Report: E-Commerce Sites Not Keeping Pace with Security Threats

Separate reports released Wednesday by research firms GartnerGroup and Deloitte & Touche show that while security dangers at e-commerce sites are on the rise, many organizations are failing to develop clearly defined policies to cope with consumer vulnerability.

According to GartnerGroup, high-speed Internet services are making it easier for hackers to break into systems. The research shows that digital subscriber lines (DSL) and cable lines inadvertently eliminate some of the built-in protections associated with slower Internet connections, as the slower connections make a hacker's presence more detectable.

Additionally, the report points out that the always-on nature of high-speed connections makes consumers easier to target. Slow-speed users reconnect on different IP addresses each time they log on, but always-on consumers have a constant address.

Fifty to 500 consumers usually share a single cable-based line, which makes it easier for hackers to break into various systems, according to the study.

GartnerGroup suggests that PC owners who use high-speed connections should use strong encryption and authentication software, while also undergoing periodic configuration audits and security scans.

Web Sites Make Security Low Priority

In the midst of continual questions about Internet security, most e-commerce organizations put security issues at a low priority compared with profitability, according to Deloitte & Touche's six-month survey of e-commerce companies. The low priority was shared by business-to-business (B2B) and business-to-consumer (B2C) sites.

The findings show that a majority of organizations are satisfied with their security, even though they do not take their vendors' security issues or policies into account. Paradoxically, the study also found that organizations view security as a major contributor to the growth of e-commerce.

"We have always believed that in order to maintain satisfaction with security, organizations must have clearly defined policies," said Steven Ross, project leader and director in the ERS practice at Deloitte & Touche. "We were surprised to learn that many do not."

Deloitte & Touche interviewed 150 participants from 46 countries around the world, and the firm also sent 250 written surveys.

Cross-Site Scripting Link Danger

In related news, the FBI, U.S. Defense Department and the Coordination Center of Carnegie Mellon University issued a warning Wednesday that a widespread threat called "cross-site scripting" can allow a hacker to launch malicious programs through links to popular Internet sites. The warning said the risk is so serious that even the largest and most successful Web sites are unable to completely protect consumers.

Though the warning was just issued yesterday, government organizations discovered the problem of cross-site scripting weeks ago. The danger involves computer codes that can be hidden within innocent-looking links to popular Internet sites. These links can be e-mailed to victims or posted in chat rooms and on Web pages.

Using the code, a hacker can capture the victim's credit card number or other sensitive information as it is passed to the popular site that the link is connected to. The code can alter information displayed in a consumer's Web browser, including account balances or stock prices. It can also capture and forward a Web site's "cookie," which allows the hacker to impersonate a consumer at the Web site.

The agencies are not aware of any victims as of yet. The warning cautioned users against using links from untrustworthy sources such as unsolicited e-mail or chat room links.

The experts also suggest consumers can prevent their Web browsers from launching scripts, but they also acknowledged that many sites require this function to operate.