
CHAPTER 17

Fraud in E-Commerce

LEARNING OBJECTIVES

After studying this chapter, you should be able to:

• Understand e-commerce fraud risk.
• Take measures to prevent fraud in e-commerce.
• Detect e-business fraud.

TO THE STUDENT

E-commerce fraud is one of the most significant problems in business today. As you read this chapter, consider the skills required for e-commerce fraud detection and investigation. Many students find it an exciting field to specialize in because of its highly technical nature and its need for the modern application of fraud principles. It is one way you can specialize and differentiate yourself from other fraud examiners. Use this chapter as a high-level overview of this type of work and as a starting point to more in-depth books.

601

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
602 Part 6: Other Types of Fraud

James, Vijay, and Em became good friends through their group work in MBA school; after graduation, they decided to start an Internet business together. After careful research, they started an online store selling anti-spam software. Sales were slow for the first year, and the business was in danger of failing. Vijay, a marketing major, contacted Google, Bing, and several other search engines and purchased advertisements linked to specific search terms.

Initially, the advertising campaign went very well. During the first few weeks, Vijay's advertisement campaign generated a 1–2 percent click-through rate (CTR), meaning that 1–2 percent of users clicked on his advertisement link when it was presented in search results pages. Vijay knew he had to pay a few dollars or cents each time a potential customer clicked on his advertisement links, but felt this cost was more than offset by the resulting purchases of anti-spam software.

Imagine Vijay's surprise when he returned from an extended vacation and found that his campaign statistics had jumped from 1 to 2 percent to an abnormal 35–40 percent CTR! At first he was elated, but then he realized something must be amiss. Overall sales had not changed, and Web site traffic had remained relatively stable.

Vijay had been a victim of click-through fraud. Although names have been changed, this fraud occurred in a real firm with several large search engines. Click-through fraud occurs when a competitor or an adverse individual repetitively clicks advertisement links with no intention of purchasing products or services at the target site. Advanced implementations of this fraud use custom scripts and robots to quickly generate enormous numbers of clicks. These robots can impersonate different IP addresses through the use of anonymizers and different browsers through faked user agents. They fool search engines into thinking each click is a unique user. Click-through frauds can cost businesses tens or even hundreds of thousands of dollars if they are allowed to continue over time.1

Although its growth occurred only about 20 years ago, the Internet has become a foundational part of modern society. From business home pages to informational wikis to social networking sites, it has permeated almost every aspect of professional and individual life. Consider how its adoption compares with other technological advances. It took radio more than 35 years and television 15 years to reach 60 million people; it took just 3 years for the Internet to reach over 90 million people. The Internet is now available in most homes, businesses, and mobile devices. When Jack Welch (former CEO of General Electric) was asked where the Internet ranks in priority in his company, he responded that "it's numbers 1, 2, 3 and 4."2

This technology revolution has provided perpetrators with new ways to commit and conceal fraud and to convert their ill-gotten gains. It has challenged regulators, educators, and fraud examiners to keep up with both technological and cultural advances. New opportunities exist in the consumer Internet and in e-business networks. Essentially, e-business3 uses information technology (IT) and electronic communication networks to exchange business information and conduct paperless transactions. While most consumers primarily use Web browsers to access the Internet, businesses routinely connect to one another over Internet lines through e-business connections, virtual private networks (VPNs), and other specialized connections. For example, even if you only purchase items at local stores and conduct transactions with your local bank in person, an Internet transaction occurs each time you purchase with a credit card or conduct a bank transaction. Even though you are not using the Internet, the businesses you interact with use it continually. Because most businesses rely on Internet-based transactions, many fraud examiners are consulted for fraud information related to e-commerce.
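The reasoning Vijay applied after the fact (CTR far above the campaign's own baseline while site traffic and sales stayed flat) can be run routinely over campaign reports. The following is an added example, not part of the textbook and not the export format of any real advertising platform: it assumes the campaign produces one record per day with impressions, ad clicks, the sessions the store itself recorded from the ad, and completed purchases. All numbers are constructed.

```python
"""Click-through anomaly check for a paid-search campaign (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DayStats:
    day: str
    impressions: int
    clicks: int        # clicks the search engine billed
    sessions: int      # visits the store's own web logs attribute to the ad
    purchases: int

    @property
    def ctr(self) -> float:
        return self.clicks / self.impressions if self.impressions else 0.0


# Constructed campaign history: a healthy 1-2% CTR for a week, then two days
# where billed clicks explode while sessions and purchases do not move, then
# one genuinely busy day where clicks and sessions rise together.
HISTORY = [
    DayStats("2011-03-01", 20000, 300, 290, 6),
    DayStats("2011-03-02", 21000, 350, 340, 7),
    DayStats("2011-03-03", 19500, 280, 270, 5),
    DayStats("2011-03-04", 20500, 400, 385, 8),
    DayStats("2011-03-05", 22000, 330, 320, 6),
    DayStats("2011-03-06", 20000, 310, 300, 7),
    DayStats("2011-03-07", 21500, 390, 375, 8),
    DayStats("2011-03-08", 20000, 7400, 310, 6),    # robot clicks
    DayStats("2011-03-09", 21000, 8100, 330, 7),    # robot clicks
    DayStats("2011-03-10", 20000, 1200, 1150, 25),  # real promotion
]


def baseline_ctr(days):
    """Mean and population standard deviation of CTR over the baseline days."""
    ctrs = [d.ctr for d in days]
    return mean(ctrs), pstdev(ctrs)


def flag_click_fraud(history, baseline_days=7, z_threshold=3.0,
                     click_session_ratio=1.5):
    """Return the days after the baseline window whose CTR is a statistical
    outlier AND whose billed clicks far exceed the visits the site recorded.

    Both conditions are required on purpose: a popular promotion raises
    clicks and sessions together, whereas robot clicks never arrive as real
    visits, so the click/session ratio separates the two cases."""
    mu, sigma = baseline_ctr(history[:baseline_days])
    flagged = []
    for d in history[baseline_days:]:
        z = (d.ctr - mu) / sigma if sigma else float("inf")
        ratio = d.clicks / d.sessions if d.sessions else float("inf")
        if z > z_threshold and ratio > click_session_ratio:
            flagged.append(d.day)
    return flagged


if __name__ == "__main__":
    print("suspicious days:", flag_click_fraud(HISTORY))
```

The seven-day baseline and the 1.5 click-to-session ratio are tuning choices, not platform constants; the point is that a billing report alone cannot show fraud, and the store's own traffic log is what makes the comparison possible.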


In this chapter, we discuss unique aspects of e-business fraud, risks specific to e-business, and ways to prevent electronic fraud. We discuss e-business fraud detection briefly, but do not discuss fraud investigation in detail because technology-based methods are beyond the scope of this book. However, remember that the processes used to investigate e-business fraud are the same as those for other frauds. The specific tasks used to detect e-business fraud may require more technical knowledge, but the overall process is the same. Once you understand the risks inherent in this new area of fraud, you will know where to target your detection efforts and how to involve advanced forensic specialists in the process.

STOP & THINK How has the Internet changed your day-to-day life? What security precautions do you take each time you use the Internet?

Fraud Risks in E-Commerce

Although fraud can occur in any environment, several aspects of e-business environments present unique risks. These characteristics of the Internet-driven economy create pressures and opportunities specific to e-commerce fraud. Just like other frauds, these new frauds are perpetrated when pressures, opportunities, and rationalizations come together. E-commerce elements that create increased or unique risks are listed in Table 17.1.

TABLE 17.1 ELEMENTS OF FRAUD RISK IN E-COMMERCE

Pressures
• Dramatic growth, which has created tremendous cash flow needs.
• Merger or acquisition activity, which creates pressures to "improve the reported financial results."
• Borrowing or issuing stock; additional pressures to "cook the books."
• New products, which require intensive and expensive marketing and for which an existing market does not yet exist.
• Unproven or flawed business models, with tremendous cash flow pressures.

Opportunities
• New and innovative technologies for which security developments often lag transaction developments.
• Complex information systems that make installing controls difficult.
• The transfer of large amounts of information, a factor that poses theft and identity risks such as illegal monitoring and unauthorized access.
• Removal of personal contact, which allows for easier impersonation or falsified identity.
• Lack of "brick-and-mortar" and other physical facilities that facilitate falsifying Web sites and business transactions.
• Inability to distinguish large and/or established companies from new and/or smaller companies, making it easy to deceive customers by falsifying identity and/or business descriptions.
• Electronic transfer of funds, allowing large frauds to be committed more easily.
• Compromised privacy, which results in easier theft by using stolen or falsified information.

Increased Propensity to Rationalize
• The perceived distance that decreases the personal contact between customer and supplier.
• Transactions between anonymous or unknown buyers and sellers—you can't see who you are hurting.
• New economy thinking contends that traditional methods of accounting no longer apply.

E-Commerce Risks Inside Organizations

Many of the most serious e-commerce fraud risks are found within organizations. Once perpetrators are within firewalls and security checks, it is much easier to infiltrate systems, steal money and information, and cause damage. Perpetrators with inside access know the control environment, understand security mechanisms, and find ways to bypass security. One of the most serious problems is the abuse of power that has been granted to users. For example, programmers and technical support personnel usually have full, superuser access to the systems they create and administrate. Often, removal of programmer access is overlooked when systems go into production, allowing them free and unlimited access to corporate data years into the future. In one survey, more than a third of network administrators admitted to snooping into human resource records, layoff lists, and customer databases.4 A related survey found that 88 percent of administrators would take sensitive data if they were fired, and 33 percent said they would take company password lists.5

The theft of money is usually the primary goal in traditional fraud. In the electronic environment, data theft is normally the first concern because data have many useful attributes. First, they can be converted to cash fairly easily. For example, stolen personal information about customers can be sold or misused, and individuals can be blackmailed. Second, information is replicable, allowing the perpetrator to simply copy data rather than remove them as traditional fraud would require. Theft acts often leave very few tracks because the source data remain intact and usable. The easy replication of data is one reason that e-commerce frauds often go undetected for long periods of time—unless companies are carefully monitoring access logs, they will not notice the act of replication. Third, data can be transferred easily and quickly to any location in the world. If perpetrators use cell phones or other private connections to the Internet to transfer data, detection can be very difficult. Finally, many managers lack the technical expertise to prevent and detect data theft. IT managers and assurance providers need to be aware of the critical points in e-business infrastructures at which data can be stolen.

Even if a perpetrator does not have personal access to needed systems, he or she can hijack others' passwords to achieve access. Passwords can be the Achilles' heel of many systems because password selection is left to the end user and cannot be fully controlled. Mothers' maiden names, birthdays of children, favorite locations, and other personal information used to generate passwords can be guessed by perpetrators when fraud is internal and employees know each other personally. Hackers often use social engineering techniques to gain access to passwords. Instant messaging, blog entries, Facebook walls, and other social networking devices provide perpetrators with a new method of gathering information. When a hacker presents valid information to a user and asks for "just a little more," some users think the request is appropriate. For example, a hacker may call a targeted user and pose as technical support. Statements like the following place users in a position of urgency and unease, and they often lead users to take risks and provide information:

Hi. This is technical support in room 415. We have been monitoring your account all day, and it appears that a hacker is trying to get into your account. If the hacker succeeds, it will start an investigation into your computer use, password selection, and use of company property. We need to stop this before it goes any further. Let's start by verifying your username and password. What is your exact username and password?

Even when corporate policies require periodic password changing, many users circumvent the intent by adding a sequential number or another character to the end of their old password. It is common to find a few employees who write their passwords down on sticky notes placed in their desk drawers or even on their computer monitors! In addition, in a world with increasing numbers of passwords, secret PINs, and account numbers to remember, many users reuse the same password from internal system to Internet site and from e-mail client to application login. If a perpetrator can discover a user's password to a relatively unprotected system, that password is likely useful in more secure systems.

Unencrypted communications between users often pose a threat that many employees do not appreciate. For example, although encrypted e-mail access has been available for decades, many users still check their mail using unencrypted Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), or other protocols. Since most e-mail clients log in and check for new mail every few minutes, perpetrators have significant opportunities to sniff passwords and infiltrate systems. E-mail text is also not regularly encrypted, even if a user is using an encrypted connection to his or her server. Unless the e-mail text itself has been encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME) or another technology, the e-mail transfers in plain text from the sending server to the receiving server. Sniffing is the logging, filtering, and viewing of information that passes along a network line; it is a common method of gathering information from unencrypted communications. Sniffing is easily done on most networks by hackers who run freely available applications like Wireshark and tcpdump. Figure 17.1 shows a screen shot of the Wireshark software. Note that these applications have legitimate uses in activities like troubleshooting network problems, so the applications themselves are not the problem.

FIGURE 17.1 WIRESHARK SOFTWARE

Even though firewalls, spam filters, and virus applications protect organizations from external attack, employee laptops and mobile devices present risks that are difficult to manage. For example, each time employees go on business trips, they connect their laptops to unprotected environments like hotel and other business networks. On these networks, computers can be exposed to viruses, spyware, and hackers that are often not as present in work networks. In addition, information on stolen laptops can provide significant opportunities for perpetrators. Finally, when employees return to the office from trips or home and plug their laptops back into the corporate network, they bypass firewalls and controls. Viruses, trojans, and worms are able to enter protected areas because employees physically walk laptops from unprotected networks to protected networks.

One of the more recent scams for business travelers is called wartrapping. In this scam, hackers go to known business traveler locations like airports and set up access points through their laptops to the Internet. Their laptops look like regular wireless networks to which others can connect. When travelers open their laptops, their wireless cards connect automatically to these "free" Internet access points. Many travelers think they are connected to the airport's official wireless network, but they are actually passing network traffic through the hackers' computers. As the travelers browse the Internet, check e-mail, and use their corporate networks, the hackers sniff for passwords and other important information.

Recently, the advent of USB drives, increased memory on phones, and portable external hard drives poses security threats. Their large capacities allow them to quickly download significant amounts of information from internal networks. These devices, including camera phones and iPod-like music players, have been banned at many military installations because of the potential threat they pose. For example, when iPods first hit the market, a common tactic by customers at electronics stores was to connect iPods to a demonstration computer and quickly steal software like Microsoft Office. Because of the iPod's fast interface and ubiquitous appearance, stealing hundreds of megabytes of data could be done within just a few minutes.

Vandalism is always a risk with internal systems. From sophisticated denial-of-service attempts on local machines to deletion of files to physical damage, vandalism is an easy way for employees to harm internal systems. Vandalism can be obvious, or it can be very difficult to find—hiding for weeks or months before its effects are discovered.
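The section above observes that copying data leaves the source intact, so the only evidence of replication is in the access logs, and only if someone looks. The following is an added example of such a look, not from the textbook: the log format is constructed (one line per query with timestamp, account, table, rows returned and client address), as are the table sizes; real database audit logs differ, but each can be mapped onto these fields.

```python
"""Spot bulk copying of records in a constructed database access log
(added example)."""
import re
from collections import defaultdict
from statistics import median

# Constructed line format; real audit logs need their own regex.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Constructed sample: routine lookups all day, then a late-night read of
# almost the whole customers table by an administrator from a new address.
SAMPLE_LOG = """\
2011-03-07T09:02:11 user=asmith table=customers rows=1 src=10.0.4.21
2011-03-07T09:15:40 user=asmith table=customers rows=3 src=10.0.4.21
2011-03-07T10:01:05 user=dbadmin table=customers rows=12 src=10.0.1.5
2011-03-07T11:30:59 user=asmith table=orders rows=8 src=10.0.4.21
2011-03-07T14:12:33 user=dbadmin table=orders rows=5 src=10.0.1.5
2011-03-07T16:45:00 user=asmith table=customers rows=2 src=10.0.4.21
2011-03-07T23:58:19 user=dbadmin table=customers rows=48500 src=192.0.2.77
"""

# Constructed row counts, used to turn "rows returned" into a share of the table.
TABLE_SIZES = {"customers": 50000, "orders": 240000}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            d = m.groupdict()
            d["rows"] = int(d["rows"])
            events.append(d)
    return events


def bulk_read_alerts(events, table_sizes, fraction=0.25, spike_factor=50):
    """Flag reads that return a large share of a table, or that dwarf the
    same user's median query against that table.

    The per-user median matters because a support analyst reading one record
    at a time and an administrator running reports have different normals;
    the absolute share catches a first-time export with no history at all."""
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["user"], e["table"])].append(e)
    alerts = []
    for (user, table), evs in per_key.items():
        med = median(e["rows"] for e in evs)
        for e in evs:
            share = e["rows"] / table_sizes.get(table, float("inf"))
            if share >= fraction or (med > 0 and e["rows"] >= spike_factor * med):
                alerts.append((e["ts"], user, table, e["rows"], e["src"]))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in bulk_read_alerts(parse_log(SAMPLE_LOG), TABLE_SIZES):
        print("bulk read:", alert)
```

Thresholds of 25 percent of a table or 50 times the user's median are starting points to tune against a site's own history; the source address in the alert is what lets an examiner tie the read to a workstation or an off-site connection.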
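The password-rotation paragraph above describes users who satisfy a periodic-change rule by appending a digit to the old password. A change form can refuse that, because it already holds both the old and the new password in clear text at the moment of the change. The following is an added example of such a check, not from the textbook; the passwords in it are constructed, and the similarity rules (same letters with digits or symbols moved, a short added prefix or suffix, a case change) are one reasonable policy rather than a standard.

```python
"""Reject trivially rotated passwords during a password change (added example)."""
import re


def _core(pw: str) -> str:
    """Letters of a password with leading/trailing digits and symbols removed,
    case-folded, so "Winter2010!" and "winter2011!!" share the core "winter"."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).casefold()


def is_trivial_rotation(old: str, new: str, min_added: int = 3) -> bool:
    """True when `new` is essentially `old`: identical, a case change, the same
    letters with only the surrounding digits/symbols changed, or `old` with
    fewer than `min_added` characters stuck on the front or the end."""
    if old == new or new.casefold() == old.casefold():
        return True
    old_core, new_core = _core(old), _core(new)
    if old_core and old_core == new_core:
        return True
    shorter, longer = sorted((old.casefold(), new.casefold()), key=len)
    if (longer.startswith(shorter) or longer.endswith(shorter)) \
            and len(longer) - len(shorter) < min_added:
        return True
    return False


def validate_password_change(old: str, new: str, min_length: int = 12):
    """Return the list of policy violations for a proposed change; empty means
    the change is acceptable."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if is_trivial_rotation(old, new):
        problems.append("too similar to previous password")
    return problems


if __name__ == "__main__":
    print(validate_password_change("Password1", "Password2"))
    print(validate_password_change("Winter2010!", "tomato-soup-#88-ok"))
```

The comparison is done on the submitted pair rather than on stored hashes, since a hashed history cannot be searched for near-matches; the same check also blocks the "old password plus one character" pattern the text mentions.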


E-Commerce Risks Outside Organizations

In 2009, hackers set a new high score for credit card theft by allegedly stealing 130 million credit cards at one location.6 Albert Gonzalez, a 28-year-old, used SQL injections (described later in this chapter) to get around corporate firewalls and steal credit and debit card information. They attacked several companies, including convenience store chains, credit card processors, and supermarket chains. When federal agents raided his home, they found computers, firearms, expensive jewelry, and $1.1 million in cash buried in the backyard. While this case may be the largest in history, it is certainly not the only one; a web search for "hackers credit cards" yields many such stories of stolen credit cards.

The Internet provides a rich medium for external hackers to gain access to personal systems. Hackers are relatively protected because they cross international boundaries and are mostly anonymous—making tracking and prosecution difficult. When successful investigation and prosecution do occur, sentences are typically light and do little to deter would-be attackers. For example, Jeffrey Lee Parson, a 19-year-old who unleashed part of the MSBlast worm attack, received 18 to 37 months in prison. Jan de Wit, author of the Anna Kournikova virus, was required to complete 150 hours of community service in the Netherlands. These viruses infected millions of computers and caused significant damage, costs, and time loss worldwide.

Computer viruses must be taken seriously in today's e-commerce environment. Viruses come in three varieties. True viruses attach themselves to existing programs on a computer. Viruses were rampant during the 1980s and 1990s. They are still in existence today, but are used less by hackers. Today's largest threat is from Internet worms, self-contained programs that spread via direct transfer, e-mail, or another mechanism. Hackers use social engineering techniques more than technical prowess to get users to spread their malware. Compared with previous decades, when viruses were written in the difficult assembly language, today's worms are extremely easy to write and distribute because they are usually written in relatively simple languages like Visual Basic or JavaScript. Have you ever gotten an "urgent" e-mail telling you to click on an attachment? These attachments often take the form of operating system patches, tracking information for packages, or interesting graphics. Despite their appearance, the e-mail attachments are actually programs that infect your computer and spread to your contacts. Whereas viruses were written by sophisticated hackers in previous years, today's worms can be written by intermediate programmers. Finally, a trojan horse is a program that claims to do something useful, but also contains hidden behavior. The ubiquitous nature of some programs, like Windows, Microsoft Outlook, and Internet Explorer, provides rich fields for viruses, worms, and trojans to spread through. In addition to their ubiquity, these programs are often used by less experienced users who are more susceptible to social tricks.

Spyware has become a difficult online problem in recent years. This type of malware—similar to a trojan horse—installs monitoring software in addition to the regular software that a user downloads or buys. For example, peer-to-peer music and video-sharing applications are some of the worst spyware offenders. Many of these programs install monitors that send online user behaviors to companies that turn a profit on the personal information they collect. More targeted spyware can lift financial or other sensitive information from internal directories and files and send it to external entities.

Phishing is a common method that hackers use to extract personal or corporate information from employees. Phishers send e-mail or pop-up messages to users asking for personal information in inventive ways. For example, a hacker might send an e-mail impersonating technical support to company employees. If even 1 percent of the employees respond with their password or other information, the hacker may be able to access a company's internal networks and open future back doors before preventative steps can be taken. False Web sites are another method of tricking users into providing personal information. A well-known scam on PayPal involves e-mail being sent to many customers with a link to a PayPal-like site. Users who click the link are presented with a login page that impersonates PayPal's regular login screen. Their attempt to log in with their usernames and passwords inadvertently sends their login information to the false site. Users are then redirected back to the regular PayPal login screen where they try to log in once again. Most users never realize they were at an imposter site on the first try.

Spoofing changes the information in e-mail headers or IP addresses. Perpetrators hide their identities by simply changing the information in the header, thus allowing unauthorized access. Since e-mail was one of the first network-based applications, very few security measures were placed into its protocols. E-mail headers are created by e-mail clients and, as such, are extremely easy to forge. Most users receive spam on a daily basis, much of which has forged headers.
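Because the From: header is written by the sending client, as the spoofing paragraph above notes, a receiving organization should not trust it on its own. The receiving mail server records the envelope sender separately (conventionally in Return-Path:), and comparing the two domains is a cheap first filter for the "technical support" impersonation described in the phishing paragraph. The following is an added example, not from the textbook, built on Python's standard email package; both messages are constructed, and the domains and addresses in them are placeholders.

```python
"""Compare the displayed From: domain with the envelope-sender domain
(added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed message: claims to be the company help desk, but the server
# that actually handed it over recorded a different envelope sender.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [203.0.113.9])
    by mx.example.com with ESMTP id 4f3a21; Tue, 8 Mar 2011 09:14:02 -0700
From: "Technical Support" <helpdesk@example.com>
To: employee@example.com
Subject: Urgent: verify your account

We have been monitoring your account. Reply with your username and password.
"""

# Constructed message where both headers agree.
LEGIT_MESSAGE = """\
Return-Path: <helpdesk@example.com>
From: "Help Desk" <helpdesk@example.com>
To: employee@example.com
Subject: Scheduled maintenance

The mail system will be offline Saturday 02:00-04:00.
"""


def _domain(addr: str):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def sender_domains(raw: str):
    """Return (from_domain, return_path_domain); either may be None."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    return _domain(from_addr), _domain(rp_addr)


def header_mismatch(raw: str) -> bool:
    """True when the visible sender domain and the envelope sender domain
    disagree, or when either is missing. A mismatch is a signal to inspect,
    not proof of forgery: mailing lists and bulk senders differ legitimately."""
    from_dom, rp_dom = sender_domains(raw)
    if from_dom is None or rp_dom is None:
        return True
    return from_dom != rp_dom


if __name__ == "__main__":
    print("suspect:", header_mismatch(SUSPECT_MESSAGE))
    print("legit:  ", header_mismatch(LEGIT_MESSAGE))
```

In a real mail pipeline this comparison is one input among several (SPF, DKIM and the Received: chain are the others); it is shown alone here because it is the one that follows directly from the text's point about client-written headers.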


Falsified identity is another significant risk in e-business. For an electronic transaction to take place, each party to the transaction needs to be confident that the claimed identity of the other party is authentic. These threats are less of a concern in traditional electronic data interchange (EDI) settings because traditional EDI uses relatively limited access points, dedicated lines, and established value-added network providers as intermediaries. But authenticity is a significant concern for transactions conducted through public electronic channels in e-business. In particular, identity theft (discussed in Chapter 15) is a significant problem today. Public and private key encryption technology is one of the best ways to prevent falsified identity, but advanced hackers can spoof this technology as well.

Remember this …
Fraud risks in e-commerce systems are significant. Due to the rapidly changing tactics of perpetrators and new opportunities offered, e-commerce fraud is likely to remain a major problem in the future.

Database query (SQL) injections and cross-site scripting (XSS) present risks that many sites are not designed to handle. In an SQL injection, hackers send a database command after regular data in an online submission form. Since many back-end systems simply relay commands from forms to databases, the SQL injection is executed by the corporate database. This command might insert an unauthorized record giving a hacker access, or it might simply drop tables with common names (such as the users table or customers table). XSS is a method of injecting JavaScript and other browser commands into Web site data. When these commands are interpreted by users' browsers, unauthorized behavior occurs. Common examples are redirection of users to a false Web site and hijacking of user cookie IDs for unauthorized access.

As noted in Chapter 16, one of the most common frauds in traditional business is the "bust-out"—the planned bankruptcy. In its simplest form, perpetrators set up a business, buy inventory on credit, sell it for low prices, and then disappear with the money before the bills are paid. Bust-outs are especially problematic in e-business. Instead of renting a brick-and-mortar store, the perpetrators merely establish a false Web site (at significantly less cost). The false Web site may grab confidential information or conduct fraudulent transactions. False Web sites look like the site of a real bank or an online broker or retailer and collect identification and credit card numbers from unsuspecting customers. Alternatively, perpetrators use false Web sites to conduct business transactions for which they never intend to pay.

E-mail messages and Web visits can be hijacked because subtle differences in Internet host names often go unnoticed by Internet users. For example, "computer.com" and "computer.org" are two completely different host names that can be easily confused. If the two names are owned by different entities, one site could mimic the other and trick users into thinking they are dealing with the original Web site or e-mail address. Many businesses purchase the domain names for all forms of their company names, including misspellings, to prevent these types of Web sites from being set up and to help customers find the legitimate site.

Fraud risks in e-commerce systems are significant. While traditional methods of fraud, such as bribery and kickbacks, are understood by many people, many employees do not fully appreciate the risks and methodologies that online fraud perpetrators take. Fortunately, users are becoming increasingly educated on the types of online and e-commerce fraud. For example, most business users and students now know they should not click on e-mail attachments from unknown senders. However, due to the rapidly changing tactics of perpetrators and new opportunities presented by changing protocols and technology, e-commerce fraud is likely to remain a major problem in the future.

Preventing Fraud in E-Commerce

Preventing fraud in each business setting involves reducing or eliminating the elements that motivate fraud: pressure, opportunity, and rationalization. In e-business settings, reducing pressures and eliminating rationalizations has thus far proved difficult. The lack of personal contact makes it hard to know what pressures exist or what rationalizations perpetrators are using.

One of the greatest fallacies of e-commerce security is a prevention measure known as security through obscurity. Security through obscurity is the tactic of keeping security holes, encryption algorithms, and processes secret in an effort to confuse attackers. Many managers are lured into a false sense of security when they feel that entry into their system is convoluted enough to discourage attackers. Rather than employing
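The SQL injection and XSS paragraph above describes back ends that "simply relay commands from forms to databases" and sites that place user-supplied text into pages unescaped. The following is an added example, not from the textbook, showing each weak form beside its fix. It uses Python's built-in sqlite3 and html modules with a constructed users table so it runs offline; the table, rows and comment text are all constructed.

```python
"""Form input relayed to the database and to the browser: vulnerable and
hardened versions side by side (added example)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """The form value becomes part of the SQL text itself, so a quote in the
    value ends the string literal and whatever follows is executed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Same query with a bound parameter: the driver sends the value
    separately from the statement, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# The "command after regular data" pattern the chapter describes: the value
# closes the quoted name and appends a condition that is always true.
INJECTED_NAME = "x' OR '1'='1"


def render_comment_unsafe(text):
    """Stored text dropped straight into HTML; the browser runs any tags in it."""
    return "<p>%s</p>" % text


def render_comment_safe(text):
    """Escape <, >, &, quotes so the browser shows the text instead of running it."""
    return "<p>%s</p>" % html.escape(text, quote=True)


# Constructed stored comment containing a harmless script tag.
STORED_COMMENT = "Nice store! <script>alert(1)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_user_vulnerable(db, INJECTED_NAME))  # every user
    print("safe:      ", lookup_user_safe(db, INJECTED_NAME))        # no rows
    print(render_comment_unsafe(STORED_COMMENT))
    print(render_comment_safe(STORED_COMMENT))
```

The two fixes share one principle: keep data and code apart at the boundary where they meet, by binding parameters at the database and by escaping at the browser. Dropping tables, which the text also mentions, depends on the database driver allowing several statements per call; sqlite3's execute() refuses that, which is why the example shows the always-true condition instead.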
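The host-name paragraph above gives "computer.com" versus "computer.org" as an example of confusable names and notes that firms register misspellings of their own name. A defender can apply the same reasoning to links found in incoming mail or customer reports. The following is an added example, not from the textbook: the legitimate-domain list and the URLs are constructed, the edit distance is plain Levenshtein, and the host splitting assumes single-label top-level domains (co.uk-style suffixes would need a public suffix list). It goes slightly beyond the text by also catching one- or two-letter misspellings, not only a changed top-level domain.

```python
"""Classify a link's host against an organisation's legitimate domains
(added example)."""
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's own domains.
LEGIT_DOMAINS = {"computer.com", "mail.computer.com"}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_host(host: str):
    """(registrable label, tld) for a host, subdomains dropped.
    Assumes a single-label TLD, which is adequate for .com/.org/.net."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return host.lower(), ""
    return parts[-2], parts[-1]


def classify_host(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """'legitimate', 'tld-variant' (same name, other TLD), 'lookalike'
    (name within max_distance edits) or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    name, tld = split_host(host)
    legit_pairs = {split_host(g) for g in legit}
    if (name, tld) in legit_pairs:
        return "legitimate"                # the domain itself or a subdomain
    for good_name, _ in legit_pairs:
        if name == good_name:
            return "tld-variant"           # computer.org vs computer.com
        if levenshtein(name, good_name) <= max_distance:
            return "lookalike"             # a letter or two away
    return "unrelated"


if __name__ == "__main__":
    for u in ("http://computer.com/login", "http://computer.org/login",
              "http://compuuter.com/", "http://example.net/"):
        print(u, "->", classify_host(u))
```

Only the registrable domain is compared, so a host whose final two labels are unrelated is reported as "unrelated" regardless of its earlier labels; widening the check to every label is a reasonable next step, as is lowering max_distance for short company names, where two edits reach many unrelated words.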


robust, proven security measures, companies that employ security through obscurity play the odds by hoping that attackers will not figure out how their security works. Experience shows that obscurity only heightens the challenge to a hacker! The early computer industry of the 1970s and 1980s is littered with failed attempts at hidden algorithms and obscure security. For example, try searching the Internet for password crackers for programs like WordPerfect or Microsoft Excel. Because these programs didn’t use robust encryption, password crackers abound.

CAUTION Security through obscurity is an appealing, yet ineffective, type of security. Rather than take chances with security through obscurity, employ robust, time-tested security methods.

In contrast to obscurity, true security is found when algorithms and processes are subjected to intense review and stand the test of time. For example, the triple-DES and AES encryption algorithms have been public for many years, and yet they are still generally considered secure because they seem to be mathematically sound. As far as we know, neither algorithm has been broken. Secure Web connections over HTTPS (the protocol you use when connecting to your bank or credit card site) are based on these robust algorithms, and they work very well. VPNs and other security measures based on public, tested algorithms are always more secure than algorithms based on private, untested methods. Of course, we are not suggesting that companies publish their security measures on their Web site home page! We are proposing that security measures be based on time-tested methods that have withstood public scrutiny.

The Control Environment

One of the best ways to prevent fraud in an e-business setting is to focus on reducing opportunities, usually through the implementation of appropriate internal controls. In traditional businesses, internal controls involve five different elements: (1) the control environment, (2) risk assessment, (3) control activities or procedures, (4) information and communication, and (5) monitoring. In e-businesses, the first three elements are often the most important. Therefore, we limit our discussion to the control environment, risk assessment, and control activities.

The essence of effectively controlled organizations lies in the attitude of their management. If top management believes that control is important, others in an organization will respond by conscientiously observing established controls. On the other hand, if it is clear to employees that management is only giving lip service to the idea of controls, rather than meaningful support, the organization’s control objectives will almost certainly not be achieved, and fraud is a more likely occurrence. Because controls are so important, firms endeavoring to prevent e-business fraud must do everything possible to establish and observe good controls. Another key strategy is understanding the controls in place in the companies with which the organization conducts its electronic business. As noted in earlier chapters, the following are the most important components of the control environment:

Integrity and Ethical Values

An organization’s culture of integrity and ethics is the product of what its standards are and how they are communicated and reinforced in the firm. This includes management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in fraud. It also includes the communication of organizational values and behavioral standards to personnel through policy statements and codes of conduct and by example. A good question to ask about companies that engage in electronic business is whether they have a formal code of conduct and whether it is available to be examined.

Board of Directors and Audit Committee Participation

An effective board of directors is independent of management, and its members carefully scrutinize management’s activities. The board delegates responsibility for internal control to management, but it undertakes regular, independent assessments of management-established internal controls. In addition, the presence of an active and objective board often discourages management from overriding existing controls. A study of financial statement frauds during the period 1987–1997 revealed that a weak or ineffective board was one of the most common elements in firms that issued fraudulent financial statements.7

Management’s Philosophy and Operating Style

Management provides clear signals to employees about the importance of internal controls. For example, does management take significant risks, or is it risk-averse? Are profit plans and budget data set as “best possible” plans or “most likely” targets? Can management be described as “fat and bureaucratic,” “lean and mean,” or dominated by one or a few individuals, or is it just right? Understanding these and similar aspects of

management’s philosophy and operating styles provides a sense of management’s attitude about internal controls and fraud.

Remember this … The “tone at the top” is the most important factor in control effectiveness.

Human Resources Policies and Practices

The most important aspect of internal control is personnel. If employees are competent and trustworthy, other controls can be absent and reliable transactions will still result. Honest, efficient people are able to perform at a high level, even when there are few other controls to support them. However, dishonest people can reduce to shambles a system with numerous controls in place.

Risk Assessment

Risk assessment identifies the risks of doing business with e-business partners. A key part of the assessment focuses on the control environment of those organizations. Another part identifies key risks in the electronic exchange of information and money, so that control procedures tailored to the special challenges that these exchanges present can be installed—procedures that counter the risk of data theft, sniffing, unauthorized access to passwords, falsified identity, spoofing, customer impersonation, false Web sites, and e-mail or Web site hijacking.

A specialized branch of risk assessment is intrusion detection. Firms specializing in intrusion detection try to gain access to networks and secure information, and they report their findings directly to management. Normally, a security audit includes an investigation into technology, processes, controls, and other factors at a client. The Robert Redford movie Hackers highlighted a firm doing just this type of work.

Preventing Fraud through Control Activities

As you learned earlier in this textbook, control activities are the policies and procedures that ensure that necessary actions are taken to address risks and frauds. As you also learned, control activities generally fall into the following five types:

1. Adequate separation of duties.
2. Proper authorization of transactions and activities.
3. Adequate documents and records.
4. Physical control over assets and records.
5. Independent checks on performance.

Adequate Separation of Duties

In e-business, this control is useful for making sure that individuals who authorize transactions are different from those who actually execute them. Probably the most common frauds in purchasing and sales transactions are kickbacks and bribery. Kickbacks occur when one individual becomes too close to suppliers or customers. Adequate segregation of duties prevents bribery because employees don’t have complete control of transactions.

Proper Authorization of Transactions and Activities

Proper authorization is another key control in e-business. The most common authorization controls are passwords, firewalls, digital signatures and certificates, and biometrics. Every transaction must be properly authorized.

Passwords Passwords are a vital part of the security of any electronic system, but they are also an Achilles’ heel because they involve people. Compromised passwords allow unauthorized transactions to be made. To prevent fraud, organizations should have clearly communicated policies regarding selecting, changing, and disclosing passwords. In an electronic environment, no other control can better prevent fraud than the wise use of passwords and adequate training of users regarding them.

Digital Signatures and Certificates Just as signatures on paper documents serve as authorization or verification, digital signatures reassure users that transactions are valid. Digital signatures and certificates thus prevent falsified identity and impersonation and as such are increasingly important.

Biometrics One of the most promising areas of technology and systems security is biometrics—the use of unique features of the human body to create secure access controls. Because each person possesses unique biological characteristics (for example, iris and retina patterns, fingerprints, voice tones, facial structures, and writing styles), scientists and technology firms are developing specialized security devices that have the potential to be highly accurate in authenticating identity. Access and permission to execute a transaction is granted or denied based on how similar the subsequent reading is to the reference template.
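To make the digital-signature control above concrete (and the public-key "lock/unlock" relation the chapter describes under Adequate Documents and Records), here is an added example that is not from the textbook: textbook RSA in Python, using constructed, far-too-small primes and no padding. A message locked with the recipient's public key opens only with the private key, and a signature made with the originator's private key checks out only with the matching public key, so a tampered order or a signature produced with another party's key (the hypothetical "Mallory" below) is rejected. Production systems use a vetted library with proper padding and certificate chains; this toy only shows which key does what.

```python
import hashlib

# Constructed toy parameters: known primes chosen so the arithmetic is easy to
# trust, but far too small for real use. No padding scheme is applied.
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)       # two Mersenne primes
MALLORY_PRIMES = (2**32 - 5, 2**61 - 1)     # an unrelated key pair (2**32 - 5 is prime)
PUBLIC_EXPONENT = 65537


def make_keypair(primes):
    """Return (public_key, private_key); each key is a (modulus, exponent) pair."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)       # modular inverse (Python 3.8+)
    return (n, PUBLIC_EXPONENT), (n, d)


def lock(value, key):
    """Apply one key of a pair; only the other key of the same pair undoes it."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt_for(recipient_public, message):
    """Privacy: lock with the recipient's public key.

    The toy modulus holds at most 11 bytes, and a leading zero byte would be
    lost on decryption; both are limits of this illustration, not of RSA."""
    return lock(int.from_bytes(message, "big"), recipient_public)


def decrypt_with(private, ciphertext):
    value = lock(ciphertext, private)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def digest(message, n):
    """SHA-256 of the message, reduced so that it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Authenticity: lock the digest with the originator's private key."""
    n, _ = private
    return lock(digest(message, n), private)


def verify(public, message, signature):
    """Unlock with the claimed originator's public key and compare digests."""
    n, _ = public
    if not 0 <= signature < n:          # not even a well-formed value for this key
        return False
    return lock(signature, public) == digest(message, n)


def demo():
    alice_pub, alice_priv = make_keypair(ALICE_PRIMES)
    _, mallory_priv = make_keypair(MALLORY_PRIMES)
    order = b"PO#4471 OK"                        # constructed 10-byte message

    ciphertext = encrypt_for(alice_pub, order)   # anyone can lock for Alice
    signature = sign(alice_priv, order)          # only Alice can sign as Alice
    forged = sign(mallory_priv, order)           # Mallory signs with her own key

    return {
        "decrypted": decrypt_with(alice_priv, ciphertext),
        "signature_valid": verify(alice_pub, order, signature),
        "tampered_valid": verify(alice_pub, b"PO#4471 NO", signature),
        "impersonation_valid": verify(alice_pub, order, forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two failing checks are the point of the control: changing even one byte of the order changes the digest, and a signature made under a different private key never unlocks to the right digest under Alice's public key, which is what lets a counterparty reject impersonation.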

Adequate Documents and Records

Documents and records (sales invoices, purchase orders, subsidiary records, sales journals, employee time cards, and even checks) are the physical objects by which transactions are entered and summarized.

In e-business, these documents are present in electronic form. This lack of hard-copy documentation, the very essence of e-business, creates new opportunities for fraud. Documents and records typically are detective controls, not preventive controls. They are the audit trail and enable auditors and fraud examiners to investigate suspected wrongdoing. Although most computer systems create records of transactions that can be accessed or reconstructed, smart perpetrators figure out how to remove evidence of transactions from servers and computers.

Because many of the traditional document controls aren’t available in e-commerce, additional controls must be put in place. The primary electronic transaction and document control is encryption, which protects confidential and sensitive information (such as checks or purchase or sales transactions) from being “sniffed” or stolen. Public-key encryption allows information to be sent in encrypted format over unsecured networks like the Internet and is widely used to protect data and ensure privacy. In public-key arrangements, communicating parties have two keys, one that is made public and another that is held private. These keys are inversely related: If one key is used to “lock” a message, the other must be used to “unlock” it. Thus, a message locked by a public key can be read only by the party holding the private key. Similarly, a message that can be unlocked by a particular public key can have originated only from the party holding the corresponding private key. Public-key encryption is thus used for privacy (by locking a message with the intended recipient’s public key) and for authenticity (by locking a message with the originator’s private key).

Physical Control over Assets and Records

When records—electronic or paper—are not adequately protected, they can be stolen, damaged, or lost. Highly computerized companies need to go to special lengths to protect computer equipment, programs, and data files.

Three categories of controls protect IT equipment, programs, and data files from fraud. As with other types of assets, physical controls are used to protect computer facilities. Examples are locks on doors to the computer room and terminals and adequate and safe storage space for software and data files. In addition to software-based security, the software and hardware that comprise the IT infrastructure must be physically secure. Remember that authorized personnel who can access computers and servers can also execute unauthorized transactions or steal sensitive information. Sometimes physical infrastructure is so sensitive and critical to e-business operations that the system is placed in an isolated location with only high-level security access.

Many firms use third-party providers—often known as application service providers—to provide data storage and application services. Because their entire business is based on data security, these firms generally take security very seriously. They provide 24-hour monitoring and security and effective password and encryption management. They are normally located in geographic locations considered “safe” from power outages, political unrest, and natural disasters like hurricanes or earthquakes. For many companies, the additional security benefits these firms provide are well worth the additional cost. Regardless of a company’s security precautions, physical controls must be a primary consideration. A recent twist on offsite location of services is cloud-based architectures like Google’s App Engine or Amazon’s S3. These services can co-locate data on multiple continents to provide speed and reliability. If your firm uses these services, be sure to understand the unique advantages and challenges they have in regard to fraud risks and protection.

Remember this … One of the best ways to prevent e-commerce fraud is by focusing on reducing opportunities through sound security measures and a solid control system.

Independent Checks on Performance

As with traditional business, a key component in e-business controls is the careful and continuous review of the other four components—the independent checks and internal verification. The need for independent checks arises because internal controls change over time. Personnel forget or fail to follow procedures, or become careless—unless someone observes and evaluates their performance. The likelihood of fraudulent transactions goes up when controls break down.

Independent checks are particularly important in preventing fraud in e-business. Organizations should always conduct checks on their e-business partners. These checks can range from simple Dun & Bradstreet reviews to full-fledged investigations of the firm and its officers. A quick search of LexisNexis and other

financial databases on the Internet often reveals problems the organization should be aware of before it conducts electronic business.

Electronic fraud, especially that perpetrated by smaller companies, is often committed by individuals high in the organization, and quite often on behalf of the organization as opposed to against the organization. Because management is usually involved, management and the directors or business partners must be investigated to determine their exposure to, and motivation for, committing fraud. To prevent fraud, gaining an understanding of the management or the organization’s business partners and what motivates them is important. In particular, three items—(1) backgrounds, (2) motivations, and (3) decision-making influence—must be examined. What organizations and situations have management and directors been associated with in the past? What really drives and motivates the organization’s leaders? Is their personal worth tied up in the organization? Are they under pressure to deliver unrealistic results? Is their compensation primarily based on performance? Do any debt covenants or other financial pressures exist? Management’s ability to influence decisions is important to understand because perpetrating fraud when only one or two individuals have primary decision-making power is much easier.

Detecting E-Business Fraud

In Chapter 6, we introduced data-driven fraud detection, in which the types of fraud that can occur are identified and then technology and other activities are used to look for fraud symptoms. That is, fraud examiners (1) endeavor to understand the business or operations of the organization, (2) identify what frauds can occur in the operation, (3) determine the symptoms that the most likely frauds would generate, (4) use databases and information systems to search for those symptoms, (5) analyze the results, and (6) investigate the symptoms to determine if they are being caused by actual fraud or by other factors.

STOP & THINK How can the data-driven fraud detection approach be used to detect e-business fraud? What data sources can be used to discover potential frauds?

This method of fraud detection works very well in detecting e-business fraud. One of the best techniques for implementing this type of fraud detection is to use technology to catch technology fraud. Many of the hacker tools were actually written to troubleshoot networks and catch perpetrators rather than to hack into systems. It is extremely important for fraud investigators who specialize in e-commerce to understand the tools and methods that perpetrators use. Knowledge of Web servers, e-mail clients and servers, and intrusion programs like Nmap, Airsnort, and Wireshark is critical to catching perpetrators and securing systems. Fraud investigators who want to specialize in e-commerce fraud should take several information systems or computer science networking and security courses. Since many of today’s corporate servers and the Internet infrastructure are Unix-based, knowledge of Unix/Linux is imperative. Because clients’ applications are often Windows-based, knowledge of the security strengths and weaknesses in Windows is also important.

Computer scripts, written in languages like Perl, Python, Ruby, and Bash, can monitor logs and systems for potential break-ins. An assortment of different intrusion detection systems (IDS) is on the market today. Careful use and monitoring of these systems should be done by every organization.

STOP & THINK What skills are required to detect and investigate e-business fraud? What other classes might help you learn these skills?

The appendix to Chapter 6 provides an introduction to detecting fraud in e-commerce systems and corporate databases. Planting automated queries in electronic purchasing records that examine changes in the percentage of goods purchased from different vendors by individual buyer, price changes, the number of returns (indicating lower quality), and comparisons of these factors with other vendors is easy. These variables can even be analyzed on a combined basis; for example, the system will look for increased purchases from the vendor whose prices are increasing the fastest. Computer systems can be programmed to provide information when changes equal or exceed a certain amount. For example, price changes of a certain percentage within a certain period might be queried.

The advantage of e-business transactions is that information about the transactions is captured electronically in databases that can be analyzed in numerous ways. These data make fraud detection much faster than ever before, but the techniques require more computer expertise to run. The most difficult aspect of detecting e-business fraud is correctly specifying the types of frauds that can occur and the symptoms they will

generate. Also, symptoms are only circumstantial evidence at best. There may be perfectly legitimate explanations for factors that appear to be symptoms. However, just as e-business transactions make fraud easier to commit, they also make it much easier to detect.

As discussed earlier in this chapter, a rigorous, time-tested process for security should be used. Security through obscurity should never be an option. Standards-based systems like VPNs, firewalls, public and private key infrastructure, strong encryption, and other means should be employed and monitored at all times.

Remember this … The use of time-tested security principles will help prevent e-business fraud. The data-driven approach to fraud detection is an excellent way to discover and investigate e-business fraud.

In addition to technical measures, social preventions and detections are important. Regular audits of user behavior on the system should be done by watching how users interact with their systems. Employees need to be trained on what e-commerce fraud looks like so they can spot problems. For example, in the autobiographical book The Cuckoo’s Egg, Clifford Stoll discovered an international spy using his systems for entrance into U.S. military systems. Stoll’s investigation started with a mere $0.75 discrepancy in system audit logs! Users need to be trained that while computer anomalies may not look significant, they can often highlight deeper problems. Just as employee tip lines can provide information in traditional fraud cases, tips can be useful in electronic fraud if employees understand what to look for.

Review of the Learning Objectives

• Understand e-commerce fraud risk. E-commerce presents new challenges and opportunities for fraud and its detection, but the risks can still be described in terms of pressures, opportunities, and rationalizations. Because the Internet-driven economy removes the need for physical access and interpersonal contact, e-commerce creates risks inside organizations, outside organizations, and to consumers.

• Take measures to prevent fraud in e-commerce. Preventing fraud in e-commerce involves reducing or eliminating the elements that motivate fraud: pressure, opportunity, and rationalization. In particular, the use of time-tested, publicly available procedures for security is the best measure for security; security through obscurity is seen by most professionals as a false sense of security.

• Detect e-business fraud. E-business fraud occurs in electronic transactions from business to business—usually from one corporate system to another. The data-driven fraud detection approach works well in discovering this type of fraud because it focuses on the transactions and log files involved in the electronic process.

KEY TERMS

e-business, p. 602
data theft, p. 603
passwords, p. 603
social engineering, p. 603
sniffing, p. 604
wartrapping, p. 605
spyware, p. 606
phishing, p. 606
spoofing, p. 606
falsified identity, p. 607
security through obscurity, p. 607
digital signatures and certificates, p. 609
biometrics, p. 609

QUESTIONS

Discussion Questions

1. In what ways do e-business transactions pose heightened fraud risks?
2. What are some common ways e-business fraud is perpetrated?
3. How can the authenticity of a party in an e-business transaction be verified?
4. What is sniffing?
5. Why is spoofing a significant risk in e-business?
6. What principles are important in password use and training?
7. Why does biometrics offer significant promises as a way to authenticate e-business transactions?
8. How is the data-driven, six-step detection approach relevant to e-business fraud detection?
9. Why can it be dangerous to provide credit card information over the Internet? Does it stop the risk if you only use credit cards at local businesses?
10. Can e-business fraud risks ever be completely eliminated?
