Preventing Internet Fraud By Preventing Identity Theft
This project concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It is based upon a belief that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft.
Published on: Mar 4, 2016
Information Security Seminar IT 6873
Instructor: Dr. Ming Yang
E-Commerce Security: Preventing Fraud By Preventing Identity Theft
Diane M. Metcalf
May 6, 2012
Project Summary

E-Commerce is a relatively new way of doing business. Over the last several years, it has become a convenient, trusted, accepted and often less expensive way to purchase goods and services. As e-business continues to grow, the potential for exposure to threats also increases. As the threats become more damaging and/or widespread, “security” becomes critical in preventing fraud. There are many types of security already in place; however, most internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (1) Typically, with e-commerce fraud, the credit card information was gained illegally and used to order merchandise or services via the internet under a false name.

This project concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It is based upon a belief that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft.

Specifically, the project examined the effectiveness of an Identity Theft Prevention class with a group of elementary school faculty and staff in expanding awareness of personal internet security. A pre-test, post-test design was used.

In doing this research, I had expected to gain a realistic perspective regarding the nature, and the best implementation, of E-Commerce Security in regard to internet fraud.
Introduction

What is Internet fraud?

Internet fraud is a type of cybercrime in which transactions are committed by using deception. The National Consumers League Fraud Center lists 25 different scams currently making the rounds on the Internet, including these types of internet fraud: (1)
- Advance fee (Nigerian letter scam)
- Business or employment scams
- Counterfeit checks
- Credit or debit card fraud
- Identity theft
- Freight forwarding or reshipping
- Investment schemes
- Non-delivery of goods/services
- Online auction and other sales
- Phony escrow
- Pyramid or “Ponzi” schemes (fraudulent investment operations)

Many scams are variations of those that were in existence before the Internet. The primary difference is that Internet scammers utilize email, chat, forums and false websites instead of more traditional methods such as telephone and US mail. (2) Utilizing the internet allows even wider access and greater anonymity to the scammer.

Internet credit card fraud occurs when an e-Commerce merchant is unaware that an order was not placed by, and will not be paid for by, the authentic cardholder. (3) Typically, with e-commerce fraud, credit card information was gained illegally and used to order merchandise or services via the internet under a false name. (It is much easier to commit credit card fraud via an e-commerce transaction than it is to do in person.) When the authentic cardholder receives the statement from the issuing bank and reports the fraud, a “chargeback” must be issued by the merchant. This means that the merchant refunds all the expenses and pays an additional fee. (4)
Identity thieves gain access to consumers’ information by stealing checks, bank statements, wallets/purses, or by proffering a phony offer via phone or email. More recently, a more common way of obtaining sensitive information is to create imitation, but realistic-looking, bank or merchant websites, or to send emails that request security information from the consumer by instructing them to click on a link and input their personal information. The information is then used to steal their identity in order to access their bank accounts, obtain loans, or use their credit cards.

Merchants who accept credit cards online are subject to additional examination and processes in the ongoing effort to protect credit card information. Online merchants are also subject to:
- higher transaction fees to offset the cost of security
- more stringent shipping requirements
- paying the cost of becoming and staying PCI compliant

The merchant is held responsible for any accepted fraudulent transaction.

Through the issuance of the “Red Flags Rule” and “Red Flags Guidelines” for financial institutions, our government has provided a means of protecting consumers from identity theft. Legislation requires merchant compliance, and this compliance helps to foster trust-based relationships. (5)

Objective

“Security” is no longer about keeping “just” networks, or individual computer systems, protected. Today, “security” is considered to be a legitimate business strategy, protecting the business as a whole. Security is not merely a collection of “features”. It is a complex system of multiple processes wherein the weakest link in the security chain establishes the level of security for the entire system. (6)
Current security technology emphasizes security from the side of the merchant, even though it is the consumer whose behavior may often provide thieves with the information they need to commit the crimes. Often, even when the security technology works seamlessly, utilizing multiple layers of technology, including those offered by credit card issuers, fraud still takes place. This is because the consumer is often the “weakest link”.

As a result, “security” is not just for businesses or merchants; rather, individual consumers need to understand the concept of security as it pertains to e-commerce, and to take personal responsibility for their role in the protection of their data and the prevention of fraud.

Existing Issues

The integrity of an e-commerce transaction is based upon four factors:

Privacy: information must be kept safe from unauthorized access. This issue is currently handled by encrypting the data, using PKI (public key infrastructure) and RSA.

Integrity: information must not be altered or tampered with. Maintaining the integrity of information is achieved by using digital signatures. The use of digital signatures meets the need for authentication and integrity.

Authentication: sender and recipient must prove their identities to each other. To verify that a website that is receiving sensitive information is actually the intended website (not an imposter), a digital certificate is employed.

Non-repudiation: proof that the message was actually received.
The vulnerability of a system exists at these entry and exit points:
- Shopper’s computer
- Network connection
- Website’s server
- Software vendor

There are at least three transactions whereby sensitive information is vulnerable during an e-Commerce purchasing transaction: (7)
1. Credit card information supplied by the customer. Handled by the server’s SSL and the merchant’s/server’s digital certificates.
2. Credit card information forwarded to the bank for processing. Handled by the security measures of the payment gateway.
3. Order and customer details furnished to the merchant. Handled by SSL, server security, digital certificates and the payment gateway.

State-of-the-art security/methodologies

PKI

A PKI (public key infrastructure) consists of:
- A certificate authority (CA) that issues and verifies a digital certificate. The certificate includes the public key and/or information about the public key.
- A registration authority (RA) that verifies the certificate authority before a digital certificate is issued to the requestor.
- Directories where the certificates and their public keys are held.
- A certificate management system.

PKI enables users of an unsecure public network (i.e., the Internet) to securely and privately trade data and/or currency by using public and private cryptographic key pairs that are acquired from and shared via a trusted authority. The public key infrastructure provides digital certificates that identify an individual or an organization, and also provides directory services that store and, if necessary, revoke the certificate. (8) PKI automates the process of verifying the validity of a certificate. It provides the ability to publish, manage, and use public keys easily.

RSA algorithm (Rivest-Shamir-Adleman)

RSA is the most commonly used encryption and authentication algorithm. It is included as part of Microsoft’s and Netscape’s web browsers, Lotus Notes, Intuit’s Quicken, and several other software products. RSA is also used by banks and governments. Third-party key distribution centers use RSA. The RSA algorithm multiplies two large prime numbers (a number divisible only by itself and one) and, in combination with other operations, generates a set of two keys, one public and one private. The original prime numbers are then discarded.

The private key is used to decrypt text that has been encrypted with the public key. In addition to encrypting messages (privacy), authentication also takes place with the use of the private key by the encryption of a digital certificate. Both the public and the private keys are needed for encryption/decryption, but the private key never needs to travel across the Internet. The two keys differ from one another, but each key is shared with the key distribution center. The keys are encrypted, and rules are set, using a variety of protocols. Private keys must be kept secret, and most security lapses arise here. (9)

Secure Sockets Layer (SSL)

The Internet uses the set of rules, or protocols, called TCP/IP (Transmission Control Protocol / Internet Protocol), whereby the information is broken into packets which are numbered sequentially and include error control methods. Each packet is sent via a different route. TCP/IP reassembles the packets in their original order and resubmits packets that have errors. (10)

SSL is a method that utilizes both PKI and digital certificates to ensure privacy and authentication. The server receives the message from the client and replies with a digital certificate. Using PKI, the server and client negotiate the creation of session keys (symmetric secret keys made specially for that particular communication), and communication continues with the session keys and digital certificates in place.

Where credit cards are accepted by merchants online and processed in real time, four options arise for the merchant in question:
1. Use a service bureau which is responsible for the security of all sensitive information in the transaction.
2. Use an e-Commerce merchant account but use the digital certificate supplied by the hosting company. This is a less expensive option that is acceptable for transactions with Small to Medium Enterprises (SME). Certain terms and conditions may apply to the supplied digital certificate.
3. Use an e-Commerce merchant account, but purchase a digital certificate for the business (costing hundreds of dollars).
4. Use a merchant account, and run the business from a business-owned private server. This requires trained IT staff to maintain security, i.e., firewalls, Kerberos (an authentication mechanism), SSL, and the digital certificate for the server (thousands to tens of thousands of dollars).
Digital Signatures

Digital signatures help ensure authentication and integrity and are used to confirm one’s identity to another party, and that the data has not been altered. (They verify the origin and contents of a message.)

Digital signatures are implemented through public-key encryption. A digital signature is prepared by first passing the plain text through a hash function to calculate the message digest value. The digest is then encrypted with the private key to produce a signature, which is then added to the original message, and the whole package is sent to the recipient.

In this way, the recipient can be sure that the message came from the sender. The received message is decoded with the private key, and processed back through the hash function. (The message digest value remains unchanged.) Very often, the message is also time-stamped by a third-party agency. (11)

Digital Certificates

Digital certificates provide digital credentials used for identification. They provide identity and other supporting information about an entity and are valid for only a specific period of time. They provide the basis for secure electronic transactions by enabling all participants in the transaction to quickly and easily verify the identity of the other participants. Digital certificates are sold for use with email, and for e-merchants and web servers. Digital certificates uniquely identify merchants, and are issued by the CA (Certification Authority, e.g., VeriSign, GlobalSign). When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. Validating the authenticity of a digital certificate can be achieved by obtaining the certification authority’s public key and using it against the certificate to determine if it was actually signed by the certification authority.
Digital certificates contain the public key of the entity identified in the certificate. The certificate matches the public key to a particular individual. Because the CA guarantees the validity of the information in the certificate, digital certificates provide a solution to the problem of how to find a user’s public key and know that it is valid. For a digital certificate to be useful, it has to be understood and easily retrieved in a reliable way. Digital certificates are standardized for this reason, so that they can be read and understood regardless of the issuer. (12)

The technologies listed above use encryption as their primary way of protecting data, individuals and organizations. Although considered strong methods, they are not perfect. Vulnerabilities in PKI have been exploited in order to issue rogue digital certificates for secure websites. False CA certificates that were trusted by common web browsers have been created. Website impersonation, including banking and e-commerce sites secured with the HTTPS protocol, has occurred. (13) A weakness recently found in the MD5 cryptographic hash function has allowed for the creation of distinct messages with the same MD5 hash.

There are many other security methods and practices. Creating and maintaining office and employee security policies (passwords, backups); protection from viruses, spyware and hackers by implementing firewalls and antivirus solutions; fortifying web server and database security by researching hosting companies; verifying webpage content and customer data; tracking customers (cookies); and calculating and providing correct invoices and inventory are a few ways to heighten security. The primary underlying goal of all security methods is to deter and prevent fraud.

The goal of this study was to determine whether empowering consumers with information and resources for use in protecting sensitive information is a necessary and relevant component of preventing identity theft, thereby lowering internet fraud.
Method:

The method of approach for this paper is a pretest/posttest research study of the effectiveness of an education program that was developed using the ACM Digital Library and IEEE/IEE Electronic Library, including professional journals, web articles, and white papers. Specifically, the study examined two questions:
1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security?
2. Does participation in the program increase participants’ knowledge or awareness of methods of protecting their personal e-commerce security?

Data were collected using an instrument that asked respondents to answer questions about each of ten security scenarios. The pretest instrument was given approximately four days in advance of the Identity Theft Prevention class to all individuals who were to participate, and to a group of randomly selected teachers, staff, and administrators who were not going to participate. The instrument was administered again two days after the class to the individuals who had participated in the class.

A presentation and interactive class covering the topic of safeguarding personal information was developed. The class included an online interactive quiz to identify spoofed email, and a PowerPoint presentation about how to identify spoofed telephone calls, the various ways of preventing victimization, how to safeguard information when using public WiFi, how to configure security when using social networking sites like Facebook, examples of how to check a credit report for fraudulent activities, and steps to take if victimized, including reporting information for contacting authorities (the presentation slides are attached).

A summarization of the class, in the form of an “Identity Theft Prevention Tool-Kit”, was developed and provided in digital format to each participant for future reference.
Results

Aggregated Data: Table 1. Percentage Correct by Item, Group and Test (percent answering correctly)

Item | Question | Pretest, Control | Pretest, Treatment | Posttest, Treatment only
1 | If an official from your bank or a government agency calls your phone, and asks for your bank account or social security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers. | 100 | 70 | 100
2 | When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.). | 20 | 60 | 90
3 | The best passwords for your financial accounts are things only you could know, such as your mother’s maiden name, your dead pet’s name, your children’s names, or the last four digits of your social security number. | 40 | 70 | 90
4 | It is safe to use a public computer to access your financial information on the internet. | 60 | 70 | 100
5 | If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new tool bars on your computer that you never added, your computer is probably infected with spyware. | 100 | 60 | 100
6 | You have bid for an item you really want in an online auction. However, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction, and you arrange payment and delivery with the seller. This transaction was safe. | 100 | 60 | 90
7 | You get an e-mail from your bank saying your account has been frozen due to security precautions. You’re asked to click a link to a website to enter your account number and PIN. This is a legitimate bank intervention for your protection. | 100 | 80 | 100
8 | You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car, and sends you a cashier’s check for $10,000 more than you’re asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier’s check bounced, so you owe the bank $10,000. This scenario can actually happen. | 60 | 80 | 100
9 | When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizens’ investigation." You are instructed to go back into the bank, the drive-through, or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, and then leaves. This was a legitimate transaction, and your money will be returned. | 100 | 100 | 100
10 | You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your social security number. | 60 | 50 | 100
Mean | | 75.6 | 72.2 | 96.7

Conclusions and Future Work:

1. Are individuals who volunteer to participate in the program representative of the teachers, staff, and administrators in the school in their knowledge or awareness of e-commerce security?

The control group’s mean score on the pre-test was 75.6, and the mean score of the treatment group (the group that attended the Identity Theft Prevention Class) was 72.2. This indicates that performance was similar across both groups, in that the scores were within 4 percentage points of each other.

This suggests that the teachers, staff and administrators who participated in the Identity Theft Prevention class were representative of the teachers, staff and administrators who were offered an opportunity to participate in the class. Neither group was more aware or adept at safeguarding their personal information than the other.
2. Does participation in the Identity Theft Prevention Class increase participants’ knowledge or awareness of methods of protecting their personal and sensitive information?

The treatment group’s pre-test score of 72.2 and its post-test score of 96.7 demonstrate an overall increase of 24.5 points. This suggests that participating in the Identity Theft Prevention Class increased each participant’s knowledge and/or awareness for protecting/safeguarding their personal information.

Summary:

Mobile e-Commerce, along with an increase in wireless Internet applications such as mobile electronic commerce applications, will be a challenge. Payment devices are rapidly developing and becoming present everywhere. Payment cards are considered to be the principal drivers of the transfer from paper to electronic-based payment devices. The use of POS (point-of-sale) devices is increasing. These devices are the equivalent of an electronic cash register and are used in supermarkets, restaurants, hotels, stadiums, taxis, and almost any type of retail establishment. New methods of authentication are being, and need to be, developed and improved, many using biometrics, including internal DNA storage and retinal scanning. (14)

Security is more important than ever to ensure the integrity of the payment process and to protect individual and organizational privacy. The technologies mentioned above are the current methods of ensuring a high measure of security. This measure must continue to grow and develop, as new threats will certainly do the same. It is crucial that security measures become an integral piece of the structural design, plan, and implementation of any e-Commerce site. It is equally crucial that consumers bear the responsibility for safeguarding their personal information.

This project was interesting to do, and, if done on a large scale with the same results, could be useful to merchants, who might interpret the results to mean that consumers are able to be educated and empowered, as well as held responsible, for safeguarding their personal data. This belief could be utilized in a team approach to preventing internet fraud, including identity theft. A shared, team approach to safeguarding sensitive information would remove sole responsibility (and the associated costs) from the merchant.

Problems encountered with this study were obtaining a large participant sample and, in order to ensure that participants would actually complete the surveys, keeping the pre/post test questions to a minimum.

If I did this project again, I would advertise the class for a couple of weeks before the class, hoping to gain the interest of more participants. I would interject sporadic statistics and questions regarding internet fraud in the method that was used for advertising the class (posters, email, newsletter, etc.) in an attempt to demonstrate that the class would be personally useful. I would mention that the format of the class is informal, interactive and fun, to attract interest.

I would have a larger question base for the pre- and post-tests (maybe 25-50 questions) and present them in varied formats: true/false, multiple choice and fill-in-the-blank.

I would also administer the post-test 2 weeks after the class, at the earliest, and again at 6 months, and possibly even a year later, to ascertain whether the material had been retained. It would also be interesting to see whether anyone in the study had been a victim of internet fraud within the year following the class.
Based on the outcome of this study, it would be interesting to conduct research that would demonstrate the amount of online fraud that is due to errant (or lacking) security measures by the merchant or bank, and how much takes place due to the consumer’s lack of personal security savvy.

The original proposal stated that the results of this study would be compared with the results of similarly conducted studies to determine whether the hypothesis was correct: that empowering consumers by educating them about internet fraud, and specifically identity theft, can potentially reduce the incidence of both.

Instead, I decided that it made more sense to pre-test and post-test the experimental group, and also to see if I could get some willing volunteers who were not participants of the class to answer the pre-test survey as well. In this manner, I would know whether my experimental group was a good representation of the entire group of faculty/staff that was offered the class, or whether they were somehow more “fraud savvy” to begin with. As the results show, the experimental group was a representative sample.

By comparing the pre- and post-test scores of the experimental group, it could be determined whether any learning took place, as demonstrated by an increase in test scores 2 days after the class. As the results show, the overall increase in scores suggests that the participants learned ways of safeguarding their personal data.
References

1. NC State University Office of Information Technology, http://oit.ncsu.edu/safe-computing/net-fraud#types
2. Online Threats - Internet Fraud, http://www.mywot.com/en/online-threats/internet-fraud
3. Global Merchant Services, How to Minimize Online e-Commerce Credit Card Fraud, http://www.gspay.com/how-to-minimize-online-e-commerce-credit-card-fraud.php
4. Eisen, Ori, Telltale Signs of E-Commerce Fraud, E-Commerce Times, 02/25/09, http://www.ecommercetimes.com/story/66278.html
5. Ehrlich, Matt, The Consumer’s Responsibility in Preventing Identity Theft, Fraud Management, 09/20/10
6. Ecommerce Security Issues, http://www.ecommrce-digest.com/ecommerce-security-issues.html
7. Khusial and McKegney, e-Commerce security, IBM developerWorks, ibm.com, 02/02/12, http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
8. Van Vark, J. (1997), e-Commerce and the Security Myth: The real security issues of e-Commerce, mactech.com, 01/24/12, http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/index.html
9. E-Commerce Security Issues, ecommerce-digest.com, 01/21/12, http://www.ecommerce-digest.com/ecommerce-security-issues.html
10. RSA, TechTarget SearchSecurity, 02/02/12, http://searchsecurity.techtarget.com/definition/RSA
11. PKI, TechTarget SearchSecurity, 02/01/2012, accessed 02/03/12, http://searchsecurity.techtarget.com/definition/PKI
12. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D. A., MD5 considered harmful today: Creating a rogue CA certificate, win.tue.nl, 02/15/12, http://www.win.tue.nl/hashclash/rogue-ca/
13. Oracle ThinkQuest, Use of Data Encryption in Today’s Context: E-commerce, library.thinkquest.org, 02/9/12, http://library.thinkquest.org/27158/today1_2.html
14. Thanh, Do Van, Security Issues in Mobile e-Commerce, 02/13/12, http://books.google.com/books?id=kb69hBiQMiYC&lpg=PA467&ots=6XE-e9QvUo&dq=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&pg=PA468#v=onepage&q=security%20issues%20in%20mobile%20e%20commerce%20do%20van%20thanh&f=false
Appendices

1. The Identity Theft Pre and Post Test questions:

Please indicate true or false by typing an “X” next to the answer:

1. If an official from your bank or a government agency calls your phone, and asks for your bank account or Social Security information, you are safe to answer their questions. However, you should refuse to provide this information to all other callers.
True False

2. When purchasing online, you should always pay with a credit card, rather than other forms of payment (debit card, PayPal, check, etc.).
True False

3. The best passwords for your financial accounts are things only you could know, such as your mother’s maiden name, your dead pet’s name, your children’s names or the last four digits of your Social Security number.
True False

4. It is safe to use a public computer to access your financial information on the internet.
True False

5. If you get a lot of pop-up ads while surfing the internet, are taken to internet sites other than the ones you type in, or see new toolbars on your computer that you never added, your computer is probably infected with spyware.
True False

6. You have bid for an item you really want in an online auction; however, you were not the highest bidder. Much to your delight you are contacted a few days later telling you that the seller has decided to sell the exact same item to you, but the transaction must be conducted privately, not on the auction site. You conduct the transaction; you arrange payment and delivery with the seller. This transaction was safe.
True False

7. You get an e-mail from your bank saying your account has been frozen due to security precautions. You’re asked to click a link to a Web site and enter your account number and PIN. This is a legitimate bank intervention for your protection.
True False

8. You have placed an online ad for a car you want to sell. A stranger contacts you, offers to buy the car and sends you a cashier’s check for $10,000 more than you’re asking. When you ask about the discrepancy, the buyer says it was a mistake and asks that you send him a check to refund the excess. You cash his check, your bank says it looks fine, and you send him his refund. Two weeks later the bank tells you the cashier’s check bounced, so you owe the bank $10,000. This scenario can actually happen.
True False

9. When leaving your bank, you are approached by a federal agent who asks you to participate in a "citizen investigation." You are instructed to go back into the bank, the drive-through or the ATM and withdraw a certain amount of cash. The agent then says he needs to examine the cash to check serial numbers, potential for counterfeit, etc. He gets your contact information, promises to return your money, then leaves. This was a legitimate transaction, and your money will be returned.
True False

10. You get a phone call from someone who claims to be with your county courthouse. You check your caller ID, which shows the actual phone number of the courthouse. This person could actually be a criminal calling from overseas, trying to steal your Social Security number.
True False

2. The Identity Theft Prevention Class PowerPoint Presentation: Protecting Your Identity On-Line (attached file: Protecting YourIdentity On-line.ppt)