ABSTRACT

In the world of today, where time is money and information is a corporate asset, protection of data confidentiality and integrity has become critical. Companies are focusing much more on how to secure their businesses from identity fraud, which has emerged as the modern-day menace. Since I found that research on identity theft is rather limited, this study will add to knowledge of the subject.

The aim of this research was therefore to find and assess the impact and the level of identity theft in e-commerce. This was achieved by using analytic induction from the existing research literature and by analysis of feedback from various business executives, industry specialists and company clients gathered through a questionnaire.

The first two chapters introduce identity theft and its impact on the corporate sector in detail, together with the data protection laws, discussing their merits, demerits, controls and loopholes. The third chapter delves into the methods and techniques used to prevent identity theft, discussing in detail their efficacy, efficiency, implications and limitations, while the last chapter is a case study of an organization for which existing data has been collected from various sources and critically analyzed and reviewed.

A quantitative approach was employed in carrying out this research, alongside a case study of an organization.

Moreover, with the aim of decreasing the risk and effects of identity theft in e-commerce, possible best-practice techniques were identified through a study of the existing literature, resulting in the formation of a policy document. This policy document was also evaluated by industry experts.

INTRODUCTION

As McLeod and Schell (2001) say, “e-business creates higher customer satisfaction, by providing quicker service, less effort to buy a product or service, and less business cost compared to a business run without the use of information technology (IT)”.

The Internet is a worldwide network of computers. It provides excellent opportunities for organizations to do their business online. To gain more customers and to increase the public's awareness of the business, it is very important for companies to present themselves and their products on the Internet, resulting in increased sales volume and higher profits. Security concerns, however, hold businesses back. Nowadays credit card companies, banks and software companies work together to produce a broad standard for doing safe online business, whereas hackers try to obtain as much information as possible, which they can easily sell on the black market. Some staff in companies are also busy selling their customers' details on the same black market. Companies should follow specific guidelines to develop a safe and successful presence in online business.

Some critics, like Professor Richard Walton CB (2005), however argue: "The rise of the Internet and other modern technologies has brought about a fundamental change in commercial life." He further says that thieves have been stealing wallets and credit cards for a long time, but the growth of online buying and online banking has made identity theft the fastest growing white-collar crime in the UK and America: "It's a big problem, and it can happen to anyone."

On the other hand, some people disagree that the Internet is the major cause of identity theft. As Thomas C. Greene (2005) said, "The vast majority of incidents can be traced to" what he calls skimming, or dumpster diving; he goes further to say that plain stupidity among those who hold our personal data is also a contributing factor, and that "only a small fraction of such incidences result from on line transactions." I found that the majority of research on the topic of identity theft usually consists of some variation of the phrase "identity theft is the fastest growing crime in the United Kingdom", or begins with a quaint anecdote about the tens of thousands of identity theft victims that emerge each year.

According to a report published from the American angle by Anne P. Mintz (2002), the Consumer Sentinel network of agencies gathering data on e-commerce fraud reports that in 2001 alone there were 204,000 complaints, compared to 138,900 reported in 2000. This 47% increase demonstrates the growing nature of the problem. Figures such as these are disconcerting, and gleaning possible remedies demands additional research on this issue.

There are many occasions of identity theft and many different ways in which it may be accomplished. The costs and casualties are considerable for financial institutions as well as individuals, but the costs are often difficult to reveal or enumerate, mainly for individual consumer victims. Even if an individual is fortunate enough to avoid financial responsibility for the theft, they still endure losses in other ways, which may not be tangible; very often the emotional damage is so heavy that some victims commit suicide while many others seek therapeutic or psychiatric assistance. In an attempt to recover from the theft or loss, victims may end up spending yet more money and time.

Theft and fraud must not be confused. Theft resembles fraud in that both involve some form of unlawful taking, but fraud requires the extra component of false pretenses formed to persuade a victim to hand over money, property or other services. Theft, by contrast, needs only the illegal taking of another's property with the aim of permanently depriving the other of it. Fraud carries the harsher punishment because more planning is involved in it than in theft.

However, for the purposes of this study we are going to focus on identity theft in e-commerce, assessing its effect on online business in the UK.

Definition of Identity

Definition of Theft

“Theft” is defined in English law by the Theft Act 1968, section 1, subsection (1): a person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and 'steal' and 'theft' shall be construed accordingly. It is immaterial whether the appropriation is made with a view to gain, or is made for the thief's own benefit.

According to the encyclopedia dictionary (2007), theft is sometimes used synonymously with larceny; however, it is actually a broader term, encompassing many forms of dishonestly taking property, including cheating, swindling and false pretenses. Some states categorize all these offenses under a single statutory crime of theft. Taking property belonging to another without that person's consent is regarded as theft, and theft is regarded as a criminal act.

Sense of Identity Theft

The term "identity theft" was first codified in the Identity Theft and Assumption Prevention Act of 1998, which makes it a "federal crime when someone deliberately uses or transfers, without legal permission, a means of identification of another person with the aim to commit, or to aid or support, any unlawful activity that constitutes a breach of federal law, or that constitutes an offense under any applicable state or local law." In addition, the act defines a "means of identification" as "any name or number that may be used, alone, or in combination with any other information, to identify a specific person." Identifying information is noted to include, among other things, a passport number, a name, a date of birth, a driver's license or national insurance (NI) number, and access device or telecommunication identifying information.

Identity theft may be broadly defined as the unlawful acquirement or the use of any aspect of an individual's personal information for committing some form of criminal activity (Hoar, 2001; LoPucki, 201; Slosarik 2002). This definition is proposed to cover any type of crime that falsely uses a victim's name, home address, bank account, credit / debit card number, national insurance number, date of birth, etc. (Federal trade commission, 2004)

Formal Definition of Identity Theft

Although simply stealing someone's private information is already an offense, the key factor to note here is that this information is then used to claim to be someone else. In other words, identity theft is when someone else uses your identity as his own with the ultimate ambition of fiscal, material or monetary gain.

With the Internet, the evolution of e-commerce, online shopping and wireless capability, the definition of identity theft can be further extended to include such things as hacking into the customer databases of large organizations; stealing usernames and passwords; the theft and hijacking of network login sessions; and so on.

The development of e-commerce, and of wireless in particular, has compounded the problem of identity theft. Basically, it can happen to anyone, anywhere and at any time, and there are many ways in which information can easily be stolen. For example, identity theft can occur by an individual simply rummaging through the trash cans at the local dumpster (technically this is known as “Dumpster Diving”, and will be discussed later).

Identity theft can also happen at your workplace, particularly if you do most of your work by telecommuting over a wireless link. Suppose you are sitting in a café at the train station while waiting for your train. Your laptop is connected to the “hot spot” or wireless link at the café, and you access your confidential customer data as well as important work e-mail, but how do you know that the wireless link is authentic? Someone sitting next to you could have set up a fake wireless access point, and you unintentionally logged into it, thinking that you had connected to a legitimate, safe and encrypted wireless link. That person now has access to your customer information, usernames and passwords as a result of that fake, or “rogue”, wireless access point, and you are completely unaware of it (this situation is known as the “Evil Twin” attack).

Nowadays there is a case of identity theft in the news almost every day. At first it was simply the stealing of a bank account number or a 16-digit credit card number, but now this crime is carried out on a large scale, affecting millions of people all at once. Some people working in companies steal and sell customers' full details under the table. According to a BBC World report (March 2008) on local TV news, HSBC Bank lost a data disk (compact disc) of customer details.

As we move towards a wireless and mobile world, the people who launch identity theft attacks are becoming much more sophisticated in the manner in which these attacks are launched. We are also seeing a trend where large corporations are becoming very complacent in protecting their customer databases from these attacks. Another trend is that small wireless devices with huge storage capacity are being used in identity theft crime, and private information is even sold in auctions over the Internet.

Definition of the term “Electronic Commerce”:

“Electronic Commerce refers generally to all forms of commercial transactions involving both organizations and individuals, that are based upon the electronic processing and transmission of data, including text, sound and visual images” (OECD, 1997).

“Electronic commerce is about doing business electronically. It is based on the electronic processing and transmission of data, including text, sound and video. It encompasses many diverse activities including electronic trading of goods and services, online delivery of digital content, electronic fund transfers, electronic share trading, electronic bills of lading, commercial auctions, collaborative design and engineering, online products (e.g. consumer goods, specialized medical equipment) and services (e.g. information services, financial and legal services); traditional activities (e.g. healthcare, education) and new activities (e.g. virtual malls).” (EC document, 1997)

“Electronic commerce is the carrying out of business activities that lead to an exchange of value across telecommunication networks” (EITO, 1997)

“E-commerce involves business transactions conducted through computer networks. The e-business literature deals with the technical facilities needed to run a business smoothly.” (Laudon and Laudon, 2000) “E-business creates higher customer satisfaction, by providing quicker service, less effort to buy a product or service, and less business cost compared to a business run without the use of information technology (IT)” (McLeod and Schell, 2001). Both of these approaches to e-business point to changes in the entire vision of a classical understanding of business.

Service industry's challenges

Companies are using electronic funds transfer (EFT) for their customers as a fast and secure way to transact. At present there are two main ways to handle money online, personal checks and credit cards, though other fast and secure methods to exchange funds online exist. Electronic funds transfer (EFT) is another name for online money exchange, in which digital money is exchanged between buyers and sellers: customer authorization is made over the Internet at the front end, while banks handle the transactions behind it. To ensure a higher level of security, specialized authentication systems should be adopted. IDs and passwords are one of the most popular methods of data security in use for access to a server or Internet site, but they are often weak. To address this problem, Axent Technologies developed a hardware and software solution called Defender that creates unique, one-time passwords that cannot be guessed, shared or cracked (Venetis, 1999).

“The system incorporates software on the user's computer that communicates with the Defender Security Server on the other end. When the user connects with the server, a software token is activated that automatically establishes a dialogue with the server. A new password is generated during each session, removing any possibility that the user will forget to change his/her password on a regular basis” (Venetis, 1999).
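As an added illustration of the one-time-password dialogue described above (example code written for this page, not Axent's Defender implementation, whose algorithm the page does not give), the following uses the HMAC-based one-time password (HOTP) construction of RFC 4226 with a constructed shared secret: the software token emits a fresh password for every session, and the server rejects replays of a captured password as well as guesses.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SoftwareToken:
    """Client side (hypothetical): holds the shared secret and a moving counter;
    every call yields a new password, so the user never reuses or 'changes' one."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_password(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1
        return otp


class OTPServer:
    """Server side (hypothetical): checks a submitted password against its own
    counter plus a small look-ahead window, then advances past the used counter."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._counter = 0
        self._look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for i in range(self._look_ahead + 1):
            candidate = self._counter + i
            # Constant-time comparison avoids leaking which digits matched.
            if hmac.compare_digest(hotp(self._secret, candidate), submitted):
                # Resynchronise and move on so this password can never be replayed.
                self._counter = candidate + 1
                return True
        return False


def demo() -> dict:
    """Run one client/server dialogue and report which checks behaved as intended."""
    # Constructed shared secret (this is the RFC 4226 test-vector key, not a real credential).
    secret = b"12345678901234567890"
    token = SoftwareToken(secret)
    server = OTPServer(secret)

    first = token.next_password()
    results = {"first_accepted": server.verify(first)}
    # A password captured from the first session is useless in a second one.
    results["replay_rejected"] = not server.verify(first)
    results["second_accepted"] = server.verify(token.next_password())
    # A token the user generated but never submitted only skips one counter;
    # the next password still falls inside the server's look-ahead window.
    token.next_password()
    results["skipped_within_window"] = server.verify(token.next_password())
    # A guessed value has no relation to the shared secret and is rejected.
    results["guess_rejected"] = not server.verify("000000")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```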

This study aims not only to evaluate the benefits of adopting secure solutions to identity theft, but also to identify the best practices companies should adopt to add value to their online business. Through in-depth research, I will examine why customers switch to new online companies for their shopping, and the techniques other companies use to give confidence to their customers and retain them. Although very limited research is available on prevention of identity theft in e-business, my aim is to study how I can draw on the experiences of other companies. Using a quantitative approach, I will test the current literature available on the subject.

The study is based upon research conducted throughout the report from a variety of sources. Its scope is the assessment of tools, technologies and architectures that may be involved in identity theft in e-commerce. As “identity theft in e-commerce” is a diversified topic, I have limited my research to online fraud detection and prevention methods.

Why this research?

The literature provides insights into the factors underlying the impact of identity theft on e-business and the resulting failures: customers' lack of confidence, an inappropriate variety of technology structures, an inability to control and secure online businesses, and a lack of adoptable techniques and processes; but there is a lack of study on how to secure online business.

Research Questions

To focus the research, primary and secondary questions have been devised to establish a central path to guide it.

PRQ: What technologies are currently in place to combat fraud and how do they work?

SRQ: Looking at previous fraud prevention techniques, have new technologies actually prevented and deterred fraud from the mainstream areas?

Past studies on identity theft in e-commerce have not been enough to solve the problems. As cyber crime grows rapidly, it is very difficult to secure online business. The purpose of this dissertation was to investigate why an organization like XYZ UK Limited was not able to continue its online business, what new techniques and best practices others use to run their online businesses, which techniques were appropriate for identity management, and how well the organization (XYZ UK Limited) complies with these techniques. The quantitative data was collected through an online questionnaire addressed to approximately 50 business executives, partners, experts and consumers.

AIMS AND OBJECTIVES

This research emphasizes the issues at a private company (XYZ-UK Limited) regarding the risk and impact of identity theft that the company faced while doing online business, and the problems it went through in transactions made on the Internet.

I will also put forward what new techniques should be adopted to increase business and customer satisfaction, to see how companies involved in e-business can overcome their problems, and to adopt new techniques and ideas for secure online business.

Following are research objectives:

  • To analyze the effect of cyber crime on businesses and its consequences for customer relationships.
  • To determine the protection level that the company has provided through its security policy to maintain the privacy of its customers' sensitive information, and to determine its compliance with industry best practices.
  • To identify the reasons that result in the company suffering losses and losing business opportunities, and to determine its plan to overcome those constraints.
  • To analyze new strategies acquired by the company to achieve the level of protection and review their effectiveness in accordance with existing practices.
  • To provide an opinion on whether new methods for safe online business ensure customer satisfaction or need improvement.

Organization of Research

This research is organized as follows. The first chapter, as noted, introduces the research and its objectives. The second chapter provides a brief overview of the literature on identity theft in e-commerce and describes the critical background of identity theft associated with e-commerce. The third chapter consists of the methodology. Chapter 4 analyzes the findings of the survey, as well as a content analysis to assess the scale of the effect of these factors on e-commerce success. Chapter 5 is a policy document that can be used as best practice.

CHAPTER 2

Literature Review

“What's my ROI on e-commerce? Are you crazy? This is Columbus in the new world. What was his ROI?” (Andy Grove, chairman of Intel)


DEFINITION OF E-COMMERCE

There are various definitions of e-commerce; the one given here is an attempt to relate to this research.

“Electronic commerce is about doing business electronically. It is based on the electronic processing and transmission of data, including text, sound and video. It encompasses many diverse activities including electronic trading of goods and services, online delivery of digital content, electronic fund transfers, electronic share trading, electronic bills of lading, commercial auctions, collaborative design and engineering, online products (e.g. consumer goods, specialized medical equipment) and services (e.g. information services, financial and legal services); traditional activities (e.g. healthcare, education) and new activities (e.g. virtual malls).” (EC document, 1997)

While definitions of the term “Electronic Commerce” range from the broad (EITO) to the very narrow (OECD), they are basically equivalent: they give a clear description of transactions rather than of the scope of activities. A hurdle in drafting a precise definition of e-commerce is the continuing evolution of science and technology and its impact on an ever-changing environment (Civil Jurisdiction, 2002).

Identity theft may be broadly defined as the unlawful acquirement or the use of any aspect of an individual's personal information for committing some form of criminal activity (Hoar, 2001; LoPucki, 201; Slosarik 2002). This definition is proposed to cover any type of crime that falsely uses a victim's name, home address, bank account, credit / debit card number, national insurance number, date of birth, etc. (Federal trade commission, 2004)

Some authors and authorities have obviously done hard work on the consequences of identity theft for those whose identity has been stolen; they were trying to see how identity theft can be avoided, the possible ways to avoid one's identity being stolen by criminals, especially in online business, and to find out what identity theft in e-commerce is about.

For instance, Mehdi Khosrowpour (2002) defines identity theft as “a form of hacking which results in possession of personal data and information by the hackers to masquerade as the true identity owners for future use”.

IMPACT OF CYBER CRIMES ON BUSINESS

E-commerce oriented businesses often fear that exposing a security weakness gives hackers the opportunity to penetrate sensitive business information and do damage. These concerns have been shown to have a negative impact on consumer attitudes toward using the Internet to make purchases (Koufaris, 2002). The outcome is failure in doing business online. The losses can be divided into “direct” and “indirect” losses. The complete impact of identity theft is not yet fully understood, but recent research has stressed the fast growth and major costs linked with the offense and is looking to address it. Early debate around identity theft relied on anecdotal evidence, mainly reported by the popular press. Identity theft is in many ways a more harmful act that can have continuing, major financial effects on merchants as well as on customers.

Recent studies have found that identity theft victims often suffer the same emotional consequences as victims of other crimes. The crime of identity theft can be difficult to track because it takes many forms and is used to facilitate other crimes, such as credit card fraud, immigration fraud, Internet scams, and terrorism.

"Identity fraud arises when someone takes over a fictitious name or adopts the name of another person with or without their consent" (Rt Hon David Blunkett MP, 2002).

DIRECT LOSSES

“Direct losses can be defined as losses in terms of monetary value. Reflection of such costs can be seen as incorporated costs of the market incentives faced by such parties addressing the issue. Surveys conducted by experts show the range of financial losses that the businesses have suffered. Identity theft losses to companies are over two times greater, and to consumers three times greater, than those linked with conventional payment deception. Analysis of recent consumer surveys has suggested that while users may view the internet as a marketing channel valued for its convenience and ease of use for shopping, security and privacy issues are very influential on decisions to buy online” (Smith and Rupp, 2002a, b).

In e-business, the associated fraud losses are also normally charged back to merchants. From the perspective of the credit card issuer, the cost of identity theft for illegally purchased products is most likely to be claimed against the applicable retailers. Internet merchants' fraud-related costs are high, and when those costs are combined with growing consumer fears of identity theft the result is significant damage to the business. For consumers, the main impact of identity theft is the unauthorized use of their credit card accounts, which can cause them financial losses. Corporate identity theft enables perpetrators to conduct industrial sabotage, resulting in possible fines to businesses for breach of regulatory rules.

Another form of direct loss is the loss of data. According to studies, data breaches cost companies in terms of administrative performance, management defections and loss of critical and sensitive business data as well as customer data. They also allow consumers to sue if their personal information is improperly taken from online transactions (Tillman, 2002). Breaches further result in cost overheads for companies to implement preventive measures and techniques, and in additional costs for the recovery of lost data. They also affect the company's ability to continue its business processes; above all, companies may go out of business because of a major data loss.

One more category of direct loss is the loss of equipment and products, since it is very easy for an identity theft criminal to divert the delivery or shipment of goods by having unauthorized access to a place where it is convenient to pick them up.

INDIRECT LOSSES

There can be many indirect losses because of identity theft, for example the time and resources spent on corrective action after identities and personal information have been compromised. However, the ultimate indirect loss in this regard is the loss of goodwill, company reputation, customer confidence and relationships with trading partners. Reputation is a sign of trustworthy behaviour and plays an important part in determining the willingness of others to enter into an exchange with a given actor (Grabner-Kraeuter, 2002, p. 48).

It has also been estimated that businesses fear to accept a large number of orders because of their susceptibility; in particular they turn away overseas transactions and hence lose business. The combination of financial losses with damage to reputation and customer trust does a great deal of damage to e-businesses. In terms of reputation, it can be said that any e-commerce scandal immediately becomes headline news, and the media is always curious about such scandals, so the publicity around any such incident largely ruins the company's reputation.

Consumers always worry about their privacy. Many researchers have found that a majority of Internet users worry about the spread of their personal data, because a person stealing someone's data can use it to misuse bank accounts, commit a crime using the details of somebody else, escape from difficult situations or even cross country borders using fake identities; all of the above can create problems for the person whose identity has been used for such crimes.

Liability issues are always a concern when companies deal with trading partners or do business within a country with strict laws under which companies are found liable if they do not protect their own critical information and that of others. Theft of corporate identities may adversely affect the morale of third-party employees as well as the competitive advantages that a company may have with its trading partners. From a network perspective, concerned with the interrelationships between people and organizations, the economic relationships between organizations are embedded in networks of social relationships (Galaskiewicz, 1985; Granovetter, 1985; Uzzi, 1997).

Improper handling of information can also take companies to court, where they can be held accountable for negligence and face severe fines, including imprisonment. Another aspect of indirect loss is the damage to the credit history of both customers and businesses. Businesses will no longer be able to obtain loans to boost their business and cannot obtain insurance benefits from insurance companies. Similar things happen to customers: once their history has been marked as suspect they cannot obtain bank loans, credit cards, health claims or even a better career.

In summary, the above analysis shows a picture of what an individual or a business might suffer if cyber criminals steal their identities.

E-commerce and Main Categories

Nowadays businesses use heterogeneous computer environments to integrate their proprietary systems with the external world: database servers and application servers, supported by middleware, interface with online connections; these include HR management, supply chain management and customer relationship management.

E-commerce, where the purpose is to do business through electronic networks, can be separated into the following major categories:

  • Business-to-Business (B-TO-B) relationship
  • Business-to-Customer (B-TO-C) relationship
  • Business-to-Government (B-TO-G) relationship
  • Consumer-to-Consumer (C-TO-C) relationship
  • Mobile Commerce (m-commerce) relationship

The two core categories are Business to Business and Business to Customer.

Business to Customer (B-TO-C)

B-TO-C e-commerce is the part of business which deals with commercial activities between companies and customers. In this model, companies can easily shape their strategies according to the needs and requirements of customers, based on analysis of customer statistics; these statistics can be based on marketing, sales and customer service components (e.g. ordering, online assistance, delivery and customer interaction).

E-tailing

The most common form of business-to-consumer (B2C) transaction is e-tailing (electronic retailing), the selling of merchandise over the Internet.

E-Tailing: Revolutionary Trends in E-Business

Recent studies have found that 1997 was the first big year for e-tailing. Dell Computers claimed to have processed multimillion-dollar orders taken through its Web site. In 1996, the success of Amazon.com prompted Barnes & Noble to launch its e-business site, while CommerceNet/Nielsen Media disclosed that 10 million customers had completed purchases online.

A systematic approach in this regard needs a good combination of business strategies and dynamic networks. “The total of these structures is called a dynamic strategic network” (Dyke, 1998). One of the best examples of B-to-C e-commerce is Amazon.com, an online bookstore that launched its site in 1995. The benefits of B-TO-C e-commerce include instantaneous communication between consumer and trader, global access to products and services, and transactions that happen in real time, whereas the risks include the confidentiality and privacy of customers' information.

Business-to-business (B2B) and business-to-customer (B2C) transactions are both used in e-commerce and are a type of online shopping.

Advantages of B2C e-commerce

The main advantages are:

  • Shopping can be quicker and more convenient.
  • Prices and offers can change immediately.
  • The website can be integrated directly with call centres.
  • The buying experience will be improved by broadband communications.

Background of E-Shopping

E-shopping was introduced in 1990. It has spread into every corner of life, as the Internet converted the world into a global village and joined people to the society of free enterprise on a regular, daily basis. It helps us buy what we wish for at our convenience, with positive results from the range of goods available to buy online. Since its first appearance on the Internet, e-shopping has always been geared to middle to high class goods.

The first World Wide Web browser was created in 1990 by Tim Berners-Lee. In 1994 online banking was launched. The first online shop was a pizza shop run by Pizza Hut. Amazon and eBay started online shopping in 1995 and 1996 respectively. SSL encryption was introduced by Netscape to enable encrypted transmission of data over the Internet, which proved very useful for online shopping.

IDENTITY THEFT

Due to the great success of e-commerce, identity fraud has become a major concern for consumers, retailers, bankers and the like. Identity fraud was first recognized in the mid-1990s, driven by the rapid growth of the e-commerce industry. The identity-theft problem continues to grow worldwide. In the UK, the rate of identity theft is very high.

There are many different ways in which perpetrators can obtain people's identities; the purpose is usually financial gain, but sometimes professional rivalry or industrial espionage. Another motive for such illegal activity is that hackers want to try out new techniques or test their skills.

“A useful definitional model of identity theft has been proposed by Sproule and Archer. Identity theft encompasses the collection of personal information and the development of false identities. Identity fraud refers to the use of a false identity to commit fraud.”

(Ottawa, 13 October 2006).

Definitional Model of Identity Theft

TECHNIQUES USED IN ID THEFT

“In May 2003, the Government of Canada identified the five most common methods of identity theft in Canada.” (Public Safety and Emergency Preparedness Canada, Public Advisory: Special Report for Consumers on Identity Theft, May 21, 2003.)

Some of the techniques used for identity theft are discussed below:

Phishing: “Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials” (APWG). The rate of phishing attacks is increasing day by day; most of the time, security flaws in websites cause leakage of personal information, giving phishers an opportunity to obtain that information using tools and techniques. Phishing results in both direct and indirect losses in terms of reputation and finance. Studies by the Anti-Phishing Working Group (APWG) have concluded that phishers are likely to succeed with as many as 5 percent of all message recipients.

Dumpster diving: In information technology, dumpster diving is a technique used to retrieve information that could be used to carry out fraudulent activity. Many people throw away sensitive documents containing personal information without destroying them properly; a fraudster can find these in trash cans and use the information to commit fraud. Dumpster diving is not limited to searching the trash for obvious items such as identity numbers or passwords written on paper. Apparently useless information like a phone list, calendar or organizational chart can be used to obtain valuable information. Likewise, someone standing near you while you shop can easily memorize your details, including your name, address and the last three digits of your credit card, during the short time it takes you to write a check.

Social engineering: The art of impersonation. It is easy to call or meet someone, pretend to be an authorized and reliable person, and extract the necessary information; people often do not realize that they are giving their personal information to an impostor. According to Kevin Mitnick (considered the godfather of social engineering), "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."

E-mail spoofing: The practice of sending false e-mails whose contents lure the curious reader and push them to follow the directions given in the e-mail, by which one can easily become a victim. The header of the e-mail usually appears to come from a well-known source, and the aim is to obtain credit card or bank account information. Unfortunately, there is no real prevention for this technique, which is why people are easily fooled and tricked by identity thieves. Masquerading and spamming are related terms, as the motive behind all these tactics is the same.
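The header characteristics mentioned above (a display name that claims a trusted sender while the actual address, Reply-To or envelope sender point elsewhere) can be checked mechanically before a message reaches a reader. The following script is an added example, not part of the dissertation; it uses only the Python standard library, and the two messages, the brand name and the domains it contains are constructed for illustration.

```python
"""Flag common e-mail spoofing indicators in a message's header block.

Added example (not from the dissertation). The sample messages and the
brand/domain mapping below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping (assumption): brand names that a spoofer might place in
# the display name, and the domains that brand legitimately sends from.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.example"},
}


def _domain(addr_header):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message):
    """Return a list of human-readable indicators found in the headers.

    An empty list means none of the checks fired; it does not prove the
    message is genuine (SPF/DKIM/DMARC results are not consulted here).
    """
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From"))

    # 1. Display name claims a known brand, but the From address is not on a
    #    domain that brand uses (the classic "looks like the bank" header).
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower().replace(" ", "") and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Reply-To points somewhere other than the From domain, so any reply
    #    (and any details the reader types into it) goes to a third party.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 3. Envelope sender (Return-Path) does not match the visible From.
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")

    return findings


# Constructed sample messages (no real senders or domains).
SPOOFED = """Return-Path: <bounce@mailer-rental.example>
From: "Example Bank Security" <alerts@examp1ebank-verify.example>
Reply-To: <support@collect-details.example>
Subject: Urgent: confirm your account

Please follow the link below to confirm your card details.
"""

GENUINE = """Return-Path: <noreply@examplebank.example>
From: "Example Bank" <noreply@examplebank.example>
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

if __name__ == "__main__":
    for finding in spoofing_indicators(SPOOFED):
        print("indicator:", finding)
    print("genuine message indicators:", spoofing_indicators(GENUINE))
```

Run against the constructed spoofed message the script reports three indicators; against the constructed genuine one it reports none. In a real mail gateway these header checks would sit beside SPF, DKIM and DMARC verification rather than replace them.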

Theft from databases: Identity thieves are developing new ways to get at the large databases of personal information that government agencies and private companies hold. These criminals have broken into offices to take computer hard drives; sometimes employees are also involved in obtaining useful personal data for them; and they have hacked into databases to take information and damage records.

Shoulder surfing: An identity thief can stand next to a public phone booth and watch you keying in your credit card number (or take note when you give your credit card details over the phone to order a new sofa or book a hotel room), or stand near the till while you are paying for your shopping.

Card skimming: Another very common method nowadays is card skimming. Identity thieves “swipe” or “skim” customers' credit cards at cash points, small local grocery shops and especially restaurants, using a small electronic device known as a skimmer. The thieves then transfer the data to another location, where it is copied onto fraudulently made credit cards.

Note that using the same technique identity thieves can easily convert a local loyalty card such as “Nectar” into a credit card. In other words, identity thieves can easily steal your credit/debit card account number while the card is being used at a restaurant, store or other business location, using a special data collection/storage device known as a skimmer.

Identity theft in e-commerce has produced alarming results. According to TNS Research (August 2006), “87% of online shoppers are concerned about credit card fraud, 85% of online shoppers are concerned about identity theft, 83% of online shoppers are concerned about sharing personal information, and 77% of online shoppers are concerned about spyware”. According to the VeriSign Secured Seal Research Review, “65% of online consumers shop only at sites they know and trust, and 54% of UK online shoppers have abandoned a shopping cart/basket or failed to complete an online purchase due to security concerns.” Forrester Research found that “24% of online consumers stopped purchasing online during the 2005 Christmas shopping season due to security concerns” (Forrester Research, December 2005).

“The system incorporates software on the user's computer that communicates with the Defender Security Server on the other end. When the user connects with the server, a software token is activated that automatically establishes a dialogue with the server. A new password is generated during each session, removing any possibility that the user will forget to change his/her password on a regular basis”. (Venetis, 1999)

Laws and Regulations

Several laws and regulations that address data protection apply to organizations regardless of the nature of their business. A company should comply with some or all of these regulatory requirements. E-commerce business management is responsible for adherence to legal requirements. Several countries make efforts in this regard to protect the confidentiality and integrity of information. Since conventional law is somewhat lacking, it is necessary to look at the national systems of Private International Law. However, the answer differs from one system to another, and even within each system (André, 2001). A brief description of legislation affecting the protection of information follows.

EU Privacy and E-Communications Directive (DPEC):

In July 2002, the European Commission adopted the Directive on Privacy and Electronic Communications (DPEC) [2002/58/EC] in order to adapt data protection principles to “the markets and technologies for electronic communications services in order to provide an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used.” Sometimes referred to as the EU Privacy Directive, the law requires organizations in the electronic communications sector of the European Union to abide by a number of regulations, including:

Article 4 - Security: a) the provider of a publicly available electronic communications service, must take appropriate technical and organizational measures to safeguard the security of its services. b) In case of a breach of network security, network and service providers are required to inform subscribers of risks of such breaches, as well as possible remedies and the likely associated costs.

Article 5 - Confidentiality: Member States must ensure the confidentiality of communications and traffic data, and prohibit interception or surveillance (specifically listening, tapping or storage) of communications without the user's consent.

Article 6 - Traffic Data: Network and service providers must delete traffic data once it is no longer required.

PRIVACY ACT 1986:

This act provides for the prosecution of unauthorized interception of electronic communications. Penalties for disclosing personal information are dictated by this act. Management is responsible for the protection of personally identifiable information.

HIPAA:

The Health Insurance Portability and Accountability Act 1996 enforces the efficient electronic transmission of health information and its maintenance. HIPAA also provides for civil and criminal penalties, including fines, imprisonment or both.

SAFE HARBOR:

The safe harbor approved by the EU (European Union) in 2000 is an important way for U.S. (United States of America) companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the safe harbor assures EU organizations that the company provides adequate privacy protection.

DPA:

The Data Protection Act 1998 is a United Kingdom Act of Parliament that provides the legal basis for the privacy and protection of data of individuals in the UK (United Kingdom). The act places restrictions on organizations that collect or hold data which can identify a living person.

ELECTRONIC SIGNATURE ACT 2000:

This act allows electronic signatures to have the same legal authority as written signatures to authorize transactions.

PRIVATE INTERNATIONAL LAW:

Whenever a court is confronted with a case that contains a foreign element, there are two issues which need to be addressed before the court can resolve the conflict. A common problem arises when the parties reside in different countries: whether the court has jurisdiction to adjudicate the case. If not, the case must move to a court that has jurisdiction. If the court does have jurisdiction, it must then determine which rules apply to the case (Michael, 2001).

The final issue is the question of recognition and enforcement of judgments. The rules and principles a court will use to determine these questions constitute the field of law usually referred to as either Private International Law or the conflict of laws. Unlike uniform law, Private International Law is in fact national law (Lawrence Collins, 2000); hence the forum will always apply its domestic Private International Law to determine the law applicable to the contract and to decide whether it has jurisdiction over the case. However, a number of international conventions to harmonize Private International Law exist; such conventions are implemented by national legislators, hence their provisions are national law and thus subject to differing interpretations.

JURISDICTION:

Technological innovation on the Internet has promoted the trend of globalization and spawned the industry of "e-commerce”, which has forever changed the way companies provide goods and services. Company web sites are accessible to virtually any Internet user in the world. It is this unique global character of the Internet, however, which has prevented a uniform approach to jurisdiction over cases involving consumer transactions via the web. "Jurisdiction is the power and authority of a court to hear and determine a judicial proceeding." (X.M. Frascogna, 2001). The lack of a uniform legal framework for jurisdiction over internet transactions between different countries affects a company's vulnerability to foreign legal judgments in the countries from which its web site can be accessed.

The unpredictability of jurisdiction makes it difficult for companies with web sites to limit their legal liability and inhibits the growth of e-commerce. In Europe, little law concerning jurisdiction on the internet has so far been established; the main instrument for establishing jurisdiction in Europe has been the Brussels Convention, later superseded by the Brussels Regulation, which accommodates the issues pertaining to e-commerce.

Jurisdiction Rules for E-Consumer Contracts:

The purpose of the E-commerce Directive and the Brussels Regulation is to ensure consistency of rules for on-line transactions conducted across borders. However, like the E-commerce Directive, the Brussels Regulation applies only to entities established in the European Union. Thus, these measures are simply for the benefit of the Internal Market and are not to be treated as an attempt to create international private law rules, nor to deal with the global issue of jurisdiction for electronic consumer contracts. The impact on businesses located inside and outside the European Union is the same: the consumer has the right to sue them in the consumer's own jurisdiction. No matter where the business is located (whether in Europe or elsewhere), businesses are likely to encounter difficulties in knowing and understanding the consumer protection and private international laws of each Member State.

To that extent, the Draft Hague Convention is likely to be of great significance. It deals with the same material as the Brussels Convention and Brussels Regulation but for a far wider area: 47 countries are members of the Hague Conference. However, the Draft Hague Convention, like the Brussels Convention and Brussels Regulation, deals only with which courts should have jurisdiction in a dispute and not with what the applicable law should be. This is how the global quest for jurisdiction rules for electronic consumer contracts arises. The conflict between national consumer protection laws, Private International Law and the “virtual”, borderless nature of electronic commerce is evident and must be addressed.

Rules for Consumer Contracts:

The rules governing consumer contracts apply in the specific situations listed in Article 5(2). Where there is no choice of law, the applicable law is the law of the country where the consumer has his habitual residence (Art 5(3), Brussels Regulation). If the contract contains a choice-of-law clause, it may not deprive the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence (Art 5(2), Brussels Regulation).

The special rules concerning consumer contracts apply under certain circumstances. The conclusion of the contract must have been preceded by a specific invitation to the consumer, or by advertising in the country where he is domiciled, and the consumer must have taken the steps necessary for concluding the contract in that country. Thus under the terms of the Rome Convention the consumer cannot be deprived of the consumer legislation of his country as long as the conditions in Article 5(2) are fulfilled. These conditions correspond to the conditions for consumer protection under the Brussels Convention, which have now been amended by Article 15 of the Brussels Regulation with a view to taking account of the Internet.

Consumer transactions were dealt with differently from regular commercial transactions, as consumers were given a choice of jurisdictions. Article 13 of the Brussels Convention defined a consumer contract as a B-to-C contract for goods and services for purposes outside the consumer's trade or profession if it met one of the following requirements:

  • The contract was for the sale of goods on instalment credit terms; or
  • a contract for a loan repayable by instalments, or for any other form of credit, made to finance the sale of goods; or
  • any other contract for the supply of goods or services (Art 13, Brussels Regulation).

The conclusion of the contract had to be preceded by a specific invitation addressed to the consumer or by advertising in his state of domicile, and the consumer had to take in his state of domicile the steps necessary for the conclusion of the contract (Ibid). Article 14 gave the consumer a choice of jurisdictions between either his own domicile or that of the supplier (e.g., the website owner). This bright-line rule left little room for debate: if the contract met the requirements of a consumer contract, the consumer could choose the jurisdiction in which to litigate (Michael Cordera, 2001).

A consumer could also choose to forgo the choice of jurisdiction by agreeing with the supplier, in a forum selection clause, which court would have jurisdiction before entering into the contract. This opt-out was allowed only if it fulfilled several formal requirements. The agreement had to: (1) be in writing; (2) be in a form which conformed to practices established between the parties; and (3) in international trade or commerce, be in a form which accorded with a usage of certain dignity (A. Lindberg, 1997). Jurisdiction was an entirely different matter for suppliers (e.g., sellers): as a restriction on suppliers, Article 14 permitted them to bring suit only in the consumer's domicile. This restriction also applied to non-EU suppliers with branch offices in the EU (Art 13, Brussels Regulation).

The Brussels Convention clearly favored consumers in its jurisdiction provisions.

The appearance of new forms of commerce that did not exist in 1968, e-commerce of course among them, prompted the adoption of an updated version of the Brussels Convention. To address the advent of e-commerce within the framework of the existing Brussels Convention, the EU's Council of Ministers adopted the Brussels Regulation, which came into force in March 2002 (Council Regulation EC, 2000). In revising the rules for disputes arising from consumer contracts, the Council had the clear intention of boosting confidence in cross-border trade, and in e-commerce in particular.

There was a great debate over whether the Brussels Regulation would take a country-of-origin or a country-of-destination approach to consumer transactions. The country-of-origin approach dictates that all legal disputes over transactions contracted over the Internet would be determined by the law of the supplier, where the good or service originated (E. Alexandridou, 2001). The country-of-destination approach applies the law of the consumer's domicile in legal disputes over Internet transactions. The drafters of the Brussels Regulation chose to embrace the country-of-destination approach in the name of boosting consumer confidence in e-commerce.

While the Brussels Regulation does not alter the main structure of the Brussels Convention, it effected certain changes intended to take account of new technological developments related to e-commerce. Specifically, Article 15 of the Regulation provides that the courts of the consumer's domicile have jurisdiction over a foreign defendant if the latter "pursues commercial or professional activities in the Member State of the consumer's domicile or, by any means, directs such activities to that Member State and the contract falls within the scope of such activities.” (Art 15(c), Brussels Regulation). This language expands the range of situations in which a consumer can sue in his or her place of domicile. Under the Brussels Convention, a consumer could sue in his or her own jurisdiction only if the consumer had been subject to a “specific invitation or advertising made in the consumer's state of domicile and consumer has taken necessary steps to be completed in the consumer's domicile”. As a result, a consumer who contracted from a different country, or who cannot prove that he or she contracted from his or her domicile, is not entitled to sue in his or her domicile.

In contrast, the Brussels Regulation abandons the requirement of a specific invitation or advertising and instead covers “any consumer contract concluded with a person who pursues commercial activities in the Member State of the Consumer's domicile by any means”. The phrase "by any means" was not inserted as a catch-all; rather, it is specifically intended to reach Internet-based transactions. Furthermore, the Brussels Regulation makes no mention of the latter requirement that the contract be completed in the consumer's domicile, because for Internet transactions a consumer's physical location is difficult to ascertain. The Brussels Regulation also retained the Brussels Convention limitation which restricts a supplier to bringing suit in the consumer's domicile (Art 16(2), Brussels Regulation).

Lastly, while Article 17 of the Brussels Regulation allows forum selection clauses, it does not allow any such contractual agreement to take away the consumer's right to bring suit in his home jurisdiction unless the agreement is entered into after the dispute arises (Art 17, Brussels Regulation). Ultimately, if a seller is running a web site which is "directing its activities" towards an EU member state, under the Brussels Regulation the seller falls under that member state's jurisdiction. The Brussels Regulation thus clearly protects the consumer's choice of forum by embracing the country-of-destination approach.

Fraud prevention measures and their limitations

Except for the simplest credit-linked cases, identity theft is typically the consequence of severe breaches of privacy.

VULNERABILITIES AND SECURITY OF E-COMMERCE

CREDIT CARDS AT A GLANCE

With early credit cards, it was simple enough for fraudsters to work out how to defeat the limited card protection procedures in place, owing to the lack of security measures and of technological advancement. In 1984 the first significant countermeasure appeared: according to the VISA website, the first computer-based system, the Visa Risk Identification Service, to pinpoint suspicious card transactions at merchant locations. Many countries have since implemented a number of measures to cut fraud levels, but in fraud prevention technology the UK was the first to take the next step, with the introduction of Chip and PIN cards.

Since the early days of plastic fraud, prevention measures have been developed continuously and have become more complex; but as the measures already taken become harder to defeat, criminals turn their own technology to cracking through the defences put in place to secure our plastic nation. Initially the most common form of plastic fraud was card skimming, more widely known as ‘cloning'. This consisted of copying the details on the magstripe of a card to another blank card. Card skimming or cloning was the most successful and the easiest form of fraud for the perpetrator.

Mostly the card is stolen from the actual owner without his knowledge, or the card details are stolen during an online transaction. As new generations of plastic card technology have become more stringent and secure, many criminals have moved away from the standard types of fraud and adopted more advanced or new methods to improve their techniques for capturing card data. Criminals now use methods such as pinhole cameras, key loggers etc. The old, simpler methods are becoming inadequate against the new security techniques and are being phased out as the criminals themselves look to newer technologies that help them.

Magstripes

The use of magnetic stripes, known as magstripes, was one of the most common techniques in the early 2000s, when cards relied heavily on them to hold data. The information normally held on the stripe is the cardholder's name, address, date of birth, 16-digit card number, start, expiry and validity dates and CCV number. This was the information required by an order form etc. to take payment from the account holder's bank account. The problem with the data on the magstripe is that it is very easy to capture and read: “traditionally the process of duplicating cards began at a point of compromise” (APACS, 2005), meaning the actual point where the details were stolen.

Once the data has been downloaded, a simple magnetic reader/writer with its software, plus the necessary hardware or device, is all that is needed to transfer the data to a new card. According to the magstripe standards, a magstripe on a plastic card holds three tracks; these tracks can hold the minimum specified amount of information required to complete one transaction. A track consists of numeric characters holding information such as account name, account number, start date, expiry date and CCV number.
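Because the track layout is fixed and easy to read, the defensive question for a merchant system is not how to read it but how little of it to keep. The following is an added example, not from the dissertation: it parses a track 2 record laid out in the ISO/IEC 7813 convention (PAN, '=' separator, YYMM expiry, three-digit service code, discretionary data), validates the PAN with the Luhn check and returns only the masked PAN and expiry that a merchant may retain after authorization. The sample track uses a well-known test PAN and constructed discretionary data, not a real card.

```python
"""Parse a magstripe track 2 record and reduce it to what may be retained.

Added example, not from the dissertation. The track 2 layout follows the
ISO/IEC 7813 convention; the sample track below is constructed around a
well-known test PAN and is not a real card.
"""
import re

# ;PAN=YYMMSSSDDDD...?   (leading ';' and trailing '?' are the sentinels)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<service>\d{3})(?P<disc>\d*)\??$"
)


def luhn_valid(pan):
    """Luhn mod-10 check applied to card numbers; rejects typos and random digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track):
    """Split a track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a track 2 record")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        "expiry": f"{m.group('mm')}/{m.group('yy')}",
        "service_code": m.group("service"),
        "discretionary": m.group("disc"),
    }


def mask_pan(pan):
    """Keep the first 6 and last 4 digits, the most PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retainable_record(track):
    """Return only the fields a merchant may keep after authorization.

    The full track and the discretionary data (where the card verification
    value lives) are deliberately dropped rather than stored anywhere.
    """
    parsed = parse_track2(track)
    return {"masked_pan": mask_pan(parsed["pan"]), "expiry": parsed["expiry"]}


SAMPLE_TRACK2 = ";4111111111111111=26121011234567890?"   # constructed, test PAN

if __name__ == "__main__":
    print(retainable_record(SAMPLE_TRACK2))
```

The point of `retainable_record` is that the sensitive fields never reach a log or database in the first place; a later audit of stored data then has nothing to find even if the store is breached in the way the next sections describe.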

In the mid-1980s, in response to the increase in plastic fraud, VISA set up its first neural network. That early neural network is much simpler than today's advanced neural networks. At the authorization stage of a sale, these networks can quickly detect suspicious activity on an account. The neural network can easily recognize a variety of anomalies, such as abnormal spending behaviour. That is why the system is called neural: it does not analyse through programming but learns by itself.

The system learns customers' spending behaviour, and the specifics learnt about a person are used to make their account more protected and secure. A magstripe can easily be replicated; therefore it became a necessity for the industry to research new fraud prevention methods. The newest security measure, fully in force from 14th February 2006, is Chip and PIN, which provides a better level of security than the magstripe.
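The idea of learning an account's normal behaviour and scoring each authorization against it can be shown without a neural network. The following is an added example, not from the dissertation or any card scheme: it builds a per-account baseline (mean and standard deviation of amounts, the countries and hours seen so far) from a constructed transaction history and returns an approve/review/decline decision at authorization time. The thresholds and the sample accounts are assumptions chosen for illustration.

```python
"""Per-account spending baseline with anomaly flagging at authorization time.

Added example, not from the dissertation. A simple statistical baseline
stands in for the neural network the text describes; transactions below
are constructed sample data (account, amount in GBP, country, hour).
"""
from collections import defaultdict
from statistics import mean, pstdev

HISTORY = [
    ("acct-1", 12.50, "GB", 9), ("acct-1", 40.00, "GB", 13), ("acct-1", 8.20, "GB", 18),
    ("acct-1", 55.00, "GB", 12), ("acct-1", 22.75, "GB", 10), ("acct-1", 31.00, "GB", 15),
    ("acct-2", 300.00, "GB", 11), ("acct-2", 450.00, "FR", 14), ("acct-2", 275.00, "GB", 16),
    ("acct-2", 520.00, "DE", 12), ("acct-2", 390.00, "GB", 13), ("acct-2", 410.00, "GB", 19),
]


class SpendingProfile:
    """What the system has 'learnt' about one account's normal behaviour."""

    def __init__(self):
        self.amounts = []
        self.countries = set()
        self.hours = set()

    def learn(self, amount, country, hour):
        self.amounts.append(amount)
        self.countries.add(country)
        self.hours.add(hour)

    def score(self, amount, country, hour, z_threshold=3.0):
        """Return (risk_score, reasons); each fired check adds one point."""
        reasons = []
        if len(self.amounts) >= 2:
            mu, sigma = mean(self.amounts), pstdev(self.amounts)
            # Guard against a zero-variance baseline (all identical amounts).
            if sigma > 0:
                z = (amount - mu) / sigma
            else:
                z = 0.0 if amount == mu else float("inf")
            if z > z_threshold:
                reasons.append(f"amount {amount:.2f} is {z:.1f} sd above mean {mu:.2f}")
        if country not in self.countries:
            reasons.append(f"first transaction from country {country}")
        # Time-of-day check: more than 3 hours from any hour seen before.
        if self.hours and min(abs(hour - h) for h in self.hours) > 3:
            reasons.append(f"unusual hour {hour:02d}:00")
        return len(reasons), reasons


def build_profiles(history):
    """Training step: replay the history into one profile per account."""
    profiles = defaultdict(SpendingProfile)
    for account, amount, country, hour in history:
        profiles[account].learn(amount, country, hour)
    return profiles


def authorize(profiles, account, amount, country, hour, block_at=2):
    """Decision at the authorization stage: 'approve', 'review' or 'decline'."""
    score, reasons = profiles[account].score(amount, country, hour)
    if score >= block_at:
        return "decline", reasons
    if score == 1:
        return "review", reasons
    return "approve", reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # acct-1 normally spends small sums in GB during the day.
    print(authorize(profiles, "acct-1", 25.00, "GB", 14))
    print(authorize(profiles, "acct-1", 900.00, "RO", 3))
    # acct-2 routinely spends hundreds across several European countries.
    print(authorize(profiles, "acct-2", 480.00, "FR", 15))
```

Note that the same 480 GBP purchase abroad is routine for the second account and would be a triple anomaly for the first; that per-account dependence, rather than a fixed global limit, is what the text means by the system learning the specifics of a person.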

EMV CHIPS

In 2006, EMV chips were introduced nationally, which cut point-of-sale fraud and also provided a secure method of storing customer data within a chip on a plastic card. The chip was introduced to defeat criminals, as it is much harder to copy an EMV chip than it was to clone a magstripe. A card carrying a smart chip is called a smartcard. The way data is stored on EMV chips is now very secure. Even though these chips have secured one part of the card, they are not resistant to being worked around, as the cards still contain the magstripe as a fallback feature: if the chip does not work or Chip and PIN is not accepted, the customer can still use the card as a magnetic stripe card.

To secure against identity fraud, the EMV chips store and send data intelligently, working alongside neural networks to help identify potential fraud. EMV chips can hold over fifty different data items at a time concerned with risk management, to reduce the risk of fraudulent transactions. In theory these methods are very useful for reducing crime, but “the EMV is mostly used to authenticate the card and check for fallback or to see if the offline PIN has been blocked” (Adams, 2006). Through the way the EMV chip interacts with the neural networks and authorization, sending and receiving information at the same time, the chip itself acts as your personal security assistant, reducing the likelihood of another person using a cloned copy of your card without your consent.

“The primary reason for introducing the chip was to tackle counterfeit card fraud. But card issuers are aware that the memory capacity of the chip gives them the platform to use the chip in other risk management ways” (APACS, 2006).

The data held on the EMV chip and the data sent to and from the terminal are encrypted using industry-standard protection such as DES, or the more secure form, ‘Triple-DES', which is why EMV transactions are meant to be more secure. The algorithm is used to establish the authenticity of the card and chip in real time; it does not merely send and receive data securely. To protect the validity of the card, EMV developers used "Dynamic Data Authentication", which works by issuing each card its own private PIN code within the EMV chip. It provides extra security to the card owner.
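The reason dynamic authentication defeats a cloned card, where a static check does not, is that the card must answer a fresh challenge each time rather than present a fixed value that a skimmer could copy along with the rest of the data. The following is an added example, not from the dissertation and not EMV's actual cryptography: EMV's static and dynamic data authentication use RSA signatures (dynamic authentication signs a terminal-supplied unpredictable number with a per-card private key), whereas this illustration uses a shared secret and HMAC-SHA256 so that it runs with the standard library alone. The card record, the key and the clone are all constructed.

```python
"""Static vs. dynamic card authentication, illustrated with HMAC.

Added example (not from the dissertation, not EMV's real cryptography).
A shared secret and HMAC stand in for EMV's RSA-based SDA/DDA; the
replay property being demonstrated is the same. All values constructed.
"""
import hashlib
import hmac
import secrets

CARD_DATA = b"PAN=4111111111111111;EXP=2612"   # constructed record, test PAN
ISSUER_KEY = b"constructed-issuer-secret"       # assumption: known to terminal


def static_signature(card_data, key):
    """Static authentication: one fixed tag over the card data. Whoever
    copies the data copies this tag too, so a copy verifies like the original."""
    return hmac.new(key, card_data, hashlib.sha256).digest()


def verify_static(card_data, tag, key):
    return hmac.compare_digest(static_signature(card_data, key), tag)


class GenuineCard:
    """Holds the key and can answer any fresh challenge."""

    def __init__(self, card_data, key):
        self.card_data, self._key = card_data, key

    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.card_data, hashlib.sha256).digest()


class CopiedCard:
    """Has the copied card data and one previously observed challenge/response
    pair, but not the key, so it can only replay."""

    def __init__(self, card_data, seen_challenge, seen_response):
        self.card_data = card_data
        self._seen = {seen_challenge: seen_response}

    def respond(self, challenge):
        return self._seen.get(challenge, b"\x00" * 32)


def terminal_dynamic_auth(card, key):
    """Dynamic authentication: a fresh random challenge for every transaction."""
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge + card.card_data, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)


def demo():
    """Returns (static_copy_accepted, dynamic_genuine_accepted, dynamic_copy_accepted)."""
    genuine = GenuineCard(CARD_DATA, ISSUER_KEY)
    # A skimmed copy carries the static tag plus one observed exchange.
    tag = static_signature(CARD_DATA, ISSUER_KEY)
    old_challenge = secrets.token_bytes(16)
    copy = CopiedCard(CARD_DATA, old_challenge, genuine.respond(old_challenge))

    static_copy_ok = verify_static(copy.card_data, tag, ISSUER_KEY)
    dynamic_genuine_ok = terminal_dynamic_auth(genuine, ISSUER_KEY)
    dynamic_copy_ok = terminal_dynamic_auth(copy, ISSUER_KEY)   # False except with 2^-128 chance
    return static_copy_ok, dynamic_genuine_ok, dynamic_copy_ok


if __name__ == "__main__":
    print(demo())
```

The copy passes the static check and fails the dynamic one; the only thing that changed is that the terminal contributed randomness the card had to respond to. That is also why the magstripe fallback mentioned above matters: a stripe carries no secret and can only ever be checked statically.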

Personal PIN Entry Devices (PPED)

Since 2007, most card companies and banks have introduced personal PIN entry devices (PPED). These are handheld pocket-sized devices with no wired connections; they hold the general details of the cardholder in coded form. Whenever the cardholder wants to do online shopping or online banking, he has to insert his card into the device (which looks like a pocket calculator); the device's on-screen display asks him to enter his memorable PIN code, after which it generates another code, through which the online transaction goes through. Note that a generated code cannot be used again; the device generates a new code every time you shop or bank. It is another useful secure technique for online business and banking.
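Both the per-session password in the Venetis quotation earlier and the PIN entry device described here rely on the same property: each code is valid once, so a code captured by a key logger or phishing page is worthless afterwards. The following is an added example, not from the dissertation and not the protocol of any named bank's device; it implements HOTP from RFC 4226 (HMAC-SHA1 over a counter) for the device side and a verifier that accepts each counter value at most once. The secret is the RFC's published test-vector secret, and the local PIN comparison is a simplification.

```python
"""One-time codes for online transactions, using HOTP (RFC 4226).

Added example, not from the dissertation. Shows the property the text
relies on: every code is accepted once, and a replayed or stale code is
rejected. The secret is the RFC 4226 test-vector secret, not a real key;
the PIN check is a simplified local comparison (assumption).
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP value per RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class PinEntryDevice:
    """Handheld token: the cardholder enters a PIN, the device emits the next code."""

    def __init__(self, secret, pin):
        self._secret, self._pin, self._counter = secret, pin, 0

    def generate(self, entered_pin):
        if not hmac.compare_digest(entered_pin, self._pin):
            return None                  # wrong PIN: no code is issued
        code = hotp(self._secret, self._counter)
        self._counter += 1               # a counter value is never reused
        return code


class BankServer:
    """Verifier: accepts each counter value at most once, with a small
    look-ahead window for codes the device generated but never submitted."""

    def __init__(self, secret, window=5):
        self._secret, self._window, self._next = secret, window, 0

    def verify(self, code):
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1       # burn this counter and every earlier one
                return True
        return False


SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret (not a real key)


def run_scenario():
    """Returns a dict of outcomes for the usual cases."""
    device = PinEntryDevice(SECRET, "1234")
    server = BankServer(SECRET)
    first = device.generate("1234")
    results = {
        "wrong_pin_gives_code": device.generate("0000") is not None,
        "first_code_accepted": server.verify(first),
        "replay_rejected": server.verify(first),
    }
    # Two codes generated; the first is never submitted (e.g. browser closed).
    skipped, used = device.generate("1234"), device.generate("1234")
    results["later_code_within_window_accepted"] = server.verify(used)
    results["skipped_earlier_code_rejected"] = server.verify(skipped)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

The look-ahead window is the design trade-off: a larger window tolerates more unsubmitted codes but gives an observed code a slightly longer useful life, which is why verifiers keep it small and advance past every accepted counter.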

“To demonstrate this we have purchased a Chip & PIN terminal off eBay and modified it such that it is completely under our control. To show that this is indeed the case, we have made it play Tetris.” (Drimmer, 2007)

In the near future, new technologies like contactless payment cards are set to come into force. The system works by proximity sensors: the user simply waves the card in front of the sensor to complete a transaction. “The aim of this technology is to speed up the cash payment process by reverting it to a contact less payment method where an entire transaction takes only 0.5 seconds to complete” (VISA, 2007).

SECURITY & CONTROLS

Strong security is essential in e-commerce environments; it includes the security of the information processing facility that runs the e-commerce business. The prime vulnerabilities associated with networks fall into three basic areas:

1. Interception

2. Availability

3. Access and Entry Points

Interception

The information transmitted over communication lines could be captured: “Once security is violated, there is a risk of unwanted disclosure, i.e. someone stealing secure information or modifying the intercepted data, resulting in loss of integrity and other subsequent, more material losses” (S. Anantha Sayana, 2005).

Control for Interception

Management must identify who is responsible for the security and operation of the internet connection and must specify the controls for physical security over telecommunications equipment. Physical security must be evaluated: the location of network termination points, network wiring and distribution points must be checked. The most effective control is encryption, which works in both wired and wireless environments; even if interception happens, good encryption will not leak information. Encryption can exist at the application level or at the router and firewall. Cryptographic encryption is built into the applications used for internet transactions.

Encryption is applicable at all layers of the Open Systems Interconnection model, which gives the network administrator a good degree of flexibility because the scope and strength of protection can be adjusted to meet the specific needs of the application. Encryption at the transport and network layers, which is transparent to most applications, allows information systems to communicate over an insecure medium. Controls for physical access must be designed to protect the organization from unauthorized access, for example bolting door locks, combination door locks, video cameras and manual logging of physical access.

Availability

As time goes by, the span of the network grows and more people get involved in using e-commerce applications, so issues arise about access to shared information. If network connectivity fails there will be interruption to the business and serious consequent damage.

Controls for Availability

High network availability results from three key points:

  • Choice of highly available network elements, that is hardware and software.
  • Creation and maintenance of a high-availability environment.
  • Use of network design and operation practices that emphasize high availability.

Today's networks are parts of a large, centrally managed inter-network. The network administration must ensure that the network is functioning properly from a performance and security perspective. These duties range from monitoring usage and throughput and load balancing to handling security violations. The architect of the information network must ensure that between a resource and an access point (AP) there are redundant access paths, with appropriate automatic routing to divert network traffic to the quickest available path without any loss of data or time. The software used to monitor the network and enact changes should be accessible to the network administrator only. This software is the network operating system software, or IOS, associated with specific network devices, mainly routers and switches.

Access and Entry points

It is common today to see wide area networks communicating with a mix of local area networks, carrying Systems Network Architecture (SNA) traffic or pure LAN-oriented traffic. Almost all organizations are standardizing their communication infrastructure on TCP/IP, and modern routers handle all these technologies, resulting in convenient and well-organized information handling. The practical information network makes it feasible to access the network from anywhere on the globe. Weak access points in networks make confidential information vulnerable to intruders and may let in malicious things such as viruses and worms. The most common way a user accesses resources on the network is TCP/IP, and the fact that TCP/IP networks can be accessed from anywhere is the most serious source of network vulnerabilities in both wired and wireless environments.

Controls for Access and Entry Points

Network administration ensures that the network is functioning properly from a performance and security perspective; these duties include monitoring usage and throughput, and placing controls in the network at the points where it connects with external networks. It is much more common today to standardize the network on a TCP/IP infrastructure. Different technical design approaches are also used, such as limiting the traffic that can come in or go out, and its origin and destination, using configurable firewalls and IDS. Limiting HTTP traffic is a common strategy to restrict access, for example allowing only the authorized administrator to reach the database server and stopping customers from reaching the confidential database. Vendor access for maintenance and development of the information system should be limited to a fixed location, and a log of their activities kept as proof of authorized access. Such controls are implemented through suitable configuration of the rule base in a firewall or through access control lists in the routers.

A WAN needs to be managed and monitored in the same way as a LAN. ISO, as part of its communication modelling efforts, has defined five basic tasks related to network management:

  • Fault management: detects device faults.
  • Configuration management: allows authorized users to know, define and change the configuration of remote devices.
  • Accounting management: holds the records of information resource usage in the WAN.
  • Performance management: monitors usage levels and secures the information stored on data by raising alarms when a threshold has been surpassed.
  • Security management: detects suspicious traffic or system abusers and generates alarms accordingly.

Identification of Access

  • Employees: whether employees have access to the organization's database from outside the office premises.
  • Customers: customers should only have access to the web server, through the internet, using a secure SSL connection.
  • Vendors: vendors must execute a remote login to enter the database system so that their actions can be monitored and recorded.

Identification of access has an important effect on security. Remote access to databases and information resources increases business activity but raises control issues and security concerns. Remote points of entry include VPN as well as dial-up access, for which the authentication mechanism must be appropriate. For wireless access, the use of specific frequencies and hopping patterns, sub-channels, IDs and passwords makes unauthorized access extremely difficult. Physical access to the wired LAN is also an important aspect that should be managed properly. Threats from inside the network are as serious and dangerous as those from outside connections over the internet. To secure the system against internal network threats, all host-based security, such as the security of the e-commerce application and operating system, needs to be tightened.
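The controls described in the two sections above (customers reaching only the web server over SSL, administrators alone reaching the database, vendors from one fixed location with their sessions logged, and everything else denied) are what a firewall rule base expresses as ordered rules. The following is an added illustration written for this section, not code from the dissertation or from any firewall vendor: it models such a rule base in Python with first-match semantics and an implicit default deny, so that a forgotten rule fails closed. All addresses, networks and port numbers are constructed sample values, and the database port is assumed to be PostgreSQL's.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def host(ip: str) -> ipaddress.IPv4Network:
    """Single-address network, the usual way a firewall names one host."""
    return ipaddress.ip_network(f"{ip}/32")


# Constructed sample addressing (an assumption for this example, not the
# company's real network): one web server, one database server, an admin
# subnet and the vendor's single fixed maintenance address.
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = host("10.0.1.10")
DB_SERVER = host("10.0.2.20")
ADMIN_NET = ipaddress.ip_network("10.0.9.0/24")
VENDOR_HOST = host("203.0.113.7")


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, ...]      # permitted destination TCP ports; () = any port
    action: str                 # "allow" or "deny"
    log: bool = False           # write matching connections to the audit log

    def matches(self, src_ip, dst_ip, port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (not self.ports or port in self.ports))


@dataclass
class RuleBase:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, port: int) -> str:
        """Decide one connection attempt with first-match semantics. A
        connection that no rule covers falls through to a logged default
        deny, so an omitted rule fails closed rather than open."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                if rule.log:
                    self.audit_log.append(
                        f"{rule.action} {rule.name} {src}->{dst}:{port}")
                return rule.action
        self.audit_log.append(f"deny default {src}->{dst}:{port}")
        return "deny"


def build_rule_base() -> RuleBase:
    """Rule order matters: specific allows first, then an explicit deny for
    the sensitive server, then the implicit default deny for everything."""
    return RuleBase([
        # customers anywhere reach the web server, and only over HTTPS (SSL)
        Rule("customer-https", ANY, WEB_SERVER, (443,), "allow"),
        # only the admin subnet may open the database port; sessions logged
        # (5432 is assumed here as the database port)
        Rule("admin-db", ADMIN_NET, DB_SERVER, (5432,), "allow", log=True),
        # vendor maintenance: fixed source address, SSH only, logged as
        # proof of authorized access
        Rule("vendor-ssh", VENDOR_HOST, DB_SERVER, (22,), "allow", log=True),
        # anything else aimed at the database is an explicit, logged deny
        Rule("deny-db", ANY, DB_SERVER, (), "deny", log=True),
    ])


if __name__ == "__main__":
    rb = build_rule_base()
    for attempt in [("198.51.100.4", "10.0.1.10", 443),   # customer, HTTPS
                    ("198.51.100.4", "10.0.2.20", 5432),  # customer to DB
                    ("10.0.9.5", "10.0.2.20", 5432),      # admin to DB
                    ("203.0.113.8", "10.0.2.20", 22)]:    # wrong vendor address
        print(attempt, "->", rb.evaluate(*attempt))
    print("\n".join(rb.audit_log))
```

The `deny-db` rule is redundant with the default deny but is kept deliberately: an explicit, logged deny on the sensitive server produces the audit record the text asks for, and it keeps the database protected even if someone later appends a broad allow rule below it.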

APPLICATION SECURITY

In a broader sense, application security also includes the evaluation of end-user computing, which covers specific issues of end-user-developed e-commerce applications that may be flawed either intentionally or unintentionally. Some of these applications are crucial for the business, and supervisory review can be the best practice for providing control in these situations. An access control list is another feature that determines the access rights assigned to each user, dictating which user has which rights (read, delete, modify etc.).

There should be an identification process embedded in applications to accurately identify the participants in e-commerce transactions. In these transactions, the significant risk is transaction authorization: since the communication is electronic, there is uncertainty about authentication.

ENCRYPTION AND DIGITAL CERTIFICATES

Encryption is a technique used to convert plain text into coded information, which cannot be read without converting it back into its original form (i.e. decryption). In the world of e-commerce, encryption is an important part of an organization's security architecture, without which the concept of secure e-commerce transactions cannot be complete. XML encryption is used extensively in e-commerce transactions since it facilitates the secure transmission of large volumes of data. Encryption provides the features of confidentiality, integrity and availability for information that needs to be protected.

Symmetric Cryptosystem

In a symmetric cryptosystem secret keys are used, which means that the parties involved share the same key. It is therefore the responsibility of both parties to protect the key, because this is where the security of a symmetric cryptosystem lies: if a cyber criminal somehow obtains that key, he can easily read the information being communicated between consumers and merchants. Although a large amount of data can be encrypted efficiently by symmetric cryptosystems, they do not provide proof that the sender of the information is actually the right person.

Asymmetric encryption

In asymmetric cryptography the two parties involved hold different keys, i.e. a public key and a private key. Normally, merchants doing business on the internet have their public key available in web directories for public keys, and it is assigned to them by a reliable authority. Asymmetric encryption is more secure than symmetric encryption in the sense that a cyber criminal can easily get the public key but it is much harder to obtain the private key. However, asymmetric encryption has performance issues, which can be solved by a hybrid approach (use of both symmetric and asymmetric encryption).

Authentication

Consumers and merchants should maintain a relationship in which they can both trust each other, which simply means that they have to prove themselves to one another before performing any transaction online; in this manner the risk of fraudulent activity can be reduced. Authenticating themselves in such a way that neither of them can afterwards deny having initiated the transaction is known as non-repudiation. A digital signature is a technique that provides non-repudiation. In a digital signature, a hash value of the message is encrypted with the sender's private key and attached to the message. This encrypted hash value ensures that the information has not been altered during transmission, because when the receiver decrypts the hash value and recomputes the hash of the received message, the original hash value will differ from the hash of a changed message; in this way the integrity of the information is provided. A standard for digital signatures has also been established, known as the “Digital Signature Standard”, formed by NIST in 1991. Specifically, the Secure Hash Algorithms were produced for digital signatures.

Public Key Infrastructure

PKI is designed so that anyone can perform transactions on the internet in a secure environment. Certificates are issued to users, on the basis of which others trust them within a framework. E-businesses publish their certificates on their websites, or one can look up the certificate of a specific merchant in a PKI directory to check its validity. This certificate provides assurance to the customer that the merchant with whom he is making purchases is reliable. A PKI consists of a certificate authority, a registration authority and a certificate revocation list. If someone wants to register for a certificate, the registration authority asks for the necessary information and verifies it; the certificate authority then creates and issues the certificate after receiving confirmation from the registration authority. This certificate carries credentials that consist of the user's identity and public key. If the certificate becomes invalid or is compromised, it is the responsibility of the PKI to publish the details of the revoked certificate on the certificate revocation list.

CHAPTER THREE

Research Design & Methodology

RESEARCH APPROACH

The aim of this study is to evaluate consumers' sensitivity towards e-commerce-based businesses. To develop a theory that is empirically grounded, an inductive methodology is appropriate, as it accommodates the existing theory in our newly developed theory. I used descriptive and quantitative approaches for the study.

The purpose of this research is to identify the best practices for identity management and to evaluate the protection provided for consumers by e-commerce-based businesses. Primary research is utilized in the “literature review” to gain knowledge about the topic. Secondly, I conducted a survey and a content analysis of the websites of companies that sell their products online. To get more opinions from people, I conducted a survey on identity theft in e-commerce from the different perspectives of the public and of professionals. There must be a legal age limit (18) for adults to take the survey online. The purpose of this research is to understand the nature of identity crimes and their impact on the overall system.

The analysis and results will contribute considerably to the final conclusion, which will also be cross-examined. A coding-based system form and questionnaire were designed for the content analysis, in connection with the aims and objectives of this study. Other sources of information are various policies, books, directives, past figures and research data. Helpful articles and information were found by searching the World Wide Web using search engines, which can help to produce improved results. To support the conclusion, a variety of academic articles are also used.

For critique and examination, the policy document will be passed to certain executives and key persons of the company. In connection with the study of the policy document, a meeting with company personnel will then be conducted. Their notes will be recorded and used as part of the conclusion of this study.

Research method

Based on this reality, a content analysis of e-commerce-based businesses has been made in order to check whether a sufficient level of security and protection is provided to customers in the given services. Only a few companies were randomly selected as the sample. These companies were selected because they are more relevant and of considerable interest to the study objectives.

Scheme in the literature

The schemes used in the related research reviewed in this section tend to implement a similar method.

Muhammad (2006) used a questionnaire as the medium to gather data. Alexander (2005) collected his data by a survey questionnaire sent to 28 distributors to study international strategic alliances. ISAAC (2006) collected his data through a questionnaire. All of the above studies used a feedback form (questionnaire) as the standard for collecting their data. Therefore, a questionnaire is the preferable way to collect data (feedback) and to interview where responses have to be obtained from the e-commerce field.

By going to the heart of the matter, it is now possible to understand the results of the study survey and to give sensible ideas and suggestions on their use, based on recommended principles.

The questions were kept as few and as easy as possible; however, it is possible that respondents fail to recognize a question and, without recourse to details, ignore or misread it. To evaluate whether the questions could be understood by the respondents, the survey was pre-tested, although there could be a tendency to recommend or guide respondents towards the answer required.

Most of the survey was carried out through e-mail and postal services. The correspondence for the survey lasted for a period of about five weeks. It was believed that, as a matter of public opinion, the issues of the resulting subjective and objective data were paramount. This led to the ability to evaluate meaningfully the overall understanding of identity theft and practices, as well as the related issues, which can then enable the formulation of balanced suggestions for possible steps to counter identity theft. The duration of the survey was four weeks, and it was carried out with the help of postal services and the e-mail system, as well as by hand to people.

Interview

CHAPTER FOUR

FINDINGS AND ANALYSIS

Finally, the results of this study are represented graphically. From the analysis of the distributed questionnaire so far, it was determined how e-commerce-based business websites in the United Kingdom provide security and protection to customers. These findings also give us an idea that a good number of people around the world have information about identity theft in e-commerce. The facts show that a number of people have not experienced identity theft themselves. These findings also gave an idea of how these websites work in different ways according to the nature of their dealings, and how well they maintain customers' security and privacy. These findings also give good grounds for encouraging customers to participate in e-commerce without uncertainty.

Statistical Analysis based on Questionnaire

As per the statistical analysis based on the questionnaire, the following are the observations:

Privacy:

  • 84.6% of consumers regard privacy as a very important factor for online shopping.
  • 15.4% of consumers say that privacy does not play a very important part in online shopping.

Security:

  • 73.1% consider that security must be present and that it plays a very vital role in online shopping.
  • 26.9% fell into the neutral slab, stating that it is not very important.

Financial Institutions:

  • Regarding financial institutions, 15.4% of consumers consider them a very important element when purchasing online.
  • 26.9% slightly agree on the importance of making purchases through financial institutions.
  • 46.2% are neutral.
  • 7.7% do not consider them important.
  • However, 3.8% did not care.

Trusted Seals/ Trust Level:

The figure clearly shows that:

  • 15.4% of consumers consider that a trusted seal is very important.
  • 42.3% slightly agree.
  • 15.4% were neutral.
  • 3.8% do not consider it important.
  • 23.1% do not care about it.

Legal Issues:

Regarding legal issues, according to the findings, the following respondents gave their views on resolving legal issues:

  • 19.2% of the target audience do not feel comfortable with, or do not pay much attention to, resolving their legal issues.
  • However, 80.8% of consumers felt completely comfortable resolving issues in the country where they made the purchase.

Below are the responses regarding resolving legal issues at the place of business:

  • 80.8% of consumers do not feel comfortable resolving issues at the place of performance of the contract.
  • However, only 19.2% are willing to resolve them at the place of business.

Personal Details:

According to the research findings, the following are the views of the target audience regarding providing personal details:

  • 38.5% of consumers feel comfortable sharing personal details during online shopping.
  • 26.9% of consumers showed neutral behaviour towards it.
  • However, 30.8% of the sampled consumers do not feel comfortable doing so.
  • 3.8% do not want to consider sharing their data in any case.

Privacy Agreement:

According to the findings:

  • Among the total target audience asked about the “Privacy Agreement”, only 50% of consumers showed concern about paying attention to it and feel the importance of the privacy agreement of an e-business company before they purchase online.
  • 26.9% lay between important and neutral. However, only 23.1% were neutral.

Read Law:

  • Overall, 88.5% of consumers do not read the law before attempting to shop online.
  • However, 11.5% of consumers feel the importance of reading and understanding the law before opting for an online purchase.

Product via Mail Order:

  • Even though consumers make online transactions, 69.2% prefer to receive their purchased products via mail order.
  • 30.8% are comfortable with the Internet.

Security of Payments:

  • According to the findings, 42.3% of consumers seriously feel the importance of security of payments while shopping online. According to the target audience, third parties such as online banking, which provides online payment services, ensure the security of payments.
  • Only 15.4% of consumers responded as partially important or neutral towards security of payments.
  • However, 42.3% are completely neutral in this regard.

Disclaimer Info:

  • According to the findings, it has been observed that 84.6% of consumers attach importance to reading the disclaimer information published on the website, containing the terms and conditions, as evidence before making a purchase.
  • However, 15.4% avoid going through the disclaimer information.

Trademark Information:

  • Considering the trademark information used on the website to purchase online, there was no big gap between the positive and negative responses: 46.2% of consumers feel the importance of trademark information.
  • Whereas 53.8% say that it is not important.

Security Threats:

  • Considering the security threats to online transaction payments, 92.3% of the target audience consider them an important element.
  • However, the remaining 7.7% lay between important and neutral.

GRAPH - 5.3

Transaction Security:

  • 80.8% of consumers are very concerned about transaction security and refer to it as one of the most important factors for online shopping.
  • While 19.2% of consumers' responses lay between important and neutral.

In the context of the content analysis performed for the business, it was found that the business has a huge customer base with respect to the services and products it offers. The website of the company covers the purchase and return contract, ownership of the product purchased, liability issues of electronic communication, and loss or damage of products delivered.

On the contrary, the contractual terms and conditions have not been clearly stated on the website, which shows a lack of professionalism and of consideration of consumers' needs, with no priority given to customer satisfaction. Validity and expiry of contracts is based on the e-commerce directive, which is a legislative framework regarding e-commerce.

It lays down a legal framework to enhance certainty and consumer confidence, containing provisions relating to codes of conduct. However, the website does not require any special written form of conclusion by the consumer. The business depends heavily upon contractual selling, which is fulfilled with an order confirmation e-mail. When the e-mail is sent to the consumer, it remains in force until the product is dispatched to the consumer. As far as services and products are concerned, the business offers a wide range, from 101 to 500 products and services.

Since the company has an international e-business network, it follows the framework that removes any legal barriers obstructing the development of electronic trade, with a principle that requires the cross-border flow of information. Regardless of the nature of the business, an important aspect of the website is a registered trademark, which is, as a matter of fact, a necessary part of doing business in a professional way. The company also uses financial institutions for processing transactions because of the security these institutions provide.

A security guarantee (or trusted seal) has been provided by the company, which states that every purchase is backed by a security guarantee. Unfortunately, the website does not provide a facility to keep a record of transactions; as a result, consumers have a lower level of confidence in the website. According to the company policy, customers can choose whether to permit the company to share their information with third parties. The website requires user identification for the trading of goods and services online.

CHAPTER FIVE

POLICY DOCUMENT

Introduction:

On the basis of all the discussions, and after a careful SWOT analysis, I recommend the following policy to such companies. Identity management is the process of establishing and protecting customers' identities. This document is based on the results of the literature review and the investigation made in connection with the impact of identity theft in e-commerce.

Procedures should be in place to prevent the unauthorized disclosure of personal information. Some of the methods that can be included in the process of identity management are:

  • Establish strategies that fulfil the needs of identity management according to the business objectives.
  • Develop a proactive approach to the implementation of the identity management strategy.
  • Organizations should define policies that govern the rules for identity management.
  • The process of identity management should be adequately supervised to ensure consistency.
  • Senior management and the board of directors should provide attention and commitment for the success of the identity management process.
  • The technical and logical environment of the enterprise must be part of this process.
  • Strong identification and authentication mechanisms should be in place so that unauthorized transactions cannot take place.
  • Companies should strictly consider regulatory compliance in order to improve security.
  • The process of identity management should be integrated with the business units and the IT department.
  • Administration cost should be considered in terms of a cost-benefit analysis.
  • Implementation of single sign-on for e-commerce applications and access to transactions can greatly reduce the impact of fraudulent activity.
  • Logical access controls should be embedded in e-commerce applications.
  • Personal information should be classified based on its sensitivity.
  • SSH or SSL should be used for secure transactions and information transfer over the internet.
  • Attempts at transaction processing with doubtful identities should be blocked, and logs should be maintained to investigate such events.
  • Security by obscurity does not work.
  • Organizations should not create a false sense of security by assuming that their e-commerce environment is well protected.
  • Continuous monitoring and improvement of the identity management process must be ensured.
  • Identity data of customers, employees, partners and contractors must be managed separately.
  • All data about identities, passwords and transactions must be in encrypted form and should not be transmitted in clear format.

Compliance:

In order to comply with best practices, the company has to follow standards and conduct periodic audits of its procedures.

Policy Review of XYZ-(UK) LIMITED Company

This company has been selected for the case study because it is more relevant to the research objectives. A review of the company policy related to its e-commerce business is as follows:

Information Classification

The company requires customers who want to purchase online to provide their personal information; what is required depends on the services chosen. The information includes name, address, phone number, e-mail address, the 16-digit credit card number and the last three digits from the back of the card. The customer's address should be verified. Additionally, information such as a fax number is sometimes needed if the customer wants a receipt by fax. Information such as annual revenues, number of employees or industry is required from partners and traders for registration and billing purposes.

The company does not distribute or share customers' e-mail addresses, as noted in its terms of service and required by data protection law. Company policy also includes the utilization of customer feedback obtained from e-mails and the form attached to the website, used to improve service standards and to get ideas on how to improve and increase customer relationship management. The company also has referral relationships with third-party companies who refer their customers to the company.

In this way customers are considered customers of both the company and the referral partner; hence they also share customer details, including contact, account and financial information. The functionality of the applications is to provide services, enhanced by keeping them up to date with the servicing organizations. The company has outsourced its credit card processing management to a third party.

The service provider does not have the right to save or disclose the information obtained during credit card processing. Some businesses are allowed to use the company website for their advertisements, but they cannot collect any information. The company's customers can use web-based applications to store data and information; however, to resolve issues the company can view or access customer information according to the terms of service when required. To monitor and detect unusual activity, information on visiting users is also collected and logged. This also helps to determine visitor volume and statistical information about aggregate usage.

Security and Privacy

It was discovered that the company uses Secure Socket Layer (SSL) technology to ensure that data is transmitted safely, by encrypting the data and providing server authentication along with the use of digital signatures. Moreover, the use of a firewall and advanced security technology prevents unauthorized access by external hackers. Additionally, the password syntax used by the company is unique. These countermeasures ensure appropriate protection of data. The privacy policy of the company is in accordance with the Data Protection Act; the company reserves the right to change its privacy policy and will inform users at least 30 days prior to the change. This also includes an option for customers to opt out of the sharing of their information with others; a customer can do this by sending an e-mail to the company.

“Security threats not only consist of breaks-ins and technology disturbance, but also stalking, impersonation, and identity theft are serious issues that everyone should be concerned about” (Janal, 1998).

Best Practices (Secure Yourself)

Mail Matters

Don't put outgoing mail, especially bill payments, in personal curbside mailboxes. Use Postal Service mailboxes instead or, better yet, drop off your mail inside a post office. Use a locked mailbox with a slot at home, if at all possible. Don't put outgoing mail in an unguarded “out box” at work. Don't write your account number on the outside of envelopes containing bill payments. When out of town, have the post office hold your mail for you, or have someone you trust pick it up every day.

Using Cash Points

Make sure nobody is standing right behind you when you're drawing cash from a cash machine; he or she may be trying to photograph your card number and password with a camera phone. Always shield your hand and the screen, even if no one is right behind you. Pay your bills online using a secure site if that service is available. Don't give out your credit card number on the Internet unless it is encrypted on a secure site. Don't become a victim.

Personal Finance

Examine your credit reports from the major national credit reporting firms at least three times a year to make sure no one has established credit in your name or is ruining your credit after stealing your identity. The recently enacted Fair and Accurate Credit Transactions Act requires that each of the three major credit reporting agencies provide consumers with a free credit report once a year. When you are registering with them and providing personal or financial information from a public phone or by cell phone, make sure no one is listening and try to be in a secure and quiet place.

Shred all financial statements, billing statements, pre-approved credit card offers and the like before throwing them in the trash; cross-cut shredding is best. Minimize the number of identification and credit cards you carry with you, and take only what is absolutely necessary. Cancel all credit cards that you have not used in the last six months: open credit is a prime target if an identity thief spots it in your credit report. Call the credit reporting industry as an extra measure to stop credit card and insurance solicitations from coming to your home.

Personal Banking

Use traveler's checks instead of personal bank checks. Examine all of your bank and credit card statements each month for mistakes or unfamiliar charges that might be the sign of an identity thief at work. Make sure you know when your bills and bank statements normally arrive; if one is late, call to find out why, as it may have fallen into the wrong hands. Use direct deposit whenever possible instead of a paper paycheck. Don't have new checks mailed to you at home; pick them up at the bank. Be alert if you get a call from someone purporting to be from your bank who asks for personal data to update your “records”; this is almost always a scam.

If you're in doubt, hang up and call the bank yourself. Identity thieves have been known to take Social Security numbers from medical charts in hospitals, where the numbers are frequently used as patient identifiers. If you're hospitalized, tell your doctor or nurse to be careful with your chart! Destroy the hard drive of your computer if you are selling it, giving it to charity or otherwise disposing of it; don't just erase the hard drive, physically remove it. Keep your personal information confidential and learn as much as you can about the various kinds of scams being perpetrated to steal your identity. The newspapers are full of tips.

Passwords to be kept strictly confidential

Commit all passwords to memory. Never write them down or carry them with you. Don't give out your financial or personal information over the phone or Internet, unless you have initiated the contact or know for certain with whom you are dealing. Don't exchange personal information for “prizes.” Ask to have the offer put in writing and mailed to you so you can consider it more carefully. Give out your Social Security number only when absolutely necessary. Treat it as confidential information.

Documents that should be given Topmost Security

Don't carry your Social Security card with you; keep it in a safe place at home. Don't carry automotive insurance policies in your car; keep them locked up at home. Don't keep your car registration in your car; if possible, carry it in your wallet. Keep your wallet in your front pocket so a pickpocket can't take it. Hold your purse close against your body by its straps. Burglar-proof your home, then burglar-proof what's inside your home, especially your financial records and important documents (put them in a locked filing cabinet or safe).

Contact the Credit Reporting Agencies

As soon as you know your identity has been stolen, call one of the three major credit reporting agencies. The law requires the agency you call to contact the other two. The agencies will flag your account; this means that any business that wants to view your credit report to give you credit will first have to verify your identity. Upon request, the three agencies will then send you two free reports over the next 12 months.

Working with the Creditors

If you discover unauthorized charges on your credit report or on any billing statement, contact the fraud department of each creditor you believe has been defrauded in your name. You have 60 days from the date you normally receive your bill to notify them. If you notify your creditors within this time frame, your liability for the unauthorized charges will be limited to a nominal fee.

Prevention and Mitigation of Identity Theft at the Corporate Level

It is to be noted that identity theft has become a multi-dimensional problem that needs to be addressed from a number of perspectives, not just the criminal law. A multi-pronged approach to the crisis should be adopted. In particular, in addition to deterring identity theft by more aggressive prosecution and punishment, prevention is a key part of the overall solution. Identity theft can be prevented by keeping sensitive data out of the hands of thieves in the first place. This can be accomplished through better data security and access controls at the organizations holding this data. Increased education for businesses and proper data collection and handling practices will play an important role in a comprehensive approach to the problem of identity theft. Additionally, businesses should truncate credit card numbers and expiration dates on purchase slips. Although many businesses already truncate credit card numbers, doing so is not obligatory.
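The truncation of card numbers and expiry dates on purchase slips described above, as an added example in Python that is not part of this thesis or of any company's system. The text does not say how many digits should remain; the "last four digits" convention, the function names and the sample card number (a standard test number, not a real card) are assumptions made here. The second half of the block adds the check a practitioner would want alongside the rule: a scan that tells you whether a rendered receipt or log line still carries an untruncated number.

```python
import re

# Added example (not the thesis author's code): truncating card data before it is
# printed on a receipt, plus a check that a rendered receipt carries no full PAN.
# Function names, the "last four digits" convention and the sample numbers are
# assumptions made here; the text only says numbers and expiry dates are truncated.

KEEP_LAST_DIGITS = 4                 # assumed truncation scheme: show only the last four
_SEPARATORS = re.compile(r"[ \-]")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the card number masked for printing, e.g. '************1111'.

    Spaces and dashes in the input are accepted and dropped. Input that is not a
    plausible card number is rejected so that a mis-formatted value is never
    passed through to the receipt as-is.
    """
    digits = _SEPARATORS.sub("", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    if not luhn_valid(digits):
        raise ValueError("card number fails the Luhn check")
    return "*" * (len(digits) - KEEP_LAST_DIGITS) + digits[-KEEP_LAST_DIGITS:]


def truncate_expiry(expiry: str) -> str:
    """The expiry date is never needed on a receipt, so it is replaced entirely."""
    if not re.fullmatch(r"\d{2}/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    return "**/**"


def receipt_line(pan: str, expiry: str, amount: str) -> str:
    """Compose the card line of a receipt from truncated values only."""
    return f"CARD {truncate_pan(pan)} EXP {truncate_expiry(expiry)} AMOUNT {amount}"


# Heuristic used to audit receipt templates and logs after the fact: a run of
# 13-19 digits (optionally separated by spaces or dashes) that also passes Luhn.
# Order numbers that happen to pass Luhn would be false positives; treat hits as
# something to review, not as proof of a leak.
_PAN_RUN = re.compile(r"(?<![\d])\d(?:[ \-]?\d){12,18}(?![\d])")


def contains_full_pan(text: str) -> bool:
    """True if text still carries something that looks like an untruncated PAN."""
    for match in _PAN_RUN.finditer(text):
        if luhn_valid(_SEPARATORS.sub("", match.group(0))):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is a standard test number, not a real card.
    line = receipt_line("4111 1111 1111 1111", "12/27", "49.99")
    print(line)
    print("leaks PAN:", contains_full_pan(line))
```

Running the block prints a receipt line of the form `CARD ************1111 EXP **/** AMOUNT 49.99` and reports that it leaks no card number; feeding `contains_full_pan` the raw number instead returns True, which is the condition an automated check on printed or logged output should alarm on.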

A case of identity theft can be shocking to both an individual and a small business. For victims of identity theft, the Government should explore the prospect of introducing an “Identity Theft Passport” that could be easily obtained and used to properly verify someone's identity and that the person is a legitimate victim. This would ease the situation of identity theft victims, who otherwise have to spend countless hours and significant amounts of money to validate their true identity. It would be particularly useful where innocent victims might be falsely arrested and held in custody because of outstanding warrants issued against the actual perpetrators who used the stolen identity documents.

Electronic commerce has grown and expanded rapidly across the world, giving rise to thriving international trading opportunities in which products may be delivered anywhere in the world, regardless of distance. At the same time it gives rise to conflicts and issues of consumer protection against the malpractices and conduct of malicious merchants and internet businesses. This poses serious challenges both to the parties involved in e-commerce and to the companies trying to harmonize ways of resolving these issues.

This report presents the findings of a case study of a company: the strategies the company adopted to protect customer identities and information, the strengths and weaknesses of those methods and techniques, and the changes the company made as a result. The initial review found that the business was in a situation where the security measures it applied may not have been sufficient to build customer trust in online transactions. The consumer survey analysis shows that, overall, consumers regard privacy as very important.

Consumers are very concerned about privacy, whether they are employed or not. The majority of consumers consider security necessary and very important. With this in mind, the analysis of the business shows that although the company had implemented some security features in the past, those measures proved insufficient to protect both the business and its customers from cyber crime. There was a lack of management and administration that put the company out of business.

One of the most crucial things to consider is the requirement to prevent and detect unauthorized access to, and use of, customer identities in order to revoke suspicious transactions. Regarding IT controls, there is a lack of consensus on generally accepted practices for adapting information technology to meet the requirements of e-business; these controls include logical access to e-commerce applications and database servers.

Changes Made by the Company

The company has changed its policy by requiring customers to register initially, so that a unique ID and password are allocated to each customer. Moreover, there had been no VPN for secure transmission between business partners, customers and branch offices, which led to the compromise of sensitive information; as a result of increased security awareness, a Virtual Private Network has been implemented. Similarly, communication of information and transmission of transactions did not take place over a secure SSH connection, which posed the same risk and impact as not implementing the VPN, but afterwards the company realized the need for an SSL connection and deployed the technology. Previously, no legislative protection had been provided to the customers, but this area has also been covered after the lessons learned from the economic losses.

The company has relationships with referral partners with whom it shares customer data, but owing to poor administration of the database management system the integrity of customer data between the two companies was not maintained adequately; the resulting damage forced the company to put proper data administration in place. The company kept its applications updated by installing patches released by the application vendor; however, these patches were not installed and tested in a controlled environment, which increased the occurrence of errors and incompatibility issues and with them the risk of giving fraudsters opportunities to commit fraud. This dispute is in fact still unresolved, but the company is working on it.

In the context of credit card management, the company has upgraded to chip and PIN. The new system has affected the fraud levels suffered by businesses and customers, and credit card crime has decreased by 83%. To protect information from being lost through the use of CGI scripts and Java applets, the company has changed its application system and installed a middleware program with a built-in access control mechanism. The use of cookies has been terminated, since a number of the unauthorized accesses that occurred succeeded in processing fraudulent transactions on the basis of information obtained through cookies from the client's machine. In terms of security, the company has implemented advanced security solutions based on dynamic data and encoded session identifiers, and hosts the services in a secure server environment together with an application-level firewall. In its new policy and methods the company also gives customers the option to update their information by visiting the website and modifying the information fields.
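Two of the changes described in this section, customer registration with a unique ID and password, and session handling based on dynamic data and encoded session identifiers in place of plain cookies, are shown together in the following added Python example. It is illustrative code written for this page, not the case-study company's implementation, which the text does not describe at that level. The choice of PBKDF2 for password storage, HMAC-SHA256 for the session identifier, the 15-minute lifetime, the in-memory user store and all names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example (not the case-study company's code): customer registration with
# salted password hashing, and an HMAC-signed, expiring session identifier that
# binds each session to dynamic per-login data (a random nonce and an expiry time).
# Scheme choices, names, the lifetime and the in-memory store are assumptions.

PBKDF2_ITERATIONS = 300_000          # assumed work factor; raise it for a real deployment
SESSION_TTL_SECONDS = 15 * 60        # assumed session lifetime
SERVER_KEY = secrets.token_bytes(32) # constructed per process; a real deployment loads it from a secret store

_users = {}                          # customer id -> {"salt": bytes, "hash": bytes}
_DUMMY_SALT = bytes(16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(customer_id: str, password: str) -> None:
    """Allocate a unique customer id; the password is stored only as a salted hash."""
    if customer_id in _users:
        raise ValueError("customer id already registered")
    salt = secrets.token_bytes(16)
    _users[customer_id] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(customer_id: str, password: str) -> bool:
    """Constant-time comparison. Unknown ids still do the hashing work so that
    response time does not reveal whether an id exists."""
    record = _users.get(customer_id)
    if record is None:
        _hash_password(password, _DUMMY_SALT)
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(customer_id: str, now: Optional[float] = None) -> str:
    """Encoded session id: base64(payload) + '.' + base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = {
        "sub": customer_id,
        "nonce": _b64(secrets.token_bytes(16)),  # fresh dynamic data for every login
        "exp": int(now) + SESSION_TTL_SECONDS,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    tag = _b64(hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the customer id if the token is intact and unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64(hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):     # tampered with or forged
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) <= now:               # expired
        return None
    return payload.get("sub")


def login(customer_id: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """A session id is issued only after the registered password checks out."""
    if not verify_password(customer_id, password):
        return None
    return issue_session(customer_id, now)


if __name__ == "__main__":
    register("cust-0001", "correct horse battery staple")   # constructed sample customer
    token = login("cust-0001", "correct horse battery staple")
    print("session belongs to:", validate_session(token))
```

The session identifier carries nothing a client can usefully edit: changing the customer id or the expiry in the payload invalidates the HMAC, and the server verifies the tag before it even parses the payload. Because validation depends only on `SERVER_KEY`, no per-session state has to be kept server-side, though a deployment that wants to revoke sessions early would add a store of revoked nonces.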

Based on the information gathered by conducting an online survey of company XYZ, I performed a content analysis to evaluate whether it provides a sufficient level of protection to consumers.

CHAPTER 6

CONCLUSION

It has been observed that globally there are private arrangements as well as government involvement, in the form of best practices, to resolve and reduce the conflicts of identity management in e-commerce businesses. After suffering economic losses and public embarrassment, the company learned its lesson and adopted new methods and solutions to overcome its deficiencies. These changes include the introduction of customer registration, implementation of VPN and SSL connections, provision of legislative protection, appropriate administration, use of new technology for credit card payments, a controlled application processing environment, implementation of advanced-level firewalls and use of strong encryption techniques.

These changes have significantly reduced the risk associated with the e-commerce environment, but there are still some areas on which the company needs to focus its attention to resolve issues in a timely manner. These include: management of outsourcing relationships with service providers and hardware/software vendors; enhancement of the customer relationship management process; renegotiating the terms and contracts with other businesses that use the company's website, with careful consideration and with the company's interests and safety placed first; implementation of compensating controls; providing suggestions and recommendations to customers regarding the use of their identities and keeping their personal information secure; and considering return on investment when looking at costly solutions to improve security.

The coming years will be challenging as cyber criminals come up with new techniques and technologies and try to damage e-commerce businesses. In the meantime, business management has to gain control of its infrastructure and start putting processes in place. These efforts are significant steps for the future but do not provide a complete or comprehensive solution. Continuous effort is necessary in order to protect the business and its customers.

The results of the descriptive analysis of frequencies (percentages) were presented in table form. For further study based on a similar population sample, a mixed research method combining a questionnaire with interviews would have been preferable. The survey observations would then have been supported by data collected during the interviews, and the findings would have been enhanced and led to a more robust conclusion.
