Prudens Information Resources for the Internet


E-CRIME, SECURITY & PRIVACY

A Prudens e-Report


Introduction

E-Business security measures are aimed at protecting Internet users from the illegal online actions of others, also known as e-Crime. They protect online transactions and sensitive information stored in Web site data bases from crimes such as:

But sometimes, as discussed below, security measures conflict with an individual's privacy.

e-Crime

e-Crime offers many advantages for criminals compared to traditional crime. Usually there is no physical crime scene and little if any interaction among victims, witnesses and perpetrators. Sometimes the crime is discovered long after it was committed, and in some cases may never be detected. Criminals leave little evidence, and the investigation of an e-crime may require expertise not readily found in a local police department. Further, there are many potential victims and crime often occurs far away from the perpetrator, which makes apprehension difficult and raises the issue of jurisdiction.

Another break for criminals is that if a corporation is victimized, it may not report the crime to the police because its reputation might be affected and its stock price might drop.

Web Site Intrusion

The elimination of "Web site intrusion" is a significant first step to protect organizations and individuals from e-crime and violations of privacy. The success of measures to keep intruders out of web sites is debatable. According to various surveys of computer crime, it appears that corporate security measures are beginning to take hold, even though number of complaints is rising, and the sophistication of the attackers is increasing. For example in 2004, the Internet Fraud Complaint Center (IFCC) received 207,449 complaints, over 10 times the complaints registered in 2001. Online fraud, including online auction fraud, continues to be the biggest complaint.

After gaining access to the site the intruder may be able to make up a new identity, or take over the identity of an existing user, usually to engage in identity theft or fraud, or to send threatening messages.

Unauthorized intrusion into a site often results in significant monetary damages since the victim must thoroughly review the site for damage. All of the code and data stored on the site must be examined for the possible inclusion of hidden programs such as "Zombies" or "Trojan Horses" that could have disastrous consequences at a later time. On occasion someone will enter a site to destroy or modify account, employee, educational or environmental database records for personal gain or to hide illegal activity. Another activity of the site intruder is to store data that can be accessed from another site.


Child Pornography Storage

Files of illegal pornographic images are often stored on servers in foreign countries, beyond the reach of law enforcement officials. Sometimes they are stored on the web servers of unsuspecting organizations, even churches or youth groups!

Electronic Theft and Online Espionage

Theft can include taking trade secrets, credit card numbers, and different types of intellectual property from a Web site. This type of crime has grown along with the increase on Web site or computer intrusion, giving rise to the Economic Espionage Act of 1996 that makes trade secret theft a federal offense.


Difficulties in Reporting Trade Secret Theft

Companies struggle to place a value on the theft of trade secrets because business success may depend on an unproven technology, an untried pricing scheme, or factors in the business environment. However, the law enforcement response to the theft will usually depend on the dollar amount of the loss. For example, a Federal prosecutor may decide not to bring charges against the perpetrator if the value of the crime is determined to be less than $20 million - due to a shortage of personnel! Also, if a company reports a high-value crime, it will have to justify that value by describing the technology and thus giving away the very trade secrets it had tried to protect.

Identity Theft

The Federal Trade Commission warned that identity theft affected 25 million people in 2004 and is on the rise. In order to commit identity theft, enough information must be collected to "become" that person online. This may include the social security number, birthplace and date, credit card numbers with date of expiration, and mother's maiden name of the victim. Many merchants, utility and government Web sites have large databases of sensitive personal and business information that are high profile targets for online thieves.

Viruses and Self-Propagating Worms

A "virus" unleashed on the Internet may cause significant damage to a Web site and disrupt operations. The selection of attacked Web sites may be random, or it may rely on a weakness in a particular software product such as Microsoft's Outlook, and may spread the offending code to all the contacts in the associated address book.

Online vandals also launch self-propagating worms, small programs which replicate and forward themselves from one site to another. These worms overload the victim's site with meaningless data to the point where the site can't process any requests or transactions. The site will slow down and may shutdown, succumbing to what is known as a denial-of-service attack. The subsequent downtime can result in a significant monetary loss to the host.

In a "distributed denial-of-service (DDOS)" attack, a two stage approach is used, where in the first stage Zombies, or the attacking programs, are clandestinely placed in third-party PCs and servers. Some "crackers" maintain networks, or botnets, of thousands of PCs, each containing a zombie ready for action. In the second stage the zombies are simultaneously activated ("called forth") to attack a particular site.

Each week about 80 successful attacks on Web sites are reported to CERT, a federally funded security group. The number is rising due to the increasing number of sites and because more sites are being connected to the Internet with "24/7" high speed DSL or cable access.

Online Fraud

Online fraud, primarily credit card fraud, and auction fraud, are the biggest complaints about doing business on the Internet.

Credit Card Fraud

Security in e-commerce has essentially become the responsibility of the seller. If a stolen credit card number is used for an online purchase, the seller may have to pay, whereas in the physical world, the issuing bank of the credit card is liable. When a charge is disputed, and the selling site has no signature or other identification of the buyer, the site becomes responsible for any loss that might occur; otherwise the financial institution that issued the card is responsible. Credit card fraud offers little risk to the buyer since the Fair Credit Billing Act of 1975 sets a $50 dollar limit on fraudulent charges.

Although the online use of credit cards is relatively small compared to offline use, it has historically accounted for 50% of credit card fraud. This should be dramatically reduced as online purchasers begin to use a PIN number known only to them and the credit card company.

Auction Fraud

Auction-related fraud, such as non-payment or non-delivery of goods, is the crime most frequently reported to the Internet Fraud Complaint Center. Complaints are also received against the intermediary payment services, such as PayPal, but these are diminishing with improvements in service due to increased experience, and as new consumer-friendly competitors enter the market.

Piracy

The piracy of intellectual property includes the illegal copying or manufacturing of software, content and other unlawful duplication of information. Included in this type of crime is the illegal copying and distribution of software, music and motion pictures. Entertainment-related content is created to be shared. The question is how can it be shared so that its owner is fairly compensated?

Software Piracy

Although much publicity has been given to the billions of dollars of pirated music and movies, there is a long-standing problem of international software piracy since the beginning of the digital age. The Business Software Alliance and the Software Publishers Association have conducted annual surveys since 1994. Even with a continuing drop in software piracy, the 2004 study found that 23% of the business applications software installed in the U.S. was pirated, which resulted in a loss of $7.2 billion to software companies. Globally the figure was 36% representing a loss of $29 billion.

Music Piracy

The Recording Industry Association of America (RIAA) and several recording artists successfully filed a lawsuit to prevent Napster from promoting the illicit copying and distribution of copyright-protected MP3 music files on the Internet. However, the Napster case ended the strangulation hold that the major recording companies held on the music industry and forced them to come up with competing models for the distribution and sale of music over the Internet.

Since many illegal music distribution companies have moved offshore, the RIAA is turning its attention to individuals that download large amounts of music, and to the places, such as universities, where they operate.

Movie Piracy

Hundreds of thousands of movies are illegally transferred on the Internet each day according to the Motion Picture Association of America. File sharing services that are known to transfer movies as well as music include Morpheus of Streamcast Networks, Grokster, based in the West Indies, and Kazaa BV, which has been sold by a Dutch firm to Australian interests. Both the RIAA, buoyed by its success against Napster, and the MPAA, with its international affiliate, MPA, have filed lawsuits against these and similar firms.

On the positive side, the major studios are sponsoring Movielink in an attempt to have a legal and profitable approach for the public to download movies.

Security Against e-Crime

Security in e-business involves Web site security and security in e-business transactions. Web site security refers to the prevention of web site intrusion and the protection of data stored on a Web site, such as data stored in a database accessed by an outside application. This is accomplished with security programs, and technical solutions such as firewalls and identity management, which are designed to keep uninvited guests out and track those who attempt to access the site. The use of encryption and special protections against specific crimes also play a role.

Security in e-business transactions refers to the security of data as it is processed or transferred between sites, such as when web services are performed. The provision of transaction security involves measures such as encryption, digital signatures and digital watermarks.

Security Programs

The first and most important defense against e-crime is common sense and correct behavior in the form of policies and procedures. A system protected with a password doesn't have to be bypassed by an online criminal if he obtains the password from a system user. This is also why a disgruntled employee is a threat to security; he may have inside knowledge of how the protection systems can be by-passed.


Common Sense Approach to Security

Bruce Schneier in his book, Secrets and Lies, believes that a focus on risk, rather than technology or algorithms, should improve security on the Internet. Schneier recommends that organizations use common sense to establish accountability, promote awareness, provide extra protection for the most valuable assets, mitigate risk, be vigilant and maintain an understanding of likely threats, in order to detect and respond to Internet attacks.

Web site security also relies on fixing bugs in software that can be exploited for e-crime, and on technical fixes such as improving software algorithms. In many cases, intrusion crimes can be traced to the incorrect setup of software applications, especially those with multiple features. The SANS Institute has a running top ten list of Internet security threats, which are primarily caused by a small number of security flaws in software products. Most can be corrected by downloading and installing a software patch or turning off unneeded application options. But some system administrators have a dilemma about installing software patches. The patches can interfere with other applications since they are developed quickly to correct a specific problem without consideration of how they interact with other applications and systems.

Site Protection Systems

The level of security to be maintained on a Web site will depend on the level of acceptable risk, monetary restrictions, and organization policy, all of which reflect the objectives of the organization and the purpose of the Web site. Generally, the cost of protecting a resource shouldn't exceed the value of the resource. If the site has invaluable information that could affect national security, then every possible means should be taken to protect it. Otherwise the level of security is a trade-off between risk versus cost.

One approach to reduce risk is to avoid using the Internet, a public network. However, the cost of this option is so high that only critical government and financial operations use it. Another approach, which uses the Internet, is to create a grid for internal operations or among "partners" (e.g. supply chain partners). This provides added security since every user on the grid should be authenticated.

A basic principle of site security is to separate servers for different functions. For example, sensitive data and operations (e.g. financial transactions) could be placed on a separate "secure" server, which cannot be directly accessed from the Internet. This principle could be used to divert would-be web site users to a proxy web server, where their identity can be evaluated, prior to allowing them to proceed further on the site. Since proxy servers may also be used to provide web site scaling during bursts of Internet activity, these proxy sites may be copies of the real site, but their use could be switched to that of a "dummy site" during an emergency, where information about would-be intruders could be determined.

The traditional approach to site security is to provide a firewall, which is a general term to describe combinations of software and hardware solutions to preventing web site intrusion. Firewalls are based on password protection, and even though there may be firewalls within firewalls to limit access to sensitive data, knowledge of the passwords will provide access. Some web site intruders have been known to take over the administrative function of the site and assign themselves passwords, or back doors that can be used at a later time.

The identity of a user may be assigned indirectly through the identity of a work station that can be authenticated at a later time. The assumption is that only a particular user will be able to sign on to the work station. A better form of establishing the identity of an individual is through the use of biometric data such as a fingerprint or retinal scan.

Once the user's identity is confirmed, a directory provides him or her with the permissions required to access specific data files on a Web site. This differs from the traditional approach of entering the Web site through a series of firewalls since many users could have the access codes.

Single sign-on, eliminates the necessity for the user to re-enter identification authentication information, since identity is authenticated by a single identity service provider, usually the host enterprise, or grid manager. When the authentication of a user by one identity service provider is accepted by another identity service provider, the user is said to have a federated identity.

Protection Against DOS Attacks

Specific measures are needed to protect against Denial of Service (DOS) attacks, especially Distributed Denial of Service (DDOS) attacks, because of the their speed and intensity. Some sites employ a honeypot defense, in which suspicious incoming traffic is sent to a honeypot, or proxy site, where information from the attacking site is collected and used to defend the site by, for example, rejecting messages from it. In a tarpit defense, a suspected attacking site is not allowed to transfer data and its access to the site is not allowed to immediately disconnect, thus slowing down the attack to a manageable level.

Data Protection

Data protection exemplifies one dilemma posed by the Internet. On one hand making data available to those who need it is one of its benefits. On the other hand the damage caused by unwittingly making data available to the wrong persons can cause substantial damage. If the benefit of making the data available outweighs the danger of its misuse then every effort should be made to protect it. Otherwise it shouldn't be accessible via the Internet.

First sensitive data should be difficult to access through the use of "protection systems within protection systems". Access should be limited to known individuals, and monitored by systems and managers. Firewalls and identity management schemes should be used as appropriate. And, finally, encryption should be used as final resort, even for data stored on a web site.

Encryption

An ancient art, encryption allows the transmission of messages or information which only the sender and the recipient can understand. Cryptographic software such as Pretty Good Privacy (PGP), a public key system, arrived on the scene in 1996 to threaten the Government's ability to read email and other encrypted messages when the need arose.

With public key infrastructure, the remote server or user utilizes the recipient's widely available public key to encrypt a message. Once encrypted with the public key, it can be deciphered only with the recipient's private key. The private key may be a password (or PIN number), or a biometric identifier such as a retinal or fingerprint scan. The advantage of a biometric identifier is that the individual is certified, rather than the device from which the key is sent. Public key encryption is also used in the Secure Socket Layer (SSL), a security protocol embedded in most Web browsers.

Digital Signatures

A digital signature relies on encryption, such as public key infrastructure, to uniquely identify both the sending and receiving parties. The act of identifying the parties replaces that of writing a signature on a piece of paper. The Global and National Commerce Act of 2000, has a provision that makes electronic signatures as binding as a hand-written signature on contracts and other legal documents.

Digital Watermarks

A digital watermark is a type of Digital Rights Management (DRM), which embeds an indelible binary code in a digital object such as a movie, song, or e-book. In theory, the presence of a watermark can be used to either automatically pay the author for its use, or to prevent unauthorized copying without the author's permission. However, digital watermarks, as well as other DRM technologies, have proven to be ineffective in protecting a copyright.

The successful implementation of digital watermark technology depends on the agreement and cooperation of many organizations, in particular those in the software and communications industries.

There are technical problems as well. Digital watermarks may be accidentally erased by compression algorithms, or the embedded code may be digitally stripped by pirates.

Secure Payment Systems

A secure payment system must authenticate, or verify, the buyer's identity in real-time. This may be done with a biometric technology (e.g. fingerprint or retina scan), by entering a password or pin number, or automatically when the seller's server recognizes a cookie.

Secure Electronic Transaction

Secure Electronic Transaction (SET) uses encrypted digital certificates and digital signatures to authenticate and authorize both the seller and the buyer. Developed by MasterCard, Visa and other corporate partners, SET is an open, multi-party protocol for transmitting bankcard payments via open networks such as the Internet.

Smart Cards

Smart cards are about the size of a credit card and come in two types. The first is the magnetic strip card, such as a telephone calling card, which can "remember" a debit and deduct it from a stored total as it is used in a transaction.

The second type of smart card has an embedded chip, which allows it to store much more data than the strip. It also enables the card to connect to a communications network where it can receive credits transferred from sources of "digital cash" such as bank accounts and other smart cards. In addition, the major credit card companies are developing a digital certificate for the chip-based card that acts like a key in order for the card to send or receive secure transfers. Smart cards with chips have caught on in Europe and Japan but have not been popular in the US.


Online Money Laundering and Wire Fraud

Money laundering includes the illegal transfer of funds accomplished with the aid of computer networks and electronic banking transfers. An estimated $500 billion is laundered globally each year, although exact figures are not given out by the investigating agencies. In comparison to the international wire transfer of trillions of dollars each day, money laundering is relatively small, but is growing rapidly.

Electronic cash, smart cards and the offshore location of cyberbanks, or Internet-based banks, increase the potential for high tech money laundering. Large amounts of money can be downloaded to a smart card and then be transferred to another card without leaving a record. If smart cards become common-place, Internet-based money launderers will not need to enter money into the banking system or carry around bulky amounts of cash.

Digital Cash Transfer Systems

Digital cash transfer systems are a trusted means of exchanging funds between a buyer and a seller. They are not true P2P applications since they rely on an intermediary to perform the cash transfer and guarantee its credibility. But they do remove the very real chance of fraud from person-to-person transactions. Complaints, when they arise, are usually about the actions of the intermediary.

PayPal is the leader in the expanding digital cash transfer phenomenon, although it is by no means the first digital cash transfer system. Western Union has performed electronic money transfers for 125 years and is attempting to continue on the Internet with its MoneyZap service.

Privacy and Security

Market research firms have been collecting and selling information about individual preferences long before the Internet existed. Information is collected every time a person places an order, enters a contest or joins a buyers' club. Individuals willingly provide personal information in order to receive a gift such as a free computer.

But e-business Web sites are being held to a higher standard and receive a higher level of scrutiny than traditional businesses since consumers may feel that too much information is being collected about them. There is also a concern that online personal information can be cross-tabulated with other data bases to develop a very detailed file about an individual.

Polls continue to show that the loss of privacy ranks as a greater concern than health care, crime or taxes. Many indicate that their greatest online concern is that Web sites will provide their personal information to others without their knowledge or permission.


DoubleClick

DoubleClick specializes in the placement and management of online advertising on the Internet using ads that reside on its own server network. DoubleClick uses its database of Web site users built up by profiling visitors at hundreds of sites in its partner network, to target personalized audiences with particular Web site offerings.

DoubleClick was sued for invasion in privacy in January 1999, and has been investigated for privacy violations related to merging its database of online preferences with offline demographic information. So far DoubleClick hasn't been found guilty of any misconduct, but by 2004 competitors and other means of web site personalization have left the company in difficult financial straits. The 2005 resurgence in online advertising may make the company successful once again.

Identity Management for Customers

Many e-business sites make a concerted effort to protect each transaction using the security existing in each browser, including encryption. However, most of the sensitive information resides on the server and is protected from theft by the best efforts of the seller. Identity management for the consumer changes the control of this information by placing the customer in control of personal information at each Web site.

Using identity management, customers may store personal information, such as addresses and credit card numbers, in a directory on a site controlled by a third party, known as a security provider. Only the user can enter and update information to identify, authenticate, and provide other personal information. The user can also control the information given to each site. What may defeat this approach is the sharing and aggregation of identity information by the third parties entrusted with it.

Single Sign-On

In addition to controlling sensitive information users may not want to remember passwords for all the sites that use the information. The aggregation of identity information in one location also allows users to have a single sign-on for all of their accounts, including access to information needed on the Web such as bank and credit card accounts.

A range of companies such as banks and major portals are offering to maintain and protect the customer's sensitive information. However, portals, such as Yahoo!, have not be able to access financial information since they are not required to use the Federal Reserve Board Regulation E - Electronic Funds Transfer, the standard for security of Internet transactions by financial institutions.

Again, the question arises -- who owns the consumer's data, the individual or the institution storing the data? Banks provide their customers online access to their personal information but must develop or partner with firms that have identity management software to allow the bank to share this information as a single point of access.

Another approach is for Internet users to have control over their own identity management system, including the use of aliases. Many people use false identities when they go online. They do this for a variety of reasons: lack of trust that their personal information will be protected, to thwart cyber-criminals (e.g. identity theft, cyber-stalking), and to avoid spam.

Privacy and Crime

High technology crime investigators have been demanding for years that chip manufacturers place an identification code, or "mark" their chips. That would allow investigators to identify stolen chips and possibly to trace how the chips recovered from a crime scene got there.

While some progress is being made, privacy advocates have impeded the use of identification technology. When it first came on the market, Windows 98 generated a unique serial number that was implanted in every electronic document to trace the identity of the originating software, and presumably, its author. Microsoft is also alleged to have let the National Security Agency place an encryption key in its Word Office Suite such that the author of any Office output can be traced back to a specific software package. Additionally, Intel developed the Celeron chip to place a digital watermark on any document from a particular computer. However, each of these technologies has been attacked as undermining privacy on the Internet.

Technology known as clickstream surveillance tracks keystrokes, and copies information transferred between a browser and a server. This type of intrusive technology was first developed for distance learning, now known as e-learning, so that a remote instructor could track every keystroke of the student in order to review progress and to assist in the correction of misunderstandings.

In addition to violating privacy, a major problem of clickstream surveillance is the complexity and cost of capturing and analyzing vast amounts of data, on the order of terabits of data each day. Corporations and government agencies that use this technology to track visitors as they move through a Web site, must be prepared to commit sufficient resources.

E-Crime Forensics and Privacy

Digital forensics uncover digital evidence and attempt to provide an "audit trail" that links the crime to its perpetrator. Forensic evidence may be encrypted or hidden in innovative ways on a computer; even set to be erased if it is accessed randomly. Any computer, personal digital assistant or cell phone associated with a suspected criminal may be a source of evidence.

Digital forensics are important in the fight against e-crime since they unveil the anonymity sought by the criminal. The use of forensics may involve breaking encryption codes since the use of encryption in criminal activities is increasing rapidly. The availability of encryption to anyone, including criminals, the subject remains an issue between law enforcement officials and privacy advocates.



Dr. James E. Burke is a Principal in Burke Technology Services (BTS). BTS provides business assistance to startup technology companies, or organizations planning or integrating new technologies; develops and manages technology projects; performs technology evaluation and commercialization, and assists in technology-based economic development.

Home | e-Reports | Knowledgebase | Books | Glossary


This web site is maintained by Burke Technology Services. Copyright © 2005-2006 PIRI. All rights reserved.