Question

Can traditional contract law that applies to third-party beneficiary contracts, assignments, and delegations, apply to those same types of contracts entered into on the Internet? Why or why not? What is the current state of technology for protecting online transactions? How can a party be assured that the negotiation and transmission of a contract online is secure? How can the performance of a contract be monitored online?

Solutions

Expert Solution

A third-party beneficiary, in the law of contracts, is a person who may have the right to sue on a contract, despite not having originally been an active party to the contract. This right, known as a ius quaesitum tertio,[1] arises when the third party (tertius or alteri) is the intended beneficiary of the contract, as opposed to a mere incidental beneficiary (penitus extraneus). It vests when the third party relies on or assents to the relationship, and gives the third party the right to sue either the promisor (promittens, or performing party) or the promisee (stipulans, or anchor party) of the contract, depending on the circumstances under which the relationship was created.

online transactions

The trusty telephone is emerging as one of the key elements in new multifactor authentication schemes designed to protect online banking and other web-based financial transactions from rapidly evolving security threats.

New federal guidelines, which took effect last month, recommend multiple layers of security controls beyond the traditional username/password, particularly out-of-band authentication methods.

While the Federal Financial Institutions Examination Council (FFIEC) rules apply specifically to banks, credit unions, mortgage lenders, and savings and loans, every organization that deals in online financial transactions such as shopping portals, credit card companies, online bill payments, etc. is affected.

Point, counterpoint

One of the main weapons in today's hacker arsenal is password phishing. In this scenario, hackers use phishing emails to steal online banking credentials and break into user accounts.

In response, banks and other financial institutions have deployed technologies like device identification, challenge questions and one-time password tokens, according to Sarah Fender, vice president of product management at authentication vendor PhoneFactor.

Forrester analyst Andras Cser emphasizes that login IDs and passwords are no longer enough. He says preselected images, challenge questions, device information, and device reputation are all effective second factor authenticators.

But the problem with many of those "in-band" authentication methods is that the device itself might be infected with malware, adds Fender.

Plus there are more advanced threats, such as keyloggers, Man in the Browser (MITB) and Man in the Middle (MITM) attacks, which require even more sophisticated security measures.

Gartner analyst Ant Allan says, "Virtually every authentication technique can be compromised or circumvented. Authentication is better than legacy passwords to minimize the risk for 'quick and dirty' attacks such as phishing, but there is a limit to the utility of seeking higher-assurance methods that are harder to compromise directly. At some point, the attackers will move to MITB attacks, which hijack already authenticated sessions, effectively bypassing authentication, to manipulate transaction details or insert bogus transactions."

Allan says there are two advanced technologies that are effective in combatting the current crop of attacks: Web Fraud Detection and Transaction Verification.

According to Allan, Web Fraud Detection evaluates contextual information about the user's connectivity (endpoint identity, geographic location, and so on) and looks for anomalous transactional behavior (compared to user history and to other users; e.g., are multiple users making transfers to the same new account?). (See "Well organized, sophisticated, fast cybercriminals scare U.S. banks".)

Transaction Verification uses a number of techniques to confirm that the transaction details received by the bank (a) originated with the user and (b) are what the user intended. Interactive transaction confirmation via an out-of-band method, as outlined in the FFIEC guidance, is effective for desktop browser sessions and is possibly the most attractive option.

Of course, there are even more robust security methods -- OTP (one-time password) hardware tokens with PIN pads and the EMV (Europay, MasterCard, Visa) payment card readers -- but banks have run up against customer resistance to these types of security measures.

State-of-the-art authentication

Here are some of the current options for effective authentication of online transactions.

- Risk-based authentication

An example of risk-based authentication is CA Arcot's RiskFort, a sophisticated tool that incorporates analytical fraud models based on a statistical analysis of transaction and fraud data.

"RiskFort collects a wide range of data about each login or transaction to produce a risk score derived from analytics and rules," says Ram Varadarajan, general manager at CA Arcot Security solutions, CA Technologies.

He adds, "The risk score determines what action, if any, to take for a given transaction, such as requiring a higher form of authentication. This is a scenario where risk-based authentication works collaboratively with strong authentication. If a transaction appears suspicious, another factor of authentication can be invoked to 'step up' the authentication and security."

- Versatile Authentication Platforms

Entrust offers IdentityGuard and TransactionGuard. "IdentityGuard handles strong authentication in breadth as well as depth. It supports hard tokens, soft tokens, smart cards, SMS tokens, geo-location, eGrids, and more. Authentication could be relatively simple for clients using their own computers from their own homes, but increases in depth if they are using a hotspot, and even more if they are in another country," says Jon Callas, CTO at Entrust.

One improved technology is Entrust's patented electronic grid (eGrid), a simple, two-factor authentication system that requires little to no supporting technology. It's a grid of two-character codes indexed by letters and numbers. A bank can ask a user, for example, to provide the codes for E4, A1, H3. The user looks them up on his/her eGrid and replies CX, G3, 23 (which is, obviously, different on every card), and if the corresponding table matches, then the authentication is correct.

"Note that it doesn't require users to have a smart card, a token, or any other supporting technology," adds Callas. "It can be printed, kept as a picture, embossed on a badge or almost anything else. I have one that's a picture, which I keep on my iPhone, and I use it to authenticate to web mail."

- Phone-Based Authentication

"Phone-based authentication is swiftly becoming the method of choice," says PhoneFactor's Fender. "These systems leverage the user's telephone as the trusted device for the second factor of authentication. Telephones are extremely difficult to duplicate and phone numbers are extremely difficult to intercept. The combination of the phone and a username with password yields strong, multi-factor authentication with minimal impact on the user experience."

She adds, "PhoneFactor users can choose whichever authentication method they prefer such as phone call or text message, and all these solutions provide the same level of out-of-band security and convenience. Additional security features include PIN mode, voiceprint, and transaction verification, which can be mapped to particular users and/or levels of risk."

- Image-Based Authentication

One clever, new technology by Confident Technologies uses images on a touch screen phone for authentication. Unlike multi-factor authentication processes that send a one-time, text message, pass code to the user's phone, this technology provides a secure second factor by encrypting a one-time pass code within an image-based authentication challenge.

"When an authentication requirement is triggered, users identify pictures on their phone screen that match their previously selected, secret categories," says Curtis H. Staker, CEO at Confident Technologies. "For example, if a user preselects the categories called cars, food, and dogs, a grid of 12 (or so) images appears that contains various images, three of which fit their categories such as a Corvette, a hamburger, and a beagle. By correctly identifying the pictures that match their secret authentication categories, users are, essentially, re-assembling the one-time pass code that was encrypted within those pictures. Importantly, the process remains completely out-of-band from the web session."

"This concept of image categories is intriguing," says Scott Crawford, managing research director at Enterprise Management Associates, "Particularly for mobile or touch screen form factors (where text input can be a challenge) and for cross-cultural or multi-language use cases, but the technique may beg the question as to whether or not users can consistently remember the categories they have chosen."

Staker adds that the specific images displayed are different every time, but the users' categories always remain the same. "This makes it difficult for anyone else to determine the users' secret categories. Even if someone else gained possession of the mobile phone or intercepted the communication, they would not be able to authenticate because the one-time password is encrypted within the images," adds Staker.

- Biometrics

Biometrics include authentication properties such as face recognition, fingerprint identification, hand geometry biometrics, retina scan, iris scan, digital signatures, and voice analysis.

"I'm not sure if biometrics is considered new, but it's definitely improved, and it's an area that ebbs and flows, as far as interest is concerned," says Chris Silva, mobile industry analyst at Altimeter Group. "The newest buzz in biometrics that's garnering attention in the mobile space is facial recognition. It has a lot of promise for the devices that we all carry around with us, which have limited physical keyboards (or none at all) and often need to be accessed while we're multi-tasking."

"Voice recognition, face topography, and iris structure are emerging technologies that also look attractive when you can leverage a user's mobile phone as a capture device (all have mikes and most have user-facing cameras)," adds Allan. "Most of these technologies are relatively passive and unobtrusive, making for a good user experience."

Many companies are experimenting with biometrics as an additional layer of security; for example, PhoneFactor uses Voiceprint Verification as a third factor of authentication on top of its other offerings.

"Using an existing voice channel, PhoneFactor simultaneously verifies something you have (your telephone) and something you are (your voiceprint) for the second and third factors of authentication," says Fender. "Voice verification provides one of the strongest levels of authentication without the high costs typically associated with biometric authentication."

Companies often consider the negotiation and approval of contracts as the complicated and time-consuming aspect of contract management. However, a lot of the real work starts once the deal has closed and all relevant documentation has been executed. Just because everyone has come to an agreement and has formalized the terms in writing, the parties involved cannot simply toss those written documents aside and forget about them.

It is the responsibility of the parties to a contract to thoroughly examine the contents of it, as well as any amendments, addenda, or other pertinent information, so that they are fully apprised of their role and responsibilities moving forward.

These are six of the most effective tools to monitor contractor performance:

  1. Contractor Progress Reports
  2. Contractor Quality Assurance Plan (QAP)
  3. Quality Assurance Surveillance Plan (QASP)
  4. Earned Value Management (EVM)
  5. Performance Assessment
  6. Product or Service Inspection & Acceptance

The use of these six tools will vary based on the type and complexity of the contract, direction from the Contracting Officer (CO), and the experience and performance of the contractor. But effective contract management depends on how the COR performs his/her role and how effectively the COR uses the tools available to monitor contractor performance.

Negotiation and transmission of online contract is secure

The Contract Process

This is the first article in a series on the negotiation and management of security service contracts. As will become clear during the next 5 articles, agreeing written contracts for security services is a difficult yet important process. The contracts deal with issues of high risk, are often for long terms and their content is both complex and specialist.

Managing the process is no simple task as the parties need to co-ordinate large teams and resolve difficulties whilst also attempting to achieve milestones in a timely manner. Additionally, negotiation can often be lengthy, testing the goodwill of both sides. The process of negotiating and finalising the contract itself deserves special attention along with key terms which often prove difficult to negotiate, so this series will deal with both the process and those key terms. Although there are no ‘shortcuts’ there are certain ways the process can be managed to ensure it is both smooth and time efficient.

Process

At the start of the process both parties will need to take actions that help establish the relationship, outline the steps that will need to be taken throughout the process and protect their interests:

  • The seller will need to carry out an examination of the buyer’s business and security requirements both for purposes of risk assessment and preparation of assignment instructions.
  • The seller will also need to review the detail of information about the employees of the outgoing provider.
  • The buyer will often insist that the seller enter into commitments of confidentiality by a confidentiality letter or a non-disclosure agreement (NDA) which are perfectly enforceable in law provided that they are well drawn up.
  • I also recommend the parties enter into a letter of intent (LOI), or heads of terms, to set out in brief everyday language the key terms of the agreement which the buyer and the seller are in the course of negotiating.
    • The LOI should contain a timetable setting out milestones to be achieved along the way to contract signature.
    • LOIs should be expressed to be non-binding, allowing them to be safely used as a convenient vehicle for negotiating the key terms of the contract, before drafting of the contract itself begins.

The buyer may wish to proceed by invitation to tender; if so, then that process itself dictates that a timetable is used, and my experience tells me that the same discipline should be employed in all negotiations of security contracts. In the course of agreeing the timetable, the parties should pencil in one or two round table meetings within the process just in case they are necessary to resolve difficulties. A meeting at the right time can save weeks of unproductive communications.

It is important for each party to appoint a team of people to work on the contract process. These will include operations, finance, management, health and safety, human resources and legal.

Many of the issues which cause problems in bringing a contract to final signature are legal, typically involving the issues which will be discussed in the following articles. The lawyers on each side should be permitted to talk to each other to resolve these legal issues. In my experience it does not help for these issues to be negotiated by the commercial members of each team, who will tend to adopt a strong defence of their company’s position, but will not be qualified to find the workaround which will be required to bring the contract to signature.

The first draft of the agreement can be provided by either the buyer or the seller. If it is provided by the buyer, it may be an adaptation of a general purposes procurement agreement. Alternatively the seller may provide his own contract. In either case all too often the terms offered by one party to the other are one-sided in favour of that party, and in effect challenge the other party to pick up every single point and turn it round to a reasonable position. There is no harm in that approach provided that both parties are aware of what is achievable in negotiation, and move to those acceptable positions without undue delay or acrimony.

The contractual process is vitally important. If it is project managed properly, using the process which I have described, which includes proper preparation in advance and knowledge of the issues likely to be negotiated, the contract negotiation can be achieved in accordance with a good timetable, on time and with an enhanced working relationship between buyer and seller.
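
The grid-card challenge described in the eGrid paragraph above (the bank asks for cells such as E4, A1, H3 and checks the codes returned) can be sketched as follows. This is an added illustration, not Entrust's code and not part of the original answer; the card size, code alphabet, lockout threshold and every class and function name are assumptions.

```python
import hmac
import secrets

COLS = "ABCDEFGHIJ"      # assumed column labels
ROWS = "12345"           # assumed row labels
ALPHABET = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed; I and O left out
MAX_FAILURES = 3         # assumed lockout threshold


def issue_card():
    """Build a card: cell name such as 'E4' -> random two-character code."""
    return {c + r: secrets.choice(ALPHABET) + secrets.choice(ALPHABET)
            for c in COLS for r in ROWS}


class GridAuthenticator:
    """Server side: stores cards, the open challenge and failure counts."""

    def __init__(self):
        self.cards = {}      # user -> card
        self.pending = {}    # user -> cells of the open challenge
        self.failures = {}   # user -> consecutive failed answers

    def enroll(self, user):
        self.cards[user] = issue_card()
        self.failures[user] = 0
        return self.cards[user]  # handed to the user once, e.g. printed

    def challenge(self, user, cells=3):
        if self.failures[user] >= MAX_FAILURES:
            raise PermissionError("grid factor locked for this user")
        # Cells come from a CSPRNG so an observer cannot predict the next ask.
        picked = secrets.SystemRandom().sample(sorted(self.cards[user]), cells)
        self.pending[user] = picked
        return picked

    def verify(self, user, answers):
        # pop() makes each challenge single-use: a replayed answer has
        # nothing to be checked against.
        cells = self.pending.pop(user, None)
        if cells is None or self.failures[user] >= MAX_FAILURES:
            return False
        expected = [self.cards[user][cell] for cell in cells]
        given = [a.strip().upper() for a in answers]
        # Compare cell by cell in constant time; the list forces every
        # comparison to run even after a mismatch.
        ok = len(given) == len(expected) and all(
            [hmac.compare_digest(e.encode(), g.encode())
             for e, g in zip(expected, given)])
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


if __name__ == "__main__":
    auth = GridAuthenticator()
    card = auth.enroll("alice")          # constructed sample user
    asked = auth.challenge("alice")
    print("asked:", asked, "->", auth.verify("alice", [card[c] for c in asked]))
```

Because each login reveals only a few cells, the failure counter and the single-use challenge are what keep an observer from collecting the card over repeated attempts.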

