THE CPA IN INDUSTRY

January 2002

Twenty Questions on E-commerce Security

By Thomas Tribunella

1. Why is e-commerce security important?
The growth of electronic commerce has created the potential for new risks and abuses. Customers routinely buy products, trade investments, and bank online using personal information such as credit card, Social Security, and account numbers. A December 1999 study by Meridien Research found that online credit card fraud cost merchants more than $400 million per year. Meridien estimates this could rise to $60 billion annually by 2005.

Concerns over the privacy and security of online transactions prevent many from engaging in e-commerce. In a recent IBM/Harris Poll, 94% of U.S. citizens said they were concerned about the possible misuse of their personal information. Knowledge of e-commerce security can be a valuable asset.

2. What are common disruptions to website stability?
The stability of an e-commerce website can be disrupted by the following:

All e-commerce sites will eventually be disrupted. Accordingly, e-commerce entrepreneurs must be prepared. They should back up their data regularly and take other security precautions. A study by IDC reported that organizations spent $6.2 billion on security consulting in 1999, which is expected to increase to $14.8 billion by 2003.

3. What is the difference between external and internal threats?
External security threats originate from outside the organization, usually in the form of a hacker breaking into a system. According to the U.S. Department of Justice, nine out of ten organizations have experienced security breaches; cyber-crime has doubled from 1998 to 1999.

Internal security threats come from inside an organization. They are difficult to defend against because insiders have access to the organization’s internal network (intranet). According to an article published in Network World by S. Gaudin, 70–90% of the attacks on corporate networks are initiated by insiders.

4. What motivates hackers?
Hackers are motivated by the following factors:

5. What are the types of hacker attacks?
Hacker attacks fall into three categories:

A denial of service attack occurs when a hacker floods an Internet site with requests, overwhelming the file server or communication channel and rendering the site inaccessible. In February 2000, both the Yahoo and E-Trade websites were disrupted by denial of service attacks.

The theft of customer information can destroy the credibility of an e-business. Since credit cards are used for 90% of all online payments, credit card numbers are a frequent target. According to the FBI, 1 million credit card numbers are stolen each year from online firms. For example, Egghead, an online computer retailer, lost security control of credit card numbers to a hacker who broke into the Egghead customer database in December 2000.

Hackers not sophisticated enough to steal information from a system can more easily destroy information, typically by introducing a virus into the system. A virus can be released as an e-mail attachment. In May 2000, the “I Love You” virus caused an estimated $10–15 billion in damages.

6. What are the costs of computer-related crimes?
Exhibit 1 displays the total cost of computer crimes in the United States according to a 2001 CSI/FBI survey. The survey reported a 114% increase in computer-related crimes from 1999 to 2000 (265,337,940 ÷ 123,776,000 = 2.14). The FBI survey also predicts a 42% increase in computer-related crime from 2000 to 2001.

7. How do computer viruses work?
A computer virus is program code that has been designed to copy itself into other such codes or computer files. A virus attaches itself to other computer programs, usually in the computer’s operating system. In most cases, the corrupted programs continue to perform their intended functions while executing the virus’s instructions. Viruses can destroy files, data, programming code, software, and other elements of a system.

A worm is similar to a virus except that worms do not need to be attached to another program to spread: They can act independently. Worms and viruses generally enter a computer system through e-mail attachments and diskettes. Users should not open attachments or disks unless they trust their source.

8. What is the most common form of Internet protection?
The most common device for controlling access to an Internet site is the firewall. A firewall is usually a specialized computer running firewall software that prevents unauthorized communications from flowing between the Internet and an intranet.

9. How do firewalls work?
Firewalls use the following methods to secure a network:

When firewalls enforce user authentication protocols, users must ask the firewall for entry into the system by inputting identification codes such as user names and passwords. The firewall checks an ACL that verifies the user’s identity.

A firewall can also check data packets via dynamic packet filtering. Data is routed over the Internet in packets under the TCP/IP (transmission control protocol/Internet protocol) model, developed by the U.S. Department of Defense in 1972. The packets have headers that identify the information. Firewalls can monitor these packets and reject any without proper identification.
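As an added example, not from the article, here is a small stateful packet filter in Python that follows the dynamic packet filtering described above: connections opened from the intranet are recorded, inbound packets are matched against that session table, and unsolicited inbound packets are rejected unless they target a service the site publishes. The address ranges, port list and header fields are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed, simplified TCP/IP header fields (assumed format for the example).
Packet = namedtuple("Packet", "src dst sport dport syn ack")

INTRANET_PREFIX = "10.0.0."     # assumed internal address range
PUBLISHED_PORTS = {80, 443}     # services the web site deliberately exposes

class DynamicPacketFilter:
    """Stateful (dynamic) packet filter: inbound traffic is accepted only when it
    answers a connection the intranet opened or targets a published service."""

    def __init__(self):
        self.sessions = set()   # (internal ip, internal port, external ip, external port)
        self.log = []           # one line per decision, as a firewall log file would keep

    def _decide(self, p):
        if p.src.startswith(INTRANET_PREFIX):
            # Outbound: remember the connection so the reply can come back in.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        if p.syn and not p.ack:
            # Inbound connection attempt: only to services the site publishes.
            return "ALLOW" if p.dport in PUBLISHED_PORTS else "REJECT"
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW"      # reply to a connection the inside initiated
        return "REJECT"         # unsolicited inbound packet with no matching session

    def inspect(self, p):
        verdict = self._decide(p)
        self.log.append(f"{verdict} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict

def run(packets):
    """Pass a packet sequence through one filter instance; returns the verdicts."""
    fw = DynamicPacketFilter()
    return [fw.inspect(p) for p in packets]

# Constructed traffic sample (documentation address ranges for the outside hosts).
SAMPLE = [
    Packet("10.0.0.5", "198.51.100.7", 40000, 443, True, False),   # intranet opens HTTPS
    Packet("198.51.100.7", "10.0.0.5", 443, 40000, True, True),    # server replies
    Packet("203.0.113.9", "10.0.0.5", 5555, 40000, False, True),   # "reply" with no session
    Packet("203.0.113.9", "10.0.0.20", 33000, 80, True, False),    # customer visiting web site
    Packet("203.0.113.9", "10.0.0.20", 33001, 23, True, False),    # connection attempt to telnet
]

if __name__ == "__main__":
    print(run(SAMPLE))   # ['ALLOW', 'ALLOW', 'REJECT', 'ALLOW', 'REJECT']
```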

10. What are common forms of user authentication?
The following is a list of ways a firewall can verify the identity of a party requesting permission to enter a system:

11. What is cryptography?
Cryptography is the process of encoding and decoding messages to prevent unauthorized parties from reading the contents (see Exhibit 2). The encryption and decryption processes involve the substitution, transposition, or mathematical manipulation of the characters comprising the message.

12. How is encryption used in e-commerce?
Encryption is primarily used when transmitting confidential messages. It is also used to transmit data such as electronic payments, credit card numbers, and other personal information.

13. What are common types of encryption?
The following are the two main types of encryption:

14. How do digital signatures work?
Digital signatures ensure that an electronic message, such as a credit card number, was not tampered with during transmission over the Internet. The signatures rely on a one-way hashing algorithm that generates a value from a string of characters in the message. If the message is altered, it will produce a different hash value upon receipt, revealing that the message was altered.
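An added example, not from the article, of the hash-then-sign flow in Python: a textbook RSA key pair built from two known Mersenne primes (an assumption for illustration only; real systems use far larger keys and a padding scheme) signs the SHA-256 digest of a constructed payment record, and verification fails once the amount in the record is altered.

```python
import hashlib

# Toy RSA key pair from two known Mersenne primes (assumption: illustration only;
# production signatures use ~2048-bit keys and a padding scheme).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent (coprime to PHI)
D = pow(E, -1, PHI)            # private exponent (modular inverse; Python 3.8+)

def message_digest(message: bytes) -> int:
    """One-way hash of the message, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exponent: int = D) -> int:
    """Sender: hash the message, then apply the private key to the hash."""
    return pow(message_digest(message), private_exponent, N)

def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Receiver: recover the hash with the public key and compare to a fresh hash."""
    return pow(signature, public_exponent, N) == message_digest(message)

# Constructed sample: a payment record as sent to a merchant, and a tampered copy.
ORIGINAL = b"order=1001;card_last4=1111;amount=59.00"
TAMPERED = b"order=1001;card_last4=1111;amount=5900.00"

def demo():
    """Returns (original verifies, tampered verifies) for one signature."""
    sig = sign(ORIGINAL)
    return verify(ORIGINAL, sig), verify(TAMPERED, sig)

if __name__ == "__main__":
    print(demo())   # (True, False)
```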

15. How do digital certificates work?
Digital certificates are one of the most widely used security techniques, especially in conjunction with digital signatures. They provide proof that people or organizations are who they say they are. Digital certificates are typically issued by a third-party certification authority. The independent authority verifies the applicant’s identity and generates a certificate that the applicant can use to engage in legal transactions. The certificates have the following attributes:

Digital certificates are very secure. Even if a hacker steals a digital certificate, he must also steal the private key from the receiver to decrypt the message.

16. What role do log files and computer auditing play in e-commerce security?
Log files store data on network activity. They are usually kept by a firewall program and should keep track of the following network activity:

Auditors can use embedded audit modules to achieve continuous real-time online auditing of Internet transactions. The audit module can be configured to evaluate control risk based on given risk parameters. When a transaction meets the parameter criteria, it is listed in a log file and reported to the auditor for further review.
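An added example, not from the article, of an embedded audit module in Python: each transaction is evaluated against configurable risk parameters (an amount ceiling, a per-card velocity limit, and a shipping/billing country mismatch), and any transaction meeting a criterion is listed in a log for the auditor. The transaction records and their field names are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed transaction records (assumed field names).
TRANSACTIONS = [
    {"id": "T1", "card": "****1111", "amount": 45.00, "time": "2002-01-05T10:00:00", "ship": "US", "bill": "US"},
    {"id": "T2", "card": "****1111", "amount": 60.00, "time": "2002-01-05T10:05:00", "ship": "US", "bill": "US"},
    {"id": "T3", "card": "****1111", "amount": 30.00, "time": "2002-01-05T10:20:00", "ship": "US", "bill": "US"},
    {"id": "T4", "card": "****1111", "amount": 25.00, "time": "2002-01-05T10:40:00", "ship": "US", "bill": "US"},
    {"id": "T5", "card": "****2222", "amount": 2500.00, "time": "2002-01-05T11:00:00", "ship": "US", "bill": "US"},
    {"id": "T6", "card": "****3333", "amount": 80.00, "time": "2002-01-05T12:00:00", "ship": "CA", "bill": "US"},
]

# Risk parameters the auditor configures; meeting any criterion lists the transaction.
RISK_PARAMETERS = {
    "max_amount": 1000.00,          # single-purchase ceiling
    "max_per_card_per_hour": 3,     # velocity check on one card number
    "flag_country_mismatch": True,  # ship-to country differs from billing country
}

def evaluate(transactions, params=RISK_PARAMETERS):
    """Embedded audit module: returns (flagged [(id, reasons)], log lines)."""
    flagged, log = [], []
    recent = {}   # card -> timestamps of that card's transactions in the last hour
    for t in sorted(transactions, key=lambda t: t["time"]):
        when = datetime.fromisoformat(t["time"])
        reasons = []
        if t["amount"] > params["max_amount"]:
            reasons.append("amount over limit")
        if params["flag_country_mismatch"] and t["ship"] != t["bill"]:
            reasons.append("ship/bill country mismatch")
        hits = [s for s in recent.get(t["card"], []) if when - s < timedelta(hours=1)]
        hits.append(when)
        recent[t["card"]] = hits
        if len(hits) > params["max_per_card_per_hour"]:
            reasons.append("card velocity over limit")
        if reasons:
            flagged.append((t["id"], reasons))
            log.append(f"{t['time']} {t['id']} card={t['card']} "
                       f"amount={t['amount']:.2f} FLAG: {'; '.join(reasons)}")
    return flagged, log

if __name__ == "__main__":
    for line in evaluate(TRANSACTIONS)[1]:
        print(line)
```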

17. What are common e-commerce security protocols?
Most small e-businesses rely on established Internet transaction providers for their payment and security systems. The two most common security protocols are secure sockets layer (SSL) and secure electronic transaction (SET).

SSL was developed by Netscape. It uses public key cryptography to secure messages from web browsers (clients) to Internet transaction servers (e.g., Amazon.com). SSL also uses digital certificates to verify the identity of the server.

SET was developed by Visa International and is used by credit card companies. SET uses digital certificates to identify the client (buyer), server (merchant), and merchant bank. SET employs public key cryptography to secure the messages between the three entities as they are transmitted over the Internet.

18. What is WebTrust?
WebTrust is an attest-level engagement provided by specially licensed public accounting firms. During the engagement, the WebTrust practitioner “audits” the online business to verify compliance with the program’s principles and criteria, which address matters such as privacy, security, availability, confidentiality, consumer redress, and business practices.

At the client’s request, the WebTrust practitioner often provides preparatory consulting advice. If the business meets the WebTrust principles and criteria, the website can display the WebTrust seal of approval, which is hyperlinked to information about the site’s business practice disclosures, the report of the independent accountant, management’s assertions, and a digital certificate that authenticates the seal.

19. What are steps to prepare for e-commerce security work?
Before offering Internet security services, consider the following steps:

The following items, explored more fully in the WebTrust standards, arise as part of any Internet security system:

20. Which resources provide more information about e-commerce security?
The following are useful sources of e-commerce security information:


Thomas Tribunella, PhD, CPA, is the director of accounting programs at the State University of New York–Institute of Technology and an information systems consultant.

Editor:

Robert H. Colson, PhD, CPA
The CPA Journal

