Despite frequent server upgrades, e-commerce sites remain as open to
hacking as ever -- as witnessed by the continuous stream of headline-making viruses
hitting the Internet. Online merchants often use marketing strategies to ease consumer
fears, but it is ultimately technology that beats security threats.
Experts told the E-Commerce Times that hack-fighting weapons -- including
scanning software, firewalls, ID authentication and secure payment systems --
constantly are being devised and made available, but many commerce sites have uneven
records when it comes to employing these tools.
Many sites are still too small to invest the time and money needed to install
and maintain the latest security measures. But their lack of diligence could
cost them more in the long run, experts said.
"From a marketing standpoint, all commerce sites have an interest in
maintaining trust," said Gene Alvarez, senior program director for electronic business
strategies at Meta Group. "But for every positive
message, all it takes is one catastrophe, like a hacking incident, to damage confidence."
Lack of Urgency
Alvarez said a lack of urgency among site operators has been fostered in part
by consumer comfort with credit cards as the preferred mode of payment on the Web.
Consumers are accustomed to providing their card numbers via phone and mail for
purchases, and sometimes they do not worry about giving this information to Web sites.
But it is the unseen processes run on companies' back-end systems -- the ones
consumers do not interact with directly -- that create cause for concern about
vulnerability. Experts said consumers have little control over how their personal
information is used and accessed behind the scenes after it has been entered.
Yankee Group analyst Matthew Kovar
said some companies perform a finances-vs.-security balancing act by comparing the
cost of upgrading security with the cost to consumers if they do not upgrade.
For example, some sites decide that since the law limits consumer liability
to US$50 on unauthorized credit card purchases, they are not at severe risk in terms
of the number of purchases they process.
That bet sometimes does not pay off, but in many cases, sites find that current
security is doing the job, so they do not make improvements until
they are caught off guard.
Human Factors
In addition to financial considerations, Kovar said limited knowledge among
site operators often means that top security is not implemented.
"The real challenge is that there are few organizations with the right number
of people who understand all the technical issues," he said.
Kovar added that even well-updated security systems are subject to errors.
"Security is operated by humans, and it leaves them vulnerable to things that other
people can exploit," he said.
In many cases, site operators need not invest constantly in new
technology. Instead, they can make an effort to update security systems
for which they already have paid.
Lax About Updating
Paul Robertson, director of risk assessment for security services provider TruSecure, said many companies remain lax
about updating systems to combat the latest worms and viruses, even though there is
plenty of technology available to do the job.
Robertson said the industry is seeing a trend toward use of software that
provides automated security updates. Such software, which is used by companies
like Microsoft (Nasdaq: MSFT) and sold by several firms, can access updates on a regular basis
and can patch security holes that may have been discovered and corrected
since the last server system-maintenance check.
Many companies do not want to incur the expense and downtime involved in
updating security systems, but Robertson said frequency of updates is key when it
comes to keeping up with security threats.
"If you patch once a quarter, then you'll be way safer than the median
company," he said.
Some sites still make the mistake of placing credit and personal information
databases on the same systems as their Web servers. Robertson noted that eliminating this
practice could make many more sites safer.
Certification with Clout
Several commerce companies are having their systems certified by such companies
as TruSecure and VeriSign (Nasdaq: VRSN), then posting that certification publicly to put consumers
at ease. But experts note that such certification must be renewed regularly
for it to provide any real assurance.
Robertson said that although some see these initiatives as marketing tools, they actually
carry weight because the top security companies impose strict standards on sites wishing
to carry certification. For example, the standards include rules for frequent updating.
According to the experts, change will occur when consumers, including users of
business-to-business sites, demand better security as they spend more time and money
shopping on the Web. In this climate, sites will use real security precautions -- not
just marketing pitches -- as a badge to separate themselves from competitors.
"The fact that security awareness is high lets a lot of companies
differentiate themselves and generate a better sense of trust," Robertson said.
More by Lou Hirsh