Information Security Seminar
IT 6873
Instructor: Dr. Ming Yang
E-Commerce Security:
Preventing Fraud
By preventing
Identity Theft
Diane M. Metcalf
May 6, 2012
Project Summary
E-Commerce is a relatively new way of doing business. Over the last several years, it
has become a convenient, trusted, accepted and often less expensive way to purchase
goods and services. As E-business continues to grow, the potential for exposure to
threats also increases. As the threats become more damaging and/or widespread,
“security” becomes critical in preventing fraud. There are many types of security already
in place; however, most internet credit card fraud occurs when an e-Commerce
merchant is unaware that an order was not placed by, and will not be paid for by, the
authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information
was gained illegally, and used to order merchandise or services via the internet, under a
false name.
This project concentrates on the area of internet fraud called “Identity Theft”. It focuses
on the responsibility of the individual cardholder in preventing or reducing fraud. It is
based upon a belief that educating and empowering consumers has the ability to
decrease internet/e-Commerce fraud by way of reducing identity theft.
Specifically, the project examined the effectiveness of an Identity Theft Prevention class
with a group of elementary school faculty and staff in expanding awareness of personal
internet security. A pre-test, post-test design was used.
In doing this research, I had expected to gain a realistic perspective regarding the
nature, and the best implementation, of E-Commerce Security, in regard to internet
fraud.
Introduction
What is Internet fraud?
Internet fraud is a type of cybercrime in which transactions are carried out by means of
deception. The National Consumer League's Fraud Center lists 25 different scams
currently making the rounds on the Internet, including these types of internet fraud:
Advance fee (Nigerian letter scam)
Business or employment scams
Counterfeit checks
Credit or debit card fraud
Identity theft
Freight forwarding or reshipping
Investment schemes
Non-delivery of goods/services
Online auction and other sales
Phony escrow
Pyramid or “ponzi” schemes (Fraudulent investment operations) (1)
Many scams are variations of those that were in existence before the Internet. The
primary difference is that Internet scammers utilize email, chat, forums and false
websites instead of more traditional methods such as telephone and US mail. (2) Utilizing
the internet allows the scammer even greater/wider access and greater anonymity.
Internet credit card fraud occurs when an e-Commerce merchant is unaware that an
order was not placed by, and will not be paid for by, the authentic cardholder. (3)
Typically, with e-commerce fraud, credit card information was gained illegally, and used
to order merchandise or services via the internet, under a false name. (It is much easier
to commit credit card fraud via an e-commerce transaction than it is to do in person.)
When the authentic cardholder receives the statement from the issuing bank and
reports the fraud, a “chargeback” must be issued by the merchant. This means that the
merchant refunds all the expenses, and pays an additional fee. (4)
Identity thieves gain access to consumers by stealing checks, bank statements,
wallets/purses, or by proffering a phony offer via phone or email. More recently, a more
common way of obtaining sensitive information is to create imitation, but realistic
looking, bank or merchant websites, or to send emails that request security information
from the consumer by instructing them to click on a link and input their personal
information. The information is then used to steal their identity in order to access their
bank accounts, obtain loans, or to use their credit cards.
Merchants who accept credit cards online are subject to additional examination and
processes in the ongoing effort to protect credit card information. Online merchants are
also subject to:
- higher transaction fees to offset the cost of security
- more stringent shipping requirements
- paying the cost of becoming and staying PCI compliant
The merchant is held responsible for any accepted fraudulent transaction.
Through the issuance of the “Red Flags Rule” and “Red Flags Guidelines” for financial
institutions, our government has provided a means of protecting consumers from
identity theft. Legislation requires merchant compliance, and this compliance helps to
foster trust-based relationships. (5)
Objective
“Security” is no longer about keeping “just” networks, or individual computer systems,
protected. Today, “security” is considered to be a legitimate business strategy;
protecting the business as a whole. Security is not merely a collection of “features”. It is
a complex system of multiple processes wherein the weakest link in the security chain
establishes the level of security for the entire system. (6)
Current security technology emphasizes security from the side of the merchant, even
though it is the consumer whose behavior may often provide the thieves with the
information they need to commit the crimes. Oftentimes, even when the security technology
works seamlessly, utilizing multiple aspects of layered technology, including those
offered by credit card issuers, fraud still takes place. This is because the consumer is
often the “weakest link”.
As a result, “security” is not just for businesses or merchants, rather, individual
consumers need to understand the concept of security as it pertains to e-commerce,
and to take personal responsibility for their role in the protection of their data and the
prevention of fraud.
Existing Issues
The integrity of an ecommerce transaction is based upon four factors:
Privacy: information must be kept safe from unauthorized access. This issue is
currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.
Integrity: information must not be altered or tampered with. Maintaining the Integrity of
information is achieved by using digital signatures. The use of digital signatures meets
the need for authentication and integrity.
Authentication: sender and recipient must prove their identities to each other. To verify
that a website that is receiving sensitive information is actually the intended website,
(not an imposter) a digital certificate is employed.
Non-repudiation: proof that the message was actually received.
The vulnerability of a system exists at these entry and exit points:
Shopper’s computer
Network connection
Website’s server
Software Vendor
There are at least 3 transactions whereby sensitive information is vulnerable during an
e-Commerce purchasing transaction: (7)
1. Credit card information supplied by the customer. Handled by the server's SSL
and the merchant/server's digital certificates.
2. Credit card information forwarded to the bank for processing. Handled by the
security measures of the payment gateway.
3. Order and customer details furnished to the merchant. Handled by SSL, server
security, digital certificates and payment gateway.
State-of-the-art security/methodologies
PKI
A PKI (public key infrastructure) consists of:
A certificate authority (CA) that issues and verifies a digital certificate. The
certificate includes the public key and/or information about the public key
A registration authority (RA) that verifies the certificate authority before a digital
certificate is issued to the requestor
Directories where the certificates and their public keys are held
A certificate management system
PKI enables users of an unsecure public network (i.e., the Internet) to securely and
privately trade data and/or currency by using public and private cryptographic key pairs
that are acquired from and shared via a trusted authority. The public key infrastructure
provides digital certificates that identify an individual or an organization, and also
provides directory services that store and even revoke the certificate, if necessary. (8)
PKI automates the process of verifying the validity of a certificate. It provides the ability
to publish, manage, and use public keys easily.
RSA algorithm (Rivest-Shamir-Adleman)
RSA is the most commonly used encryption and authentication algorithm. It’s included
as part of Microsoft’s and Netscape’s Web browsers, Lotus Notes, Intuit's Quicken, and
several other software products. RSA is also used by banks and governments.
Third party key distribution centers use RSA. The RSA algorithm multiplies two large
prime numbers (a number divisible only by itself and one) and in combination with other
operations, it generates a set of two keys, one public and one private. The original
prime numbers are then discarded.
The private key is used to decrypt text that has been encrypted with the public key. In
addition to encrypting messages (privacy), authentication also takes place with the use
of the private key by the encryption of a digital certificate. Both the public and the
private keys are needed for encryption/decryption, but the private key never needs to
travel across the Internet. The two keys differ from one another, but each key is shared
with the key distribution center. The keys are encrypted, and rules are set, using a
variety of protocols. Private keys must be kept secret, and most security lapses arise
here. (9)
Secure Socket Layers (SSL)
The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control
Protocol / Internet Protocol) whereby the information is broken into packets which are
numbered sequentially, and include error control methods. Each packet is sent via a
different route. TCP/IP reassembles the packets in their original order and resubmits
packets that have errors. (10)
SSL is a method that utilizes both PKI and digital certificates to ensure privacy and
authentication. The server receives the message from the client, and replies with a
digital certificate. Using PKI, the server and client negotiate the creation of session
keys (symmetric secret keys made specially for that particular communication), and
communication continues with the session keys and digital certificates in place.
Where credit cards are accepted by merchants online and processed in real time, four
options arise for the merchant in question:
1. Use a service bureau which is responsible for the security of all sensitive information
in the transaction
2. Use an e-Commerce merchant account but use the digital certificate supplied by the
hosting company which is a less expensive option that is acceptable for transactions
with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the
supplied digital certificate.
3. Use an e-Commerce merchant account, but purchase a digital certificate for the
business (costing hundreds of dollars).
4. Use a merchant account, and run the business from a business-owned private
server. Requires trained IT staff to maintain security, i.e.: firewalls, Kerberos (an
authentication mechanism), SSL, and the digital certificate for the server (thousands to
tens of thousands of dollars).
Digital Signatures
Digital signatures help ensure authentication and integrity and are used to confirm one's
identity to another party, and that the data has not been altered. (They verify the origin
and contents of a message.)
Digital signatures are implemented through public-key encryption. A digital signature is
prepared by first passing the plain text through a hash function to calculate the message
digest value. The digest is then encrypted with the private key to produce a signature
which is then added to the original message, and the whole package is sent to the
recipient.
In this way, the recipient can be sure that the message came from the sender. The
received message is decoded with the private key, and processed back through the
hash function. (The message digest value remains unchanged.) Very often, the
message is also time stamped by a third party agency. (11)
Digital Certificates
Digital Certificates provide digital credentials used for identification. They provide
identity and other supporting information about an entity and are valid for only a specific
period of time. They provide the basis for secure electronic transactions by enabling all
participants in the transaction to quickly and easily verify the identity of the other
participants. Digital Certificates are sold for use with email, and for e-merchants and
web-servers. Digital Certificates uniquely identify merchants, and are issued by the CA
(Certification Authority, e.g., VeriSign, GlobalSign). When a digital certificate is issued,
the issuing certification authority signs the certificate with its own private key. Validating
the authenticity of a digital certificate can be achieved by obtaining the certification
authority's public key and using it against the certificate to determine whether it was actually
signed by the certification authority.
Digital certificates contain the public key of the entity identified in the certificate. The
certificate matches the public key to a particular individual. Because the CA guarantees
the validity of the information in the certificate, digital certificates provide a solution to
the problem of how to find a user's public key and know that it is valid.
For a digital certificate to be useful, it has to be understood, and easily retrieved in a
reliable way. Digital certificates are standardized for this reason, so that they can be
read and understood regardless of the issuer. (12)
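As an added illustration that is not part of the original paper, the following Python ties together the RSA, Digital Signatures and Digital Certificates sections above: two primes are multiplied to form a toy key pair (the primes are then discarded), a message digest is signed with the private key and checked with the signer's public key, and a CA signs a small certificate whose signature and validity period are verified before the merchant's public key taken from it is trusted. The CA name, merchant name, dates and order text are constructed; 160-bit primes and unpadded "textbook" RSA are used only to keep the example short.

```python
# Toy RSA (160-bit primes, no padding) for illustration; real keys are 2048+ bits.
import hashlib
import json
import secrets

E = 65537  # the public exponent used by most real RSA keys

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # random odd number with the top bit set, retried until probably prime
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=160):
    """Multiply two primes, derive (n, e) and (n, d), then discard the primes."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            break
    n = p * q
    d = pow(E, -1, phi)  # private exponent: modular inverse of e
    return (n, E), (n, d)  # (public key, private key)

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # message digest as int

def sign(private_key, data):
    """Signature = message digest raised to the private exponent, mod n."""
    n, d = private_key
    h = digest_int(data)
    assert h < n, "modulus too small for a 256-bit digest"
    return pow(h, d, n)

def verify(public_key, data, signature):
    n, e = public_key  # the PUBLIC key reverses the signing step
    return pow(signature, e, n) == digest_int(data)

def tbs_bytes(fields):
    return json.dumps(fields, sort_keys=True).encode()  # canonical to-be-signed body

def issue_certificate(ca_private, issuer, subject, subject_public, not_before, not_after):
    """CA binds a subject name to its public key for a validity period and signs it."""
    fields = {"issuer": issuer, "subject": subject, "public_key": list(subject_public),
              "not_before": not_before, "not_after": not_after}
    return {"tbs": fields, "signature": sign(ca_private, tbs_bytes(fields))}

def validate_certificate(cert, ca_public, today):
    """Check the CA's signature over the body, then the validity window."""
    fields = cert["tbs"]
    if not verify(ca_public, tbs_bytes(fields), cert["signature"]):
        return False  # not signed by this CA, or altered after signing
    return fields["not_before"] <= today <= fields["not_after"]

def demo(today=20120506):
    """Constructed scenario: a CA certifies a merchant, who then signs an order."""
    ca_public, ca_private = generate_keypair()
    merchant_public, merchant_private = generate_keypair()
    cert = issue_certificate(ca_private, "Example CA", "shop.example",
                             merchant_public, 20120101, 20121231)
    tampered = {"tbs": dict(cert["tbs"], subject="imposter.example"),
                "signature": cert["signature"]}
    order = b"order 1234: 2 items, ship to 123 Main St"  # constructed sample message
    order_sig = sign(merchant_private, order)
    key_from_cert = tuple(cert["tbs"]["public_key"])
    return {
        "cert_valid": validate_certificate(cert, ca_public, today),
        "cert_expired": validate_certificate(cert, ca_public, 20130101),
        "cert_tampered": validate_certificate(tampered, ca_public, today),
        "order_verified": verify(key_from_cert, order, order_sig),
        "order_altered": verify(key_from_cert, order + b"0", order_sig),
    }
```

Calling demo() shows the certificate accepted inside its validity period, rejected once expired or when its subject has been altered after signing, and the merchant's order signature accepted only for the unmodified order.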
The technologies listed above use encryption as their primary way of protecting data,
individuals and organizations. Although considered strong methods, they are not
perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital
certificates for secure websites. False CA certificates that were trusted by common web
browsers have been created. Website impersonation, including banking and
e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness
recently found in the MD5 cryptographic hash function has allowed for the creation of
two different messages with the same MD5 hash.
There are many other security methods and practices. Creating and maintaining office
and employee security policies (passwords, backups), protection from viruses, spyware
and hackers by implementing firewalls and antivirus solutions, fortifying web server and
database security by researching hosting companies, verifying webpage content and
customer data, tracking customers (cookies), and calculating and providing correct
invoices and inventory are a few ways to heighten security. The primary underlying goal
of all security methods is to deter and prevent fraud.
The goal of this study was to determine whether empowering consumers with
information and resources for utilization in protecting sensitive information is a
necessary and relevant component of preventing identity theft, thereby lowering internet
fraud.
Method:
The Method of Approach for this paper is a pretest/posttest research study of the
effectiveness of an education program that was developed using the ACM digital library
and IEEE/IEE Electronic Library, including professional journals, web articles, and white
papers. Specifically, the study examined two questions:
1. Are individuals who volunteer to participate in the program representative of the
teachers, staff, and administrators in the school in their knowledge or awareness
of e-commerce security?
2. Does participation in the program increase participants’ knowledge or awareness
of methods of protecting their personal e-commerce security?
Data were collected using an instrument that asked respondents to answer questions
about each of ten security scenarios. The pretest instrument was given approximately
four days in advance of the Identity Theft Prevention class to all individuals who were to
participate, and to a group of randomly selected teachers, staff, and administrators who
were not going to participate. The instrument was administered again two days after
the class to the individuals who had participated in the class.
A presentation and interactive class, covering the topic of safeguarding personal
information, was developed. The class included an on-line interactive quiz to identify
spoofed email, and a PowerPoint presentation about how to identify spoofed telephone
calls, the various ways of preventing victimization, how to safeguard information when
using public Wi-Fi, how to configure security when using social networking sites like
Facebook, examples of how to check a credit report for fraudulent activities, and steps
to take if victimized, including reporting information for contacting authorities (the
presentation slides are attached).
A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit” was
developed, and was provided in digital format to each participant, for future reference.
Results
Aggregated Data:
Table 1: Percentage Correct by Item, Group & Test
(Pretest: Control group and Treatment group; Posttest: Treatment group only)
Item 1. If an official from your bank or a government agency calls your phone, and asks for
your bank account or social security information, you are safe to answer their
questions. However, you should refuse to provide this information to all other callers.
    Pretest: Control 100, Treatment 70. Posttest (Treatment only): 100.
Item 2. When purchasing online, you should always pay with a credit card, rather than other
forms of payment (debit card, PayPal, check, etc.).
    Pretest: Control 20, Treatment 60. Posttest (Treatment only): 90.
Item 3. The best passwords for your financial accounts are things only you could know, such
as your mother's maiden name, your dead pet's name, your children's names, or the
last four digits of your social security number.
    Pretest: Control 40, Treatment 70. Posttest (Treatment only): 90.
Item 4. It is safe to use a public computer to access your financial information on the internet.
    Pretest: Control 60, Treatment 70. Posttest (Treatment only): 100.
Item 5. If you get a lot of pop-up ads while surfing the internet, are taken to internet
sites other than the ones you type in, or see new tool bars on your computer that you
never added, your computer is probably infected with spyware.
    Pretest: Control 100, Treatment 60. Posttest (Treatment only): 100.
Item 6. You have bid for an item you really want in an online auction. However, you were not
the highest bidder. Much to your delight you are contacted a few days later telling you
that the seller has decided to sell the exact same item to you, but the transaction must
be conducted privately, not on the auction site. You conduct the transaction, and you
arrange payment and delivery with the seller. This transaction was safe.
    Pretest: Control 100, Treatment 60. Posttest (Treatment only): 90.
Item 7. You get an e-mail from your bank saying your account has been frozen due to security
precautions. You're asked to click a link to a website to enter your account number
and PIN. This is a legitimate bank intervention for your protection.
    Pretest: Control 100, Treatment 80. Posttest (Treatment only): 100.
Item 8. You have placed an online ad for a car you want to sell. A stranger contacts you,
offers to buy the car, and sends you a cashier's check for $10,000 more than you're
asking. When you ask about the discrepancy, the buyer says it was a mistake and
asks that you send him a check to refund the excess. You cash his check, your bank
says it looks fine, and you send him his refund. Two weeks later the bank tells you the
cashier's check bounced, so you owe the bank $10,000. This scenario can actually
happen.
    Pretest: Control 60, Treatment 80. Posttest (Treatment only): 100.
Item 9. When leaving your bank, you are approached by a federal agent who asks you to
participate in a "citizens’ investigation." You are instructed to go back into the bank,
the drive through, or the ATM and withdraw a certain amount of cash. The agent then
says, he needs to examine the cash to check serial numbers, potential for counterfeit,
etc. He gets your contact information, promises to return your money, and then
leaves. This was a legitimate transaction, and your money will be returned.
    Pretest: Control 100, Treatment 100. Posttest (Treatment only): 100.
Item 10. You get a phone call from someone who claims to be with your county courthouse.
You check your caller ID, which shows the actual number of the courthouse. This
person could actually be a criminal calling from overseas, trying to steal your social
security number.
    Pretest: Control 60, Treatment 50. Posttest (Treatment only): 100.
Mean:
    Pretest: Control 75.6, Treatment 72.2. Posttest (Treatment only): 96.7.
Conclusions and Future Work:
1. Are individuals who volunteer to participate in the program representative of the
teachers, staff, and administrators in the school in their knowledge or awareness
of e-commerce security?
The control group’s mean score on the pre-test was 75.6, and the mean score of the
treatment group (the group that attended the Identity Theft Prevention Class) was 72.2.
This indicates that performance was similar across both groups, in that the scores were
within 4 percentage points of each other.
This suggests that the teachers, staff and administrators who participated in the Identity
Theft Prevention class, were representative of the teachers, staff and administrators
that were offered an opportunity to participate in the class. Neither group was more
aware or adept at safeguarding their personal information, than the other.
2. Does participation in the Identity Theft Prevention Class increase participants’
knowledge or awareness of methods of protecting their personal and sensitive
information?
The treatment group’s pre-test score of 72.2, and its post-test score of 96.7,
demonstrate an overall increase of 24.5 points. This suggests that participating in the
Identity Theft Prevention Class has increased each participant’s knowledge and/or
awareness of how to protect/safeguard their personal information.
Summary:
Mobile e-Commerce, along with an increase in wireless Internet applications such as
mobile electronic commerce applications, will pose a challenge. Payment devices are rapidly
developing and becoming present everywhere. Payment cards are considered to be the
principal drivers of the transfer from paper to electronic-based payment devices.
The use of POS (point-of-sale) devices is increasing. These devices are the equivalent
of an electronic cash register and are used in supermarkets, restaurants, hotels,
stadiums, taxis, and almost any type of retail establishment.
New methods of authenticating are being, and need to be, developed and improved,
many using biometrics, including internal DNA storage and retinal scanning. (14)
Security is more important than ever to ensure the integrity of the payment process and
to protect individual and organizational privacy. The technologies mentioned above are
the current methods of ensuring a high measure of security. This measure must
continue to grow and develop, as new threats will certainly do the same. It is crucial that
security measures become an integral piece of the structural design, plan, and
implementation of any e-Commerce site. It is equally crucial that consumers bear the
responsibility for safeguarding their personal information.
This project was interesting to do, and, if done on a large scale, with the same results,
could be useful to merchants who might interpret the results to mean that consumers
are able to be educated and empowered, as well as held responsible, for safeguarding
their personal data. This belief could be utilized in a team approach to preventing
internet fraud, including Identity Theft. A shared, team approach to safeguarding
sensitive information would remove sole-responsibility (and the associated costs), from
the merchant.
Problems encountered with this study were obtaining a large participant sample and, in
order to ensure that participants would actually complete the surveys, having to keep the
number of pre/post-test questions to a minimum.
If I did this project again, I would advertise the class for a couple of weeks before the
class, hoping to gain the interest of more participants. I would interject sporadic
statistics and questions regarding internet fraud, in the method that was used for
advertising the class (posters, email, newsletter, etc.) in an attempt to demonstrate that
the class would be personally useful. I would mention that the format of the class is
informal, interactive and fun, to attract interest.
I would have a larger question base for the pre and posttests (maybe 25-50 questions)
and present them in varied formats: true/false, multiple choice and fill-in-the-blank.
I would also administer the posttest 2 weeks after the class, at the earliest, and again at
6 months, and possibly even a year later, to ascertain whether the material had been
retained. It would also be interesting to see whether anyone in the study had been a
victim of internet fraud within the year following the class.
Based on the outcome of this study, it would be interesting to conduct research that
would demonstrate the amount of online fraud that is due to errant (or lack of) security
measures by the merchant or bank, and how much takes place due to the consumers’
lack of personal security savvy.
The original proposal stated that the results of this study will be compared with the
results of similarly conducted studies to determine whether the hypothesis was correct:
that empowering consumers by educating them about internet fraud and specifically
identity theft can potentially reduce the incidence of both.
Instead, I decided that it made more sense to pre-test and posttest the experimental
group, and also to see if I could get some willing volunteers who were not participants of
the class, to answer the pre-test survey as well. In this manner, I would know whether
my experimental group was a good representation of the entire group of faculty/staff
that was offered the class, or whether they were somehow more “fraud savvy” to begin
with. As the results show, the experimental group was a representative sample.
By comparing the pre and post test scores of the experimental group, it could be
determined whether any learning took place, as demonstrated by an increase in test
scores 2 days after the class. As the results show, the overall increase in scores
suggests that the participants learned ways of safeguarding their personal data.
References
1. NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types
2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud
3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php
4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, 02/25/09, E-Commerce Times, http://www.ecommercetimes.com/story/66278.html
5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, 09/20/10, Fraud Management
6. Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html
7. Khusial and McKegney, IBM developerWorks, e-Commerce security, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
8. Van Vark, J. (1997), e-Commerce and the Security Myth - The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html
9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html
10. RSA - TechTarget, SearchSecurity, 02/02/12, searchsecurity.techtarget.com, http://searchsecurity.techtarget.com/definition/RSA
11. PKI - TechTarget, SearchSecurity, 02/01/2012, searchsecurity.techtarget.com, 02/03/12, http://searchsecurity.techtarget.com/definition/PKI
12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., MD5 considered harmful today - Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/
13. Oracle ThinkQuest - Use of Data Encryption in Today's Context: E-commerce, library.thinkquest.org, 02/9/12, http://library.thinkquest.org/27158/today1_2.html
14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12, http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false
Appendices
1. The Identity Theft Pre and Post Test questions:
Please indicate true or false, by typing an “X” next to the answer:
1. If an official from your bank or a government agency calls your phone, and asks for your
bank account or Social Security information, you are safe to answer their questions.
However, you should refuse to provide this information to all other callers.
True
False
2. When purchasing online, you should always pay with a credit card, rather than other forms of
payment (debit card, PayPal, check, etc.).
True
False
3. The best passwords for your financial accounts are things only you could know, such as your
mother's maiden name, your dead pet's name, your children’s names or the last four digits of
your Social Security number.
True
False
4. It is safe to use a public computer to access your financial information on the internet.
True
False
5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than
the ones you type in, or see new toolbars on your computer that you never added, your
computer is probably infected with spyware.
True
False
6. You have bid for an item you really want in an online auction, however, you were not the
highest bidder. Much to your delight you are contacted a few days later telling you that the
seller has decided to sell the exact same item to you, but the transaction must be conducted
privately, not on the auction site. You conduct the transaction; you arrange payment and
delivery with the seller. This transaction was safe.
True
False
7. You get an e-mail from your bank saying your account has been frozen due to security
precautions. You're asked to click a link to a Web site and enter your account number and
PIN. This is a legitimate bank intervention for your protection.
True
False
8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to
buy the car and sends you a cashier's check for $10,000 more than you're asking. When you
ask about the discrepancy, the buyer says it was a mistake and asks that you send him a
check to refund the excess.
You cash his check, your bank says it looks fine, and you send him his refund. Two weeks
later the bank tells you the cashier's check bounced, so you owe the bank $10,000.
This scenario can actually happen.
True
False
9. When leaving your bank, you are approached by a federal agent who asks you to participate
in a "citizen investigation." You are instructed to go back into the bank, the drive-through or
the ATM and withdraw a certain amount of cash. The agent then says he needs to examine
the cash to check serial numbers, potential for counterfeit, etc. He gets your contact
information, promises to return your money, then leaves.
This was a legitimate transaction, and your money will be returned.
True
False
10. You get a phone call from someone who claims to be with your county courthouse. You
check your caller ID, which shows the actual phone number of the courthouse. This person
could actually be a criminal calling from overseas, trying to steal your Social Security
number.
True
False
2. The Identity Theft Prevention Class PowerPoint Presentation:
Protecting your Identity On-Line