
Impact of Identity Theft in E-Commerce

Disclaimer: This dissertation has been submitted by a student. This is not an example of the work written by our professional dissertation writers. You can view samples of our professional work here.


ABSTRACT

In the world of today, where time is money and information is a corporate asset, protection of data confidentiality and integrity has become critical. Companies are now focusing much more on how to secure their businesses from identity fraud, which has emerged as a modern-day menace. Since I found that existing research on identity theft is rather limited, this research aims to add to the knowledge of the subject.

The aim of this research was therefore to find and assess the impact and the level of identity theft in e-commerce. This was achieved by using analytic induction from the existing research literature and by analysing feedback gathered from business executives, industry specialists and company clients through a questionnaire.

The first two chapters introduce identity theft and its impact on the corporate sector in detail, together with the data protection laws, and discuss their merits, demerits, controls and loopholes. The third chapter delves into the methods and techniques used to prevent identity theft and discusses their efficacy, efficiency, implications and limitations in detail. The last chapter is a case study of an organization, in which existing data collected from various sources has been critically analysed and reviewed.

A quantitative method approach has been employed in carrying out this research, in addition to the case study of an organization.

Moreover, with the aim of decreasing the risk and effects of identity theft in e-commerce, possible best-practice techniques were identified through a study of the existing literature, resulting in the formation of a policy document. This policy document was also evaluated by industry experts.

INTRODUCTION

As McLeod and Schell (2001) say, “e-business creates higher customer satisfaction, by providing quicker service, less effort to buy a product or service, and less business cost compared to a business run without the use of information technology (IT)”.

The Internet, a worldwide network of computers, provides excellent opportunities for organizations to do business online. To reach more customers and to increase the public's awareness of a business, it is very important for companies to present themselves and their products on the Internet, which can result in increased sales volume and higher profits. Security implications, however, hold businesses back. Nowadays, credit card companies, banks and software companies work together to produce broad standards for doing safe business online. On the other hand, hackers try to obtain as much information as possible, which they can easily sell on the black market, and some company staff are also busy selling their customers' details on that same black market. Companies should follow specific guidelines to develop a safe and successful presence in online business.

Some critics, such as Professor Richard Walton CB (2005), however argue: "The rise of the Internet and other modern technologies has brought about a fundamental change in commercial life." He further says that thieves have been stealing wallets and credit cards for a long time, but the growth of online buying and online banking has made identity theft the fastest growing white-collar crime in the U.K. and America: "It's a big problem, and it can happen to anyone".

On the other hand, some people disagree that the Internet is the major cause of identity theft. Thomas C. Greene (2005) said that "The vast majority of incidents can be traced to (what he calls) skimming, or dumpster diving, he goes further to say that plain stupidity among those who own our personal data are also contributive. Only a small fraction of such incidences result from on line transactions." I found that the majority of research on the topic of identity theft usually consists of some variation on the phrase "identity theft is the fastest growing crime in the United Kingdom", or begins with a quaint anecdote about the tens of thousands of identity theft victims that emerge each year.

According to a report from the American angle by Anne P. Mintz (2002), the Consumer Sentinel network of agencies gathering data on e-commerce fraud reported 204,000 complaints in 2001 alone, compared to 138,900 in 2000. This 47% increase demonstrates the growing nature of the problem. Figures such as these are clearly disconcerting, and gleaning possible remedies demands additional research on this issue.

There are many occasions of identity theft and many different ways in which it may be carried out. The costs and harm to financial institutions as well as individuals are considerable, but the costs are often difficult to uncover or quantify, particularly for individual consumer victims. Even if an individual is fortunate enough to avoid financial responsibility for the theft, they still suffer losses in other ways that may not be tangible; the emotional damage is often so heavy that some victims commit suicide, while many others seek therapeutic or psychiatric assistance. In attempting to recover from the theft or loss, victims may end up spending yet more money and time.

Theft and fraud must not be confused. Theft resembles fraud in that both involve some form of unlawful taking, but fraud requires the extra component of false pretences designed to persuade a victim to hand over money, property or other services. Theft, by contrast, requires only the illegal taking of another's possessions with the intention of permanently depriving the other of them. Fraud carries the harsher punishment because it involves more planning than theft does.

However, for the purposes of this study we will focus on identity theft in e-commerce, assessing its effect on online business in the UK.

Definition of Identity

Definition of Theft

“Theft” is defined in the Theft Act 1968, section 1, subsection (1): a person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and 'steal' and 'theft' shall be construed accordingly. It is immaterial whether the appropriation is made with a view to gain, or is made for the thief's own benefit.

As per the encyclopedia dictionary (2007), theft is sometimes used synonymously with larceny; it is actually a broader term, however, encompassing many forms of dishonestly taking property, including cheating, double-crossing and false pretences. Some states categorize all of these offences under a single statutory crime of theft. Taking property belonging to another without that person's consent is considered theft, and theft is regarded as a criminal act.

Sense of Identity Theft

The term "identity theft" was first codified in the Identity Theft and Assumption Deterrence Act of 1998, which makes it a "federal crime when someone deliberately uses or transfers, without legal permission, a means of identification of another person with the aim to commit, or to aid or support, any unlawful activity that constitutes a breach of federal law, or that constitutes an offense under any applicable state or local law." In addition, the act defines a "means of identification" as "any name or number that may be used, alone, or in combination with any other information, to identify a specific person." Identifying information is noted to include, among other things, a passport number, a name, date of birth, driver's licence or national insurance (NI) number, access device or telecommunication identifying information.

Identity theft may be broadly defined as the unlawful acquisition or use of any aspect of an individual's personal information in order to commit some form of criminal activity (Hoar, 2001; LoPucki, 201; Slosarik, 2002). This definition is intended to cover any type of crime that falsely uses a victim's name, home address, bank account, credit/debit card number, national insurance number, date of birth, etc. (Federal Trade Commission, 2004).

Formal Definition of Identity Theft

Although simply stealing someone's private information is an offence, the key factor to note here is that this information is then used to claim to be someone else. In other words, identity theft occurs when someone else uses your identity as their own with the ultimate aim of fiscal, material or monetary gain.

With the Internet, the evolution of e-commerce, online shopping and wireless capability, the definition of identity theft can be extended further to include such things as hacking into the customer databases of large organizations, stealing usernames and passwords, the theft and hijacking of network login sessions, and so on.

The development of e-commerce, and particularly of wireless networking, has compounded the problem of identity theft. Worse yet, it can happen to anyone, anywhere and at any time, because of the many ways in which information can easily be stolen. For example, identity theft can occur simply by an individual rummaging through the bins at the local dumpster (technically known as “dumpster diving”, discussed later).

Identity theft can also happen at your workplace, particularly if you do most of your work by telecommuting over a wireless link. Suppose you are sitting in a café at the train station while waiting for your train. Your laptop is connected to the café's “hot spot” or wireless link, and you access your confidential customer data as well as important work e-mail; but how do you know whether the wireless link is authentic? Someone sitting next to you could have set up a fake wireless access point, and you could have unintentionally connected to it, thinking that you were on a legitimate, safe and encrypted wireless link. That person now has access to your customer information, usernames and passwords as a result of that fake, or “rogue”, wireless access point, and you are completely unaware of it (this situation is known as the “evil twin” attack).

Nowadays there is a case of identity theft in the news almost every day. At first it was simply the theft of a bank account number or a 16-digit credit card number, but now this crime is carried out on a large scale, affecting millions of people at once. Some people working in companies steal and sell customers' full details under the table. According to the BBC World report (March 2008) on local TV news, HSBC Bank lost a data disk (compact disc) containing their customers' details.

As we move further towards a wireless and mobile world, the people who launch identity theft attacks are becoming much more sophisticated in the manner in which these attacks are launched. We are also seeing a trend in which large corporations are becoming very complacent about protecting their customer databases from these attacks. Small wireless devices with huge storage capacity are being used in identity theft crime, and private information is even sold in auctions over the Internet.

Definition of the term “Electronic Commerce”:

“Electronic Commerce refers generally to all forms of commercial transactions involving both organizations and individuals, that are based upon the electronic processing and transmission of data, including text, sound and visual images” (OECD, 1997).

“Electronic commerce is about doing business electronically. It is based on the electronic processing and transmission of data, including text, sound and video. It encompasses many diverse activities including electronic trading of goods and services, online delivery of digital content, electronic fund transfers, electronic share trading, electronic bills of lading, commercial auctions, collaborative design and engineering, online products (e.g. consumer goods, specialized medical equipment) and services (e.g. information services, financial and legal services); traditional activities (e.g. healthcare, education) and new activities (e.g. virtual malls).” (EC document, 1997)

“Electronic commerce is the carrying out of business activities that lead to an exchange of value across telecommunication networks” (EITO, 1997)

“E-commerce involves business transactions conducted through computer networks. The e-business literature deals with the technical facilities needed to run a business smoothly.”(Laudon and Laudon, 2000) “E-business creates higher customer satisfaction, by providing quicker service, less effort to buy a product or service, and less business cost compared to a business run without the use of information technology (IT)” (McLeod and Schell, 2001). Both of these approaches to e-business point to changes in the entire vision of a classical understanding of business.

Service industry's challenges

Companies use electronic funds transfer (EFT) as a fast and secure way of handling transactions for their customers. At present there are two main ways to handle money online, personal cheques and credit cards, although other fast and secure methods of exchanging funds online exist. Electronic funds transfer (EFT) is another name for online money exchange, in which digital money is exchanged between buyers and sellers: the customer's authorization is made over the Internet at the front end, while banks handle the transactions behind the scenes. To ensure a higher level of security, specialized authentication systems should be adopted. IDs and passwords are one of the most popular methods of securing access to a server or Internet site, but they are often weak. To address this problem, Axent Technologies developed a hardware and software solution called Defender that creates unique, one-time passwords that cannot be guessed, shared or cracked (Venetis, 1999).

“The system incorporates software on the user's computer that communicates with the Defender Security Server on the other end. When the user connects with the server, a software token is activated that automatically establishes a dialogue with the server. A new password is generated during each session, removing any possibility that the user will forget to change his/her password on a regular basis” (Venetis, 1999).

This study aims not only to evaluate the benefits of adopting a secure solution to identity theft, but also to identify the best practices companies should adopt to add value to their online business. Through in-depth research, I will examine why customers switch to new online companies for their shopping, and I will look at the techniques other companies use to give their customers confidence and retain them. Although very limited research is available on the prevention of identity theft in e-business, my aim is to study how I can contribute from the experiences of other companies. Using a quantitative method approach, I will try to test the current literature available on the subject.

The study is based upon research conducted throughout the report from a variety of sources. The scope of the study is the assessment of the tools, technologies and architectures that may be involved in identity theft in e-commerce. As the scope of “identity theft in e-commerce” is diverse, I have limited my research to online fraud detection and prevention methods.

Why this research?

The literature provides insights into the factors underlying the impacts of identity theft on e-business and the resulting failures: customers' lack of confidence, an inappropriate variety of technology structures, a lack of ability to control and secure online businesses, and a lack of adoptable techniques and processes; but there is a lack of study on how to secure online business.

Research Questions

To concentrate the research primary and secondary questions have been devised to establish a central path to guide the research.

PRQ: What technologies are currently in place to combat fraud and how do they work?

SRQ: Looking at previous fraud prevention techniques, have new technologies actually prevented and deterred fraud from the mainstream areas?

Past study of identity theft in e-commerce has not been enough to solve the problems. As cyber crime grows rapidly, it is very difficult to secure online business. The purpose of this dissertation was to investigate why an organization like XYZ UK Limited was not able to continue its online business, and what new techniques and best practices are used by others to run their online businesses. Which techniques were appropriate for identity management, and how well does the organization (XYZ UK Limited) comply with these techniques? The quantitative data was collected through an online questionnaire addressed to approximately 50 business executives, partners, experts and consumers.

AIMS AND OBJECTIVES

This research emphasizes the issues in private company (XYZ-UK Limited) regarding the risk and impact of identity theft that company had faced while doing online business and also the problems they had been through in transactions, made on the Internet.

I will also put forward the new techniques that should be adopted to increase business and customer satisfaction, look at how companies involved in e-business can overcome their problems, and consider which new techniques and ideas to adopt in order to have a secure online business.

Following are research objectives:

  • To analyze the effect of cyber crime on businesses and its consequences for customer relationships.
  • To determine the protection level that the company has provided through its security policy to maintain the privacy of its customers' sensitive information, and to determine its compliance with industry best practices.
  • To identify the reasons the company suffered losses and lost business opportunities, and to determine its plan to overcome those constraints.
  • To analyze the new strategies acquired by the company to achieve the required level of protection, and to review their effectiveness against existing practices.
  • To provide an opinion on whether new methods for safe online business ensure customer satisfaction or need improvement.

Organization of Research

This research is organized as follows. The first chapter, as noted, introduces the research and its objectives. The second chapter provides a brief overview of the literature on identity theft in e-commerce and describes the critical background of identity theft associated with e-commerce. The third chapter consists of the methodology. Chapter 4 analyses the findings of the survey, together with a content analysis to assess the scale of the effect of these factors on e-commerce success. Chapter 5 is a policy document that can be used as a set of best practices.

CHAPTER TWO

Literature Review

“What's my ROI on e-commerce? Are you crazy? This is Columbus in the new world. What was his ROI?” (Andy Grove, chairman of Intel)

DEFINITION OF E-COMMERCE

There are various definitions of e-commerce; the one given here is the one most relevant to this research.

“Electronic commerce is about doing business electronically. It is based on the electronic processing and transmission of data, including text, sound and video. It encompasses many diverse activities including electronic trading of goods and services, online delivery of digital content, electronic fund transfers, electronic share trading, electronic bills of lading, commercial auctions, collaborative design and engineering, online products (e.g. consumer goods, specialized medical equipment) and services (e.g. information services, financial and legal services); traditional activities (e.g. healthcare, education) and new activities (e.g. virtual malls).” (EC document, 1997)

While definitions of the term “Electronic Commerce” range from the broad (EITO) to the very narrow (OECD), they are basically equivalent: they describe the nature of the transactions rather than the scope of the activities. A hurdle in drafting a precise definition of e-commerce is the continuing evolution of science and technology and its impact on an ever-changing environment (Civil Jurisdiction, 2002).

Identity theft may be broadly defined as the unlawful acquisition or use of any aspect of an individual's personal information in order to commit some form of criminal activity (Hoar, 2001; LoPucki, 201; Slosarik, 2002). This definition is intended to cover any type of crime that falsely uses a victim's name, home address, bank account, credit/debit card number, national insurance number, date of birth, etc. (Federal Trade Commission, 2004).

Some authors and authorities have clearly done considerable work on the consequences of identity theft for those whose identity has been stolen; they have tried to establish how identity theft can be avoided, the possible ways of preventing one's identity being stolen by criminals, especially in online business, and what identity theft in e-commerce actually involves.

For instance, Mehdi Khosrowpour (2002) defines identity theft as “a form of hacking which results in possession of personal data and information by the hackers to masquerade as the true identity owners for future use”.

IMPACT OF CYBER CRIMES ON BUSINESS

E-commerce oriented businesses often fear that exposing a security weakness gives hackers the opportunity to penetrate business-sensitive information and do damage. These concerns have been shown to have a negative impact on consumer attitudes toward using the Internet to make purchases (Koufaris, 2002); the outcome is failure in doing business online. The losses can be divided into “direct” and “indirect” losses. The complete impact of identity theft is not yet fully understood, but recent research has stressed the rapid growth and major costs linked with the offence and is looking for solutions. Early debate around identity theft relied on anecdotal evidence, mainly reported by the popular press. Identity theft is in many ways a more harmful act that can have continuing effects, with major financial consequences for merchants as well as for customers.

Recent studies have found that identity theft victims often suffer the same emotional consequences as victims of other crimes. The crime of identity theft can be difficult to track because it takes many forms and is used to facilitate other crimes, such as credit card fraud, immigration fraud, Internet scams, and terrorism.

"Identity fraud arises when someone takes over a fictitious name or adopts the name of another person with or without their consent." Rt Hon David Blunkett MP (2002)

DIRECT LOSSES

"Direct losses can be defined as losses in terms of monetary value. Reflection of such costs can be seen as incorporated costs of the market incentives faced by such parties addressing the issue. Surveys conducted by experts show the range of financial losses that the businesses have suffered. Identity theft losses to companies are over two times greater, whereas to consumers three times greater, than those linked with conventional payment deception. Analysis of recent consumer surveys has suggested that while users may view the internet as a marketing channel valued for its convenience and ease of use for shopping, security and privacy issues are very influential on decisions to buy online." (Smith and Rupp, 2002a, b)

In e-business, fraud losses are also normally charged back to merchants: from the perspective of the credit card issuer, the cost of products purchased illegally through identity theft is most likely to be claimed against the applicable retailers. Internet merchants' fraud-related costs are high, and when those costs are combined with growing consumer fears of identity theft, the result is significant damage to the business. For consumers, the main impact of identity theft is the unauthorized use of their credit card accounts, which can cause them financial losses. Corporate identity theft allows perpetrators to conduct industrial sabotage, which may result in fines for businesses that breach regulatory rules.

Another form of direct loss is the loss of data. According to studies, data breaches cost companies in terms of administrative performance, management defections and the loss of critical and sensitive business data as well as customer data. They also allow consumers to sue if their personal information is improperly taken from online transactions (Tillman, 2002). There are further cost overheads for companies to implement preventive measures and techniques, and costs for the recovery of lost data. A breach also affects the company's ability to continue its business processes; above all, companies may go out of business because of major data loss.

One more category of direct loss is the loss of equipment and products, since it is very easy for an identity theft criminal to divert the delivery or shipment of goods, using unauthorized access, to a place where it is convenient to pick them up.

INDIRECT LOSSES

There can be many indirect losses from identity theft, for example the time and resources spent on corrective action after identities and personal information have been compromised. The ultimate indirect loss in this regard, however, is the loss of goodwill, company reputation, customer confidence and relationships with trading partners. Reputation is a signal of trustworthy behaviour and plays an important part in determining the willingness of others to enter into an exchange with a given actor (Grabner-Kraeuter, 2002, p. 48).

It has also been estimated that businesses fear accepting a large number of orders because of their vulnerability; in particular they turn away overseas transactions and so lose business. The combination of financial losses with damage to reputation and customer trust does great harm to e-businesses. In terms of reputation, any e-commerce scandal immediately becomes a news headline, as the media is always curious about such scandals, and the publicity of any such incident ruins the company's reputation.

Consumers always worry about their privacy. Many researchers have found that a majority of Internet users worry about the spread of their personal data, because a person who steals someone's data can use it to misuse bank accounts, commit a crime using somebody else's details, escape the consequences, or even cross national borders using a fake identity; all of this creates problems for the person whose identity has been used for such crimes.

Liability issues are always a concern when companies deal with trading partners, or do business in a country with strict laws under which companies are found liable if they do not protect their own critical information and that of others. Theft of corporate identities may adversely affect the morale of third-party employees as well as the competitive advantages that a company may have with its trading partners. From a network perspective, concerning the interrelationships between people and organizations, economic relationships between organizations are embedded in networks of social relationships (Galaskiewicz, 1985; Granovetter, 1985; Uzzi, 1997).

Improper handling of information can also take companies to court, where they can be held accountable for negligence and face severe fines, including imprisonment. Another aspect of indirect loss is the damage to the credit history of both customers and businesses. Businesses may no longer be able to obtain loans to boost their business and may be unable to obtain insurance benefits from insurance companies. Similar things happen to customers: once their history has been marked as suspect, they cannot obtain bank loans, credit cards, health claims or even a better career.

In summary, the above analysis paints a picture of what an individual or a business might suffer if cyber criminals steal their identities.

E-commerce and Main Categories

Nowadays businesses use heterogeneous computer environments to integrate their proprietary systems with the external world. Database servers and application servers, supported by middleware, interface with online connections; these systems include HR management, supply chain management and customer relationship management.

E-commerce conducted over electronic networks for business purposes can be separated into the following major categories:

  • Business-to-Business (B-TO-B) relationship
  • Business-to-Customer (B-TO-C) relationship
  • Business-to-Government (B-TO-G) relationship
  • Consumer-to-Consumer (C-TO-C) relationship
  • Mobile Commerce (m-commerce) relationship

The two core categories are Business to Business and Business to Customer.

Business to Customer (B-TO-C)

B-TO-C e-commerce is the part of the business that deals with commercial activities between companies and customers. In this model, companies can easily shape their strategies according to the needs and requirements of customers, based on analysis of customer statistics; these statistics can cover marketing, sales and customer service components (e.g. ordering, online assistance, delivery and customer interaction).

E-tailing

The most common form of business-to-consumer (B2C) transaction is e-tailing (electronic retailing): the selling of merchandise over the Internet.

E-Tailing: Revolutionary Trends in E-Business

Recent studies have found that 1997 was the first big year for e-tailing. Dell Computers claimed to have processed multimillion-dollar orders taken through its website. The success of Amazon.com in 1996 prompted Barnes & Noble to launch its e-business site, while CommerceNet/Nielsen Media disclosed that 10 million customers had completed purchases online.

A systematic approach in this regard needs a good combination of business strategies and dynamic networks. “The total of these structures is called a dynamic strategic network” (Dyke, 1998). One of the best examples of B-to-C e-commerce is Amazon.com, an online bookstore that launched its site in 1995. The benefits of B-TO-C e-commerce include instantaneous communication between consumer and trader, global access to products and services, and transactions that happen in real time; the risks include the confidentiality and privacy of customers' information.

Both business-to-business (B2B) and business-to-customer (B2C) transactions are used in e-commerce, and each is a type of online trading.

Advantages of B2C e-commerce

The advantages are as follows:

  • Shopping can be quicker and more convenient.
  • Prices and offers can be altered immediately.
  • The website can be integrated directly with call centres.
  • The buying experience is improved by broadband communications.

Background of E-Shopping

E-shopping was introduced in 1990. It has reached into every corner of life, as the Internet has turned the world into a global village and connected people to a society of free enterprise on a regular, daily basis. It lets us buy what we want at our convenience, with the positive result that goods are readily available to buy online. Since its first arrival on the Internet, e-shopping has always centred on middle- to high-class goods.

The first World Wide Web browser was created in 1990 by Tim Berners-Lee. Online banking was launched in 1994. The first online shop was a pizza shop run by Pizza Hut. Amazon and eBay started online shopping in 1995 and 1996. SSL encryption was introduced by Netscape to enable encrypted transmission of data transferred over the Internet, which proved very useful for online shopping.

IDENTITY THEFT

Due to the great success of e-commerce, identity fraud has become a major concern for consumers, retailers, bankers and the like. Identity fraud was first recognized in the mid 1990s, following the rapid growth of the e-commerce industry, and it continues to grow as a worldwide problem. In the UK, the rate of identity theft is very high.

There are many different ways in which perpetrators can obtain people's identities, and the purpose is either financial gain or, sometimes, professional competition or industrial espionage. Another reason for committing such illegal acts is that hackers want to try new techniques or test their skills.

“A useful definitional model of identity theft has been proposed by Sproule and Archer. Identity theft encompasses the collection of personal information and the development of false identities. Identity fraud refers to the use of a false identity to commit fraud.”

(Ottawa, 13 October 2006).

Definitional Model of Identity Theft

TECHNIQUES USED IN ID THEFT

“In May 2003, the Government of Canada identified the five most common methods of identity theft in Canada.” (Public Safety and Emergency Preparedness Canada, Public Advisory: Special Report for Consumers on Identity Theft, May 21, 2003.)

Some of the techniques used for identity theft are discussed below:

Phishing: “Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials” (APWG). The rate of phishing attacks is increasing day by day; most of the time, security faults in websites cause leakage of personal information, which gives phishers an opportunity to obtain that information using tools and techniques. Phishing results in both direct and indirect losses, in terms of reputation and finance. Studies by the Anti-Phishing Working Group (APWG) have concluded that phishers are likely to succeed with as much as 5 percent of all message recipients.

Dumpster diving: In information technology, dumpster diving is a technique used to retrieve information that could be used to carry out fraudulent activity. Many people throw away sensitive documents containing their personal information without destroying them properly; a fraudster can find these in trash cans and use the information to commit fraud. Dumpster diving does not only mean probing through the trash for obvious items like identity numbers or passwords written down on paper: apparently useless information such as a phone list, calendar or organizational chart can be used to obtain valuable information. Someone at the checkout while you are shopping can easily memorize your details, including name, address and the last three numbers of your credit card, during the short time it takes you to write a cheque.

Social engineering: The art of impersonation. It is easy to call or meet someone, pretend to be an authorized and reliable person and extract the necessary information; people often do not realize that they are giving their personal information to an impostor. According to Kevin Mitnick (considered the godfather of social engineering), "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."

E-mail spoofing: The practice of sending false e-mails whose contents lure the curious reader into following the directions given in the e-mail, by which one can easily become a victim. The header of the e-mail usually appears to come from a reputable source, and the aim is to obtain credit card or bank account information. Unfortunately there is no prevention for this technique, which is why people are easily fooled and tricked by identity thieves. Masquerading and spamming are other terms used in this regard, as the motive behind all these tactics is the same.

Theft from databases: Identity thieves are developing new ways to get at the large databases of personal information that government agencies and private companies hold. These criminals have broken into offices to take computer hard drives; sometimes employees are also involved in obtaining useful personal data for them; and they have hacked into databases to obtain information and damage records.

Shoulder surfing: An identity thief can stand next to a public phone booth and watch you keying in your credit card numbers (or take notes when you give your credit-card details over the phone to order a new sofa or book a hotel room), or stand near the till when you are paying for your shopping.

Card skimming: Another very common method used nowadays is card skimming. Identity thieves “swipe” or “skim” customer credit cards at cash points, small local grocery shops and especially restaurants, using a popular special electronic device known as a skimmer. They then transfer the data to another location, where it is copied onto fraudulently made credit cards.

Note that using the same technique identity thieves can easily convert a local loyalty card, such as “Nectar”, into a credit card. In other words, identity thieves can easily steal your credit/debit card account numbers as the card is used at a restaurant, store or other business location, using a special data collection/storage device known as a skimmer.

Identity theft in e-commerce has produced alarming results. According to TNS Research (August 2006), “87% of online shoppers are concerned about credit card fraud, 85% of online shoppers are concerned about identity theft, 83% of online shoppers are concerned about sharing personal information, and 77% of online shoppers are concerned about spyware”. According to the VeriSign Secured Seal Research Review, “65% of online consumers shop only at sites they know and trust, and 54% of UK online shoppers have abandoned a shopping cart/basket or failed to complete an online purchase due to security concerns.” Forrester Research found that “24% of online consumers stopped purchasing online during the 2005 Christmas shopping season due to security concerns.” (Forrester Research, December 2005)

“The system incorporates software on the user's computer that communicates with the Defender Security Server on the other end. When the user connects with the server, a software token is activated that automatically establishes a dialogue with the server. A new password is generated during each session, removing any possibility that the user will forget to change his/her password on a regular basis”. (Venetis, 1999)

Laws and Regulations

Several laws and regulations addressing data protection apply to organizations regardless of the nature of their business, and a company should comply with some or all of these regulatory requirements. E-commerce business management is responsible for adherence to legal requirements. Several countries make efforts in this regard to protect the confidentiality and integrity of information. Since conventional law is somewhat lacking, it is necessary to look at the national systems of Private International Law; however, the answer differs from one system to another, and also within each system (André, 2001). A brief description of the legislation affecting the protection of information follows.

EU Privacy and E-Communications Directive (DPEC):

In July 2002, the European Commission adopted the Directive on Privacy and Electronic Communications (DPEC) [2002/58/EC] in order to adapt data protection principles to “the markets and technologies for electronic communications services in order to provide an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used.” Sometimes referred to as the EU Privacy Directive, the law requires organizations in the electronic communications sector of the European Union to abide by a number of regulations, including:

Article 4 - Security: a) the provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard the security of its services; b) in case of a breach of network security, network and service providers are required to inform subscribers of the risks of such breaches, as well as possible remedies and the likely associated costs.

Article 5 - Confidentiality: Members must ensure the confidentiality of communications and data traffic, and prohibit interception or surveillance (specifically prohibit listening, tapping, or storage) of communications without the user's consent.

Article 6 - Traffic Data: Network and service providers must delete traffic data once it is no longer required.

PRIVACY ACT 1986:

This act provides for the prosecution of unauthorized interception of electronic communications. Penalties for disclosing personal information are dictated by this act. Management is responsible for the protection of personally identifiable information.

HIPAA:

The Health Insurance Portability and Accountability Act 1996 mandates the efficient electronic transmission of health information and its maintenance. HIPAA also provides for civil and criminal penalties, including fines, imprisonment or both.

SAFE HARBOR:

The safe harbor approved by the EU (European Union) in 2000 is an important way for U.S. (United States of America) companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the safe harbor assures EU organizations that the company provides adequate privacy protection.

DPA:

The Data Protection Act 1998 is a United Kingdom Act of Parliament that provides the legal basis for the privacy and protection of individuals' data in the UK (United Kingdom). The act places restrictions on organizations that collect or hold data which can identify a living person.

ELECTRONIC SIGNATURE ACT 2000:

This act allows electronic signatures to have the same legal authority as written signatures to authorize transactions.

PRIVATE INTERNATIONAL LAW:

Whenever a court is confronted with a case that contains a foreign element, there are two issues which need to be addressed before the court can resolve the conflict. A common problem arises when the parties reside in different countries: whether the court then has jurisdiction to adjudicate upon the case. If not, the case must move to a court having that jurisdiction. In addition, if the court does have jurisdiction, it must determine what rules shall apply to the case (Michael, 2001).

The final issue is the question of recognition and enforcement of the judgment. The rules and principles a court uses to determine these questions constitute the field of law usually referred to as either Private International Law or the conflict of laws. Unlike uniform law, Private International Law is in fact national law (Lawrence Collins, 2000); hence the forum will always apply its domestic Private International Law to determine the law applicable to contracts and to decide whether it has jurisdiction over the case. A number of international conventions to harmonize Private International Law exist; however, such conventions are implemented by national legislators, so their provisions are national law and thus subject to differing interpretations.

JURISDICTION:

Technological innovation on the Internet has promoted the trend of globalization and spawned the industry of "e-commerce", which has forever changed the way companies provide goods and services. Company web sites are accessible to virtually any Internet user in the world. It is this unique global character of the Internet, however, that has prevented a uniform approach to jurisdiction over cases involving consumer transactions via the web. "Jurisdiction is the power and authority of a court to hear and determine a judicial proceeding." (X.M. Frascogna, 2001). The lack of a uniform legal framework for jurisdiction over Internet transactions between different countries affects a company's vulnerability to legal judgments in the foreign countries from which its web site can be accessed.

The unpredictability of jurisdiction makes it difficult for companies with web sites to limit their legal liability and inhibits the growth of e-commerce. In Europe, little law concerning jurisdiction on the Internet has so far been established; the main instrument for establishing jurisdiction in Europe has been the Brussels Convention, later superseded by the Brussels Regulation, which accommodates the issues pertaining to e-commerce.

Jurisdiction Rules for E-Consumer Contracts:

The purpose of the E-commerce Directive and the Brussels Regulation is to ensure consistency of rules for on-line transactions conducted across borders. However, like the E-commerce Directive, the Brussels Regulation applies only to entities established in the European Union. Thus these measures are simply for the benefit of the Internal Market and are not to be treated either as an attempt at creating international private law rules or as dealing with the global issue of jurisdiction for electronic consumer contracts. The impact on businesses located inside and outside the European Union is the same: the consumer has the right to sue them in the consumer's own jurisdiction. No matter where the business is located (whether in Europe or elsewhere), businesses are likely to encounter difficulties in knowing and understanding the consumer protection and private international laws of each Member State.

To that extent, the Draft Hague Convention is likely to be of great significance. It deals with the same material as the Brussels Convention and Brussels Regulation but for a far wider area: 47 countries are members of the Hague Conference. However, the Draft Hague Convention, like the Brussels Convention and Brussels Regulation, deals only with which courts should have jurisdiction in a dispute and not with what the applicable law should be. This is how the global quest for jurisdiction rules for electronic consumer contracts arises. The conflict between national consumer protection laws, Private International Law and the “virtual”, borderless nature of electronic commerce is evident and must be addressed.

Rules for Consumer Contracts:

The rules governing consumer contracts apply in the specific situations listed in Article 5(2). Where there is no choice of law, the applicable law is the law of the country where the consumer has his habitual residence (Art 5(3), Brussels Regulation). If the contract contains a choice-of-law clause, it may not deprive the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence (Art 5(2), Brussels Regulation).

The special rules concerning consumer contracts apply under certain circumstances: the conclusion of the contract must have been preceded by a specific invitation to the consumer, or by previous advertising in the country where he is domiciled, and finally the consumer must have taken the necessary steps for concluding the contract in that country. Thus, under the terms of the Rome Convention, a consumer cannot be deprived of the consumer legislation of his country as long as the conditions in Article 5(2) are fulfilled. These conditions correspond to the conditions for consumer protection under the Brussels Convention, which have now been amended by Article 15 of the Brussels Regulation with a view to taking account of the Internet.

Consumer transactions were dealt with differently from regular commercial transactions, as consumers were given a choice of jurisdiction. Article 13 of the Brussels Convention defined a consumer contract as a B2C contract for goods and services for purposes outside a consumer's normal trade or profession if it met the following requirements:

  • The contract was for the sale of goods on installment credit terms; or
  • A contract for a loan repayable by installments, or for any other form of credit, made to finance the sale of goods; or
  • Any other contract for the supply of goods or services (Art 13, Brussels Regulation).

The conclusion of the contract had to be preceded by a specific invitation addressed to the consumer or by advertising in his state of domicile, and the consumer had to take in his state of domicile the steps necessary for the conclusion of the contract (Ibid). Article 14 gave the consumer a choice of jurisdiction between either his own domicile or that of the supplier (e.g., the website owner). This bright-line rule left little room for debate: if the contract met the requirements of a consumer contract, the consumer had the option of choosing the jurisdiction in which to litigate (Michael Cordera, 2001).

A consumer could also choose to forgo the choice of jurisdiction by making an agreement with the supplier, in a forum selection clause, as to which court would have jurisdiction before agreeing to a contract. This opt-out was allowed only if it fulfilled several formal requirements. The agreement had to: (1) be in writing; (2) be in a form which conformed to practices established between the parties; and (3) in international trade or commerce, be in a form which accorded with a usage of certain dignity (A. Lindberg, 1997). However, jurisdiction was an entirely different matter for suppliers (e.g., sellers). As a restriction against suppliers, Article 14 only permitted suppliers to bring suit in the consumer's domicile. This restriction also applied to non-EU suppliers who had branch offices in the EU (Art 13, Brussels Regulation).

The Brussels Convention clearly favored consumers in its jurisdiction provisions.

The appearance of new forms of commerce non-existent in 1968, one of them of course being e-commerce, prompted the adoption of an updated version of the Brussels Convention. To address the advent of e-commerce in the context of the existing Brussels Convention, the EU's Council of Ministers adopted the Brussels Regulation, which came into force in March 2002 (Council Regulation EC, 2000). When revising the rules for disputes arising from consumer contracts, the Council had the clear intention of boosting confidence in cross-border trade and in particular in e-commerce.

There was great debate over whether the Brussels Regulation would take a country-of-origin or a country-of-destination approach to consumer transactions. The country-of-origin approach dictates that all legal disputes over transactions contracted over the Internet are determined by the law of the supplier, where the good or service originated (E. Alexandridou, 2001). The country-of-destination approach applies the law of the consumer's domicile to legal disputes over Internet transactions. The drafters of the Brussels Regulation chose to embrace the country-of-destination approach in the name of boosting consumer confidence in e-commerce.

While the Brussels Regulation does not alter the main structure of the Brussels Convention, it made certain changes intended to take account of new technological developments related to e-commerce. Specifically, Article 15 of the Regulation provides that the courts of the consumer's domicile have jurisdiction over a foreign defendant if the latter "pursues commercial or professional activities in the Member State of the consumer's domicile or, by any means, directs such activities to that Member State and the contract falls within the scope of such activities.” (Art 15(c), Brussels Regulation). This language expands the range of situations in which a consumer can sue in his or her place of domicile. Under the Brussels Convention, a consumer could sue in his or her own jurisdiction only if the consumer had been subject to a “specific invitation or advertising made in the consumer's state of domicile and consumer has taken necessary steps to be completed in the consumer's domicile”. As a result, a consumer who had contracted from a different country, or who could not prove that he or she contracted from his or her domicile, was not entitled to sue in his or her domicile.

In contrast, the Brussels Regulation abandons the requirement of a specific invitation or advertising and instead covers “any consumer contract concluded with a person who pursues commercial activities in the Member State of the Consumer's domicile by any means”. The phrase "by any means" was not inserted as a catch-all; rather, it is specifically intended to reach Internet-based transactions. Furthermore, the Brussels Regulation makes no mention of the latter requirement that the contract be completed in the consumer's domicile, because for Internet transactions a consumer's physical location is difficult to ascertain. The Brussels Regulation also retained the Brussels Convention limitation which restricts a supplier to bringing suit in the consumer's domicile (Art 16(2), Brussels Regulation).

Lastly, while Article 17 of the Brussels Regulation allows forum selection clauses, it does not allow any such contractual agreement to take away the consumer's right to bring suit in his home jurisdiction unless the agreement is entered into after the dispute arises (Art 17, Brussels Regulation). Ultimately, if a seller is running a web site which is "directing its activities" towards an EU Member State, the seller is under that Member State's jurisdiction under the Brussels Regulation. The Brussels Regulation undoubtedly protects the consumer's choice of forum by embracing the country-of-destination approach.

Fraud prevention measures and their limitations

Except in the simplest credit-linked cases, identity theft is typically the consequence of a serious breach of privacy.

VULNERABILITIES AND SECURITY OF E-COMMERCE

CREDIT CARDS AT A GLANCE

With early credit cards it was simple enough for fraudsters to work out how to defeat the limited card protection procedures in place, owing to the lack of security measures and of technological advancement. In 1984 the first significant countermeasure was introduced: according to the VISA website, the first computer-based system, the Visa Risk Identification Service, to pinpoint suspicious card transactions at merchant locations. Many countries have since implemented a number of measures to reduce fraud levels, yet in fraud prevention technology the UK was the first to take the next step, with the introduction of Chip and PIN cards.

Since the early days of plastic-card fraud, prevention measures have been developed continuously and have become more complex; but as the measures that secure our plastic-card nation become harder to defeat, so the criminals improve the technology they use to crack through the defences put in place. Initially the most common form of plastic fraud was card skimming, more widely known as ‘cloning'. This consisted of copying the details on the magstripe of a card to another blank card. Card skimming or cloning was the most successful and the easiest form of fraud for the perpetrator.

Most often the card details are stolen from the actual owner without his knowledge, or captured during an online transaction. As new generations of plastic-card technology have become more stringent and secure, many criminals have moved away from the standard types of fraud and have gone more advanced or applied new methods to improve their techniques for capturing card data. Criminals now use methods such as pinhole cameras and key loggers. The old, simpler methods are becoming inadequate against the new security techniques and are being phased out, so the criminals themselves look into newer technologies that help them.

Magstripes

The use of magnetic stripes, known as magstripes, was one of the most common techniques in the early 2000s, and cards relied heavily on them to hold data. The information normally held on the stripe is the cardholder's name, address, date of birth, 16-digit card number, start, expiry and validity dates and CCV number. This was the information required by an order form etc. to take payment from the account holder's bank account. It is very easy to capture and read data from a magstripe, and this is the problem with the data held on it: “traditionally the process of duplicating cards began at a point of compromise” (APACS, 2005), meaning the actual point where the details were stolen.

Once the data had been downloaded, a simple magnetic reader/writer and its software, with the necessary hardware or device, was all that was needed to transfer the data to another new card. According to the magstripe standards, the magstripe on a plastic card can hold three tracks; these tracks hold the minimum specified amount of information required to complete one transaction. A track consists of numeric characters holding information such as the account name, account number, start date, expiry date and CCV number.
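As an added illustration (not part of the original dissertation), the following Python scanner shows how little protects the data once it has left the stripe, and what a defender can do about it: it recognises the standard track 1 and track 2 layouts in a merchant's log lines, Luhn-checks the PAN to filter false hits, masks the number for reporting and flags swipes of chip cards as fallback transactions. The log lines, cardholder name and the Visa test PAN 4111111111111111 are constructed; no real system or data is involved.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not from any real system). Payment software is
# never supposed to write raw track data to disk; the PAN below is the well-known
# Visa test number, so nothing real is exposed.
SAMPLE_LOG = [
    "2006-02-14T10:12:01 INFO  auth ok for card ending 1111",
    "2006-02-14T10:12:05 DEBUG raw swipe: %B4111111111111111^DOE/JANE^0912201000000000?",
    "2006-02-14T10:12:05 DEBUG raw swipe: ;4111111111111111=09122010000000000?",
    "2006-02-14T10:13:44 INFO  order 5521 shipped",
]

# ISO/IEC 7813 layouts: track 1 starts with '%B' and separates fields with '^';
# track 2 starts with ';' and separates PAN and expiry with '='. Expiry is YYMM,
# followed by the three-digit service code and issuer discretionary data.
TRACK1 = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


@dataclass
class TrackFinding:
    line_no: int
    track: int
    masked_pan: str
    expiry: str        # "MM/YY"
    chip_card: bool    # service code says the card carries an EMV chip
    name: str = ""


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits, the usual PCI DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(lines: List[str]) -> List[TrackFinding]:
    """Return one finding per log line that leaks full magstripe track data."""
    findings = []
    for no, line in enumerate(lines, 1):
        for track, pattern in ((1, TRACK1), (2, TRACK2)):
            m = pattern.search(line)
            if not m or not luhn_ok(m.group("pan")):
                continue
            exp = m.group("exp")
            # Service code first digit 2 or 6 means "use the chip where feasible":
            # a plain swipe of such a card is the magstripe fallback discussed above.
            chip = m.group("svc")[0] in ("2", "6")
            findings.append(TrackFinding(no, track, mask_pan(m.group("pan")),
                                         f"{exp[2:]}/{exp[:2]}", chip,
                                         m.group("name") if track == 1 else ""))
    return findings


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_LOG):
        print(finding)
```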

In the mid 1980s, due to the increase in plastic fraud, VISA set up its first neural network. That early network was much simpler than today's advanced neural networks. At the authorization stage of a sale, these networks can quickly determine suspicious activity on an account; the neural network easily recognizes a variety of anomalies, such as abnormal spending behaviour. That is why the system is called neural: it does not analyze through programming but learns by itself.

The system can learn a customer's spending behaviour and use what it has learnt about that person to make the account more protected and secure. A magstripe can easily be replicated; therefore it has become a necessity for the industry to research new fraud prevention methods. The newest security measure, brought fully into action on 14th February 2006, was Chip and PIN, which provides a better level of security than the magstripe.
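The following Python example (added here; it is not VISA's system) is a simplified statistical stand-in for what such a network does: it builds a per-account spending profile from the account's own history and scores a new transaction on amount outliers, unseen merchant countries and velocity, then keeps learning from confirmed-genuine purchases. The history, the two candidate transactions and the weights are constructed.

```python
from statistics import mean, pstdev
from typing import List, Tuple

Txn = Tuple[int, float, str]  # (unix time, amount in GBP, merchant country)

# Constructed history for one hypothetical cardholder: small daily GB purchases.
HISTORY: List[Txn] = [
    (1_140_000_000 + day * 86_400, amount, "GB")
    for day, amount in enumerate([12.50, 40.00, 35.20, 18.99, 60.00, 22.40, 45.00, 30.00])
]


class SpendingProfile:
    """Learns an account's normal behaviour from its own past transactions."""

    def __init__(self, history: List[Txn]):
        self.history: List[Txn] = list(history)

    def observe(self, txn: Txn) -> None:
        """Called once a transaction is confirmed genuine, so the profile keeps learning."""
        self.history.append(txn)

    def score(self, txn: Txn) -> Tuple[float, List[str]]:
        """Return a risk score in [0, 1] and the anomalies that produced it."""
        t, amount, country = txn
        amounts = [a for _, a, _ in self.history]
        mu, sigma = mean(amounts), pstdev(amounts) or 1.0  # guard a flat history
        last_time = max(ts for ts, _, _ in self.history)
        score, reasons = 0.0, []
        # 1. Amount far above this account's own norm (z-score > 3).
        if (amount - mu) / sigma > 3.0:
            score += 0.5
            reasons.append("amount_outlier")
        # 2. Merchant country never seen for this account.
        if country not in {c for _, _, c in self.history}:
            score += 0.3
            reasons.append("new_country")
        # 3. Velocity: another purchase within a minute of the last one.
        if 0 <= t - last_time < 60:
            score += 0.2
            reasons.append("velocity")
        return min(score, 1.0), reasons


LAST = HISTORY[-1][0]
NORMAL: Txn = (LAST + 86_400, 28.00, "GB")   # next day's usual purchase
SUSPECT: Txn = (LAST + 30, 950.00, "RO")     # large, foreign, 30 s after the last

if __name__ == "__main__":
    profile = SpendingProfile(HISTORY)
    for candidate in (NORMAL, SUSPECT):
        print(candidate, profile.score(candidate))
```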

EMV CHIPS

In 2006 EMV chips were introduced nationally, which cut point-of-sale fraud and also provided a secure method of storing customer data within a chip on a plastic card. The chip was introduced to hinder criminals, as it is much more difficult to copy an EMV chip than it was to clone a magstripe. When a smart chip is placed on a card, the card is called a smartcard. The way data is stored on EMV chips is now very secure. Even though these chips have secured one part of the card, they can still be worked around, as the cards still contain the magstripe as a fallback feature: if the chip does not work or Chip and PIN is not accepted, the customer can continue to use the card as a magnetic card.

To secure against identity fraud, the EMV chips are intelligent in storing and sending data, and work alongside neural networks to help identify potential fraud. EMV chips can hold over fifty different data items at a time, concerned with risk management to reduce the risk of fraudulent transactions. In theory these methods are very useful in reducing crime, but “the EMV is mostly used to authenticate the card and check for fallback or to see if the offline PIN has been blocked” (Adams, 2006). Through the way the EMV chip interacts with the neural networks and authorization, sending and receiving information at the same time, the chip itself acts as your personal security assistant, reducing the likelihood of another person using a clone of your card without your consent.

“The primary reason for introducing the chip was to tackle counterfeit card fraud. But card issuers are aware that the memory capacity of the chip gives them the platform to use the chip in other risk management ways” (APACS, 2006).

The data held on the EMV chip and the data sent to and from the terminal are encrypted using industry-standard protection such as DES and its more secure form, ‘Triple-DES', which is why EMV transactions are meant to be more secure. The algorithm is used to establish the authenticity of the card and chip in real time; it does not only help by sending and receiving data securely. To protect the validity of the card, EMV developers used "Dynamic Data Authentication", achieved by issuing each card a private PIN code within the EMV chip. This provides extra security to the card owner.

Personal PIN Entry Devices (PPED)

Since 2007, most card companies and banks have introduced personal PIN entry devices (PPED). These are handheld, pocket-sized devices with no wired inputs or outputs, holding the general details of the cardholder in coded form. Whenever the cardholder wants to shop or bank online, he inserts his card into the device (which looks like a pocket calculator); the device's on-screen display asks him to enter his memorable PIN code, after which it generates another code through which the online transaction goes through. Note that a generated code cannot be used again: the device generates a new code every time you shop or bank. It is another useful, secure technique for doing online business and banking.
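As an added example, not the actual EMV CAP protocol used by bank-issued devices nor the Defender product quoted earlier, this Python code sketches the mechanism that both the PPED description and the Defender quotation rely on: a device holding a per-card secret derives a fresh code from an event counter (HOTP-style, RFC 4226 truncation), and the server, holding the same secret, accepts each code at most once and never re-accepts an older one. The secret, card identifier and look-ahead window are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Dict


def one_time_code(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP-style code over an event counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PinEntryDevice:
    """Stand-in for the handheld device: the secret never leaves it, only codes do."""

    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def next_code(self) -> str:
        self._counter += 1  # every use advances the counter, so no code repeats
        return one_time_code(self._secret, self._counter)


class BankServer:
    """Holds the same per-card secret and the highest counter already accepted."""

    def __init__(self, look_ahead: int = 5):
        self._secrets: Dict[str, bytes] = {}
        self._last: Dict[str, int] = {}
        self._look_ahead = look_ahead  # tolerate codes generated but never submitted

    def enrol(self, card_id: str, secret: bytes) -> None:
        self._secrets[card_id] = secret
        self._last[card_id] = 0

    def verify(self, card_id: str, code: str) -> bool:
        secret = self._secrets.get(card_id)
        if secret is None:
            return False
        last = self._last[card_id]
        # Only counters above the last accepted one are tried, so a replayed
        # (intercepted or reused) code can never verify a second time.
        for counter in range(last + 1, last + 1 + self._look_ahead):
            if hmac.compare_digest(one_time_code(secret, counter), code):
                self._last[card_id] = counter
                return True
        return False


if __name__ == "__main__":
    shared = b"constructed-card-secret"   # provisioned into card and bank at issue
    device, bank = PinEntryDevice(shared), BankServer()
    bank.enrol("card-1", shared)
    code = device.next_code()
    print("first use:", bank.verify("card-1", code))   # True
    print("replay:   ", bank.verify("card-1", code))   # False
```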

“To demonstrate this we have purchased a Chip & PIN terminal off eBay and modified it such that it is completely under our control. To show that this is indeed the case, we have made it play Tetris.” (Drimmer, 2007)

In the near future new technologies such as contactless payment cards are expected to come into force. The system works by proximity sensors: the user simply has to wave their card in front of the sensor to complete a transaction. “The aim of this technology is to speed up the cash payment process by reverting it to a contactless payment method where an entire transaction takes only 0.5 seconds to complete” (VISA, 2007).

SECURITY & CONTROLS

Strong security is essential in e-commerce environments; it includes the security of the information processing facility that runs the e-commerce business. The prime vulnerabilities associated with networks fall into three basic areas.

1. Interception

2. Availability

3. Access and Entry Points

Interception

The information transmitted over communication lines could be captured: “Once security is violated, there is a risk of unwanted disclosure, i.e. someone stealing secure information or modifying the intercepted data, resulting in loss of integrity and other subsequent, more material losses”. (S.Anantha Sayana, 200

