Hazards and Risks in E-Commerce & Payment Card Industry

Introduction to E-Commerce & Security Issues

In this modern age, online transactions have become an integral part of daily life. We all know how much importance e-commerce has gained in recent years, but along with the advantages, many companies also face serious hazards, the most important being that their data has no privacy. Today we use the Internet for communication, for access to information and, most importantly, to purchase goods and services, and consumers pay for those goods and services with smart cards, credit cards and debit cards. There is always a risk of bogus credit card transactions, and that risk is the main barrier to the growth of e-commerce. It affects both online traders/merchants and online shoppers.

This short report looks at fraud in the payment card industry and at the other security issues companies face in protecting their data. At the end, I will also give a brief overview of the Data Security Standard (DSS) issued by the Payment Card Industry (PCI).

Frauds, Frauds, Frauds

At Visa, fraud is at its highest, at “24 cents for every $100” spent. During 2001, online fraud in credit cards alone was about “$1.2 billion out of sum of online Credit card transactions of $65 billion”. By law, merchants have to bear the losses from all such transactions. Initiatives have been taken to reduce the risks in online transactions: recently, credit card issuers have adopted MasterCard's credit card identification system in order to decrease the rate of fraud. [1]

Smart Cards vs. Debit/Credit Cards

Smart cards, on the other hand, are better protected against misuse than the other cards. The likely reason is that credit and debit cards display the account number, as well as the signature, on the face of the card.

Using Bio-metrics to Secure Payments

The events of September 11 have increased the use of “biometrics technology”. Let's first define it.

“Biometrics technology encodes physical attributes of a person's voice, eye, face, hand and fingerprints, and associates them with biological attributes stored in a file.” [1]

US intelligence agencies, the CIA and FBI, have been using the same technology for security and clearance purposes. At present, this technology is very rarely used for online transactions, for two main reasons. Firstly, the technology is costly, and it can prove expensive to provide it to every customer for the purpose of online transactions; secondly, for privacy reasons, it is difficult to obtain biological attributes from every customer. I personally believe, however, that this kind of technology has to be used in our daily life so that it offers more security to the citizens of the country. What has been happening is that banks and bank-like institutions enjoy charging interest, but I personally believe the time has come for those kinds of institutions to do something special for their customers and provide them with some kind of security.

Security Issues Limit Scope of E-Commerce

As discussed earlier, more and more people are using the Internet. Customers need to know that their merchants are legitimate. In countries like Pakistan, we all know that there is a shortage of credible people and credible companies. Therefore, the scope of e-commerce is likely to be limited by this factor, and also in areas where no such laws are implemented.

Online Auction Systems Scanned

In online auctions, the probability of fraud is even higher. According to the National Consumers League, “most of the frauds come from online Auction sites”, where individuals interact directly to buy and sell their own goods and services. Moreover, the sites do not interfere in pricing: buyer and seller negotiate there and set the prices for their transactions themselves. No guarantee is given of quality or even of delivery of the products. Furthermore, such auction sites make up almost “50% of total auction sites”. On the other hand, there are auction sites, such as eBay (www.ebay.com), that offer both quality and delivery, and they therefore carry less risk than the others. [1]

Repercussions of Loopholes in Security Systems in Firms

Coming back to our original topic, there are severe consequences for not following security guidelines. According to the PCI DSS report, “a security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
1. Regulatory notification requirements,
2. Loss of reputation,
3. Loss of customers,
4. Potential financial liabilities (for example, regulatory and other fees and fines), and
5. Litigation.”
This concerns payment cards only; the threats are wide-ranging, encompassing hardware, software, internal, website and external threats. The consequences are severe and are discussed with each of these major threats. [2]

Major Consequences [2]

Companies have suffered serious consequences for leaving their networks and systems unprotected. These include the following:
1. Data loss: the competitive advantage of codified knowledge is gone
2. Wrong criminal charges: an innocent person is exploited through ID theft, and terrible things can be done under his name
3. Loss of customers: when one company lost its customers' credit card data to hackers, the customers were reimbursed, but more than 70% did not continue to purchase from it
4. Monetary loss: through data theft, companies can lose profits due to loss of customers and reputation
5. Competitor gains key information: loss of emails containing strategic information to competitors can do grave strategic damage to a firm's position
6. Hardware failure
7. Software failure
8. Reduced server performance
9. Fraud
10. Tapping
11. Copying of data
12. Unauthorized access
13. Errors
14. Viruses and vandalism

Vulnerabilities

Internet Vulnerabilities

The Internet is wide open for anyone to access and to break into systems. Once that happens, corporate systems are highly vulnerable to penetration from outsiders, who can take over whole systems, gain access to the data, and even corrupt or destroy personal data. Consider a university such as FC College: it has databases of students' records, fees, transcripts, IDs, etc. If someone gains access to them and corrupts them, all transcript records and IDs are gone. The students are finished and the business is over, at least in the short run.

Wireless Security Challenges

Hackers use sniffer programs while roaming around the buildings of different companies or agencies in order to penetrate their systems. This has resulted in the loss of databases on which a company depends heavily. Data can be manipulated, stolen, corrupted, etc.

Malicious Software Threats & Payment Card Security Standards

The case of “the worst data theft ever”: organizations are constantly threatened by malicious software such as sniffers, viruses, worms etc. We consider only one such case, in which a vulnerable network containing credit and debit card databases was hacked because of non-compliance with the PCI DSS standards.
The firm T.J. Maxx had very weak and outdated encryption. On top of that, hackers gained access to all of its databases of credit and debit card holders through vulnerable wireless systems. The hackers stole more than 41 million credit and debit card numbers and caused financial losses of more than $75 million. They got into the systems by installing sniffer programs on the retailer's networks. Moreover, TJX did not adhere to the PCI DSS standards. For all of this, TJX had to pay $40.9 million to banks and spent $202 million to deal with litigation fees, etc. More than 75% of its buyers refused to continue shopping there. [2]
Computer Crime

Vulnerable systems give rise to various kinds of computer crime, including:
1. Breaching the confidentiality of protected computerized data
2. Accessing a computer system without authority
3. Using emails for threats and harassment
4. Unauthorized copying of software or intellectual property
5. Data transmission
Payment Card Industry Data Security Standard (PCI DSS)

Companies that use payment systems in their businesses should comply with the latest version of the PCI security standards. We saw the case of T.J. Maxx, ruined by non-compliance with these standards. What are these standards? The following table summarizes the major requirements of PCI DSS; they are expounded at length in the documents on its website:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Source of the whole table: [3] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#cite_note-2 and [4] https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

These standards are the bare minimum that payment card industries must adhere to in order to protect their systems from the various vulnerabilities discussed in this report.
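As an added example (not from the report or from the PCI DSS documents), the following Python shows what requirement 3, “protect stored cardholder data”, means in practice for a merchant's own database: the full card number (PAN) is never kept, only a masked form for display and a keyed hash for recognising a returning card. The function names are my own, and the card number and key are constructed test values.

```python
import hashlib
import hmac

# Added illustration of PCI DSS requirement 3 (protect stored cardholder data).
# Function names are the author's own; the card number used below is a
# constructed test value, not an issued card.

def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum (catches typos, not fraud)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    # Walk right to left; double every second digit and fold it back below 10.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows
    to be displayed; every digit in between becomes 'X'."""
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid card number")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets a merchant recognise a returning card
    without keeping the PAN. An unkeyed hash would not do: the PAN space is
    small enough to enumerate, so the key must live outside the database."""
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid card number")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def store_card(pan: str, key: bytes) -> dict:
    """The only card fields a merchant record should contain."""
    return {"masked_pan": mask_pan(pan), "ref": pan_reference(pan, key)}

if __name__ == "__main__":
    record = store_card("4111 1111 1111 1111", b"constructed-demo-key")
    print(record)  # masked_pan is 411111XXXXXX1111; the full PAN never appears
```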
Let's talk about the minimum security level that one can easily opt for. A secure system literally means that the information it contains, and the system itself, are safe from theft, natural disaster, malicious software, cyber attack and any kind of manipulation or tampering. Companies around the world spend millions of dollars to make sure that their systems are secure, and for this purpose they have special teams, headed by a top official, that monitor system security. If a system is not secure, the repercussions can be very negative; they can affect firms and individuals drastically and have long-lasting effects on the operation of the system and the business. The different repercussions of unsecured systems, along with remedial measures, are discussed below.

When systems are unsecured, it is an open invitation for all malicious software to come and attack the system. Malicious software such as worms, Trojan horses, viruses and spyware are also known as silent killers. These malicious creatures can affect a system in a big way: viruses can completely stop a system from working, and malicious software can bring about the collapse of the whole system. Furthermore, it can cause the loss of important data, files and information, inflicting heavy losses on the firm, as these files may be necessary for the normal operation of the business. To stop malicious software from affecting the system, there should be up-to-date anti-virus software along with a strong firewall.

Furthermore, unsafe systems can easily be accessed by anyone, such as a hacker or a cracker, who can steal important information from the system, for example CNIC and driver's license numbers, credit card numbers etc., leading to identity theft. Stolen information can be used by a competitor of the firm, endangering the company's future strategies or wiping out its competitive advantage.
To stop this, there should be a strong firewall protecting the system, and an intrusion detection system to detect any intruder trying to access it. An unsecured system can also hurt the business through lost sales: it can be stopped from working by malicious software, which affects the sales of a business that operates mainly through computers and can hurt e-commerce badly. An unsecured system is also easily affected by spoofing, which results in the gathering of important personal information and loss of business. Another disadvantage of an unsecured system is that the working of a website can be disrupted by a distributed denial-of-service (DDoS) attack, which uses hundreds or thousands of computers to flood the network and keep it so busy that no one can access it; this strategy can be adopted by any of your competitors so that most of the customers come to him. This can cause great loss to e-commerce companies, because customers who wanted to make an online purchase won't be able to access the website. The proper remedy to these problems is again up-to-date anti-virus software with a strong firewall, and investment in fault-tolerant computers.
Some people believe that when they form a network within a company, the network is safe. The answer to this is that systems are attacked not only by outsiders but also by insiders, for example employees. When there are no security standards and systems are unsecured, they can easily be accessed by any employee of the company, who might extract important pieces of information from the computer. If security is inadequate, it can also result in the theft of the physical system itself. To overcome this problem there should be an acceptable use policy for the company's equipment. Furthermore, there should be authorization management systems that determine which parts of the company and its corporate database each employee is authorized to access.
When a system is unsecured, it can easily be monitored by anyone. This act is also called sniffing. A hacker can easily monitor what the user of the system is doing, and in the process he learns various information which he can use for purposes such as blackmail or buying something online. Many governments around the world invest heavily to get rid of this problem. To overcome it, strong encryption should be used to protect you from being monitored. For example, BlackBerry has a strongly encrypted network on which no one can monitor the messages sent, and this is why BlackBerry is trusted by corporate people around the world. One corporate person I personally know is Mr Suffian Mazhar, the owner of a software house based in Canada. Currently, he is teaching courses related to MIS at the School of Management, FC College, and for him teaching is more of a hobby. Furthermore, he also thinks the same about BlackBerry, and at his software house he is using MIS systems to take care of that from Pakistan. Firms can encrypt their network traffic through Secure Sockets Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP).
In this age of technology, one should be aware of the electronic dangers confronting firms. Firms should invest properly in the security of their systems, because it is the way forward for companies, especially e-commerce companies. Companies should also turn this point into a competitive advantage.
In the end, to finish the whole topic, I will quote the words of Miss Saira Anwar in CSCS 100, Section D, at FCCU: “Nothing is safe when more than one computers are connected to form a network........”.
