Attention, Online Shoppers: Where R U?

Online shopping and banking sites won't be as crowded this holiday season, but who knows about the mall parking lot: Nearly half the consumers surveyed in as-yet unreleased studies by Gartner say security breaches have prompted them to shop and bank less online.

Nearly $2 billion was lost in e-commerce sales this year alone due to security concerns, according to Gartner's findings, and $913 million of that was from existing online shoppers, not newbies.

Studies conducted after last year's holiday shopping season support Gartner's findings. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. (See Power Pay.)

"They are not trusting the electronic commerce systems as much as they used to," says Avivah Litan, a vice president at Gartner, which will publicly disclose details of the e-commerce and security studies it prepared for clients later this month in conjunction with its Identity & Access Management Summit 2006 in Las Vegas. Nearly 47 percent of the 5,000 online consumers surveyed said concerns about data theft and breaches, and Internet-based attacks have affected their purchasing, payment, online transaction, and/or email behavior.

E-commerce is suffering the most, according to the Gartner study. For example, 57 percent say they've modified their online shopping behavior; 55 percent have changed their online payment practices; and 43 percent have adjusted their online banking. Interestingly, 57 percent say they use cash now in light of their security concerns -- only 25 percent are using PIN debit cards, and just 24 percent are using credit cards. Another 20 percent use checks, and 14 percent pay with signature-based debit cards.

But this online paranoia may be somewhat overblown. Most consumer breaches actually occur at the point-of-sale system, not via electronic commerce, according to Gartner's Litan.

One forensics assessment firm says 59 percent of the breaches they are investigating for Visa and MasterCard occurred at an actual POS-type terminal, not via a Website. "Retailer breaches are more brick and mortar, with thieves breaking into the POS system exposed to the network," Litan says. "If thieves find out which model of terminal it is, they can break into it and find who the customers are. POS has been the biggest vulnerability point when you look at all the data" from forensics investigators.

Even so, consumers seem to be equating security problems as e-commerce problems, which has disrupted online banking and shopping, according to Gartner's data. But attackers are going after the easy marks -- a gas station's POS that uses the manufacturer's default password, for instance, or sometimes that of an ATM machine, Litan says.

Litan says enterprises and retailers spend plenty of money on protecting their servers, but often forget about protecting consumers and devices such as POS, ATMs, and printers. "The big issue is they don't want to inconvenience the consumer too much." But often that means sacrificing security for convenience.

Litan says the key is a multilayered approach of end-user, application, and infrastructure security. User security means stronger authentication coupled with proof of identity and transaction verification, and applications should be running fraud-detection tools in the background to ensure a transaction is legit. Most banks, for instance, have the infrastructure security part down pat already, she says.

The best way to avoid a man-in-the-middle attack or Trojan from spoofing a user's online privileges and identity is to add an "out-of-band" component, Litan says, which some European banks are starting to deploy. This means verifying an online transaction with a phone call to the account holder that "replays" the transaction so the user can confirm if he or she is actually behind the transaction or not, Litan says.

Meanwhile, 53.4 million adults say they don't shop online at all, according to Gartner, 27.4 percent because they don't feel secure buying online, 53.2 percent because they didn't need to buy anything during the past three months, and 29.1 percent because they prefer other modes of shopping. So get to the mall early for that coveted parking place.

— Kelly Jackson Higgins, Senior Editor, Dark Reading