February 18, 2005 5:55 PM PST

Firms seek to reassure e-shoppers over security

SAN FRANCISCO--Addressing a rise in identity theft and phishing attacks, a panel of security experts discussed on Friday the steps their companies are taking to bolster consumer confidence in online commerce and prepare for the challenges that lie ahead.

The panel, including security experts from e-commerce sites and online banks, outlined their predictions and opinions at the RSA Conference 2005 here. Earlier this week, a survey by RSA Security found that one-fourth of online shoppers have reduced purchases in the past year as identity theft has risen.

And businesses that cater to online consumers are taking note and developing plans.

"We want to add significantly more protection for our users and are looking at stronger authentication for passwords," said Adam Joffe, chief technology officer for Sony Online Entertainment.

Joffe noted that Sony's online-gaming customers not only subscribe to the service but will also engage in e-commerce. As a result, customers logging on to Sony's gaming site share sensitive personal information with the entertainment giant.

eBay, meanwhile, has employed other strategies, ranging from an escrow service to a PayPal buyer protection program to a security center, said Kurt Van Etten, the auction giant's security program director.

"If a consumer doesn't trust e-mail at all, then it inhibits our ability to communicate with them," Van Etten said. "And if they're not comfortable using credit cards online, then that will affect our business. For us, this is a trust issue."

The challenges in resolving that issue are high.

Malicious attackers, for example, will continually evolve their techniques as technology solutions are developed to thwart them, said Joe Raymond, chief architect of Web optimization for Etrade.

And as the industry turns to adopting a federated approach, in which one password onto a company's site will grant others access without requiring someone to reenter the information, the stakes may be high for consumers.

"The problem with federation is you're putting a lot of eggs in one basket, with a single point of failure," said Richard Parry, consumer fraud risk management director for J.P. Morgan Chase.

He cautioned that a failure in the federation approach could greatly damage consumer confidence.

But if online merchants and banks make it too difficult for consumers to use greater security measures, it reduces the prospect that the consumer will make the effort, Parry said.

He noted that consumers usually would not make the effort because they do not have any "skin in the game," since merchants and banks are typically the ones to absorb the losses if a transaction is bogus.


Join the conversation!
Add your comment
The problem with federation is...
...insider's will have much more incentive and access. They will be able to traverse partner's web sites. Organized crime will be buying access to gain access to Sony, Citicorp, eBay, and Microsoft all through one federated password.
Yeah, that overworked, disrespected $40k per year low-level techie is gonna give up the keys to the kingdom for a $100k payday.

The Liberty Alliance needs to marry up with the Trusted Computing Group.
Posted by ordaj (338 comments )
Reply Link Flag
$40k per year
<a class="jive-link-external" href="http://www.analogstereo.com/rover_cityrover_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/rover_cityrover_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
Trust of Email is being eroded by firms...
that email legitimate information but point to outside domains. For example MSDN (Microsoft) sent an email requesting me to update my profile on a site on the domain eu.subservices.com which is owned by:
2727 Systron Drive
Concord, CA 94518
Phone: 999 999 9999
Fax: 999 999 9999
would you turst them? Dell wanted me to take a survey on prognostics.com, they are:
900 Hansen Way
Palo Alto, CA 94304
Phone: 999 999 9999
Fax: 999 999 9999
and my ISP keeps giving me newsletters from tucows.com (ISP is eircom.net).

Now a days, with phishing, you can't trust any email which points to a WEB site on a different domain. Firms like Microsoft should realize this and stop doing it. A single domain entry like subservices.microsoft.com pointing to the third party would be far more secure.
Posted by cifs (8 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.