The main security problem in e-commerce is online credit card fraud, i.e. withdrawing money from someone else’s account without permission. Credit card details obtained without permission are used to withdraw funds from accounts without authorization, make fraudulent purchases, and obtain false credit. Credit card fraud is committed through hacking, skimming, identity theft, phishing, card theft, cardholder absence (CNP) transactions, and pharming, as discussed below. Credit cards are vulnerable to fraud because even after an online shopping transaction ends, the credit card details remain stored on a network, database, or other storage device that is not secure and remains vulnerable to hacking. A hacker can infiltrate the network using viruses that attack the server on which the information is stored. If credit card details are not protected from malicious software on networks or servers, they can also be obtained from them. Most cases of credit card fraud in India occur in cardholder-absent (CNP) transactions and, of course, all e-commerce/online transactions are CNP transactions. However, before we investigate CNP, we will explore how credit card fraud is committed through hacking, skimming, identity theft, phishing, and pharming. Although these types of cyber crimes have already been discussed in other articles, they are examined here in the context of credit card fraud.
1. Hacking:
A hacker does not need to know the complete information of the cardholder to make unauthorized use of someone’s credit card, as details may be available elsewhere on the web. Once a hacker knows a person’s credit card number, he can get the cardholder’s date of birth or address from social networking sites. There are many ways to get credit card details and information.
2. Skimming:
Skimming is an electronic way for identity thieves to obtain the victim’s personal information: a skimming device scans the card details held on the magnetic stripe of a credit card. A skimmer is a small device that scans a credit card and stores the information contained in the magnetic stripe. Skimming may occur during a legitimate transaction in a business. The numbers on the magnetic stripe are erased and a new number is written, and transactions are made using the new numbers. The magnetic stripe contains the cardholder’s name, 16-digit credit card number, expiration date, and credit card verification value (CVV). The information available on the magnetic stripe is sufficient to make a card that resembles the original card. This makes the magnetic stripe more susceptible to theft. When the card marked with the new number does not work in the swiping machine, the merchant processes the card details manually to complete the sale. Therefore, the transaction is completed even after the numbers marked on the original magnetic stripe have been deleted and the new number marked. Unlike a magnetic stripe, a credit card chip on an RFID transponder provides additional security. A new CVV is generated for each transaction, which is completely different from the CVV marked on the card. The new CVV is notified to the network to be used for new transactions. In this case, the card information cannot be skimmed, as a new CVV is generated for each transaction.
3. Phishing:
Phishing is the same as fishing in a lake, but instead of trying to catch fish, phishers try to steal your personal information. They send emails that appear to come from legitimate websites such as eBay, PayPal or other banking institutions. The email states that your information needs to be updated or verified, and you are asked to enter your username and password after clicking on the link provided in the email. Some emails ask you to enter even more information, such as your full name, address, phone number, Social Security number, and credit card number. However, even if you visit a false website and simply enter your username and password, the phisher can still gain more information by logging into your account. As mentioned in the introductory chapter, phishing is another way to acquire usernames and passwords of credit cards or bank accounts under false pretences. Phishing is a type of Internet scam where fake email messages, for example, are sent under the pretext of updating or verifying account information. A link in the fake email leads to a fake website resembling the original website, which is a forgery. The customer unknowingly gives all the information to the false website, which claims to be the real website of the bank or credit card company, and the fraudsters thus obtain the information necessary to hack the user’s bank accounts, transfer money, etc. There are many methods available to prevent phishing. To prevent phishing, a merchant must use spam filter software, antivirus software, and personal firewalls.
In addition to sending fake email messages or text messages, fraudsters use malicious software sent as email attachments to find personal banking information and passwords held on a person’s computer, and some worms hijack the user’s hosts file, which leads the user to a fake phishing website. Another method of phishing is the use of spyware that is inserted into the user’s computer; the information it collects is sent to the fraudster’s computer network. Another method of phishing is ‘tabnabbing’, in which a third-party script is downloaded and displays a page that looks like a bank account, email account, etc. To avoid these fake emails/websites, it is advisable that credit cardholders visit their bank’s website directly through the URL of that particular bank.
4. Pharming:
Pharming is another way hackers influence users on the Internet. While phishing attempts to obtain users’ personal information by sending them to a fake website, pharming redirects users to false websites without their knowledge. While a typical website uses a domain name for its address, its actual location is determined by an IP address. When a user types the domain name in the address field of their web browser and presses Enter, the domain name is converted to an IP address via a DNS server. The web browser then connects to the server at this IP address and loads the web page data. After the user visits a specific website, the DNS entry of that site is often stored in the DNS cache on the user’s computer. This way, whenever the user visits that website again, the computer does not need to access the DNS server.
Pharming is another way to obtain the PIN code, access number, and other confidential information needed to commit credit card fraud. Pharming occurs when hackers redirect website traffic to another, that is, a fraudulent site. This can be done by altering the hosts file of the victim’s computer or by placing a virus or malware on the DNS server’s software, that is, the Domain Name System (which resolves the names of computers connected to the Internet to their IP addresses). By inserting viruses/malware into the victim’s computer, the impostor can redirect the victim to a fake/scam website that may look like the original website, which is called page-jacking. In other words, the URL entered into the browser by the victim redirects to a fake address.
The fake website asks for sensitive information such as username, password and credit card details. Anti-spyware or antivirus can be used to protect the host computer from attack by viruses or malware.
5. Cardholder absent (CNP):
As discussed above, most credit card fraud in India occurs when the credit card is used in the absence of the cardholder (called CNP). All e-commerce transactions are CNP transactions, as these are all online purchases and not physical purchases where the cardholder is present in the shop. In fact, neither cards nor cardholders are physically present at the time of an e-commerce transaction. If the cardholder is not present at the time of executing the transaction, it is not clear whether the actual cardholder or a fraudster is carrying out the transaction. Credit card fraud in CNP is done through skimming or other methods discussed above such as pharming, phishing or identity theft. As discussed above, various security measures are available to determine whether the person providing the credit card details is an authorized user. The merchant must ask for the credit card number, cardholder name and details, secure code provided by the issuing bank, secret code, virtual payer authentication and AVS (Application Verification System), where the address on the credit card is verified with the address in the issuing bank’s file. The three-digit number, i.e. Credit Value Verification (CVV), should be checked by the merchant while placing the order.
There are many circumstances when fraud may be suspected in the absence of the cardholder, such as when multiple account numbers result in goods being sent to the same address, transactions from the same account numbers, multiple transactions on a card in a short period of time, multiple account numbers from the same IP address. Repeated attempts to find numbers may alert the issuing bank and thus they may not succeed. A company doing business online should ensure the use of AVS, CVV, virtual payer authentication and other security measures mentioned above. In an effort to curb credit card fraud, the Reserve Bank of India (RBI) in collaboration with Dun & Bradstreet (D&B) has established the Indian Credit Information Bureau (Credit Information Bureau of India).
However, credit card statements should be checked monthly. RBI has issued a circular titled ‘Banks’ Credit Card Operations’, requesting banks to set up internal control systems to prevent credit card fraud. RBI has advised credit card issuing banks to check the ‘Know Your Customer’ requirements in detail.
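The CNP warning signs listed above (several account numbers shipping to one address, several account numbers from one IP address, many transactions on one card in a short period) can be expressed as simple rules over order records. This is an added example, not part of the original article; the order data, field layout, function names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (time, card token, client IP, ship-to); all values made up.
ORDERS = [
    ("2024-01-05T09:00:00", "tok_H", "192.0.2.77", "1 Oak Ct"),
    ("2024-01-05T10:00:00", "tok_A", "198.51.100.10", "12 Lake Rd"),
    ("2024-01-05T10:20:00", "tok_B", "198.51.100.11", "12 Lake Rd"),
    ("2024-01-05T11:05:00", "tok_C", "198.51.100.12", "12 Lake Rd"),
    ("2024-01-05T12:00:00", "tok_D", "203.0.113.9", "4 Hill St"),
    ("2024-01-05T12:01:00", "tok_E", "203.0.113.9", "9 Park Ave"),
    ("2024-01-05T12:02:00", "tok_F", "203.0.113.9", "7 Mill Ln"),
    ("2024-01-05T13:00:00", "tok_G", "192.0.2.50", "3 Elm St"),
    ("2024-01-05T13:02:00", "tok_G", "192.0.2.50", "3 Elm St"),
    ("2024-01-05T13:04:00", "tok_G", "192.0.2.50", "3 Elm St"),
]
TS, CARD, IP, SHIP_TO = range(4)

def cards_sharing(orders, field, min_cards):
    """Map each field value to its cards when >= min_cards distinct cards used it."""
    seen = defaultdict(set)
    for order in orders:
        seen[order[field]].add(order[CARD])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_cards}

def card_velocity(orders, max_txns, window):
    """Cards with more than max_txns orders inside any window-long interval."""
    times = defaultdict(list)
    for order in orders:
        times[order[CARD]].append(datetime.fromisoformat(order[TS]))
    flagged = []
    for card, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 > max_txns:
                flagged.append(card)
                break
    return sorted(flagged)

def cnp_flags(orders, min_cards=3, max_txns=2, window=timedelta(minutes=10)):
    """Apply the three indicators; the default thresholds are illustrative assumptions."""
    return {
        "same_address": cards_sharing(orders, SHIP_TO, min_cards),
        "same_ip": cards_sharing(orders, IP, min_cards),
        "card_velocity": card_velocity(orders, max_txns, window),
    }
```

Orders flagged this way are candidates for the AVS, CVV and payer-authentication checks the article recommends, not proof of fraud.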
In any jurisprudential system, tax laws are made with a social purpose. According to the author, taxation is an attempt to come up with collective solutions to individual problems. Revenue from taxation helps the state to perform diverse functions and provide security and stability to the economy. The circulation of financial resources through taxation has a significant impact on the operation of the economy. Although the statutory provisions governing taxation establish basic principles, uncertainty persists in many aspects. The author wishes to discuss a similar suggestive issue within the Income Tax Act, 1961, namely, whether income tax authorities can invoke the principles of preventive detention to detain a taxpayer. E-commerce changes the nature of the physical needs required to do business.
The place of business, the place where transactions start, the place of delivery of goods and services and the server used for payment all usually pose real challenges to traditional principles of taxation. In the absence of physical presence, it becomes difficult to apply the traditional principles of taxation relating to the residence or source of income of the parties, called residence-based taxation or source-based taxation. Residence-based taxation means that all individuals and legal entities are subject to tax in the place where they reside. Source-based taxation means that all income can be taxed by the country that is the source of income. Furthermore, the basic principles applying to cross-border taxation must also apply essentially to e-commerce transactions that are inherently cross-border.
The basic principle is that when a resident of one country earns income from economic transactions in another country, both countries have the right to tax the same income. The home country has the right to tax income on the basis of the residence rule and the other country, the host country, has the right to tax income on the basis of the source rule of taxation. This poses the problem of double taxation, which is addressed in various bilateral double taxation avoidance treaties. The next section examines some basic principles of taxation under Indian law to find out whether they may be relevant to the taxation of e-commerce transactions.
1. Principles of taxation under the Income Tax Act, 1961:
Under Indian tax law, Indian residents are taxed on their global income, whether earned, generated or received inside or outside India. Non-residents are taxed on their income which is received from any source in India. Under Section 9 of the Income Tax Act, 1961, all income earned, generated or received in India, which is deemed to be earned or generated in India, is taxable in India.
2. OECD:
The OECD Model Convention provides for fair treatment in e-commerce business. In January 1999, the OECD’s Committee on Fiscal Affairs set up the Technical Advisory Group (TAG) to monitor the application of existing treaty norms to tax business profits. The task of the TAG was to examine how the current Treaty rules for taxation of business profits applied in the context of electronic commerce and to examine proposals for alternative rules. The TAG focused on (a) ‘Place of Effective Management’, (b) the concept of Permanent Establishment (PE), (c) determination of profit to server PE, and (d) transfer pricing.
According to the Consolidated FDI Policy published on October 1, 2011 by the Department of Industrial Policy and Promotion, Ministry of Commerce and Industry, e-commerce activities refer to the activity of buying and selling through e-commerce platforms by a company. According to the consolidated FDI policy, such companies will engage only in business-to-business (B2B) e-commerce and not in retail trade. This means that the existing restrictions on FDI in domestic retail trade will also apply to e-commerce. Under Indian law, only up to 51% of foreign investment is allowed in the retail sector, provided the shops sell the same brand. Foreign investment is prohibited in retail outlets holding multiple brands, called multi-brand retail trade. Provided the e-commerce activity is on a B2B basis, 100% foreign investment is allowed by the automatic route. This means that prior approval from the Foreign Investment Promotion Board (FIPB) of the Finance Ministry is not required and foreign investors can set up a company directly in India.