CHAPTER 17A – FRAUD IN E-COMMERCE

Jennifer Lowes



E-Business

◦ Uses information technology and electronic communication networks to exchange business information and conduct paperless transactions.

◦ Includes virtual private networks and other specialised connections through which businesses routinely connect to one another.

Albrecht, Albrecht, Albrecht & Zimbelman, 2012, p 602


Elements of Fraud Risk in E-Commerce

[Fraud triangle diagram: Perceived Pressure, Perceived Opportunity, Rationalisation]

Perceived Pressures:

• Dramatic growth leading to tremendous cash flow needs.

• Pressure to improve financial results due to mergers/acquisitions.

• Borrowing or issuing stock.

• New products requiring expensive marketing.

• Unproven or flawed business models with tremendous cash flow pressures.


Elements of Fraud Risk in E-Commerce

[Fraud triangle diagram: Perceived Pressure, Perceived Opportunity, Rationalisation]

Perceived Opportunities:

• Lag between transaction developments and security developments.

• Complex information systems that make installing controls difficult.

• Removal of personal contact – easier impersonation or falsified identity.

• Electronic transfer of funds, allowing large frauds to be committed more easily.

• Compromised privacy resulting in theft by using stolen or falsified information.


Elements of Fraud Risk in E-Commerce

[Fraud triangle diagram: Perceived Pressure, Perceived Opportunity, Rationalisation]

Rationalisations:

• Perceived distance that decreases the personal contact between customer and supplier.

• Transactions between anonymous or unknown buyers and sellers – you can’t see who you are hurting.

• New economy thinking contends that traditional methods of accounting no longer apply.


E-Commerce Risks Inside Organisations

◦ Easier to infiltrate systems, steal money and information and cause damage when perpetrators are within firewalls and security checks.

◦ Perpetrators with inside access know the control environment, understand security mechanisms, and find ways to bypass security.

◦ Most common problem: abuse of the power granted to users, e.g. programmers with superuser access. Removal of programmers’ access is often overlooked when systems go into production, so development-level privileges survive into the live environment.


Survey

◦ More than one third of network administrators admitted to snooping into HR records and customer databases.

◦ 88% of administrators would take sensitive data if they were fired.

◦ 33% would take company password lists.


Data Theft

◦ First concern of e-commerce fraud as data have many useful attributes:

1. Can be converted to cash fairly easily.

2. Information is replicable, allowing perpetrators to simply copy data rather than remove them, leaving the source data intact.

3. Can be transferred easily and quickly to any location.

4. Managers lack the technical expertise to prevent and detect data theft.


Passwords

◦ Password selection cannot be fully controlled, as it is left to the end user.

◦ Common passwords are built from personal information (names, birth dates, pets, sports teams), so a perpetrator who knows or researches an employee may be able to guess that employee’s password.

◦ Social engineering techniques are used by hackers to gain access to passwords.

◦ Hackers take information from blogs, Facebook walls and other social network sites and use it to ask victims for “just a little more”.


Passwords

◦ Companies may require regular password changes to try to mitigate the risk of passwords being stolen.

◦ However, many employees will merely add a sequential number to the end of their password.

◦ Companies and websites generally have certain password requirements such as minimum character length, upper case, symbol, number etc.
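The two password slides above describe what a checker ought to catch: a password built from personal details an attacker can read off social media, and a “new” password that is the old one with the trailing number bumped. The following is an added example, not material from the slides or from Albrecht et al.; the profile dictionary, the rule thresholds and the function names are assumptions made for the illustration.

```python
import re

# Constructed profile: the kind of detail an attacker harvests from a Facebook
# wall or blog. Invented for this example, not real data.
PROFILE = {
    "first_name": "Jennifer",
    "last_name": "Lowes",
    "birth_year": "1985",
    "pet": "Rufus",
    "employer": "Acme",
}

# Composition rules of the kind the slide mentions (length, case, digit, symbol).
# The minimum length is an assumption for this example.
COMPLEXITY_RULES = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("an upper-case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lower-case letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a digit", lambda p: re.search(r"\d", p) is not None),
    ("a symbol", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def _split_trailing_number(password):
    """Return (stem, trailing digits): 'Summer2013' -> ('Summer', '2013')."""
    m = re.match(r"^(.*?)(\d*)$", password)
    return m.group(1), m.group(2)


def is_trailing_number_change(old, new):
    """True when the only change from old to new is the trailing number
    (incremented, replaced or newly appended), e.g. Summer2012 -> Summer2013."""
    old_stem, old_num = _split_trailing_number(old)
    new_stem, new_num = _split_trailing_number(new)
    if not new_num or old_stem.lower() != new_stem.lower():
        return False
    return new_num != old_num


def contains_personal_info(password, profile, min_len=4):
    """Return the profile keys whose value (>= min_len chars) appears in the
    password, case-insensitively. Short values are skipped to limit noise."""
    lowered = password.lower()
    return [key for key, value in profile.items()
            if len(value) >= min_len and value.lower() in lowered]


def check_new_password(new, old=None, profile=None):
    """Return the list of reasons the password is rejected; [] means accepted."""
    reasons = [f"needs {desc}" for desc, ok in COMPLEXITY_RULES if not ok(new)]
    if old is not None and is_trailing_number_change(old, new):
        reasons.append("only the trailing number changed from the previous password")
    if profile:
        for key in contains_personal_info(new, profile):
            reasons.append(f"contains personal information ({key})")
    return reasons


if __name__ == "__main__":
    for old, new in [("Summer!2012", "Summer!2013"),
                     (None, "Rufus-Lowes-1985!"),
                     ("Summer2012", "Correct horse battery staple 7!")]:
        verdict = check_new_password(new, old=old, profile=PROFILE)
        print(f"{new!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The sequential-number check only works if the old password (or a hash-independent record of it) is available at change time, which is why most systems compare against the previous plaintext during the change request rather than against stored hashes. Current guidance (NIST SP 800-63B) goes further than the slide: it drops forced periodic rotation and composition rules in favour of length and screening against lists of breached or common passwords, precisely because rotation produces the “Summer2012 → Summer2013” behaviour described above.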


Passwords – How many do you have?

University, bank, work login, email, Google, Microsoft, Facebook, Twitter, Instagram, Skype, TradeMe, Pinterest, online shops, blogs, online communities, phone login, utility companies, YouTube.


Need one of these?

◦ http://www.youtube.com/watch?v=Srh_TV_J144


Risk vs Convenience?


Sniffing

◦ Logging, filtering and viewing of information that passes along a network line.

◦ The most common method of gathering information from unencrypted communications.

◦ Easily done on most networks by hackers that run freely available applications.

◦ Firewalls, spam filters and anti-virus programmes do not stop a sniffer reading traffic that crosses a network in the clear; only encrypting the session (HTTPS/TLS, or a VPN back to the organisation) does. Employee laptops, tablets and mobile phones are most exposed on business trips, when they connect to networks the organisation does not control.
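To make the sniffing slide concrete, the following added example (not from the slides or from Albrecht et al.) shows what a passive listener on a shared network, or the operator of a rogue access point as described on the next slide, can lift from one unencrypted HTTP session. The captured bytes, host names and credentials are constructed for the illustration; the parser is a deliberately minimal one that relies on Content-Length and ignores chunked encoding.

```python
import base64
from urllib.parse import parse_qs

# Constructed capture of one cleartext TCP stream carrying two HTTP requests.
# Invented for this example; not a real capture. The Basic header is the
# base64 of "jen:Summer2013".
CAPTURE = (
    b"GET /intranet/ HTTP/1.1\r\n"
    b"Host: intranet.example.co.nz\r\n"
    b"Authorization: Basic amVuOlN1bW1lcjIwMTM=\r\n"
    b"Cookie: JSESSIONID=AB12CD34EF\r\n"
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example.co.nz\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=jen&password=Summer2013&go=1"
)

# Form field names commonly used for secrets (assumption for this example).
SECRET_FIELDS = ("password", "passwd", "pwd", "pin")


def split_requests(raw):
    """Split a cleartext stream into (request_line, headers, body) tuples.
    Bodies are delimited by Content-Length; header names are lower-cased."""
    requests = []
    while raw:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request at the end of the capture
        lines = head.decode("latin-1").split("\r\n")
        request_line, headers = lines[0], {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, raw = rest[:length], rest[length:]
        requests.append((request_line, headers, body.decode("latin-1")))
    return requests


def harvest_credentials(raw):
    """Return (kind, host, secret) for every credential visible in the stream.
    This is exactly the filtering step of a sniffer: nothing here is decrypted,
    because nothing was encrypted."""
    findings = []
    for _request_line, headers, body in split_requests(raw):
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # HTTP Basic auth is base64, not encryption: trivially reversible.
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1")
            findings.append(("basic-auth", host, creds))
        if "cookie" in headers:
            # A session cookie lets the sniffer replay the session without a password.
            findings.append(("session-cookie", host, headers["cookie"]))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body)
            user = form.get("username", form.get("user", ["?"]))[0]
            for field in SECRET_FIELDS:
                for value in form.get(field, []):
                    findings.append(("form-login", host, f"{user}:{value}"))
    return findings


if __name__ == "__main__":
    for kind, host, secret in harvest_credentials(CAPTURE):
        print(f"{kind:15} {host:25} {secret}")
```

Had both sites used HTTPS, the same listener would see only the TLS handshake (including the server name) and opaque ciphertext; that, not the firewall or anti-virus, is what removes the sniffing risk for a traveller on untrusted Wi-Fi.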


Wartrapping

◦ Hackers go to places such as airports where business travellers are likely to be and set up internet access points through their laptop.

◦ The access point is named so that it appears legitimate, e.g. “Auckland Airport Free Wireless”.

◦ Because all of the traveller’s traffic now passes through the hacker’s laptop, the hacker can sniff passwords and other data as the traveller browses the internet through the connection.


E-Commerce Risks Outside Organisations

◦ Internet provides a rich medium for external hackers to gain access to personal systems.

◦ Ability to hack from across international borders means that tracking and prosecuting hackers is difficult.


NZ Statistics

◦ Year to 9th August 2013: 562 online frauds reported to NetSafe, totalling $4.4 million.

◦ NetSafe’s Chief Executive estimates annual losses from internet fraud to be between $100m and $400m per year.

◦ In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing and tax refund scams in NZ.


Spyware

◦ Installs monitoring software alongside the regular software that a user downloads or buys.

◦ Peer-to-peer music and video-sharing applications are the worst spyware offenders.

◦ Most spyware programs monitor user behaviour so that the company behind them can profit by selling the personal data they collect.

◦ More advanced spyware can copy financial or other sensitive data from internal directories and files and send it to external entities.


Phishing

◦ Phishing involves sending emails or pop up messages asking for personal information in inventive ways.

◦ Common method is to request victims to update account details by clicking on a link to a website which appears to be the company’s website.

◦ Common targets have been bank customers, TradeMe/ebay customers, even government departments such as IRD.


ANZ

◦ In July 2013, ANZ customers were targeted by a phishing scam.

◦ Phishers sent an email to ANZ customers which appeared to be from ANZ.

◦ It stated that customers must update their account information through the link or service would be suspended.

◦ The link took customers to a fake website which replicated the logos and formatting of ANZ.

◦ When customers attempted to log in to the fake website, the phishers captured their log-in details and used them to access the real accounts.

www.stuff.co.nz/technology/digital-living/8985900/Phishing-scam-targets-ANZ-log-in-details


Large Retail Company (Un-named)

◦ Major retail chain targeted by overseas cyber criminals in September 2013.

◦ The attack (phishing by telephone rather than email) attempted to convince store staff to install rogue software on their computers.

◦ Callers claimed to be a senior member of the company and directed employees to a fake website designed to look like the company’s official tech support site.

◦ No data was lost: the company’s IT staff noticed what was happening, blocked access to the website and cleaned up the affected machines.

◦ “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re extremely trusting”.

www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11130882


Spoofing

◦ Forging the information in e-mail headers (e.g. the From address) or the source IP address of network packets.

◦ Perpetrators hide their identity, or impersonate a trusted sender or host, simply by altering these fields; any control that grants access or trust on the basis of the claimed sender or source address can then be bypassed.
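The e-mail side of spoofing is easiest to see in the headers themselves: the From line is whatever the sender typed, while the envelope sender, the receiving hops and the authentication results recorded by your own mail server are much harder to forge. The following added example (not from the slides or from Albrecht et al.) checks a message for the mismatches that a forged From address leaves behind. The two messages are constructed for the illustration, modelled on the ANZ-style e-mail described earlier, and every host and domain in them is an example name; the trusted MX identifier is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Our own inbound MX: only Authentication-Results stamped by it are trusted,
# because a sender can insert a fake header of that name. (Assumption.)
TRUSTED_AUTHSERV = "mx1.example.org"

# Constructed phishing message: forged From, real envelope sender elsewhere.
SPOOFED = """\
Return-Path: <bounce@mail-hosting.example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10]) by mail.victim.example.co.nz
Received: from host17.mail-hosting.example.net (host17.mail-hosting.example.net [198.51.100.17]) by mx1.example.org
Authentication-Results: mx1.example.org; spf=fail smtp.mailfrom=mail-hosting.example.net; dkim=none
From: Example Bank <service@examplebank.co.nz>
Reply-To: verify@examplebank-secure.example.com
To: customer@victim.example.co.nz
Subject: Your account will be suspended

Update your account information through the link or service will be suspended.
"""

# Constructed genuine message from the same bank for contrast.
LEGITIMATE = """\
Return-Path: <statements@examplebank.co.nz>
Received: from mx1.example.org (mx1.example.org [203.0.113.10]) by mail.victim.example.co.nz
Received: from smtp-out.examplebank.co.nz (smtp-out.examplebank.co.nz [192.0.2.25]) by mx1.example.org
Authentication-Results: mx1.example.org; spf=pass smtp.mailfrom=examplebank.co.nz; dkim=pass header.d=examplebank.co.nz
From: Example Bank <statements@examplebank.co.nz>
To: customer@victim.example.co.nz
Subject: Your monthly statement

Your statement is attached.
"""


def domain_of(address_header):
    """'Example Bank <service@examplebank.co.nz>' -> 'examplebank.co.nz'."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def spoofing_indicators(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Return a list of header inconsistencies suggesting a forged sender."""
    msg = message_from_string(raw_message)
    indicators = []
    from_domain = domain_of(msg.get("From", ""))

    # 1. The envelope sender (Return-Path) is what SMTP actually used.
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        indicators.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")

    # 2. Replies are steered somewhere other than the claimed sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 3. SPF/DKIM verdicts, but only if stamped by our own MX.
    auth = msg.get("Authentication-Results", "")
    if not auth.lower().startswith(trusted_authserv.lower() + ";"):
        indicators.append("no Authentication-Results from our own MX; SPF/DKIM claims untrusted")
    else:
        if "spf=fail" in auth.lower() or "spf=softfail" in auth.lower():
            indicators.append("SPF failed for the envelope sender")
        if "dkim=pass" not in auth.lower():
            indicators.append("no valid DKIM signature")

    # 4. The last Received header is the first hop: the host that handed the mail in.
    received = msg.get_all("Received") or []
    if received:
        first_hop = received[-1].split()[1].lower()
        if not first_hop.endswith(from_domain):
            indicators.append(f"first hop {first_hop} is not under {from_domain}")
    return indicators


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoofing_indicators(message) or ["no indicators"])
```

Treat the envelope/From mismatch and the first-hop check as signals rather than verdicts: legitimate bulk mail and mailing lists routinely relay through third-party providers. What formally ties the From domain to the authenticated sender is DMARC alignment, which is why the SPF and DKIM results from your own MX carry the most weight.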


Falsified Identity

◦ Subtle differences in internet host names often go unnoticed by internet users.

◦ E.g. “.com”, “.org” and “.nz” are easily confused but lead to completely different websites.

◦ If two similar names are owned by two different entities, one site could mimic the other and trick users into thinking they are dealing with the original website.
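The ANZ case above turned on a link whose visible text and real destination differed, and this slide turns on host names that differ by a suffix or a character. Both are mechanical to check before a user ever clicks. The following added example (not from the slides or from Albrecht et al.) audits links against a list of domains the organisation wants to protect. The protected domains, the sample links and the small stand-in for the public suffix list are assumptions made for the illustration; a production version would use the full public suffix list and a fuller confusables table.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains we consider genuine (assumption for this example; tuple for stable order).
PROTECTED = ("examplebank.co.nz", "examplestore.com")

# Stand-in for the public suffix list so 'www.x.co.nz' reduces to 'x.co.nz'.
MULTI_PART_SUFFIXES = {"co.nz", "org.nz", "net.nz", "govt.nz", "ac.nz", "co.uk"}

# Characters commonly swapped for look-alikes in host names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed links as they might appear in a phishing e-mail (invented, not real).
SAMPLE_LINKS = [
    ("https://www.examplebank.co.nz/login", "http://examplebank-secure.example.net/login"),
    ("Click here", "https://www.examp1ebank.co.nz/update"),
    ("Update your details", "https://examplebank.com/"),
    ("Our store", "https://www.examplestore.com/sale"),
    ("View statement", "https://online.examplebank.co.nz/statements"),
]


def registrable_domain(host):
    """'online.examplebank.co.nz' -> 'examplebank.co.nz'; 'a.b.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain):
    """The organisation's name part: 'examplebank.co.nz' -> 'examplebank'."""
    return domain.split(".")[0]


def normalise(label):
    """Undo the usual confusable substitutions (digits for letters, rn for m, vv for w)."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_host(host, protected=PROTECTED):
    """Say whether a host is one of ours, a look-alike of one of ours, or unrelated."""
    dom = registrable_domain(host)
    if dom in protected:
        return "legitimate"
    label = brand_label(dom)
    for legit in protected:
        legit_label = brand_label(legit)
        if label == legit_label:
            return f"lookalike of {legit}: same name, different suffix"
        if normalise(label) == legit_label:
            return f"lookalike of {legit}: homoglyph substitution"
        if SequenceMatcher(None, label, legit_label).ratio() >= 0.85:
            return f"lookalike of {legit}: near-identical spelling"
        if legit_label in host.lower().replace("-", ""):
            return f"lookalike of {legit}: brand name embedded in another domain"
    return "unrelated"


def audit_link(text, href, protected=PROTECTED):
    """Return the problems with one (visible text, actual href) pair; [] if clean."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    findings = []
    shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1)} but points at {host}")
    if parsed.scheme == "http":
        findings.append("link is plain HTTP, so anything typed into it travels unencrypted")
    verdict = classify_host(host, protected)
    if verdict != "legitimate":
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{href}\n  " + ("\n  ".join(audit_link(text, href)) or "no findings"))
```

The “brand name embedded” rule is the one that would have flagged the GoogleDirectory-style case on the next slide had it been a domain: a real name wrapped in extra words under someone else’s registrable domain.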


“GoogleDirectory”

◦ NZ company with no links to Google, launched July 2013.

◦ Promotes itself as a new online marketing tool, offering special internet advertisement packages.

◦Over 100,000 listings – some who were contacted by the NZHerald had no idea they were listed and had not paid.

◦One customer was told Google was re-launching in NZ as GoogleDirectory.

www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11111728


Conclusion

◦ Fraud risks in e-commerce systems are significant.

◦ Many employees do not fully appreciate the risks, or the methods that online fraud perpetrators use.

◦ As auditors, it is important to be aware of the fraud risk in e-commerce and test internal controls to minimise the risk.