6-1 TOPIC 6: Security, Legal, Ethical and Social Issues
6.1 Basic security issues
6.2 Basic types of network security attacks
6.3 Managing security
6.4 Ethical and legal issues in EC
6.5 Difficulties in protecting privacy in EC
6.6 Issues of intellectual property rights in EC
6.7 Free speech and censorship on the Internet
6.8 EC fraud and protection
6.9 Societal issues in EC
6.10 Role and impact of virtual communities on EC
6.11 The future of EC
Module: Competing in the Network Economy

6-2 Case Study: Brute Force Credit Card Attack Story
• The Problem
– Spitfire Novelties usually generates between 5 and 30 transactions per day
– On September 12, 2002, in a "brute force" credit card attack, Spitfire's credit card transaction processor processed 140,000 fake credit card charges worth $5.07 each (62,000 were approved)
– Total value of the approved charges was around $300,000
– Spitfire found out about the transactions only when it was called by one of the credit card owners, who had been checking his statement online and had noticed the $5.07 charge

6-3 Case Study: Brute Force Credit Card Attack Story
• The Problem
– Brute force credit card attacks require minimal skill
– Hackers run thousands of small charges through merchant accounts, picking card numbers at random
– When the perpetrator finds a valid credit card number it can then be sold on the black market
– Some modern-day black markets are actually member-only Web sites like carderplanet.com, shadowcrew.com, and counterfeitlibrary.com

6-4 Case Study: Brute Force Credit Card Attack Story
• The Problem
– Online Data's credit card processing services: all a perpetrator needed was a merchant's password in order to request authorisation
– Online Data is a reseller of VeriSign Inc.
credit card gateway services
• VeriSign blamed Online Data for the incident
• Online Data blamed Spitfire for not changing its initial starter password

6-5 Case Study: Brute Force Credit Card Attack Story
• Another Problem
– In April 2002, hackers got into the Authorize.Net card processing system (the largest gateway payment system on the Internet)
  • Executed 13,000 credit card transactions, of which 7,000 succeeded
  • Entry into the Authorize.Net system required only a logon name, not a password

6-6 Case Study: Brute Force Credit Card Attack Story
• What should have been done
– Online Data should assign strong passwords at the start
– Customers should change those passwords frequently
– Authorisation services such as VeriSign and Authorize.Net should have built-in safeguards that recognise brute force attacks
– Signals that something is amiss:
  • A merchant issues an extraordinary number of requests
  • Repeated requests for small amounts emanating from the same merchant

6-7 Case Study: Brute Force Credit Card Attack Story
• The results of the two attacks
– VeriSign halted the transactions before they were settled, saving Spitfire $316,000 in charges
– Authorize.Net merchants were charged $0.35 for each transaction
– The criminals acquired thousands of valid credit card numbers to sell on the black market

6-8 Case Study: Brute Force Credit Card Attack Story
• What we can learn
– Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources
– A perpetrator needs only a single weakness in order to attack a system
– Some attacks require sophisticated techniques and technologies
– Most attacks are not sophisticated; standard security risk management procedures can be used to minimise their probability and impact
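The two warning signals on slide 6-6 (an extraordinary number of requests from one merchant, and repeated small-amount requests from the same merchant) are easy to turn into a gateway-side check. The Python below is an added illustration, not code from the case study nor from any VeriSign or Authorize.Net product. The log format, the per-merchant daily baselines, the 10-minute window and the thresholds are all assumptions; the log itself is constructed so that "spitfire" gets a burst of 200 identical $5.07 authorisations on top of a normal morning, while "bookshop" has an ordinary day.

```python
"""Detect brute-force card testing from an authorisation log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- assumptions for this demo (not from the case study) -------------------
MERCHANT_BASELINES = {"spitfire": 30, "bookshop": 500}  # max normal requests per day
DEFAULT_BASELINE = 100
WINDOW = timedelta(minutes=10)   # sliding window over a merchant's requests
VOLUME_MULTIPLIER = 5            # window count above this multiple of the DAILY baseline is "extraordinary"
SMALL_AMOUNT = 10.00             # dollars; card testers use charges too small to draw attention
MIN_REPEATS = 20                 # window must hold at least this many requests for the repeat rule
REPEAT_SHARE = 0.8               # share of the window at one small amount that triggers the repeat rule


@dataclass
class AuthRequest:
    ts: datetime
    merchant: str
    amount: float
    approved: bool


def parse_log(text):
    """Parse constructed 'ISO-timestamp|merchant|amount|APPROVED/DECLINED' lines."""
    records = []
    for line in text.strip().splitlines():
        ts, merchant, amount, result = line.split("|")
        records.append(AuthRequest(datetime.fromisoformat(ts), merchant, float(amount), result == "APPROVED"))
    return records


def build_sample_log():
    """Constructed data: a normal day for 'bookshop', a normal morning for 'spitfire',
    then a two-minute burst of 200 identical $5.07 authorisations on spitfire's account."""
    lines = []
    day = datetime(2002, 9, 12)
    for i in range(120):  # bookshop: 120 requests spread over ~12 hours, varied amounts
        t = day + timedelta(hours=8, minutes=6 * i)
        lines.append(f"{t.isoformat()}|bookshop|{15 + (i % 40) * 1.25:.2f}|APPROVED")
    for i, amt in enumerate([24.99, 12.50, 39.00]):  # spitfire: three genuine sales
        t = day + timedelta(hours=9, minutes=20 * i)
        lines.append(f"{t.isoformat()}|spitfire|{amt:.2f}|APPROVED")
    for i in range(200):  # the attack: random card numbers, same small amount, 0.6 s apart
        t = day + timedelta(hours=21, milliseconds=600 * i)
        result = "APPROVED" if i % 9 < 4 else "DECLINED"
        lines.append(f"{t.isoformat()}|spitfire|5.07|{result}")
    return "\n".join(lines)


def detect_card_testing(records, baselines):
    """Return {merchant: alert} for every merchant showing either signal from slide 6-6."""
    by_merchant = defaultdict(list)
    for r in records:
        by_merchant[r.merchant].append(r)
    alerts = {}
    for merchant, recs in by_merchant.items():
        recs.sort(key=lambda r: r.ts)
        baseline = baselines.get(merchant, DEFAULT_BASELINE)
        reasons, first_seen, peak, approved, start = set(), None, 0, 0, 0
        for end, r in enumerate(recs):
            while r.ts - recs[start].ts > WINDOW:   # slide the window forward
                start += 1
            window = recs[start:end + 1]
            hit = []
            if len(window) > VOLUME_MULTIPLIER * baseline:
                hit.append("volume")
            if len(window) >= MIN_REPEATS:
                amount, n = Counter(w.amount for w in window).most_common(1)[0]
                if amount <= SMALL_AMOUNT and n / len(window) >= REPEAT_SHARE:
                    hit.append("repeated-small-amount")
            if hit:
                reasons.update(hit)
                first_seen = first_seen or window[0].ts
                if len(window) > peak:
                    peak = len(window)
                    approved = sum(w.approved for w in window)
        if reasons:
            alerts[merchant] = {"first_seen": first_seen, "peak_requests_in_window": peak,
                                "approved_in_peak_window": approved, "reasons": sorted(reasons)}
    return alerts


if __name__ == "__main__":
    for merchant, alert in detect_card_testing(parse_log(build_sample_log()), MERCHANT_BASELINES).items():
        print(merchant, alert)
```

The repeat rule fires after only 20 requests, long before the volume rule, which is the point: a gateway that holds further authorisations for the merchant at that moment stops the attacker from harvesting valid card numbers, and the `approved_in_peak_window` count is what the merchant would otherwise be charged for.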
6-9 6.1: Basic Security Issues
• From the user's perspective:
– How can the user be sure that the Web server is owned and operated by a legitimate company?
– How does the user know that the Web page and form do not contain some malicious or dangerous code or content?
– How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?

6-10 6.1: Basic Security Issues
• From the company's perspective:
– How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
– How does the company know that the user will not try to disrupt the server so that it is not available to others?

6-11 6.1: Basic Security Issues
• From both parties' perspectives:
– How do both parties know that the network connection is free from eavesdropping by a third party "listening" on the line?
– How do they know that the information sent back and forth between the server and the user's browser has not been altered?

6-12 6.1: Basic Security Issues
• Authentication: The process by which one entity verifies that another entity is who it claims to be
• Authorisation: The process that ensures that a person has the right to access certain resources
• Auditing: The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions
• Integrity: As applied to data, the ability to protect data from being altered or destroyed in an unauthorised or accidental manner
• Nonrepudiation: The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a (digital) signature
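Auditing and integrity from slide 6-12 meet in the audit log itself: a log of access attempts is only evidence if an intruder who reaches the server cannot quietly edit or drop entries. The Python below is an added example, not from the slides, showing one standard way to make a log tamper-evident with the standard library only: each entry carries an HMAC over its content and the previous entry's HMAC, so modification or deletion anywhere in the chain is caught. The event records, the key and the method names are constructed for the demo.

```python
"""Tamper-evident (HMAC-chained) audit log (added example, standard library only)."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" of the very first entry


class AuditLog:
    """Append-only log in which entry i authenticates entry i-1 via its MAC."""

    def __init__(self, key: bytes):
        self._key = key          # shared between log writer and verifier
        self.entries = []        # dicts: seq, event, prev, mac

    @staticmethod
    def _body(seq, event, prev):
        # Canonical encoding so writer and verifier MAC exactly the same bytes
        return json.dumps({"seq": seq, "event": event, "prev": prev},
                          sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, seq, event, prev):
        return hmac.new(self._key, self._body(seq, event, prev), hashlib.sha256).hexdigest()

    def append(self, **event):
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append({"seq": seq, "event": event, "prev": prev,
                             "mac": self._mac(seq, event, prev)})

    def head(self):
        """MAC of the latest entry; publish it out of band to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index_of_first_bad_entry). Checks sequence numbers, chain links and MACs."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            if not hmac.compare_digest(self._mac(e["seq"], e["event"], e["prev"]), e["mac"]):
                return False, i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)   # tail was cut off
        return True, None


def build_sample_log(key):
    """Constructed audit trail: a login, a denied access, a privilege grant, a later success."""
    log = AuditLog(key)
    log.append(actor="alice", action="login", result="success")
    log.append(actor="alice", action="read:/orders/42", result="denied")
    log.append(actor="admin", action="privilege:grant", target="alice", result="success")
    log.append(actor="alice", action="read:/orders/42", result="success")
    return log


def tamper_demo(key=b"constructed-demo-key"):
    """Show which manipulations the chain catches on its own and which need an anchored head."""
    log = build_sample_log(key)
    results = {"clean": log.verify()}

    modified = copy.deepcopy(log)                 # rewrite history: the denial becomes a success
    modified.entries[1]["event"]["result"] = "success"
    results["modified"] = modified.verify()

    deleted = copy.deepcopy(log)                  # drop the privilege grant
    del deleted.entries[2]
    results["deleted"] = deleted.verify()

    truncated = copy.deepcopy(log)                # remove the most recent entry
    truncated.entries.pop()
    results["truncated"] = truncated.verify()                      # NOT detected by the chain alone
    results["truncated_with_anchor"] = truncated.verify(log.head())  # detected once the head is known
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:22s} {outcome}")
```

Two caveats a practitioner should keep in mind. First, removing the newest entries leaves a valid chain, so the latest MAC must be anchored somewhere the intruder cannot reach (a remote log collector, a write-once store). Second, an HMAC gives integrity but not the nonrepudiation of slide 6-12: everyone holding the key could have produced any entry, so if the log must prove which party wrote it, the chain head has to be signed with a private key instead.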
6-13 6.1: Basic Security Issues
[Exhibit 11.1: General Security Issues at EC Sites]

6-14 6.2: Types of Threats and Attacks
• Nontechnical attack:
– An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
– Social engineering
  • A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
• Multiprong approach used to combat social engineering:
– Education and training
– Policies and procedures
– Penetration testing

6-15 6.2: Types of Threats and Attacks
• Technical attack:
– An attack perpetrated using software and systems knowledge or expertise
• Common Vulnerabilities and Exposures (CVEs):
– Publicly known computer security risks, which are collected, listed, and shared by a board of security-related organisations (cve.mitre.org)

6-16 6.2: Types of Threats and Attacks
• Denial-of-service (DoS) attack:
– An attack on a Web site in which an attacker uses specialised software to send a flood of data packets to the target computer with the aim of overloading its resources
• Distributed denial-of-service (DDoS) attack:
– A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers ("zombies") to send a flood of data packets to the target computer

6-17 6.2: Types of Threats and Attacks
[Exhibit 11.2: Using Zombies in a Distributed Denial-of-Service Attack]

6-18 6.2: Types of Threats and Attacks
• Malware:
– A generic term for malicious software
• A number of factors have contributed to the overall increase in malicious code.
Among these factors, the following are paramount:
– Mixing data and executable instructions
– Increasingly homogeneous computing environments
– Unprecedented connectivity
– Larger clueless user base

6-19 6.2: Types of Threats and Attacks
• As the number of attacks increases, the following trends in malicious code are emerging:
– Increased speed and volume of attacks
– Reduced time between the discovery of a vulnerability and the release of an attack to exploit it
– Remotely controlled bot networks are growing
– E-commerce is the most frequently targeted industry
– Attacks against Web application technologies are increasing
– A large percentage of Fortune 100 companies have been compromised by worms

6-20 6.2: Types of Threats and Attacks
• Malicious code takes a variety of forms, both pure and hybrid
– Virus:
  • A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it
– Worm:
  • A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine

6-21 6.2: Types of Threats and Attacks
• Malicious code takes a variety of forms, both pure and hybrid
– Macro virus or macro worm:
  • A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
– Trojan horse:
  • A program that appears to have a useful function but contains a hidden function that presents a security risk

6-22 6.3: Managing EC Security
• Common mistakes organisations make in managing their security risks (McConnell 2002):
– Undervalued information
– Narrowly defined security boundaries
– Reactive security management
– Dated security management processes
– Lack
of communication about security responsibilities

6-23 6.3: Managing EC Security
• Security risk management:
– A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks
– Phases of security risk management:
  • Assessment
  • Planning
  • Implementation
  • Monitoring

6-24 6.3: Managing EC Security
• Phases of security risk management
– Assessment
  • Evaluate security risks by determining the organisation's assets, the vulnerabilities of its systems, and the potential threats to those vulnerabilities
– Planning
  • Arrive at a set of policies defining which threats are tolerable and which are not
– Implementation
  • Particular technologies are chosen to counter high-priority threats
– Monitoring

6-25 6.3: Managing EC Security

6-26 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Problem
– Before the advent of the Web, people made audiotape copies of music and videos to give to friends and family or used them for their own personal enjoyment
– Such activities were ignored by the producers, distributors, and artists who had the legal rights to the content
– MP3.com enabled users to listen to music from any computer with an Internet connection without paying royalties
– Using peer-to-peer (P2P) technology, Napster supported the distribution of music and other digitised content among millions of users
6-27 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Problem
– MP3.com and Napster claimed to be supporting what had been done for years and were not charging for their services
– The popularity of MP3.com and P2P services was too great for the content creators and owners to ignore
– To the creators and owners, the Web was becoming a vast copying machine
– MP3.com's and Napster's services could result in the destruction of many thousands of jobs and millions of dollars in revenue

6-28 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Problem
– Existing copyright laws were written for physical, not digital, content
– The Copyright Infringement Act states, "the defendant must have willfully infringed the copyright and gained financially"
– The "no financial gain" loophole in the Act was later closed

6-29 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Solution
– In December 2000, EMusic (emusic.com) filed a copyright infringement lawsuit against MP3.com
– In 2001, Napster faced similar legal claims, lost the legal battle, and was forced to pay royalties for each piece of music it supported; Napster collapsed, and in October 2003 it reopened as a "for fee only" service

6-30 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Results
– In 1997, the No Electronic Theft (NET) Act was passed, making it a crime for anyone to reproduce and distribute copyrighted works
  • Applies to reproduction or distribution accomplished by electronic means
  • Even if copyrighted products are distributed without charge, financial harm is experienced by the authors or creators of a copyrighted work
6-31 Case Study: MP3.com, Napster, and Intellectual Property Rights
• The Results
– MP3.com suspended operations in April 2000 and settled the lawsuit
– Napster suspended service and settled its lawsuits
  • Tried to resurrect itself as an online music subscription service with the backing of Bertelsmann AG
  • Filed for bankruptcy in June 2002
  • Purchased by Roxio with plans to revive Napster within a royalty-paying framework

6-32 Case Study: MP3.com, Napster, and Intellectual Property Rights
• What we can learn
– All commerce involves a number of legal, ethical, and regulatory issues
– EC adds to the scope and scale of these issues
– What constitutes illegal behaviour versus unethical, intrusive, or undesirable behaviour?

6-33 6.4: Ethical and Legal Issues in EC
• Ethics:
– The branch of philosophy that deals with what is considered to be right and wrong
• What is unethical is not necessarily illegal
• Ethics are supported by common agreement in a society as to what is right and wrong, but they are not subject to legal sanctions

6-34 6.4: Ethical and Legal Issues in EC
• EC ethical issues
– Non-work-related use of the Internet
  • Employees use e-mail and the Web for non-work-related purposes
  • The time employees waste while surfing non-work-related Web sites during working hours is a concern
  • Can be minimised by having a corporate code of ethics

6-35 6.4: Ethical and Legal Issues in EC
• Major ethical/legal issues
– Privacy
– Intellectual property rights
– Free speech versus censorship
– Consumer and merchant protection against fraud
– Unsolicited electronic ads and spamming (covered in Lesson 4)

6-36 6.5: Difficulties in Protecting Privacy in EC
• Privacy:
– The right to be left alone and the right to be free of unreasonable
personal intrusions
– Privacy issues abound when collecting information about individuals:
  • Web site registration
  • Cookies
  • Spyware and similar methods
  • RFID's threat to privacy
  • Privacy of employees
  • Privacy of patients

6-37 6.5: Difficulties in Protecting Privacy in EC
• Privacy:
– There are few restraints on the ways in which a site can use the information it collects
  • It may use it to improve customer service or its own business
  • Or sell the information to another company that could use it in an inappropriate or intrusive manner

6-38 6.5: Difficulties in Protecting Privacy in EC
• Protection of privacy
– Notice/awareness
– Choice/consent
  • Opt-out clause: Agreement that requires computer users to take specific steps to prevent collection of information
  • Opt-in clause: Agreement that requires computer users to take specific steps to allow collection of information
– Access/participation
– Integrity/security
– Enforcement/redress

6-39 6.6: Intellectual Property Rights in EC
• Intellectual property:
– Creations of the mind, such as inventions, literary and artistic works, and symbols, names, images, and designs used in commerce

6-40 6.6: Intellectual Property Rights in EC
• Copyright:
– An exclusive grant from the government that allows the owner to reproduce a work, in whole or in part, and to distribute, perform, or display it to the public in any form or manner, including the Internet
  • Literary works
  • Musical works
  • Dramatic works
  • Artistic works
  • Sound recordings, films, broadcasts, cable programmes

6-41 6.6: Intellectual Property Rights in EC
• Copyright protection (against piracy of software, music, and other digitisable material)
– Using software to produce digital content that cannot be copied
  • Cryptography
  • Tracking copyright violations
– Digital
watermarks:
  • Unique identifiers embedded in digital content that make it possible to identify pirated works

6-42 6.6: Intellectual Property Rights in EC
• Trademark:
– A symbol used by businesses to identify their goods and services; government registration of the trademark confers the exclusive legal right to its use
– The owner of a registered trademark has exclusive rights to:
  • Use the trademark on goods and services for which the trademark is registered
  • Take legal action to prevent anyone else from using the trademark without consent on goods and services (identical or similar) for which the trademark is registered

6-43 6.6: Intellectual Property Rights in EC
• Cybersquatting:
– The practice of registering domain names in order to sell them later at a higher price
• The Anticybersquatting Consumer Protection Act of 1999 allows trademark owners to sue for statutory damages
  • Juliaroberts.com
  • Madonna.com

6-44 6.6: Intellectual Property Rights in EC
• Patent:
– A document that grants the holder exclusive rights on an invention for a fixed number of years
  • Patents serve to protect tangible technological inventions
  • Patents are not designed to protect artistic or literary creativity
  • Patents confer monopoly rights to an idea or an invention, regardless of how it may be expressed

6-45 6.6: Intellectual Property Rights in EC
• Fan and hate sites
– Cyberbashing:
  • The registration of a domain name that criticises an organisation or person
  • May violate the copyrights of the creators or distributors of intellectual property
  • This issue shows the potential collision between protection of intellectual property and free speech

6-46 6.7: Free Speech and Censorship in EC
• One of the most important issues for Web surfers (according to surveys) is censorship
– Censorship:
  • Governmental attempts to control broadcast material
– Controlling spam
  • Spamming: The practice of indiscriminately broadcasting messages over the Internet (e.g., junk mail)
  • Spam comprises 25 to 50% of all e-mail

6-47 6.8: EC Fraud and Consumer and Seller Protection
• Fraud on the Internet
– Online auction fraud (87% of online crime)
– Internet stock fraud (spreading false rumours)
– Other financial fraud
  • Bogus investments
  • Phantom business opportunities
  • Other schemes
– Other fraud in EC: nonfinancial fraud
  • Customers receive poor-quality products and services
  • Customers do not get products in time
  • Customers are asked to pay for things they assume will be paid for by sellers

6-48 6.8: EC Fraud and Consumer and Seller Protection
• Fraud on the Internet
– Identity theft
  • A criminal act in which someone presents himself (or herself) as another person and uses that person's social security number, bank account numbers, and so on, to obtain loans, purchase items, incur obligations, sell stocks, etc.
– Phishing
  • The act of using fraudulent communications in an attempt to obtain another individual's identifying information
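Slide 6-48 defines phishing but not how a mail gateway or a browser add-on spots the "fraudulent communication". The link tricks that phishing messages rely on are mechanical enough to check: a brand name planted in the subdomain of an unrelated domain, a one-character typo of the brand domain, a punycode (internationalised) look-alike, a bare IP address, and a `user@host` URL whose "user" part looks like the real site. The Python below is an added example, not from the slides or any particular product; the list of trusted brand domains, the sample message and the heuristics (including treating the last two labels as the registered domain, which a real deployment would replace with the public suffix list) are assumptions.

```python
"""Heuristic phishing-link classifier over the URLs in a message (added example)."""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}   # assumption: the brands this check protects
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed phishing message: four hostile links and one genuine one
SAMPLE_MESSAGE = """\
Dear customer, your account is limited. Please confirm within 24 hours:
  https://www.paypal.com.secure-login-check.example/verify
  http://paypa1.com/login
  https://xn--pypal-4ve.com/account
  http://paypal.com@203.0.113.5/update
  https://www.paypal.com/help
"""


def levenshtein(a, b):
    """Edit distance; a distance of 1 from a brand domain is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Assumption: last two labels. Use the public suffix list in production."""
    return ".".join(host.split(".")[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return the list of suspicious traits of one URL (empty list = nothing found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reasons = []
    if parts.username is not None:           # 'http://paypal.com@evil.example/' shows the brand, goes elsewhere
        reasons.append("userinfo-in-url")
    if IPV4_RE.fullmatch(host):              # legitimate brands do not send customers to raw IPs
        reasons.append("ip-literal-host")
    if any(l.startswith("xn--") for l in labels) or not host.isascii():
        reasons.append("idn-lookalike")      # punycode or non-ASCII host: homograph risk
    reg = registered_domain(host)
    if reg in trusted:                       # genuine link; anything left above still applies
        return reasons
    brands = {t.split(".")[0] for t in trusted}
    if any(b in label for b in brands for label in labels):
        reasons.append("brand-in-untrusted-domain")
    if any(levenshtein(reg, t) <= 1 for t in trusted):
        reasons.append("typosquat")
    return reasons


def scan_message(text):
    """Map every URL found in the message to its list of suspicious traits."""
    return {url: classify_url(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_MESSAGE).items():
        print(f"{'SUSPECT' if reasons else 'ok     '} {url} {reasons}")
```

These checks catch the common link tricks, not the message as a whole; the genuine `https://www.paypal.com/help` link comes back clean, which is the precision a gateway needs before it can quarantine rather than merely flag.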
6-49 6.8: EC Fraud and Consumer and Seller Protection
• Consumer protection
– Third-party assurance services
  • TRUSTe (truste.org)
  • Better Business Bureau (bbbonline.com)
  • WHICHonline (which.net)
  • Web Trust Seal (TRUSTe, cpawebtrust.org, Gomes.com)
  • Online Privacy Alliance
  • Evaluation by consumers
– Authentication and biometric controls

6-50 6.8: EC Fraud and Consumer and Seller Protection
• Seller protection (against):
– Customers who deny that they placed an order
– Customers who download copyrighted software and/or knowledge and sell it to others
– Customers who give false payment information (credit card or bad cheques) in payment for products and services provided
– Use of their name by others
– Use of their unique words and phrases, names, and slogans and their Web addresses by others

6-51 6.8: EC Fraud and Consumer and Seller Protection
• What can sellers do?
– Use intelligent software to identify possibly questionable customers
– Identify warning signals for possibly fraudulent transactions
– Ask customers whose billing address is different from the shipping address to call their bank and have the alternate address added to their bank account

6-52 6.9: Societal Issues in EC
• Digital divide
– The gap between those who have and those who do not have the ability to access electronic technology in general, and the Internet and EC in particular
• Other societal issues
– Education
  • Virtual universities
  • Companies use the Internet to retrain employees
  • Home-bound individuals can get degrees

6-53 6.9: Societal Issues in EC
• Other societal issues
– Public safety and criminal justice
  • Collaborative commerce
  • E-procurement
  • E-government: coordinating, information sharing, and expediting legal work and cases
  • E-training of law enforcement officers
– Health aspects
  • Safer and healthier to shop from home than to shop in a physical store
  • Some believe that exposure to cellular mobile communication radiation may cause health problems
  • Collaborative commerce can help improve health care

6-54 6.10: Virtual (Internet) Communities
• Virtual (Internet) community
– A group of people with similar interests who interact with one another using the Internet
– Characteristics of communities
  • One possibility is to classify members as traders, players, just friends, enthusiasts, or friends in need
– The gathering of needs in one place enables vendors to sell more and community members to get discounts

6-55 6.10: Virtual (Internet) Communities
• Commercial aspects of communities
1. Search communities
2. Trading communities
3. Education communities
4. Scheduled events communities
5. Subscriber-based communities
6. Community consulting firms
7. E-mail-based communities
8. Advocacy communities
9. CRM communities
10. Mergers and acquisitions activities

6-56 6.10: Virtual (Internet) Communities
• Types of virtual communities:
– Transaction
– Purpose or interest
– Relations or practice
– Fantasy
• Financial viability of communities: the revenue model of a community can be based on:
– Sponsorship
– Membership fees
– Sales commissions
– Advertising
– A combination of these

6-57 6.10: Virtual (Internet) Communities
• Eight critical factors for community success:
– Increase traffic and participation in the community
– Focus on the needs of the members; use facilitators and coordinators
– Encourage free sharing of opinions and information (no controls)
– Obtain financial sponsorship. This factor is a must.
Significant investment is required
– Consider the cultural environment
– Provide several tools and activities for member use; communities are not just discussion groups
– Involve community members in activities and recruiting
– Guide discussions, provoke controversy, and raise sticky issues. This keeps interest high

6-58 6.10: Virtual (Internet) Communities
• Key strategies for successful online communities
– Handle member data sensitively
– Maintain stability of the Web site with respect to the consistency of content, services, and types of information offered
– Provide fast reaction time of the Web site
– Offer up-to-date content
– Offer continuous community control with regard to member satisfaction
– Establish codes of behaviour (netiquette/guidelines) to contain conflict potential

6-59 6.11: The Future of EC
• Nontechnological success factors:
– Internet usage
– Opportunities for buying
– M-commerce
– Purchasing incentives
– Increased security and trust
– Efficient information handling
– Innovative organisations
– Virtual communities

6-60 6.11: The Future of EC
• Nontechnological success factors (continued):
– Payment systems
– B2B EC
– B2B exchanges
– Auctions
– Going global
– E-government
– Intra-business EC
– E-learning
– EC legislation

6-61 6.11: The Future of EC
• EC technology trends:
– Clients
– Embedded clients
– Wireless communications and m-commerce
– Pervasive computing
– Wearable devices
– RFID
– Servers and operating systems
– Networks

6-62 6.11: The Future of EC
• EC technology trends (continued):
– EC software and services
– Search engines
– Peer-to-peer technology
– Integration
– Web services
– Software agents
– Interactive TV
– Tomorrow's Internet

6-63 6.11: The Future of EC
• EC technology trends (continued):
– Utility computing:
  • Computing resources that flow like electricity on demand from virtual utilities around the globe: always on and highly available, secure, efficiently metered, priced on a pay-as-you-use basis, dynamically scaled, self-healing, and easy to manage
– Grid computing coordinates the use of a large number of servers and storage systems, acting as one computer

6-64 6.11: The Future of EC
• Integrating the marketplace and marketspace:
– Probably the most noticeable integration of the two concepts is in the click-and-mortar organisation
– A major problem with the click-and-mortar approach is how the two outlets can cooperate in planning, advertising, logistics, resource allocation, and so on, and how the strategic plans of the marketspace and marketplace can be aligned
– The impact of EC on our lives will be as much as, and possibly more profound than, that of the Industrial Revolution

6-65 Managerial Issues
1. Have we budgeted enough for security?
2. What are the business consequences of poor security?
3. Which e-commerce sites are vulnerable to attack?
4. What steps should businesses follow in establishing a security plan?
5. Should organisations be concerned with internal security threats?
6. What sorts of legal and ethical issues should be of major concern to an EC enterprise?
7. What are the most critical ethical issues?
8. What impacts on business is EC expected to make?