I would like to thank the Committee for inviting me to speak on the topic:
"On-line Fraud and Crime: Are Consumers Safe?"

That question is admittedly difficult to answer. To begin with,
safety -- whether on the Internet or in the physical world -- is never
absolute. Clearly the Internet does affect
the types of threats consumers face, and with mixed results. For example, there is no question that
on-line banking substantially reduces the risk that one will be robbed at
gunpoint after cashing a check at a bank branch but, at the same time, it
increases the risk of white-collar hackers emptying customer accounts from
remote locations. Rationally one might assume that consumers would approve of
the trade-off. Yet the fear of a
hacking incident (or put another way, lack of customer trust in technology)
remains somewhat of an impediment to the growth of on-line banking. Similarly, I have met many individuals who
refuse to use their credit card over the Internet, expressing the fear that
their credit card number will be intercepted.
In reality, however, it is extremely difficult to intercept such data in
transmission. Moreover, those same
individuals will often admit to handing their credit card to a waiter they do
not know, and blissfully drink their coffee while the waiter takes the credit
card out of view. To some extent,
therefore, it is perceived safety, more than actual safety, that may govern
consumer habits on the Internet.

Second, it must be remembered that
Internet safety, like technology, is not a constant. At the same time that regulatory and market forces are doing much to
improve consumer safety, technological changes pose new risks. For example, while better computer security,
including the increased use of encryption, plays an important role in
protecting consumers, new technologies such as broadband are putting home
computers at greater risk. This is
significant for several reasons, not the least of which is that consumers store
sensitive personal data on their home machines, and they may also use those
computers to access corporate networks, thus creating a vulnerable "weak
link" between a hacker and corporate America.

So if I were to answer the question
"Are Consumers Safe?", my answer would be "yes, but we clearly
can do more." We can start by
better authenticating both businesses and consumers in commercial transactions,
and better protecting the confidentiality of data.

There is a now-famous cartoon of a
dog, sitting before a computer terminal, who turns to another dog and says, “On
the Internet, nobody knows you’re a dog.”
One of the key changes that the Internet has brought about is the
creation of customer accounts and other business transactions without the
personal interaction that was traditionally an essential part of such
relationships. Although telephone calls
have long been the basis for the establishment of certain business
relationships without any face-to-face contact, the Internet allows for
transactions with even less personal interaction between businesses and
consumers.

Merchants, whether in the real
world or cyber world, have always faced the challenge of authenticating their
customers. In many cases -- at least
outside of small towns where everyone knows each other through face recognition
-- a merchant's success depends on his ability to sell to -- and collect money
from -- people he or she does not know.
In cash and carry transactions, the anonymity of the buyer is no
problem, as the merchant is paid before the product leaves the store. In other types of transactions, such as
check payments and credit cards, there needs to be trust since receiving actual
payment is deferred in time. In these situations, allowing a buyer to
remain anonymous increases the risk of fraud (anonymous buyers do not fear
being held accountable for payment), and may leave the merchant holding the bag
(unless, of course, contract rules shift the loss to another party, such as a
card issuing bank or an insurance company).

For these reasons, merchants have
always looked for ways to prove a buyer's identity. In short, there are three formulas for authenticating
an unknown buyer's identity: something
the buyer is, something the buyer has, or something the buyer knows. These different metrics are often combined
in some way.

"Something the buyer is"
refers to biometrics. In face-to-face
transactions, many biometrics are available.
The most common biometric is the signature, and merchants will often
have a buyer sign some document (e.g., a check or charge slip). The advantage of a signature is its
uniqueness, permanence, and evidentiary value (compare this to eyewitness
testimony of face recognition which is neither unique nor permanent, and of
weak evidentiary value due to claims of mistaken identification).

"Something the buyer has"
refers to something in the possession of the buyer. For identification purposes, it is common to require a driver's
license or other government identification (e.g., passport), documents that
have a high degree of reliability because an independent authority (the
government) has assumed responsibility for verifying the identity of the person
to whom it has issued the document. In
business transactions, the "something the buyer has" is today most
often a credit card. Although it is of
course possible to manufacture such cards without authority, most common
fraudsters have neither the means nor inclination to mass produce plastic
cards, although there are certainly organized groups that do so. In any event, in face-to-face transactions,
it is possible to use both "something the buyer is" and
"something the buyer has," and that is frequently done. For example, a merchant will ensure that the
customer both has the credit card ("something the buyer has") and
that his signature matches the signature on the back of the card
("something the buyer is").

Another example: some credit
cards come with photos, thus combining something the buyer has (the credit
card) with something the buyer is (the facial appearance).

The problem is that these
techniques do not work well in telephonic and electronic environments where
neither physical characteristics nor personal possessions can be checked. Although both biometrics ("something
the buyer is") and possessions ("something the buyer has") can
be implemented electronically, the cost is substantial. Whether using
biometrics or credit card readers, these techniques generally require the
distribution of specialized hardware/software (e.g., fingerprint readers,
credit card readers) and are often unworkable due to the difficulty and cost
of distributing such equipment in the business-to-consumer model.

Recognizing the impracticability of
authenticating electronic and telephonic transactions using biometrics and
possessions, merchants have relied upon the third type of authentication: "something the buyer knows," often
referred to as a "shared secret."
In some cases, this secret can be created by the consumer and merchant
together. For example, the first time a
customer does business with a website, the merchant may ask the consumer to
create a password for future access.
This "shared secret" is thereafter known only to the merchant
and that consumer, at least if neither party discloses it to, nor has it stolen
by, a third party. Even the proper use
of this shared secret in future transactions only proves, of course, that the
person signing on the second time is the same one who signed on the first time,
but it does not prove that the customer, who has now signed on twice, is who he
claims to be. Put another way, a
fraudster who signs on to a site and creates a password will have a shared
secret for his second visit, but he is still a fraudster.

More commonly, both merchants and
consumers rely upon a third party to verify the secret. For example, if a consumer is purchasing
goods with a credit card, he may also be asked to provide his home address as a
shared secret; this is information that the merchant can have verified by a
third party (e.g., a credit reporting agency).
The problem with such shared secrets, however, is that they are often
too broadly shared to be called a "secret" at all. Even worse, the secret may in fact be stored
with the very information that the secret is designed to protect. Since a credit report may contain a credit
card number and the buyer's home address, anyone who accesses the credit report
also gains possession of the shared secret (the home address), thus defeating
the entire scheme. Suffice it to say, from
an e-commerce perspective, authentication will remain a critical issue, at
least in business-to-consumer (B2C) transactions.

The Internet certainly exacerbates
such authentication issues for a host of reasons. On the civil side, differences in legal rules across
international jurisdictions also may pose a significant impediment to both
authenticating and protecting consumers.
How can a retailer physically located in Australia authenticate a buyer
claiming to be a European citizen browsing its website in the middle of the
night from a location somewhere in Asia?
And which set of regulatory rules should be applied to such
transactions? Finally, if the
transaction at issue turns out to be unsatisfactory, to which legal systems
should the business or consumer turn for assistance, and is there any practical
cost-effective way to vindicate one's rights? One current consumer-oriented proposal --
the Hague Convention -- would allow consumers to sue in their home nation, thus
requiring even the smallest website owner to defend suit in every jurisdiction
from which an Internet user makes a purchase.

On the criminal side, fraudsters
have continued to use the Internet's lack of authentication to facilitate
illegal schemes. One bank, for example,
reported a fraud scheme that illustrates the authentication issue from both the
consumer and financial institution perspectives. After several of the bank's customers contacted the bank
concerning the status of the credit card they had ordered online, the bank
reported a false advertising Internet scam.
The perpetrator utilized the bank's name to lure victims to a fraudulent
web site and charged victims $99.00 for a guaranteed Visa or Master Card. To facilitate payment of the $99.00 fee, the
fraudulent web site allowed the customers to provide their checking account
information directly online, thus allowing the perpetrator to direct the
withdrawal of funds from the victim customers’ accounts. The customers also had the option to send
checks to a mailbox address for deposit.
An investigation by the United States Secret Service and the bank's
corporate security department revealed nearly $300,000.00 was deposited into
the perpetrator’s account in a 30-day period.

That fraud may be facilitated by
the Internet is of course no surprise, but in considering consumer safety we
must remember to add two other Internet attributes: scalability and globalization.
It is not just the risk of an event that matters, but the size of the
event, and the Internet presents a platform for large-scale abuses that are
generally not practical in the physical world.
In short, large-scale abuses can occur at any time and anywhere, and can
be committed by anyone in the world with Internet connectivity. For example, a hacker can breach network
security and simultaneously breach the confidentiality and privacy of thousands
of customer records in real time. This
radical change occurs because of the way data is consolidated and thereby made
accessible, distributable, and usable.
By way of contrast, ten years ago a fraudster working at a busy
restaurant or bar might have been able to steal at most dozens or even hundreds
of credit card numbers on a good night and would have been hard pressed to make
use of all those numbers quickly.
Today, with Internet merchants allowing credit card purchases
twenty-four hours a day for everything from major home appliances to groceries,
thousands of credit card numbers may be quickly consolidated on a single
computer. Those numbers can then be
stolen en masse, and quickly used.
Moreover, such credit data may be combined with other personal
information, thus making identity theft a real risk.

Equally problematic is that global
connectivity allows hackers to access those numbers and distribute them, again
globally, within minutes. Hackers are
not hampered by the existence of international boundaries because property need
not be physically carried, but can be shipped covertly via telephone and data
networks. A hacker needs no passport and passes no checkpoints, thus
eliminating any hope of interdiction by customs authorities. And while hackers "roam" freely,
law enforcement should and must respect national boundaries.

There are things being done, however, by both industry and the government, to help reduce
these risks. VISA, for example, has
promulgated requirements that merchants encrypt credit card data not just in
transmission, but in storage. AMEX is
relying upon smart card technology to better authenticate users, and has
introduced another technology which permits a member to use his or her credit
card without the actual card number being passed to the end merchant. This technique limits the distribution of
the actual card number, thus reducing the risk of fraud. As for the government, in addition to
fulfilling its traditional responsibility to react to crime when it occurs, it
has been working proactively in several international fora to ensure that
computer crime issues are addressed.
For example, at the G8, nations have agreed that certain computer abuse
must be criminalized, and that each country must designate a high-tech point of
contact, available 24 hours a day and 7 days a week, to respond quickly to
computer-related crimes. A draft
cybercrime treaty at the Council of Europe would expand the scope of these
agreements to a larger group of nations.
Although there is still a long way to go, such efforts -- by both
markets and governments -- have served to make the Internet safer.