For years, the vast majority of purchases made from e-commerce sites have relied on the same technology to keep them safe and protect consumers from identity theft.
Secure Sockets Layer, or SSL, has helped complete millions of Web transactions, often working without consumers knowing it. When an SSL connection is made, most browsers show a closed lock, a signal that a user has connected with a trusted source and that the transaction is safe from third-party hijacking.
Even in the fast-growing world of e-commerce, however, online identity theft and security issues remain a major concern, one that potentially could slow online sales growth over time.
More-secure options are available and have taken root in other parts of the world. U.S. shoppers, however, may be the last to embrace additional purchase authentication through the use of smart cards or digital certificates. In a recent keynote address at the RSA Security conference, Microsoft Chairman Bill Gates previewed a digital wallet approach that will be available when Vista hits shelves — the latest of several attempts to provide consumers with higher levels of security and confidence without additional passwords or other authentication requirements.
In an interview with the E-Commerce Times, Neal Creighton, the CEO of GeoTrust, said enhanced authentication is on the way, thanks to Windows Vista and slow but steady adoption of more-robust security approaches. He also said that his firm is helping to pave the way for secure mobile transactions as well.
GeoTrust secures about 30 percent of all online transactions, with the GeoTrust symbol appearing on hundreds of Web sites to testify that they are safe and trusted. The firm is an Equifax spinoff, a background that Creighton said makes it an ideal third party for verifying online identities and trust.
ECT: Your biggest competitor is VeriSign. What are the main differences?
Neal Creighton: This is all we do. We’re completely focused on verifying and securing online transactions. We think we are very good at it and do it at a much better price point and do it in a way that gives consumers the immediacy they want. They want things to happen now. If you went to Google and entered a search term and got results a week later, it wouldn’t be very popular.
ECT: How much intrusion will consumers accept in their online buying process to build in more security?
Creighton: The process should be transparent for the consumer. The whole experience should happen without any work on their side. The problem isn’t really hackers reaching in and stealing data that’s being sent to a trusted site. That is not really a major problem. The main issue has always been that the consumer doesn’t always know when they are on a safe site or not. Most of the major browsers in use — Microsoft and Netscape and the others — were designed a long time before phishing or fraud was a big problem on the Internet. Through SSL, they provide this great verification service, but the consumer doesn’t know when [they are] verified. Most of them don’t even notice the little lock in the browser. If you look at what Bill Gates demonstrated, you see that it becomes absolutely clear to people that they are on a safe, validated site.
ECT: So the lack of such a certificate will tell people the site may be a fake and set up for a phishing attack?
Creighton: Ninety-nine percent of the fraud happening online today is around people putting information on wrong Web sites, not hacking user IDs and passwords. A lot of folks do it because they think they are on a legitimate site. The new browser interface that Gates demonstrated will solve the vast majority of [those problems].
ECT: How will it work?
Creighton: Under the new user interface, when you go to PayPal, there will be displayed — and you will be able to see from five feet away from a computer — a green and gold bar stating whether the site is legitimate and has earned a trust certificate. That will be based on a site’s real-time status, and we’re constantly checking for any problem.
ECT: What role do GeoTrust, VeriSign and others play other than providing the SSL technology?
Creighton: GeoTrust, VeriSign — we’d hold the status of a site. We’d know in real time if it is a fraud site, and we can constantly be updating that based on reports that are coming in. The whole interface is based on SSL. We’re working together to come up with a high verification process, especially for those phishing-targeted sites such as banks, PayPal and eBay.
ECT: How long will SSL remain the dominant technology for securing purchases online?
Creighton: I think it will be around for a very long time. I see it being augmented, and this is a good example — the problem of putting information on the wrong site is solved through SSL and new interfaces. I do think that over time, you will start to see more and more two-factor authentication. With this technology, a site can show that it is valid and safe, and in the future, sites might start to demand that the consumer show some credentials as well. There may be an expectation of some sort of authentication on the other end — so a site knows that you are really who you say you are.
ECT: What form will that two-factor authentication take?
Creighton: I think it will take a variety of different formats. It’s a really interesting time in this market. A lot of vendors are talking about this area. In the consumer market in the U.S., I think the forms will remain very lightweight for a while, but you can see the direction it’s heading. RSA bought Cyota and VeriSign bought Snapcentric — right now they’re focused on watermarking — imprinting information on the consumer’s computer so that when they come back the next time, the site will know it’s the same person. Another version of that is to have consumers pick an image and basically authenticate themselves. The next time they show up at their bank, they will have to select that image and through that, [consumers are] verifying themselves.
ECT: Are smart cards for consumers on the horizon?
Creighton: You are seeing a lot more usage of digital certificates and smart cards — USB tokens and so forth — to authenticate business-to-business purchases, corporate banking, and for access to corporate networks. In Europe, consumers are already using smart cards much more. There definitely is a difference in the U.S. consumer market versus other areas. In the U.S., consumers want to have the least amount of distractions within a transaction. If they had a choice to use a smart card or have more lightweight authentication, most would choose the lightweight option.
ECT: What impact does the rise of mobile commerce have on this discussion?
Creighton: I think as more things converge, you can make it easy on a consumer. If everything is converged to one device, it makes sense to put the same kind of authentication stuff on them all. Mobile security has the advantage of having learned a lot from the PC environment. As phones turn into PCs, they’re actually ahead on security — to the point where phones are being shipped with certificate readers that will only let verified applications be loaded on a phone. You’re starting to see that on the PC side as well. The Vista release [of Windows] will have the public key infrastructure built deep inside. Over the next five years — eight max — you’ll see that deeply integrated into PCs, so that the code itself will be able to block 90 percent of viruses.
ECT: Do you see a future for GeoTrust in that world as well?
Creighton: We’re kind of the credit bureau of the new world. We’ve taken the concept out of the credit-scoring world, out of Equifax, and taken it over to the network. It fits perfectly.