
Chapter Nine: E-Commerce Security and Fraud Protection W9.1

ONLINE FILE W9.1 Application Case

HACKERS PROFIT FROM TJX’S CORPORATE DATA

The Problem

The huge data theft at discount retail conglomerate TJX Companies illustrated the hackers’ trend toward profit-motivated cybercrimes. Hackers sought to rob TJX of its most valuable information. TJX operates about 2,500 retail locations in North America and Europe, including T.J.Maxx, Marshalls, HomeGoods, and AJWright. The company reported that a network intrusion had compromised some of its customers’ personal data—credit and debit card and driver’s license data.

TJX officials said that outsiders gained access to the computer network that stored customers’ credit card, debit card, and check information. The information involved was drawn from stores in the United States, Puerto Rico, Canada, the United Kingdom, and Ireland. A majority of the data related to individuals who shopped at its stores during 2003, and between May and December 2006.

The massive data breach seemed to involve someone who had TJX’s encryption key. But it might not have been needed since the cyberthief was accessing data during the card-approval process before it was encrypted. The intruders had planted software in TJX systems to capture data throughout the day and then did a “postevent cleanup” to eliminate traces of the software. In effect, TJX’s network was infected by a computer worm that was placed on its mission-critical systems. That worm remained there undiscovered for 18 months.

The Response

In response to this incident, TJX did the following:

◗ Worked with all major credit and debit card firms to help investigate potential fraud.

◗ Worked with law enforcement officials including the U.S. Department of Justice, U.S. Secret Service, and the Royal Canadian Mounted Police.

◗ Directly contacted customers whose information was known to have been exposed because of the intrusion.

◗ Offered additional customer support to people concerned that their data may have been compromised.

◗ TJX spent $5 million in a three-month period dealing with this breach, including costs incurred to investigate and contain the network intrusion, harden computer security and systems, communicate with customers, and technical, legal, and related fees.

In addition, several banks issued warnings to customers whose data may have been involved in the incident, as have the credit card brokers.

Containment via a Quiet Period

TJX delayed revealing details of the intrusion at the request of law enforcement officials. This quiet period has become a common practice to give investigators time to gather evidence of data incidents before making details of the events known to the public.

Hardening Information Security

TJX significantly strengthened its computer and network security after the incident and hired IT specialists General Dynamics and IBM to help investigate and assess how much data had been stolen.

Ben Cammarata, chairman of TJX Companies, issued a statement to reassure its customers as well as investors. He stated:

Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping in our stores. Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use.

Lessons Learned

This network intrusion highlights the unending efforts of criminals (hackers and malware code writers) to target massive databases of consumer information. That information is then sold to other parties for identity fraud, fraud, and other crimes. Dr. David Taylor, vice president of data security strategies at security software maker Protegrity Corporation in Stamford, Connecticut, warned that information stolen directly from computer databases will be used in criminal activity more often and more quickly than data residing on misplaced equipment.

While a majority of the high-profile data incidents reported over the last several years have involved lost or stolen laptop computers, or misplaced backup storage tapes, there has also been a string of incidents that reflect criminal attempts to steal valuable corporate information.

There are thousands of security breaches every hour. Here we have compiled a few illustrative examples. In January 2007, TJX Companies disclosed that data from 100 million credit and debit cards had been stolen by hackers starting in July 2005. TJX’s data heist was the largest breach ever to date based on the number of records involved. Following the disclosure, banks said that tens of millions of dollars of fraudulent charges were made on the cards. The Massachusetts Bankers Association sued TJX for negligence. The FTC filed a complaint alleging TJX did not have the proper security measures in place to prevent unauthorized access to the sensitive, personal customer information. The total cost of the data breach was an estimated $197 million. To compare this cost to TJX’s financials, see google.com/finance?fstype=ia&q=NYSE:TJX.

M09_TURB9235_03_SE_WC09.QXD 8/13/10 8:08 PM Page W9.1

W9.2 Part 4: Other EC Models and Applications

Questions

1. How did intruders gain access to TJX’s customer data?

2. For how long did the intrusion go undetected? Why?

3. What costs did TJX incur as a result of this intrusion?


Online File W9.2 Top Cybersecurity Areas in 2008

1. Increasingly sophisticated Web site attacks that exploit browser vulnerabilities—especially on trusted Web sites. Web site attacks on browsers are targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. Also, Web site attacks are becoming more sophisticated and can disguise their destructive payloads (the malicious part of the malware). Attackers are putting exploit code on popular, trusted Web sites that visitors believe are secure. Putting hidden attack tools on trusted sites gives attackers a huge advantage.

2. Increasing sophistication and effectiveness in botnets. Storm worm, which was not a worm, began spreading in January 2007 with an e-mail saying, “230 dead as storm batters Europe,” and was followed by subsequent variants. Within a week, it accounted for one out of every twelve infections on the Internet, installing rootkits (sets of network administration tools to take control of the network) and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm used peer-to-peer (P2P) networks to launch (control) the attack, so there is no central controller to take down to stop it. New variants and increasing sophistication will keep Storm worm and other even more sophisticated worms as serious threats.

3. Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data, and phishing. One of the biggest security stories of 2007 was the disclosure of massive penetration of federal agencies and defense contractors and theft of terabytes of data. Economic espionage will increase as nations steal data to gain economic advantage in multinational deals. The attack involves targeted phishing with attachments, using social engineering methods so the victim trusts the attachment.

4. Mobile phone threats, especially against iPhones and VoIP. Mobile phones are general purpose computers so they are targeted by malware. A mobile platform is also a platform for unforeseen security risks. The developer toolkits provide easy access for hackers. Vulnerabilities of VoIP phones and attack tools that exploit those vulnerabilities have been published on the Internet.

5. Insider attacks. Insiders have a significant head start in attacks that they can launch. Insider-related risk as well as outsider-related risk has skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs.

6. Advanced identity theft from persistent bots. A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used e-mail addresses, and more. They keep gathering data until criminals have enough to pass basic security checks, which enables advanced identity theft.

7. Increasingly malicious spyware. Criminals and nations continue to improve the capabilities of their malware. Additionally, some of the Storm variants are able to detect investigators’ activity and respond with a DoS attack against the investigators, making investigation more difficult. Advanced tools will resist antivirus, antispyware, and antirootkit tools to help preserve the attacker’s control of a victim machine. In short, malware will become stickier on target machines and more difficult to shut down.

8. Web application security exploits. Large percentages of Web sites have vulnerabilities resulting from programming errors. Adding to the risk exposure are Web 2.0 applications that are vulnerable because user-supplied data (which could have been supplied by hackers or others with malicious intent) cannot be trusted. Web attacks will increase because of the exposure created by Web 2.0 vulnerabilities and programming errors.

9. Increasingly sophisticated social engineering including blending phishing with VoIP and event phishing. Blended approaches will increase the impact of common attacks. For example, the success of phishing is increased by first stealing users’ IDs. A second area of blended phishing combines e-mail and VoIP. An inbound e-mail, disguised to look as though it was sent by a legitimate credit card company, asks recipients to reauthorize their credit cards by calling a 1-800 number. The number leads them via VoIP to an automated system in a foreign country that asks that they key in their credit card information.

10. Supply chain attacks infecting devices (e.g., thumb drives and GPS) distributed by trusted organizations. Retailers are becoming unwitting distributors of malware. Devices with USB connections and CDs packaged with them sometimes contain malware that infects victims’ computers and connects them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but also contain malicious software.


Online File W9.3 Examples of Internet Fraud

1. Oprah’s Millionaire Contest Show

The scam sent an e-mail claiming that the recipient had been nominated to be on an Oprah show during which the cash winner would be named. Those “chosen” for the show are told to send money to pay for an airline or train ticket to Chicago for the program. They even have to pay to get into the show. (The show is free!) (For additional Oprah scams see: oprah.com/article/oprahdotcom/scams.)

2. Typical Phrases in E-Mail Fraud

These were compiled from microsoft.com/protect/fraud/phishing/prevent.aspx.

◗ “Verify your account.” Businesses do not ask you to send passwords, log-in names, social security numbers, or other personal information through e-mail. If you receive an e-mail asking for this information, it is a scam.


If you receive an e-mail message from Microsoft asking you to update your credit card information, do not respond: this is a phishing scam. To learn more, read “Fraudulent e-mail that requests credit card information sent to Microsoft customers.”

◗ “You have won the lottery.” The lottery scam is a common phishing scam known as advanced fee fraud. One of the most common forms of advanced fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to well-known companies.

◗ “If you don’t respond within 48 hours, your account will be closed.” These messages convey a sense of urgency so that you’ll respond immediately without thinking. A phishing e-mail message might even claim that your response is required because your account might have been compromised.

3. Spoofed Web Sites

Fake, copycat Web sites are also called spoofed Web sites. They are designed to look like the legitimate site, sometimes using graphics or fonts from the legitimate site. They might even have a Web address that’s very similar to the legitimate site you are used to visiting (e.g., verify-microsoft.com).

Once you are done at one of these spoofed sites, you might unwittingly send personal information to the con artist. If you enter your log-in name, password, or other sensitive information, a criminal could use it to steal your identity.

Here’s an example of the kind of phrase you might see in an e-mail message that directs you to a spoofed phishing site:

◗ “Click the link below to gain access to your account.” Phishing links that you are urged to click in e-mail messages, on Web sites, or even in instant messages may contain all or part of a real company’s name and are usually masked, meaning that the link you see does not take you to that address but somewhere different, usually an illegitimate Web site.

Example of a masked Web address:

Link as displayed in the message: https://www.woodgrovebank.com/loginscript/user2.jsp
Real address revealed on hover: http://192.168.255.205/wood/index.htm

Note that resting (but not clicking) the mouse pointer on the link reveals the real Web address, as shown in the lower part of the box.
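The hover check above can be automated on the receiving side. The following Python script is an added example (not from the textbook or from Microsoft’s guidance): it parses the anchors in an HTML e-mail body and flags any link whose visible text looks like a URL but whose href actually resolves to a different host. The sample message is constructed and reuses the woodgrovebank address shown above.

```python
"""Masked-link detector for HTML e-mail bodies (added example, not the book's code).

Flags <a> elements whose visible text names one host while the href points at
another, which is exactly the "masked" link the woodgrovebank example shows.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower()


def text_looks_like_url(text: str) -> bool:
    """True when the visible link text is itself written as a Web address."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_masked_links(html: str) -> list:
    """Return one finding per anchor whose displayed host differs from the
    host the href really leads to. Visible text starting with 'www.' is
    prefixed with 'http://' so its host can be parsed like any other URL."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not text_looks_like_url(text):
            continue  # plain words such as "click here" cannot be compared
        shown = text.strip()
        if shown.lower().startswith("www."):
            shown = "http://" + shown
        shown_host, real_host = host_of(shown), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


# Constructed sample: the textbook's masked address plus one honest link.
SAMPLE_EMAIL = """
<p>Click the link below to gain access to your account.</p>
<a href="http://192.168.255.205/wood/index.htm">
  https://www.woodgrovebank.com/loginscript/user2.jsp</a>
<p>Questions? Visit
<a href="https://www.woodgrovebank.com/help">https://www.woodgrovebank.com/help</a></p>
"""

if __name__ == "__main__":
    for f in find_masked_links(SAMPLE_EMAIL):
        print(f"masked link: shows {f['shown']} but goes to {f['actual']}")
```

The same comparison applies to lookalike hosts such as the verify-microsoft.com example above, since the displayed and actual hosts are compared as whole strings rather than by brand name.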

4. Spring Break Offers

Scammers (and/or spammers) offer free or extremely inexpensive “deals,” such as:

◗ Experience Cancun with a complimentary accommodation.
◗ Four days and three nights in beautiful Cancun, Mexico, for free.
◗ Need a vacation? Get great travel deals sent right to your inbox.

While the promise of a “free” vacation may be appealing, it is important to remember a few facts about these offers. The offer came from a spammer who may use your personal information, such as credit card details you provided, for their own ulterior motives. Some spam messages provide “a disclaimer” stating that the traveler would be responsible for all applicable incidental hotel taxes and transportation costs. Consumers should be reminded that “there is no such thing as a free lunch” or a free vacation.

5. Getting “Paid” to Write Blogs

The e-mail message indicates that “Freelance Writers are needed” to “Post in Blogs” in order to get paid $12 to $50 per hour. Just write one or two short, simple articles or blog posts every day and you’ll be bringing in several hundred dollars of cold hard cash per week, almost effortlessly! Sounds good, right? But then the catch. . . As soon as you log in to our exclusive, members-only area . . . For only $2.95, you will be asked to provide personal contact information and credit card details. The sites may lure recipients into a false sense of security by including two security logos to tout the supposed reliability of dealing with this site.

6. Too Good to Believe All the Way from West Africa

Received by one of the book’s authors.

FROM: DESK OF DR. XYZ
AUDITING AND ACCOUNTING SECTION OF BANK OF AFRICA (B.O.A.)
OUAGADOUGOU BURKINA-FASO

Dear Friend:

I know that this mail will come to you as a surprise. I am the director in charge of auditing and accounting section of Bank of Africa Ouagadougou Burkina Faso in West Africa. I hoped that you will not expose or betray this trust and confident that I am about to expose on you for the mutual benefit of our both families.


We need your urgent assistance in transferring the sum of $10.5 million United States dollars immediately to your account. The money has been dormant for years in our Bank here without anybody coming for it. We want to release the money to you as the nearest person to our deceased customer (the owner of the account) who died along with his supposed next of kin in an air crash in July 2000.

We don’t want the money to go into our bank treasury as an abandoned fund. So this is the reason why I contacted you, so that we can release the money to you as the nearest person to the deceased customer. Please we would like you to keep this proposal as a top secret and delete if you are not interested. Upon receipt of your reply, I will send you full details on how the business will be executed and also note that you will have 35% of the above mentioned sum if you agree to transact the business with us.

In acceptance the following information stated below you are required to provide us with:

1. Your age
2. Your full name and address
3. Your marital status
4. Your occupation/profession
5. Your direct telephone/fax numbers
6. Your passport details for legal operations
7. Your bank account details

Yours Sincerely,
Dr. XYZ

P.S.: Make sure you keep your transaction as your top secret and make it confidential till we receive the fund into the account that you will provide to the bank. Don’t disclose it to anybody “Please,” because the secrecy of this transaction is as well as the success of it.

7. Making a Fortune from Political Misery

Here is another e-mail received by one author:

Dear Friend,

I am Marina Litvinenko, wife of Alexander Litvinenko, a former Russian security officer who died in London hospital after apparently being poisoned with the highly-toxic metal thallium by Mr. Lugovoi, a Russian Government Paid agent.

This is my husband’s life in a video for your full understanding. . . Please I want you to assist me to remove US$9.5M given to my husband before his death by Mr. Berezovsky, a Russian Billionaire exiled in UK for exposing an alleged plot to assassinate him by the Russian Authority and to investigate the death of Anna Politkovskaya, a Russian Journalist believed to have equally been poisoned by the Kremlin for writing a book: The Putin’s Russia: Life in a Falling Democracy depicted Russia as a country where human rights are routinely trampled.

The funds are deposited with a financial firm in Europe and I will want to relocate these funds for investment in your region and with your assistance and advice.

As soon as I receive the response, I will furnish you with more details on this issue that is stressing me so badly. I do not mind drawing a business agreement with you.

Best regards,
Mrs. Marina Litvinenko

8. An Example of a Spoof E-Mail

FROM: THE NATIONAL CREDIT UNION ADMINISTRATION (COMES WITH AN IMPRESSIVE LOGO)

Dear Credit Union Member:

You have received this email because you or someone had used your account from different locations. For security purpose, we are required to open an investigation into this matter.

In order to safeguard your account, we require that you confirm your online banking details. To help speed up to this process, please access the following link so we can complete the verification of your Credit Union Online Banking Account registration information. https://www.ncua.gov/administration/auth/Authorize?=Submit


If we do not receive the appropriate account verification within 48 hours, then we will assume this Credit Union account is fraudulent and will be suspended.

The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community.

We appreciate your support and understanding and thank you for your prompt attention to this matter.

Thank you,
Credit Union Security Department

This was sent to one of your authors who does not even have a credit union account.

9. With 1.3 Billion Chinese, You Can Get Rich Quickly

In early March 2009, a Chinese scammer sent millions of e-mails in China, requesting borrowers to return to him, Mr. Wang (a very common name in China), the money he lent them, or. . . Within a week, hundreds of people who owed money to Mr. Wang sent money to the mailbox provided in the e-mail (for a total of $200,000). The police were alerted, and the criminal was apprehended.


Online File W9.4 Life Cycle of an EC Security Program

Organizations that do not follow such a life-cycle approach in developing, implementing, and maintaining their security management programs usually:

◗ Do not have policies and procedures that are linked to or supported by security activities.
◗ Suffer disconnect, confusion, and gaps in responsibilities for protecting assets.
◗ Lack methods to fully identify, understand, and improve deficiencies in the security program.
◗ Lack methods to verify compliance with regulations, laws, or policies.
◗ Have to rely on patches, hotfixes, and service packs because they lack a holistic EC security approach.

A patch is a program that makes needed changes to software that is already installed on a computer. Software companies issue patches to fix bugs in their programs, to address security problems, or to add functionality. A hotfix is Microsoft’s name for a patch. Microsoft bundles hotfixes into service packs for easier installation. Service packs are the means by which product updates are distributed. Service packs may contain updates for system reliability, program compatibility, security, and more. For more information about what particular Microsoft service packs contain and how to obtain them, visit support.microsoft.com/sp. Other companies have adopted Microsoft’s nomenclature of hotfixes and service packs for updates to their own software.

If a life-cycle approach is not used to maintain an EC security program, an organization is doomed to treating security as a project. Projects have a starting date and an ending date, at which time the resources and project team are reallocated to other projects. A project approach results in a lot of repetitive work that costs much more than a life-cycle approach, with diminishing results.


ONLINE FILE W9.5 Application Case

THE EYES HAVE IT

With increasing concerns about terrorism, air safety, and fraud, the United Kingdom has begun testing biometric identification and authentication for both security and commercial purposes. In one pilot project, British Airways and Virgin Atlantic tested an iris-scanning system from EyeTicket Corporation at Heathrow Airport in London, JFK Airport in New York City, and Dulles Airport outside Washington, DC. The six-month pilot, which occurred in 2002, was arranged by the U.K.’s Simplifying Passenger Travel Project (SPT) of the International Air Transport Association (IATA). The major goal of the project was to determine whether iris scanning could be used with passports to speed the authentication process for international travelers entering the United Kingdom.

The two airlines chose participants from among their frequent flyer programs, focusing on passengers who made frequent trips between the United States and the United Kingdom. Potential participants registered for the program via e-mail. The U.K. Immigration Service interviewed them to ensure that there were no security issues. Approximately 900 people registered for the program.

The actual tests involved iris-scanning enrollment stations at Heathrow, JFK, and Dulles, as well as video cameras and a recognition station located at Heathrow. Passengers who participated in the program enrolled only once. This was done at the enrollment stations by taking a close-up digital image of the passenger’s iris. The image was then stored as a template in a computer file. When a passenger landed at Heathrow, the passenger’s iris was scanned at the recognition station and compared to the stored template. If a match occurred, the passenger passed through immigration. On average, the scan and match took about 12 seconds. If the match failed, the passenger had to move to the regular immigration line. The failure rate was only 7 percent. Watery eyes and long eyelashes were some of the major sources of failure.

According to the IATA’s SPT regional group in charge of the project, the initial findings of the pilot project were encouraging. Not only did the biometric system simplify and speed the arrival process, but the system also successfully verified passengers, maintained border integrity, and was well received by the participants.

Despite the success of the pilot project, there are barriers to using the system for larger populations of passengers. One of the major barriers is the initial registration. According to the Immigration Service, the most difficult and time-consuming aspect of the pilot program was working through the processes and procedures for registration and risk assessment. As noted, the pilot only involved around 900 passengers. It would be much more difficult to register thousands or millions of passengers. Likewise, it would be a much slower process to compare a scanned iris against thousands or millions of iris templates.

Another barrier to wider deployment is the lack of technical and procedural standards. On the technical front, there are no standards for iris scanning. The EyeTicket system is based on an iris-scanning algorithm originally created by Jeffrey Daugman, a professor at Cambridge University. Other iris enrollment and scanning devices use other algorithms. This makes it difficult to share templates across systems and across borders. There is also a need for standard procedures. Without common enrollment, authentication, and identification procedures, there is little basis for trust among different government agencies or different governments.

Even with standards, the prospects for using iris scanning or any other biometrics at airports for identification are poor. In 2003, face-recognition systems at Boston’s Logan Airport failed to recognize volunteers posing as terrorists 96 times during a three-month period and incorrectly identified the innocent an equal number of times. Similar results were obtained in an earlier trial at Palm Beach International Airport, with more than 50 percent of those who should have been identified going undetected and two to three innocent passengers being flagged every hour. Such results in a larger population would bring airport security to its knees.

W9.8 Part 4: Other EC Models and Applications

According to the TSSI Biometrics in Britain Study 2006, undertaken by TSSI Systems, Britain’s document and identity security specialists, the U.K. public is now overwhelmingly in favor of wider biometrics use. Seventy-six percent are more in favor of biometrics than they were in 2005. The striking opinion change comes after a year in which the United Kingdom has thwarted an airline terrorist plot and 15 months after the London transport bombings of July 2005. Personal safety was identified as the biggest driver for the change: three-quarters of people believed it was important for combating terrorism. However, there is widespread public confusion about what biometrics mean in practice, with the majority of people confused about the terminology. In addition, concerns about civil liberties were highlighted by almost a third of the respondents. The TSSI Biometrics in Britain Study 2006 management report with full details of the findings, issues raised, and recommendations can be requested from TSSI at tssi.co.uk/en/press/pdfs/Biometric_Britain_Report_FINAL.pdf.

Questions

1. What were the major components in the EyeTicket iris-scanning system?

2. What are some of the difficulties in using iris scanning to verify passengers for passport control?

3. Is it reasonable to use iris scanning or any other biometrics to identify terrorists at airports?

REFERENCES FOR ONLINE FILE W9.5

Emigh, J. “The Eyes Have It.” Security Solutions, March 1, 2003. securitysolutions.com/mag/security_eyes (accessed November 2009).

TSSI. “TSSI Biometrics in Britain Study 2006.” tssi.co.uk/en/press/pdfs/Biometric_Britain_Report_FINAL.pdf (accessed November 2009).

Venes, R. “A Closer Look at Biometrics.” BusinessGreen.com, June 24, 2004. businessgreen.com/computeractive/features/2014022/closer-look-biometrics (accessed November 2009).

Online File W9.6 Basic Security Design Concepts


Six major design concepts direct the security of internal information flows. They are:

◗ Defense in depth. Relying on a single technology to defend against attacks is likely to fail. Layers of security technologies must be applied at key points in a network (see Online Exhibit W9.6.1). This is probably the most important concept in designing a secure system.

◗ Incident response team (IRT). Regardless of the organization’s size, its networks will be attacked. For this reason, organizations need to have a leader and possibly a team in place that can respond to these attacks. The team needs to have well-established plans, processes, and resources and should practice responses when the pressure is off rather than acting only (and learning) during a crisis.

◗ Need-to-access basis. Access to a network ought to be based on the policy of least privilege (POLP). By default,access to network resources should be blocked and permitted only when needed to conduct business.

◗ Role-specific security. As noted in Section 9.7, access to a particular network’s resources should be based on a user’s role within an organization.

◗ Monitoring. Real-time monitoring is essential because of zero-day exploits and emerging hacker threats.

◗ Patch management. Vendors (such as Microsoft) are continually patching or upgrading their software, applications, and systems to plug security holes. The only way to take advantage of these fixes is to install the patches or upgrades. Newer versions of software (e.g., operating systems such as Windows Vista) have automatic update functionality built in. This makes it easier for organizations and individuals to track fixes.
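The need-to-access and role-specific concepts above come down to one decision routine: deny by default and grant only what a role explicitly needs. The following is an added example written for this page, not code from the textbook; the roles, resources and inheritance map are hypothetical.

```python
# Added example (not from the textbook): a default-deny, role-based access
# check combining the "need-to-access" and "role-specific security" concepts.
# Roles, resources and the inheritance map below are hypothetical.

# Each role maps to the (resource, action) pairs it is explicitly granted.
# Anything not listed here is denied: that is the least-privilege default.
POLICY = {
    "clerk":   {("invoices", "read"), ("invoices", "create")},
    "manager": {("invoices", "approve"), ("reports", "read")},
    "auditor": {("invoices", "read"), ("reports", "read"), ("audit_log", "read")},
}

# Role hierarchy: a manager also holds everything a clerk holds.
ROLE_INHERITS = {"manager": {"clerk"}}


def effective_roles(roles):
    """Expand a user's roles through the inheritance map (transitively)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INHERITS.get(role, ()))
    return seen


def is_allowed(roles, resource, action):
    """True only if some effective role explicitly grants (resource, action).

    Unknown roles, unknown resources and unlisted actions all evaluate to
    False, so a gap in the policy fails closed rather than open.
    """
    wanted = (resource, action)
    return any(wanted in POLICY.get(role, ()) for role in effective_roles(roles))


def audit_line(user, roles, resource, action):
    """Build the log line a monitoring pipeline would record for the decision."""
    verdict = "ALLOW" if is_allowed(roles, resource, action) else "DENY"
    return f"{verdict} user={user} roles={','.join(sorted(roles))} {action}:{resource}"


if __name__ == "__main__":
    print(audit_line("alice", {"clerk"}, "invoices", "approve"))     # DENY
    print(audit_line("bob", {"manager"}, "invoices", "create"))      # ALLOW, via clerk
    print(audit_line("carol", {"auditor"}, "invoices", "approve"))   # DENY
    print(audit_line("dave", {"contractor"}, "reports", "read"))     # DENY, unknown role
```

The important property is the shape of `is_allowed`: there is no "allow" branch for an unrecognized role or resource, so a new system that nobody has written policy for is unreachable until someone grants access on purpose.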



EXHIBIT W9.6.1 Layered Security (figure: Internet, Router, LAN Switch, Firewall, Servers, Users; implement security at every layer)

Online File W9.7 What Firewalls Can Protect

◗ Remote log-in. When someone connects from the outside to your PC and gains control of it. Examples: being able to view or access your files; running programs on your PC.

◗ Application backdoors. Some programs have special features that allow for remote access. Others contain bugs thatprovide a backdoor, or hidden access, which provides some level of control of the program.

◗ Spam. Spam is the electronic equivalent of junk mail. Spam can be dangerous. Often it contains links to dangerous Web sites.





ONLINE FILE W9.8 Application Case

HONEYNETS AND THE LAW

Millions of networks and computers are on the Internet. Given this, what is the chance that an outside intruder will victimize a small collection of computers connected to the Internet? In the first phase of the Honeynet Project, which ran from 1999 to 2001, the honeynet consisted of eight honeypots that mimicked a typical home computer setup. Within 15 minutes of being connected to the Internet, one of the honeypots was hit. Over the course of the next few days, all the honeypots were compromised, and over the course of the next two years, they were attacked repeatedly.

During the first phase, many of the attacks were crude and fairly innocuous. Today, the character of both the intrusions and the intruders has changed. The proportion of hackers involved in illegal activities of all sorts has risen dramatically. If a company deploys a honeynet, there is a good chance that it will be the scene of a cybercrime or contain evidence of a crime. Some intruders may be focused solely on attacking the honeynet itself. Others may want to use it as a zombie for launching attacks, as a place to store stolen credit cards, or as a server to distribute pirated software or child pornography. Regardless, companies need to understand the types of crimes that may occur and the legal issues that may ensue if they choose to either report or ignore these crimes. Just because the activities on a honeynet are perpetrated by intruders, it does not mean


Online File W9.7 (continued)

◗ SMTP session hijacking. SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send spam to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host (an open relay), making the actual sender of the spam difficult to trace.

◗ Macros. To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers create their own macros that, depending on the application, can destroy your data or crash your PC.

◗ Viruses. Range from harmless messages to erasing all your data.

Packet Filtering

Some firewalls filter data and requests from the Internet to a private network based on the network IP addresses of the computer sending or receiving the request. These firewalls are called packet-filtering routers. Packet filters are rules that can accept or reject incoming packets based on source and destination addresses and other identifying information. Some simple examples of packet filters include the following:

◗ Block all packets sent from a given Internet address. Companies sometimes use this to block requests from computers owned by competitors.

◗ Block any packet coming from the outside that has the address of a computer on the inside (source-address spoofing). Companies use this type of rule to block requests where an intruder is using his or her computer to impersonate a computer that belongs to the company.

However, packet filters have their disadvantages. In setting up the rules, an administrator might miss some important rules or incorrectly specify a rule, thus leaving a hole in the firewall. Additionally, because the content of a packet is irrelevant to a packet filter, once a packet is let through the firewall, the inside network is open to data-driven attacks. That is, the data may contain hidden instructions that cause the receiving computer to modify access control or security-related files.

Packet-filtering routers often are the first layer of network defense. Other firewalls form the second layer.
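The two rule types above, and the caveat that a packet filter never looks at payload, can be shown with a small stateless filter. This is an added example written for this page, not code from the textbook; the rule set, the internal range (192.0.2.0/24, a documentation prefix) and the sample packets are constructed.

```python
# Added example (not from the textbook): a stateless packet filter that
# implements the two rule types described above, plus the "data-driven
# attack" caveat. Addresses are from the documentation ranges (RFC 5737)
# and the rule set is hypothetical.
import ipaddress
from dataclasses import dataclass
from typing import Callable

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")       # the company's internal range
WEB_SERVER = "192.0.2.10"                               # public web server inside
COMPETITOR = ipaddress.ip_address("198.51.100.7")       # address the company blocks outright


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str          # "in" = arriving from the Internet, "out" = leaving
    payload: bytes = b""    # never examined by a packet filter


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str             # "accept" or "drop"


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE_NET


RULES = [
    # Anti-spoofing: a packet from the outside can never carry an inside source.
    Rule("anti-spoof", lambda p: p.direction == "in" and is_inside(p.src), "drop"),
    # Block every packet from one specific Internet address.
    Rule("block-competitor", lambda p: ipaddress.ip_address(p.src) == COMPETITOR, "drop"),
    # Allow the public web server to be reached on its web ports only.
    Rule("allow-web", lambda p: p.direction == "in" and p.dst == WEB_SERVER
         and p.dport in (80, 443), "accept"),
    # Let inside hosts initiate anything outbound.
    Rule("allow-out", lambda p: p.direction == "out" and is_inside(p.src), "accept"),
]


def filter_packet(pkt: Packet, rules=RULES):
    """First matching rule wins; with no match the packet is dropped (default deny)."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return "drop", "default"


# Constructed sample traffic.
SAMPLES = {
    "spoofed":     Packet("192.0.2.5", WEB_SERVER, 80, "in"),
    "competitor":  Packet("198.51.100.7", WEB_SERVER, 443, "in"),
    "web":         Packet("203.0.113.9", WEB_SERVER, 443, "in", b"GET /index.html HTTP/1.1\r\n"),
    # Same source and port as "web", but the request carries an attack string.
    # The filter accepts it: it only looks at addresses, ports and direction.
    "data-driven": Packet("203.0.113.9", WEB_SERVER, 80, "in",
                          b"GET /search?q=%27%20OR%201%3D1-- HTTP/1.1\r\n"),
    "smtp-probe":  Packet("203.0.113.9", WEB_SERVER, 25, "in"),
    "outbound":    Packet("192.0.2.44", "203.0.113.9", 443, "out"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {filter_packet(pkt)}")
```

The "data-driven" packet is the point of the caveat: it is byte-for-byte as acceptable to the filter as the genuine request, which is why an application-aware layer (a proxy or an application firewall) has to sit behind the packet filter.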



ONLINE FILE W9.8 (continued)

that the operator has unlimited rights to monitor the users of the network.

Although many crimes can be perpetrated against or with a honeynet, the most frequent and obvious crime is network intrusion. The Computer Fraud and Abuse Act (CFAA) is a federal law first passed by the U.S. Congress in 1984 and substantially amended in 1986, intended to reduce “hacking” of computer systems. It was amended again in 1994 and 1996, and in 2001 by the USA PATRIOT Act. The CFAA makes it a crime to attack “protected computers,” including computers “used in interstate or foreign commerce or communication.” If a computer is on the Internet, it is used in interstate communication. The CFAA protects all government computers and those used by banks and financial institutions. This means that the CFAA is going to protect most honeynets.

The act also defines the types of attacks that constitute a crime. It is a felony if an attacker “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” Damage occurs when there is “any impairment to the integrity or availability of data, a program, a system or information.” The limitations are that in order for an attack to be a felony, one or more of the following must result: aggregate damage of at least $5,000; modification or impairment to the medical examination, diagnosis, treatment, or care of one or more individuals; physical injury to a person; a threat to public health or safety; or damage to a government computer used for the administration of justice, national defense, or national security. Under these provisions, the act covers a wide range of activities, including:

◗ DoS attacks, viruses, and worms

◗ Simple intrusions in which the attacker causes damage

◗ Unauthorized information gathering, especially if the information is used for commercial advantage, financial gain, in furtherance of another crime, or the information is worth more than $5,000

◗ Unauthorized access to nonpublic U.S. government computers

◗ Using computers to obtain classified information without authorization

◗ Computer-related espionage, which may also constitute terrorism

◗ Trafficking in passwords

◗ Threatening to damage a computer

◗ Attempting to commit a network crime, even though the crime was never consummated

In running a honeynet, a company needs to be careful to ensure that it is not facilitating or helping further a crime. Precautions and actions must be taken to prevent potential or actual criminal activity from harming others; to inform authorities when criminal activities or evidence comes to light; and to ensure that the data, code, programs, and systems running on the honeynet are legal (e.g., do not store contraband on the system in an effort to trap an intruder).

The primary purpose of a commercial honeynet is to monitor and analyze intrusion and attacks. Under certain circumstances, the monitoring of these activities may constitute a criminal or civil action. In the United States, the federal Wiretap Act and the Pen Register, Trap, and Trace Devices statute place legal limits on monitoring activity. The Wiretap Act makes it illegal to intercept the contents of a communication. If intruders cannot store (either directly or indirectly) data or information on a honeynet, then the act does not apply. If they can, then there are exceptions to the rule. For instance, if the monitoring is done to prevent abuse or damage to the system, then monitoring it is not illegal. The implication is that certain honeynet purposes and configurations are illegal and others are not.

In contrast to the Wiretap Act, the federal Pen Register, Trap, and Trace Devices statute applies to the “noncontent” aspects of a communication. For example, with telephones, telephone numbers are “noncontent.” Similarly, in a network communication, network addresses are “noncontent.” This statute makes it illegal to capture the noncontent information of a communication unless certain exceptions apply. The exceptions pertain primarily to actions that are taken by the communication provider (in this case the honeynet operator) to protect its rights or property. Again, certain honeynet purposes and configurations are legal and others are not.

When a company monitors the network activities of insiders and outsiders, a number of legal issues arise. Because monitoring is one of the primary activities of a honeynet, a company should consult legal counsel before deploying a honeynet and should become familiar with local law enforcement agencies that should be involved if illegal activities are observed.

Questions

1. What constitutes a crime under the CFAA?

2. What types of activities are prohibited by the CFAA?

3. What types of activities are illegal under the federal Wiretap Act? The Pen Register, Trap, and Trace Devices statute?



REFERENCES FOR ONLINE FILE W9.8

Honeynet Project. Know Your Enemy: Learning About Security Threats, 2nd ed. Boston, MA: Addison-Wesley, 2004.

honeynet.org (accessed July 2010).

Legal Information Institute of the Cornell Law School. “Fraud and Related Activity in Connection with Computers.” law.cornell.edu/uscode/18/1030.html (accessed November 2009).

Online File W9.9 Protecting Against Spam and Splogs

Filtering achieves more immediate results. Bloggers plagued by comment spam can get help from SplogSpot (splogspot.com), which collects information on such content to help network administrators filter it out.

Evidence shows that unethical and illegal business tactics that exploit or mimic e-commerce operations will not stop. To defend themselves, Google (google.com/top/computers/internet/e-mail/spam) and Yahoo! (help.yahoo.com/l/us/yahoo/search/spam_abuse.html) have turned to aggressive measures. For example, they have implemented spam site reporting systems, built algorithms that check for and penalize deceptive rank-boosting practices, and banned violators’ sites outright. In 2006, Google temporarily banned BMW’s and Ricoh’s German Web sites from its search index for using JavaScript redirects, or doorway pages that showed visitors different content from what had been presented to the search engine.

Google has warned that it is expanding its efforts to clamp down on unethical tricks and tactics. As abuses become known or intolerable, additional laws will be passed with varying degrees of effectiveness.

Protection Against Splogs

Blog owners can also use a Captcha tool (Completely Automated Public Turing test to tell Computers and Humans Apart), which uses a verification test on comment pages to stop scripts from posting automatically. These tests may require the person to enter sequences of random characters that automated scripts are not supposed to be able to read.

Another potentially effective measure against blog spam and other undesirable content is to only allow comments posted on the blog to be made public after they have been checked. But like the fight against e-mail spam, it is a constant battle in which the spammers seem to have the advantage. Sometimes the only solution to comment spam is for users to turn off their comments function. For more information, see the CAUCE Web site (cauce.org). Online File W9.9.1 shows an example of how companies fight spamming.

Captcha tool: Completely Automated Public Turing test to tell Computers and Humans Apart, which uses a verification test on comment pages to stop scripts from posting automatically.

Note that even with tools such as Captcha turned on, it is risky to simply allow comments to go unchecked. Blog owners may be held responsible for anything illegal or defamatory posted on their blogs.

ONLINE FILE W9.9.1 Application Case

HOW COMPANIES FIGHT SPAMMING

The following are case studies of four companies that are successfully fighting spam.

Pier 1 Imports

Employees of the Pier 1 chain (1,100 stores) were spending too much time clearing huge amounts of spam from their e-mail boxes on a daily basis. The entire e-mail system became more trouble than help when spam accounted for 80 percent of all e-mails. Employee productivity suffered drastically. At first, Pier 1 used a keyword filter to block messages containing words the company deemed inappropriate. This system failed; IT blocked legitimate messages with words that had dual meanings. Also, spammers became more innovative, using creative misspellings to evade the filter.

Pier 1 found a suitable solution, MailFrontier Enterprise Gateway, which works well with Microsoft’s e-mail software. MailFrontier is placed in front of Microsoft Exchange in order to inspect all incoming e-mail. It then accepts good e-mail and rejects spam. The software uses 17 predictive techniques to filter spam, stopping 98 percent of all spam at Pier 1. Pier 1 is collaborating with MailFrontier to add antivirus and antifraud capabilities. For further details, see Korolishin (2004).

Charter Communications

Charter Communications, the fourth-largest U.S. television and Internet cable company, provides e-mail accounts to over 2.3 million users and handles 200 million messages a day. The company suffered from spammers who abused Charter’s network infrastructure. Spam comprised well over 50 percent of inbound e-mail. It also created a nuisance for customers. Charter needed to minimize the spam (as well as viruses) reaching customers’ inboxes. Initially, Charter used open source filters, which were not very effective.

Today, Charter is using two tools from IronPort. The IronPort C60 e-mail security appliance allows Charter to divide e-mail senders into categories (e.g., by IP address, domain name, or sender reputation). For each sender, the tool provides specific thresholds for the acceptance or rejection of e-mail messages. The second tool, Reputation Filtering, complements the first. It allows e-mail administrators to sort e-mail senders based on the importance of the mail they send. Poor-quality messages are rejected.

The Catholic Diocese of Richmond

Managers of the information system at the Catholic Diocese of Richmond, Virginia, needed to stop the flow of spam to about 200 employees at three locations. The organization now is using Power Tools from Nemx (Canada). The tool achieves quality spam blocking by using a combination of modules, including Content Manager, Concept Manager, and Spam Manager. For details, see Piazza (2004).

First Banking Services of Florida

First Banking Services’ 250 employees use desktops to provide core data processing services to banks in the southeastern United States. The company is connected with many business partners, and its e-mail messages have different characteristics; many have large attachments. Spam was becoming a major problem. After careful evaluation, the company selected a spam-fighting solution called Mail Warden Pro (from Waterford Technologies, Ireland).

Mail Warden Pro allows users to set rules that distinguish spam from nonspam in a very flexible manner. The software also provides generic rules that have been found to be excellent in stopping spam and protecting against attachments with viruses. The volume of spam has been reduced from 65 percent of all e-mails to less than 5 percent. For details, see Piazza (2004).
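The Pier 1 failure modes (dual-meaning words, creative misspellings) and the sender-based thresholds of the Charter and First Banking cases can be put side by side in code. The following is an added example written for this page, not the vendors’ products or the textbook’s code; the patterns, weights, reputation table and the three sample messages are all constructed.

```python
# Added example (not from the textbook): the keyword blocklist Pier 1 started
# with, beside a scoring filter that normalizes obfuscation, weights several
# content signals and folds in a per-sender reputation score of the kind the
# IronPort and Mail Warden Pro cases describe. Weights, patterns, the
# reputation table and the sample messages are all constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mail:
    sender_ip: str
    subject: str
    body: str

    @property
    def text(self) -> str:
        return self.subject + "\n" + self.body


# --- Approach 1: word blocklist (fails on dual-meaning words and misspellings)
BLOCK_WORDS = {"viagra", "winner", "free"}


def keyword_filter(mail: Mail) -> bool:
    words = set(re.findall(r"[a-z]+", mail.text.lower()))
    return bool(words & BLOCK_WORDS)


# --- Approach 2: normalize, score several signals, add sender reputation
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
SPACED = re.compile(r"(?<![a-z])[a-z](?:[.\-_*][a-z]){2,}(?![a-z])")   # v.i.a.g.r.a


def normalize(text: str) -> str:
    """Undo case, digit/symbol substitutions and punctuation-spaced letters."""
    text = text.lower().translate(LEET)
    return SPACED.sub(lambda m: re.sub(r"[.\-_*]", "", m.group()), text)


# (pattern, weight, label, run on normalized text?)  Raw text is used for the
# URL check because LEET would rewrite the digits of an IP address.
SIGNALS = [
    (re.compile(r"\b(buy|cheap|order)\b.{0,30}\bviagra\b"), 3.0, "drug pitch", True),
    (re.compile(r"\byou (have|are)( a)? winner\b"), 2.0, "prize pitch", True),
    (re.compile(r"\bfree\b.{0,20}\b(money|prize|offer|gift)\b"), 1.5, "free lure", True),
    (re.compile(r"\b(click here|act now)\b"), 1.0, "urgency", True),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), 1.5, "raw-IP link", False),
]

# Sender reputation: negative = trusted partner relay, positive = known spam source.
REPUTATION = {"198.51.100.23": -3.0, "203.0.113.77": 2.5}
THRESHOLD = 3.0


def score(mail: Mail):
    """Return (total, [(label, weight), ...]) so an admin can see why a mail scored."""
    raw, norm = mail.text.lower(), normalize(mail.text)
    hits = []
    for pattern, weight, label, use_norm in SIGNALS:
        if pattern.search(norm if use_norm else raw):
            hits.append((label, weight))
    if raw.count("!") >= 3:
        hits.append(("shouting", 0.5))
    rep = REPUTATION.get(mail.sender_ip, 0.0)
    if rep:
        hits.append(("sender reputation", rep))
    return sum(w for _, w in hits), hits


def is_spam(mail: Mail) -> bool:
    return score(mail)[0] >= THRESHOLD


SAMPLES = {
    "partner":    Mail("198.51.100.23", "Re: invoice 4471",
                       "Feel free to call me if the attachment does not open."),
    "obfuscated": Mail("192.0.2.200", "Buy V1AGRA now!!!",
                       "Cheap v.i.a.g.r.a, act now: http://203.0.113.5/x"),
    "known-bad":  Mail("203.0.113.77", "Congratulations",
                       "You are a winner! Claim your free prize today."),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(f"{name:11s} keyword={keyword_filter(mail)!s:5s} scored={is_spam(mail)!s:5s} {score(mail)}")
```

The "partner" message is the dual-meaning false positive (the word "free" in "feel free"), and "obfuscated" is the creative misspelling: the blocklist gets both wrong, the scoring filter gets both right, and the reputation entry is what lets a trusted partner's mail through even when its text looks marginal.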

Questions

1. The four companies use different blockers, each with a proprietary method. Why does each of the companies use a different product from a different vendor?

2. Regular spam stoppers from e-mail providers (e.g., Microsoft Exchange) were insufficient. However, such spam stoppers are getting better with time. Research the issues involved. Do you think that in the future the need for blockers such as those described here will wane?

3. In all cases, the companies felt that the investment in spam-fighting software was justifiable, but no formal ROI was done. Is this a reasonable approach? Why or why not?

4. What is the logic of combining antispam, antivirus, and antifraud software?

REFERENCES FOR ONLINE FILE W9.9

ironport.com (accessed July 2010).

Korolishin, J. “Taking a Bite Out of Spam: Pier 1 Imports Blocks Unwanted E-Mail with the Help of MailFrontier.” Stores, August 2004.

Piazza, P. “Had Your Fill of Spam?” Security Management, April 2004.



Online File W9.10 Consumer and Seller Protection for Online Fraud


An FBI report released in March 2009 revealed that the number of EC fraud complaints reached 275,285 in 2008 (a 35 percent increase from 2007), at a price tag of $265 million. Therefore, it is necessary to defend EC consumers.

Consumer (Buyer) Protection

Consumer protection is critical to the success of any commerce, especially electronic, where buyers do not see sellers. The FTC enforces consumer protection laws in the United States (see ftc.gov). The FTC provides a list of 10 scams that are most likely to arrive by bulk e-mail (see onguardonline.gov/topics/email-scams.aspx). In addition, the European Union and the United States are attempting to develop joint consumer protection policies. For details, see the Trans Atlantic Consumer Dialogue Web site at tacd.org.

Representative Tips and Sources for Your Protection

Protecting consumers is an important topic for government agencies, vendors, professional associations, and consumer protection organizations. They provide many tips on how to protect consumers online. A representative list follows.

◗ Users should make sure that they enter the real Web site of well-known companies, such as Walmart, Disney, and Amazon.com, by going directly to the site, rather than through a link, and should shop for reliable brand names at those sites.

◗ Check any unfamiliar site for an address and telephone and fax numbers. Call and quiz a salesperson about the seller.
◗ Check out the seller with the local chamber of commerce, Better Business Bureau (bbbonline.org), or TRUSTe.
◗ Investigate how secure the seller’s site is and how well it is organized.
◗ Examine the money-back guarantees, warranties, and service agreements before making a purchase.
◗ Compare prices online with those in regular stores—too-low prices may be too good to be true.
◗ Ask friends what they know. Find testimonials and endorsements.
◗ Find out what redress is available in case of a dispute.
◗ Consult the National Consumers League Fraud Center (fraud.org).
◗ Check the resources available at consumerworld.org.

In addition to these tips, consumers also have shoppers’ rights on the Internet. The following is a list of sources for consumers:

◗ The FTC (ftc.gov): Abusive e-mail should be forwarded to [email protected]; ftc.gov/bcp/menus/consumer/tech/online.shtm provides tips for online shopping and Internet auctions.

◗ National Consumers League Fraud Center (fraud.org).
◗ Federal Citizen Information Center (pueblo.gsa.gov).
◗ U.S. Department of Justice (usdoj.gov).
◗ The FBI’s Internet Crime Complaint Center (ic3.gov/default.aspx).
◗ The American Bar Association provides online shopping tips at safeshopping.org.
◗ The Better Business Bureau (bbbonline.org).
◗ The U.S. Food and Drug Administration for buying medicine and medical products online (fda.gov/ForConsumers/ProtectYourSelf/default.htm).
◗ The Direct Marketing Association (the-dma.org).

Disclaimer: This is general information on consumer rights. It is not legal advice on how any particular individualshould proceed. If you require specific legal advice, consult an attorney.



Third-Party Assurance Services

Several public organizations and private companies attempt to protect consumers. The following are just a few examples.

TRUSTe’s “Trustmark.” TRUSTe (truste.com) is a nonprofit group whose mission is to build users’ trust and confidence in the Internet by promoting the policies of disclosure and informed consent. TRUSTe certifies and monitors Web site privacy, e-mail policies, and practices, and resolves thousands of consumer privacy problems every year (TRUSTe 2009). Sellers who become members of TRUSTe can add value and increase consumer confidence in online transactions by displaying the TRUSTe Advertising Affiliate “Trustmark” (a seal of quality). This mark identifies sites that have agreed to comply with responsible information-gathering guidelines. In addition, the TRUSTe Web site provides its members with a “privacy policy wizard,” which helps companies create their own privacy policies. The site offers several types of seals such as privacy, children, e-health, safe harbor, wireless, e-mail services, and international services.

The TRUSTe program is voluntary. The licensing fee for use of the Trustmark ranges from $500 to $10,000, depending on the size of the online organization and the sensitivity of the information it is collecting. Many Web sites are certified as TRUSTe participants, including AT&T, CyberCash, Excite, IBM, Buena Vista Internet Group, CNET, Google, Infoseek, the New York Times, and Yahoo! However, there still seems to be a fear that signing with TRUSTe could expose firms to litigation from third parties if they fail to live up to the letter of the TRUSTe pact, and that fear is likely to deter some companies from signing up.

Better Business Bureau. The Better Business Bureau (BBB), a private nonprofit organization supported largely by membership, provides reports on businesses that consumers can review before making a purchase. The BBB responds to millions of inquiries each year. Its BBBOnLine program (bbbonline.com) is similar to TRUSTe’s Trustmark. The goal of the program is to promote confidence on the Internet through two different seals. Companies that meet the BBBOnLine standards for the Reliability Seal are members of the local BBB and have good truth-in-advertising and consumer service practices. Those that exhibit the BBBOnLine Privacy Seal on their Web sites have an online privacy protection policy and standards for handling consumers’ personal information. In addition, consumers are able to click on the BBBOnLine seals and instantly get a BBB report on the participating company.

WHICHonline. Supported by the European Union, WHICHonline (which.co.uk) gives consumers protection by ensuring that online traders under its Which? Web Trader Scheme abide by a code of proactive guidelines. These guidelines outline issues such as product information, advertising, ordering methods, prices, delivery of goods, consumer privacy, receipting, dispute resolution, and security.

Web Trust Seal and Others. The Web Trust seal program is similar to TRUSTe. The American Institute of Certified Public Accountants (aicpa.com) sponsors it. Another program, Gomez (gomez.com), monitors customer complaints and provides merchant certification.

Evaluation by Consumers. A large number of sites include product and vendor evaluations offered by consumers. For example, Deja.com, now part of Google, is home to many communities of interest whose members trade comments about products at groups.google.com. In addition, epubliceye.com allows consumers to give feedback on reliability, privacy, and customer satisfaction. It makes available a company profile that measures a number of elements, including payment options.

The Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA), which was passed in 1984 and amended several times, is an important milestone in EC legislation. Initially, the scope and intent of CFAA was to protect government computers and financial industry computers from criminal theft by outsiders. In 1986, the CFAA was amended to include stiffer penalties for violations, but it still only protected computers used by the federal government or financial institutions. Then, as the Internet expanded in scope, so did the CFAA. In 1994 and in 1996, there were significant revisions of CFAA that added a civil law component and civil charges to this criminal law. In 2001 it was amended by the USA PATRIOT Act (Chapter 11), which provides for counterterrorism activities.



Computer Fraud and Abuse Act (CFAA): Major computer crime law to protect government computers and other Internet-connected computers.



Seller Protection

The Internet makes fraud by customers or others easier because of user anonymity. Sellers must be protected against:

◗ Customers who deny that they placed an order
◗ Customers who download copyrighted software and/or knowledge and sell it to others
◗ Customers who give false payment (credit card or bad checks) information in payment for products and services provided
◗ Use of their name by others (e.g., imposter sellers)
◗ Use of their unique words and phrases, names, and slogans and their Web addresses by others (trademark protection)

Sellers also can be attacked illegally or unethically by competitors.

Example. Discount online retailer SmartBargains was using pop-up ads on its rival Overstock.com’s Web site. Overstock filed a lawsuit alleging violations of the state of Utah’s antispyware statute. In August 2008 the court ruled in favor of SmartBargains, holding that the insertion of unwanted competitive pop-up advertisements does not constitute unfair competition or tortious interference.

What Can Sellers Do?

The Web site cardcops.com provides a database of credit card numbers that have had chargeback orders recorded against them. Sellers who have access to the database can use this information to decide whether to proceed with a sale. In the future, the credit card industry is planning to use biometrics to deal with electronic shoplifting. Also, sellers can use PKI and digital certificates to help prevent fraud; the SET protocol, once promoted for exactly this purpose, never achieved wide adoption.

Other possible solutions include the following:

◗ Use intelligent software to identify questionable customers (or do this identification manually in small companies). One technique, for example, involves comparing credit card billing and requested shipping addresses.

◗ Identify warning signals—that is, red flags—for possible fraudulent transactions.

◗ Ask customers whose billing address is different from the shipping address to call their bank and have the alternate address added to their bank account. Retailers agree to ship the goods to the alternate address only if this is done.

For further discussion of what merchants can do to protect themselves from fraud, see OnGuard Online at onguardonline.gov/topics/email-scams.aspx.
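The checks above (chargeback history, billing/shipping comparison, the bank-verified alternate address, and red flags such as order value) combine naturally into one scoring routine. The following is an added example written for this page, not code from the textbook or from cardcops.com; the weights, thresholds, keyed-hash key and sample orders are constructed, and the card numbers are the standard test PANs.

```python
# Added example (not from the textbook): an order-screening routine built from
# the red flags listed above (chargeback history, bill-to/ship-to mismatch,
# the bank-verified alternate address, order value and card velocity). The
# weights, thresholds, key and sample orders are constructed; the card
# numbers are the usual test PANs.
import hmac
from dataclasses import dataclass, field

FINGERPRINT_KEY = b"hypothetical-key-kept-in-a-vault"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the PAN so the chargeback list never holds raw card numbers
    (an unkeyed hash would be brute-forceable: the PAN space is small)."""
    return hmac.new(FINGERPRINT_KEY, pan.replace(" ", "").encode(), "sha256").hexdigest()


@dataclass(frozen=True)
class Address:
    street: str
    city: str
    country: str


@dataclass(frozen=True)
class Order:
    order_id: str
    pan: str
    billing: Address
    shipping: Address
    ip_country: str     # country geolocated from the buyer's IP address
    total: float


@dataclass
class FraudScreen:
    chargeback_cards: set = field(default_factory=set)    # fingerprints with prior chargebacks
    bank_verified: set = field(default_factory=set)       # (fingerprint, shipping) pairs the bank confirmed
    seen_shipping: dict = field(default_factory=dict)     # fingerprint -> shipping addresses used so far

    def score(self, order: Order):
        """Return (total, flags); each flag names the red flag and its weight."""
        fp = card_fingerprint(order.pan)
        flags = []
        if fp in self.chargeback_cards:
            flags.append(("card has a prior chargeback", 5))
        if order.shipping != order.billing and (fp, order.shipping) not in self.bank_verified:
            flags.append(("ship-to differs from bill-to and bank has not confirmed it", 2))
        if order.ip_country != order.billing.country:
            flags.append(("order placed from outside the billing country", 2))
        if order.total >= 1000:
            flags.append(("high-value order", 1))
        earlier = self.seen_shipping.get(fp, set())
        if earlier and order.shipping not in earlier:
            flags.append(("card already used with a different ship-to", 1))
        return sum(w for _, w in flags), flags

    def decide(self, order: Order):
        """approve / review / decline, then remember the ship-to for velocity checks."""
        total, flags = self.score(order)
        verdict = "decline" if total >= 5 else "review" if total >= 3 else "approve"
        self.seen_shipping.setdefault(card_fingerprint(order.pan), set()).add(order.shipping)
        return verdict, flags


CARD_A, CARD_B = "4111 1111 1111 1111", "5555 5555 5555 4444"
HOME = Address("1 Main St", "Austin", "US")
GIFT = Address("9 Elm Rd", "Boston", "US")
ABROAD = Address("5 Rue Ferrand", "Lyon", "FR")


def run_demo():
    """Three constructed orders through one screen; returns the verdict at each step."""
    screen = FraudScreen(chargeback_cards={card_fingerprint(CARD_B)})
    first = screen.decide(Order("o1", CARD_A, HOME, HOME, "US", 120.0))[0]
    gift = Order("o2", CARD_A, HOME, GIFT, "US", 1500.0)
    before = screen.decide(gift)[0]                     # unverified alternate address
    screen.bank_verified.add((card_fingerprint(CARD_A), GIFT))
    after = screen.decide(gift)[0]                      # same order once the bank confirms it
    bad = screen.decide(Order("o3", CARD_B, HOME, ABROAD, "RU", 80.0))[0]
    return first, before, after, bad


if __name__ == "__main__":
    print(run_demo())   # ('approve', 'review', 'approve', 'decline')
```

The second and third verdicts are the "call your bank" rule in action: the same gift-address order goes to manual review until the bank has the alternate address on file, after which it is approved.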

Protecting Buyers and Sellers: Electronic and Digital Signatures

One method to help distinguish between legitimate and fraudulent transactions is electronic signatures. Electronic signature legislation is designed to accomplish two goals: (1) to remove barriers to e-commerce and (2) to enable and promote the desirable public policy goal of e-commerce by helping to build trust and predictability needed by parties doing business online.

A signature, whether electronic or on paper, is a symbol that signifies intent to be bound to the terms of the contract or transaction. Thus, the definition of “signed” in the Uniform Commercial Code includes “any symbol” so long as it is “executed or adopted by a party with present intention to authenticate a writing.”

Electronic signature is a generic term that refers to the various methods by which one can “sign” an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), many different technologies can create them. Examples of electronic signatures include a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature attached to an electronic document; a secret code or PIN to identify the sender to the recipient; a code or “handle” that the sender of a message uses to identify himself or herself; a unique biometrics-based identifier, such as a fingerprint or a retinal scan; and a digital signature created through the use of public key cryptography. Of these, only the public key digital signature lets a recipient detect any alteration of the signed record and ties the signature to a key that only the signer holds; the others identify the sender but do not protect the content. Digital signatures have generated the most business and technical usage, as well as legislative initiatives.
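A digital signature created with public key cryptography, the last item in the list above, can be shown end to end with the three operations every such scheme provides: key generation, signing, and verification. The following is an added example written for this page, not code from the textbook; it uses the Lamport one-time signature because it runs with nothing but SHA-256 from the standard library. Real EC deployments use RSA or ECDSA keys issued through a PKI, and the purchase-order message here is constructed.

```python
# Added example (not from the textbook): a public key digital signature built
# from nothing but SHA-256, the Lamport one-time signature. It shows the three
# operations every public key scheme provides (keygen, sign, verify) and how a
# one-character change in the signed record breaks verification. Real EC
# systems use RSA or ECDSA certificates issued through a PKI; this scheme is
# chosen because it runs with the standard library alone. Messages are constructed.
import hashlib
import os

DIGEST_BITS = 256                       # one secret pair per bit of the SHA-256 digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes.
    The public key can be published; nothing in it reveals the secrets."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def _bits(message: bytes):
    """Bits of the message digest, most significant first."""
    digest = int.from_bytes(H(message), "big")
    return [(digest >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, message: bytes):
    """For each digest bit reveal the matching secret. ONE-TIME: signing a second
    message with the same key reveals both secrets of every differing bit, and
    with them an attacker can forge signatures on further messages."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the published hash for that bit."""
    if len(signature) != DIGEST_BITS:
        return False
    return all(H(signature[i]) == pk[i][b] for i, b in enumerate(_bits(message)))


def run_demo():
    """Sign a purchase order, then check the genuine copy, a tampered copy,
    and the genuine copy against someone else's public key."""
    sk, pk = keygen()
    order = b"PO-20100813: 40 x part 7781 at USD 125.00 each, ship to warehouse B"
    sig = sign(sk, order)
    genuine = verify(pk, order, sig)
    tampered = verify(pk, order.replace(b"40 x", b"400 x"), sig)
    _, other_pk = keygen()
    wrong_key = verify(other_pk, order, sig)
    return genuine, tampered, wrong_key


if __name__ == "__main__":
    print(run_demo())   # (True, False, False)
```

The three results are exactly the guarantees a digital signature offers and the other electronic signature types do not: the record verifies as sent, a change to the quantity is detected, and the signature cannot be attributed to anyone but the holder of the private key.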

electronic signature: A generic, technology-neutral term that refers to the various methods by which one can “sign” an electronic record.

Authentication and Biometric Controls

In cyberspace, buyers and sellers do not see each other. Even when videoconferencing is used, the authenticity of the person on the other end must be verified unless the person has been dealt with before. However, if one can assure the identity of the person on the other end of the line, one can imagine improved and new EC applications. For example, students will be able to take exams online from any place without the need for proctors. Fraud among recipients of government entitlements and transfer payments will be reduced to a bare minimum. Buyers will be assured who the sellers are, and sellers will know who the buyers are, with a very high degree of confidence. Arrangements can be made so that only authorized people in companies can place (or receive) purchasing orders. Interviews for employment and other matching applications will be accurate because it will be almost impossible for imposters to represent other people. Overall, trust in online transactions and in EC in general will increase significantly.

The solution for such authentication is provided by information technologies known as biometric controls. Biometric controls provide access procedures that match every valid user with a unique user identifier (UID). They also provide an authentication method that verifies that users requesting access to the computer system are really who they claim to be. Authentication and biometric controls are valid for both consumer and merchant protection.

Questions

1. Describe consumer protection measures.

2. Describe assurance services.

3. What must a seller do to protect itself against fraud? How?

4. Describe types of electronic signatures.

5. Describe authentication and biometric controls.


Online File W9.11 Auditing Information Systems

An audit is an important part of any control system. Auditing can be viewed as an additional layer of control or safeguard. It is considered a deterrent to criminal actions, especially for insiders. Auditors attempt to answer questions such as these:

◗ Are there sufficient controls in the system?

◗ Which areas are not covered by controls?

◗ Which controls are not necessary?

◗ Are the controls implemented properly?

◗ Are the controls effective? That is, do they check the output of the system?

◗ Is there a clear separation of duties of employees?

◗ Are there procedures to ensure compliance with the controls?

◗ Are there procedures to ensure reporting and corrective actions in case of violations of controls?

audit: An important part of any control system. Auditing can be viewed as an additional layer of controls or safeguards. It is considered a deterrent to criminal actions, especially for insiders.
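Several of the auditor's questions above can be checked mechanically once the control inventory, duty assignments and violation log are available as data. The following is an added example, not the textbook's code: it answers four of those questions (areas without controls, controls covering nothing, separation of duties, and violations with no corrective action) against constructed sample data. Every asset, duty, user and log line is invented for illustration, as is the log format the regular expression parses.

```python
"""Audit checks for four of the questions above, run over constructed data.

Added example; not the textbook's code. Asset, duty, user and log names
are invented for illustration, as is the log line format."""
import re

# Constructed control inventory: which asset each control covers
CONTROLS = {
    "firewall-rules": {"web-server"},
    "db-encryption": {"customer-db"},
    "order-approval": {"order-system"},
    "legacy-modem-lockout": {"dial-in-bank"},   # protects nothing still in service
}
ASSETS = {"web-server", "customer-db", "order-system", "payment-gateway"}

# Duty pairs that one person must not hold at the same time (constructed)
CONFLICTING_DUTIES = [
    ("create-vendor", "approve-payment"),
    ("enter-order", "approve-refund"),
    ("develop-code", "deploy-to-production"),
]
USER_DUTIES = {
    "alice": {"create-vendor", "approve-payment"},
    "bob": {"enter-order"},
    "carol": {"develop-code", "deploy-to-production", "enter-order"},
    "dave": {"approve-refund"},
}

# Constructed control-violation log
LOG = """\
2010-08-01 09:12 VIOLATION id=101 user=carol rule=deploy-without-review
2010-08-01 10:40 CORRECTED id=101 by=audit-team
2010-08-02 14:03 VIOLATION id=102 user=alice rule=self-approved-payment
2010-08-03 08:15 VIOLATION id=103 user=bob rule=shipping-address-unverified
2010-08-03 11:00 CORRECTED id=103 by=ops
"""
LOG_RE = re.compile(r"^\S+ \S+ (VIOLATION|CORRECTED) id=(\d+)(?: user=(\S+))?")


def uncovered_assets(assets, controls):
    """'Which areas are not covered by controls?'"""
    covered = set().union(*controls.values())
    return sorted(assets - covered)


def unnecessary_controls(assets, controls):
    """'Which controls are not necessary?' -> controls covering no live asset."""
    return sorted(name for name, covers in controls.items() if not covers & assets)


def sod_violations(user_duties, conflicts):
    """'Is there a clear separation of duties?' -> (user, duty_a, duty_b) triples."""
    findings = []
    for user, duties in sorted(user_duties.items()):
        for a, b in conflicts:
            if a in duties and b in duties:
                findings.append((user, a, b))
    return findings


def unresolved_violations(log_lines):
    """'Are there procedures to ensure ... corrective actions?' ->
    (violation id, user) pairs reported but never marked CORRECTED."""
    open_ids, users = [], {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # ignore lines in other formats
        event, vid, user = m.groups()
        if event == "VIOLATION":
            open_ids.append(vid)
            users[vid] = user
        elif vid in open_ids:
            open_ids.remove(vid)
    return [(vid, users[vid]) for vid in open_ids]


def audit_report():
    """Collect all findings in one place for the audit write-up."""
    return {
        "uncovered_assets": uncovered_assets(ASSETS, CONTROLS),
        "unnecessary_controls": unnecessary_controls(ASSETS, CONTROLS),
        "sod_violations": sod_violations(USER_DUTIES, CONFLICTING_DUTIES),
        "unresolved_violations": unresolved_violations(LOG.splitlines()),
    }


if __name__ == "__main__":
    for finding, items in audit_report().items():
        print(f"{finding}: {items}")
```

On the sample data the report flags the payment gateway as having no control, the modem lockout as covering nothing, two users holding conflicting duties, and one violation that was reported but never corrected. The remaining questions in the list (whether controls are implemented properly and are effective) need judgement and testing rather than a lookup, which is why an audit is a layer of control in its own right rather than a script.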


Auditing a Web site is a good preventive measure to manage legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection). Auditing EC is also more complex since in addition to the Web site one needs to audit order taking, order fulfillment, and all support systems.

Auditing involves checking the disaster plan as well (see en.wikipedia.org/wiki/Disaster_recovery_and_business_continuity_auditing).


ONLINE FILE W9.12 Application Case

IMPACTS OF CHOICEPOINT’S NEGLIGENCE IN INFORMATION SECURITY

ChoicePoint is a leading data broker with access to 19 billion public records and information on more than 220 million individuals. The company collects personal information, including names, Social Security numbers, birth dates, employment information, and credit histories, which it then sells to over 50,000 businesses and government agencies. They rely on ChoicePoint’s data for customer leads, background checks, or other verification purposes.

The Problem

On February 15, 2005, ChoicePoint reported that the personal and financial information of 145,000 individuals had been “compromised,” putting them at risk of identity theft. The compromise was not due to hackers or malicious spyware. ChoicePoint had sold the information to Olatunji Oluwatosin, a 41-year-old Nigerian national living in California, who had pretended to represent several legitimate businesses—a technique that is called pretexting. Oluwatosin’s credentials had not been verified, which enabled him to set up bogus business accounts that gave him access to databases containing personal financial data. For their negligence and violation of their privacy policy, ChoicePoint faced state and federal penalties.

At the state level, ChoicePoint was compelled to disclose what had happened. California’s privacy breach notification law, Senate Bill 1386 (SB 1386), which went into effect in July 2003, required ChoicePoint to inform residents that their personal information had been compromised. Within days, outraged attorneys general in 38 other states demanded that the company notify every affected U.S. citizen.

At the federal level, ChoicePoint was charged with multiple counts of negligence for failing to follow reasonable information security practices. Beginning in 2001, the company had been receiving subpoenas from law enforcement authorities alerting them to fraudulent activity. Despite these warnings, management did not tighten customer approval procedures to safeguard access to confidential data. The Federal Trade Commission (FTC) charged ChoicePoint with violating the:

◗ Fair Credit Reporting Act (FCRA) by furnishing credit reports to subscribers who did not have a permissible purpose to obtain them; and by not maintaining reasonable procedures to verify their subscribers’ identities and intended use of the information.

◗ FTC Act by making false and misleading statements about its privacy policies on its Web site.

Section 5 of the FTC Act prohibits unfair or deceptive practices, which gives the FTC authority to take action against companies whose lax security practices could expose the personal financial information of customers to theft or loss. For a full explanation of the Act, see ftc.gov/privacy/privacyinitiatives/promises.html.

On March 4, 2005, ChoicePoint filed a report with the SEC warning shareholders of an expected $20 million decline in income by December 31, 2005, and a $2 million increase in expenses from the incident. In addition, there would also be FTC fines. In January 2006, the FTC announced that ChoicePoint had agreed to pay a $10 million fine, the agency’s largest-ever civil penalty, plus $5 million to compensate customers for losses stemming from the data breach. Legal expenses of $800,000 were incurred in the first quarter of 2006 alone related to the fraudulent data access. With the announcement of the impending $15 million settlement, ChoicePoint’s stock price plunged.


The Solution

As part of the settlement, the FTC mandated the solutions to ChoicePoint’s risk exposure. The company implemented new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, established and maintains a comprehensive information security program, and obtains audits by an independent third-party security professional every other year until 2026. To reassure stakeholders and legitimate customers, ChoicePoint hired a chief privacy officer (CPO).

The Results

ChoicePoint’s data breach brought businesses’ security policies to national attention. Together with high-profile frauds and malware, data breaches have triggered increased corporate governance and accountability.

Questions

1. Why do you think that ChoicePoint did not verify all potential customers thoroughly before allowing them to open accounts?

2. What legal charges and fines were imposed on ChoicePoint for its negligence and violation of privacy policy?

3. What did ChoicePoint do to reassure stakeholders and customers?
