Re: [GKD-DOTCOM] Cyber-Security and E-commerce
We have discussed a lot of the problems for e-commerce in developing countries but not a lot about the individual workarounds for both buying and selling through e-commerce. Trying to think like a businessman, it sounds like the problems related to e-commerce and security can be divided into:

1. payment systems
2. methods to verify identity and build trust (for resolution of problems, quality, trust, branding)
3. shipment/tracking that goods and services are actually delivered
4. privacy for transactions (i.e. you don't want your competitors to know prices/locations, etc.)

From what I know (and that is rather limited) there are a variety of workarounds, including partnering with bigger, more well known companies (such as eBay or Amazon) to sell goods, or finding individual responses (like finding a friend with a US-based credit card to process payments). I would love to hear of other workarounds that developing country entrepreneurs use to overcome the security issues with e-commerce.

Siobhan Green
www.sonjara.com

This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides more information. To post a message, send it to: [EMAIL PROTECTED] To subscribe or unsubscribe, send a message to: [EMAIL PROTECTED]. In the 1st line of the message type: subscribe gkd OR type: unsubscribe gkd For the GKD database, with past messages: http://www.GKDknowledge.org
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
I believe that the problem facing developing countries is not one of 'systems' or 'technical'; it is the lack of 'enforceable' laws that handle cyber-crime in particular and the lack of the rule of law in general. Until such laws are in place and it is evident that they are enforced, we can cry 'wolf' all we want.

Sincerely,
Nabil El-Khodari
Founder/Treasurer
Nile Basin Society
Tel.: +1 (647) 722-3256
Fax: +1 (647) 722-3273
http://nilebasin.com http://nilebasin.net http://nile.ca
108 Waterbury Dr. Toronto, Ontario, M9R 3Y3 Canada
If the people will lead, the leaders will follow. - Dr. David Suzuki
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
In a message dated 10/4/2004, Barry Coetzee [EMAIL PROTECTED] wrote: In economies where the total number of e-commerce transactions are in the 1000's there is no point in installing or using any technology that costs more than a couple of thousand US$. It would not be sustainable. Furthermore, If the cost of protecting the IT Asset is more than the asset, why invest at all in Security mechanisms?
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear Mr. Sharkovski,

I do understand perfectly your frustration, yet don't share your opinion - or perception - that there are just some powerful anonymous groups out there, which intentionally try to harm Macedonia by putting it on a black list. Why should they? (And by the way, this IMHO applies to almost any developing country, therefore Macedonia may serve just as an example).

Under current conditions, there are just 2 recognized public entities that - on the state level - may give you credentials:

(a) the US-government (Departments of State and Commerce in their country-profiles and related info, see for instance http://www.mac.doc.gov/ceebic/countryr/Fyrm/MARKET/Macedonia%27s%20Information%20Technology%20Sector.pdf which in fact makes quite critical observations with respect to laws and ICT in Macedonia).

(b) the EU-commission (Commissioner for commerce) in Brussels.

Even though not publicly admitted, both are obviously say modulated by general political interest, yet they don't operate anonymously. And there are the private risk-assessment agencies like Standard & Poor's or the respective risk-assessment departments of banks and [public] trade- or export-risk assurance companies.

Hence the only way out - in your situation and similar situations in other countries - is to engage at least one of these public entities and at least one of the private ones in a more formal assessment of your conditions and then distribute their assessment (like percentage of risk-penalties in trade-assurance contracts etc.).

Unfair? Yes! Avoidable? Definitively no!

Yours sincerely,
Cornelio

On Friday, October 1, 2004, L Sharkovski [EMAIL PROTECTED] wrote:

I think perhaps some on the GKD list have missed the problem that my compatriot in Macedonia is describing. The point, for us at least, is not that there is rampant cyber-criminality in Macedonia that the government has failed to prevent.
The point is that it is just as safe to buy from Macedonia, or sell to Macedonians online, as it is from any other country. Yet the organization Exportbureau.com has alleged that there are online fraud schemes based in Macedonia and has placed Macedonia on their list of Suspect Shipping or Contact Addresses. There is no contact address or information listed on THEIR website, so it is extremely difficult to determine who this group is and where they reside (although, after some research, we believe they reside in Taiwan).

..snip...

It is bitterly ironic that Macedonia -- a very small country with relatively low cyber-density compared with the industrialized countries in Western Europe and the US -- is accused of being major sources of cyber-fraud. In a world of cyber-criminality, what percentage of that is Macedonian? I will tell you: Zero. Yet our companies are shut off from access to major e-commerce channels.

So it is not an issue of lack of laws or lack of enforcement. It is an issue of too much power in the hands of groups that seem to be informal arbiters of which countries are secure enough for e-commerce. Furthermore, they are completely inaccessible and unaccountable. They do not reply to our requests for evidence of their accusation. And there is no way for us to counter their accusation other than trying to publicize our security through discussions like this one.

It is difficult for us to convey how frustrating and damaging this situation is for us. In many ways, this type of baseless accusation, which harms our economy, is just as lawless as the accusation they are making.

..snip...
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear Colleagues,

I am sure there are several ongoing projects addressing the issue of Information Technology in the institutions of learning in the so-called developing countries. Of course Africa as a continent can still use more of such work force training. The issue is not that of allowing a country to do E-Commerce, but that of having the proper framework for proper and secure implementation, that will allow for global virtual enterprise.

As pointed out by the Moderator: Cyber-security is essential to e-commerce. Businesses must establish trust with their potential customers. Countries need to prevent cyber-fraud that can cripple e-commerce activity. Yet, developing countries face special obstacles in their efforts to safeguard their companies' e-commerce activities. Many lack a legal infrastructure that can thwart digital crime. These countries also have conditions that foster cyber-crime: many people with sophisticated computer skills and very low incomes, in an environment of expanding organized crime.

The e-Centers, as Electronic Commerce Resource Centers, can draw on any sector of the society, especially the small and medium-sized enterprise (SMEs) in Africa. The involvement of the government is very essential because the policies and legal framework have to be coupled with the business standards and enforcement. In addition, the government is the biggest customer in most of the African countries. Therefore, all the stakeholders that understand running of a Virtual Enterprise infrastructure should be attracted to come up with a viable solution in each country.

As I pointed out in my previous e-mail, in the US, out of the seventeen Electronic Commerce Resource Centers (ECRC), only two of the centers are run by Universities, the rest are run by private business enterprises with technology hubs, and they were all funded and supported by the government at the inception.
A Virtual Enterprise needs the cooperation of all the stakeholders, be it government, educational institution or business entities, to build trust with their customers and create a legal framework that can thwart digital crime. The industrial environment of today consists of numerous organizations working together as a virtual enterprise.

As I pointed out in my previous e-mail, the Global Trade and Investment Management Network (GTIM) group in Nigeria and US are taking measures in working with stakeholders in building trust among members and seeking partnerships with organizations interested in cyber-security for Africa.

I thank you for your input.

Best Regards,
O. Olatidoye
GTIM US Coordinator

On Wednesday, September 29, 2004, Ajay Gupta wrote:

I do believe the first and most critical step towards allowing developing countries (e.g., countries on the African continent) to more fully take part in electronic commerce and the deployment of a secure IT infrastructure is to institute educational training programs in Information Technology and the Secondary and Post-Secondary level. E-Centers and CSIRTs can more easily be implemented by educational institutions that are developing the necessary and qualified work force in the first place. Further, the educational institutions, if self-managed, provide at least one degree of separation between governments and the e-Centers and CSIRTs often raising the credibility of the latter organizations.
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear GKD Members,

Everything (in developing economies) MUST comply with sustainable and appropriate.

In economies where the total number of e-commerce transactions are in the 1000's there is no point in installing or using any technology that costs more than a couple of thousand US$. It would not be sustainable.

However, even developing economies are part of the planet. An important part of their development is to institute systems that will put them in synch with the rest of planet so that they can trade (and pay off their debts). The technology would be appropriate.

ALL universal cyber-security protocols are designed to meet the specific requirements of developed economies. I can make that statement because the cost of implementing them usually is un-sustainable. Furthermore, paranoid legal requirements that have been forced on the world since 9/11 have made the administrative and other overheads on a transaction so huge that any system would need massive volumes to pay them off. Developing economies do not have these volumes.

So what do we do? We cannot do nothing. The reason for this is that crooks always move to the weak point in the system. If the developed world is successful with their expensive security systems and the weak point becomes the developing world then they would have succeeded in exporting fraud, etc. into the developing economies and we would have to accept that we are, indeed, basket cases. So this is not an option.

We have to find sustainable and appropriate ways of implementing cyber-security while still using the same systems that everyone else uses, ie Visa, MasterCard, Sprint, etc.

I like the eBay / reputational suggestion below. The problem is that eBay does not settle to any developing world. They welcome you as a buyer, but they will not settle you as a merchant. This is the problem with private systems. Individuals and profit margins make the rules.
What we have been experimenting with is the Management of Risk as opposed to the Prevention of Risk. Prevention is proving too expensive and too high an overhead for our infrastructure. However, with so few transactions, maybe we can just insure against the risk. Or, maybe, change our pricing so that we can build up a pool to fund risk when it happens. Believe it or not, this works out much cheaper than implementing some of the security protocols like EMV, 3D Secure, VbyV, etc.

There is something we are doing on the reputational side. We are moving away from universal VeriSign type certificates and starting to issue our own, cheaper certificates. This works very well and we have found that there are very few rejections of these certificates. It is incumbent on the Issuer to ensure that their reputation does not cause users to reject the certificate.

I would love to hear if anyone has any other ideas on how to approach these issues.

On Wednesday, September 29, 2004, [EMAIL PROTECTED] wrote:

Femi Oyesanya wrote: Organizations in developing Countries ought to adopt International Certification and accreditation standards. For example, ISO 11799. The challenge is finding qualified expertise to implement adoption of these standards.

I suppose Femi's suggestion could work for fairly established firms, but it would simply raise the barriers to small e-business development. Why don't we take the cue from empirical cases? Take eBay for example. While there have been cases of grand abuses (e.g., the laptop sale scandal a year or two back), it has remained a very popular site for incidental or systematic e-businesspersons. Trust is built by repeated transactions - and eBay aptly recognizes this by appending the net positive feedback you have from previous transaction partners (buyers and sellers) to the name you use on the site. A first-timer at eBay would readily be viewed with suspicion.
Many sellers avoid this risk by declaring outright they will not transact with anyone not having positive feedback. It becomes increasingly important then to maintain a good reputation (i.e., net positive feedback) to gain the trust of new buyers/sellers and maintain that of previous ones. Your reputation becomes the de facto certification of good business practice, and presumably, security.

From this rudimentary - if naive - case, what is seemingly important for developing countries are two things:

1) In lieu of harping on security for each individual firm, it might be better to ensure security at the marketplace - i.e., where transactions are conducted; and
2) the guarantee of security is not in keeping information closed, but rather, transparent - open and accessible.
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear GKD Members,

Based on its sheer size and endowed resources, Nigeria is a power house of economic gain for determined investors (locally and internationally). However, economic frauds are rife in the country's system as it seems to have become a culture to conduct business dubiously. Also, the growth of Internet use verges on exponential. On the flip side however, this presents vast opportunities for economic security providers to establish credible measures to make e-commerce a truly safe medium to conduct transactions in Nigeria. Is anyone really looking into this? I'd like to help.

Leo Waters

Best regards, God bless,
Leo D. Waters
Tel: +234(0)805.506.7103, or +234(0)802.338.1628
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
On Monday, September 27, 2004, Global Knowledge Dev. Moderator asked: When countries are branded as unsafe for e-commerce, what can innocent companies do to rescue their own e-commerce efforts?

The hallmark of e-commerce is that it involves a transaction that takes place across time and space, and in the first instance involves a virtual transaction (the order, the payment, etc.) with the good or service to follow. This is in contrast to a commerce transaction at a time and a place, where frequently the produce is examined (book, appliance) and received or consumed (food, parking) at the time of the purchase.

It comes as no surprise that fraud artists try to take advantage of this temporal and spatial distance to engage in deception. In the past the same has been done via postal service, telephone service, fax, and any transactions venue where there is a degree of separation between the perpetrator and the intended victim. Scams and fraud can go in both directions, with either the buyer or the supplier as the victim. For developing and transition economies, newly emerging on the global economic stage, the larger victim is the growth of their e-commerce sectors.

However, what is different about e-commerce is that the distances can be greater but the speed of transactions is faster. This has a negative side, but it also has a positive side. The negative side is that it is harder for the client (consumer, buyer, etc.) to carry out due diligence with respect to the integrity of the supplier, and it is harder for the supplier to prove (or build) a reputation for trust and integrity. Both factors cause reluctance on the part of potential clients and stifle the growth of the e-commerce sector.

Previous postings to this thread have focused on the role of governments in promoting the integrity of the e-commerce sector, either via internal policies, or adherence to international standards.
That is well and good but presumes that national governments have that top down administrative ability and power, when many do not.

There is a second avenue that should not be minimized, one that involves a bottom up strategy. The same digital venue that makes e-commerce possible across time and space also makes collaboration possible across time and space. E-commerce ventures residing in locations where they are likely to be tarred with a negative brush - because of location - can consider strategic alliances with relevant e-commerce service providers that are located elsewhere, and that have brand name acceptance. This need not be a subservient relationship, nor a permanent relationship, but it can be a stepping-stone relationship that allows a country's e-commerce sector to grow to the level where it can stand on the world stage in its own right.

One of the strengths of the digital venue is that it supports collaboration across time and space. Collaboration in the building of an e-commerce sector will likely produce a healthy national, but globally positioned, e-commerce sector faster than trying to just go it alone and hope for governmental top down policy help.

Sam Lanfranco
Distributed Knowledge Project
York University
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear GKD Members,

I am an educator in the areas of Computer Security, Cyber Crime, Computer Forensics and IT Security Policy, therefore, I will admit a potential bias in my thoughts on the matter under discussion here.

I do believe the first and most critical step towards allowing developing countries (e.g., countries on the African continent) to more fully take part in electronic commerce and the deployment of a secure IT infrastructure is to institute educational training programs in Information Technology and the Secondary and Post-Secondary level. E-Centers and CSIRTs can more easily be implemented by educational institutions that are developing the necessary and qualified work force in the first place. Further, the educational institutions, if self-managed, provide at least one degree of separation between governments and the e-Centers and CSIRTs often raising the credibility of the latter organizations.

I hope my comments on this list have been helpful. I welcome any response or further discussion.

Thank you,
Ajay Gupta, CISSP
Director of IT Security Services
[EMAIL PROTECTED]

On Tuesday, September 28, 2004, Olu Olatidoye wrote:

The e-Center solution is based on the proven Electronic Commerce Resource Centers (ECRC) framework with the proper infrastructure adapted to the cultural environment in African countries.

...snip...

I see a need for e-Centers in Africa, because if one link of the Global economy pipeline is unsecured, then the rest of the pipeline is vulnerable. This calls for a collective solution.

...snip...

As simple as this may sound to the members of this forum, about ten years ago, in the US, there had to be a Value Added Network (VAN) provider to handle the secured business transaction environment which later led to more companies handling their own data as the internet became more secure. There is a need for e-Centers in African Countries that will focus on the EC/EDI and Cyber-Security infrastructure.
Some of the functions of the e-Centers will be and not limited to, 1) Education and Training, 2) Outreach and Technical Support 3) Technology Development that will address EDI. The continent of Africa can draw on existing expertise in the E-Commerce infrastructure industries, with special regard to the cultural environment. However, most of the time, due to the greed of some government officials in some countries or lack of understanding, they deal only with vendors that will sell them equipment and not a solution.

...snip...

Along with the establishment of e-Centers, what any country in Africa will also need are Computer Security Incident Response Teams (CSIRT). The main role of a CSIRT is to create trust links between itself and its constituency, on one hand, and between itself and the other CSIRTs.

...snip...

With the progressive development of networks and information systems in Africa, the continent needs to develop CSIRTs. Unless she does so, information systems in Africa will be an attractive choice for all the hackers in the world, because they will know they can use them and abuse them without any risk of being discovered.
Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear GKD Members,

My name is Bogdan Manolea and I work as a Legal Adviser for RITI dot-Gov (Romanian Information Technology Initiative), a 3-year project funded by USAID - part of the dot-Com alliance, and implemented in Romania by Internews. See more about our project at www.riti-internews.ro

I will try to answer part of these questions, based on our expertise so far.

On Monday, September 27, 2004, Global Knowledge Dev. Moderator asked:

1) Who must take what steps to build global e-commerce systems? WTO? Donors? Transaction companies such as Paypal and Visa? Governments? Private firms?

I would say that the transaction companies have very little interest to expand their business in the developing countries. I know the experience from Paypal that has been more than reluctant to expand in Romania (but also in other SEE countries), even though a lot of businesses have shown their interest in promoting their business model.

But let me mention that there are no global e-commerce systems yet available. And this raises questions in the developing countries private sector. What system to adopt? A system based on credit-card processing? Can that be a good solution, when the people in these countries do not have the habit of buying with the credit-card and when the credit/debit cards are used by 90% of the population to withdraw cash from ATMs? A system based on electronic money? Paypal has been a very successful solution in US, but in Europe - even though there is an e-money directive, the market has not been so eager to promote such systems (except probably moneybookers.com).

If such global e-commerce systems could be set up by governments, with involvement of the transaction companies and the major private firms - then what a developing country will need is just clear conditions which state what needs to be accomplished in order to access this system.

3) Within countries, who must take what measures to build cyber-security and trust among consumers? The government? NGOs?
Businesses? Citizens?

If you are talking about cyber-security related to e-commerce the answer should be: the businesses together with NGO's - or even e-commerce businesses gathered in an NGO. However, in the developing countries with a young private sector, the consumers trust more the system where the government (the state) is involved. I wouldn't support a government-run trusting system, but it could be an advantage if such a system could be endorsed or supported by the state.

4) What solutions are working? Are there tools and techniques that have been effective and would be appropriate for developing countries?

I think that the trustmark system has not been developed and tested enough in the developing countries. It could be a good solution to create trust in e-commerce. Some newcomers in the credit card processing system have tried to use the VISA and MasterCard names as a trustworthy mark.

5) How can organizations in developing countries get certified in order to build trust among potential e-customers? Do certification agencies have a responsibility to support cyber-security in developing countries?

Usually, the companies are complaining that there are not (enough) local certification agencies and therefore they need to go abroad and pay a lot for a certification. The Romanian Ministry of ITC (see www.mcti.ro) has tried to back up such a system for Home-banking and Internet-banking applications in order to increase confidence - basically all the banks who have such systems are required to have an independent IT security audit on their product, based on which they receive a confirmation from MCTI. The number of users of these applications has increased, but it is still too early to say if such a system is the best solution possible.

6) When countries are branded as unsafe for e-commerce, what can innocent companies do to rescue their own e-commerce efforts?
Unfortunately, Romania is one of the countries that is on the black list on some e-companies due to fraud problems. The situation is causing problems for 2 categories:

- consumers that are not allowed to buy from international e-shops (e.g. amazon.com, godaddy, etc).
- companies that are trying to promote e-commerce applications in Romania face problems of mistrust not only from consumers, but also from the banks who refuse to implement such a system.

What can be done?

* first - to stop cybercrime and Internet frauds as much as possible. Good legislation is just one step. Implementing that legislation is the most difficult part though.
* second - to work on proving that secure solutions can be developed for e-commerce. This is a hard and long process, but it can be done. The banks will be convinced sooner or later that e-commerce is a good business for them, too. And the consumers will follow the banks. But that needs a lot of time and effort involved.

Regards,
Bogdan Manolea
Legal Coordinator
RITI dot-Gov - Romanian Information Technology