E-Query With PwC: 'Security Issues in B2C' - Part 1

This Q&A looks at the security issues in a B2C situation.

Q: I am looking at selling some of my products on the Internet to regional customers. After hearing the losses suffered by Singapore-based mustafa.com on credit card fraud, however, I am reviewing my strategy. How can I ensure that I am protected as a retailer and that I can give the same security assurance to my customers?

A: The media are full of reports of attacks on, or failures of, computer networks and electronic commerce services. mustafa.com is not alone.

As an indicative guide for the mid-1990s, the following figures represent a summary of financial fraud and security-related attacks compiled in the United States:

Credit card fraud: US$5 billion annually worldwide
Online information theft: US$10 billion annually including calling card and credit card numbers, pirated software and corporate secrets

50 per cent of organisations suffered information security compromises resulting in financial loss in the last two years. 10 per cent of users reported an attempted or successful break-in to their system via the Internet in the past year; over 50 per cent would not know if someone broke into their system through the Internet.

Despite these statistics, it is generally agreed that the Internet can greatly reduce costs and create opportunities for new or improved customer services.

Although electronic commerce (e-commerce) is like any other existing commercial activity, it differs in that existing legal theories may no longer be applicable, or may be unsuitable, for resolving e-commerce disputes.

You should therefore review the potential downside of using electronic systems and revise your strategy to address the electronic risks posed.

In all commercial transactions, communication is a key element for concluding a business transaction (e.g. communication of offer and acceptance).

Where in the past these communications were verbally agreed on, or written on paper, the state of current technology has enabled faster, more efficient communications over larger distances in a paperless manner.

The evolution of communications from paper to faxes, telex, telephone and now the Internet has changed the way we communicate and do business. The electronic systems and infrastructure that support e-commerce are susceptible to abuse and misuse.

Despite the change in the physical medium of communication, the underlying principles that enable trust in commercial transactions remain the same.

To address these risks, and ensure your protection as well as provide security assurance to your customers, we must first understand the risks of e-commerce:

Direct financial loss resulting from fraud: A fraudulent insider or external attacker may illegally transfer funds from one account to another or add, delete, modify or destroy financial records;

Theft of valuable confidential information: An intrusion may disclose sensitive, proprietary information (e.g. credit card numbers held on behalf of customers) to unauthorised parties resulting in significant damage to victims;

Loss of business opportunity through disruption of service: Deliberate attacks or accidental events may disrupt your Internet services for long or unacceptable periods;

Unauthorised use of system resources: Unauthorised users may use your system or network as a staging point for attacks on other systems or networks;

Loss of customer confidence or respect: The business' reputation may suffer because of actual or perceived customer inconvenience or adverse publicity resulting from an intrusion or failure, or by intruders who masquerade as a legitimate member of the business; and

Costs resulting from uncertainties: Interruptions to the transaction process caused by electronic-systems failure, external or internal intrusions or improper e-business practices result in transactions being in stasis for long periods of time. The loss of business, reputational damage and costs of dispute resolution brought about by such uncertainties may be substantial.

E-Query With PwC: 'Security Issues in B2C', July 3, 2000 (PART 2)

Q: I am looking at selling some of my products on the Internet to regional customers. After hearing the losses suffered by Singapore-based mustafa.com on credit card fraud, however, I am reviewing my strategy. How can I ensure that I am protected as a retailer and that I can give the same security assurance to my customers?

A: Risks over the Internet must be mitigated through the use of appropriate security counter-measures in tandem with the establishment of essential business and legal processes. The business, technical and legal considerations are outlined below:

Business and Information Privacy Risk Management
Disclose your business and information privacy practices for e-commerce transactions and execute transactions in accordance with disclosed practices.

E-commerce often involves transactions between strangers. How does a consumer know if a well-constructed Web page is a front for a reliable business that will fill its orders? The anonymity of e-commerce and the ease with which the unscrupulous can establish and abandon electronic identities make it crucial that the business discloses and follows certain practices. Without such useful information and the assurance that the entity will follow such practices, consumers could face an increased risk of loss, fraud and inconvenience.

There is a fine line to tread in dealing with information privacy. On the one hand, you will need certain information in order to process a customer order. On the other hand, the customer does not want this information given to others without his permission. He should be able to rectify errors in your Internet customer database when necessary. Without such a process in place, decisions detrimental to the consumer can be made.

To build trust, it is important that the customer is informed of your business practices for e-commerce transactions. You should properly disclose, and adhere to, your business practices in dealing with such matters as orders, returns, and warranty claims.

Transaction Risk Management
Your business should maintain effective controls to provide reasonable assurance that customers' transactions using e-commerce are completed and billed as agreed.

Without proper controls, electronic transactions and documents can be easily changed, lost, duplicated, and incorrectly processed. These attributes may cause the integrity of electronic transactions and documents to be questioned, causing disputes regarding the terms of a transaction and the related billing.

Potential participants in e-commerce may seek assurance that the entity has effective transaction integrity controls and a history of processing its transactions accurately, completely and promptly, and billing its customers in accordance with the agreed-upon terms.

The controls should address:
transaction validation;
the accuracy, completeness, and timeliness of transaction processing and related billings;
the disclosure of terms and billing elements and, if applicable, electronic settlement; and
appropriate transaction identification. Such controls are essential in helping to establish consumer confidence in doing business electronically over the Internet.
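The four control areas just listed can be made concrete in code. The following is an added example, not code from the PwC column: a small order ledger that validates each submission (including refusing prices supplied by the client), bills from a disclosed catalogue and tax rate, assigns a unique transaction id, refuses to bill a duplicate submission twice, and seals each stored record with an HMAC so a later alteration is detectable. The catalogue, tax rate, key, clock and function names are all constructed assumptions.

```python
"""Transaction-integrity controls for an online order pipeline.

Added example, not code from the PwC column. It turns the four control
areas the text lists (transaction validation; accurate, complete and timely
processing and billing; disclosed billing elements; unique transaction
identification) into checks that run over constructed sample orders. The
catalogue, tax rate, key and function names are all assumptions.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone
from decimal import Decimal

CATALOGUE = {"SKU-100": Decimal("19.90"), "SKU-200": Decimal("45.00")}  # constructed disclosed prices
GST_RATE = Decimal("0.03")               # constructed billing element, disclosed to the customer
MAX_AGE = timedelta(minutes=15)          # timeliness: older submissions are refused
SERVER_KEY = b"PLACEHOLDER-load-from-a-secret-store"  # never a literal in real code
SAMPLE_NOW = datetime(2000, 7, 3, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


class OrderError(ValueError):
    """Raised when an order fails a validation control."""


def validate_order(order, now):
    """Transaction validation: refuse malformed, stale or mis-priced input."""
    missing = {"customer_id", "items", "client_ref", "submitted_at"} - order.keys()
    if missing:
        raise OrderError(f"missing fields: {sorted(missing)}")
    submitted = datetime.fromisoformat(order["submitted_at"])
    if not now - MAX_AGE <= submitted <= now + timedelta(minutes=1):
        raise OrderError("stale or future-dated submission")
    if not order["items"]:
        raise OrderError("empty order")
    for item in order["items"]:
        if item.get("sku") not in CATALOGUE:
            raise OrderError(f"unknown sku {item.get('sku')}")
        if not isinstance(item.get("qty"), int) or not 1 <= item["qty"] <= 100:
            raise OrderError(f"bad quantity for {item['sku']}")
        # Prices are taken from the disclosed catalogue, never trusted from the client.
        if "unit_price" in item and Decimal(str(item["unit_price"])) != CATALOGUE[item["sku"]]:
            raise OrderError(f"client price for {item['sku']} differs from catalogue")


def bill(order):
    """Accuracy and completeness: billing is derived from catalogue prices only."""
    subtotal = sum((CATALOGUE[i["sku"]] * i["qty"] for i in order["items"]), Decimal("0"))
    tax = (subtotal * GST_RATE).quantize(Decimal("0.01"))
    return {"subtotal": str(subtotal), "tax": str(tax), "total": str(subtotal + tax)}


def seal(record):
    """Integrity tag: a stored record cannot later be altered without detection."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


class OrderLedger:
    """Processes each customer submission exactly once and keeps sealed records."""

    def __init__(self):
        self.records = {}    # txn_id -> (record, tag)
        self.seen_refs = {}  # (customer_id, client_ref) -> txn_id

    def process_order(self, order, now=None):
        now = now or datetime.now(timezone.utc)
        validate_order(order, now)
        key = (order["customer_id"], order["client_ref"])
        if key in self.seen_refs:  # a retry or double-click must not bill twice
            return self.seen_refs[key], "duplicate"
        txn_id = str(uuid.uuid4())  # unique transaction identification
        record = {"txn_id": txn_id, "customer_id": order["customer_id"],
                  "items": order["items"], "billing": bill(order),
                  "processed_at": now.isoformat()}
        self.records[txn_id] = (record, seal(record))
        self.seen_refs[key] = txn_id
        return txn_id, "accepted"

    def audit(self):
        """Return the ids of stored records whose content no longer matches their seal."""
        return [t for t, (rec, tag) in self.records.items()
                if not hmac.compare_digest(seal(rec), tag)]


def sample_order(client_ref="web-77", **overrides):
    """Constructed request, shaped like what a customer's browser would post."""
    order = {"customer_id": "C1", "client_ref": client_ref,
             "items": [{"sku": "SKU-100", "qty": 2}],
             "submitted_at": SAMPLE_NOW.isoformat()}
    order.update(overrides)
    return order


if __name__ == "__main__":
    ledger = OrderLedger()
    print(ledger.process_order(sample_order(), SAMPLE_NOW))  # accepted, new txn_id
    print(ledger.process_order(sample_order(), SAMPLE_NOW))  # same txn_id, 'duplicate'
    print(ledger.audit())                                     # []
```

The client reference (`client_ref`) is what makes a retried submission recognisable as the same transaction rather than a second order, and the HMAC seal is what lets a later dispute be settled from the stored record rather than from memory. In a real deployment the key comes from a secret store and the ledger from a database, but the controls are the same.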

Technology Risk Management
Your business should maintain effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to your business.

Consumers need assurance that they are dealing with a Web site offering bona fide products and services and that will protect their private information. Although it is relatively easy to establish a Web site, the underlying technology can be complex and can entail a multitude of operational resilience, information protection and related security issues.

The confidentiality of sensitive information transmitted over the Internet can be compromised. For example, without the use of basic encryption techniques (e.g. Secure Socket Layer Encryption, Transport Layer Security Encryption, Public Key Encryption, etc.), consumer credit card numbers can be intercepted and stolen during transmission. Without appropriate firewalls and other security practices, confidential customer information can be intentionally or unintentionally provided to third parties not related to your business.
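Transport encryption only protects the card number if the connection is actually verified; the usual failure is not the absence of TLS but a client that has been told to accept any certificate. The following is an added example, not code from the PwC column, using only Python's standard-library ssl module. It builds a hardened client context such as a retailer's back end might use towards a payment gateway, shows the weakened configuration beside it for contrast, and provides an audit function that reports the weaknesses. The function names and the gateway host are assumptions.

```python
"""Client-side TLS settings for a back end that forwards card data to a
payment gateway. Added example, not code from the PwC column; it uses only
the standard-library ssl module. The function names, the "weak" context
shown for contrast and the gateway host are assumptions.
"""
import ssl

GATEWAY_HOST = "gateway.example.invalid"  # placeholder, never contacted here


def hardened_client_context():
    """Verify the gateway's certificate and hostname and refuse pre-1.2 TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # trust anchors from the platform store
    return ctx


def weak_client_context():
    """The usual shortcut taken to silence a certificate error. With these
    settings any party on the path can present its own certificate and read
    the card data; shown only so that audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # the certificate, if any, is not checked at all
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses in a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def open_gateway_socket(host=GATEWAY_HOST, port=443):
    """How the hardened context is used; not called in the demo (no network)."""
    import socket
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)  # hostname drives SNI and matching


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The same audit can be run against any SSLContext an application builds, which makes it a cheap unit test for the "verify=False" shortcut before it reaches production.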

Security breaches may also include unauthorised access to corporate networks, Internet/Web servers, and even access to the consumer's Internet connection. Consequently, you should consider investing in an intrusion detection system that will enable you to prevent, detect, monitor and recover from any potential intrusions.
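Part of what an intrusion detection system does is simple enough to show in a few lines. The following is an added example, not code from the PwC column: it parses constructed web-server access-log lines in the common Apache/nginx "combined" format and raises one alert for any source address that produces a burst of denied or not-found responses inside a sliding window, the footprint of a scanner or of repeated login guessing. The log lines, window, threshold and function names are assumptions.

```python
"""Detection logic over web-server access logs: flag a source that produces
a burst of failed requests, the footprint of a scanner or of repeated login
guessing. Added example, not code from the PwC column. The log lines are
constructed, in the common Apache/nginx "combined" format; the window,
threshold and function names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAILURE_CODES = {401, 403, 404}   # denied or not-found responses
WINDOW = timedelta(seconds=60)    # sliding window per source address
THRESHOLD = 5                     # failures within the window that raise an alert


def parse_line(line):
    """Return the fields the detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "request": m["req"], "status": int(m["status"])}


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert (ip, first_failure_ts, count) per source that reaches
    `threshold` failures inside `window`; later failures from the same source
    do not re-alert, so a noisy scanner produces one ticket, not hundreds."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in FAILURE_CODES:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], q[0], len(q)))
    return alerts


# Constructed sample: one ordinary shopper and one source hammering the login page.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jul/2000:09:00:00 +0800] "GET /catalogue HTTP/1.0" 200 5120',
    '203.0.113.5 - - [03/Jul/2000:09:00:01 +0800] "POST /login HTTP/1.0" 401 312',
    '203.0.113.5 - - [03/Jul/2000:09:00:03 +0800] "POST /login HTTP/1.0" 401 312',
    'not a log line at all',
    '203.0.113.5 - - [03/Jul/2000:09:00:04 +0800] "POST /login HTTP/1.0" 401 312',
    '198.51.100.7 - - [03/Jul/2000:09:00:05 +0800] "GET /catalogue/old HTTP/1.0" 404 210',
    '203.0.113.5 - - [03/Jul/2000:09:00:06 +0800] "POST /login HTTP/1.0" 401 312',
    '203.0.113.5 - - [03/Jul/2000:09:00:07 +0800] "POST /login HTTP/1.0" 401 312',
    '203.0.113.5 - - [03/Jul/2000:09:00:09 +0800] "POST /login HTTP/1.0" 401 312',
    '198.51.100.7 - - [03/Jul/2000:09:02:30 +0800] "POST /login HTTP/1.0" 401 312',
]


if __name__ == "__main__":
    for ip, first, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed requests since {first:%H:%M:%S}")
```

On the sample the shopper's single 404 and lone failed login never reach the threshold, while the second source is reported once, at its fifth failure, with the time of the first one so that the analyst knows where in the log to start reading. A production detector would add other signals (request rate, unusual paths, geographic spread), but the window-and-threshold skeleton is the same.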

It becomes increasingly critical that the operational resilience of your systems and processes has been sized and dimensioned to cope with the level of demand for services, with recourse to back-up and recovery measures in the event of data loss through error or malicious attacks on the systems.

Potential participants in e-commerce may seek assurance that your business has effective information-protection controls, reliability from disruption and a history of protecting private customer information. This may be provided through independent attestations of your Web sites, generally termed as Web assurance.

The controls required address operational resilience, privacy and security matters like encryption, or other protection of private customer information (such as credit card numbers and personal and financial information).

You should also obtain the customer's permission before storing, altering or copying information on his computer (e.g. Internet cookie or applet information stored on his PC). Consumers are concerned about being able to correct or update information given to a site. How a site allows this process to occur can greatly enhance its e-commerce activity. Consumer concern about the safeguarding of private information traditionally has been one of the most significant deterrents to undertaking e-commerce transactions.


© 2000 PricewaterhouseCoopers