Chapter 17 a fraud in e commerce Jen

1,463 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,463
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
31
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Can anyone think of any perceived opportunities to commit e-commerce fraud?
  • Can anyone think of any rationalisations of e-commerce fraud?
  • The textbook discusses some surveys in which more than a third of network administrators admitted to snooping into HR records and custom databases, 88% of administrators would take sensitive data if they were fired and 33% said they would take company password lists. This obviously makes it important not to use the same password for work accounts as you do for personal accounts.
  • Some websites allow customers to log in using Facebook. This makes it easier for customers to log in and not have to remember additional passwords, however it can be quite risky as if your Facebook page gets hacked they may have the ability to log in to other websites using facebook connect. How many people leave Facebook logged in on their phones or computers? What happens if your phone gets stolen? Instant access to any website which uses facebook connect.
  • Grabone on the left, gives you the option to remember credit card details. Treatme, on the right doesn’t have an option. I used Treatme to buy something a few weeks ago and saw that it had stored my credit card details from a previous purchase made months earlier. I couldn’t believe I would have been so stupid to save the details so looked into it and found it doesn’t give you the option.If someone obtained your Facebook password, they could use the Facebook connect function to log in to different websites, and if your credit card details are stored, make multiple purchases.
  • We will now look at e-commerce risks outside the organisation. The internet provides a rich medium for external hackers to gain access to personal systems. The ability to hack from across international borders means that tracking and prosecuting hackers is difficult.
  • In the year to 9th August, there were 562 online frauds reported to NetSafe which totalled $4.4 million.However, Netsafe’s Chief Executive estimates annual losses from internet fraud to be between $100m and $400m per year.In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing and tax refund scams in NZ.
  • Last month, a major NZ retail chain was targeted by overseas cyber criminals. A phishing attack attempted to convince store staff to install rogue software on their computers.The phishers called stores claiming to be a senior member of the company and directed employees to a fake website that was designed to look like the company’s official tech support site. In this case, no data was lost as it was picked up by IT staff quickly and they were able to block access to the website and clean up the computers.There was a quote from Andy Prow, managing director of Aura Information Security, who said “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re extremely trusting”.What do you think NZ companies can do to prevent such phishing scams?Need to ensure there is a clear process to follow when phone calls or emails are received claiming to be from a senior employee. For example, returning phone calls to the IT department for confirmation. Also need a clear chain of command so that junior store employees understand they are not to download anything.
  • This is an email I received a few weeks ago. I had actually just bought a new computer and Office software, which includes Outlook so I wasn’t initially suspicious when I saw it in my inbox. It was when I opened it and looked at the address it came from and who it was sent to that made me realise it probably wasn’t legitimate. The sender’s email address is infotechmsn@naver.com. Naver is actually a South Korean search engine. The email also isn’t addressed to my email, but to customer care at Hotmail.co.uk.The fact that such an email wasn’t picked up as spam when it was sent to a Hotmail address, which uses Outlook, is worrying and it would be easy for people to assume it was a legitimate email and click the link.
  • Customers were reported as saying that they thought it was strange that when they Googled GoogleDirectory nothing came up. They had to type in the URL address to access the website. Now when you search for the company on Google the first hit is to the Dodgy Business website and the remaining hits all point to the company being a scam. You can see from the picture that the font is identical to Google’s and “directory” is in smaller text underneath.
  • Chapter 17 a fraud in e commerce Jen

    1. 1. CHAPTER 17A – FRAUD IN E-COMMERCE Jennifer Lowes
    2. 2. E-Business ◦ Uses information technology and electronic communication networks to exchange business information and conduct paperless transactions. ◦ Includes virtual private networks and other specialised connections through which businesses routinely connect to one another. Albrecht, Albrecht, Albrecht & Zimbelman, 2012, p 602
    3. 3. Elements of Fraud Risk in E-Commerce Perceived Opportunity Perceived Pressures: • Dramatic growth leading to tremendous cash flow needs. • Pressure to improve financial results due to mergers/acquisitions. • Borrowing or issuing stock. • New products requiring expensive marketing. • Unproven or flawed business models with tremendous cash flow pressures.
    4. 4. Elements of Fraud Risk in E-Commerce Perceived Opportunity Perceived Opportunities: • Lag between transaction developments and security developments. • Complex information systems that make installing controls difficult. • Removal of personal contact – easier impersonation or falsified identity. • Electronic transfer of funds, allowing large frauds to be committed more easily. • Compromised privacy resulting in theft by using stolen or falsified information.
    5. 5. Elements of Fraud Risk in E-Commerce Perceived Opportunity Rationalisations: • Perceived distance that decreases the personal contact between customer and supplier. • Transactions between anonymous or unknown buyers and sellers – you can’t see who you are hurting. • New economy thinking contends that traditional methods of accounting no longer apply.
    6. 6. E-Commerce Risks Inside Organisations ◦ Easier to infiltrate systems, steal money and information and cause damage when perpetrators are within firewalls and security checks. ◦ Perpetrators with inside access know the control environment, understand security mechanisms, and find ways to bypass security. ◦ Most common problem: Abuse of power granted to users. ◦ I.e. programmers with superuser access – often removal of programmers’ access is overlooked when systems go into production.
    7. 7. Survey ◦ > 1/3 of network administrators admitted to snooping into HR records and custom databases. ◦ 88% of administrators would take sensitive data if they were fired. ◦ 33% would take company password lists.
    8. 8. Data Theft ◦ First concern of e-commerce fraud as data have many useful attributes: 1. Can be converted to cash fairly easily. 2. Information is replicable, allowing perpetrators to simply copy data rather than remove them, leaving the source data intact. 3. Can be transferred easily and quickly to any location. 4. Managers lack the technical expertise to prevent and detect data theft.
    9. 9. Passwords ◦ Password selection cannot be fully controlled, as it is left to the end user. ◦ Common passwords can relate to personal information, so perpetrators may be able to guess the passwords of their employees. ◦ Social engineering techniques are used by hackers to gain access to passwords. ◦ Hackers take information from blogs, Facebook walls and other social network sites and use this information to ask victims for “just a little more”.
    10. 10. Passwords ◦ Companies may require regular password changes to try to mitigate the risk of passwords being stolen. ◦ However many employees will merely add a sequential number to the end of their password. ◦ Companies and websites generally have certain password requirements such as minimum character length, upper case, symbol, number etc.
    11. 11. Passwords – How many do you have? University Bank Work login Email Google Microsoft Facebook Twitter Instagram Skype TradeMe Pinterest Online shops Blogs Online communities Phone login Utility companies YouTube
    12. 12. Need one of these? ◦ http://www.youtube.com/watch?v=Srh_TV_J144
    13. 13. Risk vs Convenience?
    14. 14. Sniffing ◦ Logging, filtering and viewing of information that passes along a network line. ◦ The most common method of gathering information from unencrypted communications. ◦ Easily done on most networks by hackers that run freely available applications. ◦ Organisations can use firewalls, spam filters and anti-virus programmes to prevent sniffing, however employee laptops, tablets and mobile phones can be at risk when on business trips and connecting to other networks.
    15. 15. Wartrapping ◦ Hackers go to places such as airports where business travellers are likely to be and set up internet access points through their laptop. ◦ The access point will appear to be legitimate i.e. Auckland Airport Free Wireless. ◦ Hackers then use sniffing techniques to find passwords and other data as the traveller browses the internet through the connection.
    16. 16. E-Commerce Risks Outside Organisations ◦ Internet provides a rich medium for external hackers to gain access to personal systems. ◦ Ability to hack from across international borders means that tracking and prosecuting hackers is difficult.
    17. 17. NZ Statistics: ◦ Year to 9th August 2013: ◦ 562 online frauds reported to NetSafe ◦ $4.4 million ◦ Netsafe’s Chief Executive estimates annual losses from internet fraud to be between $100m and $400m per year. ◦ In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing and tax refund scams in NZ.
    18. 18. Spyware ◦ Installs monitoring software in addition to the regular that a user downloads or buys. ◦ Peer-to-peer music and video-sharing applications are the worst spyware offenders. ◦ Most spyware programs monitor user behaviours so that the company can make a profit selling the personal data they collect. ◦ More advanced spyware can copy financial or other sensitive data from internal directories and files and send it to external entities.
    19. 19. Phishing ◦ Phishing involves sending emails or pop up messages asking for personal information in inventive ways. ◦ Common method is to request victims to update account details by clicking on a link to a website which appears to be the company’s website. ◦ Common targets have been bank customers, TradeMe/ebay customers, even government departments such as IRD.
    20. 20. ANZ ◦ In July 2013, ANZ customers were targeted by a phishing scam. ◦ Phishers sent an email to ANZ customers which appeared to be from ANZ. ◦ It stated that customers must update their account information through the link or service would be suspended. ◦ The link took customers to a fake website which replicated the logos and formatting of ANZ. ◦ The phishers gained access to bank accounts when customers attempted to log in to the fake website. www.stuff.co.nz/technology/digital-living/8985900/Phishing-scam-targets-ANZ-log-in-details
    21. 21. Large Retail Company (Un-named) ◦ Major retail chain targeted by overseas cyber criminals in September 2013. ◦ Phishing attack attempted to convince store staff to install rogue software on their computers. ◦ Phishers called stores claiming to be a senior member of the company and directed employees to a fake website that was designed to look like the company’s official tech support site. ◦ No data was lost as the company’s IT staff noticed what was happening and managed to block access to the website and cleaning it up. ◦ “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re extremely trusting”. www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11130882
    22. 22. Spoofing ◦ Changes the information in e-mail headers or IP addresses. ◦ Perpetrators hide their identities by simply changing the information in the header, thus allowing unauthorised access.
    23. 23. Falsified Identity ◦ Subtle differences in internet hose names often go unnoticed by internet users. ◦ I.e. “.com” “.org” “.nz” can be easily confused but lead to completely different websites. ◦ If two similar names are owned by two different entities, one site could mimic the other and trick users into thinking they are dealing with the original website.
    24. 24. “GoogleDirectory” ◦ NZ company with no links to Google, launched July 2013. ◦ Promotes itself as a new online marketing tool, offering special internet advertisement packages. ◦ Over 100,000 listings – some who were contacted by the NZHerald had no idea they were listed and had not paid. ◦ One customer was told Google was re-launching in NZ as GoogleDirectory. www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11111728
    25. 25. Conclusion ◦ Fraud risks in e-commerce systems are significant. ◦ Many employees do not fully appreciate the risks and methodologies that online fraud perpetrators take. ◦ As auditors, it is important to be aware of the fraud risk in e-commerce and test internal controls to minimise the risk.

    ×