Deck 17: E-Commerce Fraud

Question
Search the Internet for a recent story on information being stolen from a company. Examples of this are stolen credit card numbers, personal information, and proprietary secrets. Summarize the article in two or three paragraphs. Detail several measures that could have prevented and/or detected this fraud.
Question
What principles are important in password use and training?
Question
Can e-business fraud risks ever be completely eliminated?
Question
Data theft is a bigger problem in e-business transactions than money theft.
Question
Which of the following fraud risks involves viewing information as it passes along network channels?
A) Sniffing.
B) Spoofing.
C) False Web sites.
D) Web hijacking.
Question
Which of the following types of controls is least often used to protect IT processing equipment?
A) Physical controls.
B) Authorization controls.
C) Independent checks or reference.
D) Documents and records.
Question
E-Commerce Fraud Prevention: Together with other students from your class, identify a small, local company that does e-business and whose owner or manager is willing to talk with you about its operations. With your professor's approval, meet with the company manager and explain to him or her that you are studying fraud examination and would like to discuss the company's vulnerability to fraud. Follow these steps to proactive fraud examination:
1. Endeavor to understand the business or operation of the organization.
2. Identify what frauds can occur in the operation.
3. Determine the symptoms that the most likely frauds would generate.
4. Propose several queries that might identify those symptoms.
5. Propose methods to follow up on any revelations of those symptoms.
The interview with the owner or manager should only last 30-40 minutes and should cover Steps 1, 2, and 3. After the interview, brainstorm Steps 4 and 5 as a group. Write a 500-word essay that includes your responses to each step. Before the interview, offer to submit a copy of the completed essay to the owner or manager.
Question
As the new intern for the summer, you have been asked to investigate two methods of e-mail encryption: S/MIME and Pretty Good Privacy (PGP). Compare and contrast the two systems.
1. Why do two standards exist?
2. Which do you think your employer should standardize on? Why?
Optional activity: Set up S/MIME or PGP-based plug-ins in student e-mail clients. Use the activity to learn how to get/create a public/private key pair and encrypt mail.
Question
eBay has become one of the most popular auction sites in the world. Each day, millions of products and services are bought and sold on the site. Because of its popularity, eBay is also a home for many different types of scams. Your business wants to start buying and selling on eBay, and you have been asked to find one type of scam that is popular on eBay. Search the web for common eBay scams and pick one to write about. Include a description of how the scam occurs, what types of products or services it is often found on, and how it can be prevented or detected by potential buyers.
Question
How can the authenticity of a party in an e-business transaction be verified?
Question
Customer impersonation is similar to a bust-out fraud.
Question
It is often easier to analyze e-business transaction data than data from other types of transactions because information is captured in databases that can be manipulated.
Question
Which of the following is not an element of a company's control environment?
A) Audit committee participation.
B) Management's philosophy.
C) Hiring policies.
D) Independent checks.
Question
Why does biometrics offer significant promises as a way to authenticate e-business transactions?
Question
What methods of security through obscurity does your school employ? How do these methods increase security? How do they decrease security?
Question
Dan Jones is the new CIO of Ricochet Systems, an Internet securities broker. After assessing the e-commerce risks in his company, he determines that passwords are a weak link that needs additional protection. However, he is unsure as to what the requirements for a robust password are. At your monthly golf outing, Dan asks you, knowing your background in computer forensics, what checks and policies should be in place on passwords in his company.
1. How often should passwords be changed?
2. What requirements should be enforced on passwords chosen by employees (length, dictionary words, etc.)?
3. Are there alternatives to passwords that Dan should investigate?
4. You tell Dan you'll send him a detailed e-mail message answering these questions when you get back to work. Write this message giving Dan advice on his password policies.
Question
Using a subtly different Internet host name to mimic another business is known as:
A) Spoofing.
B) Sniffing.
C) Web-visit hijacking.
D) Falsified identity.
Question
What is the most important factor in control effectiveness?
A) Clear policies regarding controls.
B) An understanding of e-business networks.
C) The use of random monitoring.
D) The "tone at the top."
Question
Sniffing changes e-mail headers or IP addresses.
Question
A number of security/intrusion detection firms exist in the market. Research one of these firms and report on its services, costs, and benefits.
1. Would you hire a firm like this for a start-up company?
2. Would you hire one for an established, small company?
3. Would you hire one for a Fortune 1000 company? Why?
Question
One of the riskiest parts of an e-commerce transaction is the payment process. Several different companies, such as Authorize.net, Google, and Yahoo! checkouts, and others provide robust solutions for this risky process. Pick a provider that services the payment process (or some part thereof, such as credit card validation) and write a short summary of what services are provided and why an e-commerce site owner may want to use the services. Include the risks that are mediated by the service.
Question
Two years ago, your best friend Scott Adams started a home business selling custom-made chairs and tables. His original designs quickly became popular, and he began selling in large quantities. To take advantage of the upcoming holiday season, Scott decided to begin selling over the Internet. He contacted a Web page designer and is now ready to go live with the site. Although he is familiar with the gist of Internet retailing, Scott is concerned about the possibility of fraud involving false online purchases where perpetrators impersonate customers and place orders. Knowing about your background in fraud, he asks you how to prevent and detect fraud in his new venture.
Questions
1. List three fraud schemes that Scott should be concerned about.
2. Identify the steps Scott should take to prevent and/or detect each scheme.
Question
Segregation of duties is an important control in preventing e-business fraud.
Question
Intrusion detection is the activity of trying to break into competitors' computer networks.
Question
E-Commerce Security: Identify a local company that conducts e-commerce, preferably one with whom you have previously done business or are otherwise familiar. Research the company and become knowledgeable in its basic operations and services. Contact the company and inform it of your interest, as a student, in learning more about its business. Inquire as to how the company guarantees the security of its site and consumers' personal information. Ask the company whether it has a formal code of conduct and, if so, whether it is available to be examined.
In essay format, describe your conversation with the company's representative, explain the security measures the company uses, and comment on the company's code of conduct. Conclude your essay by stating whether and why you would be comfortable engaging in online transactions with this company.
Question
What is sniffing?
Question
How is the data-driven, six-step detection approach relevant to e-business fraud detection?
Question
What advantages do third-party providers like application service providers offer?
Question
In what ways do e-business transactions pose heightened fraud risks?
Question
Which of the following is not an internal control activity or procedure?
A) Physical safeguards.
B) Segregation of duties.
C) Internal auditors.
D) Documents and records.
Question
Passwords and biometrics are both:
A) Authorization controls.
B) Independent check controls.
C) Physical controls.
D) Document controls.
Question
Secure web connections are based on:
A) DNS.
B) FTP.
C) HTTPS.
D) FTPS.
Question
Which of the following is not a fraud risk unique to e-business transactions?
A) Innovative technologies where security lags process development.
B) Selling new products.
C) Complex information systems.
D) Removal of personal contact.
Question
1. What is a VPN?
2. How do VPNs provide security within organizations?
3. Search the Internet for the term "IPsec." What is it? Is it considered secure?
4. Search for other VPN-related protocols and name two. Are the two protocols you identified considered secure?
Question
(If allowed by your school's policy) Download and install a network sniffer application like Wireshark or tcpdump. Sniff the traffic on your local network for 10 minutes and report on your experience.
1. What did you find?
2. Why do these applications exist?
3. How does their existence and distribution affect worldwide hacking and detection of hackers?
Question
Using secret measures as the basis for a security system is generally seen as less effective than using public, time-tested procedures.
Question
Your company, ImSecure Inc., is a security investigation firm. You have been contacted by Darling Company, a producer of cardstock for greeting card companies like Hallmike and Birthday Wishes Company. Darling currently requires orders to be placed several weeks in advance of the delivery date. Orders come in through traditional channels (account reps, paper forms, etc.). Hallmike, Darling's largest client, now requires Darling to use e-commerce for order transmission and payment. Because of this new change, Darling is considering moving all of its clients to EDI for orders and payments.
Detail the new opportunities e-commerce solutions like EDI present for internal and external perpetrators trying to defraud Darling Company.
Question
Falsified identity and customer impersonation are the same thing.
Question
Digital signatures use human features to create secure access controls.
Question
Fraud risks are higher when the entity with which you are transacting business can't be seen.
Question
Why is spoofing a significant risk in e-business?
Question
Why can it be dangerous to provide credit card information over the Internet? Does it stop the risk if you only use credit cards at local businesses?
Question
E-Commerce Survey: Conduct a random survey of at least 30 people. From the survey responses, draw several conclusions about attitudes of consumers toward e-commerce. Write a brief essay summarizing your conclusions. Attach to it any spreadsheets or charts used in your analysis. The survey should include, but not necessarily be limited to, the following questions:
1. How often do you purchase products or services over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
2. If "never," why?
3. Name two or three companies from whom you purchase products online.
4. What steps do you take to check the security of the sites and the legitimacy of the companies from whom you make purchases online?
5. How often do you pay your bills over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
6. If "never," why?
7. Name two or three companies with whom you make online payments.
8. What steps do you take to check the security of the sites and the legitimacy of the companies with whom you pay bills online?
9. How often do you view and/or manipulate banking and credit card information over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
10. If "never," why?
11. What is the name of your bank or credit card provider that provides your financial information online?
12. What steps do you take to check the security of the sites and the legitimacy of the companies with which you access online financial information?
13. How often do you double-check your bank and credit card statements for accuracy?
a. Never.
b. Sometimes.
c. Every month.
14. How comfortable are you submitting your Social Security number over the Internet?
a. Extremely uncomfortable.
b. Uncomfortable.
c. Neutral.
d. Comfortable.
e. Extremely comfortable.
15. How comfortable are you submitting your credit card number over the Internet?
a. Extremely uncomfortable.
b. Uncomfortable.
c. Neutral.
d. Comfortable.
e. Extremely comfortable.
16. How regularly do you run spyware removal programs on your personal computers?
a. Never.
b. Once a year.
c. Several times a year.
d. At least monthly.
17. Your age
Question
Which of the following fraud risks involves changing IP addresses?
A) Spoofing.
B) Sniffing.
C) False Web sites.
D) Customer impersonation.
Question
Which of the following human features is generally not used in biometrics?
A) Fingerprints.
B) Voice tones.
C) Retina patterns.
D) Weight.
Question
What are some common ways e-business fraud is perpetrated?
Question
Your company, ABC Reading, writes unique OpenGL-based reading software for children in grade school. ABC employs about 30 sales representatives who interact with school districts around the nation to sell and support your software. ABC has given each sales representative a powerful laptop on which to demonstrate your 3D software to principals and district representatives. Because of the nature of their jobs, sales reps are constantly connecting their laptops to school and hotel networks during the day and to your corporate network via VPN. You are worried about viruses and worms entering your corporate network through one of their laptops. What protections and preventions would you take to guard against this?
Question
1. Where have you seen security through obscurity employed (other than a key under the doormat at home)?
2. Did it work?
3. How did it make the situation more or less secure?
4. Are there more robust methods that could have been used to provide security?
Question
E-business transactions make it easier to commit which of the following types of frauds?
A) Kickbacks.
B) Customer impersonation.
C) Setting up dummy companies.
D) Stealing petty cash.
Question
In many e-business sales, password protection is the only barrier to unauthorized access.
Question
Biometrics is a form of authorization control.
1
Search the Internet for a recent story on information being stolen from a company. Examples of this are stolen credit card numbers, personal information, and proprietary secrets. Summarize the article in two or three paragraphs. Detail several measures that could have prevented and/or detected this fraud.
Explanation:
• Credit card credentials and information are very dangerous to share over the Internet. This data can be sniffed or hacked in transit and misused by the perpetrator to commit fraud.
• Moreover, when data is shared over the Internet, buyers and sellers are anonymous and unknown to each other.
• An impostor can easily pose as a genuine seller and collect valuable credit card details from a legitimate buyer. If the victim's system is vulnerable to sniffing or phishing, it can easily be hacked by a fraudster on the network, and loss of the buyer's credit card details is imminent.
• One such fraud, highlighted very recently, involved Vietnam, the USA and the UK. The fraudster, a Vietnamese national, is suspected of having obtained around $200 million from victims in these countries by stealing credit card information.
• In this fraud, victims received spam e-mails from commercial websites containing links that, when clicked, directed the users to a fake website.
• The fake websites are designed to look as good as the original ones.
• The buyers were deceived, and when they logged in to the fake website, their personal identity information (buyer names, contact details, home addresses, credit card credentials, Social Security numbers) was stolen by the perpetrator.
• This confidential data was misused and also sold by the perpetrator to commit fraud.
• From the user's perspective, this fraud can be avoided by being more careful when reading spam mail and by verifying links.
• First, the user should always avoid and ignore spam mail, which usually has luring or lucrative content that attracts buyers, who then fall prey to the fraudster.
• The user should never click on any links provided in such e-mails. It is always sensible, and every user should be encouraged, to log in by typing the exact address of the website correctly instead of clicking on any links provided.
2
What principles are important in password use and training?
Important principles in password use and training:
(a) Passwords used to gain authorized access to a system must be strong and complicated but at the same time easy to remember. Passwords must not be shared with anybody.
(b) Complex passwords should be used, containing alphanumeric, numeric and special characters, that perpetrators would find extremely difficult to hack.
(c) Passwords should not contain personal information such as mother's name, birth dates or location names, which would be easy for perpetrators to figure out.
(d) Passwords should not be written on any note or in any file on a desktop.
(e) Passwords should be changed at least once a month, and the same password should not be used for every portal that requires credentials to log in.
3
Can e-business fraud risks ever be completely eliminated?
Analysis of whether e-business fraud can be eliminated completely:
(a) E-business fraud is extremely difficult to eradicate completely.
(b) As new technology emerges to protect or secure data and information and prevent fraud, fraudsters keep themselves updated as well and are always on the prowl for any flaw or vulnerability in the new system.
(c) Whether the crime is committed depends on the moral character and ethics of the individual.
(d) It has mostly been found that insiders of an organization, who are well aware of every detail of the organization, are the main perpetrators of the fraud committed. In such scenarios, elimination of fraud depends on the attitude, work ethics and conduct of the employee.
4
Data theft is a bigger problem in e-business transactions than money theft.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
5
Which of the following fraud risks involves viewing information as it passes along network channels a. Sniffing.
B) Spoofing.
C) False Web sites.
D) Web hijacking.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
6
Which of the following types of controls is least often used to protect IT processing equipment a. Physical controls.
B) Authorization controls.
C) Independent checks or reference.
D) Documents and records.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
7
E-Commerce Fraud Prevention Together with other students from your class, identify a small, local company that does e-business and whose owner or manager is willing to talk with you about its operations. With your professor's approval, meet with the company manager and explain to him or her that you are studying fraud examination and would like to discuss the company's vulnerability to fraud. Follow the following steps to proactive fraud examination:
1. Endeavor to understand the business or operation of the organization.
2. Identify what frauds can occur in the operation.
3. Determine the symptoms that the most likely frauds would generate.
4. Propose several queries that might identify those symptoms.
5. Propose methods to follow up on any revelations of those symptoms.
The interview with the owner or manager should only last 30-40 minutes and should cover Steps 1, 2, and 3. After the interview, brainstorm Steps 4 and 5 as a group. Write a 500-word essay that includes your responses to each step. Before the interview, offer to submit a copy of the completed essay to the owner or manager.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
8
As the new intern for the summer, you have been asked to investigate two methods of e-mail encryption: S/ MIME and Pretty Good Privacy (PGP). Compare and contrast the two systems.
1. Why do two standards exist
2. Which do you think your employer should standardize on Why
Optional activity: Set up S/MIME or PGP-based plug-ins in student e-mail clients. Use the activity to learn how to get/create a public/private key pair and encrypt mail.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
9
eBay has become one of the most popular auction sites in the world. Each day, millions of products and services are bought and sold on the site. Because of its popularity, eBay is also a home for many different types of scams. Your business wants to start buying and selling on eBay, and you have been asked to find one type of scam that is popular on eBay. Search the web for common eBay scams and pick one to write about. Include a description of how the scam occurs, what types of products or services it is often found on, and how it can be prevented or detected by potential buyers.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
10
How can the authenticity of a party in an e-business transaction be verified
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
11
Customer impersonation is similar to a bust-out fraud.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
12
It is often easier to analyze e-business transaction data than data from other types of transactions because information is captured in databases that can be manipulated.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
13
Which of the following is not an element of a company's control environment a. Audit committee participation.
B) Management's philosophy.
C) Hiring policies.
D) Independent checks.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
14
Why does biometrics offer significant promises as a way to authenticate e-business transactions
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
15
What methods of security through obscurity does your school employ How do these methods increase security How do they decrease security
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
16
Dan Jones is the new CIO of Ricochet Systems, an Internet securities broker. After assessing the e-commerce risks in his company, he determines that passwords are a weak link that needs additional protection. However, he is unsure as to what the requirements for a robust password are. At your monthly golf outing, Dan asks you-knowing your background in computer forensics-what checks and policies should be in place on passwords in his company.
1. How often should passwords be changed
2. What requirements should be enforced on passwords chosen by employees (length, dictionary words, etc.)
3. Are there alternatives to passwords that Dan should investigate
4. You tell Dan you'll send him a detailed e-mail message answering these questions when you get back to work. Write this message giving Dan advice on his password policies.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
17
Using a subtly different Internet host name to mimic another business is known as: a. Spoofing.
B) Sniffing.
C) Web-visit hijacking.
D) Falsified identity.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
18
What is the most important factor in control effectiveness a. Clear policies regarding controls.
B) An understanding of e-business networks.
C) The use of random monitoring.
D) The "tone at the top."
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
19
Sniffing changes e-mail headers or IP addresses.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
20
A number of security/intrusion detection firms exist in the market. Research one of these firms and report on its services, costs, and benefits.
1. Would you hire a firm like this for a start-up company
2. Would you hire one for an established, small company
3. Would you hire one for a Fortune 1000 company Why
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
21
One of the riskiest parts of an e-commerce transaction is the payment process. Several different companies, such as Authorize.net, Google, and Yahoo! checkouts, and others provide robust solutions for this risky process. Pick a provider that services the payment process (or some part thereof, such as credit card validation) and write a short summary of what services are provided and why an e-commerce site owner may want to use the services. Include the risks that are mediated by the service.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
22
Two years ago, your best friend Scott Adams started a home business selling custom-made chairs and tables. His original designs quickly became popular, and he began selling in large quantities. To take advantage of the upcoming holiday season, Scott decided to begin selling over the Internet. He contacted a Web page designer and is now ready to go live with the site. Although he is familiar with the gist of Internet retailing, Scott is concerned about the possibility of fraud involving false online purchases where perpetrators impersonate customers and place orders. Knowing about your background in fraud, he asks you how to prevent and detect fraud in his new venture.
Questions
1. List three fraud schemes that Scott should be concerned about.
2. Identify the steps Scott should take to prevent and/ or detect each scheme.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
23
Segregation of duties is an important control in preventing e-business fraud.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
24
Intrusion detection is the activity of trying to break into competitors' computer networks.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
25
E-Commerce Security Identify a local company that conducts e-commerce, preferably one with whom you have previously done business or are otherwise familiar. Research the company and become knowledgeable in its basic operations and services. Contact the company and inform it of your interest as a student, in learning more about its business. Inquire as to how the company guarantees the security of its site and consumers' personal information. Ask the company whether it has a formal code of conduct and, if so, whether it is available to be examined.
In essay format, describe your conversation with the company's representative, explain the security measures the company uses, and comment on the company's code of conduct. Conclude your essay by stating whether and why you would be comfortable engaging in online transactions with this company.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
26
What is sniffing
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
27
How is the data-driven, six-step detection approach relevant to e-business fraud detection
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
28
What advantages do third-party providers like application service providers offer
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
29
In what ways do e-business transactions pose heightened fraud risks
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
30
Which of the following is not an internal control activity or procedure a. Physical safeguards.
B) Segregation of duties.
C) Internal auditors.
D) Documents and records.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
31
Passwords and biometrics are both: a. Authorization controls.
B) Independent check controls.
C) Physical controls.
D) Document controls.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
32
Secure web connections are based on: a. DNS.
B) FTP.
C) HTTPS.
D) FTPS.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
33
Which of the following is not a fraud risk unique to e-business transactions a. Innovative technologies where security lags process development.
B) Selling new products.
C) Complex information systems.
D) Removal of personal contact.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
34
1. What is a VPN
2. How do VPNs provide security within organizations
3. Search the Internet for the term "IPsec" What is it Is it considered secure
4. Search for other VPN-related protocols and name two. Are the two protocols you identified considered secure
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
35
(If allowed by your school's policy) Download and install a network sniffer application like Wireshark, tcp dump. Sniff the traffic on your local network for 10 minutes and report on your experience.
1. What did you find
2. Why do these applications exist
3. How does their existence and distribution affect worldwide hacking and detection of hackers
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
36
Using secret measures as the basis for a security system is generally seen as less effective than using public, time-tested procedures.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
37
Your company, ImSecure Inc., is a security investigation firm. You have been contacted by Darling Company, a producer of cardstock for greeting card companies like Hallmike and Birthday Wishes Company. Darling currently requires orders to be placed several weeks in advance of the delivery date. Orders come in through traditional channels (account reps, paper forms, etc.). Hallmike, Darling's largest client, now requires Darling to use e-commerce for order transmission and payment. Because of this new change, Darling is considering moving all of its clients to EDI for orders and payments.
Detail the new opportunities e-commerce solutions like EDI present for internal and external perpetrators trying to defraud Darling Company.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
38
Falsified identity and customer impersonation are the same thing.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
39
Digital signatures use human features to create secure access controls.
Unlock Deck
Unlock for access to all 51 flashcards in this deck.
Unlock Deck
k this deck
40
Fraud risks are higher when the entity with which you are transacting business can't be seen.
41
Why is spoofing a significant risk in e-business?
42
Why can it be dangerous to provide credit card information over the Internet? Does it stop the risk if you only use credit cards at local businesses?
43
E-Commerce Survey: Conduct a random survey of at least 30 people. From the survey responses, draw several conclusions about attitudes of consumers toward e-commerce. Write a brief essay summarizing your conclusions. Attach to it any spreadsheets or charts used in your analysis. The survey should include, but not necessarily be limited to, the following questions:
1. How often do you purchase products or services over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
2. If "never," why?
3. Name two or three companies from whom you purchase products online.
4. What steps do you take to check the security of the sites and the legitimacy of the companies from whom you make purchases online?
5. How often do you pay your bills over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
6. If "never," why?
7. Name two or three companies with whom you make online payments.
8. What steps do you take to check the security of the sites and the legitimacy of the companies with whom you pay bills online?
9. How often do you view and/or manipulate banking and credit card information over the Internet?
a. Never.
b. Two or three times a year.
c. At least once a month.
d. Several times a month.
10. If "never," why?
11. What is the name of your bank or credit card provider that provides your financial information online?
12. What steps do you take to check the security of the sites and the legitimacy of the companies with which you access online financial information?
13. How often do you double-check your bank and credit card statements for accuracy?
a. Never.
b. Sometimes.
c. Every month.
14. How comfortable are you submitting your Social Security number over the Internet?
a. Extremely uncomfortable.
b. Uncomfortable.
c. Neutral.
d. Comfortable.
e. Extremely comfortable.
15. How comfortable are you submitting your credit card number over the Internet?
a. Extremely uncomfortable.
b. Uncomfortable.
c. Neutral.
d. Comfortable.
e. Extremely comfortable.
16. How regularly do you run spyware removal programs on your personal computers?
a. Never.
b. Once a year.
c. Several times a year.
d. At least monthly.
17. Your age
44
Which of the following fraud risks involves changing IP addresses?
A) Spoofing.
B) Sniffing.
C) False Web sites.
D) Customer impersonation.
45
Which of the following human features is generally not used in biometrics?
A) Fingerprints.
B) Voice tones.
C) Retina patterns.
D) Weight.
46
What are some common ways e-business fraud is perpetrated?
47
Your company, ABC Reading, writes unique OpenGL-based reading software for children in grade school. ABC employs about 30 sales representatives who interact with school districts around the nation to sell and support your software. ABC has given each sales representative a powerful laptop on which to demonstrate your 3D software to principals and district representatives. Because of the nature of their jobs, sales reps are constantly connecting their laptops to school and hotel networks during the day and to your corporate network via VPN. You are worried about viruses and worms entering your corporate network through one of their laptops. What protections and preventions would you take to guard against this?
48
1. Where have you seen security through obscurity employed (other than a key under the doormat at home)?
2. Did it work?
3. How did it make the situation more or less secure?
4. Are there more robust methods that could have been used to provide security?
49
E-business transactions make it easier to commit which of the following types of frauds?
A) Kickbacks.
B) Customer impersonation.
C) Setting up dummy companies.
D) Stealing petty cash.
50
In many e-business sales, password protection is the only barrier to unauthorized access.
51
Biometrics is a form of authorization control.