As technology becomes increasingly sophisticated, so do ‘e-criminals’ in their attempts to hack into systems or steal identities. David Bicknell examines the importance of website security for e-commerce companies.
You cannot get away from security in the e-commerce world. Nor can you get away with skimping on it as an online merchant.
The familiarity of consumers with spam in their e-mail inboxes inviting them to give their account or password details to a series of banks, online auction companies, or payment schemes means most regular e-commerce users are, to some degree, security-savvy.
However, their awareness of such ‘phishing’ threats is often overridden by their ‘need for speed’ in using a web service. Ease of use, convenience and time-savings are the key drivers for today’s online consumer.
The rocketing revenues from online e-commerce last Christmas may mask the concern, but there is little doubt that consumer confidence in the security of their online transactions is somewhat shaky. As a result of the growth in ‘phishing’-related fraud and identity theft, IT and e-commerce analyst group Gartner believes shoppers are starting to curtail their online purchases.
According to Gartner, 73 million adults who use the Internet received a ‘phishing’ e-mail between May 2004 and May 2005, and 2.4 million online shoppers lost money as a direct result. Many are now worried, dismayed and frightened over the threats to their personal data, their credit-card bills, and their bank accounts.
Unless e-commerce companies take steps to combat ‘phishing’, Gartner says, they will not be able to rely on online selling and e-mail as methods to draw customers. Indeed, there is evidence now that consumers’ very familiarity with spammed ‘phishing’ e-mails is prompting ever-more sophisticated methods of attack by organised crime that rely on so-called ‘social engineering’.
For example, while you might be suspicious of a ‘phishing’ e-mail supposedly from a bank, what about a purported e-mail from your boss looking for information, or from someone in your company’s HR team? Would you ignore that?
But perhaps the most insidious current security problem is spyware, which is malicious software finagled on to a user’s machine without their knowledge or authorisation. It usually arrives surreptitiously from an innocent visit to a website, and furtively logs users’ keystrokes to steal passwords and other sensitive information.
Another increasing concern is the theft or loss of personal or financial information in bulk, which puts consumers’ finances at risk.
Sometimes the incidents are the result of carelessness or accidental loss: the Marriott hotel chain admitted late last year that back-up computer tapes containing data on some 206,000 customers went missing from a company office in Florida. In other cases, data theft may have been well planned, often by insiders within e-commerce companies.
Cosmos Group IT director Alister Beveridge believes internal fraud is a much under-regarded threat.
“Companies have to be aware of the propensity for internal fraud, and yes, I’ve seen it happen in organisations,” he says. “Staff are usually familiar with all the systems, and anyone who’s disaffected may see a small loophole and take advantage of it.
“Countering it is mainly down to having effective internal policies and procedures which you have to get over to staff through training. For example, I’ve visited sites where credit-card information is mentioned in the Notes section of a customer’s record. What is credit-card information doing there?”
There are some promising developments in this area. IBM recently announced a security product to protect companies from internal attacks on their IT systems. The Identity Risk and Identification software analyses the activity of users on an internal network, looking for irregularities that might be a tip-off of unauthorised or improper access by internal staff.
Andrew McClelland, director of projects and marketing at the Interactive Media in Retail Group, suggests online commerce’s growing influence and financial clout – it now accounts for 7%-8% of retail commerce, and could reach 10% by the end of this year – means the Data Protection Commissioner’s office is now taking a closer interest in the security habits of online companies.
“The Data Protection authorities are keeping an eye on the online space. They want to know how secure customers’ data really is, and whether it is being protected,” he suggests.
McClelland also believes plenty of work is going on within the e-commerce world to counter concerns over what has been dubbed ‘e-crime’.
“Two-factor authentication, where card users require a credit card plus a single-use passcode to be authenticated via the card provider’s database, and 3D Secure technologies, such as MasterCard’s SecureCode and Verified by Visa, are being adopted by many retailers to bring the security of Chip and Pin to the Internet.
“In addition, Payment Card Industry Data Security Standards, which involve a high-level auditing requirement, have already been taken on by the top 25 retailers. These will be rolled out to all companies that store and hold consumer payment information over the next three years.”
Risks from ‘phishing’, spyware and insider data theft won’t disappear, so security must be at the top of all online companies’ agendas. Any customer perception that a site is insecure, or that their data is wilfully mishandled, will pose a risk to that site’s reputation. A bad experience will ensure that is the last time a site sees them. And through word of mouth, you can count on not seeing their friends either.
Best practices for securing e-commerce data
1. Use your website to educate customers about fraudulent sites. Warn them about ‘phishing’ schemes that you know about and instruct them not to click on links provided in e-mails that purport to be from your company. Advise them to type your address directly into their browsers to get to your site.
2. Have a process in place to take action against ‘phishers’ when attacks occur, and to reassure your clients. Collect information from customers about the attack, including, specifically, the IP address of the ‘phisher’, and make sure you report it to the Internet service provider and, if necessary, the police.
3. Make it a policy not to ask customers for personal information via e-mail, and remind them frequently of this policy. Enforce the practice internally with employees.
4. Consider ‘locking down’ USB drives on PCs, which can be a tempting way of downloading and walking off with a company’s crucial data.
Case study: Olives Et Al – being aware of security issues
Launched in 1992 after a journey through the Mediterranean, the Middle East and North Africa, Olives Et Al was set up by Giles Henschel and his wife – who fell in love with the food they ate along the way – to market quality olive-based products both online and in delicatessens to a wider audience.
Henschel, whose company was a regional winner of the British Small Business Champions awards, is aware that companies with an online e-commerce presence, such as Olives Et Al, must take steps to guarantee the security of their customers’ data. “You wouldn’t leave your house unlocked when you leave it, so why would you leave your customers’ data unsecured? Ignorance is no defence, and internal security is a serious concern.
“When it comes to retaining customers’ credit-card data or records, we don’t have access to them. Like many small and medium-sized e-commerce companies, we use a third-party credit-card processing company. Unlike organisations such as Amazon, which has very sophisticated IT systems, we don’t retain credit-card details on site. That may be a little more inconvenient for the customer, but it means for a company of our size, their details are more secure.
“You must safeguard your customers’ data for their sakes and to guarantee your own survival. How you react in the first couple of hours is critical. If you haven’t reviewed your security in the past month, then you’re in danger of being complacent, and possibly not secure.”