The development of the Internet as an enabler for information,
communication, efficiency and commerce over the past decade has
been an advance that is unparalleled in our society. For example,
over two hundred billion dollars have been spent in on-line commercial
transactions (by consumers and businesses) in the last year alone,
and there is no end in sight for the continued dramatic growth that
is expected in the coming years. The proliferation of relatively
inexpensive and powerful personal computers, as well as ready availability
of inexpensive high-speed Internet access, has further fueled the
already rapid expansion of commercial services available to consumers
over the Internet. In parallel, cable and satellite service providers,
which in the past have only provided media content, began to offer
interactive capabilities to their subscribers that in certain cases
enable the subscribers, utilizing a provided “set-top box”
or equivalent device, to conduct commercial transactions. At the
same time, conventional mail-order, facsimile, and telephone-based
commercial transactions (and especially non-interactive television-based
home shopping) have declined somewhat but certainly not to the degree
commensurate with the expected decline due to the explosive growth
of on-line ordering capabilities.

Notwithstanding the tremendous growth in availability of on-line offerings of products
and services, there has been a very significant challenge (and in
some cases, barrier) to continued success and growth of on-line
commerce – the escalation of fraudulent on-line transactions.
It is well documented that currently at least 10% of every dollar
spent in on-line transactions represents the costs involved in combating
fraud. On-line fraud can take many forms, but is generally defined
as utilization of consumer confidential financial data (CFD) (e.g.,
credit card number, expiration date, CVV2 number, etc.), by an unauthorized
party to engage in on-line commercial transactions or for related
purposes.

However, fraudulent on-line transactions are only a part of the problem –
the true risk of online commerce, as perceived by most consumers,
is the theft, or misappropriation, of consumer CFD that may later
be used not only to engage in fraudulent on-line transactions, but
also for other secondary purposes, such as placing off-line fraudulent
mail, facsimile, or telephone orders, in addition to being utilized
as a basis for even more dangerous activities, such as identity
theft. Furthermore, recent increased scrutiny of methods used by
various terrorist organizations to obtain funds, equipment and supplies,
has demonstrated that such organizations frequently engage in fraudulent
on-line transactions, CFD misappropriation, and identity theft as
part of their procurement operations.

Theft or misappropriation of CFD has always been a problem with conventional
telephone (e.g., catalog or television shopping network based orders),
and mail-order / facsimile-based commercial transactions, because
customers were forced to provide the CFD verbally to an employee
of the merchant, or in writing, by sending the CFD as part of an
order form through facsimile or by conventional mail. In both cases,
the CFD was readily accessible to parties that were able to intercept,
misappropriate, and then utilize the CFD for fraudulent purposes.
While in certain ways on-line transactions may offer a greater deal
of security for transmission of CFD between a customer and a merchant,
the challenge of CFD theft by individuals with external or internal
access to the merchants’ computer systems remains. In fact,
as described below, the process of on-line commercial transactions
offers even more opportunities for CFD misappropriation than do
other non-electronic methods.

Theft or misappropriation of the CFD may occur in one or more
of the following well-known and publicized ways:
- Interception of the CFD from the consumer prior to transmission: Many
  consumers store their CFD on their computer as part of “form-filling”
  software or in simple text or word processing files for their
  convenience. In this case, any individual who is able to gain
  electronic or physical access to the consumer’s computer
  may be able to obtain the CFD. In another case, a computer virus
  infecting the consumer’s computer, such as a “keystroke
  logger” or a password capture program, may be able to intercept
  the CFD being entered by the consumer during an order process,
  and then secretly send it to a third party;
- Interception of the CFD during transmission: For example, the CFD
  may be misdirected from a merchant’s system, the consumer may be
  tricked into sending the CFD to a different destination (i.e., “spoofing”),
  the CFD may be intercepted at the merchant side by a maliciously
  installed hidden program, etc.; and
- Theft of the CFD from the merchant: The CFD may be misappropriated by the
  merchant, by one or more of the merchant’s employees, or
  by a third party breaking into a merchant’s customer CFD
  database. This is an issue of particular importance -- the U.S.
  Congress has held hearings on identity theft and is considering new
  legislation to address this growing problem, while the Canadian
  government and EU officials are considering a similar course of
  action.

In addition to all the risks and dangers described above in connection with
consumer commercial transactions, another significant challenge
exists in the corporate sector – the danger of fraud and embezzlement
by the company’s own employees. This problem is particularly
significant in small to medium size businesses that do not have
in-house purchasing departments, or other dedicated financial controls,
and that rely on credit, debit, or charge cards for most day-to-day
purchases.
Glossary:
“CFD” – Confidential Financial Data
“CDC card” – Credit / Debit / Charge Card
“FSP” – Financial Service Provider
“CFAU rules” – Customized Financial Account Utilization rules
“BTST technologies” – Byz Tek’s Secure Transaction technologies