When Ryan Roth's monthly credit card statement arrived with more than $2000 in unauthorized charges, the 30-year-old public relations executive from Palm Beach Gardens, Florida, thought she knew just who to blame. An avid online shopper, Roth suspects that her credit card information leaked from a transaction with a small kitchen supplies site she visited while doing holiday shopping. The site had not posted any privacy or security statements, and Roth admits to having had a "bad feeling" about this omission.
Roth's credit card company covered the bogus charges, but Roth drew an understandable conclusion. "I'll stick with national e-tailers from now on, established sites that have the resources to invest in security technology on their end," she says.
Unfortunately, the moral of the story may not be so clear. It's tempting to believe that the biggest, best-established Web merchants have security all figured out. But judging from frequent reports of major sites being hacked and customer information compromised, that's not the case. As unlucky customers of CD Universe, Travelocity, Columbia House, Ikea, and even Western Union can attest, small sites aren't the only ones to get hit. "Virtually every medium-size to large e-commerce site has been affected by fraud of some sort," says Joseph McDonnell, CEO of online security firm IShopSecure.
And a recent Gartner Group study predicts a wave of small-scale e-commerce theft within the next two years, mostly attributable to the larcenies of an increasing number of technically sophisticated individuals in economically depressed countries. According to the study, many recent hack attacks on e-commerce sites can be traced to Russia. Recent FBI reports corroborate this, adding that stolen credit card information may have been sold to organized crime rings operating in Eastern Europe.
Okay, so you may be taking a chance by purchasing that digital camera online. You already knew that. But isn't it just as dangerous to plunk down your credit card at a bricks-and-mortar retail store or the café down the street? Not according to McDonnell. "Anonymity is a key difference," he says. "People can hide behind their computers." Add to that the vast quantity of personal information a determined hacker can obtain on the Internet--your name, address, e-mail account, phone number, credit card information, passwords, Social Security number, and mother's maiden name, just for starters--and you have an environment that's ripe for theft. McDonnell puts it bluntly: "Consumers should be 100 times more cautious [doing business] online."
What are e-tailers doing to maintain or beef up site security? Not enough, experts say. The security statements found on many retail Web sites may sound comforting, but in many cases they don't mean much. Most offer vague reassurances about using industry-standard encryption technology, but such encryption applies only to the actual transfer of customer data.
As important as the transaction itself is how a Web site stores your data after you buy--and here many sites falter. One of the most common hack attacks involves breaking into a server that stores customer data from past transactions. "The important question," says IShopSecure's McDonnell, "is where your credit information is being stored. You don't want it sitting unprotected in a database."
And the Web site you buy from may not be the only one you have to worry about. Many sites contract with other firms to process credit card information, and those third-party sites may be vulnerable to attack, too. Last December, Creditcards.com, which handles credit card transactions for a number of online merchants, revealed that someone had hacked into its site and posted more than 55,000 credit card numbers on the Internet.
The lack of a posted security or privacy policy should raise a red flag. Last year, John Hairell, a senior programmer/analyst for NASA in Greenbelt, Maryland, was about to complete a transaction on the rare-book site Bibliofind when he noticed the site had no posted security or privacy statement. Hairell e-mailed the company to ask about its security policies. Two months later, he received a vaguely worded response that did little to reassure him. He decided not to do business with the site. Hairell's caution looked wise when in March of this year, thousands of Bibliofind customers received a terse e-mail message saying that the company's servers had been violated, compromising customers' credit information.
At press time, the site--which has been on the Web since 1996--still hadn't posted a privacy or security policy. Bibliofind representative Alisa Feinstein says that the company (now owned by Amazon.com) is planning to update the site. That may be too little, too late for Hairell. "This has put me off of online retailing," he says. "There's just not enough accountability when it comes to security."
Ultimately, however, online security breaches are more harmful to merchants than to consumers. After all, consumers have a powerful safety net: credit cards. As long as you use one for your online purchases, you're covered for any unauthorized charges over $50--though dealing with a fraud claim is usually a hassle. (Many Web sites, such as the Lands' End site, promise to reimburse you the $50 if the security leak is traced to their servers.)
In contrast, online merchants are largely liable for fraudulent charges, so a security lapse can easily ruin a smaller e-tailer. And the problem is not just financial--the bad publicity from a break-in can do more damage than the dollar loss.
Caveat E-Emptor
Clearly, if e-commerce is to flourish, e-tailers need to start taking security more seriously and put tools in place to prevent online fraud. Some companies have, but too many haven't. In the meantime, here is what you can do to protect yourself:
Review your credit card statement regularly and carefully.
Think about obtaining a low-credit-limit card specifically for online purchases. That way, you have less at stake if your credit information is stolen.
Change your passwords frequently, and keep them cryptic.
Consider the pros and cons carefully before permitting a site to store your credit card information for future purchases.
Avoid sites that don't post clear privacy and security policies or contact information, including a physical street address and working phone number.
When you inspect a site's security policies, look for assurances that information is encrypted on all servers connected to the Net and that security tools are in place to protect applications like the shopping cart. If the policy doesn't say, ask the site's administrator for clarification.
I'm not trying to scare you away from shopping online. The vast majority of transactions go through without a hitch. But shop safely. And if you come across a site whose security you don't trust, let the administrator know why you won't shop there. Online retailers will take security seriously when they know we do.
Anne Kandra is a contributing editor and Grace Aquino is an associate editor for PC World.




















