There are those who would have you believe that the prevalence of online fraud is such that the only safe course is to never turn on your PC. Whilst such a solution is clearly ludicrous, undeniably the cost of online fraud to UK plc is huge. The Minister for Small Firms and E-commerce estimates that online fraud costs the UK over £9bn every year; in the US, analysts put the cost at $10bn per year. Almost half of all organisations suffer an information-security related financial loss each year, and 41% of companies cite security as the major hurdle to doing business over the internet.
There is therefore an unmistakable need for better security within e-commerce. Ensuring that information is only received by the intended recipient has always been challenging; no sooner is a technique developed than somebody cracks it!
Since the establishment of his role in 1999, the Minister has been given responsibility for addressing the problems of fraud and breaches of security in e-commerce and for establishing an environment of trust and security in electronic business. The Management of Information project, a 3-year rolling collaborative LINK initiative, has the following aims:
- to encourage the development of new technologies and systems to detect and counter fraud;
- to improve the privacy of individuals and organisations; and
- to encourage development of high-tech weapons against conventional activities such as forgery, illegal access and theft.
On 22 November this year, the Minister announced two projects to develop electronic solutions to help boost "e-confidence": the development of software to improve e-trading processes (FIDES), and addressing consumer and industry barriers in e-commerce (HI-SPEC).
FIDES, Fair Integrated Data Exchanged Services, will be responsible for the research into the design and implementation of secure e-procurement information exchange systems over the internet to prevent fraud.
HI-SPEC, Human Issues in Security and Privacy for E-Commerce, will explore the development of "rules of trust" for e-consumers and e-retailers; developing software to meet the needs of next generation "privacy enhancing" technologies.
Can internet fraud be prosecuted effectively?
The lynchpin case of R v Gold and another 1988 prompted the enactment of the Computer Misuse Act 1990 ("the Act"). In this case, the defendants were accused of hacking into a computer databank and were convicted of making a "false instrument" under s.1 of the Forgery and Counterfeiting Act 1981. They appealed this decision on the grounds that they had not actually "made" an instrument. Their convictions were quashed in the Court of Appeal, a decision which was later upheld on appeal by the Crown to the House of Lords.
The Act creates the specific offences available to prosecutors to tackle computer crime. To date, however, it has not been widely used, one reason being that computer crime often involves the use of computers to facilitate more traditional offences like conspiracy to defraud.
S.1 of the Act makes it an offence to cause a computer to perform any function with intent to secure unauthorised access to any program or data held on any computer, knowing at the time that such access is unauthorised.
S.2 of the Act creates the offence of committing the unauthorised access offence under s.1 with intent to commit an offence which is punishable by 5 years imprisonment (on indictment) or more.
S.3 of the Act creates the offence of unauthorised modification of the contents of any computer with intent, by so doing, to impair the operation of any computer, to prevent or hinder access to any program or data held in the computer, or to impair the operation of any such program or the reliability of any such data. The modifications (temporary or permanent) need not be directed at a particular computer, but it is necessary to prove that the defendant knew that any modification he intended to cause was unauthorised.
Those of you whose software has received the unwanted attentions of "Love Bug", "Melissa" etc. will be pleased to know that the propagators of these and similar viruses could be prosecuted under s.3 if they can be tracked down.
Sections 4 to 9 of the Act give wide territorial scope, allowing prosecutions to take place in this country. The territorial scope is similarly wide for inchoate offences (such as conspiracy and attempt to commit offences under the Act). In particular, the question of the country in which any person became a party to a conspiracy, and whether any act, omission or other event occurred in the home country concerned, is immaterial to the defendant's guilt.
There is no offence of stealing a service but the Law Commission has recognised the need for a specific offence of dishonestly obtaining a service from a machine because of the Internet and growth of e-commerce.
What does the future hold for this area?
The European Convention on Cybercrime is due to be signed by Ministers shortly and is the first international treaty on crimes committed over the Internet and other computer networks, dealing particularly with computer-related fraud, infringements of copyright and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. Its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.
Interior ministers and law enforcement officials from Europe, South Africa, Canada, the United States and Japan will sign the milestone cyber-crime convention, which has taken four years to draft, in the Hungarian capital of Budapest.
Whilst increased regulation may not at first sight seem necessarily to be a beneficial step for players in the IT and online space, a clearer understanding of what is and is not acceptable online will help to foster a greater sense of trust. Increased trust in the systems will be essential for Europe to become the e-commerce hub that it aspires to be, and for the UK to meet the Government's targets for 2005, including the requirement for all government services to be available online by that date.
Key technologies that underpin critical security applications
Biometrics is the use of biological characteristics to identify individuals; the most commonly used techniques involve the measurement of external physical characteristics. Examples are fingerprinting, iris recognition (where the patterns in the coloured ring of tissue that surrounds the pupil are analysed), facial recognition (techniques range from measuring the distances between facial features to thermal analysis) and DNA analysis. Development is also under way in the areas of body odour recognition and speaker verification.
Data Mining looks at the source data itself, which is usually held on machines of different types running different operating systems and software. In a data warehouse, information from a variety of different origins is collected and verified before being stored. The data can then be interrogated in a number of different ways, e.g., Online Analytical Processing (OLAP), where software is used to detect the reason for particular trends; Executive Information Systems (EIS), where information is organised so as to produce reports with little expert effort; and Data Mining, where sophisticated statistical, analytical and artificial intelligence methods such as neural networks are used to determine patterns and trends within the information and to predict likely future outcomes.
Pattern recognition starts with classification, looking at the features of an object. In all pattern recognition applications, the concept of clustering is used. A cluster is a number of similar objects (patterns) that are grouped together. Simple drawing techniques such as data visualisation can also be used in pattern recognition.
RFID is based on the use of small tags that can be attached to or incorporated within products at the time of manufacture (source tagging). The tags can then be either read from, or have information written to them, over distances that range from a few centimetres to a few tens of metres, depending on the type of tag that is used. These tags are a great step forward from the more usual CCTV used in store security, as they can store much larger amounts of information which can be changed in a secure manner at all stages of the product's life-cycle and secured in an encrypted form that prevents unauthorised changes. This technology is currently being used in automatic payment systems, airline baggage tracking and routing, counterfeit protection and parcel tracking systems. By using this technology at every point in a supply chain to identify the lawful owner of an item, the opportunity for fraud, counterfeiting etc. is reduced.
Encryption works by encoding information with a key. However, making sure that the key gets to the recipient without being available to anybody else is still an issue. In a public key system, this problem is addressed by having two keys: a public key and a private key. The public key is available to anybody but can only be used to encrypt information. The private key, which is never released, is necessary to decrypt the message.
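As an added illustration of the two-key system described above (example code written for this page, not part of the original article), the following Python implements textbook RSA with constructed key material: the public key (n, e) encrypts, and only the holder of the private exponent d can decrypt, so the public key can be handed out freely and the key-distribution problem disappears. The primes P and Q, the public exponent 65537 and the sample message are assumptions chosen for the demonstration; unpadded RSA with moduli this small is for illustration only, and real systems use large moduli together with a padding scheme such as RSA-OAEP.

```python
"""Public-key (RSA) round trip: the public key encrypts, only the private key decrypts.

Constructed example with textbook RSA on two small, well-known Mersenne primes
so that the arithmetic stays visible. Deployed systems use 2048-bit or larger
moduli and padding such as RSA-OAEP; unpadded RSA as shown here is not secure.
"""
from math import gcd

# Constructed key material (assumption for this demo): 2^31-1 and 2^61-1 are prime.
P = 2**31 - 1
Q = 2**61 - 1


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key.

    p and q are assumed prime. e is the public exponent that anyone may know;
    d is its inverse modulo phi(n) and is the secret that never leaves the recipient.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the public key; anyone holding (n, e) can do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Recover the plaintext; only the holder of the private exponent d can."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def public_key_cannot_decrypt(public_key, ciphertext: int, message: bytes) -> bool:
    """Applying the public exponent again does not undo the encryption."""
    n, e = public_key
    return pow(ciphertext, e, n) != int.from_bytes(message, "big")


if __name__ == "__main__":
    public, private = generate_keypair(P, Q)
    sample = b"order 42"  # constructed sample plaintext
    c = encrypt(public, sample)
    print("ciphertext:", c)
    print("decrypted :", decrypt(private, c))
    print("public key alone recovers plaintext?",
          not public_key_cannot_decrypt(public, c, sample))
```

The asymmetry is the whole point of the passage: the sender needs nothing secret, so nothing secret has to travel. In practice the public key itself still has to be authenticated (which is what certificates are for), otherwise an impostor can substitute their own public key and read everything sent to it.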
Written by Mark O'Conor & Lisa Comber. Due to be published in the January 2002 edition of MIS magazine.
Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.