G8 GOVERNMENT-INDUSTRY WORKSHOP, TOKYO, MAY 2001
Report of Workshop IV:
Protection of E-Commerce and User Authentication
The workshop agreed on the necessity of better protection of electronic business transactions against criminal harm. The more real economic value added is transferred into cyberspace, the more serious are the consequences of criminal intrusion and deceitful skimming, both for the individual provider of electronic services and the economy as a whole.
The workshop began by discussing different aspects of the problem areas of e-commerce. The main problem is how to build trust in the relationships between clients, industry and the other actors; this also includes privacy protection.
The following subjects were discussed:
- whether the e-government sector should be included.
- terms of payment: secure and trustworthy terms of payment are recommended.
- credit card fraud, as the misuse of credit card data is emerging on the internet.
- objectives: the workshop focused on a few topics and common types of transactions.
- protection against loss of money/property
- protection of customer information/data privacy
- confidentiality, integrity
- authenticity, anonymity, pseudonymity
- auditability of service
- non-repudiation
The workshop felt it useful to identify the requirements each sector places on the other actors, in order to develop a comprehensive "trust picture".
E-commerce & e-security = e-trust
RISKS / REQUIREMENTS OF: Merchants | Bankers | LEAs | Consumer | ISPs | SecServP | CA

Entries recorded in the matrix (each stating a requirement and the actor it is addressed to):
- To Industry: more robust systems/safer products; more risk awareness
- E-Banking Requirements
- Information sharing: report damage as soon as possible (reporting obligations) on specific cases and on trends and developments; toward the banking sector and merchants: more self-protection
- To Merchants: Trustmarks
- To Industry: user-friendly security products
- Data protection; Privacy
- Information sharing (opportunity to report harm, fraud etc. to the LEAs)
- To merchants and consumers: more self-protection
- Payer authentication; better risk sharing
- Duh' List: Data Security; physical Safety; Prudential Rules of EC; authentication (standards pp); ITSEC
- To Merchants: Transparency (know your partner)
- International Information Sharing and jurisdiction
- To Consumers: follow the advice given by the CA
- Accountability
- To Industry: develop secure products and processes
- To ISPs: Security Qualifying; 24/7 monitoring of a secure chain of information
- To ISPs and CAs: Cross Certification; Interoperability of Certification
LEAs: Law Enforcement Authorities
CA: Certification Authority
ISP: Internet Service Provider
According to the topics in the matrix the group discussed:
Safer systems - safer products: how to design secure systems?
- Should be addressed to Universities etc. to build up awareness while educating students
- Third party certification as a commercial argument in order to create a competitive advantage.
Payer-/Payment-Authentication (merchants, consumers and other stakeholders):
- there are lots of tools in the market; they differ in cost and quality, and risks and costs have to be balanced.
- a differentiation between payer authentication and payment authentication must be made
- a single "one size fits all" security model would be too expensive; therefore security levels should be differentiated.
- appropriate user/payer authentication (depending on the kind of business), using better/stronger digital signatures
- Consumers should find a transparent environment to do the business.
- Industry and government should take leadership in the area of standards the consumer can trust. Government should create recommendations of criteria, principles or best practices (for instance UK government standards)
- must be flexible
Better risk sharing:
- allocation of risks
- who should be responsible for prevention mechanisms against risks?
- Depends on the obligations of the specific party and the type of transaction (there is a link between good authentication and good risk sharing - which incentives for risk management should be taken?)
Data security requirements:
- secure transmission and holding of information (see paper given by VISA)
- Create guides to safer e-commerce (for...)
- How can this list of recommendations be published/communicated and brought to the users?
- create a "G 8 - e-commerce"-website to publish the information
Better International Information Sharing:
- Better reporting and complaining facilities for consumers (e-consumer.gov-project; FBI Internet-fraud complaint center; high tech crime units of the RCMP; Hotlines etc.)
- Better information sharing of ISPs
The discussion led to the following recommendations:
The group recommends:
- that ISPs, means-of-payment providers, merchants and other online entities implement secure e-commerce systems based on recognised standards and auditable information technology security practices.
- that on-line e-commerce sites establish and post security policy statements which outline the safeguards implemented to encourage consumer confidence and trust in conducting on-line transactions.
- that e-commerce merchants provide sufficient opportunities for their users to choose the services that fit the users' needs, and provide consumers with sufficient information to choose e-commerce sites with security policies suitable for their transactions.
In doing so G 8 should respect user and supplier freedom of choice and take into consideration previous and ongoing work by international fora for example OECD, ICC, GBDe.
The group stresses that every participant in an e-commerce transaction should take adequate security measures within its own area of responsibility.
I. Data/Network Security Policy
The group recommends that e-commerce sites establish and post their data/network security policy.
Details: A model data/network security policy should contain, at a minimum, specific measures that address, for example, the following five sets of concerns:
1. Malicious Code
- The e-commerce provider has taken measures against major forms of malicious code (e.g., viruses, worms, denial-of-service attacks)
2. Encryption
- The e-commerce provider uses encryption when necessary to protect both stored data and data being sent through networks
3. Data Access
- The e-commerce provider limits data access to those who have a business "need to know"
- The e-commerce provider assigns unique identification to every person with access to that merchant's computers and computer networks
- The e-commerce provider tracks data access by those unique identifiers
- The e-commerce provider restricts physical access to especially sensitive or valuable data (e.g. credit-card numbers)
4. Security Maintenance
- The e-commerce provider keeps its security software robust and current (including timely "patches")
- The e-commerce provider maintains security hardware and software (including network firewalls)
- The e-commerce provider changes all default settings for system parameters (e.g., passwords)
- The e-commerce provider has adopted an information security policy for its officers, employees, and contractors, and communicates that policy to those people.
5. Consumer usage policy
- The e-commerce provider needs to provide the consumer with its requirements for the safe use of its e-commerce services.
II. Initiative on elements of Model Data/Network Security Policy
The group recommends that G8 government and industry representatives undertake an initiative to draft elements of a model data/network security policy that addresses at least the minimum requirements outlined above.
III. Initiative on Guides to Safer E-Commerce
The group recommends that G8 government and industry representatives consider undertaking an initiative to produce practical guides to safer e-commerce. Such guides may include guides for consumers, e-commerce providers and internet service providers.
Each guide would draw on existing best practices of G8 nations to provide the target audience with practical advice on how they can participate in e-commerce with greater confidence and in a more informed manner. That advice would include, for example, what consumers have a right to expect from the merchants with which they deal, what merchants have a right to expect from consumers, and what obligations merchants have to consumers and other third parties. Each guide could also include, where appropriate, a summary of the major rights, protections, and obligations that are established under the various national legal regimes of G8 nations, as well as links to appropriate mechanisms for reporting possible e-commerce-related crimes.
IV. G8 E-Commerce Website
The group recommends that G8 government and industry representatives consider creating and maintaining a Website to communicate critical information about e-commerce measures stemming from the G8 process.
The Website would include the model security policy, the guides to safer e-commerce, other public products of the G8 government-industry meetings (e.g., press releases, white papers), and additional materials that increase the transparency of the G8 process. It could also include other G8 products, such as publicly available training materials, and links to additional sources of information (e.g., national governments' and selected private-sector organisations' Websites).
V. Mutual recognition
The group recommends encouraging and supporting mutual recognition among different Certification Authorities, in order to spread strong authentication and digital signatures as one of the secure tools for e-commerce. Consequently, the group recommends that all standardisation bodies and industries work towards interoperable applications based on international standards.
VI. Information sharing
The group recommends that in each of the G8 countries effective mechanisms for consumer complaints and consumer reports of fraudulent or other criminal activities are provided. These mechanisms should be enabled to share information internationally.
The group also recommends that government and industry enhance their mechanisms of information sharing about specific risks of commerce and specific cases of fraudulent or other criminal activities as well. This would include the provision of international information networks between the parties (early warning systems).
VII. Future discussions
The group recommends that the dialogue between government and industry continues on e-commerce matters. Such a dialogue would include a prospective approach focusing on emerging security solutions, future/new technologies and the development of outreach programs.