Attention, Online Shoppers: Where R U?

Security worries are slowing online shopping and banking, but consumers should be afraid of that POS instead, Gartner says

Online shopping and banking sites won't be as crowded this holiday season, but who knows about the mall parking lot: Nearly half the consumers surveyed in as-yet unreleased studies by Gartner say security breaches have prompted them to shop and bank less online.

Nearly $2 billion was lost in e-commerce sales this year alone due to security concerns, according to Gartner's findings, and $913 million of that was from existing online shoppers, not newbies.

Studies conducted after last year's holiday shopping season support Gartner's findings. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. (See Power Pay.)

"They are not trusting the electronic commerce systems as much as they used to," says Avivah Litan, a vice president at Gartner, which will publicly disclose details of the e-commerce and security studies it prepared for clients later this month in conjunction with its Identity & Access Management Summit 2006 in Las Vegas. Nearly 47 percent of the 5,000 online consumers surveyed said concerns about data theft and breaches, and Internet-based attacks have affected their purchasing, payment, online transaction, and/or email behavior.

E-commerce is suffering the most, according to the Gartner study. For example, 57 percent say they've modified their online shopping behavior; 55 percent have changed their online payment practices; and 43 percent have adjusted their online banking. Interestingly, 57 percent say they use cash now in light of their security concerns -- only 25 percent are using PIN debit cards, and just 24 percent are using credit cards. Another 20 percent use checks, and 14 percent pay with signature-based debit cards.

But this online paranoia may be somewhat overblown. Most consumer breaches actually occur at the point-of-sale system, not via electronic commerce, according to Gartner's Litan.

One forensics assessment firm says 59 percent of the breaches it is investigating for Visa and MasterCard occurred at an actual POS-type terminal, not via a Website. "Retailer breaches are more brick and mortar, with thieves breaking into the POS system exposed to the network," Litan says. "If thieves find out which model of terminal it is, they can break into it and find who the customers are. POS has been the biggest vulnerability point when you look at all the data" from forensics investigators.

Even so, consumers seem to be equating security problems with e-commerce problems, which has disrupted online banking and shopping, according to Gartner's data. But attackers are going after the easy marks -- a gas station's POS that still uses the manufacturer's default password, for instance, or sometimes an ATM, Litan says.

Litan says enterprises and retailers spend plenty of money on protecting their servers, but often forget about protecting consumers and devices such as POS, ATMs, and printers. "The big issue is they don't want to inconvenience the consumer too much." But often that means sacrificing security for convenience.

Litan says the key is a multilayered approach of end-user, application, and infrastructure security. User security means stronger authentication coupled with proof of identity and transaction verification, and applications should be running fraud-detection tools in the background to ensure a transaction is legit. Most banks, for instance, have the infrastructure security part down pat already, she says.

The best way to keep a man-in-the-middle attack or Trojan from spoofing a user's online privileges and identity is to add an "out-of-band" component, Litan says, which some European banks are starting to deploy. This means verifying an online transaction with a phone call to the account holder that "replays" the transaction so the user can confirm whether he or she is actually behind it, Litan says. Because the confirmation travels over a channel the attacker's malware does not control and repeats the details the bank actually received, a payee or amount that was altered in the browser session will not match what the account holder expects, and the transaction is refused.
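The following is an added example, not code from the article or from any bank Litan describes, that models the out-of-band check in Python. The bank, the Trojan, the phone "read-back" and the transaction values are all constructed for the demonstration; binding the confirmation code to the transaction with an HMAC is this example's own design choice, so that a code observed during one confirmation cannot be reused for a different transaction.

```python
"""Out-of-band transaction confirmation (constructed example).

Model: the web session may be controlled by a Trojan, so the bank never
trusts what it sees there alone. It calls the account holder on a second
channel, reads back the transaction it actually holds, and issues a short
code that is bound (HMAC) to exactly those details. The user confirms only
when the read-back matches what they intended to send.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_cents: int


class Bank:
    """Hypothetical bank back end; the key and storage are in-memory stand-ins."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)          # server-side secret, never sent to the browser
        self._pending: Dict[str, Transaction] = {}

    def submit(self, tx: Transaction) -> str:
        """Receive a transaction from the (possibly compromised) web session."""
        tx_id = secrets.token_hex(8)
        self._pending[tx_id] = tx
        return tx_id

    def out_of_band_callback(self, tx_id: str) -> Tuple[Transaction, str]:
        """Simulated phone call: replay the stored details and speak a bound code."""
        tx = self._pending[tx_id]
        return tx, self._code_for(tx)

    def _code_for(self, tx: Transaction) -> str:
        # The code depends on every field a Trojan might alter, so it is only
        # valid for the exact transaction the bank read back to the user.
        msg = f"{tx.account}|{tx.payee}|{tx.amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def confirm(self, tx_id: str, code: str) -> bool:
        """Execute the pending transaction only if the code matches it."""
        tx = self._pending.pop(tx_id, None)
        if tx is None:
            return False
        return hmac.compare_digest(code, self._code_for(tx))


def run_session(intended: Transaction,
                tampered_by_trojan: Optional[Transaction] = None) -> Tuple[bool, bool]:
    """Return (user_confirmed, bank_executed) for one online-banking session.

    If a Trojan rewrote the transaction in the browser, the bank's read-back
    differs from what the user typed, the user declines, and nothing executes.
    """
    bank = Bank()
    tx_id = bank.submit(tampered_by_trojan or intended)
    replayed, code = bank.out_of_band_callback(tx_id)
    if replayed != intended:
        return False, False                          # user hears the wrong payee/amount and hangs up
    return True, bank.confirm(tx_id, code)           # user keys the spoken code into the session


def stolen_code_replay() -> bool:
    """A Trojan that observed a valid code tries it on a transaction of its own."""
    bank = Bank()
    legit_id = bank.submit(Transaction("ACC-1", "Electric Co", 12_000))
    _, observed_code = bank.out_of_band_callback(legit_id)
    mule_id = bank.submit(Transaction("ACC-1", "MULE-9", 500_000))
    return bank.confirm(mule_id, observed_code)      # False: code is bound to the legit transaction


if __name__ == "__main__":
    legit = Transaction("ACC-1", "Electric Co", 12_000)
    swapped = Transaction("ACC-1", "MULE-9", 500_000)
    print("clean session:   ", run_session(legit))
    print("trojan-altered:  ", run_session(legit, swapped))
    print("code replay ok?: ", stolen_code_replay())
```

The read-back is the part that does the work: an attacker who owns the browser can change what is submitted, but cannot change what the bank says on the phone, and with the code tied to the stored details they cannot transplant a confirmation from one transaction to another.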

Meanwhile, 53.4 million adults say they don't shop online at all, according to Gartner, 27.4 percent because they don't feel secure buying online, 53.2 percent because they didn't need to buy anything during the past three months, and 29.1 percent because they prefer other modes of shopping. So get to the mall early for that coveted parking place.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
