An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 29 July 2004

About me Joint Computer Science and Information Systems Honours. Interest in computer security and its implications in e-commerce.

Definition of project in one sentence An investigation into e-commerce frauds, and how they are best avoided by internet merchants.

The Problem and Background

What is E-commerce ? “E-commerce focuses on the electronic exchange of information using information and telecommunications infrastructures to perform a wide range of commercial activities that can be divided into business-to- consumer and business-to-business sectors” - Hutchinson and Warren [2003] Project focuses on business-to-consumer

Importance of E-Commerce Electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies” - VeriSign [2004]

E-Commerce statistics - Burrows [2004] General increase in the use of e-commerce around the world. The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. These figures are expected to increase to 30% in percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of US Online Retail revenue is projected to increase from $ 47.8 Billion in 2002 to billion in 2005

Fraud statistics Fraud complaints rose by around two-thirds in the US according to the Federal Trade Commission (FTC) from 2001 to Identity theft accounting for 43% of complaints. The cost of fraud in 2002 more than doubled that in 2001.

Fraud statistics (Continued)

Result of combination of statistics “Hacker cleans out bank accounts.” “Hundreds of thousands of rands stolen via Internet from Absa clients.” – Who covers the costs? Irreversible damage to Absa’s image. “New security fears for web banking” “Major online credit card theft exposed”

Threats Vandalism and sabotage – defacing web site Denial of service – flooding of service Breach of privacy or confidentiality – disclosure of personal info Theft and fraud – theft and use of credit card number Violations of data integrity – changing of an orders delivery address Repudiation – denying a transaction took place

Securing E-Commerce 3 Fronts 1.Merchant - System offering service - Web server and OS - Firewalls, encrypted data stores 2. Transport - Channel between the client and merchant - Protocols (SSL, SET) 3.Client - System accessing the service - Difficult to secure and control

Data Transport Security Four basic security requirements of e- commerce transactions : 1. Authentication – proof of identity 2. Confidentiality – keeping data “secret” 3. Data integrity – Ensuring data doesn’t change while transported by unauthorised entity 4. Non-repudiation - prevents a denial of actions by a person or entity

Security Mechanisms User IDs and passwords – Concerned with authentication – Insecure : poor passwords, password written down, shared – Increase security by using in conjunction with tokens and biometrics

Public Key Infrastructure (PKI), Digital Certificates and Digital signatures Confidentiality through encryption Virtual Keys used to encrypt/decrypt data Symmetrical – 1 private key to encrypt and decrypt, key is shared (less secure) Asymmetrical – private and public key which are inversely related

Public Key Infrastructure (PKI), Digital Certificates and Digital signatures Data integrity and non repudiation through digital signatures Digital Certificates provide authentication Used by other protocols

Secure Socket Layer (SSL) Provides confidentiality, authentication, and data integrity through the use of PKI. Resides above the transport layer and below the application layer at the socket layer in the protocol stack. Most prominent e-commerce protocol

SSL (Cont) Does not provide non-repudiation or facilitate transferring of payments. Leaves payment details up to merchant. Credit Card details can be read by the merchant and may be vulnerable to theft if the data store is not encrypted.

Scenario 1 Insecure Merchant Secure cc no over SSL

Scenario 1 (Cont) Insecure Merchant

Scenario 2 Illegitimate Merchant SSL Channel

Payment Protocols Merchant has no need to read credit card details Guarantee the merchant receives payment Keeps credit card details confidential Eliminates storage of credit card details on merchants system

Scenario 3 Payment protocol Payment Protocol Payment Protocol

Secure Electronic Transactions (SET) Technical standard for secure payments focusing on credit cards Developed by MasterCard and VISA. Failed to be adopted. Why? – Merchants are liable for chargebacks, therefore banks resist liability. – Banks generate revenue from chargebacks. – Banks make money selling anti fraud software – Timing – Merchants only worried about market share not losses – Certificate management was cumbersome

Where to from here ? Investigate case studies of e-commerce security breaches eg: CD Universe Investigate, critically analyse and compare emerging protocols and techniques that could help secure e-commerce eg: Secure Payment Application (SPA) by Mastercard and Verified by VISA

The expected result Evaluation of some of the current security protocols and procedures used in e- commerce. Exposure of security flaws in some of the major e-commercial systems. Establish possible countermeasures to attacks and threats from e-commerce security frauds.

Questions