January 2002
Twenty Questions on E-commerce Security
By Thomas Tribunella
1. Why is e-commerce security important?
The growth of electronic commerce has created the potential for new risks and abuses. Customers routinely buy products, trade investments, and bank online using personal information such as credit card, Social Security, and account numbers. A December 1999 study by Meridien Research found that online credit card fraud cost merchants more than $400 million per year. Meridien estimates this could rise to $60 billion annually by 2005.
Concerns over the privacy and security of online transactions prevent many from engaging in e-commerce. In a recent IBM/Harris Poll, 94% of U.S. citizens said they were concerned about the possible misuse of their personal information. Knowledge of e-commerce security can be a valuable asset.
2. What are common disruptions to website stability?
The stability of an e-commerce website can be disrupted by the following:
All e-commerce sites will eventually be disrupted. Accordingly, e-commerce entrepreneurs must be prepared. They should back up their data regularly and take other security precautions. A study by IDC reported that organizations spent $6.2 billion on security consulting in 1999, which is expected to increase to $14.8 billion by 2003.
3. What is the difference between external and internal threats?
External security threats originate from outside the organization, usually in the form of a hacker breaking into a system. According to the U.S. Department of Justice, nine out of ten organizations have experienced security breaches; cyber-crime has doubled from 1998 to 1999.
Internal security threats come from inside an organization. They are difficult to defend against because insiders have access to the organization’s internal network (intranet). According to an article published in Network World by S. Gaudin, 70–90% of the attacks on corporate networks are initiated by insiders.
4. What motivates hackers?
Hackers are motivated by the following factors:
5. What are the types of hacker attacks?
Hacker attacks fall into three categories:
A denial of service attack occurs when a hacker floods an Internet site with requests, overwhelming the file server or communication channel and rendering the site inaccessible. In February 2000, both the Yahoo and E-Trade websites were disrupted by denial of service attacks.
The theft of customer information can destroy the credibility of an e-business. Since credit cards are used for 90% of all online payments, credit card numbers are a frequent target. According to the FBI, 1 million credit card numbers are stolen each year from online firms. For example, Egghead, an online computer retailer, lost security control of credit card numbers to a hacker who broke into the Egghead customer database in December 2000.
Hackers not sophisticated enough to steal information from a system can more easily destroy information, typically by introducing a virus into the system. A virus can be released as an e-mail attachment. In May 2000, the “I Love You” virus caused an estimated $10–15 billion in damages.
6. What are the costs of computer-related crimes?
Exhibit 1 displays the total cost of computer crimes in the United States according to a 2001 CSI/FBI survey. The survey reported a 114% increase in computer-related crimes from 1999 to 2000 (265,337,940 ÷ 123,776,000 = 2.14). The FBI survey also predicts a 42% increase in computer-related crime from 2000 to 2001.
7. How do computer viruses work?
A computer virus is program code that has been designed to copy itself into other such codes or computer files. A virus attaches itself to other computer programs, usually in the computer’s operating system. In most cases, the corrupted programs continue to perform their intended functions while executing the virus’s instructions. Viruses can destroy files, data, programming code, software, and other elements of a system.
A worm is similar to a virus except that worms do not need to be attached to another program to spread: they can act independently. Worms and viruses generally enter a computer system through e-mail attachments and diskettes. Users should not open attachments or disks unless they trust their source.
8. What is the most common form of Internet protection?
The most common device for controlling access to an Internet site is the firewall. A firewall is usually a specialized computer running firewall software that prevents unauthorized communications from flowing between the Internet and an intranet.
9. How do firewalls work?
Firewalls use the following methods to secure a network:
A firewall can also check data packets via dynamic packet filtering. Data is routed over the Internet in packets under the TCP/IP (transmission control protocol/Internet protocol) model, developed by the U.S. Department of Defense in 1972. The packets have headers that identify the information. Firewalls can monitor these packets and reject any without proper identification.
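As an added illustration of the dynamic packet filtering described above (this is example code written for this page, not code from the article or from any firewall product), the following toy filter inspects the headers of constructed TCP/IP packets. It remembers connections opened from the intranet so that replies are let back in, admits new inbound connections only to a published service, and rejects everything else, logging each decision. The addresses, ports and policy are assumptions made for the example.

```python
"""Toy stateful ("dynamic") packet filter; added example, not code from the article."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "in" (Internet -> intranet) or "out" (intranet -> Internet)
    syn: bool = False   # True for a connection-opening segment


# Assumed policy: the only service the Internet may connect to is the web server on port 80.
ALLOWED_INBOUND: Set[Tuple[str, int]] = {("10.0.0.5", 80)}


class DynamicPacketFilter:
    """Tracks connections so replies are accepted, and drops unsolicited inbound traffic."""

    def __init__(self) -> None:
        # Connection identified from the inside host's point of view:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.state: Set[Tuple[str, int, str, int]] = set()
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is accepted, False if it is rejected."""
        if pkt.direction == "out":
            # Intranet hosts may initiate connections; remember them so replies get in.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return self._accept(pkt, "outbound")
        # Inbound: accept a reply to a connection that was opened from inside ...
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
            return self._accept(pkt, "reply to established connection")
        # ... or a new connection to a published service.
        if pkt.syn and (pkt.dst_ip, pkt.dst_port) in ALLOWED_INBOUND:
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return self._accept(pkt, "allowed inbound service")
        self.log.append(f"REJECT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return False

    def _accept(self, pkt: Packet, reason: str) -> bool:
        self.log.append(
            f"ACCEPT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} ({reason})"
        )
        return True


def run_sample() -> Tuple[List[bool], List[str]]:
    """Feed a constructed packet sequence through the filter; returns decisions and log."""
    fw = DynamicPacketFilter()
    packets = [
        Packet("10.0.0.7", 40001, "198.51.100.9", 443, "out", syn=True),  # host opens HTTPS
        Packet("198.51.100.9", 443, "10.0.0.7", 40001, "in"),             # server reply: accept
        Packet("198.51.100.9", 443, "10.0.0.7", 40002, "in"),             # no matching state: reject
        Packet("203.0.113.4", 51000, "10.0.0.5", 80, "in", syn=True),     # visitor to web server: accept
        Packet("203.0.113.4", 51001, "10.0.0.5", 22, "in", syn=True),     # unsolicited port 22: reject
    ]
    decisions = [fw.filter(p) for p in packets]
    return decisions, fw.log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The log produced by `run_sample` is the kind of record question 16 refers to: every accepted and rejected packet, with the header fields that decided it, is available for later audit.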
10. What are common forms of user authentication?
The following is a list of ways a firewall can verify the identity of a party requesting permission to enter a system:
11. What is cryptography?
Cryptography is the process of encoding and decoding messages to prevent unauthorized parties from reading the contents (see Exhibit 2). The encryption and decryption processes involve the substitution, transposition, or mathematical manipulation of the characters comprising the message.
12. How is encryption used in e-commerce?
Encryption is primarily used when transmitting confidential messages. It is also used to transmit data such as electronic payments, credit card numbers, and other personal information.
13. What are common types of encryption?
The following are the two main types of encryption:
14. How do digital signatures work?
Digital signatures ensure that an electronic message, such as a credit card number, was not tampered with during transmission over the Internet. The signatures rely on a one-way hashing algorithm that generates a value from a string of characters in the message. If the message is altered, it will produce a different hash value upon receipt, revealing that the message was altered.
15. How do digital certificates work?
Digital certificates are one of the most widely used security techniques, especially in conjunction with digital signatures. They provide proof that people or organizations are who they say they are. Digital certificates are typically issued by a third-party certification authority. The independent authority verifies the applicant’s identity and generates a certificate that the applicant can use to engage in legal transactions. The certificates have the following attributes:
Digital certificates are very secure. Even if a hacker steals a digital certificate, he must also steal the private key from the receiver to decrypt the message.
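The following added example (written for this page; it is not code from the article and not a real certificate format) ties questions 14 and 15 together. A one-way hash of the message is signed with the sender's private key; the receiver recomputes the hash and checks it against the signature using the public key carried in the sender's certificate, which was itself signed by a certification authority. The RSA key pairs are built from small primes chosen for readability and are far too small to be secure; real systems use 2048-bit keys or larger. The subject names, message text and primes are all assumptions.

```python
"""Toy digital signature and certificate check; added example, not code from the article."""
import hashlib
import json
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """RSA key pair from two small primes (assumed values; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest_mod(message: bytes, n: int) -> int:
    """One-way hash (SHA-256) of the message, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv: PrivateKey) -> int:
    """Signature = hash of the message transformed with the private exponent."""
    d, n = priv
    return pow(digest_mod(message, n), d, n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Recompute the hash on receipt and compare it with the signature opened by the public key."""
    e, n = pub
    return pow(signature, e, n) == digest_mod(message, n)


def cert_bytes(cert: Dict) -> bytes:
    """Canonical encoding of the fields a certification authority signs."""
    fields = {k: cert[k] for k in ("subject", "issuer", "public_key")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject: str, pub: PublicKey, issuer: str, ca_priv: PrivateKey) -> Dict:
    """The authority binds the subject's name to its public key and signs that binding."""
    cert = {"subject": subject, "issuer": issuer, "public_key": list(pub)}
    cert["signature"] = sign(cert_bytes(cert), ca_priv)
    return cert


def verify_certificate(cert: Dict, ca_pub: PublicKey) -> bool:
    """A relying party checks the authority's signature before trusting the enclosed key."""
    return verify(cert_bytes(cert), cert["signature"], ca_pub)


def run_sample() -> Dict[str, bool]:
    """Walk through issuance, signing, verification and two tampering attempts."""
    ca_pub, ca_priv = toy_keypair(1021, 1031)            # the certification authority
    merchant_pub, merchant_priv = toy_keypair(1009, 1013)  # the certificate applicant
    cert = issue_certificate("merchant.example", merchant_pub, "Toy CA", ca_priv)

    message = b"PAY 100.00 USD to merchant.example, card ending 1234"   # constructed
    signature = sign(message, merchant_priv)
    tampered = b"PAY 900.00 USD to merchant.example, card ending 1234"  # altered in transit
    forged_cert = dict(cert, subject="other.example")                   # name changed, CA signature kept

    key_from_cert: PublicKey = tuple(cert["public_key"])
    return {
        "certificate_trusted": verify_certificate(cert, ca_pub),
        "message_intact": verify(message, signature, key_from_cert),
        "tampered_detected": not verify(tampered, signature, key_from_cert),
        "forged_certificate_rejected": not verify_certificate(forged_cert, ca_pub),
    }


if __name__ == "__main__":
    for check, ok in run_sample().items():
        print(f"{check}: {ok}")
```

The last two results show the two checks the article separates: a modified message no longer matches its signature (question 14), and a certificate whose contents were changed no longer carries a valid authority signature (question 15). Only the holder of the private key can produce a signature that passes either check, which is why the private key, not the certificate, is what must be protected.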
16. What role do log files and computer auditing play in e-commerce security?
Log files store data on network activity. They are usually kept by a firewall program and should keep track of the following network activity:
Auditors can use embedded audit modules to achieve continuous real-time online auditing of Internet transactions. The audit module can be configured to evaluate control risk based on given risk parameters. When a transaction meets the parameter criteria, it is listed in a log file and reported to the auditor for further review.
17. What are common e-commerce security protocols?
Most small e-businesses rely on established Internet transaction providers for their payment and security systems. The two most common security protocols are secure sockets layer (SSL) and secure electronic transaction (SET).
SSL was developed by Netscape. It uses public key cryptography to secure messages from web browsers (clients) to Internet transaction servers (e.g., Amazon.com). SSL also uses digital certificates to verify the identity of the server.
SET was developed by Visa International and is used by credit card companies. SET uses digital certificates to identify the client (buyer), server (merchant), and merchant bank. SET employs public key cryptography to secure the messages between the three entities as they are transmitted over the Internet.
18. What is WebTrust?
WebTrust is an attest-level engagement provided by specially licensed public accounting firms. During the engagement, the WebTrust practitioner “audits” the online business to verify compliance with the program’s principles and criteria, which address matters such as privacy, security, availability, confidentiality, consumer redress, and business practices.
At the client’s request, the WebTrust practitioner often provides preparatory consulting advice. If the business meets the WebTrust principles and criteria, the website can display the WebTrust seal of approval, which is hyperlinked to information about the site’s business practice disclosures, the report of the independent accountant, management’s assertions, and a digital certificate that authenticates the seal.
19. What are steps to prepare for e-commerce security work?
Before offering Internet security services, consider the following steps:
The following items, explored more fully in the WebTrust standards, arise as part of any Internet security system:
20. Which resources provide more information about e-commerce security?
The following are useful sources of e-commerce security information:
Editor: Robert H. Colson, PhD, CPA
The CPA Journal
©2002 CPA Journal.