
© September/October 2000 Association of Certified Fraud Examiners

Internet Transactions at Risk

New Security Solutions are Needed

By Robert D. Peterson, CFE, CPA, FLMI and Dale G. Peterson, CISSP

On June 21, Internet users who tried to reach www.nike.com instead found themselves at an anti-Nike site originating from Australia. Although it was obvious to those users that they had been hijacked, the switch showed how criminal hackers could use the same Internet vulnerabilities to redirect users to copycat financial Web sites and steal millions of dollars before the victims know they have been duped.

Fraud examiners and auditors must realize that the Internet is now the preeminent fraud battleground. Schemes that once required a physical presence in the workplace to execute properly are now accomplished with a few keystrokes, and the crime trail vanishes with a few more. The victim can be destroyed financially in seconds but may not be aware of the attack for days. Recovering the loss is almost impossible because there is scant and fleeting evidence that a crime ever occurred. CFEs must recognize their companies’ and clients’ vulnerabilities and help design controls and solutions. The current method used to protect Internet transactions, Secure Sockets Layer (SSL), is inadequate and does not provide the required protections and assurances, yet this session-based encryption protocol is used on almost every e-commerce site. (SSL encrypts, or scrambles, the information sent between an Internet browser and a Web site for the duration of a session. It protects the data while it is in transit, but it leaves behind no durable, mutually authenticated record of what the two parties agreed to.) Instead, Internet transactions need to be protected by a "transaction security protocol."

Transaction Requirements

Any transaction between two people has similar requirements whether it is face-to-face, over the telephone, or on the Internet:

- the identity of the consumer and merchant need to be authenticated;
- the transaction details such as price, quantity, and terms need to be agreed upon and authenticated;
- each party needs to know that the other party cannot claim that the transaction did not take place (non-repudiation); and
- both parties need dispute resolution procedures that protect both positions.

An optional, but highly desirable, requirement is privacy (that is, only the consumer and merchant know the transaction details). There are many everyday financial transactions in which privacy isn’t provided – such as a check-out line in a supermarket, a public auction, or buying a restaurant meal – but most Internet users expect privacy.

E-commerce sites protected by SSL today provide privacy for the session and only limited, weak authentication: the browser checks the merchant’s server certificate, and the consumer is authenticated by nothing more than a user ID and password sent over the encrypted channel. While privacy may be important to some consumers, it is not a substitute for identity and transaction authentication, non-repudiation, and dispute resolution protection.

One common aspect of diligence within auditing standards has been the ability to test and prove transactions. If SSL standards were applied to banking, then, for instance, a checking account could open at the beginning of the month with a certain balance and close at the end of the month with a different balance and there would be no way to verify the transactions occurring between the two dates. An auditor could prove that the holder of the checking account entered and exited the bank but could not verify what the customer actually did in the bank to the satisfaction of both parties. Each party could present a collection of separate electronic records, none of which are mutually authenticated.

A Sample Hack Attack

There are a number of ways hackers can defeat SSL-protected sites. Some are very simple and others require great skill. Without providing a complete how-to guide for criminals, we can describe a simple but devastating example that demonstrates SSL’s weakness. It does not break SSL’s encryption at all; it goes around SSL by sending the investor to the criminal’s site before any session with the real brokerage begins. The criminal combines two well-known hacks with some knowledge of stock manipulation, and is then able to use other people’s money to manipulate stocks and steal millions of dollars. (One caveat a practitioner should keep in mind: a browser that checks the brokerage’s certificate against the host name will warn when the copycat site cannot present a valid certificate for that name, so the scheme depends on the copycat serving its login page without SSL, as some real brokerages do (see footnote 1), or on users clicking past the warning.)

Most Internet brokerages try to secure their Web sites in the same ways. When an investor enters the brokerage’s Web site and clicks on a link to access their account, the brokerage initiates an SSL encryption session.[1] All information sent between the investor and brokerage is encrypted (or translated into a secret code) from that point until the end of the session. The investor then is required to provide his user ID and password. A review of brokerage policy statements shows that any trade made using a legitimate user ID/password pair is considered valid. So if the user ID/password is the only authentication needed, a criminal’s goal is to collect these pairs.

Collecting user ID/password pairs is not difficult. If a criminal can hack into any Domain Name System (DNS) server, he can secretly send all investors who use that DNS server to any other site the hacker wants. Specifically, the hacker:

1. creates a false copy of a brokerage’s Web site;
2. illegally gets access to any DNS server (if the criminal gets access to XYZ Corporation’s DNS server he could attack all of XYZ’s corporate network users who trade with the brokerage; alternately, if the criminal gets access to an ISP’s DNS server he could attack all users who connect to the Internet through the ISP to trade with the brokerage);
3. redirects an investor to the false site by changing the address that corresponds to the brokerage site to the criminal’s false site address;
4. collects the user ID/password pairs that unknowingly are sent to the criminal’s false copy of the brokerage site; and then
5. redirects the investor to the real brokerage site by sending a login failure message and asking them to try again.

After the criminal has collected user ID/password pairs, he can use the funds in these accounts and a little day-trading knowledge to manipulate a stock. He selects a stock that fluctuates a great deal on low volume and then takes a position in that stock in a completely legitimate account. He then uses the money in the hacked accounts to buy or sell the stock and takes the profit in the legitimate account. For example, the criminal might buy stock in the XYZ Corporation in a legitimate account. After establishing a legitimate position, he would log in to the hacked accounts using the stolen user ID/password pairs and illegally buy stock in XYZ. All this buying pressure would cause the stock price to rise, and the criminal would take the profit in the legitimate account. The hacked investor would find that positions he had established in other stocks or bonds had been sold off and replaced with unwanted, artificially inflated XYZ stock.

Digital Signatures can Protect Transactions

Digital signatures can close the gap that SSL leaves open. A digital signature has similar properties to a physical signature in that only the owner can legitimately produce it, and anyone can verify it. A digital signature is stronger than a physical signature because it is computationally infeasible to forge without the signer’s private key, and any modification to the signed message is detected when the signature is checked.

Here’s how an individual or company can send a secure transaction with a digital signature. The message sender first produces a "hash value" for the message, which means that he applies a one-way formula (a cryptographic hash function) that transforms the text into a fixed-size number substantially smaller than the text itself; any change to the text, however small, produces a different hash value.

The message sender then digitally signs (encrypts) the hash value with a "private key," known only to the sender, and sends the message with the digital signature to the recipient. The recipient verifies (decrypts) the digital signature using the sender’s public key,[2] known to anyone who needs to verify signatures, and compares the hash value recovered from the digital signature to the hash value they independently calculate on the received message. If the two are the same, it is virtually certain both that the message was transmitted intact and that it was signed by the holder of the private key.

To summarize, the message sender:

- produces a hash value for the message;
- digitally signs (encrypts) the hash value with the sender’s private key; and
- sends the message and digital signature to the recipient.

The recipient:

- produces a hash value for the received message;
- verifies (decrypts) the digital signature using the sender’s public key; and
- compares the two hash values to make sure they are the same.
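The sender and recipient steps above, carried out in code. This is an added example, not code from the article or its authors. It uses unpadded "textbook" RSA so that the article’s "encrypt the hash with the private key / decrypt it with the public key" description maps directly onto the arithmetic; the key pairs are built from fixed Mersenne primes so the run is reproducible, and the hash is SHA-256 truncated to fit under the toy modulus. Real transaction systems must use a library implementing a padded scheme (RSA-PSS, ECDSA) with properly generated keys; the trade order text is constructed for the illustration.

```python
"""Hash-then-sign with textbook RSA: the article's sender/recipient steps.

Added example (not the article's code).  Toy parameters: fixed Mersenne
primes and an unpadded signature on a truncated SHA-256.  Do NOT use this
construction for real transactions; use RSA-PSS or ECDSA from a library.
"""
import hashlib
from typing import Dict, NamedTuple


class KeyPair(NamedTuple):
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, known only to the signer


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA key generation from two primes (assumed prime, not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if gcd(e, phi) != 1
    return KeyPair(n, e, d)


def hash_value(message: bytes) -> int:
    """Step 1 (both parties): a fixed-size hash of the message.

    128 bits of SHA-256 are kept so the value is below the ~150-bit toy
    modulus; a real scheme hashes fully and pads to the modulus size.
    """
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:16], "big")


def sign(message: bytes, key: KeyPair) -> int:
    """Step 2 (sender): 'encrypt' the hash with the private exponent d."""
    h = hash_value(message)
    if h >= key.n:
        raise ValueError("hash does not fit under the modulus")
    return pow(h, key.d, key.n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Recipient: 'decrypt' the signature with the public key (n, e) and
    compare the recovered hash with one computed on the received message."""
    recovered = pow(signature, e, n)
    return recovered == hash_value(message)


# Constructed keys: 2^61-1, 2^89-1, 2^107-1, 2^127-1 are Mersenne primes.
INVESTOR = make_keypair(2**61 - 1, 2**89 - 1)   # the legitimate signer
SOMEONE_ELSE = make_keypair(2**107 - 1, 2**127 - 1)


def demo() -> Dict[str, bool]:
    """Sign a constructed trade order, then check the three cases that matter."""
    order = b"BUY 1000 XYZ LIMIT 12.50 ACCOUNT 12345 2000-09-21T10:31:00Z"
    sig = sign(order, INVESTOR)
    return {
        # genuine order, genuine signer: verifies
        "intact": verify(order, sig, INVESTOR.n, INVESTOR.e),
        # quantity altered in transit: the hashes no longer match
        "tampered": verify(order.replace(b"1000", b"9000"), sig,
                           INVESTOR.n, INVESTOR.e),
        # signature checked against the wrong public key: fails
        "wrong_key": verify(order, sig, SOMEONE_ELSE.n, SOMEONE_ELSE.e),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>9}: {'valid' if ok else 'REJECTED'}")
```

Note that the tampered order fails not because the signature bytes changed but because the recipient’s independently computed hash differs from the one recovered from the signature; an attacker who alters the order cannot produce a matching signature without the private key, which is the property the non-repudiation argument below depends on.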

If the sender later denies any part or all of the transaction, the signed electronic document gives the recipient non-repudiation protection, provided the private key was under the sender’s sole control when the signature was made.

The U.S. federal government and many states are realizing the need to pass acts that make digital signatures legally binding. In June, the U.S. Congress approved the Electronic Signatures in Global and National Commerce Act (bill S.761), which has been signed into law by President Clinton. The act states that "with respect to any transaction in or affecting interstate or foreign commerce"

1. a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
2. a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

(To read the complete act, visit http://thomas.loc.gov/ and search for bill S.761.)

Using Smart Card Technology

Internet transactions today are riskier than most physical transactions; in fact, they don’t even have the security of an ATM withdrawal. To receive money from an ATM, a person needs two factors of authentication: an ATM card (something he has) and a Personal Identification Number (something he knows). The person using the ATM would not feel safe entering a PIN without first inserting the card, even if the amount of money he withdraws or deposits is small and the network is secure. But that is exactly what companies ask consumers to do when they buy products or trade stock online.

One solution for Internet transaction security is the "smart card," which is embedded with a computer chip and memory and can create and verify legally binding digital signatures. Similar to the ATM card, the smart card provides two-factor authentication: the card itself and a PIN. Merchants can hold consumers responsible for maintaining control of the card and not sharing their PIN with others. If the card is lost or stolen, it can be easily revoked and replaced. A smart card is highly tamper-resistant. It can securely store the private keys used to digitally sign transactions and identify the smart card owner, so the key never leaves the card. The card also can store the public keys of merchants to verify the digital signatures on all receipts. Even though Internet users require a smart card reader, readers may become standard components of computers in the future. For now, the smart card reader is an accessory that must be installed.

Eventually, smart card companies may bypass the reader machine by providing electronic tokens – small enough to be attached to a key chain – that can be plugged into Universal Serial Bus (USB) ports, which are standard on new computers.

The computer industry knows that the SSL protocol is not adequate anymore to authenticate transactions and resolve disputes. Online transactions soon will have to be protected with digital signatures delivered through smart cards, USB tokens, or other technologies that will be developed to stay one step ahead of Internet crooks.

Robert D. Peterson, CFE, CPA, FLMI, is president of Forensic Audit Research Inc., a Chicago firm engaged in providing litigation support in the insurance industry. His e-mail address is: [email protected].

Dale G. Peterson is president of Digital Bond Inc., a South Florida firm that provides expertise and tools to secure Internet transactions and safeguard computer networks. His e-mail address is: [email protected].

[1] Some brokerages do not start the SSL session until after the user ID/password are typed in and the submit button is selected. This makes redirection of this information even easier for the criminal.

[2] Public keys are provided securely to those who need them through a Public Key Infrastructure (PKI). These are highly automated and secure ways to distribute public keys to those who need them and to confirm that a given public key really belongs to the party it claims to.

SIDEBAR

DNS: the Internet Telephone Book

The Domain Name System (DNS) is similar to an automated telephone book. When a Uniform Resource Locator (URL) – an Internet address – is used, the DNS determines the Internet Protocol (IP) address corresponding to the host name in the URL. For instance, www.example.com might translate to 198.105.232.4. The Internet uses IP addresses to route data from source to destination.

The DNS system actually is dynamic and "self learning." If one DNS server doesn’t know how to translate a domain name, it will ask another and then another until the correct IP address is returned, and it remembers (caches) the answer for later requests. However, there are no checks in the DNS as deployed today that let a user verify whether a server’s entries are correct. So a hacker or system administrator can modify a single DNS server which they control to change the IP address of a domain name, and any users that rely on that DNS server will be sent to the wrong site. Most corporations and ISPs run a DNS server for the users on their networks.

A hacker most likely will attack a DNS server at an Internet Service Provider (ISP). All that is required is to gain access to the DNS application or its configuration file. Once a hacker has access, they add or change a single line in the configuration file to point a domain name like brokerage.com to a hacker-controlled IP address. New ISPs are appearing monthly and are especially vulnerable to insider attacks because of lax security.
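The one-line change described here, and step 3 of the hack attack in the main article, both come down to an A record in a DNS configuration (zone) file pointing at the wrong address. The following added example, not code from the article or its authors, shows the check a corporate or ISP DNS administrator can run to catch it: parse the A records out of a BIND-style zone file, fingerprint the set, and diff it against a baseline snapshot taken when the records were known to be good. The zone text, the zone name brokerage.com and the addresses (documentation ranges) are constructed for the illustration.

```python
"""Spot a redirected A record by diffing a DNS zone against a known-good baseline.

Added example; the zone text below is constructed for illustration and
brokerage.com / 203.0.113.x / 192.0.2.x are placeholder names and addresses.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# One A record in BIND zone syntax: owner [ttl] [IN] A address
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Known-good snapshot of the zone (constructed sample).
BASELINE_ZONE = """\
$TTL 3600
@        IN  SOA  ns1.brokerage.com. hostmaster.brokerage.com. (
                  2000062101 ; serial
                  3600 900 604800 86400 )
@        IN  NS   ns1.brokerage.com.
@        IN  A    203.0.113.10
www      IN  A    203.0.113.10   ; public web site
login    IN  A    203.0.113.11   ; SSL login host
ns1      IN  A    203.0.113.2
mail     IN  CNAME www
"""

# The same zone after the attacker "changes a single line" (constructed sample):
# the login host now points at an address the attacker controls.
TAMPERED_ZONE = BASELINE_ZONE.replace(
    "login    IN  A    203.0.113.11", "login    IN  A    192.0.2.66"
)


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner name into a fully qualified one ('@' is the origin)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_a_records(zone_text: str, origin: str) -> Dict[str, str]:
    """Return {fqdn: ipv4} for every A record; directives, comments and
    other record types (SOA, NS, CNAME, ...) are ignored."""
    records: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop trailing comments
        if not line or line.startswith("$"):
            continue
        match = A_RECORD.match(line)
        if match:
            records[qualify(match.group("name"), origin)] = match.group("ip")
    return records


def fingerprint(records: Dict[str, str]) -> str:
    """SHA-256 of the canonical record set; store it somewhere the DNS
    administrator cannot silently edit, so the baseline itself is trusted."""
    canonical = "\n".join(f"{name} {ip}" for name, ip in sorted(records.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_records(baseline: Dict[str, str],
                 current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, old_ip, new_ip) for every changed, added ('-' old) or removed ('-' new) record."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name, "-"), current.get(name, "-")
        if old != new:
            changes.append((name, old, new))
    return changes


def audit_zone(baseline_text: str, current_text: str,
               origin: str) -> List[Tuple[str, str, str]]:
    """Compare the live zone with its baseline; an empty list means nothing moved."""
    base = parse_a_records(baseline_text, origin)
    live = parse_a_records(current_text, origin)
    if fingerprint(base) == fingerprint(live):
        return []
    return diff_records(base, live)


if __name__ == "__main__":
    for name, old, new in audit_zone(BASELINE_ZONE, TAMPERED_ZONE, "brokerage.com."):
        print(f"ALERT: {name} now resolves to {new} (baseline {old})")
```

Running the audit on the tampered zone reports only the login host, which is exactly the record the attack needs to change; every other line, including the comments and the multi-line SOA, is parsed past without noise. The same comparison can be run from the client side against the answers a resolver actually returns, which catches the case where the server binary rather than the file was altered.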

The Association of Certified Fraud Examiners assumes sole copyright of any article published in Fraud Magazine. Fraud Magazine follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: [email protected].
