A medley of numbers concerning the future of online transactions are enthusiastically batted about the infosec community. The Office of Fair Trading forecasts an increase from £14 billion to £29 billion over the next five years. A report from uSwitch in December 2007 calculated quadrupled transactions by 2020, accounting for 40% of all retail spending. Speculative as they may be, the predictions indicate a common trend: that online retail will continue to grow rapidly.
And why not? For some, the scramble for a parking space, the herding through automatic doors, and almost funereal procession through the queue may be part of the fun of shopping; but for others, a cup of tea and click of the mouse is more appealing. Unfortunately both are ripe hunting grounds for fraudsters.
Caveat Emptor: Let the buyer beware
A rise in consumer awareness is inevitable as big name brands hit the news for all the wrong reasons. Last year, discount chain TK Maxx, owned by TJX Companies, fell victim to a theft of information from 45.7m credit and debit cards, as well as the identity data of 455 000 customers, in attacks executed between 2005 and 2007. Reparation looks likely to reach billions of dollars.
In March, the grocer Hannaford disclosed that a breach had potentially exposed 4.2m credit and debit card numbers, and at the time had already resulted in 1 800 cases of fraud. More recently, June of this year saw Cotton Traders admit to an alleged theft of 38 000 credit card details, although the company claimed the actual figure was ‘substantially less’.
While atoning for a breach causes a financial dent, perhaps the more valuable damage inflicted is the blow to reputation.
“The consumer is becoming more sensitised to data issues,” says Paul Davie, founder of Secerno. “They’re becoming more likely to switch sites, if one company suffers a loss.”
Last year, in a report conducted by Secerno that questioned over a thousand consumers on their attitudes to data security, almost half of respondents maintained that retailers should do more to protect their information.
Thou shalt have firewall
There are signs of increasing regulation – most notably PCI-DSS, a security standard which provides guidelines in twelve broad categories for preventing security risks in organisations that process credit card payments. There is pressure on retailers to comply, because according to Secerno’s Davie “they’ve always footed the bill.”
June 30 was touted as a deadline for PCI validation in the US. In the UK, many companies have still not acquiesced. The first hurdle is convincing a retailer of the need for PCI.
Despite hands being held through the procedure, a pervading cynicism resides among security professionals.
| "[PCI is] certainly not the holy grail" |
| Gordon Rapkin, Protegrity |
“It’s like in grade school where you just need to know enough to pass, and you can forget about it the next day,” analogises Gordon Rapkin, CEO of Protegrity. Rapkin notes it has “improved the situation for credit card fraud” but adds that “it’s certainly not the holy grail.”
It’s imperative that PCI is not embraced as a panacea for attacks. It’s not. A harsh reminder buttressed by the Hanneford breach in March: it was concluded that the company were compliant when their system was struck.
“It’s a perfect example of PCI not equalling security,” observes Rapkin. “Security is an active process of education.”
If PCI has not yet been unanimously adopted, then surely customers should have a right to know who has, and more importantly, who hasn’t subscribed?
Paul Baker, MasterCard’s vice president of payment system integrity worldwide, was not prepared, or at least not permitted, to divulge that information.
“I couldn’t give you the exact numbers,” he declared, attributing the confidentiality to company regulations, adding that for fear of feeding prospective hackers with information “it’s dangerous to say that x percent aren’t compliant.” Baker would, however, deal in generalities.
“In the UK, I’m not aware of anyone refusing to do it. There is a good proportion who are compliant, there are others who are close to being compliant, and others who due to the complexity of their organisations, it’s taking a little while.”
Terms and conditions
When questioned on liability in the case of an online breach, Baker replied that it’s “not dissimilar to day-to-day shopping, where whoever has the best security is protected against liability. Ideally both merchant and consumer will have good security.”
The subject is particularly pertinent now since in early July, the House of Lords’ science and technology committee called for the government to place responsibility on banks in the event of e-fraud, adding that victims should also be able to go directly to the police instead of first informing their banks, for whom it would hardly be a commercial incentive to pass the report on.
“There’s always a call for liability,” insists Baker. “What’s more professional: arguing about liability or making sure that these problems are reduced?” He also notes that some banks already assume liability. “We take it very seriously.”
Baker affirms that there are many merchants who may not have survived if it weren’t for e-commerce. “They struggled because face-to-face retail wasn’t working so well.”
Window shopping
With such fuzzy legislations, is the shrewd customer better to shop online, or in-store?
Protegrity’s Rapkin believes the former is “less risky because it’s more contemporary, however it does make it open to the world – to the stereotypical 14 year old in Belarus who may be able to gain access.”
The hazards associated with online retail, or e-tail, are vast. While bigger brands are generally protecting themselves, fraudsters are directing their energy toward smaller, more vulnerable, less-aware companies.
Assessments and Policing of Community Safety (APACS) estimated the level of internet fraud in 2007 to have exceeded £290 million. In 2007 during the christmas period, fraud rocketed 167%, with 8 500 perpetrators buying iPods, watches and perfume through the use of credit card details harvested through phishing and skimming.
A fairly new scamming technique involves taking a photograph on a mobile phone of the front and back of a credit card, before selling the phone on the internet, sometimes for as little as £50. This way buyers won’t have to come into contact with the card and can establish anonymity.
Even passwords used for retail websites do not guarantee a smooth transaction. Research conducted by SecureTest in March disclosed that when a password was forgotten, 60% of sites tested emailed the user explicitly stating whether the email address employed as a username was actually in their database or not. This was lamented by Ken Munro, managing director of SecureTest, as “a fatal mistake” as it might unwittingly direct hackers to where they could start testing for attacks.
One possible answer to such ubiquitous dangers could be hand-held chip and pin card readers for use in the home, a development already invested in by several banks, including Barclays and NatWest.
The consumer inserts their card and enters their pin and is given a one-time eight-digit pass number.
| "Banks are protecting internet transactions, but online retailers haven’t yet invested in security devices" |
| Andy Jones, ISF |
“Banks are protecting internet transactions, but online retailers haven’t yet invested in security devices,” observes Andy Jones, a senior research consultant at ISF. “eBay are starting to suffer from that which banks used to [suffer from]. They’re lagging behind.”
The process echoes the chip-and-pin method commonly used in stores, which Protegrity’s Rapkin accepts as an important development in retail.
“In the US we still use magnetic strips, making it quite straightforward for criminals to use your card. With chip and pin it’s not so easy. In the US, fraud is committed more physically. In Europe, it’s a lot tougher to walk into a store with the card. The fraud tends to be online.”
However it’s not just our credit card data that we give stores access to; many of us offer our addresses, and an insight into our spending habits by applying for loyalty cards.
“Loyalty cards probably aren’t a serious risk in the bigger scheme of things,” says Jones of ISF. “It’s non-sophisticated. It may give an attacker the ability to redeem points, but I don’t think addresses would be taken.”
Customer service
Paypal evolved in 1998, allowing consumers to send payments for purchases to an email address, while leaving credit card details concealed. However it’s not immune to danger. PayPal’s head of UK risk management, Gareth Griffiths, names phishing as the “biggest threat by far”.
“It’s hard to control. All the big brands are being hammered. I can easily set up a site that looks like PayPal and I can make my mother think it’s PayPal.”
According to Griffiths, the phishing occurs off the system.
“Think of PayPal as a fortress. Our fortress is locked down tight and so far we’ve held them off. The issue for us is that the risks happen through someone else, for instance if the customer downloads a Trojan. Hackers can’t get at the data but they can get money from innocent people.”
Perhaps, then, the greatest risk when shopping online is simply a lack of good judgment. Consumers expect retailers to be secure, but it’s easy to neglect our own responsibilities.
A report from Sophos in February found that over 80% of customers were concerned about security when shopping online, yet 70% didn’t understand what a green browser bar represented, and 20% didn’t understand the significance of a golden padlock. A survey by PayPoint.net in June of this year revealed that 98% of users performed at least one security check, with over 90% checking three or more security features. However, it also discovered that almost four fifths of online consumers may trust an easy-to-use site regardless of security features.
Griffiths puts the real worries down to trusting users who click on what they shouldn’t, and equates the online shopping experience to the real world.
“People are still wandering down dark alleys at 2am. Why is this? We’re still learning to crawl on the internet.”