Information Security Seminar

          IT 6873

 Instructor: Dr. Ming Yang




   E-Commerce Security:
   Preventing Fraud by Preventing Identity Theft




     Diane M. Metcalf

        May 6, 2012
Project Summary



E-Commerce is a relatively new way of doing business. Over the last several years, it
has become a convenient, trusted, accepted and often less expensive way to purchase
goods and services. As E-business continues to grow, the potential for exposure to
threats also increases. As the threats become more damaging and/or widespread,
“security” becomes critical in preventing fraud. There are many types of security already
in place; however, most internet credit card fraud occurs when an e-Commerce
merchant is unaware that an order was not placed by, and will not be paid for by, the
authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information
was gained illegally and used to order merchandise or services via the internet under a
false name.

This project concentrates on the area of internet fraud called “Identity Theft”. It focuses
on the responsibility of the individual cardholder in preventing or reducing fraud. It is
based upon a belief that educating and empowering consumers has the ability to
decrease internet/e-Commerce fraud by way of reducing identity theft.

Specifically, the project examined the effectiveness of an Identity Theft Prevention class
with a group of elementary school faculty and staff in expanding awareness of personal
internet security. A pre-test, post-test design was used.

In doing this research, I had expected to gain a realistic perspective regarding the
nature, and the best implementation, of E-Commerce Security, in regard to internet
fraud.
Introduction

What is Internet fraud?

Internet fraud is a type of cybercrime in which transactions are committed by using
deception. The National Consumer League's Fraud Center lists 25 different scams
currently making the rounds on the Internet, including these types of internet fraud: (1)

    Advance fee (Nigerian letter scam)
    Business or employment scams
    Counterfeit checks
    Credit or debit card fraud
    Identity theft
    Freight forwarding or reshipping
    Investment schemes
    Non-delivery of goods/services
    Online auction and other sales
    Phony escrow
    Pyramid or “Ponzi” schemes (fraudulent investment operations)

Many scams are variations of those that existed before the Internet. The primary
difference is that Internet scammers utilize email, chat, forums and false websites
instead of more traditional methods such as the telephone and US mail. (2) Utilizing the
internet gives the scammer far wider reach and greater anonymity.

Internet credit card fraud occurs when an e-Commerce merchant is unaware that an
order was not placed by, and will not be paid for by, the authentic cardholder. (3)
Typically, with e-commerce fraud, credit card information was gained illegally and used
to order merchandise or services via the internet under a false name. (It is much easier
to commit credit card fraud via an e-commerce transaction than it is to do so in
person.) When the authentic cardholder receives the statement from the issuing bank
and reports the fraud, a “chargeback” must be issued by the merchant. This means that
the merchant refunds all the expenses and pays an additional fee. (4)

Identity thieves gain access to consumers' information by stealing checks, bank
statements, wallets/purses, or by proffering a phony offer via phone or email. More
recently, a more common way of obtaining sensitive information is to create imitation,
but realistic-looking, bank or merchant websites, or to send emails that request security
information from the consumer by instructing them to click on a link and input their
personal information. The information is then used to steal their identity in order to
access their bank accounts, obtain loans, or use their credit cards.



Merchants who accept credit cards online are subject to additional examination and
processes in the ongoing effort to protect credit card information. Online merchants are
also subject to:

-higher transaction fees to offset the cost of security

-more stringent shipping requirements

-paying the cost of becoming and staying PCI compliant

The merchant is held responsible for any accepted fraudulent transaction.

Through the issuance of the “Red Flags Rule” and “Red Flags Guidelines” for financial
institutions, our government has provided a means of protecting consumers from
identity theft. Legislation requires merchant compliance, and this compliance helps to
foster trust-based relationships. (5)



Objective



“Security” is no longer about keeping “just” networks, or individual computer systems,
protected. Today, “security” is considered to be a legitimate business strategy,
protecting the business as a whole. Security is not merely a collection of “features”. It is
a complex system of multiple processes wherein the weakest link in the security chain
establishes the level of security for the entire system. (6)

Current security technology emphasizes security from the side of the merchant, even
though it is the consumer whose behavior may often provide the thieves with the
information they need to commit the crimes. Often, even when the security technology
works seamlessly, utilizing multiple aspects of layered technology, including those
offered by credit card issuers, fraud still takes place. This is because the consumer is
often the “weakest link”.



As a result, “security” is not just for businesses or merchants, rather, individual
consumers need to understand the concept of security as it pertains to e-commerce,
and to take personal responsibility for their role in the protection of their data and the
prevention of fraud.




Existing Issues

The integrity of an ecommerce transaction is based upon four factors:

Privacy: information must be kept safe from unauthorized access. This issue is
currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.

Integrity: information must not be altered or tampered with. Maintaining the Integrity of
information is achieved by using digital signatures. The use of digital signatures meets
the need for authentication and integrity.

Authentication: sender and recipient must prove their identities to each other. To verify
that a website that is receiving sensitive information is actually the intended website,
(not an imposter) a digital certificate is employed.

Non-repudiation: proof that the message was actually received.
The vulnerability of a system exists at these entry and exit points:

           Shopper’s computer
           Network connection
           Website’s server
           Software Vendor

There are at least 3 transactions whereby sensitive information is vulnerable during an
e-Commerce purchasing transaction: (7)

      1.   Credit card information supplied by the customer. Handled by the server's SSL
           and the merchant/server's digital certificates.
      2.   Credit card information forwarded to the bank for processing. Handled by the
           security measures of the payment gateway.
      3.   Order and customer details furnished to the merchant. Handled by SSL, server
           security, digital certificates and payment gateway.




State-of-the-art security/methodologies

PKI

A PKI (public key infrastructure) consists of:

           A certificate authority (CA) that issues and verifies a digital certificate. The
           certificate includes the public key and/or information about the public key.
           A registration authority (RA) that verifies the certificate authority before a digital
           certificate is issued to the requestor.
           Directories where the certificates and their public keys are held.
           A certificate management system.

PKI enables users of an insecure public network (i.e., the Internet) to securely and
privately trade data and/or currency by using public and private cryptographic key pairs
that are acquired from and shared via a trusted authority. The public key infrastructure
provides digital certificates that identify an individual or an organization, and also
provides directory services that store and, if necessary, revoke the certificate. (8)
PKI automates the process of verifying the validity of a certificate. It provides the
ability to publish, manage, and use public keys easily.

RSA algorithm (Rivest-Shamir-Adleman)

RSA is the most commonly used encryption and authentication algorithm. It’s included
as part of Microsoft’s and Netscape’s Web browsers, Lotus Notes, Intuit's Quicken, and
several other software products. RSA is also used by banks and governments.

Third party key distribution centers use RSA. The RSA algorithm multiplies two large
prime numbers (a prime is a number divisible only by itself and one) and, in combination
with other operations, generates a set of two keys, one public and one private. The
original prime numbers are then discarded.

The private key is used to decrypt text that has been encrypted with the public key. In
addition to encrypting messages (privacy), authentication also takes place with the use
of the private key, by the encryption of a digital certificate. Both the public and the
private keys are needed for encryption/decryption, but the private key never needs to
travel across the Internet. The two keys differ from one another, but each key is shared
with the key distribution center. The keys are encrypted, and rules are set, using a
variety of protocols. Private keys must be kept secret, and most security lapses arise
here. (9)




Secure Socket Layers (SSL)

The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control
Protocol / Internet Protocol) whereby the information is broken into packets which are
numbered sequentially, and include error control methods. Each packet is sent via a
different route. TCP/IP reassembles the packets in their original order and resubmits
packets that have errors. (10)

SSL is a method that utilizes both PKI and digital certificates to ensure privacy and
authentication. The server receives the message from the client and replies with a
digital certificate. Using PKI, the server and client negotiate the creation of session
keys (symmetric secret keys made specifically for that particular communication), and
communication continues with the session keys and digital certificates in place.

Where credit cards are accepted by merchants online and processed in real time, four
options arise for the merchant in question:

1. Use a service bureau which is responsible for the security of all sensitive information
in the transaction

2. Use an e-Commerce merchant account but use the digital certificate supplied by the
hosting company which is a less expensive option that is acceptable for transactions
with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the
supplied digital certificate.

3. Use an e-Commerce merchant account, but purchase a digital certificate for the
business (costing hundreds of dollars).

4. Use a merchant account, and run the business from a business-owned private
server. Requires trained IT staff to maintain security, i.e.: firewalls, Kerberos (an
authentication mechanism), SSL, and the digital certificate for the server (thousands to
tens of thousands of dollars).
Digital Signatures

Digital signatures help ensure authentication and integrity and are used to confirm one's
identity to another party, and that the data has not been altered. (They verify the origin
and contents of a message.)

Digital signatures are implemented through public-key encryption. A digital signature is
prepared by first passing the plain text through a hash function to calculate the message
digest value. The digest is then encrypted with the private key to produce a signature,
which is then added to the original message, and the whole package is sent to the
recipient.

In this way, the recipient can be sure that the message came from the sender. The
received message is decoded with the private key and processed back through the
hash function. (The message digest value remains unchanged.) Very often, the
message is also time stamped by a third party agency. (11)




Digital Certificates

Digital Certificates provide digital credentials used for identification. They provide
identity and other supporting information about an entity and are valid for only a specific
period of time. They provide the basis for secure electronic transactions by enabling all
participants in the transaction to quickly and easily verify the identity of the other
participants. Digital Certificates are sold for use with email, and for e-merchants and
web servers. Digital Certificates uniquely identify merchants, and are issued by the CA
(Certification Authority, e.g., VeriSign, GlobalSign). When a digital certificate is issued,
the issuing certification authority signs the certificate with its own private key. Validating
the authenticity of a digital certificate is achieved by obtaining the certification
authority's public key and using it against the certificate to determine whether it was
actually signed by the certification authority.

Digital certificates contain the public key of the entity identified in the certificate. The
certificate matches the public key to a particular individual. Because the CA guarantees
the validity of the information in the certificate, digital certificates provide a solution to
the problem of how to find a user's public key and know that it is valid.

For a digital certificate to be useful, it has to be understood, and easily retrieved in a
reliable way. Digital certificates are standardized for this reason, so that they can be
read and understood regardless of the issuer. (12)
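The RSA, SSL, Digital Signatures and Digital Certificates sections above describe pieces of one mechanism, so the following program illustrates all four together. It is an added example written for this page, not code from the paper or from any of the products or sources it cites: a toy RSA key generation from two primes, public-key encryption of a session key (the exchange the SSL section describes), hash-then-sign signatures that the recipient checks with the signer's public key, and a miniature certificate authority whose signature a relying party verifies before trusting the public key inside a certificate. Everything concrete in it is constructed for the illustration: the CA and merchant names, the dates, the order line, the session key, and the Mersenne primes, which were chosen because they are short to write, not because they are secure. The padding that real RSA signatures and encryption require is omitted.

```python
import hashlib
import json
from math import gcd

# Mersenne primes keep the key material short enough to read. Constructed for
# this illustration only: real RSA keys use random primes of 1024+ bits, and
# real signatures add padding (PKCS#1 v1.5 or PSS), which is omitted here.
CA_PRIMES = (2**89 - 1, 2**107 - 1)
MERCHANT_PRIMES = (2**31 - 1, 2**61 - 1)
ROGUE_PRIMES = (2**61 - 1, 2**127 - 1)

def rsa_keygen(p, q, e=65537):
    """Return ((e, n), (d, n)). n = p*q is published; d inverts e mod (p-1)(q-1).
    Once d is known the primes are discarded, as the RSA section says."""
    assert p != q
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, m): Python 3.8+

def encrypt(m, public_key):
    """Public-key encryption of an integer m < n (e.g. an SSL session key)."""
    e, n = public_key
    assert 0 <= m < n
    return pow(m, e, n)

def decrypt(c, private_key):
    """Only the private-key holder recovers m."""
    d, n = private_key
    return pow(c, d, n)

def digest_int(message, n):
    """SHA-256 the message, reduced below the modulus (the reduction throws
    away hash bits for these toy moduli; a 2048-bit n holds the full digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Hash-then-sign: the digest is 'encrypted' with the signer's private key."""
    d, n = private_key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public_key):
    """Recover the digest with the signer's PUBLIC key and compare it with a
    fresh hash of the received message; any alteration fails the check."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)

def encode(body):
    """Canonical bytes so CA and verifier hash exactly the same certificate."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(subject, subject_pub, not_before, not_after, ca, ca_priv):
    """The CA binds a name to a public key for a validity window and signs it."""
    body = {"subject": subject, "public_key": list(subject_pub),
            "not_before": not_before, "not_after": not_after, "issuer": ca}
    return {"body": body, "signature": sign(encode(body), ca_priv)}

def validate_certificate(cert, trusted_cas, today):
    """Browser-side check: known issuer, inside validity, CA signature holds."""
    body = cert["body"]
    ca_pub = trusted_cas.get(body["issuer"])
    if ca_pub is None or not body["not_before"] <= today <= body["not_after"]:
        return False
    return verify(encode(body), cert["signature"], ca_pub)

def demo():
    """Run the scenario with constructed names, dates and order data."""
    today = 20120506                                   # constructed, YYYYMMDD
    ca_pub, ca_priv = rsa_keygen(*CA_PRIMES)
    trusted = {"Example CA": ca_pub}                   # the browser's trust store
    merchant_pub, merchant_priv = rsa_keygen(*MERCHANT_PRIMES)
    cert = issue_certificate("shop.example", merchant_pub,
                             20120101, 20121231, "Example CA", ca_priv)
    order = b"order=1001;amount=59.95;card=****1234"    # constructed sample
    sig = sign(order, merchant_priv)
    # An impostor without the real CA key forges an "Example CA" certificate.
    _, rogue_priv = rsa_keygen(*ROGUE_PRIMES)
    rogue = issue_certificate("shop.example", merchant_pub,
                              20120101, 20121231, "Example CA", rogue_priv)
    session_key = 0xC0FFEE                             # constructed symmetric key
    return {
        "cert_valid": validate_certificate(cert, trusted, today),
        "cert_expired": validate_certificate(cert, trusted, 20130101),
        "rogue_cert_rejected": not validate_certificate(rogue, trusted, today),
        "order_sig_ok": verify(order, sig, cert["body"]["public_key"]),
        "tampered_order_detected": not verify(
            order.replace(b"59.95", b"5995.00"), sig, merchant_pub),
        "session_key_roundtrip": decrypt(encrypt(session_key, merchant_pub),
                                         merchant_priv) == session_key,
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {'pass' if ok else 'FAIL'}")
```

Running the file prints one line per check. The forged certificate is rejected even though it names the trusted CA as issuer, because only the genuine CA private key produces a signature that the CA public key in the trust store accepts; the expired certificate fails before its signature is even examined; and altering a single field of the signed order changes its digest, so the merchant's signature no longer verifies.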

The technologies listed above use encryption as their primary way of protecting data,
individuals and organizations. Although considered strong methods, they are not
perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital
certificates for secure websites. False CA certificates that were trusted by common web
browsers have been created. Website impersonation, including banking and e-
commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness
recently found in the MD5 cryptographic hash function has allowed the creation of
distinct messages with the same MD5 hash.



There are many other security methods and practices. Creating and maintaining office
and employee security policies (passwords, backups), protecting against viruses,
spyware and hackers by implementing firewalls and antivirus solutions, fortifying web
server and database security by researching hosting companies, verifying webpage
content and customer data, tracking customers (cookies), and calculating and providing
correct invoices and inventory are a few ways to heighten security. The primary
underlying goal of all security methods is to deter and prevent fraud.


The goal of this study was to determine whether empowering consumers with
information and resources for utilization in protecting sensitive information is a
necessary and relevant component of preventing identity theft, thereby lowering internet
fraud.
Method:

The Method of Approach for this paper is a pretest/posttest research study of the
effectiveness of an education program that was developed using the ACM digital library
and IEEE/IEE Electronic Library, including professional journals, web articles, and white
papers. Specifically, the study examined two questions:
   1. Are individuals who volunteer to participate in the program representative of the
       teachers, staff, and administrators in the school in their knowledge or awareness
       of e-commerce security?
   2. Does participation in the program increase participants’ knowledge or awareness
       of methods of protecting their personal e-commerce security?

Data were collected using an instrument that asked respondents to answer questions
about each of ten security scenarios. The pretest instrument was given approximately
four days in advance of the Identity Theft Prevention class to all individuals who were to
participate, and to a group of randomly selected teachers, staff, and administrators who
were not going to participate. The instrument was administered again two days after
the class to the individuals who had participated in the class.

A presentation and interactive class, covering the topic of safeguarding personal
information, was developed. The class included an on-line interactive quiz to identify
spoofed email, and a PowerPoint presentation about how to identify spoofed telephone
calls, the various ways of preventing victimization, how to safeguard information when
using public Wi-Fi, how to configure security when using social networking sites like
Facebook, examples of how to check a credit report for fraudulent activities, and steps
to take if victimized, including reporting information for contacting authorities (the
presentation slides are attached).

A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit” was
developed, and was provided in digital format to each participant, for future reference.
Results

Aggregated Data:

Table 1. Percentage Correct by Item, Group & Test

                  Percent Answering Correctly
              Pretest                  Posttest
Item     Control   Treatment     (Treatment only)
  1        100         70              100
  2         20         60               90
  3         40         70               90
  4         60         70              100
  5        100         60              100
  6        100         60               90
  7        100         80              100
  8         60         80              100
  9        100        100              100
 10         60         50              100
Mean      75.6       72.2             96.7

Item text:

1.  If an official from your bank or a government agency calls your phone, and asks for
    your bank account or social security information, you are safe to answer their
    questions. However, you should refuse to provide this information to all other callers.

2.  When purchasing online, you should always pay with a credit card, rather than other
    forms of payment (debit card, PayPal, check, etc.).

3.  The best passwords for your financial accounts are things only you could know, such
    as your mother's maiden name, your dead pet's name, your children's names, or the
    last four digits of your social security number.

4.  It is safe to use a public computer to access your financial information on the internet.

5.  If you get a lot of pop-up ads while surfing the internet, are taken to internet sites
    other than the ones you type in, or see new tool bars on your computer that you
    never added, your computer is probably infected with spyware.

6.  You have bid for an item you really want in an online auction. However, you were not
    the highest bidder. Much to your delight you are contacted a few days later telling you
    that the seller has decided to sell the exact same item to you, but the transaction must
    be conducted privately, not on the auction site. You conduct the transaction, and you
    arrange payment and delivery with the seller. This transaction was safe.

7.  You get an e-mail from your bank saying your account has been frozen due to security
    precautions. You're asked to click a link to a website to enter your account number
    and PIN. This is a legitimate bank intervention for your protection.

8.  You have placed an online ad for a car you want to sell. A stranger contacts you,
    offers to buy the car, and sends you a cashier's check for $10,000 more than you're
    asking. When you ask about the discrepancy, the buyer says it was a mistake and
    asks that you send him a check to refund the excess. You cash his check, your bank
    says it looks fine, and you send him his refund. Two weeks later the bank tells you the
    cashier's check bounced, so you owe the bank $10,000. This scenario can actually
    happen.

9.  When leaving your bank, you are approached by a federal agent who asks you to
    participate in a "citizens' investigation." You are instructed to go back into the bank,
    the drive through, or the ATM and withdraw a certain amount of cash. The agent then
    says he needs to examine the cash to check serial numbers, potential for counterfeit,
    etc. He gets your contact information, promises to return your money, and then
    leaves. This was a legitimate transaction, and your money will be returned.

10. You get a phone call from someone who claims to be with your county courthouse.
    You check your caller ID, which shows the actual number of the courthouse. This
    person could actually be a criminal calling from overseas, trying to steal your social
    security number.




Conclusions and Future Work:

1. Are individuals who volunteer to participate in the program representative of the
   teachers, staff, and administrators in the school in their knowledge or awareness
   of e-commerce security?

The control group's mean score on the pre-test was 75.6, and the mean score of the
treatment group (the group that attended the Identity Theft Prevention Class) was 72.2.
This indicates that performance was similar across both groups, in that the scores were
within 4 percentage points of each other.

This suggests that the teachers, staff and administrators who participated in the Identity
Theft Prevention class were representative of the teachers, staff and administrators
who were offered an opportunity to participate in the class. Neither group was more
aware of, or adept at, safeguarding their personal information than the other.

2. Does participation in the Identity Theft Prevention Class increase participants'
   knowledge or awareness of methods of protecting their personal and sensitive
   information?

The treatment group's pre-test score of 72.2 and its post-test score of 96.7
demonstrate an overall increase of 24.5 points. This suggests that participating in the
Identity Theft Prevention Class increased each participant's knowledge and/or
awareness of protecting/safeguarding their personal information.




Summary:

Mobile e-Commerce, along with the growth of wireless Internet applications such as
mobile electronic commerce applications, will be a challenge. Payment devices are
rapidly developing and becoming present everywhere. Payment cards are considered to
be the principal drivers of the transfer from paper-based to electronic payment devices.

The use of POS (point-of-sale) devices is increasing. These devices are the equivalent
of an electronic cash register and are used in supermarkets, restaurants, hotels,
stadiums, taxis, and almost any type of retail establishment.

New methods of authentication are being developed, and need to be developed and
improved further, many using biometrics, including internal DNA storage and retinal
scanning. (14)



Security is more important than ever to ensure the integrity of the payment process and
to protect individual and organizational privacy. The technologies mentioned above are
the current methods of ensuring a high measure of security. This measure must
continue to grow and develop, as new threats will certainly do the same. It is crucial that
security measures become an integral piece of the structural design, plan, and
implementation of any e-Commerce site. It is equally crucial that consumers bear the
responsibility for safeguarding their personal information.


This project was interesting to do, and, if done on a large scale, with the same results,
could be useful to merchants who might interpret the results to mean that consumers
are able to be educated and empowered, as well as held responsible, for safeguarding
their personal data. This belief could be utilized in a team approach to preventing
internet fraud, including Identity Theft. A shared, team approach to safeguarding
sensitive information would remove sole-responsibility (and the associated costs), from
the merchant.


Problems encountered with this study were obtaining a large participant sample and,
in order to ensure that participants would actually complete the surveys, keeping the
pre/post-test questions to a minimum.


If I did this project again, I would advertise the class for a couple of weeks before the
class, hoping to gain the interest of more participants. I would interject sporadic
statistics and questions regarding internet fraud, in the method that was used for
advertising the class (posters, email, newsletter, etc.) in an attempt to demonstrate that
the class would be personally useful. I would mention that the format of the class is
informal, interactive and fun, to attract interest.


I would have a larger question base for the pre- and posttests (maybe 25-50 questions)
and present them in varied formats: true/false, multiple choice and fill-in-the-blank.


I would also administer the posttest 2 weeks after the class, at the earliest, and again at
6 months, and possibly even a year later, to ascertain whether the material had been
retained. It would also be interesting to see whether anyone in the study had been a
victim of internet fraud within the year following the class.
Based on the outcome of this study, it would be interesting to conduct research that
would demonstrate the amount of online fraud that is due to errant (or lack of) security
measures by the merchant or bank, and how much takes place due to the consumers’
lack of personal security savvy.




The original proposal stated that the results of this study will be compared with the
results of similarly conducted studies to determine whether the hypothesis was correct:
that empowering consumers by educating them about internet fraud and specifically
identity theft can potentially reduce the incidence of both.


Instead, I decided that it made more sense to pre-test and posttest the experimental
group, and also to see if I could get some willing volunteers who were not participants of
the class, to answer the pre-test survey as well. In this manner, I would know whether
my experimental group was a good representation of the entire group of faculty/staff
that was offered the class, or whether they were somehow more “fraud savvy” to begin
with. As the results show, the experimental group was a representative sample.


By comparing the pre- and post-test scores of the experimental group, it could be
determined whether any learning took place, as demonstrated by an increase in test
scores 2 days after the class. As the results show, the overall increase in scores
suggests that the participants learned ways of safeguarding their personal data.
References

1. NC State University Office of Information Technology,
   http://oit.ncsu.edu/safe-computing/net-fraud#types

2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud

3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud,
   http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php

4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, 02/25/09, E-Commerce Times,
   http://www.ecommercetimes.com/story/66278.html

5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, 09/20/10,
   Fraud Management

6. Ecommerce Security Issues,
   http://www.ecommerce-digest.com/ecommerce-security-issues.html

7. Khusial and McKegney, IBM Developer Works, e-Commerce security, ibm.com, 02/02/12,
   http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html

8. Van Vark, J. (1997), e-Commerce and the Security Myth - The real security issues of
   e-Commerce, mactech.com, 01/24/12,
   http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html

9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12,
   http://www.ecommerce-digest.com/ecommerce-security-issues.html

10. RSA, TechTarget SearchSecurity, searchsecurity.techtarget.com, 02/02/12,
    http://searchsecurity.techtarget.com/definition/RSA

11. PKI, TechTarget SearchSecurity, 02/01/2012, searchsecurity.techtarget.com, 02/03/12,
    http://searchsecurity.techtarget.com/definition/PKI

12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., MD5
    considered harmful today - Creating a rogue CA certificate, win.tue.nl, 02/15/12,
    http://www.win.tue.nl/hashclash/rogue-ca/

13. Oracle ThinkQuest, Use of Data Encryption in Today's Context: E-commerce,
    library.thinkquest.org, 02/9/12, http://library.thinkquest.org/27158/today1_2.html

14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12,
    http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false
Appendices
1. The Identity Theft Pre and Post Test questions:




Please indicate true or false, by typing an “X” next to the answer:




1. If an official from your bank or a government agency calls your phone, and asks for your
   bank account or Social Security information, you are safe to answer their questions.
   However, you should refuse to provide this information to all other callers.

   True

   False




2. When purchasing online, you should always pay with a credit card, rather than other forms of
   payment (debit card, PayPal, check, etc.).

   True

   False



3. The best passwords for your financial accounts are things only you could know, such as your
   mother's maiden name, your dead pet's name, your children's names or the last four digits of
   your Social Security number.

   True

   False




4. It is safe to use a public computer to access your financial information on the internet.

   True

   False



5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than
   the ones you type in, or see new toolbars on your computer that you never added, your
   computer is probably infected with spyware.

   True

   False




6. You have bid for an item you really want in an online auction, however, you were not the
   highest bidder. Much to your delight you are contacted a few days later telling you that the
   seller has decided to sell the exact same item to you, but the transaction must be conducted
   privately, not on the auction site. You conduct the transaction; you arrange payment and
   delivery with the seller. This transaction was safe.

   True

   False
7. You get an e-mail from your bank saying your account has been frozen due to security
   precautions. You're asked to click a link to a Web site and enter your account number and
   PIN. This is a legitimate bank intervention for your protection.




   True

   False




8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to
   buy the car and sends you a cashier's check for $10,000 more than you're asking. When you
   ask about the discrepancy, the buyer says it was a mistake and asks that you send him a
   check to refund the excess.


   You cash his check, your bank says it looks fine, and you send him his refund. Two weeks
   later the bank tells you the cashier's check bounced, so you owe the bank $10,000.


   This scenario can actually happen.



   True

   False




9. When leaving your bank, you are approached by a federal agent who asks you to participate
   in a "citizen investigation." You are instructed to go back into the bank, the drive-through or
   the ATM and withdraw a certain amount of cash. The agent then says he needs to examine
the cash to check serial numbers, potential for counterfeit, etc. He gets your contact
    information, promises to return your money, then leaves.



    This was a legitimate transaction, and your money will be returned.

    True

    False




10. You get a phone call from someone who claims to be with your county courthouse. You
    check your caller ID, which shows the actual phone number of the courthouse. This person
    could actually be a criminal calling from overseas, trying to steal your Social Security
    number.




    True

    False




2. The Identity Theft Prevention Class PowerPoint Presentation: Protecting Your Identity On-Line
   (attached file: Protecting Your Identity On-line.ppt)

Weitere ähnliche Inhalte

Was ist angesagt?

Credit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsCredit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsIOSR Journals
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesInderjeet Singh
 
Security in E-commerce
Security in E-commerceSecurity in E-commerce
Security in E-commercem8817
 
Security consideration with e commerce
Security consideration with e commerceSecurity consideration with e commerce
Security consideration with e commerceStudsPlanet.com
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...Syeful Islam
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and ThreatsBPalmer13
 
E-Commerce Security Workable Attacks Againest E-Commerce
E-Commerce Security Workable Attacks Againest E-CommerceE-Commerce Security Workable Attacks Againest E-Commerce
E-Commerce Security Workable Attacks Againest E-Commerceabe8512000
 
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATIONCASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATIONPankaj Rane
 
E commerce security system 0605
E commerce security system 0605E commerce security system 0605
E commerce security system 0605SovanChanda
 
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 Business Fraud and Cybersecurity Best Practices in the Office or While Worki... Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...ArielMcCurdy
 
Ssp fraud risk vulnerablity in ebanking
Ssp fraud risk vulnerablity in ebanking Ssp fraud risk vulnerablity in ebanking
Ssp fraud risk vulnerablity in ebanking sathyananda prabhu
 
Cyber fraud a threat to E commerce
Cyber fraud a threat to E commerceCyber fraud a threat to E commerce
Cyber fraud a threat to E commerceSudeshna07
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENTENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENTijcsit
 

Was ist angesagt? (20)

Credit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using BiometricsCredit Card Duplication and Crime Prevention Using Biometrics
Credit Card Duplication and Crime Prevention Using Biometrics
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and Challenges
 
E commerce
E commerceE commerce
E commerce
 
It act
It actIt act
It act
 
Security in E-commerce
Security in E-commerceSecurity in E-commerce
Security in E-commerce
 
Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.
 
Security consideration with e commerce
Security consideration with e commerceSecurity consideration with e commerce
Security consideration with e commerce
 
Internet Banking
Internet BankingInternet Banking
Internet Banking
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
 
E-Commerce Security Workable Attacks Againest E-Commerce
E-Commerce Security Workable Attacks Againest E-CommerceE-Commerce Security Workable Attacks Againest E-Commerce
E-Commerce Security Workable Attacks Againest E-Commerce
 
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATIONCASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
CASE STUDY ON PKI & BIOMETRIC BASED APPLICATION
 
It act
It actIt act
It act
 
E commerce security system 0605
E commerce security system 0605E commerce security system 0605
E commerce security system 0605
 
E banking & security concern
E banking & security concernE banking & security concern
E banking & security concern
 
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 Business Fraud and Cybersecurity Best Practices in the Office or While Worki... Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 
Ssp fraud risk vulnerablity in ebanking
Ssp fraud risk vulnerablity in ebanking Ssp fraud risk vulnerablity in ebanking
Ssp fraud risk vulnerablity in ebanking
 
Cyber fraud a threat to E commerce
Cyber fraud a threat to E commerceCyber fraud a threat to E commerce
Cyber fraud a threat to E commerce
 
H029044050
H029044050H029044050
H029044050
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENTENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
 

Ähnlich wie E-Commerce Security Seminar Focuses on Preventing Identity Theft

All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxITIO Innovex
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
protection & security of e-commerce ...Rishav Gupta
 
Introduction to Computer Forensics & Cyber Security
Introduction to Computer Forensics & Cyber SecurityIntroduction to Computer Forensics & Cyber Security
Introduction to Computer Forensics & Cyber Securitypivisoc989
 
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdfMerchantech - Payment Processing Services
 
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptxdarrengracia
 
Key Security Measures Behind Digital Payment Systems
Key Security Measures Behind Digital Payment SystemsKey Security Measures Behind Digital Payment Systems
Key Security Measures Behind Digital Payment SystemsITIO Innovex
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & ForensicsHarshita Ved
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 
Best practices in Digital Payments to Minimize Security Threats.pdf
Best practices in Digital Payments to Minimize Security Threats.pdfBest practices in Digital Payments to Minimize Security Threats.pdf
Best practices in Digital Payments to Minimize Security Threats.pdfPay10
 
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy ExamLisa Olive
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 

Ähnlich wie E-Commerce Security Seminar Focuses on Preventing Identity Theft (20)

All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
protection & security of e-commerce ...
 
Introduction to Computer Forensics & Cyber Security
Introduction to Computer Forensics & Cyber SecurityIntroduction to Computer Forensics & Cyber Security
Introduction to Computer Forensics & Cyber Security
 
E Com
E ComE Com
E Com
 
21 ijcse-01230
21 ijcse-0123021 ijcse-01230
21 ijcse-01230
 
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pdf
 
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx
10 Essential Strategies to Safeguard Your Business from Credit Card Fraud 1.pptx
 
Key Security Measures Behind Digital Payment Systems
Key Security Measures Behind Digital Payment SystemsKey Security Measures Behind Digital Payment Systems
Key Security Measures Behind Digital Payment Systems
 
Enforcing Set and SSL Protocols in E-Payment
Enforcing Set and SSL Protocols in E-PaymentEnforcing Set and SSL Protocols in E-Payment
Enforcing Set and SSL Protocols in E-Payment
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & Forensics
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
 
security threats.pptx
security threats.pptxsecurity threats.pptx
security threats.pptx
 
Electronic payment by ahmad
Electronic payment by ahmadElectronic payment by ahmad
Electronic payment by ahmad
 
Digital certificate
Digital certificateDigital certificate
Digital certificate
 
Best practices in Digital Payments to Minimize Security Threats.pdf
Best practices in Digital Payments to Minimize Security Threats.pdfBest practices in Digital Payments to Minimize Security Threats.pdf
Best practices in Digital Payments to Minimize Security Threats.pdf
 
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
 
E-Business security
E-Business security E-Business security
E-Business security
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
Information security
Information securityInformation security
Information security
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENTENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
 

E-Commerce Security Seminar Focuses on Preventing Identity Theft

  • 1. Information Security Seminar IT 6873 Instructor: Dr. Ming Yang E-Commerce Security: Preventing Fraud By preventing Identity Theft Diane M. Metcalf May 6, 2012
  • 2. Project Summary E-Commerce is a relatively new way of doing business. Over the last several years, it has become a convenient, trusted, accepted and often less expensive way to purchase goods and services. As E-business continues to grow, the potential for exposure to threats also increases. As the threats become more damaging and/or widespread, “security” becomes critical in preventing fraud. There are many types of security already in place, however most internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for, by the authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name. This project concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It is based upon a belief that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft. Specifically, the project examined the effectiveness of an Identity Theft Prevention class with a group of elementary school faculty and staff in expanding awareness of personal internet security. A pre-test, post-test design was used. In doing this research, I had expected to gain a realistic perspective regarding the nature, and the best implementation, of E-Commerce Security, in regard to internet fraud.
  • 3. Introduction What is Internet fraud? Internet fraud is a type of cybercrime in which transactions are committed by using deception. The National Consumer League's Fraud Center lists 25 different scams currently making the rounds on the Internet including these types of internet fraud: Advance fee (Nigerian letter scam) Business or employment scams Counterfeit checks Credit or debit card fraud Identity theft Freight forwarding or reshipping Investment schemes Non-delivery of goods/services Online auction and other sales Phony escrow (1) Pyramid or “ponzi” schemes (Fraudulent investment operations) Many scams are variations of those that were in existence before the Internet. The primary difference is that Internet scammers utilize email, chat, forums and false websites instead of more traditional methods such as telephone and US mail. (2)Utilizing the internet allows even greater/wider access and greater anonymity to the scammer. Internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for, by the authentic cardholder. (3) Typically, with e-commerce fraud, credit card information was gained illegally, and used to order merchandise or services via the internet, under a false name. (It is much easier to commit credit card fraud via an e-commerce transaction than it is to do in person.)When the authenticcardholder receives the statement from the issuing bank and reports the fraud, a “chargeback” must be issued by the merchant. This means that (4) the merchant refunds all the expenses, and pays an additional fee.
  • 4. Identity thieves gain access to consumersby stealing checks, bank statements, wallets/purses, or by proffering a phony offer via phone or email. More recently, a more common way of obtaining sensitive information is to create imitation, but realistic looking, bank or merchant websites, or to send emails that request security information from the consumer by instructing them to click on a link and input their personal information. The information is then used to steal their identity in order to access their bank accounts, obtain loans, or to use their credit cards. Merchants who accept credit cards online are subject to additional examination and processes in the ongoing effort to protect credit card information. Online merchants are also subject to: -higher transaction fees to offset the cost of security -more stringent shipping requirements -paying the cost of becoming and staying PCI compliant The merchant is held responsible for any accepted fraudulent transaction. Through the issuance of the “Red Flags Rule” and “Red Flags Guidelines” for financial institutions, our government has provided a means of protecting consumers from identity theft. Legislation requires merchant compliance, and this compliance helps to foster trust-based relationships. (5) Objective “Security” is no longer about keeping “just” networks, or individual computer systems, protected. Today, “security” is considered to be a legitimate business strategy; protecting the business as a whole. Security is not merely a collection of “features”. It is a complex system of multiple processes wherein the weakest link in the security chain establishes the level of security for the entire system.(6)
  • 5. Current securitytechnology emphasizes security from the side of the merchant, even though it is the consumer whose behavior may often provide the thieves with the information they need to commit the crimes.Often times when the security technology works seamlessly, utilizing multiple aspects of layered technology, including those offered by credit card issuers, fraud still takes place. This is due to the consumer often times being the “weakest link”. As a result, “security” is not just for businesses or merchants, rather, individual consumers need to understand the concept of security as it pertains to e-commerce, and to take personal responsibility for their role in the protection of their data and the prevention of fraud. Existing Issues The integrity of an ecommerce transaction is based upon four factors: Privacy: information must be kept safe from unauthorized access. This issue is currently handled by encrypting the data, using PKI (public key infrastructure) and RSA. Integrity: information must not be altered or tampered with. Maintaining the Integrity of information is achieved by using digital signatures. The use of digital signatures meets the need for authentication and integrity. Authentication: sender and recipient must prove their identities to each other. To verify that a website that is receiving sensitive information is actually the intended website, (not an imposter) a digital certificate is employed. Non-repudiation: proof that the message was actually received.
  • 6. The vulnerability of a system exists at these entry and exit points: Shopper’s computer Network connection Website’s server Software Vendor There are at least 3 transactions whereby sensitive information is vulnerable during an e-Commerce purchasing transaction: (7) 1. Credit card information supplied by the customer. Handled by the server's SSL and the merchant/server's digital certificates. 2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway. 3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and payment gateway. State-of-the-art security/methodologies PKI A PKI (public key infrastructure) consists of: A certificate authority (CA) that issues and verifies a digital certificate. The certificate includes the public key and/or information about the public key A registration authority (RA) that verifies the certificate authority before a digital certificate is issued to the requestor Directories where the certificates and their public keys are held A certificate management system PKI enables users of an unsecure public network (i.e.: the Internet ) to securely and privately trade data and/or currency by using public and private cryptographic key pairs
  • 7. that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identifies an individual or an organization, and also provides directory services that store and even revoke the certificate, if necessary. (8) PKI automates the process of verifying the validity of a certificate. It provides the ability to publish, manage, and use public keys easily. RSA algorithm (Rivest-Shamir-Adleman) RSA is the most commonly used encryption and authentication algorithm. It’s included as part of Microsoft’s and Netscape’s Web browsers, Lotus Notes, Intuit's Quicken, and several other software products. RSA is also used by banks and governments. Third party key distribution centers use RSA. The RSA algorithm multiplies two large prime numbers (a number divisible only by itself and one) and in combination with other operations, it generates a set of two keys, one publicand one private. The original prime numbers are then discarded. The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), authentication also takes place with the use of the private key by the encryption of a digital certificate. . Both the public and the private keys are needed for encryption /decryption, but the private key never needs to travel across the Internet. The two keys differ from one another, but each key is shared with the key distribution center. The keys are encrypted, and rules are set, using a variety of protocols. Private keys must be kept secret, and most security lapses arise here. (9) Secure Socket Layers (SSL) The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol) whereby the information is broken into packets which are numbered sequentially, and include error control methods. Each packet is sent via a
  • 8. different route. TCP/IP reassembles the packets in their original order and resubmits packets that have errors. (10) SSL is a method that utilizes both PKI and digital certificates to ensure privacy and authentication. The server receives the message from the client, and replies with a digital certificate. Using PKI, the server and client negotiate the creation of session keys, (symmetrical secret keys specially made for that particular communication) and communication continues with the session keys and digital certificates in place. Where credit cards are accepted by merchants online and processed in real time, four options arise for the merchant in question: 1. Use a service bureau which is responsible for the security of all sensitive information in the transaction 2. Use an e-Commerce merchant account but use the digital certificate supplied by the hosting company which is a less expensive option that is acceptable for transactions with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the supplied digital certificate. 3. Use an e-Commerce merchant account, but purchase a digital certificate for the business (costing hundreds of dollars). 4. Use a merchant account, and run the business from a business-owned private server. Requires trained IT staff to maintain security, i.e.: firewalls, Kerberos (an authentication mechanism), SSL, and the digital certificate for the server (thousands to tens of thousands of dollars).
  • 9. Digital Signatures Digital signatures help ensure authentication and integrity and are used to confirm ones identity to another party, and that the data has not been altered. (They verify the origin and contents of a message.) Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest value. The digest is then encrypted with the private key to produce a signature which is then added to the original message, and the whole package is sent to the recipient. In this way, the recipient can be sure that the message came from the sender. The received message is decoded with the private key, and processed back through the hash function. (The message digest value remains unchanged.)Very often, the message is also time stamped by a third party agency.(11) Digital Certificates Digital Certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid for only a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants.Digital Certificates are sold for use with email, and for e-merchants and web-servers. Digital Certificates uniquely identify merchants, and are issued by the CA (Certification Authority, i.e.: VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. Validating the authenticity of a digital certificate can be achieved by obtaining the certification authority's public key and use it against the certificate to determine if it was actually signed by the certification authority
  • 10. Digital certificates contain the public key of the entity identified in the certificate. The certificate matches the public key to a particular individual. Because the CA guarantees the validity of the information in the certificate, digital certificates provides a solution to the problem of how to find a user's public key and know that it is valid For a digital certificate to be useful, it has to be understood, and easily retrieved in a reliable way. Digital certificates are standardized for this reason, so that they can be (12) read and understood regardless of the issuer. The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created. Website impersonation, including banking and e- commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness recently found in the MD5 cryptographic hash function has allowed for the creation of unique messages with the same MD5 hash. There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups) , protection from viruses, spyware and hackers by implementing firewalls and antivirus solutions, fortifying web server and database security by researching hosting companies , verifying webpage content, customer data, tracking customers (cookies) , and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud. 
The goal of this study was to determine whether empowering consumers with information and resources for utilization in protecting sensitive information is a necessary and relevant component of preventing identity theft, thereby lowering internet fraud.
  • 11. Method: The Method of Approach for this paper is a pretest/posttest research study of the effectiveness of an education program that was developed using the ACM digital library and IEEE/IEE Electronic Library, including professional journals, web articles, and white papers. Specifically, the study examined two questions: 1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security? 2. Does participation in the program increase participants’ knowledge or awareness of methods of protecting their personal e-commerce security? Data were collected using an instrument that asked respondents to answer questions about each of ten security scenarios. The pretest instrument was given approximately four days in advance of the Identity Theft Prevention class to all individuals who were to participate, and to a group of randomly selected teachers, staff, and administrators who were not going to participate. The instrument was administered again two days after the class to the individuals who had participated in the class. A presentation and interactive class, covering the topic of safeguarding personal information, was developed. The class included an on-line interactive quiz to identify spoofed email, and a power-point presentation about how to identify spoofed telephone calls, the various ways of preventing victimization, how to safeguard information when using public Wifi, how to configure security when using social networking sites likes Facebook, examples of how to check a credit report for fraudulent activities, and steps to take if victimized, including reporting information for contacting authorities (the presentation slide are attached). A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit” was developed, and was provided in digital format to each participant, for future reference.
  • 12. Results
Aggregated Data: Table 1. Percentage Correct by Item, Group & Test

Item  Question
1.    If an official from your bank or a government agency calls your phone, and asks for your bank account or social security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers.
2.    When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.).
3.    The best passwords for your financial accounts are things only you could know, such as your mother's maiden name, your dead pet's name, your children's names, or the last four digits of your social security number.
4.    It is safe to use a public computer to access your financial information on the internet.
5.    If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new tool bars on your computer that you never added, your computer is probably infected with spyware.
6.    You have bid for an item you really want in an online auction. However, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction, and you arrange payment and delivery with the seller. This transaction was safe.
7.    You get an e-mail from your bank saying your account has been frozen due to security precautions. You're asked to click a link to a website to enter your account number and PIN. This is a legitimate bank intervention for your protection.
8.    You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car, and sends you a cashier's check for $10,000 more than you're asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier's check bounced, so you owe the bank $10,000. This scenario can actually happen.
9.    When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizens’ investigation." You are instructed to go back into the bank, the drive through, or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, and then leaves. This was a legitimate transaction, and your money will be returned.
10.   You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your social security number.

Percent Answering Correctly

Item   Pretest (Control)   Pretest (Treatment)   Posttest (Treatment only)
1      100                 70                    100
2      20                  60                    90
3      40                  70                    90
4      60                  70                    100
5      100                 60                    100
6      100                 60                    90
7      100                 80                    100
8      60                  80                    100
9      100                 100                   100
10     60                  50                    100
Mean   75.6                72.2                  96.7

  • 13. Conclusions and Future Work:
1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security? The control group’s mean score on the pre-test was 75.6, and the mean score of the treatment group (the group that attended the Identity Theft Prevention Class) was 72.2. This indicates that performance was similar across both groups, in that the scores were within 4 percentage points of each other.
This suggests that the teachers, staff and administrators who participated in the Identity Theft Prevention class were representative of the teachers, staff and administrators who were offered an opportunity to participate in the class. Neither group was more aware of, or adept at, safeguarding their personal information than the other.
  • 14. 2. Does participation in the Identity Theft Prevention Class increase participants’ knowledge or awareness of methods of protecting their personal and sensitive information? The treatment group’s pre-test score of 72.2 and its post-test score of 96.7 demonstrate an overall increase of 24.5 points. This suggests that participating in the Identity Theft Prevention Class increased each participant’s knowledge and/or awareness of how to protect and safeguard their personal information.
Summary: Mobile e-Commerce, along with the increase in wireless Internet applications such as mobile electronic commerce applications, will be a challenge. Payment devices are developing rapidly and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper-based to electronic payment devices. The use of POS (point-of-sale) devices is increasing. These devices are the equivalent of an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment. New methods of authentication are being developed and improved, and need to be, (14) many using biometrics, including internal DNA storage and retinal scanning. Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and
  • 15. implementation of any e-Commerce site. It is equally crucial that consumers bear the responsibility for safeguarding their personal information. This project was interesting to do, and, if done on a large scale with the same results, could be useful to merchants, who might interpret the results to mean that consumers are able to be educated and empowered, as well as held responsible, for safeguarding their personal data. This belief could be utilized in a team approach to preventing internet fraud, including Identity Theft. A shared, team approach to safeguarding sensitive information would remove sole responsibility (and the associated costs) from the merchant.
Problems encountered with this study were obtaining a large participant sample and, in order to ensure that participants would actually complete the surveys, keeping the number of pre/post-test questions to a minimum. If I did this project again, I would advertise the class for a couple of weeks before the class, hoping to gain the interest of more participants. I would interject sporadic statistics and questions regarding internet fraud into the method that was used for advertising the class (posters, email, newsletter, etc.) in an attempt to demonstrate that the class would be personally useful. I would mention that the format of the class is informal, interactive and fun, to attract interest. I would have a larger question base for the pre- and post-tests (maybe 25-50 questions) and present them in varied formats: true/false, multiple choice and fill-in-the-blank. I would also administer the posttest 2 weeks after the class, at the earliest, and again at 6 months, and possibly even a year later, to ascertain whether the material had been retained. It would also be interesting to see whether anyone in the study had been a victim of internet fraud within the year following the class.
  • 16. Based on the outcome of this study, it would be interesting to conduct research that would demonstrate the amount of online fraud that is due to errant (or lacking) security measures by the merchant or bank, and how much takes place due to the consumers’ lack of personal security savvy. The original proposal stated that the results of this study would be compared with the results of similarly conducted studies to determine whether the hypothesis was correct: that empowering consumers by educating them about internet fraud, and specifically identity theft, can potentially reduce the incidence of both. Instead, I decided that it made more sense to pre-test and post-test the experimental group, and also to see if I could get some willing volunteers who were not participants of the class to answer the pre-test survey as well. In this manner, I would know whether my experimental group was a good representation of the entire group of faculty/staff that was offered the class, or whether they were somehow more “fraud savvy” to begin with. As the results show, the experimental group was a representative sample. By comparing the pre- and post-test scores of the experimental group, it could be determined whether any learning took place, as demonstrated by an increase in test scores 2 days after the class. As the results show, the overall increase in scores suggests that the participants learned ways of safeguarding their personal data.
  • 17. References
1. NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types
2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud
3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php
4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, 02/25/09, E-Commerce Times, http://www.ecommercetimes.com/story/66278.html
5. Ehrlich, Matt, The Consumer's Responsibility in Preventing Identity Theft, 09/20/10, Fraud Management
6. Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html
7. Khusial and McKegney, IBM developerWorks, e-Commerce security, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
8. Van Vark, J. (1997), e-Commerce and the Security Myth: The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html
  • 18. 9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html
10. RSA, TechTarget SearchSecurity, searchsecurity.techtarget.com, 02/02/12, http://searchsecurity.techtarget.com/definition/RSA
11. PKI, TechTarget SearchSecurity, 02/01/2012, searchsecurity.techtarget.com, 02/03/12, http://searchsecurity.techtarget.com/definition/PKI
12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D. A., MD5 considered harmful today: Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/
13. Oracle ThinkQuest, Use of Data Encryption in Today's Context: E-commerce, library.thinkquest.org, 02/9/12, http://library.thinkquest.org/27158/today1_2.html
14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12, http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false
  • 19. Appendices
1. The Identity Theft Pre and Post Test questions:
Please indicate true or false, by typing an “X” next to the answer:
1. If an official from your bank or a government agency calls your phone, and asks for your bank account or Social Security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers.
   True     False
2. When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.).
   True     False
3. The best passwords for your financial accounts are things only you could know, such as your mother's maiden name, your dead pet’s name, your children’s names or the last four digits of your Social Security number.
   True     False
  • 20. 4. It is safe to use a public computer to access your financial information on the internet.
   True     False
5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new toolbars on your computer that you never added, your computer is probably infected with spyware.
   True     False
6. You have bid for an item you really want in an online auction; however, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction; you arrange payment and delivery with the seller. This transaction was safe.
   True     False
  • 21. 7. You get an e-mail from your bank saying your account has been frozen due to security precautions. You're asked to click a link to a Web site and enter your account number and PIN. This is a legitimate bank intervention for your protection.
   True     False
8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car and sends you a cashier's check for $10,000 more than you're asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier's check bounced, so you owe the bank $10,000. This scenario can actually happen.
   True     False
9. When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizen investigation." You are instructed to go back into the bank, the drive-through or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, then leaves. This was a legitimate transaction, and your money will be returned.
   True     False
  • 22. 10. You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual phone number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your Social Security number.
   True     False
2. The Identity Theft Prevention Class PowerPoint Presentation: Protecting Your Identity On-line (Protecting Your Identity On-line.ppt)