Privacy And Security

Security and Privacy

A secure trading site is paramount for e-commerce. In the same way that bricks-and-mortar sellers must ensure they provide security and peace of mind for their customers via safe stores, well-lit and available parking facilities, competitive pricing, regular hours, returns policies, etc. – online these take on different forms: protection from identity fraud, secure payment methods, site availability, reliable and affordable shipping and the knowledge that there is recourse if they have complaints.

In 2009 eBay won the Reader's Digest Most Trusted Site award. The survey listed eBay as "the Most Trusted Company for privacy, proving that an e-commerce site can protect consumer privacy, all while handling massive volumes of sensitive data across the globe" (Crum, 2009). Shipman, CPO of eBay, detailed privacy, security and trust as qualities synonymous with the eBay brand, and credited the trust levels with how they "constantly and carefully listen to customer feedback and respond with program enhancements to improve the high level of trust and satisfaction our members enjoy" (Crum, 2009).

"The e-commerce business is all about making money and then finding ways to make more money. Of course, it's hard to make (more) money, when consumers don't feel safe executing a transaction on your Web site. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers." - webopedia (2010)

Six years ago, Gartner’s study of 5000 US consumers found that e-tailers lost $2 billion because of consumer security fears (Schuman, 2006), with half of the losses due to people avoiding sites that appeared to be less secure. The rest of the people were too afraid to conduct business online. The introduction of Secure Sockets Layer, or SSL in 1994 was integral to improving transactional security as it encrypts security information such as credit card numbers. While the number of people buying and selling online has dramatically risen since 2006, with e-commerce predicted to account for 53% of all purchases by 2014 (James, 2010), there are still obstacles that prevent e-commerce from reaching its potential markets.

O’Raghallaigh (2010) outlines five maxims for conducting e-commerce securely:

  • Privacy – that the information exchanged is kept from unauthorised parties
  • Integrity – that the information exchanged is not altered or tampered with
  • Authentication – that both sender and recipient prove their identities
  • Non- repudiation – that proof is received of the exchanged transaction
  • Protection against external threats

Privacy

Ruth Gavison defines three interrelated aspects to privacy (Gibbs, 2008): control of information about oneself (secrecy), freedom from the attention of others (anonymity) and freedom from surveillance and observation (solitude).

While it is unreasonable to expect to have complete privacy and belong in a society, all individuals have a right to control the degree of privacy that they attain. In the electronic age it is becoming more difficult to remain anonymous and ecommerce businesses have an obligation to properly manage the personal data that they collect about their customers.

In 2010, Australia updated its Privacy Act to impose severe penalties for the misuse of online personal data (Bita, 2010). Banking and financial institutions and e-commerce sites amass information on us in direct and indirect ways. As members we provide personal and locational data, and our behavioural tastes and habits are captured not only through what we purchase but via clickstream and cookies. Many e-commerce sites use predictive modelling to recommend new items based on past purchases. This valuable information in many instances is shared with subsidiaries or sold. eBay’s members have to agree with its privacy policy and a user friendly version is provided online as well as the full policy. The overview cites the use of safe and secure technology such as “procedural and technical safeguards including firewalls, encryption and Secure Socket Layers” to protect user data but at the same time declares that user data is shared with “third parties to help provide our services, to allow members to contact you , to enforce our terms and conditions, and to help keep our community safe”. The majority of users do not read the fine print but rely on brand-trustworthiness which is generated by the network effect. As more member patronise this site, the trust level increases.

Trust

IBM’s 2012 Smarter Consumer Study reveals that in the current economic climate Australian consumers are more discerning with their purchasing both online and in-store. Wong of IBM says that consumers are spending their shopping dollars with only a few selected retailers that they trust. He goes on to say that “trust is a key theme…” and the importance of the “set of values – convenience, community and trust – which underpin how consumers engage with retailers both online and offline”.

eBay touts its Community value of “open, honest communication” and around this value has constructed a range of safeguards to protect both buyers and sellers. eBay has managed to build its brand and followers through the use of feedback systems – a seller with a 100% feedback will attract more buyers due to their solid reputation. This in turn encourages sellers to maintain a level of standards as it will increase their sales in the long term. Other safeguards include a Resolution Centre and rules and policies for trading. A comparison of other successful online ecommerce merchants, for example, Amazon, shows similar safety nets in place.

Consumers need that level of trust in a site, especially when it is ecommerce, before they will be part of the community. Wong says this shift, “where retailers should no longer be focused on whether their customers are being loyal to them, but whether they are being loyal to their customers” is fundamental in attracting and keeping customers in a marketspace of abundant choice.

Integrity

Integrity, authentication and non-repudiation form important links in the chain of trust. Commercial transactions will only occur if both seller and buyer are confident that they will get what they want.

James (2010) defines the following security concerns affecting online commerce: the fear of identity theft and fraud, a negative perception of the merchant’s security practices and hesitation during the checkout process. Identify fraud is a major concern, so much so that the “promise of security” outweighs other perks in the online world. James further says that shoppers believe it is the merchant’s responsibility to create a safe, online environment, and this perception will build up trust and confidence of its members and foster brand loyalty. eBay is certainly perceived to have achieved this.

The check-out process usually involves personal and financial information being requested and may stop users from continuing with the transaction. In this arena again eBay has stepped up to provide a further layer of authentication via its subsidiary PayPal. Paypal is an example of a digital wallet – similar to a physical wallet this can store identification, links to bank accounts and credit cards and enable payments and money transfers to be conducted via the internet.

Security Issues

Internet commerce faces many forms of attack. Distributed-Denial-of-Service (DDoS) involve saturating the resource (e.g. eBay) with so many illegitimate requests that it is unable to respond to its intended users. In 2008, Amazon, eBay and Priceline were all targeted by Dmitry Olegovich Zubakha. During the attacks traffic on Amazon rose between 600-1000% (Computerworld). As well, Zubakha and his accomplice managed to acquire 28,000 credit card numbers. Incidentally, Zubakha was arrested this week (Gross, 2012) but his accomplice remains free.

comp_surfing-the-web.jpg
Reproduced by permission of sangrea.net

Other attacks are more subtle. In 2010, an Avnet researcher (Prince, 2010) exposed several security vulnerabilities at eBay which included cross-site request forgery. This attack forces a user that is currently authenticated to a website to perform activities without their knowledge, for example, change their password. In this way the attacker can gain access to that account and complete purchases.

Phishing is another way that fraudsters obtain personal data. Emails are sent out to users that purport to be from reputable and well-known companies appealing for sensitive and confidential information. Links in the email will redirect the user to a spoofed website. In 2009, a Romanian compromised the bank accounts of 1200 eBay users through phishing sites (Perez, 2010). In a separate attack he disrupted the operations of eBay auction marketplace, costing eBay $3 million in total.

For all these attacks, the trust in eBay as an online market space is high relative to other sites. One reason for this is eBay’s support structure for both its buyers and its sellers. As well, the volume of sales and trade within this site compared to the few attacks that the site has come under has given this network community the confidence to trade.

M-Commerce

It would be remiss not to mention the effect of mobile devices on e-commerce, or m-commerce. The rapid rise in the mobile device is changing the way in which consumers access the internet and conduct online commerce. IBM’s study (IBM, 2012) shows that Australian consumers are leaders in adopting new ways of buying online, with 17% willing to use three or more technologies in the shopping process. The Gartner prediction is that by 2015 tablet unit sales will match that of PCs and be $326 million, while smartphone unit sales will equate 1 billion. In Asia mobile device use is higher (Liau, 2012) so e-commerce vendors looking to enter major Asian markets will need a “mobile-first” strategy – from tailored website design to robust security and payment systems.

Smartphones are heralded to replace credit cards via the use of QR codes or built-in NFC (near-field communications) or digital wallets. Consumers will relinquish more information about themselves in order to receive timely and relevant marketing messages – growing location-based marketing. Mobile transactions will grow as consumers purchase more goods and services while on the move. The line between online and offline shopping will blur.

Because mobile devices are so personal (most people carry their smartphones on them all the time), it is important that users do not feel they are being tracked by m-commerce merchants for location-based marketing. Mobile devices also contain a lot of personal data without an opt-out framework. Tode (2012) points out that the privacy of children using mobile devices is under threat because there is no structure in place to obtain permission. Privacy policies also need to be regulated around mobile applications.

For eBay, the growth of mobile shopping will increase their earnings (Ortutay, 2012). It has introduced a mobile payments service called PayPal Here, and its CEO Donohue said the business is benefiting from a “profound change” in shopping habits due to the smartphones and tablets.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License