E-commerce Fraud and Protection
December 1, 2005 07:41
by
anonymous
Lax IT security on the part of a trading partner could have significant consequences for the trader, which might result in legal claims. The trader's inability to prove the integrity of his data may prevent him from relying on the evidence from hard copy provided by his system in a court of law. In the UK, for example, the passing of the Civil Evidence Act made the security of computer systems a major issue and one that could be ignored only at the trader's peril. The seriousness of the problem is illustrated by a report quoted in Britain's Sunday Times of 5th August 2001, which stated that an estimated $378,000,000 per year was lost to businesses through damage caused by disgruntled employees. As the economy and downsizing requirements cause companies to lay off staff, the problem can only get worse. Resentful IT employees can set up logic bombs, or disruptive programs that are activated once they have left. These programs can subtly disrupt a massive database by setting up a phenomenon known as "creeping corruption". Creeping corruption means that if one part of a relational database is inaccurate, everything that derives from that part is also inaccurate. As a result, wrong quantities of suppliers' materials may be ordered, erroneous payments made or critical payments ignored. This in turn can mean that contracts are not kept and litigation follows. If this is not enough, the cost of restoring a large relational database can be astronomic. A City of London insurer was hacked and had to revalidate their database at an estimated cost of £15,000,000. The situation is exacerbated if a company has established an extranet. This is a network and database that selected customers are allowed to access to find out, for example, what their deliveries will be, the prices they will be charged or even the latest modifications to products that will affect them.
If the supplied information is wrong and the customer acts on it to his detriment, then there is a legal liability. Skilled and experienced IT professionals are always much sought after. There is a world-wide shortage, and as a result companies fall over themselves to employ the person they perceive as being "right" for them. Often references are not bothered with, and on the basis of a couple of interviews the IT expert is employed. Nothing is known of his or her financial stability, social views, religious motivations or political idealism. Responsibility for corporate software and databases is passed to a person the employer may know less well than their window cleaner. If, after employing him for several months, the employer decides to retrench him, he may very well find he is the owner of an unworkable database and corrupted backing store. Since most companies cannot function without a database, the situation becomes critical to survival. Even if there is no question of downsizing, what is known of IT employees' morals? Are they honest? Are they fulfilled by the job? Are they resentful and dishonest? The American Bar Association study of 1,000 corporations showed that 48% of the companies had experienced computer fraud in the last five years and that the losses fell between $2 million and $10 million per respondent. 78% are said to have been perpetrated by insiders and 46% by outsiders, indicating a very high level of collusion. Collusion between employees and criminal gangs is a common way that systems may be attacked. The employee provides system information or brings into the workplace discs that the gang have prepared and runs them. The gang set up their fraud, take the money and pay their collaborator handsomely. Even if the crime is discovered in time to do something about it, it would be very difficult to establish how it happened or who was involved.
The term "in time" is relevant since most computer-based frauds go on for about three years and then stop for reasons known only to the perpetrators. Extortion is also gaining momentum through advances in high technology. The crime is usually implemented through an implanted worm program. This invariably means that someone within the company co-operated by bringing the worm into the building and loading it onto the network. In the UK it has been estimated that £400 million in extortion money has been paid following threats to wipe out infected computer systems. Banks, brokers and investment houses in the USA have also, it is believed, secretly paid ransoms to prevent costly computer meltdowns and a collapse of confidence amongst their customers. British and American agencies have been investigating more than 40 attacks on financial institutions in London and New York. Victims have allegedly paid around £13 million a time after the blackmailers demonstrated their ability to bring trading to a halt. Given the litigious climate that has evolved over the past years and the rapid advances made in e-business, there is much that companies need to know when it comes to the potential legal proceedings they could face. From e-mail and authentication issues to confidentiality concerns, the potential for lawsuits in today's Internet-connected world is considerable. The need for security is paramount since a company will generally not be held liable, or may at least avoid punitive sanctions, if it took reasonable precautions to prevent attacks. However, reasonableness is a sliding scale based on knowledge of a threat and the ability to avoid that threat. A further complication exists because hackers tend to move electronically from machine to machine without the owner's knowledge, so a third-party Web site might suffer a denial of service attack originating from a legitimate and honest business.
Clearly, it could be possible for victims to file suits against honest and innocent businesses, especially if they are found to be lax in their security controls. Europe and the USA have tried to frame laws that can be sensibly used against miscreants. The UK 1990 Act tried and failed to deal with this problem, but it did introduce a new concept: a case could be tried in the UK provided there was a significant link. So a hacker based in Kuala Lumpur who used an innocent host in the UK to attack an American Web site could be tried in the UK. Relief came for the innocent host through a requirement under the Act that the prosecution must prove that the accused had the knowledge, ability and intention to attack a site. Additional relief came with the 1995 Civil Evidence Act, under which documents encoded by public key encryption and sealed with a digital signature could be accepted by courts; e-mail headers could be accepted but not the content, and file save dates could be accepted but not the file. Regulatory liability is another area that is gaining ground, with the passage of government legislation to protect the privacy of citizens in the health, financial and other areas. In many of the cases seen around the world today, most courts award the alleged victims huge damages. Again, the liability rests with the owner of the system that is breached. IT security is not only necessary to protect information and data; it is essential to avoid the critical effects of litigation. An organisation must meet the standard of due diligence to minimise potential liability from information security breaches. In effect, due diligence requires managers to implement standard business practices and take precautions that a reasonable business manager in their business environment would take.
Unfortunately, due diligence is a difficult standard to meet because there are many, often ambiguous, sources for what constitutes standard or reasonable business practices.

Policy. The board of directors must make a clear statement on how they view security and what they expect from their employees. Written security procedures that are understood and followed by all staff must be in place.

Screening. All IT and other staff who have sufficient skills to attack the system must be screened before being offered employment. This screening should include their background, friends, work experience and academic qualifications. The civil service and military vet their staff for the best reasons of security; so should boards of directors with their staff. Nor should screening start and finish with employment; it should be carried out on a cyclical basis. The cost of hiring an external organisation to do this could be minimal compared with damages awarded by a court, or the cost of recovering a corrupted database.

Encryption. Since most messages on the Internet can be read, it is essential that they are encrypted. Today there are cheap manifestations of the unbreakable public key cryptology which give a very high level of protection. This, combined with digital signatures, a cryptographic check sum, will ensure that the message is not only confidential but that it has not been tampered with in passage.

Security software. Firewalls are thought of as the ultimate in protection, but they are only as effective as the software that is available and utilised. Strong exclusion policies should be in place, together with control over the types and form of e-mails that are being sent so that any reference to race, religion or gender is qualified. Software that determines who may do what, and when and where, is another step forward, as are intrusion detection systems that alarm as soon as an intruder appears or an employee acts uncharacteristically.

Authentication. Robust password mechanisms must be in place to ensure that only the authorised access systems. Perhaps frequently changed passwords could be supported by some form of smart card. The card would be inserted into the machine at the time of access and, after the password has been given, would in local mode ask the holder personal questions. Inability to respond, or delays in responding, would disable the terminal.

Disc drives. Except for centrally located and secure terminals, there should be no A or D drives on terminals. This prevents staff bringing into the area pre-programmed diskettes or CD-ROMs that hold spurious code. Similarly, terminals that can write CD-ROMs should be in secure areas and not accessible to all staff.

Physical security. It goes without saying that if physical security is poor, any other security will be pointless. This form of security should reflect the value of the data that the countermeasures are protecting.

Risk management. Without good risk management tools it is not possible to determine which countermeasures are most effective, and security can be ad hoc or cosmetic and therefore easy to compromise.

The eight points mentioned are just a beginning. Recovery of databases, backup procedures, personnel procedures, training, security manuals and contingency plans also play a significant part. However, treating security seriously and implementing strong security measures will mitigate due diligence claims, prevent fraud and other crimes and at the same time allow you to sleep undisturbed in your bed at night. Sadly, legal sanctions are not a deterrent. The only true way to prevent telephone-number losses is to have strong security and procedures. What is to be introduced and how it will be implemented is another concern. In this respect the Web site http://www.IPTsite.com offers both books and courses that will help Web sites and networks successfully and securely profit from the Internet.
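One way to put the Encryption point above into practice, as an added example in Go that is not from the article or its author: the trader signs a trading record with an Ed25519 key (the cryptographic check sum), encrypts record plus signature to the recipient's RSA public key, and the recipient decrypts and refuses any record whose signature no longer matches. The NewParties, Seal and Open names and the sample purchase-order record are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewParties generates the trader's Ed25519 signing pair and the recipient's RSA pair.
func NewParties() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey, error) {
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rsaPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	return sigPub, sigPriv, rsaPriv, err
}

// Seal signs the record (the "cryptographic check sum") and encrypts record||signature with RSA-OAEP.
func Seal(record []byte, signer ed25519.PrivateKey, to *rsa.PublicKey) ([]byte, error) {
	sig := ed25519.Sign(signer, record)
	payload := append(append([]byte{}, record...), sig...)
	// OAEP with SHA-256 under a 2048-bit key carries at most 190 bytes: enough for a short record.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, payload, nil)
}

// Open decrypts and verifies; a record altered in passage or signed with another key is rejected.
func Open(sealed []byte, me *rsa.PrivateKey, signer ed25519.PublicKey) ([]byte, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, sealed, nil)
	if err != nil {
		return nil, err // wrong key or ciphertext modified: OAEP padding check fails
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	n := len(payload) - ed25519.SignatureSize
	if !ed25519.Verify(signer, payload[:n], payload[n:]) {
		return nil, errors.New("signature does not match record")
	}
	return payload[:n], nil
}
func main() {
	sigPub, sigPriv, rsaPriv, _ := NewParties()
	sealed, _ := Seal([]byte("PO-1001: 500 units @ 12.50 GBP"), sigPriv, &rsaPriv.PublicKey) // constructed sample
	rec, err := Open(sealed, rsaPriv, sigPub)
	fmt.Printf("record=%q err=%v\n", rec, err)
}
```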
© Dr Ian C Palmer, Principal Consultant, International Professional Training. Dr Palmer has over 35 years' experience in data processing and in the last twenty years has specialised in the security of information systems and computer crime investigation. He has successfully led security studies on large networked computer systems in the UK, the Middle and Far East and Africa. He has also assisted various police forces investigating computer crime as well as advising them on computer malpractice.