Chapter 04 e Commerce Security and Payment Systems PDF

Title Chapter 04 e Commerce Security and Payment Systems
Author USER COMPANY
Course E-Commerce
Institution Harvard University
Pages 81
File Size 2.5 MB
File Type PDF

Summary

eCommerce Security and Payment Systems...


Description

CHAPTER 4

E-commerce Security and Payment Systems

LEARNING OBJECTIVES

After reading this chapter, you will be able to:

■ Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
■ Identify the key security threats in the e-commerce environment.
■ Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
■ Appreciate the importance of policies, procedures, and laws in creating security.
■ Identify the major e-commerce payment systems in use today.
■ Describe the features and functionality of electronic billing presentment and payment systems.

Europol Takes on Cybercrime with EC3

From the earliest of days, humans have warred against and stolen from each other, with the tools evolving over time from sticks and stones, to arrows and spears, to guns and bombs. Physical weaponry is familiar and readily recognizable. But today, algorithms and computer code have moved to the forefront. Cyberspace has become a new battlefield, one that often involves targets such as financial systems and communications networks. In 2013, the European Cybercrime Center (EC3) was created at Europol, the European law enforcement agency in The Hague, to combat the rise of cybercrime and cyberattacks throughout Europe and the rest of the world. More than half of the EU’s population is now online, meaning that an organization like the EC3 is needed in Europe now more than ever before. A major challenge in fighting cybercrime is to even concretely define it and measure the amount of cybercrime taking place. Estimates of how much cybercrime costs companies and individuals vary widely, but a 2015 study by the Center for Strategic and International Studies estimates that the economic impact of cybercrime and cyberespionage worldwide is in a range between €345 billion and €530 billion, and that both the cost and frequency of attacks are on the rise. Cybercrime is a global problem, and countries have attempted many different strategies to fight it. However, sharing information about cybercrime is critical for success in apprehending cybercriminals, making Europol the ideal vehicle to combat multi-national criminal operations. The EC3 will help to standardize approaches to better counteract European cybercrime, and will help set guidelines regarding what incidents constitute cybercrime.

EC3 began operations out of The Hague on January 1, 2013, with a focus on three areas of cybercrime: crime committed by organized groups or rings, crime that causes harm to a victim, like child pornography, and cyberattacks on European Union infrastructure, such as government Web sites, databases, and storage centers. In the wake of the terrorist attacks in Paris, France, EC3 received a boost in financial backing and powers, including the ability to coordinate police units to counter emerging threats and the capacity to directly force sites like Facebook and Twitter to remove Web pages containing terrorist communications. EC3 has also joined forces with private security firms, such as FireEye in 2015, forming agreements to share knowledge and expertise on cybercrime prevention techniques. EC3 started with 43 anti-cybercrime experts, but has increased its size to more than 70 people, and is guided by a 12-member advisory board on Internet security featuring some of the foremost experts from a variety of different fields. The EC3 describes its operations as having five main functions. First is data fusion, which involves gathering and processing information on cybercrime. The EC3 hopes to function as a central repository for statistics on cybercrime and its apprehension. Its second function will be cybercrime prevention operations, including conducting cybercrime investigations within individual EU states or facilitating joint investigations across multiple EU states. The third major function of the EC3 will be developing strategies for fighting cybercrime, analyzing crime trends, and forecasting future trends in cybercrime. The fourth function will be research and development as well as training of law enforcement agencies in the skills required to effectively investigate and combat cybercrime. The organization will also educate judges and prosecutors on cybercrime. Lastly, the EC3 will conduct outreach, working with the private sector, academia, and society at large to better handle cybercrime. The majority of credit card numbers used in cybercrime in the EU have historically originated from United States data breaches, so a major focus of the EC3 has been preventing card-not-present (CNP) fraud. Europol has reported that organized crime makes around €1.5 billion annually from credit card fraud, €900 million of which originates from CNP fraud. As technological infrastructure improves in developing nations, it is expected that incidences of online credit card fraud originating in Africa and other similar countries will increase.

The EC3 will need to be prepared for this type of cybercrime becoming more prevalent. The early results of the EC3 have been positive. In 2013, it took down the largest ransomware cybercrime network in Russia, Operation Ransom, which spanned 33 countries, including 22 in the EU. Operation Ransom infected computers with police ransomware, which is a type of malware that blocks a computer completely and warns the user that they have visited illegal websites, such as child pornography, and requests payment of a fine to unblock it. The leader of the ring was arrested in Dubai by Spanish police and Europol along with at least ten more members of the group. Later in 2013, in an operation code-named “Operation Ransom II,” EC3 and Spanish police arrested two Ukrainian cybercriminals who sold access to a botnet with over 21,000 compromised servers located in 80 different countries. They also operated a sophisticated money laundering scheme that processed around €10,000 a day through various electronic payment systems and virtual currencies. These two investigations were part of EC3’s “Focal Point Cyborg,” which assisted in a total of 19 cybercrime operations in the EC3’s first year of existence. As part of its “Focal Point Terminal” division, the EC3 busted an Asian criminal network responsible for the theft of 15,000 credit card numbers and for conducting illegal Internet transactions and purchases of airline tickets. In 2014, the EC3 held a “day of action” to target criminals using stolen credit cards to buy airline tickets as part of a different ring. Europol and individual law enforcement officers worked in concert in each country to make the arrests, which yielded further links to other criminal organizations. A third area, “Focal Point Twins,” focused on nine sophisticated online child sexual exploitation rings in EC3’s first year. EC3 has continued to shut down high-profile cybercriminal operations in 2015, including the Ramnit and Beebone botnets, and its improved ability to work with other law enforcement entities has helped it to bring down the creators of the Dridex banking malware, which accounted for £20 million in losses in the United Kingdom and $10 million in the United States. The EC3 has increasingly focused on fighting “cybercrime-as-a-service.” Experienced cybercriminals are selling programs and services that buyers can use to commit cybercrime without the same knowledge of criminal techniques. When cybercrime is committed outside of the EU’s jurisdiction, it is more difficult to police, so many skilled cybercriminals within EU borders have taken to cybercrime-as-a-service to reduce their risk, allowing others to execute the cybercrime instead. Criminals are also increasingly making use of legitimate tools to stay anonymous on the Web, such as encryption techniques; virtual currencies like Bitcoin; and anonymization services such as Tor, which are used to navigate areas on the Web known as the Darknet, private networks where connections are made without sharing IP addresses. Many cybercriminals have migrated their efforts to mobile phones, forcing EC3 to begin targeting these operations. In its first major success in that area, EC3 brought down the DroidJack mobile phone malware in 2015. Troels Oerting, head of the EC3, noted that although these obstacles are daunting, worldwide cybercrime is driven by a small number of talented programmers, and that focusing on these top-level criminals is the best way to combat cybercrime going forward.

To that end, EC3 has launched a cybercrime task force in tandem with other law enforcement agencies called the Joint Cybercrime Action Task Force, which will focus on developing strategies for handling newer cybercrime techniques, pursuing the most dangerous cybercriminals, and further improving the flow of data between law enforcement agencies across borders. In 2014, the EC3 demonstrated its ability to shut down sites on the Darknet, shutting down the second iteration of the underground black market Silk Road 2.0, and arresting its operator, a 26-year-old former Google programmer. In 2015, it continued to bring down illicit sites on the Darknet, including a service for distributing child pornography. EC3’s challenge will be to continue making these high-profile arrests while adapting to the ever-changing array of techniques cybercriminals use.

SOURCES: “Europol Get New Powers to Target Terrorists and Cyber-gangs,” Scmagazineuk.com, December 1, 2015; “International Law Enforcement Action Against DroidJack Mobile Phone Malware,” Europol, October 28, 2015; “An ‘Average’ Cyber Crime Costs a U.S. Company $15.4 Million,” by Bill Hardekopf, Forbes.com, October 17, 2015; “FireEye Latest Security Firm to Join Forces with Europol,” by Warwick Ashford, Computerweekly.com, August 17, 2015; “Darknet Hidden Service for Child Sexual Abuse Material Shut Down,” Europol, July 31, 2015; Maxwell Cooter, “Europol Leads Takedown of Beebone Botnet,” Scmagazineuk.com, April 10, 2015; “Europol Shuts Down Ramnit Botnet in Global Operation,” by Dave Neal, Theinquirer.net, February 26, 2015; “FBI, Europol Make Large ‘Dark Web’ Bust,” Reuters, November 7, 2014; “‘Every Day Is a Challenge’ – Inside Europol’s Fight Against Cybercrime,” by Doug Drinkwater, Scmagazineuk.com, November 1, 2014; “Only 100 Cybercrime Brains Worldwide Says Europol Boss,” BBC News, October 10, 2014; “Service Model Driving Cyber Crime, Says Europol Report,” by Warwick Ashford, Computerweekly.com, September 29, 2014; “Europol’s EC3 Launches Pan-Euro Cybercrime Taskforce J-CAT,” by Phil Muncaster, Info Security, September 2, 2014; “Europol Launches Taskforce to Fight World’s Top Cybercriminals,” by Tom Brewster, Theguardian.com, September 1, 2014; “First Year Report,” EC3, February 9, 2014; “Brian Honan Appointed Special Advisor to Europol Cybercrime Centre,” Net-security.org, October 10, 2013; “Europol Appoints McAfee’s Raj Samani as Cybercrime Advisor at EC3,” The Security Lion, October 8, 2013; “Spanish Police and Europol Arrest Cybercrime ‘Service Providers,’” Europol, September 27, 2013; “Europol-Interpol Cybercrime Conference Steps Up Policing in Cyberspace,” Europol, September 25, 2013; “European Cybercrime Center Targets Airline Ticket Fraud,” by Jeff Goldman, Esecurityplanet.com, July 2, 2013; “International Network of On-Line Card Fraudsters Dismantled,” Europol, March 8, 2013; “European Cybercrime Centre Dismantles Its First Criminal Network,” by Nerea Rial, Neurope.eu, February 14, 2013; “Opening of the European Cybercrime Center – A Journey Begins,” by Neil Robinson, Rand.org, January 11, 2013; “Europe’s Cybercrime Fighters Get New Digs…Complete with Faraday Room,” by John Leyden, Theregister.co.uk, January 11, 2013; “Europe’s New Cybercrime Center to Open Its Doors This Week: EC3 to Act as Hub for EU-Wide Collaboration to Combat E-Crime,” by Natasha Lomas, Techcrunch.com, January 9, 2013.


As Europol Takes on Cybercrime with EC3 illustrates, the Internet and Web are increasingly vulnerable to large-scale attacks and potentially large-scale failure. Increasingly, these attacks are led by organized gangs of criminals operating globally—an unintended consequence of globalization. Even more worrisome is the growing number of large-scale attacks that are funded, organized, and led by various nations against the Internet resources of other nations. Currently there are few if any steps that individuals or businesses can take to prevent these kinds of attacks. However, there are several steps you can take to protect your business Web sites, your mobile devices, and your personal information from routine security attacks. Reading this chapter, you should also start thinking about how your business could survive in the event of a large-scale “outage” of the Internet. In this chapter, we will examine e-commerce security and payment issues. First, we will identify the major security risks and their costs, and describe the variety of solutions currently available. Then, we will look at the major payment methods and consider how to achieve a secure payment environment. Table 4.1 highlights some of the major trends in online security in 2015–2016.

TABLE 4.1 WHAT’S NEW IN E-COMMERCE SECURITY 2015–2016

• Large-scale data breaches continue to expose data about individuals to hackers and other cybercriminals.
• Mobile malware presents a tangible threat as smartphones and other mobile devices become more common targets of cybercriminals, especially as their use for mobile payments rises.
• Malware creation continues to skyrocket and ransomware attacks rise.
• Nations continue to engage in cyberwarfare and cyberespionage.
• Hackers and cybercriminals continue to focus their efforts on social network sites to exploit potential victims through social engineering and hacking attacks.
• Politically motivated, targeted attacks by hacktivist groups continue, in some cases merging with financially motivated cybercriminals to target financial systems with advanced persistent threats.
• Software vulnerabilities, such as the Heartbleed bug and other zero-day vulnerabilities, continue to create security threats.
• Incidents involving celebrities raise awareness of cloud security issues.

4.1 THE E-COMMERCE SECURITY ENVIRONMENT

For most law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace, providing access to people, goods, services, and businesses worldwide, all at a bargain price. For criminals, the Internet has created entirely new—and lucrative—ways to steal from the more than 1.35 billion Internet consumers worldwide in 2015. From products and services, to cash, to information, it’s all there for the taking on the Internet.


It’s also less risky to steal online. Rather than rob a bank in person, the Internet makes it possible to rob people remotely and almost anonymously. Rather than steal a CD at a local record store, you can download the same music for free and almost without risk from the Internet. The potential for anonymity on the Internet cloaks many criminals in legitimate-looking identities, allowing them to place fraudulent orders with online merchants, steal information by intercepting e-mail, or simply shut down e-commerce sites by using software viruses and swarm attacks. The Internet was never designed to be a global marketplace with billions of users and lacks many basic security features found in older networks such as the telephone system or broadcast television networks. By comparison, the Internet is an open, vulnerable-design network. The actions of cybercriminals are costly for both businesses and consumers, who are then subjected to higher prices and additional security measures. The costs of malicious cyberactivity include not just the cost of the actual crime, but also the additional costs that are required to secure networks and recover from cyberattacks, the potential reputational damage to the affected company, as well as reduced trust in online activities, the loss of potentially sensitive business information, including intellectual property and confidential business information, and the cost of opportunities lost due to service disruptions. Ponemon Institute estimates that the average total cost of a data breach to the 350 companies from 11 different countries participating in its 2015 study was €3.5 million (Ponemon Institute, 2015a).

THE SCOPE OF THE PROBLEM

Cybercrime is becoming a more significant problem for both organizations and consumers. Bot networks, DDoS attacks, Trojans, phishing, ransomware, data theft, identity fraud, credit card fraud, and spyware are just some of the threats that are making daily headlines. Social networks also have had security breaches. But despite the increasing attention being paid to cybercrime, it is difficult to accurately estimate the actual amount of such crime, in part because many companies are hesitant to report it due to the fear of losing the trust of their customers, and because even if crime is reported, it may be difficult to quantify the actual dollar amount of the loss. A 2014 study by the Center for Strategic and International Studies examined the difficulties in accurately estimating the economic impact of cybercrime and cyberespionage, with its research indicating a range of between €345 billion to €530 billion worldwide. Further research is planned to try to help determine an even more accurate estimate (Center for Strategic and International Studies, 2014). One source of information is a survey conducted by Ponemon Institute. Ponemon’s 2015 survey included 252 companies in seven countries: Germany, the United Kingdom, Russia, Australia, Japan, Brazil, and the United States. There were 1,928 total attacks reported, a 12.3% increase from the previous year. The average annualized cost for organizations in the study was around €7.1 million. In all countries, virtually all organizations experienced attacks involving viruses, worms, Trojans, and malware. More than 50% of the companies also suffered Web-based attacks, phishing and social engineering attacks, malicious code, botnets, and denial of service attacks. The most costly types of attacks were those by malicious insiders, denial of service, and Web-based attacks (Ponemon Institute, 2015b). Reports issued by security product providers, such as Symantec, are another source of data. Symantec issues a semi-annual Internet Security Threat Report, based on 57.6 million sensors monitoring Internet activity in more than 157 countries. Advances in technology have greatly reduced the entry costs and skills required to enter the cybercrime business. Low-cost and readily available Web attack kits enable hackers to create malware without having to write software from scratch. In addition, there has been a surge in polymorphic malware, which enables attackers to generate a unique version of the malware for each victim, making it much more difficult for pattern-matching software used by security firms to detect. According to Symantec, the number of data breaches increased 23% in 2014, the number of spear-phishing attacks increased by 8%, malware increased by 26%, and ransomware attacks grew by 113% (Symantec, 2015l). However, Symantec does not attempt to quantify actual crimes and/or losses related to these threats. Online credit card fraud is one of the most high-profile forms of e-commerce crime. Although the average amount of credit card fraud loss experienced by any one individual is typically relatively small, the overall amount is substantial. The overall rate of online credit card fraud is estimated to be about 0.9% of a...
