Incident 1 Teaching Note

DARE Risks of CPA Assurance of WebTrustSM Electronic Seals

and of DataTrust Privacy of Cookie Jars

John E. Howland, Department of Computer Science, Trinity University

Robert E. Jensen, Department of Business Administration, Trinity University

Table of Contents

Question 1.1
Question 1.2
Question 1.3
Question 1.4
Question 1.5
Question 1.6
Question 1.7
Question 1.8
Question 1.9
Question 1.10

 

Question 1.1
What is the WebTrustSM Electronic Commerce Seal that is now offered by an increasing number of public accounting firms who provide assurance services? What are the three broad categories of WebTrustSM (referred to in the case as LogoTrust, TransTrust, and DataTrust)? How did WebTrustSM come about and what is the AICPA/CICA relationship with VeriSign?

[Hint: Start your search at the AICPA web site http://www.aicpa.org/news/p091697a.htm and then go to the VeriSign web site at http://www.verisign.com ]

Verifying that the company or person on the other end of the line is truly that company or that person has become known as authentication. The best-known web authentication service is VeriSign. In a single press release on September 16, 1997, the American Association of CPAs and the Canadian Institute of Chartered Accountants announced the public/chartered accountant WebTrustSM Electronic Commerce Seal. The Seal was to be used by member firms that offer assurance services in the broad areas of the following:

  1. Business Practice Disclosures
  2. Transaction Integrity
  3. Information Protection

Employees engaged in WebTrust activities are required to meet training standards set by the AICPA and the Canadian CICA.

In the area of authentication services, the best-known current provider is VeriSign at the URL shown in the "hint" above. VeriSign provided the expertise to make the WebTrustSM online Seal difficult to forge.

Question 1.2
How do the logo assurance services of the BBB Online program at http://www.bbb.com and the TRUSTe DataTrust assurance services at http://www.TRUSTe.com differ? What comparative advantages do public accounting firms have vis-à-vis these two competitors who are not public accounting firms?
[Hint: See G.G. Gray and R. Debreceny, "The Electronic Frontier," Journal of Accountancy, May 1998, 32-38.]

The Better Business Bureau offers an online LogoTrust service that is somewhat unique. The BBB Online logo appears at registered company web sites. At those sites, the BBB Online Logo is hyperlinked to the BBB Online site which verifies that the link came from a legitimate site. This LogoTrust service is similar to WebTrustSM services from VeriSign. However, VeriSign is better known in the digital signatures industry to date.

TRUSTe at http://www.TRUSTe.com is a DataTrust service aimed at protecting privacy rights and privacy agreements of companies and individuals that have shared information for an authorized purpose. For example, DataTrust is analogous to having an unlisted phone number. Telephone companies agree not to give out names, addresses, and phone numbers of persons who pay for unlisted numbers. In the case of listed phone numbers, however, telephone companies traditionally sell that data to anyone willing to pay the price for the data. Persons with listed phone numbers thereby find themselves deluged with telemarketers, junk mail solicitations, etc.

Unless web users have set their browser options not to accept cookies, companies build up information (e.g., names, addresses, phone numbers, product interests, browsing patterns, payment histories, etc.) that can be used and abused by companies such as DARE. For example, DARE may willingly or accidentally share cookie data (recipes?) with outsiders.

Definition of Cookies from Bob Jensen's Technology Glossary at http://www.trinity.edu/~rjensen/245glossf..htm :
Cookies
= Applets that enable a web site to collect information about each user for later reference (as in finding cookies in the cookie jar). Web Browsers like Netscape Navigator set aside a small amount of space on the users hard drive to record detected preferences. Many times when you browse a web site, your browser checks to see if you have any pre-defined preferences (cookie) for that server if you do it sends the cookie to the server along with the request for a web page. Sometimes cookies are used to collect items of an order as the user places things in a shopping cart and has not yet submitted the full order. A cookie allows WWW customers to fill their orders (shopping carts) and then be billed based upon the cookie payment information. Cookies retain information about a users browsing patterns at a web site. A good place to find out more about cookies is at http://www.illuminatus.com/cookie.fcgi . Also see http://www.doubleclick.net/ and http://www.ipro.com/. Cookies perform storage on the client side that might otherwise have to be stored in a generic-state or database server on the server side. Cookies can be used to collect information for consumer profile databases. Browsers can be set to refuse cookies. Other ways of controlling cookies or deleting selected cookies can be obtained from http://www.privnet.com/ and http://www.wizvax.net/kevinmca/. Source of definition: http://www.trinity.edu/~rjensen/245glossf.htm#Cookies1

Under the WebTrustSM program, accounting firms may offer DataTrust services similar to that of TRUSTe at http://www.TRUSTe.com. In fact TRUSTe uses Coopers & Lybrand and KPMG Peat Marwick accounting firms to conduct surprise investigations of possible misuse of the TRUSTe logo by its clients.

 

Question 1.3
What are the risks to consider when providing LogoTrust assurance services to DARE?
[Hint: See G.G. Gray and R. Debreceny, "The Electronic Frontier," Journal of Accountancy, May 1998, 32-38.]

LogoTrust has less risk than DataTrust because it guards against fewer things that can go wrong. LogoTrust assures users that the logo is being used legitimately. There are, of course, potential lawsuits if damages ensue from its misuse. Restraints such as limits to the dollar amount of a transaction are not much protection since any person or company using a logo for fraudulent purposes may also change the transaction restraints.

Risks are somewhat reduced following legislation in the U.S. Congress regarding joint and several liability of CPAs. The risk of being the deep pocket defendant left to bear all of the damages in failures that are only partly attributable to CPA firm negligence has been greatly reduced. CPAs, however, are still subject to having to pay whatever share of the damages that courts attribute to those CPAs.

Apart from lawsuit risks, there are risks of bad publicity and tarnished reputation for failed assurances. CPAs have a competitive advantage at the moment because of public perception of CPAs as honest and diligent. Entering into more risky services such as information security assurances might tarnish both the reputation of a particular CPA firm and the CPA profession in general.

Question 1.4
What are the risks to consider when providing DataTrust assurance services regarding confidentiality of DARE cookies?
[Hint: Cookies are explained at http://www.trinity.edu/~rjensen/245glosf.htm#Cookies1 ]

WebTrust assurances cover a broader range of electronic commerce transactions in addition to logo assurances. WebTrust can cover business practices and internal control. It requires more testing and professional competence in electronic commerce. Whereas some logo assurance services like TRUSTe require only after-the-fact self reporting, WebTrust service providers require client recertification every 90 days.

Question 1.5
What types of computing and network assurance services might the A&K CPA firm contemplate providing to DARE?
[Hint: See http://www.aicpa.org/assurance/scas/newsvs/index.htm and http://www.us.kpmg.com/irm/main.html ]

The broad spectrum of assurance services is given by the AICPA at
http://www.aicpa.org/assurance/scas/newsvs/index.htm
These include the following categories
:

  • Risk Assessment
  • Business Performance Measurement
  • Information Systems Reliability
  • Electronic Commerce
  • Health Care Performance Measurement
  • ElderCare
  • Other Opportunities

Those categories more closely aligned with computing and networking are Information Systems Reliability and Electronic Commerce. Information Systems Reliability is discussed in greater depth at http://www.aicpa.org/assurance/scas/newsvs/reliab/index.htm

Electronic Commerce Assurance Services are discussed in greater depth at http://www.aicpa.org/assurance/scas/newsvs/elec/index.htm

By way of illustration, instructors may want to have students discuss the various new security assurance services of KPMG at http://www.us.kpmg.com/irm/main.html

Question 1.6
Explain and illustrate the difference between information security policies versus security mechanisms.

The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

Question 1.7
What are the advantages and drawbacks of a password encryption system?

The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

Question 1.8
Explain how the Internet works in terms of IP addresses, packets, and routers.

    The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

Question 1.9
Define the major network protocols and explain the role of each protocol.

The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

Question 1.10
Discuss each of the following threats to network security:

Cracking Passwords

sendmail

Denial of Service

Repeated Attack

CGI Scripts

Windows NT Security

Denial of Service

Weak Passwwords, Authentication Attacks

Privilege Escalation

Noncaptive Environments

Cracking a fire-wall


The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

 

 

Incident 1 Case Incident 1 Solution Top of Present Document
Incident 2 Case Incident 2 Solution Top of Present Document
Appendix 1 to Case Appendix 2 to Case Appendix 3 to Case
Bob Jensen's Documents ACCT 5342 Documents Technology Glossaries