Smart moves to win consumer confidence

<div align="justify">

After faltering starts and the collapse of several high-profile online retailers and operators, the world of electronic commerce and transactions is finally establishing itself. Buying on the web has, for some consumers, become as commonplace and acceptable as buying over the phone or via traditional catalogue mail-order.

But it can still lack many of the safeguards and reassurances that a physical catalogue, call centre or order form can offer.

According to Richard Davis, sales director at security services provider HarrierZeuros, well-publicised failures among household names have succeeded in damaging trade.

"Unfortunately, a few highly publicised security failures have dented consumer confidence. But time is a great healer," he said.

The problem for many users is that there is often no obvious way to check whether a transaction is secure. From the web browser, the only generic indication is a small padlock in the corner of the screen that indicates when a secure sockets layer (SSL) connection is active.

There remains no unified platform for handling payments, and no single system for merchants to process inbound payments.

"The best advice to offer consumers is a business explanation of the measures that have been taken to protect the data, how it is stored and processed, and why these measures are implemented. These will all help to assure them and boost their confidence," explained Davis.

"On the whole, online trading systems are very secure. They implement SSL digital certificates, encryption technology, and have tight controls over the types of access that users can achieve."

Securing common transactions

Web transactions that rely on trust can be roughly divided into the following categories:

- Business-to-consumer retail
- Consumer and business banking
- Business-to-business trading and exchanges
- Web-based mail
- Web-based document access and management

In all these areas, SSL has been the traditional method for securing a connection. But it is an opt-in system for the developer, and does not necessarily secure a connection from beginning to end.

When dealing with banking or time-critical transactions such as those on trading exchanges, using encrypted data is paramount.

It not only secures the contents, but provides an audit trail for the data and prevents it being snatched off the web server on arrival.

"Problems that can occur with e-commerce include order details not being encrypted properly while stored on websites," said Chris Barling, chief executive at e-commerce software vendor Actinic.

"Another is where call backs from payment service providers are not protected against spoofing."

Spoofing is particularly troublesome. The lack of a single uniform standard means that there is no assured way to authenticate and trust the data you are exchanging with a customer or another organisation or body in the sale process.

The most popular platform is digital certificates. But even these are not foolproof unless all those involved keep them up-to-date and valid for the application.
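Barling's point about unprotected call backs is the one a merchant can fix unilaterally. The following added example (not code from the article or from any payment provider) shows a hypothetical provider-to-merchant callback verified with an HMAC over a timestamp and the message body, so that a forged "order paid" notice or a replayed genuine one is rejected; the header names, shared secret and payload format are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Shared secret agreed out-of-band with the payment service provider (constructed demo value).
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300  # callbacks older than this are treated as replays

def sign_callback(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over timestamp and body: what an honest provider attaches."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()

def verify_callback(body: bytes, headers: dict, now: int, secret: bytes = SHARED_SECRET) -> dict:
    """Return the parsed order update only if the callback is authentic and fresh."""
    try:
        ts = int(headers["X-PSP-Timestamp"])
    except (KeyError, ValueError):
        raise ValueError("missing or malformed timestamp")
    if abs(now - ts) > MAX_AGE_SECONDS:
        raise ValueError("stale callback (possible replay)")
    expected = sign_callback(body, ts, secret)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-PSP-Signature", "")):
        raise ValueError("bad signature (spoofed or tampered callback)")
    return json.loads(body)

def _rejected(body: bytes, headers: dict, now: int) -> bool:
    try:
        verify_callback(body, headers, now)
        return False
    except ValueError:
        return True

def demo() -> tuple:
    """Genuine callback accepted; forged and replayed ones rejected."""
    now = 1_700_000_000
    body = json.dumps({"order_id": "A1001", "status": "PAID", "amount": "49.99"}).encode()
    genuine = {"X-PSP-Timestamp": str(now), "X-PSP-Signature": sign_callback(body, now)}
    status = verify_callback(body, genuine, now)["status"]
    # Forged: someone marks another order paid without knowing the secret.
    forged_body = json.dumps({"order_id": "A1002", "status": "PAID", "amount": "0.01"}).encode()
    forged = {"X-PSP-Timestamp": str(now), "X-PSP-Signature": "0" * 64}
    # Replayed: the genuine callback re-sent an hour later.
    return status, _rejected(forged_body, forged, now), _rejected(body, genuine, now + 3600)

if __name__ == "__main__":
    print(demo())
```

The same check should also be paired with a lookup of the order in the merchant's own records, so a callback cannot change an amount the merchant never quoted.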

"Online security is a very low priority for some companies," said Phil Coates, technical director at The Solution Group.

"I subscribe to an ADSL service and recently had to re-enter my details on its website. My browser told me repeatedly that the security certificate was invalid or out of date.

"Until systems are more reliable and people understand how they work, internet fraud will continue. I come across forms every week that ask for my credit card details and claim to be secure, but are not."

The threat to trust from within

For users, the perceived threat to confidential data and to the trust relationship comes from external sources: the hacker who can intercept credit card details in transit, or create a website or mechanism for harvesting payment and personal data (see below).

But the threat is more likely to come from within the trusted organisation than from an external source.

"The internal threat can take many forms, from faulty software to someone looking to commit fraud by accessing personal details and payment information," warned Ian Tickle, UK manager at data integrity specialist Tripwire.

Iain Franklin, European vice president at Entercept Security Technologies, agreed. "Too many people have become mesmerised by the mythical abilities of hackers, accompanied by a belief that they know the ins and outs of hacking and security," he explained.

"In actual fact, only a small percentage of hackers are experts. The rest download exploits from websites and use ham-fisted tactics to draw attention to themselves.

"The world of IT systems and security is huge. It would be impossible for a hacker to understand and advise on all vulnerabilities. A hacker has to specialise in a certain system or style of attack to be successful."

Instead, Franklin pointed to the threat posed by poorly constructed software and the inherent security flaws that can be found in many applications, regardless of whether they are critical to the trading process.

Glitches can be present in the operating system itself (indicated by the frequent patches released by the likes of Microsoft for its Windows 2000 Server platforms), the web server, the back-end database or content management system, or in the visible web page code.

"The past 18 months have seen a number of high-profile organisations suffer at the hands of system vulnerabilities, including the government's own Inland Revenue website," said Franklin.

"These vulnerabilities have universally resulted in damaged corporate reputations and reduced traffic. Any damage to reputation or brand inevitably leads to a fall in revenue. It is almost impossible to cushion when margins have already been squeezed to suffocation."

Davis pointed to the need for a software audit as part of any transaction system. "When selecting product for implementation, at least some reference material should be sought to identify and help mitigate the risk of vulnerability from inherent weaknesses," he said.

"A classic vulnerability in nearly all systems is the Buffer Overflow attack, where an attacker attempts to flood an unchecked buffer in a data field.

"This causes the system to error, and either yield some information or allow privileged access to other or administrative functions."

On a website, the internal threat is the one most likely to damage the system or the reputation of the company the site is serving, warned Tickle.

"One example is retailers providing a service online, who have much to lose without adequate security measures. Ensuring that their websites are available to customers at all times is vital," he explained.

"Any form of system breach, external or internal, can be very damaging to an organisation when it has to take down the entire network to identify and rectify changes.

"System downtime due to any kind of security breach ultimately affects the retailer's ability to take money through the tills. It tarnishes reputations and puts off potential customers."

The merchant is also at risk when balancing consumer privacy and consumer convenience. There are benefits in keeping credit card numbers, billing addresses and other personal information on file with a frequently visited merchant, but the merchant must guard against intrusion by hackers out to steal identities or credit cards for financial gain.

"Merchants have higher costs and less protection when accepting credit cards as payment," said Steve Atherton, chief technology officer at ClearCommerce.

"The schemes used by fraudsters are becoming more sophisticated, and a new class of commercial software and services has arisen to help the merchant screen out potentially fraudulent payments more accurately."

Email is also at risk. Often part of the transport mechanism, it is overlooked for encryption after data leaves the safety of an SSL link.

"Everyone is much more lax when it comes to email," warned Coates. "Companies still fail to realise how insecure it is.

"I repeatedly receive incorrect email for large charities or Labour party members, and have even been mistakenly sent a scan of a cheque, complete with signature and bank account details."

Ultimately, the problem of consumer confidence and trust is one for the business to redress. Implementing a rounded security solution will enable it to explain and justify the measures it has taken to provide the online system and its features. Thus, network and information security becomes a business enabler, allowing companies to win back confidence.

Smart chips: the UK's still unconvinced

Despite widespread use in France and growing adoption in other European countries, smart chips on credit cards are seldom used in the UK.

One problem is continued wrangling between merchant organisations, banks and card issuers over who should foot the bill for replacement card readers, authorisation systems and changes to existing point-of-sale systems.

In France, the cost has been shouldered mostly by the retailer, in the belief that the combination of the smart chip and PIN authentication, over traditional (and still present) signature comparison, will result in reduced fraud and lower overall costs.

The use of smartcard readers for commerce on PCs also remains unresolved. As with ID and secure login cards, readers have failed to take off for mainstream transactions, although some consumer devices, such as Amstrad's email phone, have a reader for use specifically with smart-chipped credit cards.

The smart chip also means that, to secure payment from a card issuer, cards no longer need swiping and numbers no longer need to be retained.

The sale can be processed using the encrypted certificate stored on the chip, reducing the potential for fraud.

"Just recently, a single hacker stole eight million credit cards from a US banking organisation that was storing consumer information and credit card numbers on behalf of the merchants," said Atherton.

"Credit card associations have reacted strongly, imposing stiff penalties on organisations with such personal information that fail to protect it adequately."

Spoof web sites cash in on household names

One phenomenon threatening to erode the trust relationship between well-known brand names and their customer base is the spoof website.

A spoof site can be anything from a harmless fanzine to an entire retail operation that cashes in on the name, brand and reputation of an existing organisation, and tries to fool users into believing that they are dealing with a reputable company.

Spoofing has become a bigger problem in recent years with the expansion of top-level internet domains. The core global domains of '.com', '.net' and '.org' are not policed in terms of who can buy them.

The same applies to the core '.uk' domains, although specifics such as '.ltd.uk', '.plc.uk', '.ac.uk' and '.gov.uk' do carry restrictions, and only allow relevant educational groups, government bodies and legitimate companies to buy and use them.

The development of further top-level domains such as '.biz' and '.tv' has also opened up avenues for individuals to acquire a domain that looks very similar to that of a well-known company or retailer.

For example, Acme Foods runs its online supermarket service from www.acmefoods.co.uk, but someone looking to create a look-alike site for the purposes of extracting credit card numbers fraudulently could go for www.acmefoods.com, or maybe set up a site that is critical of the company's use of battery-farmed eggs at www.acmefoods.biz.

Worse still, they could buy up a common typo such as www.acemfoods.co.uk and point it to a porn site, damaging both the brand and user confidence.

Many high-profile brands already take steps to prevent this by buying up as many versions and variants of their domain name as possible.

As well as buying most versions of its www.ebay.com web address, the online auction site has also bought common typos including www.ebya.co.uk.

However, even this site has not escaped being spoofed, and was an innocent victim last year of an email-based scam to harvest credit card numbers.
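Buying up variants, as eBay did with ebya.co.uk, needs a list of what to buy or watch. The added example below (not from the article) builds such a registration and monitoring watchlist for a brand label from the two typo classes the article's examples illustrate, adjacent-character swaps and dropped characters, across the domain suffixes it names; the brand labels used are the article's own examples.

```python
from itertools import chain

def transpositions(label: str):
    """Adjacent-character swaps, e.g. 'ebay' -> 'ebya' (the eBay typo cited above)."""
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            yield label[:i] + label[i + 1] + label[i] + label[i + 2:]

def omissions(label: str):
    """Single dropped characters, e.g. 'acmefoods' -> 'acmfoods'."""
    for i in range(len(label)):
        yield label[:i] + label[i + 1:]

def watchlist(label: str, tlds=("co.uk", "com", "net", "org", "biz")) -> list:
    """Sorted, de-duplicated hostnames a brand owner would register or monitor.

    Includes the genuine label on every suffix (the acmefoods.com / .biz case)
    plus each typo variant on every suffix (the ebya.co.uk case).
    """
    variants = {v for v in chain(transpositions(label), omissions(label)) if len(v) > 1}
    variants.add(label)
    return sorted(f"{v}.{tld}" for v in variants for tld in tlds)

if __name__ == "__main__":
    for host in watchlist("ebay"):
        print(host)
```

A registrar's availability report or a daily DNS resolution of this list then shows which variants are already in someone else's hands.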

</div>
