Online Trust Failing Overall

twitter writes "The BBC and ZDNet are reporting on an RSA poll of 1,000 users about failing confidence in ecommerce. 43% of respondents were reluctant to give details to online sites and 70% said that firms were not doing enough to keep their data secure. The BBC goes on to quote experts who back up the perception, ZDNet claims that action is being taken and is well."

A lot of the problem is bad design

[hsmith]

or not taking the security concerns seriously. If you are saving peoples Social Security Numbers and CC Numbers then you should be encrypting that data. Venture to guess how many places actually encrypt that in a database?

But then again i would say most larger places do take these steps. More often than not I won't buy from somewhere I am unsure of or if they are not in the http://www.bbb.org/ [bbb.org]. Plus, how many people know how to always use SSL when sending sensitive stuff? I would venture my grandparents and mother have no idea.

On a side not to the last statement, i would like to say, office depot does NOT use SSL for their secure communications when you order something from in store.

Not just online

[Turn-X Alphonse]

I think society as a whole doesn't trust any companies any more. Everyone is so sick of the Government screwing them over and companies ignoring the laws these Governments got paid (by other companies usually) to put in place. Lets face it, I don't trust anyone I can't blackmail or back stab and get back whatever I've give them. The world has become like that and it's getting worse and worse.

lots of large scale compromises lately

[ArbitraryConstant]

While I'm somewhat surprised the average user pays attention to such things, I'm not surprised trust is failing in light of recent large scale compromises.

Until the industry as a whole adopts a strategy of preventing compromises, this is not going to improve. Most companies would rather pay a PR guy to fix their image after the fact than a security consultant to keep it from happening in the first place. That's certainly not how I want my information taken care of.

Quotes from the BBC article:

[TripMaster Monkey]

Some [users] resort to using the same one for all their online accounts. Those who use several passwords often write them down and hide them in a desk or in a document on their computer.

Dear God, ain't this the truth??? I'm a network admin at a large company (please don't ask which), and the password situation here would be laughable if it weren't so sad. I ran LC5 on our hash file here, and was shocked and dismayed at the number of passwords cracked within 10 seconds. I'm constantly finding passwords on sticky notes on monitors and under keyboards, and many users haven't even bothered to change the default Lotus password ('password') to something else! >:(

Last year, a street survey found that more than 70% of people would reveal their password for a bar of chocolate.

That seems to be about the right figure for users in my company.

Another fact for the timid

[14erCleaner]

I recently heard that 50% of identity theft is done by somebody who knows the victim.

Kind of like the great majority of child kidnappings involve a non-custodial parent. But that's not a scary enough story to draw viewers, so doesn't get reported much.

(at this point the child-kidnapping activists will rise up and smite me with their negative mod-point hammers, I'm sure. :)

Proxy CC#

[donnyspi]

I like using MBNA bank's credit card number proxy feature whereby you create a onetime use CC# with a limited spending limit to give out online. It's a great feature for paying at Sam's Shady Online Store with a CC# that has a $30 limit and expires in a month.

Worrying about that right now myself...

[Pengunea]

...As I'm currently working on three sites that have a variety of eCommerce worked into them. One is linking to a ridiculous third party all-in-one shopping cart package the client repeatedly insisted on using. I'm having the damndest time trying to ensure that everything is secure and that items being paid for are being flagged properly when they are fully paid for. Because of the hopping back and forth from our server to theirs I'm using browser cookies and I'm not fond of it at all.

I have to ask how does one inspire confidence and secure feelings in visitors to the site? It helps to make sure the site looks nice and has a minimum of spelling errors, but there isn't anything I can think of that will suggest "Hey! We're really a legitimate business and won't just take your money and run" to people who don't know what SSL is.

As someone who likes to buy things online I only trust a handful of sites to accept and process my transactions properly. I know what will keep me from using an online store (no SSL at payment, no multiple protected ways to pay, ridiculous things like having to get a Yahoo! account just to be able to checkout my shopping cart). But I can't put my finger on what keeps me feeling secure in making my transactions after that.

Let the banks bear the burden

[/Wegge]

In Denmark we have very good consumer protection on online trades. Whenever the card holder challenges a withdrawal, the issuing bank shall reverse the transfer immediatly. Afterwards, the burden of proof for actual goods delivery lies with the bank. The banks of course passes the burden on to the online merchants, so we have very few fradulent online traders here in denmark.

I'm not sure how it works for foreign trades, but as the banks must make the refund, no matter what, the general confidence in denmark is pretty high.

Why should we trust them with our CC?

[Acer500]

Put your faith in your CC company and their fraud prevention

I think we shouldn't, or at least, I don't want to.

There should be a method of paying that was time-sensitive, say a two-level authentication method that consisted of a PIN and a randomly generated number that changed with time that could only be authenticated by you and your CC company... just like we do with some sensitive computer passwords (and I'd say that Credit Cards ARE a sensitive password for the users). It could one-transaction only.

That would cut the timeframe and opportunity for frauds.

Now that I think of it, I might be able to market this to someone...

Sensational

[the0ther]

This is a bunch of hoohey. It is not in the sense that this is really how people feel, but those people are actually very ill informed. All they listen to is the news reports about identity theft, or they listen to their banks who are touting improved protection against identity theft. What people don't consider is that online transactions probably lower the risk for identity theft. If these banks actually offered an alternative to their competitors perhaps they could curtail their alarmist advertising.

The Problem isn't the Internet

[popo]

The problem is that Credit Card companies, banks and anyone else whose revenue is generated by transaction volume have a vested interest in making transactions easier and more frequent.

As big a problem as fraud is, the reality is that there is far more to be gained from lowering barriers to credit card use than there are to raising barriers. The other sad corrolary is that the real losers when it comes to fraud are the consumers.

We have voluntarily traded security for convenience. Now it seems we want our cake too.

I don't get it? (n/t)

[ggvaidya]

nt

Re:Sheesh...

[piltdownman84]

On BC Ferries (Operates in the waters around Vancouver) the cafeteria use to (might still do this) print not only your entire CC number but also your expiry date on the receipt. To make matters worse, instead of letting you dump the contents of your finished tray into a trash, they have shelves to put your empty trays on. So if your were not paying attention you would leave your receipt on the tray, where anyone could grab it.

Over the years I complained to everyone from the cashier, to the chief Stewart, to the Consumer Relations guy. Never say a change. Don't know if they ever fixed the problem, as I don't catch the ferry very often now, and when I do I'm cash only. Now that I think of it I'm catching the ferry on Sunday to visit my brother, maybe I'll check to see if they still do, and if they do I'll write into the local papers as well as their head office.