Attention, Online Shoppers: Where R U?

Security worries are slowing online shopping and banking, but consumers should be afraid of that POS instead, Gartner says

Online shopping and banking sites won't be as crowded this holiday season, but who knows about the mall parking lot: Nearly half the consumers surveyed in as-yet unreleased studies by Gartner say security breaches have prompted them to shop and bank less online.

Nearly $2 billion was lost in e-commerce sales this year alone due to security concerns, according to Gartner's findings, and $913 million of that was from existing online shoppers, not newbies.

Studies conducted after last year's holiday shopping season support Gartner's findings. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. (See Power Pay.)

"They are not trusting the electronic commerce systems as much as they used to," says Avivah Litan, a vice president at Gartner, which will publicly disclose details of the e-commerce and security studies it prepared for clients later this month in conjunction with its Identity & Access Management Summit 2006 in Las Vegas. Nearly 47 percent of the 5,000 online consumers surveyed said concerns about data theft and breaches, and Internet-based attacks have affected their purchasing, payment, online transaction, and/or email behavior.

E-commerce is suffering the most, according to the Gartner study. For example, 57 percent say they've modified their online shopping behavior; 55 percent have changed their online payment practices; and 43 percent have adjusted their online banking. Interestingly, 57 percent say they use cash now in light of their security concerns -- only 25 percent are using PIN debit cards, and just 24 percent are using credit cards. Another 20 percent use checks, and 14 percent pay with signature-based debit cards.

But this online paranoia may be somewhat overblown. Most consumer breaches actually occur at the point-of-sale system, not via electronic commerce, according to Gartner's Litan.

One forensics assessment firm says 59 percent of the breaches they are investigating for Visa and MasterCard occurred at an actual POS-type terminal, not via a Website. "Retailer breaches are more brick and mortar, with thieves breaking into the POS system exposed to the network," Litan says. "If thieves find out which model of terminal it is, they can break into it and find who the customers are. POS has been the biggest vulnerability point when you look at all the data" from forensics investigators.

Even so, consumers seem to be equating security problems with e-commerce problems, which has disrupted online banking and shopping, according to Gartner's data. But attackers are going after the easy marks -- a gas station's POS that uses the manufacturer's default password, for instance, or sometimes that of an ATM, Litan says.

Litan says enterprises and retailers spend plenty of money on protecting their servers, but often forget about protecting consumers and devices such as POS, ATMs, and printers. "The big issue is they don't want to inconvenience the consumer too much." But often that means sacrificing security for convenience.

Litan says the key is a multilayered approach of end-user, application, and infrastructure security. User security means stronger authentication coupled with proof of identity and transaction verification, and applications should be running fraud-detection tools in the background to ensure a transaction is legit. Most banks, for instance, have the infrastructure security part down pat already, she says.

The best way to keep a man-in-the-middle attack or Trojan from spoofing a user's online privileges and identity is to add an "out-of-band" component, Litan says, which some European banks are starting to deploy. This means verifying an online transaction with a phone call to the account holder that "replays" the transaction so the user can confirm whether he or she is actually behind the transaction, Litan says.
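The out-of-band flow described above, as an added example that is not part of the original article and not any bank's real system: the bank reads the transaction back to the account holder over a second channel together with a one-time code, and executes the transfer only if the code comes back for those exact details. The `Bank` class, the `Transaction` fields and the phone channel modelled as a callback are all assumptions made for this illustration; the account numbers and amounts are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_cents: int


# The phone channel is modelled as a callback: the bank hands it the transaction
# exactly as the bank received it plus a one-time code; the holder repeats the
# code back only if the details match what they meant to send.
PhoneChannel = Callable[[Transaction, str], Optional[str]]


class Bank:
    """Assumed bank-side API for out-of-band confirmation (not a real bank's system)."""

    def __init__(self, call_holder: PhoneChannel) -> None:
        self._call_holder = call_holder
        self._pending: dict[str, Transaction] = {}  # code -> transaction it was issued for

    def issue_code(self, tx: Transaction) -> str:
        # The code is bound to this exact transaction and is single-use.
        code = f"{secrets.randbelow(10**6):06d}"
        while code in self._pending:
            code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = tx
        return code

    def confirm(self, tx: Transaction, code: Optional[str]) -> bool:
        """Execute only if a live code exists and was issued for these exact details."""
        if code is None:
            return False
        issued_for = self._pending.pop(code, None)  # consumed on first use, match or not
        return issued_for is not None and issued_for == tx

    def submit(self, tx: Transaction) -> bool:
        """Full flow: issue a code, replay the transaction over the phone, check the answer."""
        code = self.issue_code(tx)
        return self.confirm(tx, self._call_holder(tx, code))


def run_scenarios() -> dict[str, bool]:
    """Exercise the flow against an honest session and two tampering attempts."""
    intended = Transaction("ACCT-1001", "LANDLORD", 50_000)    # constructed: $500.00 rent
    altered = Transaction("ACCT-1001", "MULE-4711", 500_000)   # constructed: what a Trojan substitutes

    def holder_answers_phone(read_back: Transaction, code: str) -> Optional[str]:
        # The account holder hears the details and confirms only if they match intent.
        return code if read_back == intended else None

    bank = Bank(holder_answers_phone)
    results: dict[str, bool] = {}
    # 1. Untampered session: details read back match, holder confirms, transfer runs.
    results["clean_transfer"] = bank.submit(intended)
    # 2. Payee and amount rewritten in the browser before submission: the phone call
    #    replays the altered details, the holder declines, nothing is executed.
    results["altered_in_flight_rejected"] = not bank.submit(altered)
    # 3. A code the holder confirmed for `intended` is attached to a different
    #    transaction: the binding check refuses it...
    code = bank.issue_code(intended)
    confirmed = holder_answers_phone(intended, code)
    results["stolen_code_rejected"] = not bank.confirm(altered, confirmed)
    # ...and because that attempt consumed the code, it cannot be used afterwards
    #    either (fail closed; the holder must restart the confirmation).
    results["consumed_code_rejected"] = not bank.confirm(intended, confirmed)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The design point is that the confirmation is tied to the payee and amount the bank actually received, not to the session: a Trojan that rewrites the transfer is exposed by the read-back, and a confirmation code cannot be lifted and reattached to a different transfer, which is why the server keeps the pending transaction alongside the code and discards the code on first use.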

Meanwhile, 53.4 million adults say they don't shop online at all, according to Gartner: 27.4 percent because they don't feel secure buying online, 53.2 percent because they didn't need to buy anything during the past three months, and 29.1 percent because they prefer other modes of shopping. So get to the mall early for that coveted parking place.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
