Almost a third of website visitors consider online shopping to be insecure and unsafe. A recent report published by the UK’s Office of Fair Trading found that 30% of internet users would not hand over their credit card details. The report concluded that consumer confidence is growing, but it’s occurring at a slow rate. Online trading could be held back for many years, especially when UK online sales are twice as high as the European average.
The issue of trust is not helped when large-scale security problems are covered in the press. In the past few days, Albert Gonzalez and two unnamed Russian assistants have been charged with breaking into systems run by Heartland, an online payment provider for several large retailers including the 7-Eleven chain. Prosecutors have accused the hackers of stealing the details of up to 130 million credit cards with the intent of selling the data. If convicted, Mr. Gonzalez could receive a 25-year jail sentence.
Embarrassingly for the shops concerned, the credit card details were accessed using a SQL injection attack. Although the Department of Justice states this is a “sophisticated hacking technique,” developers have been aware of these attacks for many years. Whilst no system can ever be 100% secure, SQL injections can normally be thwarted with rudimentary data sanitization and securely-formed SQL commands.
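To show what “securely-formed SQL commands” means in practice, here is an added example (not code from the article or from any of the companies it mentions) that puts a string-concatenated query beside a parameterized one, with a small allow-list check in front as the “rudimentary data sanitization” layer. The `orders` table, its rows and the `card_last4` column are constructed for the demonstration; the database is an in-memory SQLite instance, so it runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    # The SQL text is built by concatenation, so whatever the visitor typed
    # becomes part of the command itself rather than a value it compares against.
    sql = (
        "SELECT customer, card_last4 FROM orders WHERE customer = '"
        + customer
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    # Parameterized query: the driver passes the value separately from the
    # statement, so the input can only ever be treated as data.
    sql = "SELECT customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def is_valid_customer_name(name):
    # Allow-list validation as defence in depth in front of the query:
    # accept only short names made of letters, digits, dots, underscores and dashes.
    if not 1 <= len(name) <= 32:
        return False
    return all(c.isalnum() or c in "._-" for c in name)


if __name__ == "__main__":
    conn = make_db()
    # A constructed input that closes the string literal and appends a clause.
    tricky = "x' OR '1'='1"
    print("concatenated query:", lookup_vulnerable(conn, tricky))  # every row leaks
    print("parameterized query:", lookup_safe(conn, tricky))       # no rows
    print("passes allow-list:", is_valid_customer_name(tricky))    # False
```

The parameterized form alone stops the leak; the allow-list check is there so that a malformed name is rejected before it ever reaches the database, which also gives you something cheap to log and alert on.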
Hacking “success” stories have an immediate impact. 7-Eleven’s online sales have certainly been affected, but the case will have a domino effect throughout the web.
In general, web shopping is safer than handing over your credit card to another person. However, when online security issues do occur, the consequences are far greater: they affect many more people, and the theft receives substantial press coverage.
The fact remains that a large proportion of users do not trust the web. Online shopping will never reach its full potential unless we tackle that problem effectively.
Have you been a victim of credit card or identity theft on the web? Do you trust online stores? Should payment providers be more accountable for basic security breaches?