Global Summit of Women 2003
Marrakech, Morocco
Your Business and Information Technology: Protecting Your Enterprise in a “Virtual” Market
Dr. Zeinab Safar, Technical Advisor, National Council For Women, Cairo, Egypt
Since the early and mid-nineties the world has been becoming smaller: the spread and use of information technologies at breathtaking speed, a development that still amazes, have changed the whole world. Technological and scientific progress has raised the productivity, efficiency and effectiveness of business operations. Traditional business has given way to new business models. Wide use of the Internet and related technologies has increased the speed, quality and ease of communication between business partners and between organizations and their stakeholders, transcending geographical boundaries and reaching billions of customers in every country of the world. Even small dot.com companies with websites are attracting a client base never before thought possible. Many are discovering just how international the Internet really is. Orders are now placed not only from the next town, but from the next continent, too.
Every day, millions of
items are offered for transactions on the Internet and these are expected to
increase every year with the instant flow of information.
E-businesses and e-commerce have allowed companies to build partnerships and
strategic alliances, and have extended their products or service lines, all
over the world, increasing their growth and introducing innovative
production lines. Some of these companies have in fact become virtual
organizations.
What are the threats to e-business? As businesses and partners grow, systems become increasingly sophisticated and less dependent on human monitoring, and thus more vulnerable to electronic crime. As organizations develop and refine their e-business strategies, they will need to know that they can be affected by the new risks of e-crime and that they need to be adequately prepared for an external attack. New vulnerabilities resulting from globalization and the rapid development of information technology have shown that it is vital to secure our countries and our businesses from cyber crimes.
What Are Cyber Crimes?
Cyber crime refers to all unlawful conduct, wrongful actions and the resulting damage or harm inflicted on persons, property or nations, done with criminal intent in cyberspace or using the medium of the Internet. There are various cyber crimes, such as:
- Unauthorized access: accessing or misusing a computer system to intercept transmissions, steal sensitive information, or destroy or change data for financial gain.
- Spoofing: fake websites that falsely present themselves as the sites of established companies for fraudulent purposes.
- Data alteration: altering the content of a transaction, credit card numbers, etc.
- Monitoring: tracking of keystrokes to capture confidential information.
- Viruses: spreading of computer viruses that are capable of destroying data files.
- Software piracy: illegal registration and distribution of commercial software.
- Denial of service: a hacker denies access to visitors of your website.
- Trojan horses: gaining total remote control of a user’s machine without his/her consent by installing a small piece of software on the machine and using another companion software to gain that remote access.
In recent surveys, most of
the respondents detected computer security breaches, while a substantial
number acknowledged financial losses due to computer breaches. Internet
attacks against public and private organizations are increasing by the day.
Most of the serious financial losses occur through theft of proprietary
information and financial fraud.
Impact of Cyber Crimes
Cyber crimes affect people, businesses and governments at the personal, corporate and governmental levels. Cyber crime is indeed catching the attention of every government. It is by its very nature a trans-border crime and may involve the overlap of several distinct national legal jurisdictions.
Protection Measures at All Levels
The precautionary and protection measures should address
three levels, personal, corporate and governmental/intergovernmental. The
challenge lies in the difficulty of bringing cyber criminals to justice
because perpetrators are usually able to conceal their identity.
Personal Precautions
Shoppers who buy through the Internet need to follow a set of guidelines to maintain a high level of trust and satisfaction when dealing with online stores. They should always buy from stores with a good reputation, which can be learned from the various seller-rating websites. Another important consideration is never to enter any credit card information unless the communication is over a secure channel (SSL: Secure Sockets Layer), and no such communication should be carried out on a public computer. Online customers should also not respond to spam, because spammers usually use spy software components that can be loaded automatically onto their machines and start grabbing personal information. The use of anti-virus software and connecting to the Internet through a secure firewall are highly recommended.
Corporate Precautions
Online stores should strive to maintain strong and stable relationships with their customers, especially frequent customers. They should use digital certificates to ensure that their clients’ credit cards are not compromised during an online transaction. Reliable web hosting is also an important factor in avoiding connection-related problems during transactions.
Governments
Countries must provide legal recognition of the electronic format. In addition, there has to be general recognition that wherever any law prevailing in the country requires anything to be in written, handwritten, printed or typewritten form, then, notwithstanding anything contained in any such law for the time being in force, such requirement of law shall be deemed to be satisfied if the concerned information or matter is rendered or made available in electronic format and remains accessible so as to be capable of being used for subsequent reference.
Countries also need to legislate on the issue of data protection so as to ensure that people get the appropriate legal fruits of their association with the e-commerce revolution. Security needs to be given a legal backing and mandate.
Technologies to Combat Cyber Crimes and Fraud
- Honeypots and the Cybernetic Sting
Honeypots are servers or workstations that are deliberately exposed to attackers, waiting for the attackers to expose themselves. The attacker thinks that he is entering a defenseless file server, for example, and then proceeds to install his Trojan horse, back door and maybe a zombie bot, all without realizing that he is being observed by a clever network security specialist.
- Online Virus Scanning
Protects your PC, files and email address book from high-risk, productivity-killing viruses, worms and trojans such as Slammer, Code Red, Nimda, SirCam and Nichello.
- AVS - Address Verification System
The idea behind it is simple: all credit cards are billed to the customer's address, which is usually on the order form or can be asked for during the transaction. If the information given by the customer can be matched against the information in the issuing bank's records, there is a higher chance that the card and the transaction are legitimate.
- CVM - Card Verification Methods
Although relatively new, this method is gaining momentum for one reason: it almost guarantees that the person using the card has the card in his or her hand at the time of use. In other words, it removes many of the doubts associated with online transactions.
It works simply: a short number (usually three or four digits long) is printed on the credit card. This number is not embossed or stored on the magnetic strip of the card, but is usually printed on the back in ink, generally on the signature strip. When prompted for this number, the cardholder enters it by physically looking at the card, and the merchant verifies it with the bank for a match/no-match response.
- Lockout and Refusal Systems
One of the more common ways for the less sophisticated thief to obtain valid credit card numbers is through brute trial and error. Using an automatic card number generator and a simple script or program to fill out a form, a would-be thief can generate and test thousands of credit card numbers in minutes.
The easiest form of defense is to reject more than X transactions from a given IP address (whether they fail or not) within X amount of time (day, week, month). Such attacks will also fail the AVS and CVM checks.
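The lockout rule above, written out as an added example (not code from the talk): a per-IP counter over a sliding time window that counts every attempt, pass or fail, and once the limit is exceeded refuses that address for a lockout period. The limit of five attempts per hour and the one-day lockout are assumed values; the attempt log is constructed for the demonstration.

```python
"""Lockout / refusal counter for a payment form.

Every transaction attempt from an IP address is counted, whether the card was
accepted or declined; more than LIMIT attempts inside WINDOW seconds trips a
lockout of LOCKOUT seconds. All three numbers are assumed, not from the talk.
"""
from collections import defaultdict, deque

LIMIT = 5           # assumed: at most 5 attempts per window
WINDOW = 3600.0     # assumed: one-hour sliding window
LOCKOUT = 86400.0   # assumed: refuse the address for one day once tripped


class IpThrottle:
    def __init__(self, limit=LIMIT, window=WINDOW, lockout=LOCKOUT):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.locked_until = {}              # ip -> time at which the lockout expires

    def allow(self, ip, now):
        """Record an attempt at time `now` and report whether it may proceed.

        Call this before the card is submitted to the processor, so that failed
        attempts count as well as successful ones.
        """
        if self.locked_until.get(ip, 0.0) > now:
            return False
        recent = self.attempts[ip]
        # Drop attempts that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.limit:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return False
        return True


def replay(events, throttle=None):
    """Run (timestamp, ip) attempts through a throttle and return the decisions."""
    t = throttle or IpThrottle()
    return [t.allow(ip, ts) for ts, ip in events]


# Constructed attempt log: one address fires seven attempts ten seconds apart
# (a card-testing pattern), another address places a single order.
CONSTRUCTED_EVENTS = [(i * 10.0, "198.51.100.7") for i in range(7)] + [(65.0, "203.0.113.9")]

if __name__ == "__main__":
    for (ts, ip), ok in zip(CONSTRUCTED_EVENTS, replay(CONSTRUCTED_EVENTS)):
        print(f"t={ts:6.1f} {ip:15} {'allowed' if ok else 'REFUSED'}")
```

The counter keys on the source address alone; behind a shared proxy this will also refuse legitimate neighbours, which is why the talk pairs it with the AVS and CVM checks rather than relying on it by itself.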
- Bad Customer Lists
A list of customers with a history of failed transactions due to invalid credit card numbers can also be created for a web-based merchant. As each bad transaction takes place, it is recorded for future reference. When a new order is placed, the transaction information is checked against the entries in the ‘bad customer list’ and rejected if a match is found. If done before any other processing takes place, this can flatly refuse any customer who has a history of fraud.
- Risk Scoring and Refusal Rules
These are the best methods to include in your strategy, as they are usually a strategy in themselves. Using combinations of the above methods plus specifics about the order itself, these "scores" are assessed based on the type of risk believed to be involved.
This type of system uses several fraud prevention techniques, thereby significantly lowering the risk of fraud. It also allows the merchant to set standards for the characteristics of what he or she considers a good or bad transaction. The better the rules, the lower the chance of theft. Over time, a risk-based system can become very good at its job and virtually eliminate most fraudulent transactions.
“Recommended fraud prevention strategy”
Although I cannot recommend something specifically for your needs, on a broad scale I can recommend a strategy that anyone doing business online should include in their overall scheme to prevent theft.
The first thing your system should do is compare the order against your existing "Bad Customer" list. If it passes that check, then the following flags should be included in your rule-based risk scoring system:
* Larger-Than-Normal-Orders: any order that seems larger than would normally be placed, especially for multiples of the same item, should have a high-risk score.
* Fast-Shipping/Overnight-Shipping: any order that is shipped overnight should have a moderate risk score attached to it.
* Orders-To-An-Out-Of-State-Address: any order that is shipped to an address in a different state than the billing address of the credit card should be given a high-risk score.
* Failed-AVS-Verification: an order that fails this check should be given a moderate risk score.
* Failed-CVM: an order that fails this check should be given a moderate-high risk score.
* "Free"-Email-Address: an order which includes an anonymous email address such as Hotmail.com or Yahoo.com should be given a moderate risk score, as many thieves use these addresses so that they can dump them easily.
* Multiple-Orders-From-The-Same-Card/IP/Shipping-Address: more than one or two orders from the same credit card or the same IP address, especially if the second order is significantly higher than the first, should be flagged with a high-risk score.
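The bad-customer-list check and the rule-based scoring strategy above, combined into one added example that is not code from the talk: the bad-customer list is consulted before anything else, and only then are the seven flags weighted and summed. The weight scale (high = 3, moderate-high = 2, moderate = 1), the rejection threshold, the "normal" order value and the sample orders are all assumptions made for the demonstration; the free-email domains are the two named in the text.

```python
"""Rule-based order risk scoring in the shape the talk recommends.

Step 1 rejects anyone on the bad-customer list outright; step 2 sums weighted
flags and decides accept / review / reject. Weights, thresholds and the
"normal" order size are assumed values, not figures from the talk.
"""
from dataclasses import dataclass, field

FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}  # the two domains the text names
TYPICAL_ORDER_VALUE = 100.0   # assumed normal order value for this shop
MAX_SAME_ITEM = 3             # assumed: more units of one item than this is unusual
HIGH, MODERATE_HIGH, MODERATE = 3, 2, 1   # assumed weight scale
REJECT_AT = 4                 # assumed: a single high flag alone only earns a review


@dataclass
class Order:
    card_hash: str       # hash of the card number; the number itself is never stored
    ip: str
    email: str
    total: float
    max_same_item: int   # largest quantity of any single item on the order
    overnight: bool
    billing_state: str
    shipping_state: str
    avs_passed: bool
    cvm_passed: bool


@dataclass
class RiskEngine:
    bad_customers: set = field(default_factory=set)  # card hashes / emails with fraud history
    history: list = field(default_factory=list)      # orders already processed

    def assess(self, o):
        """Return (decision, score, reasons) for an order."""
        # Step 1: the bad-customer list is checked before any other processing.
        if o.card_hash in self.bad_customers or o.email.lower() in self.bad_customers:
            return "reject", None, ["bad customer list"]

        score, reasons = 0, []

        def flag(condition, weight, why):
            nonlocal score
            if condition:
                score += weight
                reasons.append(why)

        # Step 2: the flags from the recommended strategy, in the order given.
        flag(o.total > 3 * TYPICAL_ORDER_VALUE or o.max_same_item > MAX_SAME_ITEM,
             HIGH, "larger than normal order")
        flag(o.overnight, MODERATE, "overnight shipping")
        flag(o.shipping_state != o.billing_state, HIGH, "ships out of billing state")
        flag(not o.avs_passed, MODERATE, "failed AVS")
        flag(not o.cvm_passed, MODERATE_HIGH, "failed CVM")
        flag(o.email.lower().rsplit("@", 1)[-1] in FREE_EMAIL_DOMAINS,
             MODERATE, "free email address")
        prior = [p for p in self.history if p.card_hash == o.card_hash or p.ip == o.ip]
        flag(len(prior) >= 2 or (prior and o.total >= 2 * max(p.total for p in prior)),
             HIGH, "repeat orders from same card/IP")

        decision = "reject" if score >= REJECT_AT else ("review" if score else "accept")
        return decision, score, reasons

    def record(self, o):
        """Remember a processed order so the repeat-order rule can see it later."""
        self.history.append(o)


if __name__ == "__main__":
    engine = RiskEngine(bad_customers={"cardhash-bad"})
    # Constructed sample orders.
    clean = Order("cardhash-1", "198.51.100.7", "a@corp.example", 80.0, 1, False, "NY", "NY", True, True)
    risky = Order("cardhash-2", "203.0.113.9", "x@hotmail.com", 900.0, 5, True, "NY", "CA", False, False)
    for order in (clean, risky):
        print(order.card_hash, engine.assess(order))
        engine.record(order)
```

Recording every processed order, not only the accepted ones, is what lets the repeat-order rule notice a second, much larger order from the same address; the threshold is deliberately set so that one high-risk flag sends an order to manual review rather than refusing it outright.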
Reporting Fraud
While there is little monetary incentive for a merchant to report fraud, it should be done. It is a sad fact that most thieves who use Internet fraud are rarely caught and most stolen items are rarely returned to the merchant (not to mention costs reimbursed).
The basics needed are simple:
- a solid policy that is hard to screw up internally
- detailed information kept on file to support investigations or prosecution (including what was taken and how much was lost in money and time)
- consistent reporting
- helpful and timely response
- a policy for direct negotiation with the thief.
These will help any investigation, whether internal or external. You will need to know who you should report fraud to (usually local law enforcement will direct you to the correct bureau, and you should also include your merchant bank as a contact), what information they require, and who is the primary contact person at your business for these investigations.