Security Concerns Cloud Online Shopping

Computerworld - The big increase in online sales that is expected this holiday shopping season comes amid what appears to be unprecedented consumer concern over data privacy, online fraud and identity theft.

The results of a new survey of 1,005 consumers released last week show that although 78% of U.S. Internet users plan to shop online this year, more than 69% of those shoppers will limit their online purchasing because of concerns associated with the safety of their personal information.

The survey was conducted by Truste , a nonprofit privacy organization in San Francisco, and market research firm Taylor Nelson Sofres PLC in New York. More than 40% of the respondents said that privacy-related concerns would deter them from purchasing from smaller online retailers. About 22% said they won't be purchasing online at all. The survey was conducted online between Oct. 27 and Nov. 1.

"There's definitely a reason for both consumers and merchants to feel more concerned" about data security and privacy issues compared with previous years, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

Assessing the Risks

For consumers, the biggest risks come from hackers' increasing use of keystroke- logging and password-acquisition tools, Pescatore said. Such remote access tools let cyberthieves capture sensitive information, such as credit card numbers, from consumers who are conducting business online, he said.

A Gartner study conducted in March showed that despite a higher awareness of phishing scams, a large number of consumers continue to be fooled into visiting Web sites that download such hacker tools, Pescatore added.

And it's not only consumers who need to be wary about the increasing proliferation of such tools. Companies whose employees use corporate systems to buy online should also be concerned, said Charles King, a product manager at Blue Coat Systems Inc. , a Sunnyvale, Calif.-based security vendor.

According to King, the encrypted connections between employees and the shopping sites they go to can often be used as a conduit for spyware, bot programs, viruses and worms. Such encrypted sessions are often allowed to pass through untouched to employees' PCs, raising all sorts of security issues, he said.

"Encrypted communications are agnostic. It doesn't tell you if the traffic is good or bad," said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. So companies need to have controls in place—such as proxies to terminate Secure Sockets Layer traffic—to ensure that employees' shopping behavior doesn't pose a security risk, he said.

The results from the Truste survey appear to reinforce the findings of other recent surveys.