E-Commerce News - a Roundup of all the Current News Items, Newest First


A Summary of E-Commerce News and Topics on Compliance and Privacy


Romanian Scammers hit TradeMe Milestone

The criminal group responsible for numerous phishing scams on TradeMe hit a milestone on Saturday August 18th, 2007. Internet watchdog group ScamBusters reports that the number of hijacked TradeMe accounts used by a Romanian gang to place fraudulent listings on the site in the past eighteen months has now reached a total of one thousand.

“That's a lot of compromised accounts” says spokesman Alf West. “And they're only the ones that we've recorded. These criminals have many more accounts waiting in the wings, ready to use.”

ScamBuster Peter Andersen has been collating the hijacked accounts and auctions. “The thousand TradeMe user accounts identified as being hacked in the past eighteen months have been used to run 3,391 fraudulent auctions” he says, “all for non-existent items.”

Read the article


New Research Reveals Consumers Delay 34+ Hours Between the Click and the Purchase

A new ScanAlert research report, revealed exclusively to MarketingSherpa for publication this morning, shows that consumers now delay on average 34 hours and 19 minutes between the time they first click to an ecommerce site and the time they finally buy something there.

So, any marketer who measures conversions solely by click-to-immediate-sale is blind to the vast majority of his or her success.

But, the bigger news broken in this report is stunning trend data. You see, back in 2005 when the study was conducted for the first time, consumers took an average of 19 hours to convert. Over the past two years, that delay time has risen by 80%. So, more consumer comfort in shopping online equals *longer* conversion cycles. That's something I don't think any of us ever predicted would happen.

read Marketing Sherpa's exclusive article


Cyber Criminals Rely On Mind Games To Scam Internet Users

McAfee Study Offers Insight into Psychological Tactics Used in Online Scams

McAfee, Inc. (NYSE: MFE) today (25 June 2007) announced the results of a groundbreaking study that details the psychological games and other tactics cyber criminals use in social engineering scams propagated through junk email. In the study titled "Mind Games," the primary author, Dr. James Blascovich, Professor of Psychology at the University of California, Santa Barbara, offers analyses of multiple common scam emails and provides surprising insights into how cyber criminals use fear, greed and lust to methodically steal personal and proprietary financial information.

The same psychological practices used by cyber criminals were also investigated in a European report, commissioned by McAfee(R) in association with leading forensic psychologist, Professor Clive Hollin, based at University of Leicester in the United Kingdom.

"Scam spam works best by providing recipients with a sense of familiarity and legitimacy, either by creating the illusion that the email is from a friend or colleague, or providing plausible warnings from a respected institution," Dr. Blascovich noted. "Once the victim opens the email, criminals use two basic motivational processes, approach and avoidance, or a combination of the two, to persuade victims to click on dangerous links, provide personal information, or download risky files. By scamming $20 from just half of one percent of the U.S. population, cyber criminals can earn $15 million each day and nearly $5.5 billion in a year, a powerful attraction for skillful scam artists."

Read the article


UK extends ecommerce directive to terrorism laws

Regulations come into force this week that explain how and when a foreign company can be brought to justice in the UK over blog postings that encourage terrorism. The regulations integrate Europe's ecommerce laws with the UK's Terrorism Act.

The Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007 were laid before Parliament on 31 May and come into force on 21 June.

The Terrorism Act 2006 is already in force. It created offences relating to the encouragement of acts of terrorism and the dissemination of terrorist publications. The Act contains a notice and takedown regime that applies to all website operators. If a person posts any remark to a blog that encourages an act of terrorism, a police constable can serve a notice on the operator of the blog requiring the removal of the offending post within two days.

Failure to comply within the two-day period, in the absence of "reasonable excuse", means the operator will be deemed to have endorsed the post and its directors could face up to seven years in prison.

Read more in The Register


Privacy: Do online shoppers care?

Would you pay a little more for that book you bought online if it meant lowering your chances of being hassled by marketers, spammers and hackers?

Researchers at Carnegie Mellon University believe consumers will pay more per item online to protect their private information, according to a paper presented at the 2007 Workshop on the Economics of Information Security.

The Carnegie Mellon Usable Privacy and Security Lab (Cups) monitored the habits of people ranging in age from 18 to 71 who were given money and instructed to buy certain items online while using the search engine PrivacyFinder.org.

PrivacyFinder.org, a search engine developed by Cups, evaluates a website's privacy policies according to the Platform for Privacy Preferences developed by the World Wide Web Consortium. It displays a site's rank alongside search results.

Read more on Silicon.com


Protect Your Ecommerce Customers From Identity Theft

There will be $24.3 billion in online transactions this holiday season; this will undoubtedly be accompanied by an equal rise in the number and type of attacks against the security of online payment systems and against ecommerce consumers. Some of these attacks will utilize vulnerabilities that have become noticeable in the third-party components utilized by websites, such as shopping cart software. Other fraud attempts will most likely use vulnerabilities that are common in any web application and can allow a knowledgeable hacker to penetrate the defenses of an ecommerce host webserver.

There are also the more popular electronic fraud techniques of "spoofing" and "phishing." This activity is on the rise with growing numbers of phishers sharpening their talents, producing quite convincing e-mails and dummy notices from ecommerce web sites; the number of consumers victimized using this method is increasing rapidly. Ecommerce website merchants have a clear mandate to exercise due diligence by doing everything possible to protect their hard-won customers from identity theft.

Read more at ISEdb.com


Web Hosting Watch: Network Security

Hackers are getting smarter; security threats are evolving. So what are the bigger Web hosts doing to protect servers and customer data from third-party Internet villains?

TopHosts.Com spoke to two mega industry players to find out how they view the current state of Web hosting security, and what weapons they hold to combat the delivery of malicious code, spyware and denial of service (DoS) attacks.

Bill Warburton, director of product management for EarthLink Business Solutions, says the job of all Web hosting companies should be to keep pace with hackers and, if possible, to stay one step ahead. While security threats and hacking methods grow in complexity, defense technology and expertise are making strides on the providers' side as well.

Read the TopHosts.com article


Verisign plugin brings green address bars to Firefox

Verisign Inc. has brought a new technology, used to identify trusted Web sites, to the Firefox browser.

The Internet services vendor has released a Firefox plugin that will show the same type of green address bar that is displayed by Internet Explorer 7 when it lands on certain highly trusted Web sites that use Extended Validation Secure Sockets Layer (EV SSL) certificates.

Companies such as Verisign, Entrust Inc., and Network Solutions LLC have been issuing these certificates since late 2006, but browser makers have been slower to adopt them. They were adopted by Internet Explorer 7 in late January, and Firefox is expected to support the certificates in Firefox 3.0, expected late this year.

Read the NetworkWorld article


eBay expands PayPal buyer protection scheme

eBay Australia has put its payment scheme PayPal at the centre of its buyer protection initiatives, doubling the amount it will pay back to customers for dodgy transactions involving a PayPal payment and extending the scheme to low-value transactions and new sellers. At the same time, the auction company's eBay-branded protection scheme will be phased out.

From June 7, eBay will refund up to $3,000 if a buyer pays for goods using PayPal and becomes involved in a disputed transaction. Previously, the limit was $1,500. Typical causes of disputes include failure to deliver any goods at all, or items differing hugely from their online description.

Sellers only qualify for the full protection scheme if they have more than 50 feedback messages and a 98% positive reputation. However, transactions with sellers falling under those thresholds will still be covered for up to $400, including postage costs.


The lower value scheme will replace eBay's existing buyer protection scheme, which included a $25 administration fee, making it useless for smaller purchases. It also establishes PayPal as the only means of payment with any form of eBay-backed guarantee. "The company will no longer be providing coverage when a person pays through other means," eBay trust and security director Alastair MacGibbon told iTWire.

Read the ITWire article


PayPal security measures help stamp out fraud

PayPal's 133 million online customers are the biggest ocean phishers have to plunder. CISO Michael Barrett wants to make it safe to be in the water; and he's not going at it alone. Backed by PayPal's sophisticated fraud models and help from ISPs and browser makers, Barrett is succeeding in protecting the most-spoofed brand on the Internet.

Can you quantify losses due to phishing for PayPal?
Michael Barrett: Forty-one basis points is the total fraud number [on PayPal's fraud model], and we don't break out where phishing is in that overall mix. I will say: it isn't very high on that list. That's one of the issues here; there is a perception there is a huge problem, whereas the financials don't indicate that. Part of the issue is there's been a certain amount of hype about the magnitude of the problem from a financial sense. I don't at all discount the perception impact, but I don't think the financial impact is what some elements are saying it is.

How does PayPal defend against phishing?
Barrett: One of the back-end defenses we have is a lot of fraud modeling. It's very advanced, and it's resulted in extremely low fraud rates compared to the rest of the financial services industry. We've gotten very good detecting fraud on the back end, so what's [the phishers'] response? They generate more mail on the front end.

Read the full interview at Search Security.com


When Is It Time To Hire A Call Center?

More business is a good thing, but it creates challenges: A backlog of tasks, costly space and equipment demands and, frequently, a phone that won't stop ringing. Many ecommerce business owners turn to customer call centers for help.

That was the case for Revival Animal Health of Orange City, Iowa, a supplier of small animal products. The 65-employee company's growth meant more phone calls from its customer base of breeders and pet owners than its on-site call center could handle. Customers who called after hours and on weekends had to talk to the answering machine.

"It was hard to find people in our community to work on Sundays," said business analyst and accounting/IT manager Karen VandenBrink. It was time for Revival to consider an outside call center.

For most business owners, the switch to a call center is not so much a choice as something thrust upon them, said National Call Centers' executive director David Butler.

"Suddenly every person seems to be spending all their time on the phone," he said. "The whole staff becomes a mini call center. It stops people from doing their work." That's a poor use of time and expertise, said Sharon Rogers of Midco, an inbound customer call center based in Sioux Falls, S.D.

Read the article in Practical eCommerce


Phishing fraudsters widen net

The number of banks targeted by phishing attacks sky-rocketed in March, according to new figures from the ‘war-room' of RSA Security, the security division of EMC.

The security outfit's Monthly Online Fraud Report found that 202 banks were struck by cyber-criminals last month, a “dramatic increase” on the 153 attacks recorded in February.

Some ten per cent of brands attacked were located in the UK, placing the country second in the rankings behind the US, which hosted a whopping 73 per cent of attacks.

Read the CRN article


Merchants Advancing Slowly on Data-Protection Efforts

Merchants are taking a harder look at complying with industry standards to safeguard credit card data, according to a study released April 16 by RSA, the Security Division of EMC.

Of those surveyed, 68% have made moderate progress in complying with Payment Card Industry standards. Another 10% have made significant progress. About 47.5% of respondents reported they are PCI compliant.

PCI standards were created by American Express, Discover Financial Services, JCB International Credit Card Co., MasterCard Worldwide, and Visa International in 2004 to protect customers’ credit card data through its lifecycle. The standard was most recently updated last September.

"The [PCI] guidance has very specific requirements," said Dave Howell, Solutions Manager at RSA, a security-technology vendor. "It’s very prescriptive, with more than 230 requirements."

Read the BankNet 360 article


Popular Web Sites Highly Vulnerable to Attack

Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.

WhiteHat Security regularly scans hundreds of "very popular, very high-traffic sites" for its online business customers, says Jeremiah Grossman, the company's founder. "More than likely, you have shopped there, or bank there," he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.

Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites' programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.

Read the PC World article


Online consumers not scared off by cyber criminals

Research from BT with support from the University of Plymouth and part funded by the DTI, indicates UK citizens are not ICT risk-averse

UK consumers are not as risk-averse when it comes to using online services as previously thought, according to recent research conducted by BT.  Despite daily warnings about security threats and cyber-criminals, people are willing to take risks online, as long as they feel informed, and it is clear how consequences will be addressed.

According to the findings from the Trustguide report, which was a collaborative research project by BT with support from the DTI, people use specific online services not because they trust them, but because they believe the benefits outweigh the risks.  Government and private industry must therefore take responsibility for educating and reassuring the public that safeguards are in place, if they are to succeed with e-Government and e-Commerce initiatives. 

As a long-standing target for fraudulent activity, the banking industry has been particularly robust in communicating security measures to customers using internet banking services and, in many cases, guaranteeing to refund victims.  Consequently, it has been successful in attracting customers online. Recent figures from Apacs show that the number of UK customers using Web banking services has outstripped those using telephone banking for the first time.

Read the article


Australia - Local security for other nations

Security experts believe Australia's geographical isolation represents an opportunity to offer secure online services to nations with poor reputations for security.

John Debrincat, managing director of leading eBusiness solutions provider eCorner, said Australian eCommerce currently lags the more mature European and US markets by two to three years, and that means the industry can learn from their mistakes and improve our success rate.

Debrincat believes Australia's low profile and the fact that the country has only a few highly secure conduits for online traffic in and out of the country gives us a far greater ability to control and protect users than Europe, North America or parts of Asia.

Read the SC Magazine article


Phishing Sinks Confidence in E-Commerce - Gartner

Consumers, fearing ID theft, are more cautious about shopping online.

Consumer confidence in the security of their online transactions is slipping due to the growth of phishing-related fraud and identity theft, Gartner reports. As a result, consumers are curtailing their online purchases.

Phishing is the sending of an e-mail by cyberthieves with a link to a fake website that is disguised to look legitimate, in order to lure recipients into divulging personal information. Gartner estimates that 73 million adults who use the Internet received a phishing e-mail between May 2004 and May 2005, and that 2.4 million online shoppers lost money as a direct result of phishing.

Most of the losses were repaid by banks and credit card companies. Nevertheless, 75 percent of the 5,000 online consumers who Gartner surveyed said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them.

Read more in CIO India


TRUSTe and Ponemon Institute Announce Results of 2007 Most Trusted Companies for Privacy Study

Overall and Industry-by-Industry Rankings Rate Top Performing Commercial and Government Organizations

TRUSTe and the Ponemon Institute have announced the results of the 2007 Most Trusted Companies for Privacy Study, an annual evaluation of how consumers perceive organizations that collect and manage their personal information. The 2007 Most Trusted Companies for Privacy Study ranks companies and federal agencies industry-by-industry as well as providing a list of overall top performing companies.

TRUSTe and the Ponemon Institute are hosting a webinar discussing the Most Trusted Companies for Privacy Study from 1:00pm – 2:00pm EDT / 10:00am – 11:00am PDT today (28 March, 2007). To register for the live event, visit http://www.truste.org/mtc_webinar.php.

Overall, the top three rated companies for privacy trust in 2007 are, in order, American Express, Charles Schwab, and IBM. In 2006 the top three companies were American Express, Amazon, and Procter & Gamble. Previous years' winners have included E-Loan, Hewlett-Packard, and eBay.

Read the article


Online fraudsters ‘sting' users for £875 - Get Safe Online

Internet users who have experienced online fraud lost an average of £875* each over the past twelve months, according to “Internet Safety: The State of the Nation,” research by the government and industry online safety campaign, Get Safe Online.

A survey of UK internet adult users – who number 29 million – found that 12% (almost 3.5 million people) had experienced online fraud in the last year.  In that time, 6% of all internet users (1.7 million people) suffered fraud while shopping online, 5% (1.5 million) experienced another form of general online fraud and 4% (1.2 million) were subject to bank account or credit card fraud as a result of activity online (some users experienced more than one of these).

The rise in online fraud comes as UK internet activity has risen dramatically.  The report found that 93% of internet users now use the web daily and that, on average, we each spend £1,044 per year buying goods and services on the web – equivalent to £30 billion for the UK online population as a whole.

Read the article


Phishing scams more costly than bank robberies

Although bank robberies are a perennial threat to banks, their employees and their customers, the increasingly sophisticated and accessible high-tech fraud tactics used by cyber criminals are a greater - and growing - threat to a bank's bottom line.

In a bank robbery, especially in the unusual case where the whole bank is taken hostage, a situation The Mechanics Bank encountered when its Point Richmond branch was robbed in November, the bank's main concern is safety. The amount of money taken typically is fairly small and will not dent a bank's bottom line. Further, bank robbers are apprehended in almost 58 percent of cases, according to Federal Bureau of Investigation statistics. Only murder has a higher rate of clearance by arrest.

That's a stark contrast to checking account fraud, which cost financial institutions $2.4 billion over one 12-month period that ended in 2004, according to a study by research firm Gartner Group. A portion of those losses was caused by "phishing," a scam in which crooks use fraudulent e-mails and Web sites in an effort to entice consumers to give up personal and account information. Since 2004, phishing attacks have grown exponentially.

Not only are the losses greater, it's also harder to catch a cyber thief; investigators often find themselves chasing a ghost who may have put up a fake Web site for just a couple of days. When it comes to financial losses, bad loans, unscrupulous employees, check fraud and identity theft are far more worrisome for banks than robberies.

Read the article in MassLive.com


Card fraud losses continue to fall 

  • Total card fraud losses fall from £439.4m in 2005 to £428.0m in 2006
  • Card fraud losses at UK retailers fall by 47%
  • Online banking fraud increases from £23.2m in 2005 to £33.5m in 2006
  • Cheque fraud losses fall from £40.3m in 2005 to £30.6m  

2006 fraud figures released today (14 March 2007) by APACS, the UK payments association, show total card fraud losses fell by three per cent in the past year to £428m – a decrease of nearly £80m over the past two years. This fall has been driven by a 13 per cent decrease in UK domestic fraud and the combined reduction of more than £45m in mail non-receipt and lost and stolen fraud.

Credit and debit card fraud losses on UK-issued cards split by fraud type

| Fraud Type | 2006 (+/- change on 2005) | 2005 | 2004 |
|---|---|---|---|
| Counterfeit (skimmed/cloned) card fraud | £99.6m (+3%) | £96.8m | £129.7m |
| Fraud on stolen or lost cards | £68.4m (-23%) | £89.0m | £114.5m |
| Card-not-present fraud (phone/internet/mail) | £212.6m (+16%) | £183.2m | £150.8m |
| Mail non-receipt | £15.4m (-62%) | £40.0m | £72.9m |
| Card ID theft | £31.9m (+5%) | £30.5m | £36.9m |
| TOTAL | £428.0m (-3%) | £439.4m | £504.8m |
| Contained within this total: | | | |
| UK retailer (face-to-face transactions) | £72.1m (-47%) | £135.9m | £218.8m |
| Cash machine fraud | £61.9m (-6%) | £65.8m | £74.6m |
| Domestic/International split of total figure: | | | |
| UK fraud | £309.8m (-13%) | £356.6m | £412.3m |
| Fraud abroad | £118.2m (+43%) | £82.8m | £92.5m |

The introduction of chip and PIN has made it more difficult for fraudsters to commit card fraud in the UK, with losses at UK retailers falling by £146.7m over the past two years. However, criminals are still targeting our cards with the aim of copying the magnetic stripe data. They use this data to create counterfeit magnetic stripe cards that can potentially be used in countries that haven't upgraded to chip and PIN. This has caused the increase in fraud abroad losses over the last 12 months.

Read the article.


Bank of England issues new £20 note - APACS gives an overview of Britons' use of cash

To coincide with the Bank of England's launch today (13 March) of a new £20 note featuring economist Adam Smith, APACS - the UK payments association – gives an overview of how we use cash and how this has changed in recent years. APACS figures show that although plastic card payments are increasingly popular, Britons show no signs of abandoning cash any time soon.

Cash still accounts for more than six in ten (63 per cent) of all day-to-day payments by volume, and the £20 note is one of the most popular denominations of them all – accounting for 66 per cent of all notes dispensed by British cash machines in the last quarter of 2006.

read the article


McAfee SiteAdvisor maps risky Web domains

A map unveiled this week by McAfee and based on data from its SiteAdvisor service paints Russia and Romania deep red as the countries whose domains are most likely to host "drive-by" exploits.

McAfee SiteAdvisor, a free-of-charge plug-in for Internet Explorer and Firefox, rates sites on several criteria, including dangerous downloads, spam tendencies and hosted exploits. It then posts green, yellow and red icons on search results obtained from Google, Yahoo or MSN.

McAfee applied the results of its site scanning to come up with the Flash-based map, which will be updated monthly.

"When it comes to safety, it turns out that the Web is no different than the physical world. There are safe neighborhoods and safe Web domains, and then there are places no one should ever visit," said Mark Maxwell, a McAfee senior product manager, in a statement.

Read the ComputerWorld article


Edinburgh Sheriff finds spammer liable for over £1300.

In what is believed to be the highest damages award an individual has received in the UK and thought to be the first case in Scotland, an Edinburgh man has successfully claimed damages from a sender of unsolicited commercial email.

Gordon Dick was granted decree in Edinburgh Sheriff Court against Transcom Internet Services Ltd (Transcom) of Henley-on-Thames. The judgement, in January, awarded Mr Dick damages and, unusually for a small claim, lifted the normal £75 cap on expenses the defender was ordered to pay.

For receiving spam email from Transcom, the court awarded Mr Dick:

Damages: £750 plus 8% interest per annum from 10th May 2006 until paid
Expenses: £618.66
Total £1368.66 (plus interest)

If all 72,000 recipients of this particular spam were eligible to claim the same damages, then the spammer's bill could total over £54,000,000!

Read the article


PayPal CISO outlines antifraud strategy

PayPal has 133 million customers that use its Internet-based money-transfer service, which handled US$37 billion in transactions last year. Michael Barrett, who is CISO at the eBay subsidiary, recently spoke with Network World senior editor Ellen Messmer about new approaches PayPal is taking to combat online fraud.

Almost every day I get a fake PayPal e-mail that's obviously a phishing scam. How do you deal with this phishing fraud or even use e-mail to communicate with PayPal customers?

There's a lot of spoofing of eBay.com and PayPal.com. We get e-mail from customers asking questions about this and other topics and we respond within 15 minutes. We use our own Web-based e-mail to communicate. The problem with phishing and spoofing generally is there's no magic bullet. So it's classic defense in depth.

How much fraud hits PayPal each year?

As a class of operational loss, it's 0.41 percent. In the industry, that's known as 41 basis points, which is pretty low. When our customers are victimized, their user ID and password are compromised, we compensate them.

What are some of your defensive strategies?

If the consumer never actually saw the phish e-mail, it's hard for the criminal to victimize you. We're working with people who make e-mail clients and the ISPs, such as Yahoo, MSN and AOL, on a technical strategy that says if the e-mail is not signed by us, drop it. We're having good discussions, but we have nothing to announce now.

Read the Computerworld article


Are 'Sealed' Websites Any Safer?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

Read the article in Dark Reading


IE7 gives green light to trusted websites

Microsoft has quietly flipped the switch on a new feature in Internet Explorer 7 meant to combat phishing scams.

The software giant in early January made a change on its computer systems that allowed websites fitted with a new type of security certificate to display a green-filled address bar in Internet Explorer 7 (IE7), Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

"We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place," Diorinos said. Microsoft plans to promote the green bar at next week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft chairman Bill Gates.

The coloured address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of Overstock.com and VeriSign.

VeriSign has about 300 customers, including online retailer Overstock.com, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating websites at the RSA Conference, he said.

Read the article in Builder.au


PayPal acts to stamp out phishing attacks

PayPal's decision to introduce an optional two-factor authentication system highlights the increasing concern of banks and online payment organisations over phishing.

The amount of money lost to online banking fraud in the UK increased 55 per cent to £22.5m in the first half of 2006, according to figures from banking industry body Apacs – and all the signs indicate this amount will continue to rise.

Most phishing emails now target PayPal and eBay customers, largely because they are such a huge demographic – 123 million customers at the end of 2006 – but also because PayPal is designed to make it easy to move money around, predisposing it to being phished.

Surprisingly, however, phishing is not a large financial problem for PayPal or its customers.

Michael Barrett, chief information security officer at PayPal, says the problem with phishing has more to do with perception than reality.

"Financially, phishing is not even in the top five of categories that we suffer from fraud-wise. But when you say you work for PayPal, people say: 'Oh I get all these emails from you. What are you doing about that?' People perceive that there is an issue, so there is an issue," he said.

Customers receiving phishing emails lose confidence, so PayPal's two-factor efforts should help with some of these worries.

Read the IT Week article


New E-Commerce Identity Tag Makes Online Debut

A long-promised technology for helping consumers verify the legitimacy of commercial Web sites made its debut on the Internet Friday: Visit online security company Entrust's login page with Microsoft's Internet Explorer 7 Web browser and you'll notice that the address bar has turned from white to green. Though when Compliance and Privacy looked first the greened page was reserved for the page when the seal is clicked. All functions now, though.

Entrust's site appears to be the first to feature what are being called "extended validation certificates," a development that is equal parts technology, process and collaboration. It comes in response to an epidemic of phishing attacks, or online scams in which bad guys erect Web sites that impersonate trusted e-commerce and banking sites in order to trick users into revealing personal and financial data.

Read the article in the Washington Post


PayPal users to get pass-code device

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle against data-thieving phishing scams.

A PayPal spokeswoman said: "If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code. This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."

The "PayPal Security Key" will cost $5 for personal PayPal accounts but will be free for business accounts, the spokeswoman said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she added. As of 30 September, there were nearly 123 million PayPal accounts, according to eBay.

Read the article on Enterprise Security Today


Google blacklist sheds light on phishing tactics

An analysis of Google's blacklist of suspected phishing sites found that eBay, PayPal and Bank of America together account for almost two in three (63 per cent) of suspected scam sites.

Security researcher Michael Sutton also discovered that Yahoo! hosts a significant number of bogus websites - as identified by Google's blacklist - that try to trick surfers into handing over Yahoo! login credentials. Information from the list is used by anti-phishing technology within the Firefox 2 browser and by the Google Toolbar for Firefox.

Sutton found that 83 per cent of sites detailed on the list are no longer available. By their nature, phishing websites have a rapid turnover, but Google's blacklist, and other such initiatives, undoubtedly help CERTs and other net defenders to identify and remove bogus websites more quickly.

Most of the websites contained in the list use social engineering techniques. Spam emails promoting these sites, often posing as security checks from recognised online firms, attempt to trick users into handing over login credentials. Sutton found little evidence of sites that attempt to use software vulnerabilities to swipe passwords from surfers.

Read the article in The Register


Opera Software Teams Up To Provide Anti-Fraud Protection

Opera Software announced the latest release of its popular Web browser, Opera 9.1, which includes a new Fraud Protection feature. The protection includes technology from GeoTrust and PhishTank. GeoTrust, which was acquired by Verisign in September 2006, is the world's second largest digital certificate provider and also the maker of the TrustWatch toolbar and search extension that helps alert users to potentially malicious Web sites. PhishTank is a collaborative effort that acts as a clearing house for information about phishing sites.

Read the article on Windows IT Pro


'Safe' Web seal hard to earn

Beginning now, version 7 of Microsoft Corp.'s Internet Explorer browser will start flagging certain e-commerce and banking sites as green for ''safe.'' The browser will look for an extended-validation certificate issued by any number of vendors.

To qualify, vendors such as VeriSign Inc. and Comodo will be required to make extensive checks before approving such certificates. They also will have to undergo independent auditing through WebTrust, a service run by trade groups for certified public accountants.
Under the latest, 65-page draft guidelines, verification requirements include:

  • Legal existence and identity
  • Physical existence
  • Telephone number
  • Domain name
  • Individual's authorization

Read the article in the Gwinnett Daily Post


Extend compliance and security efforts to the database level

When conducting business, either online or face-to-face, individuals trust that every reasonable step will be taken to ensure the privacy of their data. Corporations have a responsibility to protect that trust by extending robust protections and security best practices throughout their IT infrastructure. But with nearly 100 million personal records - including credit/debit card numbers and social security numbers - compromised through theft or mishandling in the past two years, it would seem perhaps that trust is misplaced.

Or is it? It's a complicated question. Over time, organizations have responded to threats against consumer privacy with substantial increases in IT perimeter security. Without a doubt, security systems have become more sophisticated. But hackers have too. And the nature of the threat has changed.

Read the article in SC Magazine


Major Industry Presentations now available for download - Q4 2006

Our sponsors VeriSign have been busy participating in many events this quarter. Here is a summary of some of the highlights, with links to a number of presentations delivered.

  • RSA Conference 2006, Nice, Acropolis, France - 23-25 October 2006
  • Tackling Organised Crime in Partnership, Victoria Park Plaza, London, UK - 22nd - 23rd November 2006
  • Combating Online Banking fraud - 27th November 2006, IOD, London, UK

Download these and more


Macedonia, Blacklists, and the Security Solution

With just over 2m inhabitants and independent only since 1991, the Former Yugoslav Republic of Macedonia is one of Europe's younger and smaller states.

But the country has ambition enough. The European Union granted it EU candidate status in December 2005. Business leaders in the country want to boost economic and, especially, export performance. Macedonia's main industries include wine, cheese, textile production and tourism.

The Macedonian challenge is that it is a nation where education is strong, engineering and technology are valued and contribute to the economy strongly, and IT is essential. Being hamstrung by a bad reputation meant that Macedonian users were unable to indulge in eCommerce, could make no credit card payments online. They couldn't use eBay, PayPal, or any of the services we all take for granted.

Read the article


VeriSign Issues First Ever Extended Validation SSL Certificate in Support of IE7 and Microsoft Vista Launch

New Groundbreaking EV Upgrader™ technology will enable all IE7 browsers on Microsoft Windows™ XP client systems to also display the green address bar

VeriSign today (11 December 2006) announced the general availability of its Extended Validation (EV) SSL Certificates, which help protect users against online fraudulent activity by providing third party verification of a Web site's authenticity. These new certificates support Microsoft's IE7 and Vista operating system and also incorporate VeriSign's unique EV Upgrader technology enabling all Windows XP clients using IE7 to display the same green address bar and other interface enhancements as Windows Vista clients.  VeriSign issued the first of these certificates to Overstock.com, one of the largest online retailers in North America.

Read the article


Security fears scare off US customers from online banking, shopping

Nearly $2 billion in US e-commerce sales will be lost in 2006 due to consumer concerns over the security of the Internet, according to a survey by Gartner, which also found that fear of fraud and identity theft have prevented around 33 million US adults from banking online.

The survey of 5000 online US adults in August 2006 found that recent security breaches - both online and offline - are having a significant impact on buying patterns and use of Web banking facilities.

Nearly half of those surveyed (46%) said concerns about theft of information, data breaches or Internet-based attacks have affected their purchasing payment, online transaction or e-mail behaviour. Of all the behaviors affected, online commerce - which includes Internet banking, online payments and Web shopping - is suffering the most.

Almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security.

Gartner estimates that approximately $913 million in e-commerce sales was lost in 2006 because of security concerns among online shoppers. The analyst group says another $1 billion was lost from consumers who refuse to shop online because of security worries.

Read the article on Finextra.com


Plastic Card Fraud

Cards are always safer than cash. The chances of you becoming a victim of card fraud are still low (fraudulent transactions make up 0.141% of all transactions). If you are unlucky enough to be a victim you will not suffer any financial loss as a consequence providing you have not acted fraudulently or without reasonable care.

Criminals are always looking for ways to get hold of your cards, but the banking industry is committed to fighting the fraudster on all fronts. Chip and PIN is a vital tool to help us further protect cards and we continue to work on a raft of other initiatives.

Read the Article


Online Fraud

The Internet offers the opportunity to bank and to shop in safety whenever and wherever you want to.

Nearly 15 million people in the UK now use the Internet to access their bank accounts, and millions more regularly shop online.

The Internet is an extremely safe way of shopping and banking. However, security relies on vigilance and you should not relax your guard when you are online.

The majority of UK Internet users who bank and shop online are playing their part in making sure that they avoid becoming a victim of online fraud. But research commissioned by APACS shows that millions of Britons are not even aware of some of the basic online pitfalls from which they can easily protect themselves:

Read the Article


Survey Reveals Acute UK e-Phobia in Run-up to Christmas Spending Spree

An NOP survey of 999 adults* commissioned by Enterasys Networks, has revealed the deep distrust of the British public in using the Internet to shop online. Just half (50%) of the UK population have ever shopped online and 43% of us are put off shopping or banking on-line because of security concerns.

The survey revealed that e-commerce still has a long way to go to earn the trust of the public. It showed that more men than women have bought something over the Internet (54% versus 47%) and that the younger we are the more confident that our information will remain confidential. The 16-24 year age group are most confident, with 84% professing to be happy with security compared to just 54% of the 65+ age group. The profile of the active e-shopper is typically a married ‘thirty-something', working full-time and living in London or the South of England.

Our confidence levels in government agencies such as the local council are also worryingly low, with just 27% of the population scoring their security measures at one or two on a scale of five. Banks, on the other hand, can be a little more confident, with 57% of us awarding them a four or five out of five for security.

Read the article.


Microsoft puts security as top priority for IE7 and Vista

Despite antitrust pressures and complaints from partners (turned competitors), Microsoft announced that EU regulators have given it the go-signal to release its new operating system, Vista, without dropping any key security features.

A high-ranking Microsoft executive claimed that the enhanced security features in Vista will render third-party antivirus software useless. Irked, pure-play security vendors like McAfee and Symantec claimed they were at a disadvantage since they were denied access to key parts of the new operating system, which thus impeded their development efforts. Microsoft announced that Vista, the first major upgrade since XP in 2001, will be released to major business clients by November 30 2006 and available to the public by January 30 next year.

In line with this, Microsoft rolled out Internet Explorer 7 for Windows XP months before the big release of Vista. Available for download now, the IE7 Web browser upgrade offers users fortified security which will combat malware and phishing. In cooperation with VeriSign and other Certificate Authorities (CA), Microsoft's new IE7 will feature extended validation (EV) SSL, which features increased scrutiny of organizations and more prominent display of certificate details.

Read the article

 


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.