CHAPTER 6: PROPOSED SOLUTION AND FINDINGS
6.6. Evaluation and Validation of the Research
Evaluation and validation of the study is reflected in detail within the research methodology of the approach used. In terms of this, validation of the Critical Success Factors occurred through the use of Expert Reviews. Ten experts in the online trust and security field were presented with the findings of the research and requested to comment on the correctness and applicability to the research problem, so as to further refine the artefact being developed. This approach is associated with the Delphi Technique, and therefore follows an iterative process of evaluation and refinement. The Delphi Technique is a popular method that is widely used and accepted to gather data from respondents. The technique is designed as a collective communication process aimed at a group of individuals with the objective to obtain a wide variety of opinions on specific real-world problems. The Delphi Technique used in the study consisted of four rounds of review, analysis and feedback.
The first round was validated by two experts who provided an extensive critical review of the research problem, concepts, and the initial Critical Success Factors developed. A second round of the validation process occurred, which resulted in less extensive, but highly valuable feedback from a different set of three reviewers. In the third round of validation, the largest response was seen as five experts were consulted. The opinions and comments obtained in this round were found to be extremely influential in constructive criticism, successfully improving the research artefact on all levels. Finally, the fourth round resulted in strong agreement and consensus from the particular experts who were provided with an opportunity to respond. Throughout the review process, all responses and comments made were taken into account and accordingly applied to the research where applicable. This added to the integrity of the research.
The secondary data collected included literature from frameworks, methodologies, online journal articles and other Internet sources, past research projects, surveys, and books. The initial literature review was performed in order to determine the research problem and objectives. This was most important, as it identifies the body of knowledge of which the study will be based on, and expand upon. By combining these two data collection methods, and using them as inputs into a design science approach, an innovative artefact was able to be developed.
By taking Figure 5.5 (in chapter 5) into consideration, the research data that was presented to the experts was continuously and thoroughly refined after each round of review that occurred, thereby making the research study of an increasingly credible standard. Therefore, the way in which the review process was conducted was deemed to be credible, leading to a perception of trustworthiness. The responses received from the experts can also be said to increase the credibility of this research project, as the responses provided comparable data.
The dependability of the responses received from the experts is difficult to measure. It is heavily dependent on the experts who were involved in the review process, their position and expertise, the situation, expectation and own perception on the subject. Therefore, the expert review process was conducted in a non-leading manner using defined research data presented for analysis, with the aim of keeping the process as open as possible.
De Vos et al. (2005) note that dependability and trustworthiness are also important in document study. To ensure and increase the dependability of the literature used in this study, only well known researchers, authors and institutions have been used in the construction of the theoretical framework.
Since this study explains the Critical Success Factors that involve users and websites in a general sense, they can be applied to all to users and websites where a trust problem exists. Therefore, transferability is obtained to some extent.
Since all five constructs of interpretivist research shown in Figure 5.5 (in chapter 5), have been achieved in varying degrees, it illustrates the soundness of this study. In general, credibility and dependability of this study have been achieved.
6.7. CONCLUSION
This chapter identified and discussed the initial vulnerabilities that were discovered in the E- Commerce environment that caused the environment to be highly susceptible to online attacks, specifically that of phishing. Various Critical Success Factors were then explained, providing key areas of security that are required in order for trust to be increased, and the risk of phishing to be reduced. An initial critical success factor to vulnerability elements map was presented, after which a detailed process into the refinement of these through application of reviews obtained from experts was explored. The summary of these reviews, and there application to the research was then provided. Finally, the main contribution of the study was presented. This was a model consisting of Critical Success Factors (and associated vulnerabilities) that aid in improving the problematic trust situation between users and websites. In terms of the applicability to the study, the model addresses the main research objective, by providing practical guidelines to increase the sense of trust within the E- Commerce environment by reducing the risk created from the threat of phishing. The following chapter will provide a summative discussion of key aspects that were looked at in this study, and how the gained knowledge from the research conducted has been applied to the research questions and objectives of the study.
CHAPTER 7
Conclusion
7.1. INTRODUCTION
The previous chapter discussed the findings and recommendations of the study and provided six Critical Success Factors that are necessary to reduce the risk of phishing, and in turn increase the trust between online users and companies in an E-Commerce environment. The Critical Success Factors presented in this study were supported firstly by the secondary data collected from conducting a comprehensive literature review which was then used as a foundation for their development. Then secondly by the primary data collected, which was derived from the responses obtained out of an expert review process. This chapter will provide a summative conclusion to the study, and begins by providing a brief description of the relevant literature and previous studies that have been applied. A discussion of the research questions and research methodologies will be given, after which the results of the data collection and analysis will be presented. The Critical Success Factors are then reiterated within the context of the research questions, highlighting the progress made during the study and how each research question has been addressed through the course of the research project. Finally, suggestions for future research are provided. The next section below presents a summary of the key areas that were included in the literature review which was conducted.
7.2. LITERATURE
It is well documented in literature that there are significant trust related problems that affect E-Commerce, and the use of the Internet for commercial activities, due to the presence of online risks such as phishing. Users and websites, and the communication or activity that occurs between them, have been found to be highly vulnerable to phishing attacks. These vulnerabilities consist of a wide range of weaknesses specifically targeted by phishing criminals. A detailed study was conducted to identify the vulnerabilities that exist within the E-Commerce environment, and that which leaves users and websites susceptible to this form of online attack. The Common Criteria Security model was firstly considered which helped gain an understanding of the relationships between the parties involved in E-Commerce transactions (being users and websites). The model also provided clarity on the way countermeasures are implemented by these parties to reduce risk to their assets (information).
Threat agents were also illustrated and explained, which provided an understanding of these entities and how they exploit vulnerabilities, increasing the risk to the information assets that belong to the parties in mention. It was found here that phishers exploit the vulnerabilities of users and websites and the countermeasures they have in place, in order to abuse their trust relationship to illegally gain access to valuable private information. We then looked to the Internet Threat Model which also points out that the two parties involved in E-Commerce are the users and websites, but states that the communication channel between them is unsecure. Essentially it explains to us that phishers exploit the security weaknesses in the communication channel, and then abuse the trust that exists between both parties. As a result, distrust between them is created and confidence in using the Internet for E-Commerce related activities is negatively affected.
Once an understanding of the dynamics of the E-Commerce environment was obtained, the focus of the research shifted to identifying the weaknesses that lie within E-Commerce that cause it to be vulnerable to phishing. The following major areas of vulnerability (or vulnerability vectors) were found as a result of the study:
The Expansion of Technology: The research has shown that the growth of the Internet and the development of technology have created new methods of attack for the phisher to utilise, and due to the wide availability and places to access the Internet, phishers are now able to easily evade detection. Hardware and software weaknesses in the new technologies being used for E-Commerce today make a phishers job even simpler, allowing them a number of points of vulnerability to target. Contributing to this is the anonymous nature of the Internet allowing phishers to conceal their identity, as well as the ease of which they are able to obtain easy to use phishing attack tools.
Weaknesses in Information Security: Due to weak security mechanisms failing to protect the privacy of personal information, people and companies are vulnerable, as confidential data is being increasingly exchanged and shared amoungst parties over the Internet.
Online Users (The Customers of E-Commerce): Users have been found to be one of the most significant contributing factors to the vulnerabilities of E-Commerce. Online users are highly susceptible to making mistakes, and struggle to differentiate between phishing and legitimate websites. Users generally also lack a sufficient understanding of phishing attacks and Internet security, leaving them open to exploitation.
Website and Web Browser Vulnerabilities: The results of the research showed there are major weaknesses in the medium across which business occurs. Websites are
highly vulnerable to Domain Name Spoofing, Pop-up hijacking, and client side scripting to name a few.
E-mail Communication Channel: The mass implementation and use of e-mail, along with the weaknesses in the e-mail transport protocol, SMTP have resulted in a vulnerability of E-Commerce from e-mail.
Other Countermeasure Weaknesses: Another weakness found in anti-phishing tools and countermeasures posing as a vulnerability of E-Commerce is firstly, that tools that have been automated have been relatively unsuccessful against phishing. Secondly, Encryption mechanisms have been rendered weak as phishers have been able to bypass these. Password Management Systems have received major attack, and have resulted in them being ineffective in countering phishing attacks. Lastly, blacklists, which have been widely implemented online, have also been proved ineffective, thus still leaving users and websites vulnerable to attack.
General: E-Commerce, and its activities, requires high levels of trust and confidence between users and websites, and because phishing is specifically designed to target and to exploit that very trust and confidence, these two issues are not only seen as its strength, but also its greatest weakness.
Once the vulnerabilities in E-Commerce were discovered, this lead to questioning what phishing attacks are, and how phishers carry out their attacks. Thus, consulting the literature, phishing was defined and analysed in detail. After considering several definitions, the common elements that phishing was found to comprise of is an instrument, a twist, an aim, and an underlying goal. The instrument of phishing consists of the technical aspects through which the attacks occur, which is generally via a phishing e-mail and a fake website. The twist involves obtaining the trust of users by pretending to be a legitimate e-mail or website, and then exploiting that trust for dishonest gain. The aim of a phishing attack is to steal a user’s private information without the user being aware of it. The goal or underlying objective of a phishing attack is to sell that information for a profit, or use it to commit identity theft or fraud. Certain literature pointed out that phishing is a highly complex problem, possessing both a social and technical component. The social component consists of the techniques employed by phishing which originates from social engineering. These techniques seek to trick and con users into divulging their credentials to someone who should not receive them. The technical aspect of phishing includes the technical components used to improve the success of phishing attacks. Thus, these components function by circumventing any countermeasures that a user may have in place, sneaking through spam filters, or aid in the
process of mining user data. Consequently, phishing is generally classified as being both a syntactic (targets computer systems and software) and semantic (targets people) attack. The results of a thorough research analysis also identified that phishing operates within a complex network of entities which execute, control, and monitor the process of a phishing attack. These entities form what we call a ‘circle of phishing’, and comprise firstly of, a phisher, who manages all the other entities involved, coordinating them into a single, well structured attack. Secondly, mounting provider’s setup phishing attacks, including its design and target distribution. Hosting providers will then collect all the stolen user data and pass it on to financial agents, who will then monetise the phished information. If the money is going to the phisher themselves, they will often utilise a money withdrawer (mostly within another country to that of the attack), who is responsible for withdrawing the funds as quickly as possible. Forming the components which are the target of the attacks, are the users themselves, the platform they are using, the operating system they are running, and any web servers being employed on the server-side. As a result, it can be seen that a phishing attack is dynamic, and involves more than one person. Hence, phishing is considered a highly organised form of online crime that causes considerable damage to E-Commerce.
Following the investigation into the various entities involved in a phishing attack, an analysis of relevant literature was conducted to discover the process in which phishing attacks occur, and the fundamental elements which it comprises of. Phishing attacks generally were found to consist of a delivery component (a phishing e-mail) and a mimicry component (a fake, phishing website). Phishers will use various techniques in order to make phishing e-mails highly believable. In nearly all cases, phishers will mimic the appearance of legitimate e-mails used by actual online companies, to cause people to mistakenly believe that they are viewing an e-mail originating from a trusted source. They will often obfuscate any links found in the e-mail to continue its believable look. Phishing e-mails will address recipients in a generalised manner, and use common words such as ‘account number’. Certain situation contexts will also be utilised. Phishers will create a sense of false urgency, threat or concern to force users to follow the e-mail’s instructions and click on the links provided in the e-mail. Even more effective is when they create a sense of opportunity or reward, offering a monetary reward or similar to recipients who follow the link and provide their details. Other techniques such as origin impersonation, spear phishing, and customisation of e-mail text to fool spam filters are also frequently employed by phishers, drastically increasing the success rate of their attacks.
With regards to the mimicry component of a phishing attack, phishers will use various techniques to construct a highly believable, legitimate looking website in order to obtain the private details of users that are victimised and happen to visit the website to divulge them. Two of these techniques are distribution attacks and redirection attacks, which offer two differing ways of routing users deceptively to a website to be phished. They are a mechanism employed to cleverly layer the attack, and cover a phishers tracks. JavaScript attacks are also very commonly used in a phishing attack, which give the phisher the ability to monitor keyboard inputs, rewrite the domain names, create fake login and password fields, and create legitimate looking browser components and toolbars. Host File poisoning was also mentioned, and is an exceptionally effective technique phishers use within their attack to conceal the true identity of a website from its domain name. Doppelganger window attacks, or similarly, picture-in-picture attacks are both used by phishers to create multiple fake browser windows on top of, or embedded into, the windows of a legitimate website in an attempt to fool users in to believing that they are using the intended website. Another technique, and is the most common to phishing attacks, is that of man in the middle attacks. This form of attack is where a phisher positions themselves between the user and a legitimate website, and relay’s any data or messages that are transferred between them, whilst saving the valuable data for themselves. Other techniques used are cross-site scripting attacks (where phishers inject code into a website to manipulate it into doing what the phisher wants), flushing password protected list attacks (where phishers flood the protected list with fake passwords in order to bypass the checking mechanism), hosting on legitimate domains or sub-domains, as well as, creating and using fake Certificate Authorities. By looking at the various techniques, a thorough understanding of phishing attacks, and the techniques employed was obtained. However, the need to understand the process in which attacks occur still remained.
Consequently, the phishing attack process was then examined and the resulting literature explains a three phase process consisting of a planning phase, an attack phase, and a cashing phase. The planning phase involves tasks set on information gathering, and includes tasks such as searching for opportunities and vulnerabilities in the environment to target, harvesting e-mail addresses, the registration of domains and the setup of a web server to host the phishing website, and designing the phishing e-mail and the phishing web pages. Once the attack has been planned and setup accordingly, the attack phase is initiated. This is when the attack is formally executed. The phishing e-mails designed to lure users to a phishing website will be distributed to the agreed targets. The users will then be lead to the phishing website, where they will be asked to enter certain credentials. Once they enter their private details, the
attack then ends and the users’ details are collected by the phisher. After the attack phase is completed, the cashing phase then occurs. This is where cashers will take the phished data, and convert it into monetary form, i.e., they will purchase the data at an industry standard price.
By looking at the vulnerabilities of E-Commerce to phishing, the phishing techniques used,