Staying safe in cyberspace

E-commerce is dogged by fears over how safe cyberspace is from net-savvy financial fraudsters, but we have the technology to make it as secure as shopping in the high street, so why don’t we use it? asks Dennis Willetts

Fraud is about lies, damned lies. In that respect, fraud in e-commerce is no different from fraud in traditional business. Although e-commerce is no more than the automation of day-to-day commercial activities with the latest technology, there is a rising trend in fraud as e-commerce solutions are implemented.

The modus operandi of fraud and theft in e-commerce shows quite distinct trends in its two main branches: business-to-business and business-to-customer interactions.

One of the prime differences between the two is the pre-existing raft of agreements in most business-to-business transactions. E-commerce becomes a mechanism for enhancing speed and efficiency within a set of pre-agreed terms, rather than a means of entering into agreements or contracts.

And that has important implications for opportunities open to fraudsters.

The most frequent fraudulent misrepresentation generally is that of identity. E-commerce is particularly vulnerable to this.

There are two issues. There is the formal proof of identity when two hitherto mutually unknown and physically remote parties enter into an agreement or contract. In addition, there is the ability of those parties to digitally sign documents in a legally admissible framework, with no possibility of subsequent repudiation.

In business-to-business interactions, it is likely that the parties know of each other and have had the opportunity to carry out due diligence or credit checks. Therefore, there are greater opportunities to detect and prevent many of the traditional modes of fraud and theft.

But techniques for fraud detection and prevention are rarely implemented effectively. In recent e-commerce fraud investigations, the risk would have been reduced significantly if the audit information available from the systems had been monitored more rigorously. Furthermore, the use of neural networks, or other self-learning algorithms, could have detected the frauds at a very early stage.

But while e-procurement is set to become the next big business revolution, chaos already reigns in the business-to-customer e-commerce services. In the case of business-to-customer transactions, there is theoretically a much greater potential for a misrepresentation of identity and it is much more difficult to protect against it.

One of the problems is the cavalier attitude of many of the organisations vying to be first into the marketplace with e-commerce applications. The traditional conservative approach to risk taking, which was the hallmark of the financial sector, has been jettisoned in the race to be first into the market.

Also, security is too often viewed as an impediment that causes unnecessary delay to a project. The effect on reputation and reduction in brand value caused by major security failure or fraud is too often brushed aside without assessment of real risk. This exacerbates the security deficiencies in a variety of hardware platforms.

E-commerce holds the key to significant potential for improved security and concomitant reduction in fraud in business processes. This potential has yet to be developed for a variety of reasons, not all of which are technical. There is, for instance, too much creativity and diversity in the implementation of solutions and too many technology platforms with incompatible security capabilities.

Public key infrastructure (PKI) technology, which can theoretically achieve these security aims, has been in existence for more than a decade. It is geared to an infrastructure of trusted third parties and certification authorities, but it is still not universally implemented in cost-effective solutions, leaving businesses very vulnerable to e-commerce fraud.

That said, simple authentication schemes have already been implemented very successfully in web browsers via the duopoly of Microsoft and Netscape.

Although these are basic, they provide useful protection for the use of credit card numbers in internet transactions.

During any transition process, and particularly where technology is concerned, businesses are vulnerable. A reasonable security aim during the transition to e-commerce would be to reduce the weaknesses of business processes which can be exploited by fraudsters during the execution of sales, contracts or banking transactions over an electronic network. But it does not seem to be happening.

Other technical innovations, such as sending time-varying hash functions of credit card numbers rather than the actual card number, could provide significant protection against fraud. But widespread implementation is still a matter of debate rather than commitment. Which is good news for some.

Dennis Willetts is director of technology assignments at Kroll Associates.