Internet Transactions at Risk

New Security Solutions are Needed

By Robert D. Peterson, CFE, CPA, FLMI; and Dale G. Peterson, CISSP

On June 21, Internet users tried to reach but instead found themselves in an anti-Nike site originating from Australia. Though it was obvious that they had been hijacked, the switch showed how criminal hackers could use the same Internet vulnerabilities to redirect users to copycat financial Web sites to steal millions of dollars before they know they've been duped.

Fraud examiners and auditors must realize that the Internet is now the preeminent fraud battleground. Schemes that once required a physical presence in the workplace to execute properly are now accomplished with a few keystrokes, and the crime trail vanishes with a few more. The victim can be destroyed financially in seconds but may not be aware of the attack for days. Recovering the loss is almost impossible because there is scant and fleeting evidence that a crime ever occurred. CFEs must recognize their companies' and clients' vulnerabilities and help design controls and solutions.

The current method to protect Internet transactions, Secure Sockets Layer (SSL), is inadequate and doesn't provide the required protections and assurances. Unfortunately, this session-based encryption protocol is used on almost every e-commerce site. (SSL encrypts, or scrambles, all information sent from an Internet browser to a Web site for a session or a period of time.) Instead, Internet transactions need to be protected by a "transaction security protocol."

Transaction Requirements

Any transaction between two people has similar requirements whether it is face-to-face, over the telephone, or on the Internet:

  • the identity of the consumer and merchant need to be authenticated;
  • the transaction details such as price, quantity, and terms need to be agreed upon and authenticated;
  • each party needs to know that the other party cannot claim that the transaction did not take place (non-repudiation); and
  • both parties need dispute resolution procedures that protect both positions.

An optional, but highly desirable, requirement is privacy (that is, only the consumer and merchant know the transaction details). There are many everyday financial transactions in which privacy isn't provided, such as a check-out line in a supermarket, a public auction, or buying a restaurant meal, but most Internet users request privacy.

E-commerce sites protected by SSL today only provide privacy and some limited, weak consumer and merchant authentication. While privacy may be important to some consumers, it is not a substitute for identity and transaction authentication, non-repudiation, and dispute resolution protection.

One common aspect of diligence within auditing standards has been the ability to test and prove transactions. If SSL standards were applied to banking, then, for instance, a checking account could open at the beginning of the month with a certain balance and close at the end of the month with a different balance and there would be no way to verify the transactions occurring between the two dates. An auditor could prove that the holder of the checking account entered and exited the bank but could not verify what the customer actually did in the bank to the satisfaction of both parties. Each party could present a collection of separate electronic records, none of which are mutually authenticated.
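The requirements listed above (authenticated identities, authenticated transaction details, non-repudiation, and a record an auditor can test) are exactly what a session-only protocol leaves out. The following added example, written for this article and not taken from it or from any product the authors describe, shows the shape of a transaction-level record that satisfies them: both the consumer and the merchant sign the same canonical encoding of the agreed details with their own Ed25519 keys, and a third party can later verify both signatures without either party's cooperation and without the original session. The party names, the key generation, and the transaction fields are constructed for the example; in a real deployment the public keys would be bound to identities by certificates rather than generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction holds the details both parties must agree on (price, quantity,
// terms). The field order is fixed, so json.Marshal yields one canonical byte
// string that both signatures cover.
type Transaction struct {
	Merchant  string `json:"merchant"`
	Consumer  string `json:"consumer"`
	Item      string `json:"item"`
	Quantity  int    `json:"quantity"`
	UnitCents int64  `json:"unit_cents"`
	Terms     string `json:"terms"`
}

// Party is one side of the transaction: a name plus an Ed25519 key pair.
// Assumption for this example: keys are generated locally; a real system
// would bind Pub to the name with a certificate.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty creates a party with a fresh key pair (constructed for the example).
func NewParty(name string) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, Pub: pub, priv: priv}
}

// Record is the mutually authenticated evidence that outlives the session:
// the agreed details plus one signature from each side over those details.
type Record struct {
	Tx          Transaction
	ConsumerPub ed25519.PublicKey
	MerchantPub ed25519.PublicKey
	ConsumerSig []byte
	MerchantSig []byte
}

// canonical returns the bytes both parties sign.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err)
	}
	return b
}

// Agree produces the record: each party signs the same canonical bytes, so
// neither can later claim different details or deny taking part.
func Agree(tx Transaction, consumer, merchant Party) Record {
	msg := canonical(tx)
	return Record{
		Tx:          tx,
		ConsumerPub: consumer.Pub,
		MerchantPub: merchant.Pub,
		ConsumerSig: ed25519.Sign(consumer.priv, msg),
		MerchantSig: ed25519.Sign(merchant.priv, msg),
	}
}

// Audit is what an auditor or dispute arbiter runs later. It needs only the
// record and the two public keys; it fails if either signature does not match
// the details exactly as recorded.
func Audit(r Record) error {
	msg := canonical(r.Tx)
	if len(r.ConsumerPub) != ed25519.PublicKeySize || !ed25519.Verify(r.ConsumerPub, msg, r.ConsumerSig) {
		return errors.New("consumer signature does not match transaction details")
	}
	if len(r.MerchantPub) != ed25519.PublicKeySize || !ed25519.Verify(r.MerchantPub, msg, r.MerchantSig) {
		return errors.New("merchant signature does not match transaction details")
	}
	return nil
}

func main() {
	consumer := NewParty("alice")            // constructed party
	merchant := NewParty("example-shoe-shop") // constructed party
	tx := Transaction{Merchant: merchant.Name, Consumer: consumer.Name,
		Item: "running shoes", Quantity: 1, UnitCents: 8999, Terms: "ship within 5 days"}
	rec := Agree(tx, consumer, merchant)
	fmt.Println("audit of original record:", Audit(rec))

	// Dispute: the merchant later claims a higher price was agreed. Changing
	// the recorded amount breaks both signatures, so the claim fails audit.
	disputed := rec
	disputed.Tx.UnitCents = 18999
	fmt.Println("audit of altered price:", Audit(disputed))

	// Dispute: the consumer claims the order never happened. The consumer's
	// own signature over these exact details is the non-repudiation evidence.
	fmt.Println("consumer signature verifies:",
		ed25519.Verify(rec.ConsumerPub, canonical(rec.Tx), rec.ConsumerSig))
}
```

The point of the example is the contrast with SSL as the article describes it: an SSL session proves only that an encrypted channel existed, whereas this record is the signed content of the transaction itself, which is what an auditor needs to verify what happened between the opening and closing balances.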
