The same technology that's opening Australia's markets to the world has left Australian individuals, companies and governments vulnerable to the attentions of a global pool of sophisticated, technically literate criminals. Worse, it's locking law enforcement authorities into an "arms race" with this new breed of foxes that seems capable of developing at least one new retaliatory technique to overcome every advance in fraud control.
Since shysters have found ways to pervert every commerce system ever developed, from cowrie shells to credit cards, it's hardly surprising electronic commerce is giving the switched-on criminal a new vehicle for nefarious activities. But the extent of Internet-related fraud is an eyebrow-raiser. A 1997 Deloitte & Touche report commissioned by the European Union found cross-border fraud involving Internet abuse, smuggling, banking and investment frauds was costing society $77 billion a year. Of those, the report found, the largest single threat came from Internet fraud, which it attributed to the vulnerability of encryption technology to sophisticated computer vandalism.
In Australia business and regulatory authorities warn that the potential for fraud to cross borders and for international shysters to "eat into the Australian economy" is higher than ever, partly because of the trend towards e-commerce. According to the report, Taking Fraud Seriously: Issues and Strategies for Reform, fraud costs Australia more than $3.5 billion a year and adds $21 to the cost of each insurance policy. Written by the Australian Institute of Criminology for the Institute of Chartered Accountants Fraud Advisory Council, the report notes the global electronic village has brought about a significant growth in fraud opportunity through new products, services and service delivery channels.
Yet there's been no concomitant improvement in detection and prosecution. Fraud control, detection and prosecution techniques are all being run at national levels, rather than under an international approach. Technology-induced globalisation compounds the problem. "This is no more apparent than in the financial sector," the report says. "Bonnie and Clyde no longer have to turn up at a branch in order to rob the bank. Indeed, if they did, they would be severely limiting their potential 'take'. They would now be more likely to try to rob the bank through a technology-assisted approach, from the other side of the world."
Internet fraud is becoming so serious the Australian Securities and Investments Commission (ASIC) recently established a dedicated electronic enforcement division, while police everywhere admit they simply haven't the resources to deal adequately with the problem. Detective Inspector Phil Kaufmann, a manager with the NSW Police Service Commercial Crime Agency, has identified numerous scams being perpetrated on the Internet and says most successful offline fiddles are now being committed online.
"There's been fraud around since Adam played fullback for Jerusalem, and there is always going to be. People will always want other people's money with minimal exposure to themselves," he says.
Credit Card Fraud
To quantify the fraud cost of e-commerce, Kaufmann approached several leading Australian banks in February 1999. One bank reported 70 per cent of all credit card "charge backs" (where the merchant is left footing the bill for a fraudulent credit card transaction) were Internet related. Credit card fraud remains the most insidious Internet fraud perpetrated in Australia.
Perpetrators rely on credit-card generator programs found on the Internet, hack into users' or merchants' computers to obtain stored credit card details, or plant "Trojan horse" programs on PCs to harvest legitimate card details.
There are plenty of credit-card generation applications, bank-identification system guides and instructions for "carding" or for using stolen cards available online. Criminals frequently use stolen credit-card numbers to ring up online purchases -- most typically of high-ticket electronic items or downloadable products like software, music clips and images -- and stick online merchants with the tab.
In some cases, fraudulent transactions have reportedly accounted for 20 per cent or more of Web merchants' sales, until managers took action and installed antifraud software. Other countermeasures include outsourcing credit-card verification to third parties with sophisticated neural-net antifraud software, or developing antifraud systems in-house. Some organisations even take verification procedures offline and check cards manually.
Other types of e-commerce fraud include theft of money, the compromising of trade secrets, the theft of intellectual property and customer data, the misrepresentation of business identity, non-payment and the deliberate misrepresentation of data. Cramming -- billing companies or consumers for services they never ordered -- is also booming. Authorities overseas have identified a range of Internet scams, from "work-at-home" businesses, through services purporting to improve one's credit rating, to investments in exotic products like coconut plantations.
E-commerce Fraud Devastating
Bruce Schneier, president of Minneapolis-based Counterpane Systems, writes in the electronic newsletter Risks-Forum Digest that there are three features of electronic commerce that are likely to make online fraud more devastating than non-technical fraud.
First is the ease of automation. The same automation that makes electronic commerce systems more efficient than paper systems also makes fraud more efficient. "A particular fraud that might have taken a criminal 10 minutes to execute on paper can be completed with a single keystroke, or automatically while he sleeps. Low-value frauds that fell below the radar in paper systems become dangerous in the electronic world. No one cares if it is possible to counterfeit nickels [US five cents]. However, if a criminal can mint electronic nickels, he might make a million dollars in a week."
Second is the difficulty of isolating jurisdiction. In an electronic world without geography a criminal doesn't have to be anywhere near a system he is defrauding -- he can attack Citibank in New York from St Petersburg.
The speed of propagation creates a further risk. News travels fast on the Internet. If someone figures out how to defraud an electronic commerce system and posts a program on the Internet, a thousand people could have it in an hour, a hundred thousand in a week.
Electronic payment systems create security vulnerabilities that lead to instances of fraud being perpetrated on the Internet and funds being stolen electronically, says Australian Institute of Criminology research analyst Dr Russell Smith. Telephone and computer home banking expose other vulnerabilities.
"Already the police have been called upon to investigate two individuals who claimed that they could illegally obtain access into Advance Bank's Internet banking system," Smith says. "The two individuals concerned offered to solve flaws which allegedly existed in the bank's security system in return for a payment of $2 million, thus amounting to a form of extortion." No prosecution occurred, Smith says.
Then there was the case, heard before the New South Wales District Court on 27 March 1998, of an unsuccessful applicant for a position with an Internet service provider. When refused the job he took revenge, illegally obtaining access to the company's database of credit card holders and publishing 1225 sets of cardholder details on the Internet to demonstrate the company's security weaknesses. The business lost more than $2 million and was forced to close its ISP activities as a result.
Nor should the threat of electromagnetic radiation (EMR) scanning be taken lightly. Smith says the risk is remote, but the possibility exists. One British case involved a computer eavesdropper who scanned electronic transaction information transmitted by a bank. Although the information was encrypted, the eavesdropper defeated the code and successfully obtained £350,000 by blackmailing the bank and several customers after threatening to reveal certain information to the Inland Revenue.
As the Institute of Chartered Accountants report points out, it is trite to say that much serious fraud involves the use of highly sophisticated techniques of deception and planning. "Where computers are used in the commission of fraud, difficulties of investigation are exacerbated as offenders are able to disguise their identities and activities through the use of complex electronic technologies. Those who seek to mask their identity through the use of computer networks are often able to do so, by means of 'looping' or 'weaving' through multiple sites in a variety of nations. Electronic impersonation, colloquially termed 'spoofing', can be used in furtherance of a variety of criminal activities, including fraud."
Yet while e-fraud is a growing problem, senior Australian criminal investigators concede off the record that companies have to find a balance between spending too much money combating fraud and not doing enough. "The level of compliance these days has, unfortunately, got to take an acceptable level of fraud as a cost overhead in the business structure. It's whatever is acceptable to you -- we believe it is nil -- but the practicalities of it aren't that clear," one investigator says.
Kaufmann admits it is impossible for any company to achieve "zero tolerance" in e-fraud prevention, but argues that adopting a combative approach at least gets the message out to the public and staff that the company is reliable and committed to fraud reduction. "The lack of proper policies is half the problem anyway. You've got to be a responsible member of the business community and of the wider community and stop crime," Kaufmann says. "I'm the manager of the risk assessment and prevention area. What we're trying to put across is you've got to have an ethical company structure and then you find it easier to put together a control plan and have your staff and personnel acting ethically as well."
Electronic commerce systems should have the goal not of preventing crime, which is impossible, but of detecting and fingering the guilty, Kaufmann says.
Preventing fraud on the Internet would involve the use of both conventional approaches like risk awareness raising exercises and user education, as well as novel technological approaches such as those that can secure cards and hardware. If such measures can't entirely prevent Internet fraud then the aim should be to at least identify the presence of fraudulent transactions quickly in order to reduce the extent of any losses suffered or repeat occurrences.
Other measures include the use of sophisticated neural network software capable of analysing user spending patterns in order to alert individuals to the presence of unauthorised transactions. There is also software capable of monitoring merchant deposits to detect claiming patterns of corrupt merchants.
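A statistical stand-in for the spending-pattern analysis described above, added here as an example; it is not code from any institution or vendor on this page. The card history and the incoming stream are constructed, and the masked card number, field names and thresholds are assumptions. A neural network would learn features like these (amount relative to the cardholder's own norm, a country never seen before, a burst of charges in a few minutes) rather than having them coded by hand, but the alerting logic is the same.

```python
"""Per-cardholder spending profile plus anomaly rules over a stream of
transactions. Added example with constructed data; not an issuer's system."""

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List

CARD = "4111********1111"  # constructed, masked PAN used as the profile key

# Constructed history: two months of ordinary domestic use on one card.
HISTORY = [
    {"card": CARD, "ts": "1999-01-03T10:12:00", "amount": 12.00, "country": "AU", "merchant": "cafe"},
    {"card": CARD, "ts": "1999-01-09T18:40:00", "amount": 45.50, "country": "AU", "merchant": "grocer"},
    {"card": CARD, "ts": "1999-01-15T12:05:00", "amount": 30.25, "country": "AU", "merchant": "fuel"},
    {"card": CARD, "ts": "1999-01-22T19:30:00", "amount": 80.00, "country": "AU", "merchant": "restaurant"},
    {"card": CARD, "ts": "1999-02-01T09:00:00", "amount": 22.10, "country": "AU", "merchant": "pharmacy"},
    {"card": CARD, "ts": "1999-02-08T17:15:00", "amount": 55.00, "country": "AU", "merchant": "grocer"},
    {"card": CARD, "ts": "1999-02-14T08:45:00", "amount": 15.75, "country": "AU", "merchant": "cafe"},
    {"card": CARD, "ts": "1999-02-20T13:20:00", "amount": 60.40, "country": "AU", "merchant": "fuel"},
]

# Constructed incoming stream, in arrival order: one big foreign electronics
# purchase, one normal purchase, then three small downloads within minutes.
NEW = [
    {"card": CARD, "ts": "1999-03-01T02:15:00", "amount": 1899.00, "country": "US", "merchant": "electronics-web"},
    {"card": CARD, "ts": "1999-03-01T14:00:00", "amount": 33.00, "country": "AU", "merchant": "grocer"},
    {"card": CARD, "ts": "1999-03-02T11:00:00", "amount": 29.99, "country": "AU", "merchant": "software-download"},
    {"card": CARD, "ts": "1999-03-02T11:02:00", "amount": 29.99, "country": "AU", "merchant": "software-download"},
    {"card": CARD, "ts": "1999-03-02T11:03:00", "amount": 29.99, "country": "AU", "merchant": "software-download"},
]


def build_profiles(history: List[Dict]) -> Dict[str, Dict]:
    """Per-card profile: mean and population stdev of amounts, largest amount
    seen, and the set of countries the card has been used in."""
    by_card = defaultdict(list)
    for t in history:
        by_card[t["card"]].append(t)
    profiles = {}
    for card, txns in by_card.items():
        amounts = [t["amount"] for t in txns]
        profiles[card] = {
            "mean": mean(amounts),
            "std": pstdev(amounts),
            "max": max(amounts),
            "countries": {t["country"] for t in txns},
        }
    return profiles


def screen(history: List[Dict], incoming: List[Dict],
           window: timedelta = timedelta(minutes=10), burst: int = 3) -> Dict[int, List[str]]:
    """Return {index in incoming: [reason codes]} for transactions that should
    trigger a call to the cardholder. Unflagged transactions are omitted."""
    profiles = build_profiles(history)
    recent = defaultdict(list)  # card -> timestamps of incoming txns already seen
    flagged = {}
    for i, t in enumerate(incoming):
        p = profiles.get(t["card"])
        ts = datetime.fromisoformat(t["ts"])
        reasons = []
        if p is None:
            reasons.append("no_history")  # first-ever use of the card: cannot profile it
        else:
            # Amount outside this cardholder's own pattern: more than three
            # standard deviations above the mean and above anything seen before.
            if t["amount"] > p["mean"] + 3 * p["std"] and t["amount"] > p["max"]:
                reasons.append("amount")
            if t["country"] not in p["countries"]:
                reasons.append("new_country")
        # Velocity: `burst` or more charges inside `window` on one card is the
        # signature of someone testing whether a stolen number still works.
        recent[t["card"]] = [x for x in recent[t["card"]] if ts - x <= window] + [ts]
        if len(recent[t["card"]]) >= burst:
            reasons.append("velocity")
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, why in screen(HISTORY, NEW).items():
        print(idx, NEW[idx]["amount"], NEW[idx]["merchant"], why)
```

The thresholds are deliberately conservative: a single rule firing is a reason to phone the cardholder, not to decline, which keeps false positives from driving away the legitimate customers the fraud controls exist to protect.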
"The solution to electronic funds transfer crime on the Internet will ultimately involve the adoption of a range of strategies, both technological and strategic, in which close cooperation will exist between all those involved in providing and using systems. This includes telecommunications carriers and service providers, financial institutions, retail merchants, and individual users," Smith says. "In planning for the future, it will be necessary to ensure that the weak points in security protocols are not overlooked."Ultimately, though, as with every other area of fraud control, the weak points in Internet commerce will invariably arise out of human factors rather than technological considerations.
Other fraud protection services are available on the Internet at:
http://www.plugnpay.com: Fraudtrak service
http://www.cybersource.com: IVS
http://www.anacom.com: IFS
http://www.antifraud.com: Antifraud service
http://www.fraud.org/internet/intstat.htm: Antifraud Resource
http://www.bbb.com: Antifraud Resource
An Ounce of Prevention
Detective Inspector Phil Kaufmann, a manager with the NSW Police Service Commercial Crime Agency, estimates millions of dollars a year are lost to Internet fraud in Sydney alone. The only effective way to combat e-commerce-related fraud is to adopt proper business management strategies, he says.
Cryptography is often seen as the answer to electronic fraud prevention. Yes, cryptography can potentially make electronic commerce systems safer than paper systems, says Bruce Schneier, president of Minneapolis-based Counterpane Systems, but not in the ways one would expect. While encryption and digital signatures are important, secure audit trails matter even more. Systems based on long-term relationships, like credit cards and cheque accounts, are safer than anonymous systems like cash. But identity theft is so easy that systems based solely on identity are doomed.
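One way to give a payment system the "secure audit trail" Schneier puts ahead of encryption is a hash-chained, keyed log: each record carries an HMAC over its own contents and the previous record's tag, so a later edit, deletion or reordering is visible to anyone holding the verification key. The following is an added example, not code from Counterpane or anyone quoted on this page; the key, field names and sample events are constructed.

```python
"""Tamper-evident audit trail: records chained by HMAC-SHA256.
Added example with constructed events; not a product's implementation."""

import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # the 'previous tag' of the very first record


def _canonical(obj: Dict) -> bytes:
    """Stable serialisation so the same record always MACs to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log. Each record's MAC covers (seq, prev MAC, event), so
    changing any record breaks its own MAC and every record after it breaks
    its chain link; an insider without the key cannot re-seal the trail."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []

    def _seal(self, record: Dict) -> str:
        body = _canonical({"seq": record["seq"], "prev": record["prev"], "event": record["event"]})
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, event: Dict) -> Dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        record = {"seq": len(self.records), "prev": prev, "event": event}
        record["mac"] = self._seal(record)
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Index of the first record that fails, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return i  # gap, reorder or deletion
            if not hmac.compare_digest(rec["mac"], self._seal(rec)):
                return i  # contents altered after sealing
            prev = rec["mac"]
        return None


def demo() -> Dict[str, Optional[int]]:
    """Build a three-record trail, then show that an in-place edit and a
    deletion are both caught. Key and events are constructed for the example."""
    trail = AuditTrail(b"constructed-audit-key-keep-this-in-an-hsm")
    trail.append({"ts": "1999-02-01T09:00:00", "actor": "teller42", "action": "transfer", "amount": 150.00, "to": "acct-0099"})
    trail.append({"ts": "1999-02-01T09:05:00", "actor": "teller42", "action": "transfer", "amount": 20.00, "to": "acct-0101"})
    trail.append({"ts": "1999-02-01T09:07:00", "actor": "admin7", "action": "limit_change", "amount": 5000.00, "to": "acct-0099"})
    intact = trail.verify()

    trail.records[1]["event"]["amount"] = 2000.00   # insider edits a past record
    edited = trail.verify()

    trail.records[1]["event"]["amount"] = 20.00     # restore it...
    del trail.records[1]                            # ...then try deleting it instead
    deleted = trail.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(demo())  # {'intact': None, 'edited': 1, 'deleted': 1}
```

The MAC key belongs with the auditor, not with the application that writes the log; if the writer can re-seal, the chain proves nothing. Publishing each day's final tag to a third party (or printing it) also stops a holder of the key from quietly truncating the trail.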
Interactive Knowledge On-Line CEO Aseem Prakash says measures to prevent fraud need to be company-specific, but should include:
- Twice-yearly risk analysis
- An annual review of fraud prevention measures, including those of every company you do business with online, offering to lend assistance if needed
- A recognition that since fraud carries significant business risk, the MD or CEO should be involved in the planning and decision-making process
- Making completion of security training a part of employee performance reviews
- Performing ethical hacking (sign up for an external program if necessary), deploying software scanning programs and vulnerability-detection systems
- Investing in understanding intellectual property and taking steps to protect it. Do you have an IP agreement with, for example, your employees, contractors, partners? How is intellectual property stored and managed?
- Monitoring legal developments. Do you [the business] understand the proposed Electronic Transactions Bill 1999, released for public comment in January 1999 by the Attorney-General of Australia?
As most Internet payment systems will require the use of a PIN or password for users to gain access to PCs or plastic cards, protection of access codes will remain a primary crime prevention strategy.
Organisations should also ensure potential new staff members are reliable and trustworthy, starting with simple verification of references and qualifications. Standards Australia has recently produced a draft Australian Standard (No DR 99025), which sets out detailed guidelines on effective pre-employment screening of personnel in order to avoid fraud.
Organisations should also regularly monitor personnel in terms of their risk of behaving fraudulently, especially long-term employees with detailed knowledge of security procedures. Be especially alert to the risk of fraud during organisational disputes. Financial institutions and others are turning to artificial neural networks to isolate the fraudulent claiming patterns of merchants.
Companies should also adopt a wide range of technological solutions to reduce the security risks associated with conducting business on the Internet. The NSW Police Service recommends a range of preventative measures.
Users
- Take care when passing unsecured information over the Internet. Where possible use secure, known sites and make use of encryption (SSL, or SET when it becomes available).
- Do not retain passwords or credit card/bank account numbers on your computer.
- Use current and effective antivirus protection.
- Carefully check your credit card statements for unauthorised transactions.
- Check Internet usage on your ISP statement.
- Do not open unsolicited e-mails.
- Regularly update antivirus software.
- Do not leave passwords around your computer.
Merchants
- Insist on fully and properly completed application or purchase orders online.
- Use name/number/address data matching software where available.
- Use Caller Number Display (CND).
- Use callbacks to verify new accounts. Call back to fixed telephones, not mobiles.
- Use credit card algorithm tests.
- Have adequate fraud control plans in place.
- Regularly monitor actions of new accounts for anomalies or irregular ordering.
- Ensure adequate firewall protection for databases.
- Ensure adequate physical security for databases.
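The "credit card algorithm tests" in the merchant list, and the generator programs and bank-identification guides mentioned earlier in the article, both come down to the same two things: the Luhn mod-10 check digit and the bank identification number (BIN) prefix. The following is an added example, not code from the NSW Police or any vendor named on this page; the BIN table is a constructed toy and real ranges come from the acquirer. It shows the test a merchant can run before sending an authorisation request, and also why that test stops typos rather than fraud: the check digit can be computed for any payload, which is all a "generator" does.

```python
"""Merchant-side card number screening: Luhn mod-10 and a BIN prefix/length
check. Added example; the BIN table below is constructed for illustration."""

from typing import Dict, List, Optional, Tuple

# Constructed, deliberately tiny. Real BIN ranges are far more detailed and
# come from the acquirer or the card schemes, not from a hard-coded table.
BIN_TABLE: Dict[str, Tuple[str, Tuple[int, ...]]] = {
    "4": ("VISA", (13, 16)),
    "51": ("MASTERCARD", (16,)), "52": ("MASTERCARD", (16,)),
    "53": ("MASTERCARD", (16,)), "54": ("MASTERCARD", (16,)),
    "55": ("MASTERCARD", (16,)),
    "34": ("AMEX", (15,)), "37": ("AMEX", (15,)),
}


def luhn_sum(digits: str) -> int:
    """Luhn working sum: every second digit from the right is doubled (minus 9
    if the result exceeds 9), then all digits are added together."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the PAN (spaces allowed) is all digits of a plausible length and
    its Luhn sum is a multiple of 10."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and 12 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that makes payload + digit pass luhn_valid. This is the whole
    trick behind the generator programs the article mentions: the test catches
    mistyped numbers, not invented ones."""
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def brand_of(pan: str) -> Optional[str]:
    """Brand from the BIN table, or None if no prefix matches or the length
    is wrong for the prefix. Longest prefix wins."""
    for prefix in sorted(BIN_TABLE, key=len, reverse=True):
        if pan.startswith(prefix):
            brand, lengths = BIN_TABLE[prefix]
            return brand if len(pan) in lengths else None
    return None


def screen_card(pan: str, claimed_brand: str) -> List[str]:
    """Reasons to reject before sending an authorisation. An empty list means
    the number is well-formed, which says nothing about whether it was ever
    issued, or whether the person typing it is its holder."""
    pan = pan.replace(" ", "")
    if not pan.isdigit():
        return ["non-digit characters in card number"]
    reasons = []
    if not luhn_valid(pan):
        reasons.append("Luhn check failed (typo or random number)")
    brand = brand_of(pan)
    if brand is None:
        reasons.append("unknown BIN or wrong length for BIN")
    elif brand != claimed_brand.upper():
        reasons.append("BIN brand %s does not match claimed %s" % (brand, claimed_brand))
    return reasons


if __name__ == "__main__":
    # Anyone can complete a payload with a valid check digit, so a "generated"
    # number passes every test a merchant can run offline.
    payload = "37828224631000"
    generated = payload + luhn_check_digit(payload)
    print(generated, screen_card(generated, "Amex"))      # passes
    print(screen_card("4111 1111 1111 1112", "Visa"))     # Luhn fails
    print(screen_card("4111 1111 1111 1111", "Mastercard"))  # brand mismatch
```

Because a well-formed number proves nothing, the algorithm test belongs at the front of the pipeline as a cheap filter; the decisions that actually cut charge-backs come from the later steps in the same list: address matching, monitoring new accounts, and the issuer's authorisation response.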
"Fraud rates between eight and 20 per cent aren't unusual for new merchants.
But if you follow correct procedures, you can get it below 1 per cent or 2 per cent," says Netrageous Inc owner Audri Lanford, whose Internet ScamBusters site (http://www.scambusters.org) serves around 50,000 electronic-commerce merchants.
Don't Shoot the Messenger
Widespread panic about Internet fraud ignores common sense
On October 28, 1998, the Securities and Exchange Commission announced an unprecedented, nationwide bust. The focus of the high-profile sweep was 44 companies and an assortment of culprits who defrauded investors over the Internet. While the SEC's action was notable because it represented the first attack on Internet-based rip-offs, the publicity surrounding it has contributed to hysteria about the Internet. And for legitimate businesses hoping to capitalise on the convenience and ubiquity that are arguably the Internet's strengths, any hysteria concerning the integrity of the Net is bad news.
Yes, the Internet is new and as such offers those intent on committing fraud a new outlet for doing so. (In fact, several of those busted in the October sweep have committed investment frauds the old-fashioned way in the past, either through the mail or by phone.) But for fraud to succeed, unwitting consumers must take the bait. In that respect, the Internet is no different from late-night infomercials, fast-talking telemarketers or too-good-to-be-true direct mail pitches. The SEC essentially busted violators for the same kind of scams they perpetrated in the real world, only the swindles had a virtual twist: phoney or misleading stock offers or information purveyed through junk e-mail, online newsletters and Web sites.
But despite the similarities, Internet fraud garners a different kind of attention. On a regular basis, The Wall Street Journal prints a list of SEC violators in minuscule type often buried deep within its Money & Investing section. If stock fraud is such a dangerous thing, why is Internet stock fraud the only kind emblazoned across the front pages of Web sites and newspapers? In such cases, the Internet is tainted more than the fraudulent acts themselves. It's a shame to portray the Internet as an omnipotent, somehow malignant force that will not only steal our privacy but rob us blind. As powerful as the Internet is, it doesn't have a mind of its own. Any violation of privacy or fraud that occurs online or otherwise requires the active participation of consumers. At a retail site, consumers have to submit their e-mail addresses and credit card numbers. At Web sites touting IPOs, consumers have to put faith in the prospectus of a company they may never have heard of.
The Internet is no more or less devious than other means used by the unsavoury to steal people's money. That message gets lost in all the hype about the Internet's Big Brother-like capabilities.
That's not to say that victims should be blamed. But a little due diligence on the part of consumers can go a long way in preventing fraud. In a press release posted on the SEC's site, Nancy M Smith, director of the SEC's Office of Investor Education and Assistance, offers some sound advice: "Never, ever make an investment based solely on what you read in an online newsletter or Internet bulletin board, especially if the investment involves a small, thinly traded company that isn't well known. Assume that the information about these companies is not trustworthy unless you can prove otherwise through your own independent research." In this respect, too, the Internet is no different from anything else where common sense and a little homework are the best defences against getting taken.
Executives charged with crafting an Internet strategy must remind their customers of this to avoid being shut out by the panic.
-- Megan Santosus