During the past ten years, the intensity and variety of electronic financial transactions have increased dramatically. The last decade was characterised by the rapid spread of financial transactions conducted through online and/or remote mechanisms. E-services and e-transactions have become an essential element of the postmodern technological reality. As the number of online financial services increases, so do the number and variety of security threats. Small and large companies are equally vulnerable to the risks of security breaches in various types of financial transactions.
These threats are becoming more and more complex and can take full advantage of the existing network and application vulnerabilities. The current state of technology provides numerous solutions to the existing and emerging security threats; however, the success of the proposed countermeasures will depend on how well businesses realise the seriousness of the major security threats and are prepared to invest additional resources in the development and implementation of the complex security strategies.

Security threats and statistical information: The current state of literature
A wealth of literature has been written about the most serious security threats and the financial losses that security breaches and various types of system vulnerabilities cause to large and small businesses. The period between 2006 and 2008 was marked by a slight decrease in the number of financial frauds and security breaches in financial operations: the U.S. Federal Trade Commission asserts that fraud as a percentage of online revenue in the United States and Canada decreased slightly over the past few years and stabilised at 1.4 percent in 2008 (Paget 2009).
Meanwhile, the losses caused by security breaches and financial fraud display a marked increase – in 2008 alone, the American market lost over $4 billion due to security breaches and financial frauds (Paget 2009). This is a 20 percent increase compared with 2008 (Paget 2009). Given the new trends in technology-related financial services and businesses’ striving to reduce their transaction costs, the development of new methods of e-payment and the use of open architectures will create new technological challenges for professionals and new fraud opportunities for hackers (Glaessner, Kellermann & McNevin 2002).
The current state of literature provides a basic overview of the most serious security threats and proposes unique solutions that businesses and individuals can adopt to address these threats.

Financial transactions and security threats: what literature says

The discussion of security threats in the context of e-financial transactions is one of the most popular topics in scholarly literature. Today, the rapid growth of wireless technology and the increasing role of wireless solutions in daily financial operations turn electronic security into an issue of major public concern.
Numerous authors have tried to identify the most important security threats, to categorise them according to their severity and to define the risks they pose to the stability of financial e-flows. For example, Glaessner, Kellermann and McNevin (2002) state that the most frequent problems in the financial transactions arena include (a) insider abuse, (b) identity theft, (c) fraud, and (d) hacking. Cate (2005) concentrates on the discussion of identity-based fraud and suggests that account fraud, true identity fraud and synthetic identity fraud are the three most frequent forms of security threats in online financial transactions.
In this context, Keller et al. (2005) seem the most objective and detailed in their observation of the existing security threats and financial transaction issues. According to Keller et al. (2005), the first generation of vulnerabilities started in the middle of the 1980s and took the form of boot viruses that affected computers and networks over the course of weeks; the next generation of viruses was spread by means of macros and e-mails. Denial-of-service attacks became prevalent in the middle of the 1990s and still present one of the basic problems in the financial transactions domain (Keller et al. 2005).
New types of threats include worms that affect individual and multiple computers and networks, and can easily self-replicate to infect large numbers of users (Keller et al. 2005). Trojans are used extensively to steal passwords or create back doors on computers, compromising network security (Keller et al. 2005). Keller et al. (2005) believe that the rapid expansion of spyware and malware is of particular concern to IT specialists and business people – these programmes are downloaded onto computers without users’ knowledge or consent, typically run in the background, track personal information and execute damaging commands.
Statistically, every PC contains approximately 27.5 pieces of various malicious programmes (Keller et al. 2005). Fortunately, IT professionals actively work to develop effective countermeasures against the most sophisticated security threats.

Financial transactions and security threats: Potential solutions

Given that malware presents one of the most serious issues in the field of electronic financial transactions, numerous authors have sought to offer solutions to the problem.
Vlachos and Spinellis (2007) provide an overview of the so-called Proactive malware identification system, which is based on computer hygiene principles and demonstrates relative effectiveness in combating the risks of malware in financial transactions. Vlachos and Spinellis (2007) call the proposed algorithm PROMIS and base it on a peer-to-peer architecture; the choice of the P2P architecture is justified by the fact that P2P networks often become a propagation vector for various types of malicious software.
The P2P architecture used by Vlachos and Spinellis (2007) contains two types of nodes, member nodes and super nodes, and all nodes wishing to participate in the P2P network must authenticate themselves to the super nodes. PROMIS nodes generally fulfil two basic types of operations – a Notifier daemon regularly checks the log files of the security applications, while a Handler daemon analyses the incoming rates from other peers of the group and computes a global malicious activity rate (Vlachos & Spinellis 2007).
The researchers use an experimental design to show that the performance of the P2P group improves in proportion to the number of P2P members. Extensive simulations suggest that PROMIS has the potential to protect the operating networks from known and unknown worm activity (Vlachos & Spinellis 2007). The fact that during virus epidemics PROMIS acts only on the specific vulnerabilities concerned and leaves all other systems intact is considered one of the system’s basic benefits (Vlachos & Spinellis 2007). However, Vlachos and Spinellis (2007) are not the only professionals in the field of financial security.
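The Notifier/Handler split and the member-to-super-node authentication described above, as an added illustration that is not the authors' PROMIS code: the log format, the alerts-per-minute rate, the HMAC-based peer authentication and the alarm threshold are constructed assumptions.

```python
"""PROMIS-style aggregation of malicious activity rates (added illustration).
Daemon roles follow the text's description of Vlachos & Spinellis (2007); the
log format, rate formula, HMAC authentication and threshold are assumptions."""
import hashlib
import hmac
import re
from statistics import mean

# Constructed sample: one minute of a host's security-application log.
SAMPLE_LOG = """\
2008-05-01T10:00:01 INFO scan ok
2008-05-01T10:00:07 ALERT worm-signature matched src=10.0.0.5
2008-05-01T10:00:09 ALERT worm-signature matched src=10.0.0.9
2008-05-01T10:00:44 INFO scan ok
2008-05-01T10:00:58 ALERT worm-signature matched src=10.0.0.12
"""
ALERT_RE = re.compile(r"^\S+ ALERT ")


def notifier_local_rate(log_text: str, window_minutes: float = 1.0) -> float:
    """Notifier daemon: read the security log and return alerts per minute."""
    alerts = sum(1 for line in log_text.splitlines() if ALERT_RE.match(line))
    return alerts / window_minutes


def member_tag(group_key: bytes, node_id: str, rate: float) -> str:
    """Member node: authenticate its rate report to the super node with an HMAC."""
    msg = f"{node_id}:{rate:.3f}".encode()
    return hmac.new(group_key, msg, hashlib.sha256).hexdigest()


def handler_global_rate(group_key: bytes, local_rate: float,
                        reports: list, threshold: float) -> tuple:
    """Handler daemon: accept only authenticated peer rates, average them with the
    local rate, and flag an epidemic when the global rate reaches the threshold."""
    accepted = [local_rate]
    for node_id, rate, tag in reports:
        if hmac.compare_digest(tag, member_tag(group_key, node_id, rate)):
            accepted.append(rate)  # forged or unauthenticated reports are dropped
    global_rate = mean(accepted)
    return global_rate, global_rate >= threshold


if __name__ == "__main__":
    key = b"constructed-group-key"
    local = notifier_local_rate(SAMPLE_LOG)            # 3.0 alerts/min
    peers = [("peer-a", 2.0, member_tag(key, "peer-a", 2.0)),
             ("peer-b", 4.0, member_tag(key, "peer-b", 4.0)),
             ("rogue", 100.0, "not-a-valid-tag")]      # rejected by the Handler
    print(handler_global_rate(key, local, peers, threshold=2.5))  # (3.0, True)
```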
The fact is that malware is often associated with denial-of-service attacks, which continue to plague the Internet. Malware substantially lowers the bar for massive distributed denial-of-service attacks (Wang & Reiter 2008). Unfortunately, the current state of protection against DoS attacks is passive by nature and does not offer incentives to the owners of Internet networks to protect their computers from the risks of malware (Wang & Reiter 2008). Wang and Reiter (2008) suggest that client puzzles may be a potentially effective mechanism against DoS attacks in financial transactions.
Client puzzles imply that “a client solves a computational puzzle for requesting service before the server commits resources, thereby imposing a massive computational burden on adversaries bent on generating legitimate service requests to consume substantial server resources” (Wang & Reiter 2008). End-to-end puzzles imply that each client bidding for a financial service from the Internet server must present his solution to a puzzle; meanwhile, the server will allocate its limited resources to the bidders who solve the most difficult puzzles (Wang & Reiter 2008).
In this system, an adversary cannot seize the financial and informational resources of a victim without committing its own resources first (Wang & Reiter 2008). These systems are effective in mitigating DoS threats at all application layers and can be readily interoperable with various legacy systems (Wang & Reiter 2008). These, however, are unique technological solutions to the existing security threats. Other authors offer less sophisticated but no less effective ideas of how to deal with security threats in financial transactions.
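A worked client puzzle in the spirit of the scheme described above, as an added example that is not Wang and Reiter's code: the SHA-256 leading-zero-bit puzzle, the server's nonce bookkeeping and the allocation of slots to the hardest solved puzzles are constructed assumptions.

```python
"""Hash-based client puzzle (added illustration, not the authors' scheme).
The client burns CPU before the server commits resources; the server spends
one random draw to issue and one hash to verify."""
import hashlib
import secrets


def puzzle_score(nonce: bytes, counter: int) -> int:
    """Leading zero bits of SHA-256(nonce || counter): the puzzle's scoring function."""
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: brute-force a counter; expected work grows as 2**difficulty."""
    counter = 0
    while puzzle_score(nonce, counter) < difficulty:
        counter += 1
    return counter


class PuzzleServer:
    """Server side; a nonce is consumed on first use so a solution cannot be replayed."""

    def __init__(self) -> None:
        self.outstanding = {}   # nonce -> required difficulty

    def issue(self, difficulty: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = difficulty
        return nonce

    def verify(self, nonce: bytes, counter: int):
        """Return the difficulty solved, or None for an unknown, reused or unsolved puzzle."""
        difficulty = self.outstanding.pop(nonce, None)
        if difficulty is None:
            return None
        return difficulty if puzzle_score(nonce, counter) >= difficulty else None

    def allocate(self, submissions: list, slots: int) -> list:
        """Commit the limited slots to bidders who solved the hardest puzzles."""
        scored = [(self.verify(n, c), n) for n, c in submissions]
        ranked = sorted(((d, n) for d, n in scored if d is not None), reverse=True)
        return [n for _, n in ranked[:slots]]


if __name__ == "__main__":
    server = PuzzleServer()
    bids = [(n, solve_puzzle(n, d)) for n, d in [(server.issue(d), d) for d in (8, 12, 10)]]
    print(len(server.allocate(bids, slots=2)))   # 2: the difficulty-12 and -10 bidders
```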
According to Corzo et al. (2008), Automated Banking Certificates (ABC) can be readily used to identify unauthorised financial transactions in a timely manner. In the current system of electronic transactions, a financial transaction is considered authentic if it (a) is performed by an authorised entity; (b) has not been altered since the moment it was generated; and (c) is not a replay of another valid transaction (Corzo et al. 2008).
Unfortunately, current banking systems can identify non-valid and fraudulent transactions only by means of audit after the transaction took place; as a result, there is an urgent need to develop a mechanism which will trace and identify fraudulent transactions before and while they are taking place (Corzo et al. 2008). An ABC is a data structure which allows monitoring the relationships between various transactions within one workflow (Corzo et al. 2008).
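The three authenticity criteria above, checked while transactions flow rather than in an after-the-fact audit, as an added example: this is not Corzo et al.'s ABC data structure, which the text does not specify; the entity keys, the HMAC over a canonical encoding, the transaction fields and the rule that each task must follow the workflow's previous task are constructed assumptions.

```python
"""Checking transaction authenticity in-flight (added illustration; not the ABC
structure of Corzo et al. 2008). Keys, fields and chaining rule are assumptions."""
import hashlib
import hmac
import json

# Constructed: keys of the entities authorised to originate transactions.
AUTHORISED_KEYS = {"teller-17": b"constructed-key-teller", "batch-svc": b"constructed-key-batch"}


def canonical(tx: dict) -> bytes:
    """Stable byte encoding of every field except the MAC itself."""
    body = {k: v for k, v in tx.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(tx: dict, key: bytes) -> dict:
    """Originating entity attaches an HMAC over the canonical transaction."""
    return {**tx, "mac": hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()}


class WorkflowMonitor:
    """Evaluates each transaction as it arrives and tracks the last task per workflow."""

    def __init__(self) -> None:
        self.seen_ids = set()            # transaction ids already accepted
        self.last_in_workflow = {}       # workflow id -> id of its latest accepted task

    def check(self, tx: dict) -> tuple:
        key = AUTHORISED_KEYS.get(tx.get("entity"))
        if key is None:                                    # (a) authorised entity
            return False, "unauthorised entity"
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx.get("mac", "")):
            return False, "altered since generation"       # (b) integrity
        if tx["tx_id"] in self.seen_ids:                   # (c) not a replay
            return False, "replay of a valid transaction"
        if self.last_in_workflow.get(tx["workflow"]) != tx["prev"]:
            return False, "does not follow the workflow's previous task"
        self.seen_ids.add(tx["tx_id"])
        self.last_in_workflow[tx["workflow"]] = tx["tx_id"]
        return True, "accepted"


if __name__ == "__main__":
    mon = WorkflowMonitor()
    t1 = sign_transaction({"tx_id": "t1", "workflow": "w1", "prev": None,
                           "entity": "teller-17", "amount": 250}, AUTHORISED_KEYS["teller-17"])
    print(mon.check(t1))                         # (True, 'accepted')
    print(mon.check(t1))                         # (False, 'replay of a valid transaction')
    print(mon.check({**t1, "amount": 2500}))     # (False, 'altered since generation')
```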
A complete ABC allows tracing operations within workflows that go beyond the boundaries of one financial institution, as long as their tasks are related (Corzo et al. 2008). The use of ABCs in the current system of financial transactions proves that the task of identifying an unauthorised user is entirely achievable.

The use of network smart cards is another potential solution to the existing and emerging security threats. A network smart card “is a smart card that is an Internet node and is accessible from the Internet” (Lu & Ali 2006). The smart card stores user information and provides this information only to the trusted client or server, as soon as the user authorises the service or transaction (Lu & Ali 2006).
Smart cards are beneficial in the sense that they can create and maintain secure Internet connections with another Internet node, a web server or a web browser (Lu & Ali 2006). As long as the smart card sends selected user information directly to the service provider, this information does not pass through the local computer, and the threats of identity theft or similar security breaches become minimal (Lu & Ali 2006). Unfortunately, the effectiveness of these developments is yet to be established. Meanwhile, companies continue using more traditional solutions to their security issues.
The current research suggests that AdAware and Spybot are the most common tools used by businesses to deal with such threats (Keller 2005). Moreover, despite the availability of effective tools that cost little or nothing at all, many businesses acknowledge that they do not use any anti-spyware software at all (Keller 2005). As a result, businesses either lose significant material resources or fail to identify emerging threats in time. The case is particularly difficult with the so-called insider threats, where security threats originate from within the business entity.
For example, in 2008, the FBI alleged that a former Intel employee copied top secret documents that posed a threat to the future of the whole company and its business projects (Patel 2009). The cases when bank workers become the basic sources of the security threats and the initiators of the complex financial frauds are not rare. As a result, the success of financial transactions, their security, and the technical safety of consumers depends on how well companies realise the seriousness of the security threats and whether they are prepared to deal with them.
The current state of technology provides numerous solutions to the security issues in financial transactions, and businesses can secure themselves from the potential risks and failures by using the proposed technological Internet solutions at low or no cost.

Conclusion

The past years have been marked by the rapid increase in electronic financial transactions. The use of online and/or remote mechanisms in financial operations has already become an essential element of the daily business routine.
Financial transactions are associated with numerous security threats, including identity fraud, insider abuse, and the use of malware and denial-of-service attacks to access and steal personal user information. The current state of literature provides numerous solutions and ideas that businesses could use to address the existing and emerging security threats. Smart cards, automated banking certificates, and the use of client puzzles are just some of the many ways to address security threats in financial transactions.
Unfortunately, businesses often neglect the existing technological opportunities and do not deem it necessary to use effective protection from the real security threats. As a result, the effectiveness and safety of financial transactions largely depends on how well businesses realise the seriousness of the discussed threats and are prepared to invest additional material resources in the development of effective security strategies and solutions.