preventing internet fraud by preventing identity theft

Information Security Seminar IT 6873 Instructor: Dr. Ming Yang E-Commerce Security: Preventing Fraud By preventing Identity Theft Diane M. Metcalf May 6, 2012


Page 1: Preventing Internet Fraud By Preventing Identity Theft

Information Security Seminar

IT 6873

Instructor: Dr. Ming Yang

E-Commerce Security: Preventing Fraud By Preventing Identity Theft

Diane M. Metcalf

May 6, 2012


Project Summary

E-Commerce is a relatively new way of doing business. Over the last several years, it has become a convenient, trusted, accepted and often less expensive way to purchase goods and services. As E-business continues to grow, the potential for exposure to threats also increases. As the threats become more damaging and/or widespread, “security” becomes critical in preventing fraud. There are many types of security already in place; however, most internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name.

This project concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It is based upon a belief that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft.

Specifically, the project examined the effectiveness of an Identity Theft Prevention class with a group of elementary school faculty and staff in expanding awareness of personal internet security. A pre-test, post-test design was used.

In doing this research, I had expected to gain a realistic perspective regarding the nature, and the best implementation, of E-Commerce Security, in regard to internet fraud.


Introduction

What is Internet fraud?

Internet fraud is a type of cybercrime in which transactions are committed by using deception. The National Consumer League's Fraud Center lists 25 different scams currently making the rounds on the Internet, including these types of internet fraud:

Advance fee (Nigerian letter scam)

Business or employment scams

Counterfeit checks

Credit or debit card fraud

Identity theft

Freight forwarding or reshipping

Investment schemes

Non-delivery of goods/services

Online auction and other sales

Phony escrow

Pyramid or “Ponzi” schemes (fraudulent investment operations) (1)

Many scams are variations of those that were in existence before the Internet. The primary difference is that Internet scammers utilize email, chat, forums and false websites instead of more traditional methods such as telephone and US mail. (2) Utilizing the internet allows even greater/wider access and greater anonymity to the scammer.

Internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (3) Typically, with e-commerce fraud, credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name. (It is much easier to commit credit card fraud via an e-commerce transaction than it is to do in person.) When the authentic cardholder receives the statement from the issuing bank and reports the fraud, a “chargeback” must be issued by the merchant. This means that the merchant refunds all the expenses, and pays an additional fee. (4)


Identity thieves gain access to consumers by stealing checks, bank statements, wallets/purses, or by proffering a phony offer via phone or email. More recently, a more common way of obtaining sensitive information is to create imitation, but realistic-looking, bank or merchant websites, or to send emails that request security information from the consumer by instructing them to click on a link and input their personal information. The information is then used to steal their identity in order to access their bank accounts, obtain loans, or to use their credit cards.

Merchants who accept credit cards online are subject to additional examination and processes in the ongoing effort to protect credit card information. Online merchants are also subject to:

-higher transaction fees to offset the cost of security

-more stringent shipping requirements

-paying the cost of becoming and staying PCI compliant

The merchant is held responsible for any accepted fraudulent transaction.

Through the issuance of the “Red Flags Rule” and “Red Flags Guidelines” for financial institutions, our government has provided a means of protecting consumers from identity theft. Legislation requires merchant compliance, and this compliance helps to foster trust-based relationships. (5)

Objective

“Security” is no longer about keeping “just” networks, or individual computer systems, protected. Today, “security” is considered to be a legitimate business strategy, protecting the business as a whole. Security is not merely a collection of “features”. It is a complex system of multiple processes wherein the weakest link in the security chain establishes the level of security for the entire system. (6)

Current security technology emphasizes security from the side of the merchant, even though it is the consumer whose behavior may often provide the thieves with the information they need to commit the crimes. Often, when the security technology works seamlessly, utilizing multiple aspects of layered technology, including those offered by credit card issuers, fraud still takes place. This is because the consumer is often the “weakest link”.

As a result, “security” is not just for businesses or merchants; rather, individual consumers need to understand the concept of security as it pertains to e-commerce, and to take personal responsibility for their role in the protection of their data and the prevention of fraud.

Existing Issues

The integrity of an e-commerce transaction is based upon four factors:

Privacy: information must be kept safe from unauthorized access. This issue is currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.

Integrity: information must not be altered or tampered with. Maintaining the integrity of information is achieved by using digital signatures. The use of digital signatures meets the need for authentication and integrity.

Authentication: sender and recipient must prove their identities to each other. To verify that a website that is receiving sensitive information is actually the intended website (not an imposter), a digital certificate is employed.

Non-repudiation: proof that the message was actually received.


The vulnerability of a system exists at these entry and exit points:

Shopper’s computer

Network connection

Website’s server

Software Vendor

There are at least 3 transactions whereby sensitive information is vulnerable during an e-Commerce purchasing transaction: (7)

1. Credit card information supplied by the customer. Handled by the server's SSL and the merchant/server's digital certificates.

2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway.

3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and payment gateway.

State-of-the-art security/methodologies

PKI

A PKI (public key infrastructure) consists of:

- A certificate authority (CA) that issues and verifies a digital certificate. The certificate includes the public key and/or information about the public key

- A registration authority (RA) that verifies the certificate authority before a digital certificate is issued to the requestor

- Directories where the certificates and their public keys are held

- A certificate management system

PKI enables users of an unsecured public network (i.e., the Internet) to securely and privately trade data and/or currency by using public and private cryptographic key pairs that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identify an individual or an organization, and also provides directory services that store and even revoke the certificate, if necessary. (8)

PKI automates the process of verifying the validity of a certificate. It provides the ability to publish, manage, and use public keys easily.

RSA algorithm (Rivest-Shamir-Adleman)

RSA is the most commonly used encryption and authentication algorithm. It’s included as part of Microsoft’s and Netscape’s Web browsers, Lotus Notes, Intuit's Quicken, and several other software products. RSA is also used by banks and governments.

Third party key distribution centers use RSA. The RSA algorithm multiplies two large prime numbers (a number divisible only by itself and one) and, in combination with other operations, generates a set of two keys, one public and one private. The original prime numbers are then discarded.

The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), authentication also takes place with the use of the private key by the encryption of a digital certificate. Both the public and the private keys are needed for encryption/decryption, but the private key never needs to travel across the Internet. The two keys differ from one another, but each key is shared with the key distribution center. The keys are encrypted, and rules are set, using a variety of protocols. Private keys must be kept secret, and most security lapses arise here. (9)

Secure Sockets Layer (SSL)

The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol) whereby the information is broken into packets which are numbered sequentially, and include error control methods. Each packet is sent via a different route. TCP/IP reassembles the packets in their original order and resubmits packets that have errors. (10)

SSL is a method that utilizes both PKI and digital certificates to ensure privacy and authentication. The server receives the message from the client, and replies with a digital certificate. Using PKI, the server and client negotiate the creation of session keys (symmetrical secret keys specially made for that particular communication), and communication continues with the session keys and digital certificates in place.

Where credit cards are accepted by merchants online and processed in real time, four options arise for the merchant in question:

1. Use a service bureau which is responsible for the security of all sensitive information in the transaction.

2. Use an e-Commerce merchant account but use the digital certificate supplied by the hosting company, which is a less expensive option that is acceptable for transactions with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the supplied digital certificate.

3. Use an e-Commerce merchant account, but purchase a digital certificate for the business (costing hundreds of dollars).

4. Use a merchant account, and run the business from a business-owned private server. Requires trained IT staff to maintain security, i.e., firewalls, Kerberos (an authentication mechanism), SSL, and the digital certificate for the server (thousands to tens of thousands of dollars).


Digital Signatures

Digital signatures help ensure authentication and integrity and are used to confirm one's identity to another party, and that the data has not been altered. (They verify the origin and contents of a message.)

Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest value. The digest is then encrypted with the private key to produce a signature which is then added to the original message, and the whole package is sent to the recipient.

In this way, the recipient can be sure that the message came from the sender. The received message is decoded with the private key, and processed back through the hash function. (The message digest value remains unchanged.) Very often, the message is also time stamped by a third party agency. (11)

Digital Certificates

Digital Certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid for only a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants. Digital Certificates are sold for use with email, and for e-merchants and web-servers. Digital Certificates uniquely identify merchants, and are issued by the CA (Certification Authority, i.e., VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. Validating the authenticity of a digital certificate can be achieved by obtaining the certification authority's public key and using it against the certificate to determine if it was actually signed by the certification authority.

Digital certificates contain the public key of the entity identified in the certificate. The certificate matches the public key to a particular individual. Because the CA guarantees the validity of the information in the certificate, digital certificates provide a solution to the problem of how to find a user's public key and know that it is valid.

For a digital certificate to be useful, it has to be understood, and easily retrieved in a reliable way. Digital certificates are standardized for this reason, so that they can be read and understood regardless of the issuer. (12)
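The RSA key generation, hash-then-sign and certificate validation steps described in the RSA, Digital Signatures and Digital Certificates sections, worked through end to end as an added example that is not part of the original paper. The function names, the JSON certificate layout (a stand-in for a standardized certificate), the sample order and the toy Mersenne-prime keys are assumptions made for illustration; the RSA is unpadded textbook RSA, and a signature is checked with the signer's public key.

```python
import hashlib
import json
from datetime import date
from math import gcd

E = 65537  # widely used RSA public exponent


def make_keypair(p, q, e=E):
    """Multiply two primes into a modulus and derive the key pair.

    Only n, e and d are returned; p and q are discarded, as the text describes.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data):
    """Message digest (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Hash the data, then transform the digest with the private key."""
    n, d = private_key
    h = digest_int(data)
    if h >= n:
        raise ValueError("modulus too small for a SHA-256 digest")
    return pow(h, d, n)


def verify(data, signature, public_key):
    """Recompute the digest and compare it with the value recovered from the
    signature using the signer's public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def cert_body(cert):
    """Canonical bytes of the fields the CA vouches for."""
    fields = {k: cert[k] for k in ("subject", "public_key", "not_after")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, public_key, not_after, ca_private):
    """The CA binds a subject name to a public key and signs the binding."""
    cert = {"subject": subject, "public_key": list(public_key),
            "not_after": not_after}
    cert["ca_signature"] = sign(cert_body(cert), ca_private)
    return cert


def validate_certificate(cert, ca_public, today):
    """Accept the certificate only if it is unexpired and signed by the CA."""
    if date.fromisoformat(cert["not_after"]) < today:
        return False
    return verify(cert_body(cert), cert["ca_signature"], ca_public)


def verify_signed_message(message, signature, cert, ca_public, today):
    """Check the certificate first, then the message against the key in it."""
    if not validate_certificate(cert, ca_public, today):
        return False
    return verify(message, signature, tuple(cert["public_key"]))


# --- Constructed sample data (not real keys, names or orders) ---
# Mersenne primes keep the listing short; real keys use large random primes.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
SHOP_PUBLIC, SHOP_PRIVATE = make_keypair(2**127 - 1, 2**1279 - 1)
SHOP_CERT = issue_certificate("shop.example", SHOP_PUBLIC, "2030-01-01",
                              CA_PRIVATE)
ORDER = b"order=1001;total=49.95"
ORDER_SIGNATURE = sign(ORDER, SHOP_PRIVATE)
TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    print("genuine order:", verify_signed_message(
        ORDER, ORDER_SIGNATURE, SHOP_CERT, CA_PUBLIC, TODAY))
    print("altered order:", verify_signed_message(
        b"order=1001;total=0.01", ORDER_SIGNATURE, SHOP_CERT, CA_PUBLIC, TODAY))
```

An altered order, an expired certificate, or a certificate whose public key was swapped after the CA signed it all fail the check, because each changes a digest that no longer matches the signed value.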

The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created. Website impersonation, including banking and e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness recently found in the MD5 cryptographic hash function has allowed for the creation of distinct messages with the same MD5 hash.

There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups), protection from viruses, spyware and hackers by implementing firewalls and antivirus solutions, fortifying web server and database security by researching hosting companies, verifying webpage content, customer data, tracking customers (cookies), and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud.

The goal of this study was to determine whether empowering consumers with information and resources for utilization in protecting sensitive information is a necessary and relevant component of preventing identity theft, thereby lowering internet fraud.


Method:

The Method of Approach for this paper is a pretest/posttest research study of the effectiveness of an education program that was developed using the ACM digital library and IEEE/IEE Electronic Library, including professional journals, web articles, and white papers. Specifically, the study examined two questions:

1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security?

2. Does participation in the program increase participants’ knowledge or awareness of methods of protecting their personal e-commerce security?

Data were collected using an instrument that asked respondents to answer questions about each of ten security scenarios. The pretest instrument was given approximately four days in advance of the Identity Theft Prevention class to all individuals who were to participate, and to a group of randomly selected teachers, staff, and administrators who were not going to participate. The instrument was administered again two days after the class to the individuals who had participated in the class.

A presentation and interactive class, covering the topic of safeguarding personal information, was developed. The class included an on-line interactive quiz to identify spoofed email, and a PowerPoint presentation about how to identify spoofed telephone calls, the various ways of preventing victimization, how to safeguard information when using public Wi-Fi, how to configure security when using social networking sites like Facebook, examples of how to check a credit report for fraudulent activities, and steps to take if victimized, including reporting information for contacting authorities (the presentation slides are attached).

A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit”, was developed, and was provided in digital format to each participant, for future reference.


Results

Aggregated Data:

Table 1: Percentage Correct by Item, Group & Test

For each item, the percent answering correctly is listed for the pretest (Control group), the pretest (Treatment group) and the posttest (Treatment only).

1. If an official from your bank or a government agency calls your phone, and asks for your bank account or social security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers.
   Pretest (Control): 100; Pretest (Treatment): 70; Posttest (Treatment only): 100

2. When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.).
   Pretest (Control): 20; Pretest (Treatment): 60; Posttest (Treatment only): 90

3. The best passwords for your financial accounts are things only you could know, such as your mother's maiden name, your dead pet's name, your children's names, or the last four digits of your social security number.
   Pretest (Control): 40; Pretest (Treatment): 70; Posttest (Treatment only): 90

4. It is safe to use a public computer to access your financial information on the internet.
   Pretest (Control): 60; Pretest (Treatment): 70; Posttest (Treatment only): 100

5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new tool bars on your computer that you never added, your computer is probably infected with spyware.
   Pretest (Control): 100; Pretest (Treatment): 60; Posttest (Treatment only): 100

6. You have bid for an item you really want in an online auction. However, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction, and you arrange payment and delivery with the seller. This transaction was safe.
   Pretest (Control): 100; Pretest (Treatment): 60; Posttest (Treatment only): 90

7. You get an e-mail from your bank saying your account has been frozen due to security precautions. You're asked to click a link to a website to enter your account number and PIN. This is a legitimate bank intervention for your protection.
   Pretest (Control): 100; Pretest (Treatment): 80; Posttest (Treatment only): 100

8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car, and sends you a cashier's check for $10,000 more than you're asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier's check bounced, so you owe the bank $10,000. This scenario can actually happen.
   Pretest (Control): 60; Pretest (Treatment): 80; Posttest (Treatment only): 100

9. When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizens’ investigation." You are instructed to go back into the bank, the drive through, or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, and then leaves. This was a legitimate transaction, and your money will be returned.
   Pretest (Control): 100; Pretest (Treatment): 100; Posttest (Treatment only): 100

10. You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your social security number.
   Pretest (Control): 60; Pretest (Treatment): 50; Posttest (Treatment only): 100

Mean
   Pretest (Control): 75.6; Pretest (Treatment): 72.2; Posttest (Treatment only): 96.7

Conclusions and Future Work:

1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security?

The control group’s mean score on the pre-test was 75.6, and the mean score of the treatment group (the group that attended the Identity Theft Prevention Class) was 72.2. This indicates that performance was similar across both groups, in that the scores were within 4 percentage points of each other.

This suggests that the teachers, staff and administrators who participated in the Identity Theft Prevention class were representative of the teachers, staff and administrators that were offered an opportunity to participate in the class. Neither group was more aware or adept at safeguarding their personal information than the other.

2. Does participation in the Identity Theft Prevention Class increase participants’ knowledge or awareness of methods of protecting their personal and sensitive information?

The treatment group’s pre-test score of 72.2, and its post-test score of 96.7, demonstrate an overall increase of 24.5 points. This suggests that participating in the Identity Theft Prevention Class has increased each participant’s knowledge and/or awareness for protecting/safeguarding their personal information.

Summary:

Mobile e-Commerce, along with an increase in wireless Internet applications such as mobile electronic commerce applications, will be a trial. Payment devices are rapidly developing and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper to electronic-based payment devices.

The use of POS (point-of-sales) devices is increasing. These devices are the equivalent of an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment.

New methods of authenticating are being, and need to be, developed and improved, many using Biometrics, including internal DNA storage and retinal scanning. (14)

Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and implementation of any e-Commerce site. It is equally crucial that consumers bear the responsibility for safeguarding their personal information.

This project was interesting to do, and, if done on a large scale, with the same results, could be useful to merchants who might interpret the results to mean that consumers are able to be educated and empowered, as well as held responsible, for safeguarding their personal data. This belief could be utilized in a team approach to preventing internet fraud, including Identity Theft. A shared, team approach to safeguarding sensitive information would remove sole responsibility (and the associated costs) from the merchant.

Problems encountered with this study were obtaining a large participant sample and, in order to ensure that participants would actually complete the surveys, the pre/post test questions had to be kept to a minimum.

If I did this project again, I would advertise the class for a couple of weeks before the class, hoping to gain the interest of more participants. I would interject sporadic statistics and questions regarding internet fraud, in the method that was used for advertising the class (posters, email, newsletter, etc.) in an attempt to demonstrate that the class would be personally useful. I would mention that the format of the class is informal, interactive and fun, to attract interest.

I would have a larger question base for the pre and posttests (maybe 25-50 questions) and present them in varied formats: true/false, multiple choice and fill-in-the-blank.

I would also administer the posttest 2 weeks after the class, at the earliest, and again at 6 months, and possibly even a year later, to ascertain whether the material had been retained. It would also be interesting to see whether anyone in the study had been a victim of internet fraud within the year following the class.

Based on the outcome of this study, it would be interesting to conduct research that would demonstrate the amount of online fraud that is due to errant (or lack of) security measures by the merchant or bank, and how much takes place due to the consumers’ lack of personal security savvy.

The original proposal stated that the results of this study will be compared with the results of similarly conducted studies to determine whether the hypothesis was correct: that empowering consumers by educating them about internet fraud and specifically identity theft can potentially reduce the incidence of both.

Instead, I decided that it made more sense to pre-test and posttest the experimental group, and also to see if I could get some willing volunteers who were not participants of the class, to answer the pre-test survey as well. In this manner, I would know whether my experimental group was a good representation of the entire group of faculty/staff that was offered the class, or whether they were somehow more “fraud savvy” to begin with. As the results show, the experimental group was a representative sample.

By comparing the pre and post test scores of the experimental group, it could be determined whether any learning took place, as demonstrated by an increase in test scores 2 days after the class. As the results show, the overall increase in scores suggests that the participants learned ways of safeguarding their personal data.


References

1 NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types

2 Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud

3 Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php

4 Eisen, Ori, Telltale Signs of E-Commerce Fraud, 02/25/09, E-Commerce Times, http://www.ecommercetimes.com/story/66278.html

5 Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, 09/20/10, Fraud Management

6 Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html

7 Khusial and McKegney, IBM Developer Works, e-Commerce security, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html

8 Van Vark, J. (1997) e-Commerce and the Security Myth - The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html

9 E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html

10 RSA - TechTarget, SearchSecurity, 02/02/12, searchsecurity.techtarget.com, http://searchsecurity.techtarget.com/definition/RSA

11 PKI - TechTarget, Search Security, 02/01/2012, searchsecurity.techtarget.com, 02/03/12, http://searchsecurity.techtarget.com/definition/PKI

12 Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, DA, MD5 considered harmful today - Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/

13 Oracle ThinkQuest - Use of Data Encryption in Today's Context: E-commerce, library.thinkquest.org, 02/9/12, http://library.thinkquest.org/27158/today1_2.html

14 Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12, http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false


Appendices

1. The Identity Theft Pre and Post Test questions:

Please indicate true or false, by typing an “X” next to the answer:

1. If an official from your bank or a government agency calls your phone, and asks for your bank account or Social Security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers.

True

False

2. When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.).

True

False

3. The best passwords for your financial accounts are things only you could know, such as your mother's maiden name, your dead pet's name, your children’s names or the last four digits of your Social Security number.

True

False

4. It is safe to use a public computer to access your financial information on the internet.

True

False

5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new toolbars on your computer that you never added, your computer is probably infected with spyware.

True

False

6. You have bid for an item you really want in an online auction; however, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction; you arrange payment and delivery with the seller. This transaction was safe.

True

False

7. You get an e-mail from your bank saying your account has been frozen due to security precautions. You're asked to click a link to a Web site and enter your account number and PIN. This is a legitimate bank intervention for your protection.

True

False

8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car and sends you a cashier's check for $10,000 more than you're asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier's check bounced, so you owe the bank $10,000. This scenario can actually happen.

True

False

9. When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizen investigation." You are instructed to go back into the bank, the drive-through or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, then leaves. This was a legitimate transaction, and your money will be returned.

True

False

10. You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual phone number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your Social Security number.

True

False

2. The Identity Theft Prevention Class PowerPoint Presentation:

Protecting your Identity On-Line
