPROACH

EC security is an evolving discipline. Threats change, e-business needs change, and Web-
based technologies that provide greater service change, and so must the methods to defend
against those threats. Information security departments with big workloads and small
budgets are not able to optimize their EC security programs for efficiency. Endless worms,
spyware, data privacy vulnerabilities, and other crises keep them working reactively rather
than strategically, and they address security concerns according to attackers' schedules
instead of their own. As a result, their security costs and efforts from reacting to crises and
paying for damages are greater than they would be with an EC security strategy. The underlying
reasons why a comprehensive EC security strategy is needed are discussed next.

THE INTERNET'S VULNERABLE DESIGN

There are still many Internet-design problems that become EC problems. Consider the
following cases and reports.

In 2006, the Web sites of three Florida banks, Premier Bank, Wakulla Bank, and
Capital City Bank, were hacked in an attack that security experts described as the
first of its kind. Hackers broke into the servers of the ISP hosting the three banks' sites
and redirected their traffic to a bogus server to steal credit card numbers, PINs, and
other personal information about the banks' customers. Though the scam affected
fewer than 20 customers, the ability of fraudsters to link a bogus server to a
legitimate Web site was an alarming development.

In January 2007, a worm attack that started in Europe quickly spread across the
globe. The Small.Dam worm was dubbed Storm because it referenced a major storm
in Europe in its subject line. In addition to propagating spam, this malware installed
Trojans that created back doors into systems that could be exploited by future
attacks. Experts forecast a huge increase in spam because the Storm worm sent
out six separate waves containing hundreds of thousands of e-mails within days.
Storm was distributed to set up a network of infected zombie computers to be used to
launch massive spam campaigns (Prince 2007).

E-mail security firm Commtouch Software (commtouch.com) named 2006 the Year of
the Zombies. According to its 2006 report, remote-controlled
zombies can number up to 8 million hosts globally on a given day. Zombies were
responsible for increasing the volume of spam by 30% in 2006.

On January 25, 2007, Internet security company Symantec elevated
Trojan.Peacomm from a category 2 (out of 5) to a category 3 threat because of the
speed and volume at which it was aggressively spammed across the Internet.
Trojan.Peacomm was first detected on January 17, 2007. Its threat level was raised to
a higher category after a sustained increase in new versions of the attack. The author
of Trojan.Peacomm had responded to the defensive efforts of security companies by
adjusting his tactics to overcome the new defenses meant to stop the malware.

THE SHIFT TO PROFIT-MOTIVATED CRIMES

In the early days of e-commerce, many hackers simply wanted to gain fame or notoriety by
defacing Web sites or gaining root, that is, root (administrative) access to a network. As the
Trojan.Peacomm and other malware attacks illustrate, criminals are now profit-oriented, and
there are many more of them. And their tactics are not limited to the cyberworld.

TREATING EC SECURITY AS A PROJECT

EC security programs have a life cycle, and throughout that life cycle the EC security
requirements must be continuously evaluated and adjusted. An EC security program is the
set of controls over security processes that protect organizational assets. There are four high-
level stages in the life cycle of an EC security program:

1. Planning and organizing
2. Implementation
3. Operations and maintenance
4. Monitoring and evaluating

Organizations that do not follow such a life cycle approach in developing,
implementing, and maintaining their security management program usually:

Do not have policies and procedures that are linked to or supported by security
activities
Suffer disconnects, confusion, and gaps in responsibilities for protecting assets
Lack methods to fully identify, understand, and improve deficiencies in the security
program
Lack methods to verify compliance with regulations, laws, or policies
Have to rely on patches, hotfixes, and service packs because they lack a holistic EC
security approach.

A patch is a program that makes needed changes to software that is already installed on a
computer. Software companies issue patches to fix bugs in their programs, to address
security problems, or to add functionality. A hotfix is Microsoft's name for a patch. Microsoft
bundles hotfixes into service packs for easier installation. Service packs are the means by which
product updates are distributed. Service packs may contain updates for system reliability,
program compatibility, security, and more. For information about what particular Microsoft
service packs contain and how to obtain them, visit support.microsoft.com/sp. Other
companies have adopted Microsoft's nomenclature of hotfixes and service packs for updates
to their own software.

If a life cycle approach is not used to maintain an EC security program, an organization is
doomed to treating security as a project. Projects have a starting date and an ending date, at
which time the resources and the project team are reallocated to other projects. A project
approach results in a lot of repetitive work that costs much more than a life cycle approach
and yields diminishing results.

IGNORING EC SECURITY BEST PRACTICES

Many companies of all sizes fail to implement basic IT security management best practices,
business continuity plans, and disaster recovery plans. In its fourth annual study on
information security and the workforce, released in 2006, the Computing Technology
Industry Association (CompTIA), a nonprofit trade group, said human error was responsible
for nearly 60% of information security breaches in organizations in 2005, up from 47% the
year before (CompTIA 2006). Yet despite the known role of human behavior in information
security breaches, only 29% of the 574 government, IT, financial, and educational
organizations surveyed worldwide had mandatory security training. Only 36% offered end-
user security awareness training.

In the next section, you will learn the fundamentals of a reasonable EC security strategy,
which is based on the IA model.

11.3 INFORMATION ASSURANCE

Recall that IA is the protection of information systems against unauthorized access to or
modification of information that is stored, processed, or being sent over a network. The
importance of the IA model to EC is that it represents the processes for protecting
information by ensuring its confidentiality, integrity, and availability. This model is referred to
as the CIA security triad, or simply the CIA triad, and is typically diagrammed as shown in
Exhibit 11.2.

CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY

The success and security of EC depend on the confidentiality, integrity, and availability of
information and business Web sites.

1. Confidentiality is the assurance of data privacy. The data or transmitted message is
encrypted so that it's readable only by the person for whom it's intended. As shown in
Exhibit 11.3, depending on the strength of the encryption method, intruders or
eavesdroppers might not be able to break the encryption to read the data or text. The
confidentiality function prevents unauthorized disclosure of information.

2. Integrity is the assurance that data is accurate or that a message has not been altered.
It means that stored data has not been modified without authorization, and that a message that was
sent is the same message that was received. The integrity function detects and prevents
the unauthorized creation, modification, or deletion of data or messages.

3. Availability is the assurance that access to data, the Web site, or other EC data services is
timely, reliable, and restricted to authorized users.

Although the basic security concepts important to information on the Internet are
confidentiality, integrity, and availability, the concepts relating to the people (users) are
authentication, authorization, and nonrepudiation. Confidentiality, integrity, availability,
authentication, authorization, and nonrepudiation are all assurance processes.

AUTHENTICATION, AUTHORIZATION, AND NONREPUDIATION

All the CIA functions depend on authentication. Authentication is a process to verify (assure)
the real identity of an entity, which could be an individual, computer, computer program, or
EC Web site. For transmissions, authentication verifies that the sender of the message is
who the person or organization claims to be.
Authorization is the process of determining what the authenticated entity is allowed to
access and what operations it is allowed to perform. Authorization of an entity occurs after
authentication.

Closely associated with authentication is nonrepudiation, which is the assurance that online
customers or trading partners cannot falsely deny (repudiate) their purchase, transaction,
and so on. For EC and other electronic transactions, including those at cash machines or ATMs, all
parties in a transaction must be confident that the transaction is secure, that the parties are
who they say they are (authentication), and that the transaction is verified as completed
or final. Nonrepudiation involves many assurances, including providing:

1. The sender (customer) of data with proof of delivery

2. The recipient (EC company) with proof of the sender's identity

Authentication and nonrepudiation are potential defenses against phishing and
identity theft. To protect and ensure trust in EC transactions, digital signatures and digital
certificates are often used to validate the sender and the time stamp of the transaction, so it
cannot later be claimed that the transaction was unauthorized or invalid. Exhibit 11.4 shows
how digital signatures work. A technical overview of digital signatures and certificates and
how they provide verification is presented in Section 11.7. Unfortunately, phishers and
spammers have devised ways to compromise digital signatures (Jepson 2006).
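The mechanism of Exhibit 11.4 can be made concrete. This added example is not the textbook's and is not any particular payment system's protocol: it uses Go's standard-library Ed25519 signatures. The customer signs a canonical byte encoding of an order that includes the time stamp, and the merchant verifies the signature against the public key registered for that customer. A valid signature authenticates the sender and is the evidence that supports nonrepudiation; changing the amount after signing, moving the time stamp, or signing with a different key all make verification fail. The Order type, its field layout and the sample values are this example's assumptions, as is the premise that the public key was previously bound to the customer (in practice by a certificate, as Section 11.7 describes).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Order is the transaction the customer commits to. The time stamp is part of
// what gets signed, so a captured signature cannot be reused for a later order.
type Order struct {
	Customer  string
	Item      string
	AmountUSD string
	Timestamp time.Time
}

// Canonical returns the exact bytes that are signed and verified. Signer and
// verifier must produce identical bytes, so the encoding is fixed: one field
// per line, in a fixed order, with the time stamp in UTC RFC 3339.
func (o Order) Canonical() []byte {
	return []byte(strings.Join([]string{
		"customer=" + o.Customer,
		"item=" + o.Item,
		"amount_usd=" + o.AmountUSD,
		"ts=" + o.Timestamp.UTC().Format(time.RFC3339),
	}, "\n"))
}

// SignOrder runs on the customer's side with a private key only they hold.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, o.Canonical())
}

// VerifyOrder runs on the merchant's side with the public key registered for
// the customer. true means the bytes were signed by the holder of the matching
// private key and have not changed since: authentication of the sender, and
// evidence the customer cannot later repudiate.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, o.Canonical(), sig)
}

func main() {
	// Enrollment: the customer registers pub with the merchant; priv never leaves the customer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample order.
	order := Order{
		Customer:  "alice@example.com",
		Item:      "SKU-1001",
		AmountUSD: "19.99",
		Timestamp: time.Date(2007, 1, 25, 15, 4, 5, 0, time.UTC),
	}
	sig := SignOrder(priv, order)
	fmt.Println("original order verifies:", VerifyOrder(pub, order, sig))

	// The merchant (or an attacker in the middle) changes the amount after signing.
	altered := order
	altered.AmountUSD = "1999.00"
	fmt.Println("altered amount verifies:", VerifyOrder(pub, altered, sig))

	// Someone else signs the same order with their own key: the merchant's copy
	// of the customer's public key rejects it, so the order cannot be pinned on her.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other key verifies:     ", VerifyOrder(pub, order, SignOrder(otherPriv, order)))
}
```

The merchant keeps the signed canonical bytes and the signature together as the transaction record; that pair, not a database row the merchant could have edited, is what it would present if the customer later disputed the purchase.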

New or improved methods to ensure the confidentiality of credit card numbers, the integrity of
entire messages, the authentication of buyer and seller, and the nonrepudiation of transactions
are being developed as older ones become ineffective. The trend toward more menacing
cybercrimes and intrusions, which can cause significant financial losses for an
organization, is evident. Organizations continue to take the problem seriously and exert considerable
effort to prevent unauthorized and illegal activities.

E-COMMERCE SECURITY TAXONOMY

An EC security strategy needs to address the three information assurance metrics and the three
user assurance metrics. In Exhibit 11.5, an EC security taxonomy is presented that defines
the high-level categories the six assurance metrics map to, and their controls. The three
major categories are regulatory, financial, and marketing and operations. Only the key
metrics are listed in the taxonomy, and there is overlap in requirements across the categories.

FTC and other regulatory agencies mandate that organizations protect against unauthorized
access and privacy violations. Given the staggering number of data breaches, these
external agencies are imposing increasingly harsh penalties for inadequate database and
network security. The most critical assurance metrics are confidentiality, integrity, and
authorization.

The financial health of an organization is at risk if fraud, embezzlement, and bad debt
expense are not rigorously contained. Doing so requires protecting against the use of stolen
identities, checks, debit cards, and credit cards, and against unauthorized transactions and
overrides of accounting controls.

EC marketing depends on the trust and confidence of customers. The ability to operate
depends on the availability of the EC site and its ability to provide shopping features and
process the transaction. Among the many ways of impairing marketing and operations are
phishing, spoofing, denial of service attacks, and industrial espionage.

11.4 ENTERPRISEWIDE E-COMMERCE SECURITY AND PRIVACY MODEL

The success of an EC security strategy and program depends on the commitment and
involvement of executive management. This is often called the tone at the top. A genuine
and well-communicated executive commitment to EC security and privacy measures is
needed to convince employees that insecure practices, risky or unethical methods, and mistakes due
to ignorance will not be tolerated. Most forms of security (e.g., airport and sports arena
security) are unpopular because they are inconvenient, restrictive, time consuming, and
expensive. Security practices tend not to be a priority unless they are mandatory and there
are negative consequences for noncompliance.

Therefore, an EC security and privacy model for effective enterprise-wide security begins
with senior management commitment and support, as shown in Exhibit 11.6. The model
views EC security (as well as the broader IT security) as a combination of commitment,
people, processes, and technology.

SENIOR MANAGEMENT COMMITMENT AND SUPPORT

The authority of senior managers is needed to establish and maintain EC security programs.
EC security programs consist of all policies, procedures, documents, standards, hardware,
software, training, and personnel that work together to protect information, the ability to
conduct business, and other assets. Regulators and government agencies, most often the
FTC and SEC, are imposing harsh penalties to deter weak security programs that allow
confidential data to be compromised. For further information about management
accountability and standards of the attorneys general, see naag.org.

EC SECURITY POLICIES AND TRAINING

The next step is to develop a general EC security policy, as well as policies that specify
acceptable use of computers and networks, access control, enforcement, roles, and
responsibilities. The policies need to be disseminated throughout the organization and the
necessary training provided to ensure that everyone is aware of and understands them.
These policies are important because access control rules, access control lists, monitoring,
and rules for firewalls and routers are derived from them. For example, to avoid violating
privacy legislation when collecting confidential data, policies need to specify that
customers:

Know that the data are being collected
Give permission, or opt in, for the data to be collected
Have some control over how the information is used
Know that the information will be used in a reasonable and ethical manner

The greater the understanding of how security issues directly impact production
levels, customers and supplier relationships, revenue streams, and managements liability,
the more security will be incorporated into business projects and proposals. It is essential to
have a comprehensive and up-to-date acceptable use policy (AUP) that informs users of
their responsibilities when using company networks, wireless devices, customer data, and
so forth. To be effective, the AUP needs to define the responsibilities of every user by
specifying both acceptable and unacceptable computer usage. Access to the company
networks, databases, and e-mail should never be given to a user until after this process is
completed. Recall that human error was responsible for nearly 60 percent of information
security breaches in organizations in 2005, up from 47 percent in 2004 (CompTIA 2006).
