Twitter headlines Honor Roll for online trustworthiness

In the OTA Honor Roll, Twitter had the top overall composite score, showing “a commitment to voluntary best practices, consumer protection and self-regulation.” The micro-blogging site supports always-on SSL, Do Not Track and the email security approach DMARC, and it recently added two-factor login verification in the wake of several account hijackings by a Syrian hacktivist group.

In all, 32% of around 750 companies qualified for the 2013 Online Trust Honor Roll. To determine the rankings, OTA completed comprehensive audits across a dozen different attributes for sites, reviewing more than 10,000 web pages and more than 500 million emails associated with the Internet Retailer 500 (IR500), FDIC banks and the top 50 US government sites (Federal 50).

Although 26% of the IR500 made the Honor Roll, a slight improvement over 2012, 53% are still failing to achieve passing scores in one or more categories, unnecessarily exposing users to security, privacy and social engineering threats, the OTA found. Adoption of email authentication to counter forged and malicious messages was a bright spot, though, with IR100 adoption of both SPF and DKIM jumping 20% to 76%.

Both banks and governments, meanwhile, showed marked improvement – but also have room to do much more.

FDIC member banks demonstrated significant improvements over last year, with 25% making the Honor Roll. Notably, the banking sector led in the adoption of Extended Validation SSL (EV SSL) certificates, at 60%, while overall worldwide growth of EV SSL certificates grew 28% over 2012, OTA said.

Of those that did not qualify, 71% received failing grades in one or more categories, largely attributed to inadequate email and domain protection or to outdated privacy policies, where OTA observed inconsistencies between the written policy and the site's actual data collection.

The Federal 50 sites made improvements across all sectors, achieving 88% support of the digital signing technology known as DNSSEC. However, the OTA said that they significantly lagged in helping protect consumers from forged and deceptive email and securing their sites from known vulnerabilities. Only 20% adopted both SPF and DKIM, and one-third received failing grades for their SSL server security.

Social gaming and dating sites outpaced both the IR500 and FDIC 100 two-to-one in terms of the percentage of companies qualifying for the Honor Roll. The OTA attributes the disparity to the agility of sites within this segment, their recognition of the importance of data security and privacy, and their infrastructure. Many banks and commerce sites have more complex legacy sites and data centers that impede their ability to quickly adopt many of the best practices, the OTA noted.

When it comes to e-commerce, American Greetings achieved the No. 1 ranking of all internet retailers. Amazon, Big Fish Games, Bike Bandit, Books-A-Million, iHerb, JackThreads, Levenger Co., LivingSocial, Netflix, Ralph Lauren and Rock Auto also qualified for the top 10 e-commerce sites (two sites tied for two rankings).

"Through an ongoing process, we have evolved our data security and privacy practices from one of compliance to one of stewardship," said Joseph Yanoska, vice president of technology at American Greetings, in a statement. "We're honored by the recognition the OTA has given us, and are committed to supporting their efforts. We share and embrace their approach to security and hope that it results in a higher level of trust from our customer base."

Privacy scores climbed in all categories, representing the importance of transparency for data collection and controls on sharing with third parties.

“The 2013 report demonstrates how business leaders have recognized the need to move from compliance to stewardship. This is critical to consumer trust and to help stem the call for more regulation,” said Craig Spiezle, president and executive director of OTA, in a statement.