Online retail has come a long way in the last few years. The consumer has done a U-turn on the "I'll never shop online" stance, with over a third of the U.K. regularly shopping online and online sales set to double this year, while many of the IT security issues of the past have been buried. In fact, the security experts say that consumers "can't lose" when shopping online, but for the businesses themselves it's a different story. The absence of denial-of-service attacks and teenage hackers may lure unwary online businesses into a false sense of security, but new threats are emerging that may require a rethink of your entire business plan.
David Love, chairman of the e-security group InterForum, said the big problem is that businesses are failing to recognize the main threat. "It's not the 16-year-old hackers with downloadable tools we're worried about now; it's organized crime cartels with sophisticated new methods and tools we're worried about. Organized crime is big business," he said.
Indeed, the experts say that many of the lessons of the past, taught to us by teenage hackers, no longer constitute a threat. In early 2000 the ebusiness world was knocked off its feet when one such teenage hacker, armed with simple tools he downloaded from the internet, managed to take out some of the biggest web sites in the world with a denial-of-service (DoS) attack. Amazon, eBay and Yahoo were just a few that suffered in this incident, and while millions of dollars were lost, the damage could have been a whole lot worse if there had been some real motive behind the attack other than gaining notoriety.
Peter Crowcombe, director of marketing for EMEA at firewall company NetScreen, said: "DoS attacks are a technique that is well and truly in the past. The latest challenges are not technological, but human-based, and this is where we have to keep pace." According to Crowcombe, DoS attacks are less of a threat today because the firewall is a very mature technology. "Most businesses know what a firewall is and most have one now. Intrusion detection systems are the next step in security because it is the most effective tool for dealing with the latest attack techniques without excluding legitimate users." Love added that security professionals are starting to see new techniques from the hacker underground. "We're looking at attacks we've never seen before, which means we need a new way to protect the system, across the whole spectrum."
This is where up-and-coming technologies such as IDS come into play. "We need to be able to see the whole threat spectrum to the network at a level of granularity that is relevant to the enterprise," said Love. "You should be able to look at the entire network in one glance and see what a number of different alerts mean, and whether they constitute a serious attack."
According to the experts, stealth attacks aimed at stealing information are now the biggest worry, rather than script kiddies out to deface a web site. "Commercial espionage is a big problem," said Love. "Billions of dollars are lost each year, but no one is clued up about the threat. One example might be a company that gets beaten to the bid by a rival in a contract tender, because that company managed to get its hands on certain information." He added that companies are also terrified of research and development espionage, particularly in the pharmaceutical industry, and in sectors such as the City and the financial markets.
But NetScreen's Crowcombe explained that security firms are now focusing on the more human aspects of hacking, such as social engineering, rather than on technological threats. In the first few months of 2003, online retailers were targeted by a rash of social engineering attacks built around credit card scams. These attacks target human rather than technical weaknesses. In recent weeks Amazon and Barclays Bank customers have been targeted by email messages asking them to log on to a fake web site and re-enter their user names and passwords or credit card details.
Analyst firm Gartner estimated that over $500m was lost in the U.S. over last year's Christmas period alone, due to fraud and suspect transactions; fraud in the U.K., however, is still largely offline. Gartner also said that online merchants are not getting the help they need from credit card insurers to prevent fraud, and advised that merchants carry out real-time checks and flag suspect transactions for manual review. If money is lost, chargebacks should be made to the card issuer.
"If you're a consumer shopping online you really can't lose," said NetScreen's Crowcombe. "The ebusiness industry has done a good job of making sure it's insured. If your credit card is used fraudulently online, you know you can claim the money back from your bank." This attitude could also be behind the rising confidence of consumers with regard to online shopping. The Royal Mail advises web users to check their payment card statements carefully and reminds them that they have at least 90 days to report a suspect transaction. If a credit or debit card is used fraudulently, the card company must refund the victim.
Nigel Moore, Royal Mail's marketing director for home shopping, said: "The growing popularity of online shopping is certainly testament to the fact that many consumers have overcome their initial fears about security and the ability to deliver and that many retailers are now offering a wide range of flexible delivery options to suit the needs of consumers." Commenting on the figures revealed in the IMRG report, James Roper, chief executive of IMRG, said that "within a few years, broadband internet will be as common in European homes as the telephone is today, and shopping online will be considered a normal, safe, everyday activity." But this is because security isn't something the consumer has to think about. "You can't put security requirements on the consumer, it all has to be your own system," said Crowcombe. "But you need technology and policy to go hand in hand. If you just throw technology at the security problem you won't get very far."
This is where good security policy comes in, and according to InterForum's Love, IT security is now more of a business issue than a technical one. "Security today, it is all part of enterprise management, whereas it used to be carried out in piecemeal and point solutions. We used to have one solution for every problem – if you had 15 points to deal with, you had 15 solutions and you would check the integration of each product," he said. "But now enterprises need to understand the necessity of integrated security architectures to provide protection against sophisticated attack." Love said that security is part of the company itself, reflected by the fact that security decisions are now largely made by the board of directors. "Shareholder interest requires companies to look at security as part of company management."
If you gain an insight into the role of security within enterprise management and the benefits it delivers to your organization, you can do it at a reduced price and do away with piecemeal provisioning, said Love. But if the industry starts on a healthy climb again, more qualified people will be needed to meet the demand. "If you think we've got problems with security today, just wait until the economy takes off again; there just aren't enough trained people out there," he warned.
Jane Murphy, portfolio director, Networks for Business