
Fraud Risks in E-commerce Transactions

Author(s): Wolfgang Wopperer


Source: The Geneva Papers on Risk and Insurance. Issues and Practice, Vol. 27, No. 3 (July 2002),
pp. 383-394
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/41952645
Accessed: 01-12-2015 08:11 UTC


Palgrave Macmillan Journals is collaborating with JSTOR to digitize, preserve and extend access to The Geneva Papers on Risk
and Insurance. Issues and Practice.

http://www.jstor.org

This content downloaded from 130.63.180.147 on Tue, 01 Dec 2015 08:11:04 UTC
All use subject to JSTOR Terms and Conditions
The Geneva Papers on Risk and Insurance
Vol. 27 No. 3 (July 2002) 383-394

Fraud Risks in E-commerce Transactions

by Wolfgang Wopperer*

* Manager Reinsurance, Allianz AG, Munich.

© 2002 The International Association for the Study of Insurance Economics. Published by Blackwell Publishers, 108 Cowley Road, Oxford OX4 1JF, UK.

1. Introduction

The following definition of e-commerce was adopted by the European Union. It goes back to the United Nations Centre for Facilitation of Procedures and Practices for Acquisition, Commerce and Transport which adopted it in 1997:

Electronic Commerce is defined as doing business electronically. This includes the sharing of structured or unstructured business information by any means (such as electronic mail or messaging, World Wide Web technology, electronic bulletin boards, smart cards, electronic funds transfers, and electronic data interchange) among customers, suppliers, government bodies, and other partners in order to conduct and execute transactions in business, administrative and consumer activities.

In Europe, the volume of e-commerce transactions has been constantly on the rise throughout the past years. In 2001, the transaction volume was estimated at €65 million, which represents a considerable increase over 2000 (€21 million) and 1999 (€8 million). Germany accounts for the biggest percentage of this volume (28 per cent), followed by the U.K. (26 per cent), France (10 per cent) and the Netherlands (8 per cent). An analysis of the goods purchased shows that mostly computer and software products, books, music, clothing, travel, entrance tickets, household goods and food are purchased over the world wide web. In the U.S. the volume of trade over the Internet increased substantially in the fourth quarter of 2001. The reason for this lies in the terrorist attacks of 11 September 2001. U.S. citizens tended to cancel trips to their relatives and to do their Christmas shopping on the net from the safety of their home. No evidence for similar tendencies has been found in the European Union.

The continuation of this promising development is endangered by the fact that Internet security breaches cost U.S.$15 billion in 2001 with an upwards tendency in the future. As a result German shoppers hesitate to pay by credit card but prefer to pay by cash on delivery or by traditional bank transfer.

2. Security aspects

2.1 The security consciousness of companies

Many companies have neglected the importance and application of the security technology available. Furthermore, too little control is usually exercised by companies over their IT landscape. Web hackers have no problem finding and using the weak points within commercial sites, and easily access customer card information and other personal financial details. Even if it fails to provide 100 per cent protection from a technical point of view, security is available to make it difficult for Internet site hackers to obtain sensitive customer data.

Planning for security is often not a priority during the creation process and errors in programming, inadvertent loopholes and incorrect use of encryption techniques can all expose systems to high levels of risk. Security measures carried out by developers who are not specialists in such techniques can increase the risk and not the level of protection.

A British study found that more than half of online companies do not use external data to check clients' names and addresses. Two-thirds of retailers need more than one month to uncover credit card crime, often allowing the perpetrator to escape.

Despite numerous violent attacks, companies are still not taking the security issue seriously. They spend twice as much on the results of damage as on preventing them. A statement made by the Confederation of British Industry recommended that companies regularly evaluate all e-business risks and review their Internet strategy and related risk management at board level.

While e-commerce continues to grow, few people fully understand the risks involved. In a survey conducted by the British Association of Insurance & Risk Managers, risk managers who responded said that neither employee users nor management boards understand the risks associated with e-commerce and IT. There is also a belief that the insurance market does not fully understand the risks, which is backed by the contention of insureds that they are unable to obtain adequate insurance cover for them.

2.2 Staff consciousness

Companies can take a great many measures to minimize risk and the most vital of them are not technological matters. In fact, many enterprises are concerned about the wrong issues. While the application of well functioning firewalls, intrusion detection and other technological measures are important, business practices and a perfectly working security policy are even more vital. Rules concerning Internet use, such as when employees may use the Internet for private purposes, which sites or classes of site they can or cannot access, can be established. Unlimited use of the Internet can increase security risks.

Generally, e-security companies focus on efficient technologies. Many of them lack the knowledge to offer value added services and training.

2.3 Lack of security: an obstacle for the development of e-business

Fear of the deceptive use of credit and debit card details provided during online transactions is keeping many people away from e-commerce. According to a recent study by the British Consumers Association, only 23 per cent of British Internet users believe that it is safe to use a credit card in online transactions. Over half of users (51 per cent), however, do not trust Internet security in its current forms which could be very damaging for companies trading over the net. The perceived security problem looks like a vital obstacle to higher levels of consumer interest.

Cybercriminals threaten to destroy Internet trade, with more than half of companies selling over the Internet in the United Kingdom having reported online frauds to the police. According to an Experian study, credit card fraud over the web grew in 1999 in the U.K. by 146 per cent to £40 million and 20 per cent of online retailers are experiencing fraud charge-back levels in excess of 1 per cent of sales, with some as high as 10 per cent. It is a fact that few, if any, organizations can currently promise users complete protection.

When German e-commerce customers were asked about their preferred security features a secure payment process was at the top of their list: more than 94 per cent of those interviewed stated that a secure payment method is (very) important for them. In second place was the wish for a money back guarantee if something goes wrong during the transaction process (90.1 per cent).

The emerging use of mobile phones for e-commerce (in this case called m-commerce) raises the potential threat of fraud to a higher level. Thus, consumers can use mobile devices, through using WAP technology, to access bank accounts and other financial services. The security of WAP technology is often at a poor level because the technology does not yet match the implementation of traditional firewall technology. This low level of security, amongst other influencing factors, has already resulted in a sharp decrease of popularity of m-commerce. A study carried out by the consulting company A.T. Kearney found out that the percentage of users of mobile phones in Europe who intend to do shopping over the phone in the future has decreased from 29 per cent in July 2000 to 14 per cent in January 2001 and to a mere 3 per cent in July 2001.

Neither companies nor consumers will carry out transactions or sensitive communication through a medium in which they lack confidence.

3. Risks occurring during the transaction process

3.1 Variety of risks endangering the transaction process

Theft of components
When components are stolen, damage can occur through loss of confidentiality and its consequences.

Manipulation of software in components
The software in the individual components can be manipulated in different ways or can as such have weak points. Examples are PIN numbers that can be avoided by so-called Super-PINs or people from outside the company who install Trojan horses, i.e. software which besides its intended function carries out some other action which is not obvious to the user of the system.

Installation of contaminated software
A substantial risk emanates from the customer himself. Through the installation of virus-contaminated software on his local private computer, so-called Trojan horses can spy out sensitive data and send it online to some other address. All this happens unnoticed by the user.

Weak points in hardware and software
Faulty construction of hardware and software can make it possible to evade security measures. Poor software structure not only increases maintenance problems but can also make it more difficult to detect weak points in security.

Loss of stored data
The loss of stored data may not only lead to availability problems but also to financial loss. If, during a computer failure at the customer's, the data areas which are used for electronic money become unusable, this can also lead to the irretrievable loss of his electronic money.

Manipulation of stored data
In electronic money systems, it is possible to manipulate the amount of stored money. A customer can try to increase the sum of his electronic money, a dealer can try to increase the stored turnover figures. A person in the range of the customer could use his computer and pay his expenses. An aggressor who wants to do harm to the dealer could try to decrease the stored turnover or delete it entirely. A further assault could be the manipulation of the range of goods offered by a dealer on the Internet such as offering goods at dump or very expensive prices, offering goods that are likely to worsen the dealer's image or modifying their description. Another point of attack is protocol data. Non-entitled persons can try to spy out protocol data in order to get access to confidential data.

Misuse of distant maintenance access points
In IT systems that have distant maintenance access points or that allow the downloading of software, an aggressor can successfully enter the IT system through these functions and modify software, manipulate data or spy out sensitive information.

Duplication of money units
As electronic money is represented through a bit string of a given structure, it is possible to duplicate this bit string and thus to double the amount of money. A customer could try to duplicate his stored amount of money and to spend it many times. A dealer could try to obtain money received on his account several times.

Re-entry of outdated data
Aggressors may register data and re-enter them unchanged at a later time. For cash transaction data, this can be done for the purpose of triggering off one and the same payment transaction for a second time.
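The last two risks, duplication of money units and re-entry of outdated data, are both countered on the receiving side by authenticating each payment message, checking its freshness and recording which units have already been redeemed. The following Python example is an added illustration, not part of the original article; the message fields, the shared demo key and the five-minute freshness window are assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the issuing bank and its verifier (assumption).
DEMO_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300  # assumed freshness window for a payment message

ACCEPTED = "accepted"
REJECT_TAMPERED = "rejected: manipulated or unauthenticated data"
REJECT_OUTDATED = "rejected: outdated data"
REJECT_SPENT = "rejected: money unit already redeemed"


def canonical(payload):
    """Serialise the payload deterministically so both sides MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_payment(key, serial, amount_cents, payee, issued_at):
    """Build a payment message and attach an HMAC-SHA256 tag over all fields."""
    payload = {
        "serial": serial,
        "amount_cents": amount_cents,
        "payee": payee,
        "issued_at": issued_at,
    }
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class PaymentVerifier:
    """Receiving side: accept a money unit only if it is authentic, fresh and unspent."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        # Serials already redeemed. A real system keeps this in durable storage,
        # otherwise a restart would make every old unit spendable again.
        self.redeemed = set()

    def redeem(self, message, now=None):
        now = time.time() if now is None else now
        payload = message.get("payload", {})
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        received = str(message.get("tag", ""))
        # Constant-time comparison; any change to amount, payee or serial fails here.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return REJECT_TAMPERED
        # A recorded message re-entered unchanged later still carries a valid tag,
        # so freshness has to be checked separately.
        if abs(now - payload["issued_at"]) > self.max_age:
            return REJECT_OUTDATED
        # A copied bit string is indistinguishable from the original; only the
        # record of redeemed serials stops it from being spent twice.
        if payload["serial"] in self.redeemed:
            return REJECT_SPENT
        self.redeemed.add(payload["serial"])
        return ACCEPTED


def demo():
    """Run four constructed cases and return the verifier's decisions."""
    verifier = PaymentVerifier(DEMO_KEY)
    original = issue_payment(DEMO_KEY, "unit-0001", 2500, "dealer-17", issued_at=1000.0)
    duplicate = json.loads(json.dumps(original))  # bit-for-bit copy of the unit
    tampered = json.loads(json.dumps(original))
    tampered["payload"]["amount_cents"] = 250000  # manipulated amount
    recorded = issue_payment(DEMO_KEY, "unit-0002", 900, "dealer-17", issued_at=1000.0)
    return [
        verifier.redeem(original, now=1010.0),   # first presentation
        verifier.redeem(duplicate, now=1020.0),  # duplicated money unit
        verifier.redeem(tampered, now=1030.0),   # manipulated stored data
        verifier.redeem(recorded, now=9000.0),   # re-entry of outdated data
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The tag alone stops manipulation but not copying or late re-entry; those two cases are caught only by the freshness check and the redeemed-serial record.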

Pretence of being an authentic communication partner
An aggressor can try to pretend vis-à-vis other components in the system that a component which had been modified through him is authentic. This could take place in order to make a customer effect a payment to a fake dealer. An aggressor could furthermore try to withdraw electronic money from a bank in the name of an authentic customer.

Pretence of being a serious communication partner
So-called web-spoofing means that an aggressor imitates a trustworthy website in the way he makes up his own website. For this purpose he will choose an address which makes users think that they are connected to the intended institution. A range of goods is offered for the mere purpose of spying out the credit card numbers of the potential buyers.

Non-acknowledgement of data
A communication partner can deny sending and receiving data. This is especially of importance for financial transactions. A client could deny having received electronic money from his bank or a dealer could deny having received payment from his customer.

Risks that are inherent in the transmitter medium
In open networks such as the Internet, each and every interface server can read data which are transmitted in a non-encrypted way. In cash transaction data, beside PINs and cryptographic codes, information about amounts, credit card numbers or objects of purchase can also be interesting to an aggressor.

Faulty transmission
An aggressor could intend intercepting data during transmission and conveying to other addresses. In open networks such as the Internet, there are a lot of possible ways of doing this, e.g. through the misuse of routing protocols. Thus he can try to catch electronic money on its way to the dealer.

Incoherence through faulty transaction finishing processes
If a transaction is not correctly finalized this can lead to incoherence at the communication partners. If a dealer makes the bank debit a customer's account before the payment transaction has been correctly finalized, the account can be debited without the purchased goods being delivered.

Spying out cryptographic codes
Spying out confidential cryptographic codes is the most significant danger for all electronic cash methods in which encryption is used. This can be made possible through unsafe storage of the codes, poor code selection, the application of inappropriate encryption methods or through the faulty implementation of encryption methods.

3.2 Perpetrators

A survey compiled by Professor Paul Barnes of the International Fraud Prevention Research Centre at Nottingham Trent University found that 45 per cent of those interviewed said that the main perpetrators were hackers, 13 per cent cited former employees, 13 per cent put it down to organized crime and 11 per cent to current employees.

3.3 Practical experience

In a survey of 273 organizations of different kinds, the American Computer Security Institute found that 90 per cent had reported the detection of attacks over the Internet, the resulting total losses amounting to more than U.S.$265 million over 12 months; 74 per cent of respondents had suffered a financial loss as a result of an attack over the Internet and 53 per cent stated that they had become victims of financial fraud, losing a total amount of U.S.$56 million. The National Consumers League (USA) reports Internet fraud by individuals in the U.S. at a total amount of U.S.$3.2 billion during the past year, a rise of 38 per cent compared with the preceding year.

Fake credit card numbers can be generated by hacker programs. Often they are disguised as company credit cards with low limits. The results are plausible credit card numbers that are accepted by companies trading across the Internet. The companies that accept these card numbers and deliver the ordered goods will suffer damage through non-payment. Another method is malicious access to customers' data by electronic intrusion into a database of a server.

Research carried out by Symposion Publishing showed that 14 per cent of online shoppers have never received the product that they had ordered, and to 3.6 per cent of them this had happened more than once. The majority of these transactions are paid via credit card. In case of non-delivery of ordered goods it happens quite frequently that the price is nevertheless debited to the credit card account. For the customer in question, an often lengthy and inconvenient procedure starts in order to get the money back. Figures from the same source show that the confidence of online-shoppers is easily affected: two-thirds of them state that they will never again use an online-shop with which they had a negative experience but more than half of the customers intend using again a shop whose service was satisfactory.

The following case was reported by the police in Heidelberg, Germany. Swindlers ordered from a computer company goods valued at some millions of euros. The company delivered at once and never received the payment due. The gangsters hardly left any trace. All information that they gave to the e-mail server was incorrect. Personal data mostly is not verified by the companies that offer online services. Many of them only check if the data given are plausible and could theoretically be correct. At the German police academy in Freiburg, the police are learning how they can trace the perpetrators in such cases through communication protocols of e-mail service companies and access providers.
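The gap described above, between order data that is merely plausible and order data that has been verified against an external source, can be made concrete. The following Python example is an added illustration, not part of the original article: the orders, the issuer table and all function names are constructed for the example, and the local table stands in for a real authorisation and address check with the card issuer.

```python
import re

ACCEPT = "accept"
REJECT_IMPLAUSIBLE = "reject: implausible data"
HOLD_UNKNOWN = "hold: card unknown to issuer"
HOLD_INACTIVE = "hold: card not active"
HOLD_MISMATCH = "hold: name or address does not match issuer record"

# Constructed stand-in for external reference data held by the card issuer.
# The card numbers are published scheme test numbers, not real accounts.
ISSUER_RECORDS = {
    "4111111111111111": {"holder": "erika mustermann", "postcode": "69117", "active": True},
    "4012888888881881": {"holder": "max beispiel", "postcode": "79098", "active": False},
}

# Constructed orders: every one except order-5 looks "theoretically correct".
CONSTRUCTED_ORDERS = [
    {"id": "order-1", "name": "Erika Mustermann", "postcode": "69117",
     "email": "erika@example.org", "card": "4111111111111111"},
    {"id": "order-2", "name": "Hans Muster", "postcode": "80331",
     "email": "hans@example.org", "card": "5555555555554444"},
    {"id": "order-3", "name": "Peter Falsch", "postcode": "10115",
     "email": "peter@example.org", "card": "4111111111111111"},
    {"id": "order-4", "name": "Max Beispiel", "postcode": "79098",
     "email": "max@example.org", "card": "4012888888881881"},
    {"id": "order-5", "name": "Eva Test", "postcode": "50667",
     "email": "eva@example.org", "card": "4111111111111112"},
]


def luhn_valid(number):
    """Checksum test: proves a number is well formed, not that an account exists."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def is_plausible(order):
    """Format-only checks of the kind the article says many merchants stop at."""
    return (
        len(order["name"].split()) >= 2
        and re.fullmatch(r"\d{5}", order["postcode"]) is not None
        and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", order["email"]) is not None
        and luhn_valid(order["card"])
    )


def plausibility_only(order):
    """Decision of a merchant that ships as soon as the data looks correct."""
    return ACCEPT if is_plausible(order) else REJECT_IMPLAUSIBLE


def screen_order(order, records=ISSUER_RECORDS):
    """Plausibility first, then verification against external issuer data."""
    if not is_plausible(order):
        return REJECT_IMPLAUSIBLE
    record = records.get(order["card"])
    if record is None:
        return HOLD_UNKNOWN
    if not record["active"]:
        return HOLD_INACTIVE
    holder = " ".join(order["name"].lower().split())
    if holder != record["holder"] or order["postcode"] != record["postcode"]:
        return HOLD_MISMATCH
    return ACCEPT


def demo():
    """Map each constructed order to (plausibility-only decision, verified decision)."""
    return {o["id"]: (plausibility_only(o), screen_order(o)) for o in CONSTRUCTED_ORDERS}


if __name__ == "__main__":
    for order_id, decisions in demo().items():
        print(order_id, decisions)
```

Orders 2 to 4 pass every format check and would be shipped by a plausibility-only shop; they are held only once the data is compared with a source the orderer does not control.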
Such an approach made by the police is urgent and vital in view of the fact that 57 per cent of online retailers in the U.K. reported fraud to the police, but only 9 per cent of these cases of reported fraud currently lead to a prosecution. This was revealed by an Experian study carried out amongst 800 retailers.

In the U.K., a 19-year-old took advantage of weaknesses in standard software by obtaining thousands of credit card details and posting them on the Internet. His actions led to £4 million worth of fraudulent credit card charges and caused two companies to close down. The lawsuit that followed was hampered by a whole number of ambiguities and raised doubts over the U.K.'s computer crime laws. In the end, the perpetrator was sentenced to three years' probation and put on a course of psychiatric treatment.

In the U.S., companies selling over the web have been interviewed about their experience with credit card fraud. In 2000, 83 per cent of those companies questioned were of the opinion that payment fraud in business conducted via the Internet is an ever-increasing problem. In the preceding year, only 75 per cent shared this view. In the U.S., the major credit card companies have introduced special regulations for money transactions without cash combined with shopping on the Internet. These regulations stipulate penalties for those sales companies which are very often involved in customers' complaints. The problem is that no distinction is made between justified and unjustified complaints. In Germany, a 60 per cent increase in e-commerce fraud in 2000 compared with the preceding year has been reported by the Ministry of Internal Affairs.

Eurocard, with 9.3 million credit cards and the market leader in Germany, states that coinciding with the increasing popularity of the Internet and e-business, the phenomenon of credit card misuse is also on the rise. This risk is considered to be substantially higher in Internet transactions than in traditional credit card payments in shops or restaurants although critics are arguing that the transfer of the credit card number through the Internet is much more secure than handing over the credit card in a restaurant and moreover it is much easier to look for a credit card receipt that had been disposed of carelessly. This might certainly be true and follow a parallel pattern to the fear of boarding a plane which is much more common in society than the fear of driving a car on a public road. In an objective way, driving is much more dangerous than flying but the difference is that people (often erroneously) think that they can influence their fortune in a car, whereas in planes they are helpless victims of an uncontrollable power. Also when shopping over the Internet and giving out credit card numbers for payment reasons, people feel robbed of control. Market research has shown that in Germany every tenth credit card transaction is followed by a complaint.

The resulting loss is estimated at €12 million annually. Compared to 1999, the figure has increased by 32 per cent during 2000.

4. Security measures

If consumers' data become accessible, for example, you need a rapid way of identifying what the fault is and where its origin lies. Regular testing of security systems is necessary to ensure that all systems are working properly and no violations have taken place.

Encryption disguises data in a way that prevents anyone from reading it without the respective key. In principle, an encrypted credit card number cannot be read without the key to decrypt it. The most sophisticated type of encryption is Public Key Infrastructure as well as digital signatures.

4.1 Secure money

4.1.1 "Trusted Shops"/"Paybox"

Amongst insurers, the Cologne-based Gerling Group has taken the position of a forerunner with its "Trusted Shops" which is a joint venture with a consulting company. "Trusted Shops" was created in late 1999 in close co-operation with consumer protection agencies and with the support of the European Commission. Amongst other features like certification of online-shops and various customer services, "Trusted Shops" offers a money-back guarantee (underwritten by Gerling) to online customers. All participating shops have to meet strict demands as to data security and delivery, and to refund payment to the customer in the event of non-delivery or return of goods within due time. Moreover, it requires the supplier to provide the customer with a contact person if problems should arise, price transparency, general terms and conditions of trade that are easy to understand, as well as prompt customer service.

The concept is completed by a close co-operation with the French company "Paybox" which has developed a payment method on the Internet in which the online order is confirmed by an automatic telephone call-back carried out by "Paybox", which acts as an intermediary. The program is installed on the server of the supplier and ensures that there has been communication between the customer and the "Paybox" server validating the order and about the willingness of the customer to pay. "Paybox" applies data security and encryption standards coding the number of the supplier, the order number, amount and currency, and the customer's e-mail address, which are all transmitted in a secure process.

The system of "Trusted Shops" is maybe the only one whose success can be proved by figures so far. Renowned international companies are members of "Trusted Shops". By October 2001, more than 250,000 customers had already used "Trusted Shops"; 250 online shops were already certified, and another 180 were in the process of certification. More than 1,000 buyers a day with a purchase volume of €130 on average register for the money-back guarantee. "Trusted Shops" is active at international level, among others in major European markets like the U.K., France and Germany.

4.1.2 Digital signature

In order to achieve broad acceptance of the digital signature as such, this type of signature has to be at a minimum as reliable as a handwritten signature. This reliability mainly involves four criteria: the electronic signature must be unique to its creator; it must be impossible to forge the electronic signature; it must be easily authenticated; and it must be impossible for the author to deny his electronic signature. As soon as an electronic signature matches these requirements a true alternative to the handwritten signature has been found.

In Germany, the so-called digital signature has recently been approved by law. This was via the conversion into national law of the e-commerce guideline which had been drawn up by the European Union. The lack of legal reliability and a certified system which guarantees the confidentiality and authenticity of electronically transmitted data had always been an obstacle hampering the growth of the sale of goods with a higher value through the Internet. The new law organizes the signature problem in a mathematical way: the method of the digital signature combines every text with a personal confidential code which is similar to PIN numbers on credit cards. The recipients of electronic data are able to prove the authenticity and the unadulterated nature of the transmitted data provided that both partners are connected to a so-called trust centre. Currently, a starter set for signing digitally at the computer costs approximately €60. This set includes the signature card, the reading device and user software. For the services of the trust centre, there is an annual fee of €25. Signing at the PC is very simple: as soon as a message is finalized, you simply have to select the "click" button. The computer will then ask you to enter the chip card into the reading device. Everything else is done by the computer. The authenticity check of a signature will be automatically carried out by the computer.

An article in a reputable German news magazine recently frightened all optimists who expected a substantial decrease in the risks involved in e-commerce transactions coinciding with the enforcement of the German law on digital signature. It was reported that a virus program at the University of Bonn had cracked the allegedly unassailable software of the Deutsche Post AG and spied out the PIN of a user. Scientists speak of severe legal consequences for users who are likely to become victims of fraudulent intrusions into online business. Unnoticed by the user, a treaty wording can be modified by incorrect figures and sections. In case of a lawsuit, the owner of the corrupted software will have to prove that his original data were modified illegally.

In the U.S., the so-called E-Sign Act was passed in October 2000. Although this Act gave electronic signatures the binding power of handwritten signatures, businesses are still hesitating to make use of this tool which is assessed by experts as being time- and cost-saving.

4.1.3 Other secure payment systems

More than a dozen other secure payment systems are already in existence. Basically, they use the same principle: the payment is not effected directly by the customer to the seller but through an intermediary server. In all cases, encryption and checking procedures play a major role. The most popular systems are SET (Secure Electronic Transactions), C-SET (Chip Secure Electronic Transactions), eCash, First Virtual, Millicent, HBCI, CyberCoin, Cyber Cash, and electronic portfolios such as Smartcard or Chipcard.

4.1.4 Criteria for distinguishing secure payment systems

These systems can be distinguished and judged according to the following criteria and have thus, before the choice of one payment system, to be selected according to the profile and the requirements of the individual users:
- Transition moment of the money to the customer (pre-paid, pay-now, post-paid);
- Divisibility of money units (like coins, cheques/credit cards, money transfers);
- Anonymity of the customer upon payment (totally, partly or non-anonymous);
- Suitability (only micro-payment, for big amounts, for information, programs, services, for shipping of goods);
- Mobility (adaptable to different end pieces such as private and public end pieces);
- Online/offline (in case of offline, no additional communication line has to be used during the transaction, i.e. no further party such as an authorization server or a payment gateway has to be involved);
- Suitability for spontaneous purchases;
- Circulation suitability (can be handed over to another person or transfer only possible through bank/intermediary);
- Spread (regionally restricted, national, international).

4.2 Measures taken by credit card companies

In the middle of 2001, Visa International launched a program to increase Internet security by impeding access to stored data by hackers. The so-called "Account Information Security Programme" (AIS) defines strict security standards for the storage and use of customer data on Internet sites. Since 1 November 2001, all Internet dealers and service providers have had to match these new security standards which include, among other elements, the allocation of customer-related passwords, secure encryption of data, and the existence of firewalls for access to the Internet.

5. Legal and liability issues

Liability in the event of losses from Internet fraud is an interesting subject. Over the years, sound protocols have been developed to try and guarantee that fraud relating to cheques and credit cards is limited. A first step towards higher legal security when participating in e-commerce was Guideline 2000/31/EG of the European Union, generally known as the E-Commerce Guideline. Its goal is to regulate cross-border transactions and to create legal reliability for companies as well as for customers. Its most important feature is the stipulation of the "country of origin" principle. Hence, inside the European Union the law of the country in which the respective entrepreneur is registered obtains. For queries, however, the court at the customer's residence is responsible. Thus, in future, courts will be faced with foreign law and will have to apply it. This will lead to substantial delays as the courts in question will have to study individually on a case-by-case basis the respective law to be applied.

In order to enhance security for those who are trading and buying over the net, E.U. Commissioner David Byrne, who is responsible for the protection of customers' rights, is requesting binding rules for e-commerce. The European Commission has been working for a year on a common rule of conduct for the European Union. This rule of conduct is to lay down which details the companies have to display on their website or on the purchase confirmation per e-mail. The customer has to be informed in detail of the methods of payment, the final price and delivery date.

Every e-commerce transaction which involves the transfer of personal data will be regulated in Europe by data protection laws. All information exchanged over the Internet or as e-mail is considered to be data. Nevertheless, in most cases the customer himself is liable in case of fraud. The practical situation is like this in spite of the fact that the individual can ask for details of his data and that measures have been taken to ensure that his consent has previously been obtained to process his personal data. This consent is a pre-condition of participation in online commerce. Having given this consent, which often is done as a routine action, the individual loses most of his rights such as claiming compensation for damage or distress that has been caused by unauthorized or unlawful processing of his data.

6. The insurance issue

Even if the insurance industry is increasingly making use of the Internet for marketing its products and some companies also offer the online conclusion of motor and accident policies, companies do not yet meet the insurance needs of customers using the net for their business transactions. Insurers are faced with two main problems. On the one hand, a statistical database is non-existent, while on the other the legal issue is not restricted to one country and moreover not clear.

The products available are mostly combinations and modifications of existing products for other lines of business such as product indemnity, electronic equipment insurance and business interruption insurance. More often than not, risks such as credit card misuse, viruses and hacker attacks, and interruption of business, without physical damage to the hardware are not insured. Product development takes weeks and months; in the meantime the risk circumstances may have changed substantially and the product may thus become inadequate.

Agents, brokers, consultants and risk managers attended the "New World, Old World" conference that was held in Dublin on 15 and 16 March 2001. Responding to the statement that insurance currently available offers good protection against cyber risks, only 8 per cent agreed, 44 per cent disagreed with the statement, and 17 per cent strongly disagreed. The remaining 30 per cent said they neither agreed nor disagreed.

In the case of loss to a virus, the accumulation builds up quickly and widely. No one insurer is able to provide all clients with full coverage. There is an obvious need for alliances and massive catastrophe protection. Elaboration, compliance with, and control of security standards and the existence of system redundancies is one important step towards the offer of e-risk covers that increasingly match the respective demands of Internet users.

A survey of the Association of Insurance & Risk Managers' e-commerce special interest group showed that members judged loss of reputation, intellectual property loss and fraud to be the greatest potential risks arising from their companies' e-commerce operations.

7. Outlook
We are still on the brink of the e-commerce and Internet revolution; security and fraud are issues that will not go away. It is of vital importance that more and more effort is made to achieve security that is as perfect as possible, which in the long term could be more valuable than marketing and other expenditure spent on acquiring customers. Experts claim that the incentive of achieving e-security is always a more important competitive advantage for companies which perform best in this respect.

Only if security issues can be solved and clients feel safe in their transactions will global B2B and B2C e-commerce turnover reach the prognosis of U.S.$5.9 trillion and U.S.$663 billion respectively by 2005. It will be a vital challenge for the insurance industry to close the hopefully few remaining security gaps by specialized insurance covers that match the multiple demands of Internet traders and customers.

The Internet is an open net and the principle that "nothing is secure on the Internet" continues to be valid. Encryption methods can substantially increase the security of money transactions on the Internet but cannot grant full security. A small risk always remains. Technological redundancies can substantially decrease the risk for the user. They should be maintained and the dependency on mono-line solutions should be reduced to a minimum. Investment in complexity can be vital for companies selling through the Internet.

8. Summary
Electronic commerce is defined as doing business electronically. In Europe, the volume of e-commerce transactions has been constantly on the rise over the past few years. In 2001, the volume of transactions was estimated at €65 million. The continuation of this promising development is endangered by the fact that Internet security breaches cost U.S.$15 billion last year with an upwards tendency in the future. Many companies have to date neglected the importance and application of the security technology available. Despite numerous violent attacks, companies are still not taking the security issue seriously. They spend twice as much on the results of damage as on preventing them. While the application of well functioning firewalls, intrusion detection and other technological measures is important, business practices and a perfectly working security policy are even more vital. In fact, above all the fear of deceptive use of credit and debit card details provided during online transactions is holding many people back from e-commerce. The risks that are endangering the transaction process are numerous, including software and data manipulation, and manipulation of the transmission process or of the communication partner. Encryption disguises data in a way that stops anyone from reading it without the respective key. One major element in achieving secure money in online transactions is the so-called digital signature. To achieve broad acceptance of the digital signature, this type of signature has to be at a minimum as reliable as a handwritten signature. Liability in the event of loss from Internet fraud is an interesting and still not completely resolved problem. Up to now, in most cases the customer himself is liable in case of fraud. As far as the insurance issue is concerned, companies still fail to match the insurance needs of customers using the net for their business transactions. The products available are mostly combinations and modifications of existing products for other lines of business which do not match the requirements of online traders and shoppers. Only if security issues can be solved will clients feel safe in their transactions. It will be a vital challenge for the insurance industry to close the hopefully few remaining security gaps through specialized insurance covers that match the multiple demands of Internet traders and customers.

