Preventing Fraud by Preventing Identity Theft

Information Security Seminar IT 6873
E-Commerce Security: Preventing Fraud by Preventing Identity Theft
Diane M. Duhé Metcalf
May 6, 2012
Project Summary

E-Commerce is a relatively new way of doing business. Over the last several years it has become a convenient, trusted, accepted and often less expensive way to purchase goods and services. As e-business continues to grow, the potential for exposure to threats also increases, and as the threats become more damaging and widespread, security becomes critical in preventing fraud. Many types of security are already in place; however, most internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information was obtained illegally and used to order merchandise or services via the internet under a false name.

This paper concentrates on the area of internet fraud called "Identity Theft". It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It demonstrates that educating and empowering consumers can decrease internet/e-Commerce fraud by reducing identity theft. Conducting an Identity Theft Prevention class with a group of elementary school faculty and staff was the method used in this study. I had expected to gain knowledge as well as a realistic perspective regarding the nature, and the best implementation, of E-Commerce Security in regard to internet fraud.

Introduction

What is Internet fraud? Internet fraud is a type of cybercrime in which fraudulent transactions are committed by using deception. The National Consumer League's Fraud Center lists 25 different scams currently making the rounds on the Internet, including these types of internet fraud:

- Advance fee (Nigerian letter scam)
- Business or employment scams
- Counterfeit checks
- Credit or debit card fraud
- Identity theft
- Freight forwarding or reshipping
- Investment schemes
- Non-delivery of goods/services
- Online auction and other sales
- Phony escrow
- Pyramid or "Ponzi" schemes (fraudulent investment operations) (1)

Many scams are variations of scams that existed before the Internet did. The only difference is that Internet scammers use email, chat, forums and false websites instead of more traditional methods such as the telephone and US mail. (2)

Internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (3) Typically, the credit card information was obtained illegally and used to order merchandise or services via the internet under a false name. (It is much easier to commit credit card fraud via an e-commerce transaction, where neither the card nor the cardholder is present, than in person.) When the real cardholder receives the statement from the issuing bank and reports the fraud, a chargeback is issued against the merchant: the merchant refunds the full amount and pays an additional fee. (4)

Identity thieves gain access to consumers' information by stealing checks, bank statements, wallets or purses, or by proffering a phony offer via phone or email. More recently, the more common ways of obtaining sensitive information are to create imitation but realistic-looking bank or merchant websites, or to send emails that request security information from the consumer by instructing them to click on a link and input their personal information. The information is then used to steal their identity in order to access their bank accounts, obtain loans, or use their credit cards.
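The phishing email described above is the entry point the rest of this paper is concerned with, and the class in the Method section trained participants to spot spoofed email by eye. The following is an added example, written for this page and not part of the original paper, that automates the same checks a consumer is taught to make on one raw message: whether the display name borrows a brand that the sending domain does not belong to, whether replies are routed to a different domain than the apparent sender, and whether the visible text of a link names a different host than the link actually points to (plus a flag on punycode hosts, which can hide look-alike letters). The message, the brand-to-domain table and every domain name in it are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not from the paper): the display name claims to be a
# bank, the sending domain is a look-alike, replies go elsewhere, and the link
# text hides where the links really lead.
SAMPLE_EMAIL = b"""From: "Example Bank Security" <alerts@examp1e-bank-login.example>
Reply-To: verify@mail-hosting.example
To: victim@example.org
Subject: Urgent: confirm your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please confirm your details now:</p>
<a href="http://examp1e-bank-login.example/verify">https://www.examplebank.example/login</a>
<a href="http://xn--exmplebank-9jb.example/verify">Example Bank secure portal</a>
<a href="https://www.examplebank.example/help">Help centre</a>
</body></html>
"""

# Brands a consumer recognises, mapped to the domains that legitimately send
# mail for them (assumed values for this example).
KNOWN_BRANDS = {"example bank": {"examplebank.example"}}
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme; None if absent."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def belongs_to(host, domains):
    """True if host is one of `domains` or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_message, known_brands=KNOWN_BRANDS):
    """Return human-readable spoofing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    # 1. The display name borrows a brand, but the address is not that brand's.
    for brand, domains in known_brands.items():
        if brand in sender.display_name.lower() and not belongs_to(sender_domain, domains):
            findings.append(f"display name '{sender.display_name}' but sender domain is {sender_domain}")
    # 2. Replies are routed to a different domain than the apparent sender.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")
    # 3. Link text that names one host while the href leads to another, and
    #    internationalized (punycode) hosts that can hide look-alike letters.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if target is None:
                continue
            if URL_LIKE.match(text) and host_of(text) != target:
                findings.append(f"link text shows {host_of(text)} but points to {target}")
            if any(label.startswith("xn--") for label in target.split(".")):
                findings.append(f"punycode host {target}: check for look-alike characters")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed message this reports four indicators (brand/domain mismatch, Reply-To mismatch, a link whose text and target disagree, and a punycode host); a plain message from the brand's own domain with no links reports none. None of these checks proves a message is fraudulent on its own, which is why the class teaches them as prompts to stop and verify through a known-good channel rather than as a verdict.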
Merchants who accept credit cards online are subject to additional examination and processes in the ongoing effort to protect credit card information. Online merchants are also subject to:

- higher transaction fees to offset the cost of security
- more stringent shipping requirements
- the cost of becoming and staying PCI compliant

The merchant is held responsible for any accepted fraudulent transaction. Through the issuance of the "Red Flags Rule" and "Red Flags guidelines" for financial institutions, the US government has provided a means of protecting consumers from identity theft. Legislation requires merchant compliance, and this compliance helps to foster trust-based relationships. (5)

Objective

"Security" is no longer about keeping just networks or individual computer systems protected. Today security is considered a legitimate business strategy, protecting the business as a whole. Security is not merely a collection of features; it is a system process in which the weakest link in the security chain establishes the level of security for the entire system. (6) Often, even when the security technology works seamlessly, using multiple layers of technology including those offered by credit card issuers, fraud still takes place. This is because the consumer is the weakest link in the chain. Security is not just for businesses or merchants: individual consumers need to understand the concept of security as it pertains to e-commerce, and to take personal responsibility for their role in protecting their data and preventing fraud.
Existing Issues

Four requirements must be met for an e-Commerce transaction to be secure:

Privacy: information must be kept safe from unauthorized access.
Integrity: information must not be altered or tampered with.
Authentication: sender and recipient must prove their identities to each other.
Non-repudiation: proof is needed that a message was actually sent and received, so that neither party can later deny the transaction.

The vulnerability of a system exists at these entry and exit points:

- Shopper's computer
- Network connection
- Website's server
- Software vendor

There are at least three points at which sensitive information is vulnerable during an e-Commerce purchasing transaction: (7)

1. Credit card information supplied by the customer. Handled by the server's SSL and the merchant/server's digital certificates.
2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway.
3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and the payment gateway.

How each requirement is currently met:

Privacy: the data is encrypted, using PKI (public key infrastructure) and RSA.
Integrity: maintaining the integrity of information is achieved by using digital signatures. A digital signature meets the need for both authentication and integrity.
Authentication: to verify that a website receiving sensitive information is actually the intended website and not an imposter, a digital certificate is employed.
Non-repudiation: a signed message, often time-stamped by a third party, serves as proof that the message was actually sent and received.

State-of-the-art research/methodologies
PKI

A PKI (public key infrastructure) consists of:

- A certificate authority (CA) that issues and verifies digital certificates. The certificate includes the public key and/or information about the public key.
- A registration authority (RA) that verifies the identity of the requestor on behalf of the CA before a digital certificate is issued.
- Directories where the certificates and their public keys are held.
- A certificate management system.

PKI enables users of an insecure public network (i.e. the Internet) to securely and privately exchange data and/or currency by using public and private cryptographic key pairs that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identify an individual or an organization, and also provides directory services that store and, if necessary, revoke the certificate. (8) PKI automates the process of verifying a certificate's validity. It provides the ability to publish, manage, and use public keys easily.

RSA algorithm (Rivest-Shamir-Adleman)

RSA is the most commonly used encryption and authentication algorithm. It is included in Microsoft's and Netscape's web browsers, Lotus Notes, Intuit's Quicken, and several other software products; it is also used by banks, governments and third-party key distribution centers. The RSA algorithm multiplies two large prime numbers (a prime is a number divisible only by itself and 1) and, in combination with other operations, generates a pair of keys, one public and one private. The original prime numbers are then discarded. The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), the private key provides authentication: its owner signs a message digest or a digital certificate with the private key, and anyone holding the public key can verify that signature. Both keys are needed for encryption/decryption, but the private key never needs to travel across the Internet. The two keys differ from one another; the public key is published (for example, inside a certificate), while the private key stays with its owner. Private keys must be kept secret, and most security lapses arise here. (9)

Secure Socket Layer (SSL)

The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol), whereby information is broken into packets which are numbered sequentially and include error control methods. Packets may travel by different routes; TCP/IP reassembles them in their original order and retransmits packets that arrive corrupted or not at all. (10) SSL is a method that uses both PKI and digital certificates to ensure privacy and authentication. The server receives the initial message from the client and replies with its digital certificate. Using PKI, the server and client negotiate session keys (symmetric secret keys made for that particular communication), and communication continues with the session keys and digital certificates in place.

Where credit cards are accepted by merchants online and processed in real time, four sets of options arise for the merchant:

1. Use a service bureau, which is responsible for the security of all sensitive information in the transaction.
2. Use an e-Commerce merchant account with the digital certificate supplied by the hosting company. This is a less expensive option that is acceptable for transactions with small to medium enterprises (SMEs); certain terms and conditions may apply to the supplied certificate.
3. Use an e-Commerce merchant account and purchase a digital certificate for the business (costing hundreds of dollars).
4. Use a merchant account and run the business from a business-owned private server. This requires trained IT staff to maintain security (firewalls, Kerberos as an authentication mechanism, SSL, and the digital certificate for the server) and costs thousands to tens of thousands of dollars.

Digital Signatures

Digital signatures help ensure authentication and integrity: they confirm one party's identity to another and that the data has not been altered (they verify the origin and contents of a message). Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest. The digest is then encrypted with the sender's private key to produce the signature, which is attached to the original message, and the whole package is sent to the recipient. The recipient decrypts the signature with the sender's public key to recover the digest, passes the received message through the same hash function, and compares the two values. If they match, the message came from the holder of the private key and was not altered in transit. Very often the message is also time-stamped by a third-party agency. (11)
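The following is an added example, written for this page and not the paper's own code, that implements the two mechanisms just described: textbook RSA key generation from two primes (the primes are discarded once n, e and d exist), followed by hash-then-sign with the private key and verification with the public key. It goes one step beyond the text into the certificate check described in the next section, where a CA signs the binding of a subject name to a public key and a relying party verifies that signature with the CA key from its trust store, so a "rogue" certificate signed with anyone else's key is rejected. The names "Example CA" and "shop.example" and the JSON certificate layout are placeholders; keys are deliberately short and there is no padding, so this is for understanding only, not for real traffic.

```python
import hashlib
import json
import random

# Toy RSA plus a toy certificate format, written for this page as an illustration
# (not the paper's code).  Keys are short and unpadded; real systems use 2048-bit
# keys, RSA-PSS/PKCS#1 padding and X.509 certificates from a vetted library.
PUBLIC_EXPONENT = 65537


def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime of exactly `bits` bits (top and low bit forced on)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Multiply two large primes p and q, derive (n, e) and (n, d), discard p and q."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT:  # e is prime, so this gives gcd(e, phi) == 1
            break
    d = pow(PUBLIC_EXPONENT, -1, phi)  # private exponent: modular inverse of e
    return (p * q, PUBLIC_EXPONENT), (p * q, d)

def digest(message):
    """Hash first (SHA-256 here; MD5 is no longer collision resistant)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private_key):
    """Signature = digest^d mod n: the digest 'encrypted' with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message, signature, public_key):
    """Recover the digest with the public key and compare it with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message) % n

def certificate_body(subject, public_key, issuer):
    """Canonical bytes of the fields the CA vouches for."""
    fields = {"subject": subject, "public_key": list(public_key), "issuer": issuer}
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(subject, subject_public_key, issuer, issuer_private_key):
    """The CA signs the binding between a subject name and its public key."""
    body = certificate_body(subject, subject_public_key, issuer)
    return {"subject": subject, "public_key": list(subject_public_key),
            "issuer": issuer, "signature": sign(body, issuer_private_key)}

def verify_certificate(cert, trusted_cas):
    """Browser-style check: the issuer must be in the trust store and its key must verify."""
    ca_public_key = trusted_cas.get(cert["issuer"])
    if ca_public_key is None:
        return False
    body = certificate_body(cert["subject"], cert["public_key"], cert["issuer"])
    return verify(body, cert["signature"], ca_public_key)


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    shop_pub, shop_priv = generate_keypair()
    attacker_pub, attacker_priv = generate_keypair()
    trusted = {"Example CA": ca_pub}  # the relying party's trust store
    cert = issue_certificate("shop.example", shop_pub, "Example CA", ca_priv)
    # Rogue certificate: the attacker names the real CA as issuer but can only
    # sign with their own key, so the CA's public key rejects it.
    rogue = issue_certificate("shop.example", attacker_pub, "Example CA", attacker_priv)
    print("genuine certificate verifies:", verify_certificate(cert, trusted))
    print("rogue certificate verifies:", verify_certificate(rogue, trusted))
    order, tampered = b"order 1234: total 49.99", b"order 1234: total 4.99"
    sig = sign(order, shop_priv)
    print("order verifies:", verify(order, sig, shop_pub), "tampered verifies:", verify(tampered, sig, shop_pub))
```

The point the example makes concrete is that the whole chain of trust rests on two things the text singles out: the hash must be collision resistant (a second message with the same digest would carry the same signature, which is exactly how the MD5 rogue CA certificate cited later was built), and the private keys must stay private (anyone holding the CA's private exponent could issue certificates the trust store accepts).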
Digital Certificates

Digital certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid only for a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants. Digital certificates are sold for use with email, and for e-merchants and web servers. Digital certificates uniquely identify merchants and are issued by a CA (Certification Authority, e.g. VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. The authenticity of a digital certificate is validated by obtaining the certification authority's public key and using it to check whether the certificate was actually signed by that authority. Digital certificates contain the public key of the entity identified in the certificate; the certificate binds the public key to a particular individual or organization. Because the CA guarantees the validity of the information in the certificate, digital certificates solve the problem of how to find a user's public key and know that it is valid. For a digital certificate to be useful, it has to be understood and easily retrieved in a reliable way; digital certificates are standardized for this reason, so that they can be read and understood regardless of the issuer. (12)

The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created, and website impersonation, including of banking and e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness in the MD5 cryptographic hash function allowed the creation of two different messages with the same MD5 hash (a collision), which is what made the rogue CA certificate possible.

There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups); protection from viruses, spyware and hackers by implementing firewalls and antivirus solutions; fortifying web server and database security by researching hosting companies; verifying webpage content and customer data; tracking customers (cookies); and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud.

The goal of this study was to determine whether empowering consumers with information and resources for protecting sensitive information is a necessary and relevant component of preventing identity theft, thereby lowering internet fraud.

Method

The method of approach for this paper includes research conducted via the ACM Digital Library and the IEEE/IEE Electronic Library, including professional journals, web articles, and white papers. Responses to a pre-test regarding the safeguarding of personal information were collected from two groups: a randomly chosen control group of faculty and staff who did not attend the Identity Theft Prevention class, and the experimental group who did attend. An Identity Theft Prevention professional-development class was conducted with a voluntary group of elementary school faculty and staff. A post-test was given 2 days after the class, and the results were compared between the pre- and post-test of the experimental group, and also between the test results of the control group and the post-test results of the experimental group. The pre- and post-test consisted of a survey of 10 true/false questions, administered online via QuizStar.com. The results determined whether retention of the material was exhibited 2 days after the class. Ideally the subjects would be tested again at subsequent intervals, but the current scheduling of the school year, as well as of this course, does not permit it.

A presentation and interactive class covering the topic of safeguarding personal information was developed. It consisted of an online interactive quiz to identify spoofed email, a PowerPoint presentation about how to identify spoofed telephone calls, the various ways of preventing victimization, examples of credit reports and how to check them for fraudulent activity, and the steps to take if victimized, including contact information for reporting to the authorities. A summary of the class, in the form of an "Identity Theft Prevention Tool-Kit", was developed and provided in digital format to each participant for future reference.
Results

Class strength: 9
Total participants: 5
Attempts allowed per student: 1
Average attempts: 1
Mean % of maximum score obtained in all attempts: 86%
Total number of points (excluding short-answer questions): 100
Class highest: 90%
Class lowest: 70%

Conclusions and Future Work

Mobile e-Commerce, along with the increase in wireless Internet applications such as mobile electronic commerce applications, will be a challenge. Payment devices are rapidly developing and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper-based to electronic payment devices. The use of POS (point-of-sale) devices is increasing. These devices are the equivalent of an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment.

New methods of authentication are being developed, and need to be developed and improved further, many of them using biometrics, including internal DNA storage and retinal scanning. (14) Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and implementation of any e-Commerce site.
References

1. NC State University Office of Information Technology, Safe Computing: Net Fraud. http://oit.ncsu.edu/safe-computing/net-fraud#types
2. Online Threats - Internet Fraud. http://www.mywot.com/en/online-threats/internet-fraud
3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud. http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php
4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, E-Commerce Times, 02/25/09. http://www.ecommercetimes.com/story/66278.html
5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, Fraud Management, 09/20/10.
6. Ecommerce Security Issues. http://www.ecommrce-digest.com/ecommerce-security-issues.html
7. Khusial and McKegney, e-Commerce security, IBM developerWorks, 02/02/12. http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
8. Van Vark, J. (1997), e-Commerce and the Security Myth - The real security issues of e-Commerce, mactech.com, 01/24/12. http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html
9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12. http://www.ecommerce-digest.com/ecommerce-security-issues.html
10. RSA, TechTarget SearchSecurity, 02/02/12. http://searchsecurity.techtarget.com/definition/RSA
11. PKI, TechTarget SearchSecurity, 02/01/2012, 02/03/12. http://searchsecurity.techtarget.com/definition/PKI
12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., MD5 considered harmful today - Creating a rogue CA certificate, win.tue.nl, 02/15/12. http://www.win.tue.nl/hashclash/rogue-ca/
13. Oracle ThinkQuest, Use of Data Encryption in Today's Context: E-commerce, library.thinkquest.org, 02/9/12. http://library.thinkquest.org/27158/today1_2.html
14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12. http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false