31 Oct 2002
It would be complacent to suggest that when it comes to online crime we have nothing to fear but fear itself. But that idea still contains an essential truth.
Scaremongering and sensationalism have too big a role in the discussion of IT security. If we applied the demands we seem to be making for online trade to any other 'real world' commercial transaction, we'd never buy or sell anything.
"Today we have a mixed generation of individuals who have different views and experiences," explained Stuart Okin, chief security officer at Microsoft UK.
"For example, most people are happy to give their credit card details over the phone to pay for cinema tickets.
"A good proportion are also happy to do this over the internet, but there's a group that is not prepared to have that data stored on a system that can be viewed by others. They only trust an individual that they're talking to face-to-face.
"Ironically, a large number of fraud cases happen when you use your credit card in places such as a restaurant. The advice is don't lose sight of your credit card."
In talking up the risks of online trade, the IT security industry may prove to have been its own worst enemy, warned Alex van Someren, chief executive at security specialist nCipher.
"The security market has shot itself in the foot because it has said how dangerous the internet is, and people have said: 'Well I'm not putting my credit card number over the internet,'" he explained. "For most people, security is the single most significant concern about e-business."
High-profile lapses in security, and figures suggesting that a large proportion of online 'business' is fraudulent, have done nothing to ease the situation. Nor do incorrect images of internet criminals.
Ignorance and misunderstanding have a major role in today's discussion, according to Robert Schifreen, once one of the UK's highest-profile hackers, who is now a security expert.
He believes that the question is not one of an unbeatable threat from master criminal hackers, but of sound business practice.
"Security products exist, and have done for ages, that are pretty much bullet proof. They're either not being used, or they're not being used properly," said Schifreen.
And new technologies are offering better cover every day. For example, when the UK implements chip-based credit and debit cards in 2005, replacing magnetic stripe-based versions, real-life fraud should decline because card users will have to input a PIN instead of signing a piece of paper.
Consumers have been happily using ID numbers for years, so they should be comfortable with the process.
Credit card giant Visa set out some time ago to improve online security and, at the same time, provide the consumer with additional confidence in the security and validity of the transaction. The result was Verified by Visa, unveiled in April.
Using its 3D Secure technology, online buyers enter a password as well as their card details when conducting a transaction on a site that has signed up to the Visa scheme.
In addition, retailers that adopt Verified by Visa will no longer be liable for any 'card not present' chargebacks, regardless of whether the cardholder has used Verified by Visa or not, something that has been costing unsuspecting consumers dear for many years.
Jon Prideaux, executive vice president at Virtual Visa, insisted that we have to face up to the fact that online fraud happens, and take appropriate measures to stifle it. "This is a real problem. The loss rate is 20 times more than in the real world and that comes down to the merchants," he said.
Chris Baker, Oracle's vice president of e-business for the UK and Ireland, believes a more pressing issue is the security of internal data, and the necessity to make sure that unauthorised employees cannot access proprietary customer data.
"This is about making sure that internal data and infrastructures are secure. Stopping people getting in with firewalls is a burglar alarm situation," he explained.
But Bob Ayers, director of business risk services at security specialist @stake, believes that the software must go further before true trust can be achieved.
"I don't believe that there is any technology that we can buy or put in place that makes people say: 'That's good technology and I feel secure now,'" he concluded.
SUMMARY
BANKS ARE AN EASY TARGET FOR CRIMINALS
Banks, large commercial organisations and government authorities have long been a target for online thieves and the victims of high-profile security breaches.
In August 2000 some of Barclays' online customers in the UK discovered that they could read the details of fellow customers following a problem with a software upgrade. The bank was forced to temporarily close the site.
In the same month Ireland suffered its first major hack. A teenager was arrested when internet service provider Eircom discovered that one of its servers had been broken into and was subsequently forced to change the details and passwords of some 30,000 account holders.
Also in 2000, nine UK websites were defaced with an attack on the government's smoking policy.
Organisations including eBay, Yahoo and CNN have also been the victims of security attacks on their sites in recent years.
According to a survey from America's Computer Security Institute earlier this year, 90 per cent of respondents, primarily large corporations, government agencies, banks, medical institutions and universities, admitted that they had detected a security breach in the past year.
Of those, 44 per cent revealed that the financial damage done to their businesses as a result was collectively $456m. The most serious losses came from the theft of proprietary information.