2. E-Business
◦ Uses information technology and electronic communication networks to exchange
business information and conduct paperless transactions.
◦ Includes virtual private networks and other specialised connections through which
businesses routinely connect to one another.
Albrecht, Albrecht, Albrecht & Zimbelman, 2012, p 602
3. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Perceived Pressures:
• Dramatic growth leading to
tremendous cash flow needs.
• Pressure to improve financial results
due to mergers/acquisitions.
• Borrowing or issuing stock.
• New products requiring expensive
marketing.
• Unproven or flawed business
models with tremendous cash flow
pressures.
4. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Perceived Opportunities:
• Lag between transaction developments
and security developments.
• Complex information systems that make
installing controls difficult.
• Removal of personal contact – easier
impersonation or falsified identity.
• Electronic transfer of funds, allowing large
frauds to be committed more easily.
• Compromised privacy resulting in theft by
using stolen or falsified information.
5. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Rationalisations:
• Perceived distance that decreases
the personal contact between
customer and supplier.
• Transactions between anonymous or
unknown buyers and sellers – you
can’t see who you are hurting.
• New economy thinking contends that
traditional methods of accounting no
longer apply.
6. E-Commerce Risks Inside Organisations
◦ Easier to infiltrate systems, steal money and information and cause damage when
perpetrators are within firewalls and security checks.
◦ Perpetrators with inside access know the control environment, understand security
mechanisms, and find ways to bypass security.
◦ Most common problem: Abuse of power granted to users.
◦ I.e. programmers with superuser access – often removal of programmers’ access is overlooked
when systems go into production.
7. Survey
◦ > 1/3 of network administrators admitted to snooping into HR records and custom
databases.
◦ 88% of administrators would take sensitive data if they were fired.
◦ 33% would take company password lists.
8. Data Theft
◦ First concern of e-commerce fraud as data have many useful attributes:
1. Can be converted to cash fairly easily.
2. Information is replicable, allowing perpetrators to simply copy data rather than remove
them, leaving the source data intact.
3. Can be transferred easily and quickly to any location.
4. Managers lack the technical expertise to prevent and detect data theft.
9. Passwords
◦ Password selection cannot be fully controlled, as it is left to
the end user.
◦ Common passwords can relate to personal information, so
perpetrators may be able to guess the passwords of their
employees.
◦ Social engineering techniques are used by hackers to gain
access to passwords.
◦ Hackers take information from blogs, Facebook walls and
other social network sites and use this information to ask
victims for “just a little more”.
10. Passwords
◦ Companies may require regular password changes to try
to mitigate the risk of passwords being stolen.
◦ However many employees will merely add a sequential
number to the end of their password.
◦ Companies and websites generally have certain
password requirements such as minimum character
length, upper case, symbol, number etc.
11. Passwords – How many do you have?
University Bank Work login
Email Google Microsoft
Facebook Twitter Instagram
Skype TradeMe Pinterest
Online shops Blogs Online communities
Phone login Utility companies YouTube
12. Need one of these?
◦ http://www.youtube.com/watch?v=Srh_TV_J144
15. Sniffing
◦ Logging, filtering and viewing of information that passes along a network line.
◦ The most common method of gathering information from unencrypted
communications.
◦ Easily done on most networks by hackers that run freely available applications.
◦ Organisations can use firewalls, spam filters and anti-virus programmes to prevent
sniffing, however employee laptops, tablets and mobile phones can be at risk when on
business trips and connecting to other networks.
16. Wartrapping
◦ Hackers go to places such as airports where business travellers are likely to be and set
up internet access points through their laptop.
◦ The access point will appear to be legitimate i.e. Auckland Airport Free Wireless.
◦ Hackers then use sniffing techniques to find passwords and other data as the traveller
browses the internet through the connection.
17. E-Commerce Risks Outside Organisations
◦ Internet provides a rich medium for external hackers to gain access to personal
systems.
◦ Ability to hack from across international borders means that tracking and prosecuting
hackers is difficult.
18. NZ Statistics:
◦ Year to 9th August 2013:
◦ 562 online frauds reported to NetSafe
◦ $4.4 million
◦ Netsafe’s Chief Executive estimates annual losses from internet fraud to be between
$100m and $400m per year.
◦ In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing
and tax refund scams in NZ.
19. Spyware
◦ Installs monitoring software in addition to the regular that a user downloads or buys.
◦ Peer-to-peer music and video-sharing applications are the worst spyware offenders.
◦ Most spyware programs monitor user behaviours so that the company can make a
profit selling the personal data they collect.
◦ More advanced spyware can copy financial or other sensitive data from internal
directories and files and send it to external entities.
20. Phishing
◦ Phishing involves sending emails or pop up messages asking for personal information in
inventive ways.
◦ Common method is to request victims to update account details by clicking on a link
to a website which appears to be the company’s website.
◦ Common targets have been bank customers, TradeMe/ebay customers, even
government departments such as IRD.
21. ANZ
◦ In July 2013, ANZ customers were targeted by a phishing scam.
◦ Phishers sent an email to ANZ customers which appeared to be from ANZ.
◦ It stated that customers must update their account information through the link or service
would be suspended.
◦ The link took customers to a fake website which replicated the logos and formatting of ANZ.
◦ The phishers gained access to bank accounts when customers attempted to log in to the
fake website.
www.stuff.co.nz/technology/digital-living/8985900/Phishing-scam-targets-ANZ-log-in-details
22. Large Retail Company (Un-named)
◦ Major retail chain targeted by overseas cyber criminals in September 2013.
◦ Phishing attack attempted to convince store staff to install rogue software on their
computers.
◦ Phishers called stores claiming to be a senior member of the company and directed
employees to a fake website that was designed to look like the company’s official tech
support site.
◦ No data was lost as the company’s IT staff noticed what was happening and managed to
block access to the website and cleaning it up.
◦ “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re
extremely trusting”.
www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11130882
23. Spoofing
◦ Changes the information in e-mail headers or IP addresses.
◦ Perpetrators hide their identities by simply changing the information in the header, thus
allowing unauthorised access.
24.
25. Falsified Identity
◦ Subtle differences in internet hose names often go unnoticed by internet users.
◦ I.e. “.com” “.org” “.nz” can be easily confused but lead to completely different
websites.
◦ If two similar names are owned by two different entities, one site could mimic the other
and trick users into thinking they are dealing with the original website.
26. “GoogleDirectory”
◦ NZ company with no links to Google, launched July 2013.
◦ Promotes itself as a new online marketing tool, offering special internet advertisement
packages.
◦ Over 100,000 listings – some who were contacted by the NZHerald had no idea they
were listed and had not paid.
◦ One customer was told Google was re-launching in NZ as GoogleDirectory.
www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11111728
27. Conclusion
◦ Fraud risks in e-commerce systems are significant.
◦ Many employees do not fully appreciate the risks and methodologies that online fraud
perpetrators take.
◦ As auditors, it is important to be aware of the fraud risk in e-commerce and test internal
controls to minimise the risk.
Hinweis der Redaktion
Can anyone think of any perceived opportunities to commit e-commerce fraud?
Can anyone think of any rationalisations of e-commerce fraud?
The textbook discusses some surveys in which more than a third of network administrators admitted to snooping into HR records and custom databases, 88% of administrators would take sensitive data if they were fired and 33% said they would take company password lists. This obviously makes it important not to use the same password for work accounts as you do for personal accounts.
Some websites allow customers to log in using Facebook. This makes it easier for customers to log in and not have to remember additional passwords, however it can be quite risky as if your Facebook page gets hacked they may have the ability to log in to other websites using facebook connect. How many people leave Facebook logged in on their phones or computers? What happens if your phone gets stolen? Instant access to any website which uses facebook connect.
Grabone on the left, gives you the option to remember credit card details. Treatme, on the right doesn’t have an option. I used Treatme to buy something a few weeks ago and saw that it had stored my credit card details from a previous purchase made months earlier. I couldn’t believe I would have been so stupid to save the details so looked into it and found it doesn’t give you the option.If someone obtained your Facebook password, they could use the Facebook connect function to log in to different websites, and if your credit card details are stored, make multiple purchases.
We will now look at e-commerce risks outside the organisation. The internet provides a rich medium for external hackers to gain access to personal systems. The ability to hack from across international borders means that tracking and prosecuting hackers is difficult.
In the year to 9th August, there were 562 online frauds reported to NetSafe which totalled $4.4 million.However, Netsafe’s Chief Executive estimates annual losses from internet fraud to be between $100m and $400m per year.In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing and tax refund scams in NZ.
Last month, a major NZ retail chain was targeted by overseas cyber criminals. A phishing attack attempted to convince store staff to install rogue software on their computers.The phishers called stores claiming to be a senior member of the company and directed employees to a fake website that was designed to look like the company’s official tech support site. In this case, no data was lost as it was picked up by IT staff quickly and they were able to block access to the website and clean up the computers.There was a quote from Andy Prow, managing director of Aura Information Security, who said “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re extremely trusting”.What do you think NZ companies can do to prevent such phishing scams?Need to ensure there is a clear process to follow when phone calls or emails are received claiming to be from a senior employee. For example, returning phone calls to the IT department for confirmation. Also need a clear chain of command so that junior store employees understand they are not to download anything.
This is an email I received a few weeks ago. I had actually just bought a new computer and Office software, which includes Outlook so I wasn’t initially suspicious when I saw it in my inbox. It was when I opened it and looked at the address it came from and who it was sent to that made me realise it probably wasn’t legitimate. The sender’s email address is infotechmsn@naver.com. Naver is actually a South Korean search engine. The email also isn’t addressed to my email, but to customer care at Hotmail.co.uk.The fact that such an email wasn’t picked up as spam when it was sent to a Hotmail address, which uses Outlook, is worrying and it would be easy for people to assume it was a legitimate email and click the link.
Customers were reported as saying that they thought it was strange that when they Googled GoogleDirectory nothing came up. They had to type in the URL address to access the website. Now when you search for the company on Google the first hit is to the Dodgy Business website and the remaining hits all point to the company being a scam. You can see from the picture that the font is identical to Google’s and “directory” is in smaller text underneath.