With the development of the Internet in the last twenty years, the nature and manner in which financial transactions are carried out have undergone a sea change. In its early days, the Internet was used solely for purposes of communication. But in recent years the role and scope of the Internet have assumed new dimensions with the introduction of commercial transactions. What has come to be called e-commerce has its origins in the dotcom boom of the late 1990s. But it is only after the inevitable dotcom bust in the early years of the millennium that e-commerce established itself as a viable and dependable method of conducting business. Technological innovation in terms of developing security software aided this process and so did the process of globalization. As a culmination of these parallel but complementary processes, e-commerce in general and electronic financial transactions in particular have firmly taken root in the mainstream global economy. While this kind of progress in such a short span of time is an impressive achievement, there is much work to be done in terms of creating robust security systems for the Internet. This essay will look into the various types of security threats facing electronic financial transactions, the potential damage they could inflict, the remedial measures to counter these threats and the effectiveness of such measures.
The architecture of the Internet is such that it is inherently difficult to ensure security. Alongside this, the concept of user anonymity makes the Internet “an attractive medium for extortion and crimes involving theft of personal information for illicit financial gain” (Misra Scherer et al, 2004). As per a report released by IDG News Service, many organized crime groups use the services offered by hackers to implement complex and sophisticated financial schemes to swindle money from unsuspecting participants. According to the Internet Crime Complaint Center, as much as $200 million was lost in the year 2006 alone. And each year this sum seems to increase, since financial institutions like banks and insurance companies are lucrative targets for cybercriminals. An FBI report released at the beginning of the new millennium confirmed the nexus between computer hackers and organized crime groups. Many of these organized crime groups are said to operate from Eastern European countries that were part of the erstwhile Soviet Union. In such cases, the hackers first crack the security systems in place and gain access to vital data. The organized crime groups then sell this data to interested parties, who in turn exploit it to “gain unauthorized access to credit card, bank, and brokerage accounts of unsuspecting victims” (Kiessig, 2006). Indeed, the market for stolen identities is so big that it recently reached the one billion dollar mark. But the threats don’t end with just monetary loss, as the following cases illustrate:
“The most alarming development in the area of information systems security is that terrorist organizations now perceive cybercrimes both as a source of financing for their activities and as a new weapon in their arsenal. For example, according to law enforcement organizations, the Irish Republican Army and the terrorists that plotted the foiled bombing of the Los Angeles International Airport used identity theft to finance their activities. Imam Samudra, the radical Muslim cleric and mastermind of the devastating 2002 Bali bombing attacks that claimed 202 lives, called for fellow Muslim radicals to take jihad into cyberspace and tap into online credit card fraud as a source of funding.” (Misra Scherer et al, 2004)
Instances of a particular type of financial crime called “insider fraud” have also escalated during the age of the Internet. The improvement in telecommunication technology, which has helped businesses in unprecedented ways, has also incidentally facilitated fraudsters. According to industry analysts, two thirds of all losses arise due to this kind of fraudulent activity within the confines of the organization. As much as 6% of the annual revenue of a business organization can be lost in this manner (Kiessig, 2006). As was rightly pointed out by a report, this kind of electronic financial transaction fraud is perpetrated by technology-savvy employees, who have a thorough understanding of the financial processes, business system customizations and network technology. Recently laid-off employees, subcontractors and third-party consultants also commit such frauds. In such cases, the enemy is clearly within and not without. So who gains access to vital computer systems will have a bearing on the overall security of business operations. (Taylor, 2005)
Another issue facing the e-commerce industry is the concept of electronic money. There are online payment systems in existence which have created a niche for themselves on the Internet. While the US Dollar remains the standard currency being used for electronic financial transactions, online payment systems like E-Gold, Pecunix, Liberty Reserve, etc. have emerged as gold-backed alternatives to USD, although not without issues of their own. For example, E-Gold is now practically defunct due to its abuse. And those that remain in business are imposing strict regulations to curb activities like money laundering, funding terrorism, paying for child pornography, etc. Amid the myriad regulatory problems faced by gold-backed online payment systems, only PayPal has emerged as a reliable company. One reason why so many of the gold-backed online payment companies are prone to misuse and abuse is the lack of an overarching governing body. Since the Internet does not fall under the purview of any national government, enforcing cyber laws has become difficult. Moreover, different nations have slightly different cyber laws, making it impossible to deduce a common set of laws applicable to all Internet users. (Misra, Scherer, et al, 2004)
But with each instance of critical security breach, the electronic commerce industry challenges itself to improve its security systems. Technological innovation is one such measure, and the development of higher security standards is another. Creating awareness among consumers and business owners alike is another strategy to counter hacks. After studying the e-commerce industry, the European Union’s central bank released a report in which it laid out a set of guidelines for electronic money systems. The first guideline for issuers of electronic money is that they should be subject to prudential supervision. Also, “the rights and obligations on the part of the respective participants (customers, merchants, issuers, and operators) in an electronic money system must be clearly defined and disclosed” (Kiessig, 2006). The system should also maintain sufficient technical and procedural safety nets to prevent or mitigate the threats posed to the integrity of the transactions. Measures for safeguarding the electronic financial transaction system against criminal abuse should be considered at the time of designing the system itself. With the advent of the Euro a few years ago, the dynamics of cross-national financial transactions have changed a lot. As a result, the electronic financial transaction systems of each country should supply the central bank with up-to-date information. Furthermore, issuers of electronic money must be “legally obliged to redeem electronic money against central bank money at par, at the request of the holder of the electronic money; and the possibility must exist for central banks to impose reserve requirements on all issuers of electronic money.” (Misra Scherer et al, 2004)
While security threats can be partly dealt with through upgrading technology, there is also a managerial problem to deal with. That a majority of commercial and financial institutions provide minimal security is a clear indication of the “lack of managerial awareness and understanding of the need to protect the information stored in, and transmitted between, computers” (Wright, 1994). The consequence of such neglect can be quite acute, as the following examples show. The German automobile manufacturer Volkswagen suffered a loss of $260 million due to an insider fraud that created fake currency-exchange transactions but showed them as real financial transactions after a few days. The perpetrators of this fraud profited from the favorable change in currency exchange rate in the interim period. In the case of the Bank of New York, a $32 billion overdraft loss was incurred due to a processing error that went undetected. Further,
“A group of hackers, operating under the name Masters of Deception, victimized such companies as Southwestern Bell, New York Telephone Company, Pacific Bell, US West, TRW Inc., Information America Inc., Martin Marietta Electronics Information and Missile Group, ITT Corporation, Educational Broadcast Corporation, Bugle Boy, New York University, and the University of Washington. The hackers stole credit reports, and altered or deleted files at some sites. Southwestern Bell alone reportedly spent $370,000 to repair corrupted programs and to buy more secure hardware and software” (Wright, 1994)
The personnel of the IT department also have their share of duties to perform to ensure the safety of financial transactions. Today, managers of this department carry their fair share of responsibility in protecting computer systems. They are given the task of tracking employees’ computer usage and reporting aberrant or suspicious activity. The IT personnel play a key role in incident response teams alongside legal experts in ensuring adherence to applicable laws. These days, the Internet Service Providers are also extending their services to include security features so that their customers can have an Internet experience that is free of “spam, malware, phishing attacks, worms, and viruses” (Ena, 2008). Third-party security vendors have also come up offering sophisticated software and hardware products that would protect computer networks from security threats.
On the legislative front, to take the case of the United States, the Sarbanes-Oxley Act is a vital step forward in preventing fraudulent financial transactions. The Act holds managers of business corporations responsible for maintaining strict network protection mechanisms. Section 404 of the Sarbanes-Oxley Act is worthy of mention here, as it sets out guidelines for documenting internal controls. It further mandates that businesses should constantly monitor the effectiveness of these controls. The CEOs of companies are required to file reports with the Securities and Exchange Commission as to the veracity of the “company’s financial statements based on the integrity of these controls” (Guttmann, 2002). Also, Section 302 of the Act makes it mandatory for companies to “disclose all deficiencies in their internal controls and any fraud involving employees. Developing factors that could have a negative impact on internal controls must also be reported.” (Taylor, 2005) Hence the Sarbanes-Oxley Act is a much-needed piece of legislation that has contributed toward reducing instances of financial transaction fraud over the Internet.
Another way in which companies can strengthen their security systems is by implementing Enterprise Resource Planning (ERP) systems such as PeopleSoft and SAP. Once this is done, the operations and electronic financial transactions across various departments such as sales, manufacturing, accounting, etc. can be seamlessly integrated. (Taylor, 2005) The ERP systems created by software companies such as PeopleSoft and SAP come with many in-built security features which can come in handy in preventing electronic financial transaction fraud. But the problem is that “employees often view these controls as a burden and, thus, fail to maintain and update them. In many cases, employees never even properly implement the controls due to the complexity of maintaining them and the need to understand all relevant business processes before implementing those controls” (Guttmann, 2002). Hence, we learn that the prevailing threats to security systems can be significantly reduced if only employees and managers adhere to and apply certain basic security guidelines as devised by ERP systems. (Taylor, 2005) In addition to this, businesses can build transaction-integrity monitoring systems.
Hence, in conclusion, it can be stated that the tug of war between computer system owners and hackers will continue in the future too. As businesses tighten up their security systems, fraudsters on the lookout for quick money will invent ingenious ways of breaking into the computer networks. In this scenario, it is quite clear that the stakeholders in the security of computer networks should stay one step ahead and come up with robust security arrangements to ward off possible threats. A coordinated effort from top managers, IT personnel, Internet Service Providers and legislators is necessary to ensure the integrity and consistency of electronic financial transactions.
References
Ena, M. (2008). Securing Online Transactions: Crime Prevention Is the Key. Fordham Urban Law Journal, 35(1), 147+.
Guttmann, R. (2002). Cybercash: The Coming Era of Electronic Money. New York: Palgrave Macmillan.
Hyman, J. (2000, September 11). Banks Use Local Firms as On-Line Guard Dogs. The Washington Times, p. 10.
Katz, E. (2005, February). Adapting to Automated Fraud: Fraudsters Are Using Technology to Automate the Fraud Process, and Banks and Financial Institutions Must Prepare for These Challenges. Security Management, 49, 59+.
Kiessig, T. M., Karpf, B. W., & Linkins, J. R. (2006). Financial Institutions Fraud. American Criminal Law Review, 43(2), 527+.
Misra, S. K., Javalgi, R., & Scherer, R. F. (2004). Global Electronic Money and Related Issues. Review of Business, 25(2), 15+.
Taylor, P. (2005, June). Auditing for Anomalies: New Software Tools Are Available to Help Companies Scan Transactions for Anomalies That May Signal Internal Fraud. Security Management, 49, 76+.
Wright, M. A. (1994). Protecting Information: Effective Security Controls. Review of Business, 16(2), 24+.