A Broader View of Information Risk during Internet Transactions

James Lee Jr., Merrill Warkentin, Allen C. Johnston
2016 Communications of the Association for Information Systems  
Ubiquitous networking facilitates Internet access across multiple network environments, whose value is tied directly to user perceptions of its ability to securely execute transactions. Prior research has cited awareness, trust, and risk as critical determinants of adoption but has failed to examine these factors as they relate to infrastructure and its provider. Because information in transit is at risk from a network environment's vulnerabilities, we focus on the implications of such risk on ... Internet activities. We examine the multiple parties that must be trusted to complete and facilitate an online transaction. We propose that the user must trust not only the information recipient to act benevolently but also the technologies and organizations that facilitate the online exchange.

Focusing at the other end of the transmission, the attacker could leverage the victim's intended information recipient by using impersonation or masquerading attacks, replay attacks, and modification attacks. Impersonation attacks use the captured information to mimic the victim. Similarly, a replay attack mimics the victim by replaying the captured packets against the victim's intended destination system. If the system uses improved authentication mechanisms and session sequencing, the attacker would execute a modification attack by modifying the information in the packets prior to replay (Stewart et al., 2008). Alternately, if the user and the endpoint use additional advanced authentication encryption techniques, the attacker could use a man-in-the-middle attack the way the hacker did in the introductory scenario. This attack permits malicious individuals (Willison & Warkentin, 2013) to intercept a communication between two parties by splitting the original connection, spoofing the encryption certificates, and acting as a proxy to the victim. Victims believe they are securely communicating with the intended endpoint but they are communicating through the attacker (The Open Web Application Security Project, 2009). Figure 2 illustrates the attack, which compromises the victim's confidentiality and integrity and allows the attacker to view and modify the victim's transmission (MITRE, 2011).
A successful man-in-the-middle attack enables the attacker to perform additional attacks such as address resolution protocol spoofing, directory name service spoofing, and hyperlink spoofing to redirect the victim to the attacker's desired destinations (The Open Web Application Security Project, 2009).
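
The replay and modification cases described above, seen from the receiving system's side, as an added example that is not from the paper: a receiver that authenticates every packet with an HMAC computed over a sequence number and the payload. The key, the packet layout, and the names `seal` and `Receiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, shared by sender and receiver
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
HDR_LEN = 8                             # 64-bit big-endian sequence number


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: packet = sequence number || payload || HMAC(seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts a packet only if its tag verifies and its sequence number is the next expected."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, packet: bytes) -> str:
        if len(packet) < HDR_LEN + TAG_LEN:
            return "rejected: malformed"
        header, payload, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Integrity first: any change to the header or payload invalidates the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified"
        (seq,) = struct.unpack(">Q", header)
        # Session sequencing: an authentic packet seen before carries an old number.
        if seq != self.next_seq:
            return "rejected: replayed or out of sequence"
        self.next_seq += 1
        return "accepted"


def demo() -> list:
    rx = Receiver(KEY)
    p0 = seal(KEY, 0, b"constructed payload A")
    p1 = seal(KEY, 1, b"constructed payload B")
    results = [rx.accept(p0), rx.accept(p1)]
    results.append(rx.accept(p0))  # the captured first packet delivered again
    # the captured packet with only its sequence field rewritten to the expected value
    results.append(rx.accept(struct.pack(">Q", 2) + p0[HDR_LEN:]))
    return results


if __name__ == "__main__":
    print(demo())
```

Sequencing alone stops the unmodified replay; the rewritten packet is stopped only because the tag also covers the sequence field.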
doi:10.17705/1cais.03808 fatcat:qghwroyrz5eo5cg7pm3mmejvpa