News from The Globe and Mail
E-tailers arm with software to battle on-line fraud
Wednesday, May 21, 2003
Internet security expert Victor Keong has good news and bad news for retailers who sell goods and services on the Web.
The bad news is that he can penetrate security measures on nine out of every 10 retail Web sites he visits and, once inside, access customer information such as names, addresses and credit card numbers.
"If we can get in, others can get in, too," says Mr. Keong, a partner in the security services group at Deloitte & Touche LLP in Toronto. Part of his job there involves "attack and penetration exercises" that determine how well his clients' Web sites can withstand attacks by Internet hackers.
The good news is that Canadian and American information technology companies have developed a wealth of new measures to keep hackers and other Internet con artists at bay.
Most are sophisticated software products designed to put a stop to fraudulent on-line capers such as: the theft and use of credit card numbers and passwords to make purchases on the Web; "e-shoplifting," where hackers enter a site and alter its data so they can buy products at drastically reduced prices; and insider theft by employees and ex-employees.
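The "e-shoplifting" case is worth seeing in code. The following is an added example written for this page, not code from the article or from any vendor it names: a checkout handler that trusts a price field posted back by the browser, beside one that prices the order from the merchant's own catalogue. The catalogue, the SKUs and the tampered request are constructed for illustration.

```python
# Added example (not from the article or any vendor named in it): a checkout
# that trusts a client-supplied price, beside the server-side lookup that
# closes the hole. Catalogue, SKUs and the tampered order are constructed.
from decimal import Decimal

# Constructed catalogue; in a real shop this is the merchant's database.
CATALOGUE = {
    "SKU-1001": Decimal("499.00"),  # digital camera
    "SKU-2002": Decimal("29.95"),   # memory card
}


class BadRequest(Exception):
    """Raised when an order names an unknown product or a bad quantity."""


def checkout_vulnerable(form):
    """Total the order using the price field posted by the browser.

    A hidden <input name="price"> is under the shopper's control, so an
    attacker can resubmit the form with price=0.01 and be charged that.
    """
    total = Decimal("0")
    for item in form["items"]:
        qty = int(item["qty"])
        total += Decimal(item["price"]) * qty
    return total


def checkout_hardened(form):
    """Total the order from the server-side catalogue only.

    The client may name a SKU and a quantity; any price it sends is ignored,
    and unknown SKUs or non-positive quantities are rejected outright.
    """
    total = Decimal("0")
    for item in form["items"]:
        sku = item.get("sku")
        if sku not in CATALOGUE:
            raise BadRequest(f"unknown sku {sku!r}")
        qty = int(item.get("qty", 0))
        if qty <= 0 or qty > 100:  # upper bound is an assumed sanity limit
            raise BadRequest(f"bad quantity {qty} for {sku}")
        total += CATALOGUE[sku] * qty
    return total


# Constructed tampered request: the attacker rewrote the hidden price field.
TAMPERED_ORDER = {"items": [{"sku": "SKU-1001", "qty": 1, "price": "0.01"}]}

if __name__ == "__main__":
    print("vulnerable charges:", checkout_vulnerable(TAMPERED_ORDER))  # 0.01
    print("hardened charges:  ", checkout_hardened(TAMPERED_ORDER))    # 499.00
```

The same rule covers every value that decides what the shopper pays (unit price, discount amount, shipping charge): the browser may only name what it wants, and the server recomputes the money.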
In recent years, the rate of Internet fraud has doubled annually in the United States and Canada, according to Richard Reiner, chief executive officer at Toronto-based application and security consulting company FSC Internet Corp.
He blames the increase on companies' inattention to e-commerce security and a shift in focus by criminals who attack computer systems. Until two years ago, their target was computer network operating systems and communication protocols; these days, it's Web sites and various applications, such as search tools and electronic shopping baskets, because they're easier to penetrate and the spoils -- including credit card data -- help crooks turn a tidy profit, he says.
Regardless of how many millions of dollars companies have invested in network security, the applications they open on the Internet have minimal protection, he says. "Security has not traditionally been part of a developer's mindset, responsibility or training, and many companies simply don't know the most effective steps to take when it comes to protecting their Web applications," says Mr. Reiner, whose retail clients include the Shoppers Drug Mart chain. "The risks keep changing -- they can't rest on their laurels and think that things they did, three, five, seven years ago will still do the job today."
The root cause for most Internet fraud is poor programming by companies that rush to develop an on-line presence, says Ron Moritz, senior vice-president of eTrust Security Solutions at Islandia, N.Y.-based software developer Computer Associates International Inc. "There is this 'keep up with the Joneses' mentality which often means companies don't look after their Internet security as well as they should."
"They do it at their bricks and mortar stores but on the Web they let down their guard," he says.
"Some also worry that by adding more locks and controls on their Web sites, they will lose business because customers will tend to walk away if the process of making a purchase is too complex."
Some companies are simply guilty of poor housekeeping, says Mr. Keong, who can rhyme off numerous examples of firms that have misplaced data tapes, thrown credit card bills into dumpsters or failed to update software, making it easy for Internet hackers and fraud artists to get their hands on vital customer information.
"It's like these companies are leaving their cash register drawers wide open," he says.
The best way to repel fraudulent users is to incorporate security measures into a Web site's software before the site goes live, says Mr. Keong. And once the software is up and running, it should be inspected regularly for holes.
All e-commerce Web sites should be subjected to an "attack and penetration" exercise at least once a year, he contends, noting Deloitte & Touche performs the service for $20,000 to $500,000 per exercise, depending on the size and complexity of the site.
Companies that would rather spend their money on software to protect their Web site applications can choose from a variety of products.
AssureLogic, developed by Assurent Software Inc., a wholly owned subsidiary of FSC Internet, equips sites with a layer of protection for applications, much like firewalls and other measures protect computer networks. The software can determine the difference between legitimate and illegitimate transactions, says Mr. Reiner, noting the FBI recently found more than 50 per cent of e-commerce sites in the United States use software vulnerable to hacker attacks.
"AssureLogic understands the whole sequence of events that are normal during the back and forth between users and applications. If a transaction looks fine, it goes ahead. If a user makes a request that differs from a permissible use, such as changing the shipping address to one that differs from the address attached to a credit card or password, the software detects it and the transaction is blocked."
Toronto-based Novator Systems Ltd.'s Virtual Retailer software automatically, and in real time, validates a customer's credit card number, billing address and credit limit with credit card clearing houses.
Once a purchase is authorized, the system evaluates the order based on criteria such as the number of items ordered, use of a credit card for multiple orders and whether the order is being sent to an address that has been the landing point for past fraudulent orders.
"We try to determine if it is an order that deserves more scrutiny. If our system is triggered, the order is sent for manual review to one of the merchant's customer service representatives, who might contact the buyer," says chairman and CEO Mark Fox.
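The checks attributed to AssureLogic (a ship-to address that differs from the billing address) and to Virtual Retailer (item count, one card across many orders, a ship-to address tied to past fraud, with a hit sent to manual review) can be expressed as a small rule screen. What follows is an added example written for this page, not code from Novator Systems, Assurent or FSC Internet. The orders, the bad-address list and the thresholds are constructed, and the real-time authorization call to the card clearing house is assumed to have already succeeded before these rules run.

```python
# Added example, not Novator's or Assurent's code: a rule-based order screen
# of the kind the article describes, run over constructed orders. Thresholds
# and the fraud-address list are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    card_ref: str          # assumption: a token/hash for the card, never the PAN
    billing_address: str
    shipping_address: str
    item_count: int


# Constructed: ship-to addresses of orders that were later charged back.
KNOWN_FRAUD_ADDRESSES = {"12 Nowhere Rd, Anytown"}

MAX_ITEMS = 10            # assumed limit before an order looks like resale
MAX_ORDERS_PER_CARD = 3   # assumed limit within the batch being screened


def screen_orders(orders, fraud_addresses=KNOWN_FRAUD_ADDRESSES):
    """Return {order_id: [reasons]} for orders that need manual review.

    Orders absent from the result tripped no rule and can be fulfilled.
    Card velocity is computed across the whole batch passed in, so the
    caller decides the window (a day's orders, an hour's, ...).
    """
    card_use = Counter(o.card_ref for o in orders)
    flagged = {}
    for o in orders:
        reasons = []
        if o.shipping_address != o.billing_address:
            reasons.append("ship-to differs from billing address")
        if o.item_count > MAX_ITEMS:
            reasons.append(f"{o.item_count} items exceeds {MAX_ITEMS}")
        if card_use[o.card_ref] > MAX_ORDERS_PER_CARD:
            reasons.append(f"card used on {card_use[o.card_ref]} orders")
        if o.shipping_address in fraud_addresses:
            reasons.append("ship-to address linked to past fraud")
        if reasons:
            flagged[o.order_id] = reasons
    return flagged


# Constructed batch: A1 is clean, B2 ships to a known-bad address,
# C3..C6 reuse one card four times and C3 also orders a dozen items.
SAMPLE_ORDERS = [
    Order("A1", "c1", "1 Main St, Toronto", "1 Main St, Toronto", 2),
    Order("B2", "c9", "1 Main St, Toronto", "12 Nowhere Rd, Anytown", 1),
    Order("C3", "c2", "5 Elm St, Ottawa", "5 Elm St, Ottawa", 12),
    Order("C4", "c2", "5 Elm St, Ottawa", "5 Elm St, Ottawa", 1),
    Order("C5", "c2", "5 Elm St, Ottawa", "5 Elm St, Ottawa", 1),
    Order("C6", "c2", "5 Elm St, Ottawa", "5 Elm St, Ottawa", 1),
]

if __name__ == "__main__":
    for order_id, reasons in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, "-> manual review:", "; ".join(reasons))
```

Each hit carries its reasons so the customer service representative who phones the buyer knows what to ask about, and the rules are deliberately simple enough to explain to a merchant; the thresholds are the part a real deployment tunes from its own chargeback history.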
On-line retailers in Canada that accept Visa credit card payments received an added layer of protection in early April with the rollout of Verified by Visa, a program that assigns cardholders a password to be used when they pay for on-line purchases with their Visa card, says Susan MacKeown, director of emerging products for the Visa Canada Association.
Once merchants install software available commercially or from their banks, cardholders who have signed up with Verified by Visa are asked to type their password into a window that appears on their screen when they make an on-line purchase with their Visa card. If the shopper's identity is verified by his or her financial institution, the merchant's existing payment process proceeds; if it cannot be verified, Visa instructs merchants to request another form of payment.
"Inputting your password is like the customer is signing the receipt for a merchant," says Ms. MacKeown, noting the system, introduced in the United States about two years ago, shifts the liability for fraudulent purchases from the merchant to the card-issuing financial institution.
"In today's world of on-line shopping, the merchant is on the hook if someone else uses your card. This will no longer be the case. If there is a problem, the bank will pay for it."
Computer Associates International has developed a number of software products designed to secure a company's technology infrastructure, including the prevention of in-house fraud and fraud committed by former employees, says Mr. Moritz, whose customers include a broad spectrum of companies with an on-line presence, including retailers.
The company's eTrust Admin enables companies to control the number of people who have access to their computer systems by automatically creating, modifying and deleting user accounts when employees join and leave a firm.
"On average, employees are provided with access to 16 systems when they come on board but only 10 are removed when they leave. That's a risk," he says. "eTrust Admin helps companies better control the number of users of their systems by integrating with human resources systems to achieve completely automated user account management."
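The "16 systems granted, 10 removed" problem is a reconciliation problem, and the core of it fits in a few lines. The following is an added example written for this page, not Computer Associates' eTrust Admin code: it compares an HR roster against the account lists held by each system and reports the accounts that belong to people who have left, plus accounts for which HR has no record at all. The roster, the systems and the dates are constructed.

```python
# Added example, not Computer Associates' eTrust Admin: reconcile an HR
# roster against per-system account lists to find accounts left behind by
# leavers and accounts HR knows nothing about. All inputs are constructed.
from datetime import date

# Constructed HR feed: employee id -> (name, termination date or None).
HR_ROSTER = {
    "e100": ("Alice Ng", None),
    "e101": ("Bob Lee", date(2003, 4, 30)),   # left last month
    "e102": ("Cara Diaz", None),
}

# Constructed: accounts each system still holds, keyed by employee id.
SYSTEM_ACCOUNTS = {
    "erp": {"e100", "e101", "e102"},
    "crm": {"e100", "e101"},
    "vpn": {"e101", "e102"},
    "warehouse": {"e100", "e999"},   # e999 is unknown to HR
}

AS_OF = date(2003, 5, 21)  # assumed run date for the report


def active_employees(roster, today):
    """Ids of people HR considers employed on `today`."""
    return {eid for eid, (_, term) in roster.items()
            if term is None or term > today}


def reconcile(roster, systems, today):
    """Return (orphans, unknown): accounts that should be disabled now.

    orphans: system -> sorted ids of former employees still holding accounts
    unknown: system -> sorted ids present on the system but absent from HR
    """
    active = active_employees(roster, today)
    orphans, unknown = {}, {}
    for system, accounts in systems.items():
        left = sorted(a for a in accounts if a in roster and a not in active)
        stray = sorted(a for a in accounts if a not in roster)
        if left:
            orphans[system] = left
        if stray:
            unknown[system] = stray
    return orphans, unknown


if __name__ == "__main__":
    orphans, unknown = reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, AS_OF)
    for system, ids in orphans.items():
        print(f"{system}: disable accounts of leavers {ids}")
    for system, ids in unknown.items():
        print(f"{system}: investigate accounts with no HR record {ids}")
```

Run daily against the HR feed, a report like this catches the six accounts that were never closed; the automated version the article describes is the same comparison wired straight to each system's account-disable call, with the "unknown to HR" bucket routed to a person, since those are the ids an insider or ex-employee would most like to keep.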
eTrust Access Control regulates which systems employees can reach, what they can do within them and when they are allowed access; its policies can be created, managed and distributed enterprise-wide or customized to meet specific security requirements.
"It allows you to lock down an environment, like using a steel door and a solid lock, so only key personnel in your organization can get at certain systems," Mr. Moritz says.
© The Globe and Mail