

Power Pay

As the 2006 holiday season looms, retailers consider bypassing credit cards in favor of more secure online payment options

Online purchasing showed double-digit growth last holiday season, for the third straight year. But one trend got lost in all the excitement: 30 percent of consumers actually decreased their online shopping, citing concerns about Internet security.

As they gear up for another big shopping season, retailers are searching for ways to get that 30 percent back. And one of their chief weapons will be online payment systems that don't require customers to type a credit card number into a retailer's online system.

"With the continued growth of identity theft, credit card fraud, and phishing scams, security on the Internet is more important than ever," says John Rogers, founder, chairman, and CEO of Pay By Touch, an online payment service. Working with UPEK, a vendor that makes a USB-capable fingerprint sensor, Pay By Touch earlier this week unveiled TrueMe, a biometric authentication service that lets users protect payments with a fingerprint.

Other experts agreed. "There is a strong perception out there that credit cards are not secure," says Marwan Forzley, president and CEO of MODAsolutions, which offers Secure-eBill, a service that helps consumers make retail purchases through their online banking systems.

Statistics support this conclusion. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. A June report by Javelin Strategy & Research says that 79 percent of consumers would buy more online if they had a more secure payment system. And Gartner and Jupiter Research estimate that there are still 80 million Internet users who don't buy anything online, many of them concerned about security issues.

"A substantial number of shoppers are still wary about e-commerce safety," says Diane Smiroldo, vice president of public affairs at BSA.

With so many potential sales at stake, it's not surprising that retailers -- and the technology vendors that supply them -- are experimenting with new, more secure methods of enabling consumers to pay online. One of the most novel approaches is TrueMe, a service that enables consumers and business users to verify their identities with a fingerprint before giving authorization for payment.

Using Pay By Touch's finger sensor -- which is already built into PCs such as Lenovo's -- or UPEK's finger sensor, which can be added via a simple USB connection, Pay By Touch is offering a service that lets retailers, banks, or businesses authenticate their regular users with a second, biometric factor. Information about the user is encrypted with the fingerprint, ensuring that only authorized users can initiate a payment, the companies say.

Retailers that are less cutting-edge are now accepting payments from a variety of other alternative payment systems. One of the best-known is PayPal, a service acquired by eBay last year. PayPal stores the user's bank account and credit card information in a single, secure account, then acts as a proxy for paying retailers or auction sellers online, without giving out one's account data to the recipient.

With Secure-eBill, MODA Solutions is doing PayPal one better, according to Forzley. Instead of paying online, the Secure-eBill service lets customers make a purchase and then get an online invoice, just as they would from their phone company or gas utility, he explains. Then the consumer can pay the bill using any online banking service, eliminating the need to put any account information out on the Web.

"For consumers, it's all about trust," Forzley says. "We think consumers trust their banks more than any retailer or online service."

Retailers that have tested Secure-eBill say it works. Big Al's Online, which sells supplies for aquatic hobbyists, has increased its customer base by 39 percent since adding Secure-eBill to its site, according to Dan Hamilton, director of e-commerce at the company. "Repeat order rates also have exceeded expectations."

Yet another company, Bill Me Later, essentially extends an automatic line of credit, enabling the consumer to make purchases online without giving out any credit card or bank account information. Bill Me Later uses online credit reports to authorize payments up to a certain level, basically giving the user a loan to make an online purchase. If the user fails to pay for the purchase on time, the service may be declined for subsequent purchases.

Use of alternative payment services is still nascent, as most purchases are still made through credit cards, experts say. Forzley says Secure-eBill only accounts for about 10 percent of the purchases made on its retailers' sites so far, but he expects that figure to increase.

None of these services is foolproof, however. PayPal already has seen a number of phishing scams, and others could be penetrated if an identity thief had the right information, critics say.

Still, the new systems may be more secure than asking users to input their credit card information. "Retailers want to increase their business online," Forzley says. "Alternative payment services are a proven way to do that."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
