Time to combat cyber fraudsters

The bizarre circumstances that allowed John Chamberlain, an IT manager from Leicester, to hook into PowerGen's web server and view the payment details of up to 7,000 of its customers are still coming to light, but the repercussions have already been dramatic.

The bizarre circumstances that allowed John Chamberlain, an IT manager from Leicester, to hook into PowerGen's web server and view the payment details of up to 7,000 of its customers are still coming to light, but the repercussions have already been dramatic.

The day after the story broke, advertisements appeared apologising to online customers and advising them to change their credit card details. More damaging for a rapidly expanding utility was the hit on its reputation. But perhaps worst of all was the blow to public opinion on the risk of fraud in e-commerce.

PowerGen has announced a review of its e-security, and pundits say a carefully considered, board-approved policy is vital to any company's e-commerce strategy. But many are falling short as the impetus to exploit the web gets the better of firms' traditional reluctance to take risks.

Pundits have long called for firms to piece together IT security policies, though one difficulty is that a number of software vendors have supported the different pieces, with few offering an all-encompassing suite. That is slowly changing.

The three main areas such a policy needs to cover are: keeping data safe from external threats; ensuring data integrity, so records are accurate and intact; and authentication, so a user knows where information has come from. A British standard, BS 7799, defines these and other elements that a firm should implement.

Of course, even the most watertight security measures can be breached. A case recently came to light involving two major stockbrokers and a large European bank. One of the brokers decided to set up an arm dealing in government bonds and began building a network across Europe, which meant placing servers in all of the major banks to transfer information to the dealing rooms.

The network manager was known to many of the banks because he had once worked for a rival, and he was given access to top-security computer rooms. In one of the banks, the space allocated for the server was next to one of its rivals, which already had a government bond operation.

After a quiet chat with his boss, the network manager was given a discreet nod and told to lose £10,000 on expenses to place a connection from the rival's server to his company's server. Because of his time at the rival he was able to decipher the code, and thus gave his company real-time access to its rival's buy and sell prices, allowing it to undercut and make a killing.

Examples like this can't be avoided, and survey after survey reveals the frightening extent of fraud in the digital world. But the IT industry bemoans this focus on failure.

Guy Singh, at e-security vendor Baltimore Technologies, says: "There's also an enabling side to this - to securely enable business to be transacted between yourself and customers and suppliers. When we say this will revolutionise the way you work on the internet, people become a lot more interested."

* This column is supplied by TBC Research, an events, publishing and research group. Contact www.tbcresearch.com