Internet banking and online shopping have brought tremendous
convenience to commercial transactions. Nothing, however,
comes without a price, and the cost in this case is
the pitfalls of dealing with a financial institution
or retailer in the ephemeral world of cyberspace. Despite
efforts to guarantee security for online transactions,
your vendor might not always be who it appears to be.
Internet fraud, made possible by the anonymity and
electronic illusions of the online world, already includes
some well-established scams: fake websites; "phishing"
for personal information with deceptive emails; online
auction invitations - targeting both buyers and sellers;
the Nigerian advance-fee pitch; winning lottery numbers
for an upfront payment; quirky business opportunities;
work-from-home plans; and faked forms that require your
credit-card number.
One recent website deception started with an email
asking certain Internet banking users to update their
account information to combat "inactive members,
frauds and spoof reports". A hyperlink led to a
form where customers updated their information. The
URL, however, was not a legitimate web page: it was
a cleverly designed facsimile, called "a ghost".
As users completed the form, the information went straight
to the fraudsters.
Another frequent scam involves phoney job advertisements
posted on genuine recruitment sites. A fictitious overseas
company offers to forward funds to anyone wishing to
act as an agent. To qualify for the job, a candidate
need only supply the requisite personal information.
Customer-account data is sometimes obtained when users
open an e-mail ostensibly from their own bank. The message,
however, carries a "trojan" program (a keylogger), which
installs itself on the user's hard drive and records every
keystroke, transferring the data to the criminal.
Avoiding Internet bank fraud, however, is not particularly
onerous:
- To ensure you are visiting the correct site, check
the URL with the Hong Kong Monetary Authority, The
Hong Kong Association of Banks or the bank in question.
- Type in the URL yourself. Do not rely on search keywords,
and never follow a hyperlink.
- Once on the desired web page, users can verify site
ownership by double-clicking the padlock in the bottom
right-hand corner of the web browser, which displays the
site's certificate.
This is the symbol for a standardised protective protocol
called the Secure Sockets Layer (SSL), which creates a secure
"tunnel" between a browser and a server. The
tunnel ensures that all data passing between the two
devices remains encrypted and confidential. A web server
requires an SSL certificate to establish an SSL tunnel.
Most e-banking sites allow users to log in using either
a username and password, a digital certificate, or both.
While the username/password is convenient, security
considerations favour the use of digital certificates,
because a certificate the user must possess adds a second
authentication factor to the password.
The most common crime scene for Internet theft, however,
is online shopping. Because almost anything can be purchased
online, a host of criminal opportunities are available.
Many of the precautions a consumer can take are similar
to those for e-banking, although online shopping can
be even more difficult to judge because of the sheer
volume of sites.
Two specific shopping tips can help:
- Always shop on well-known sites such as eBay and
Amazon.
- Check whether an online authority such as WebTrust
has approved the website. When a site gains
authority approval, it receives a "trusted"
logo, which is posted on the site.
Mobile Authentication
The credit card is perhaps the most popular tool for
online purchases, and this has made card security a critical
aspect of global e-commerce. A new "Mobile Authentication"
technology, in the latter stages of development by Digi-Sign,
may prove the solution to many security issues.
Currently, mobile authentication is done via SMS text messages. Many
banks already use SMS to alert credit-card owners at
times when a merchant seeks verification. However, a
problem can occur when the user responds with a personal
identification number (PIN), because SMS is not encrypted.
Hong Kong's Digi-Sign Certificate Services Limited
is testing a solution based on the sophisticated mathematics
of public/private key cryptography embedded in the Wireless
Application Protocol (WAP) standard.
Digi-Sign embeds your private key in a special SIM
card that includes a WAP function called the Wireless Identity
Module (WIM), which stores the key in a tamper-proof area
of the card.
When a bank seeks confirmation for a credit-card payment,
your phone will ask you to enter your PIN. Instead of
sending the number, however, the phone will generate
and send a digital signature.
Your PIN can never be intercepted. Private-key forgery
is astronomically unlikely. Payment can be falsely authorised
only if someone has both stolen your telephone and learned
the PIN for your private key.
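The confirmation exchange described above, modelled as an added example that is not Digi-Sign's code: the bank issues a challenge, the handset signs it only after the locally checked PIN unlocks the key, and the bank verifies with the public key it registered at enrolment. It assumes Ed25519 signatures, a bank-chosen nonce and a merchant/amount challenge format, none of which the article specifies, and it also rejects replayed or altered messages, a check a practitioner would add even though the article does not mention it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PaymentChallenge is the bank's confirmation request; a fresh nonce per payment stops replays.
type PaymentChallenge struct {
	Merchant, Nonce string
	AmountHKD       int
}
// Bank holds only the public key registered at enrolment and the nonces already spent.
type Bank struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}
// message is the canonical byte string signed by the phone and verified by the bank.
func message(c PaymentChallenge) []byte {
	return []byte(fmt.Sprintf("%q:%d:%s", c.Merchant, c.AmountHKD, c.Nonce))
}

// Enrol makes the key pair: private half sealed inside the returned signer (the SIM's role), public half to the bank.
func Enrol(pin string) (func(enteredPIN string, c PaymentChallenge) ([]byte, bool), *Bank) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(enteredPIN string, c PaymentChallenge) ([]byte, bool) {
		if enteredPIN != pin { // PIN is checked on the handset and never transmitted
			return nil, false
		}
		return ed25519.Sign(priv, message(c)), true
	}
	return sign, &Bank{pub, map[string]bool{}}
}

// NewChallenge issues a payment request carrying a random 64-bit nonce.
func (b *Bank) NewChallenge(merchant string, amountHKD int) PaymentChallenge {
	nonce := make([]byte, 8)
	rand.Read(nonce)
	return PaymentChallenge{merchant, fmt.Sprintf("%x", nonce), amountHKD}
}

// Verify accepts only a valid signature on an unspent challenge, so replays and altered messages fail.
func (b *Bank) Verify(c PaymentChallenge, sig []byte) bool {
	if b.seen[c.Nonce] || !ed25519.Verify(b.pub, message(c), sig) {
		return false
	}
	b.seen[c.Nonce] = true
	return true
}
```

What travels over the air is the challenge and a signature over it; neither the PIN nor the private key ever leaves the handset, which is the property the article relies on.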
Ultimately, this solution is not limited to mobile
phones - a private key can be stored in any electronic
medium, offering a long-term boost to the credit-card
industry - and requires only that the authenticating
company be well-established in the business community.
The role is perfectly suited to Digi-Sign, a wholly
owned subsidiary of Tradelink Electronic Commerce Limited,
which is a joint venture among the Hong Kong government
and several leading local banks and corporations. Learn
more about Digi-Sign and its certificate offerings at http://www.dg-sign.com/.