Security in E-Commerce

The following sample Information Technology research paper is 3904 words long, in APA format, and written at the undergraduate level.

Anyone who has watched the retail marketplace in the last decade has surely noticed the growth of the e-commerce marketplace. The percentage of retail transactions that take place online has grown year by year. With such large growth, there has arisen a large array of security dilemmas surrounding e-commerce retailers. As with any industry where so much money is moved, there are those who try to exploit the system. This paper will analyze the nature of security issues within the e-commerce marketplace. The different types of security problems, from full-scale identity theft to web profiling, make up the myriad issues that plague vendors and consumers alike. These security issues have had a paradoxical effect on the growth of the industry. The nature of this paradox has resulted in a burden being placed on consumers to monitor their own safe practices in e-commerce. This paper will examine all of these elements in order to put the importance of cybersecurity technologies into perspective and to describe what security measures are in place.

The Nature of Security Issues Associated with E-Commerce

With the growth of internet-based shopping, e-commerce behemoths have taken center stage on the issue of consumer security. Small retailers are funneled through websites such as Amazon and eBay (along with their satellite companies), which experience huge amounts of customer traffic. The vendors that sell on these sites and the websites themselves make up a multi-billion dollar industry, with the vast majority of their customers paying online with credit cards. The total amount of internet sales will be analyzed later in this paper. According to the Wall Street Journal’s Market Watch, Amazon did $75.45 billion in sales last year (Annual Financials for Amazon.com Inc., 2013) and eBay did $16.05 billion (Annual Financials for eBay Inc., 2013). This amount of money makes both eBay and Amazon huge targets for hackers looking to get credit card information from their customer accounts.

In 2012, hackers compromised the security of two Amazon.com-owned websites, Zappos and 6pm, in what was described as the biggest breach since Sony was hit by a series of cyber attacks the year before. The attacks on Amazon’s two companies ended up affecting the accounts of over 24 million customers. As Amazon is considered to be one of the stalwarts of the e-commerce marketplace, these cyberattacks were especially alarming to consumers who had previously felt confident that these sites had effective security measures in place (Perlroth, 2012). The importance of consumer confidence when it comes to cybersecurity is an interesting issue within the e-commerce trade. Just how vital it is will be put into perspective later in this paper.

Another case in which a security breach cost a company consumer confidence was that of eBay in 2009. The company reported that over 141,000 customers had filed suits against eBay’s parent company, IAC (Internet Auction Company), for issues connected to identity theft. The end result of these lawsuits was that eBay paid anywhere from $35-$200 to those who filed, even, in some cases, where no damage had been done (Schachter, 2009). While eBay does not have the volume of sales that the aforementioned Amazon does, it is still a major player in the e-commerce marketplace. The capital that it took to pay all these customers and the hit in consumer confidence are both reasons attributed to eBay’s slowdown in growth during the past few years. However, eBay has been one of the companies that have effectively responded to consumer concerns. In order to increase the security of its customers, it became one of the pioneers of secure payment methods by embracing companies like PayPal, which handles the transactions made by customers and vendors. With the introduction of PayPal, we see just how seriously e-commerce businesses take the security of their customers. The nature of the security problem can be seen in the attempted solutions (Mik, 2012).

The main issue when it comes to problems with security in e-commerce is how to protect consumers’ identities. This is the problem that needs a solution. When hackers are able to access customer information, they steal a piece of the customer’s identity. Whether it is their credit card number, their address, phone number, or anything else, the end result is that the customer will feel insecure with the process. The interesting thing about this insecurity, however, is that it comes right alongside the exponential growth seen within the e-commerce marketplace in the last decade. Even as cases of identity theft and hacking are on the rise, growth in the marketplace has hardly slowed (on the whole). This represents something of a paradox that is unique to e-commerce. Whereas regular, brick and mortar businesses would, in most cases, go out of business if large numbers of customers were being robbed, e-commerce giants like Amazon continue to grow (Feigenbaum, 2009).

Privacy Issues Relating to E-commerce and its Association with Social Media

There are less intrusive ways that e-commerce affects people’s lives than identity theft alone. One of these ways is through the process of web profiling. E-commerce is built on a foundation of web-based marketing. It attracts consumers with advertisements that are strategically placed on websites that are frequented by their target demographic.

The way that these sites decide where to put these advertisements is an area of some debate because some consumers believe that it is a violation of privacy and a potential security risk. This is, in large part, due to the usage of the internet “cookie” (Rosen, 2012). A cookie is a piece of data that many websites use to monitor internet usage. This piece of data is downloaded onto a user’s web browser. It keeps track of the user’s activity on the page. For instance, if someone were on Facebook, and frequently clicked on advertisements and links relating to Hawaii, a travel company may gain access to that data and tailor their marketing toward a person who may want to take a trip to Hawaii (Hayes, 2012).

The problem that people are having with this is that they consider it to be, in fact, a milder form of identity theft and a violation of privacy. The way that advertisers take advantage of this is through real-time bidding. This is a process in which advertisers are able to bid on the rights to market to individual people. The data which the cookies collect becomes a sellable good that is picked up by marketing and advertising companies. Some of the many sellers of this data are social media sites. On sites like Facebook and Twitter, people click on links and pictures that they take a real interest in. This is incredibly valuable in terms of data collection because it reflects the kinds of goods and services that people will truly be willing to purchase (Rosen, 2012). Therefore, some people feel like they are being watched online, which decreases their sense of security.

In the European Union, enough people have felt strongly about this that various laws have been put into place, which require websites to warn users when they are using cookies. When this happens, users are issued a warning that reads something like, “This website uses cookies to provide you with a range of functionality, as well as collecting anonymous user data for analytics and advertising. Do you agree to accept our cookies?” The user then has the choice of whether or not they want to accept that particular website’s usage of cookies. The problem with getting rid of cookies or opting out of them is that they are truly used to help make the user experience on websites easier. Proponents of their usage say that the vast majority of their function has to do with “security neutral” mechanisms. These include things like the font size preferred, what order news stories will appear in, and the “add to cart” function on most e-commerce websites such as Amazon and eBay (Hayes, 2012).

The way that companies are able to buy the data that is gleaned from these cookies is through websites like BlueKai.com. These sites are able to create a web profile for internet users based on what they click when they are on social media and other sites. In Jeff Rosen’s 2012 New York Times article (Who Do Online Advertisers Think You Are?), he describes his experience in creating artificial web identities for himself using only the click of his mouse. He cleared the cookies off of two different browsers and attempted to create the identities of “Democrat Jeff” and “Republican Jeff”. As Republican Jeff, he went on campaign websites for Republican candidates, looked up flights to Hawaii, and looked at links leading to Cadillac cars. As Democrat Jeff, he looked at Democratic candidates’ websites, flights to Los Angeles, and Volvos. Clearly, Mr. Rosen picked stereotypical versions of what Democrats and Republicans look like, but it worked. Sure enough, after a couple of days of doing this, he began to see two different advertisements on otherwise identical web pages. The advertisements in each browser were catered to the identity he had created using only cookies. After a period of time had passed, he went on to BlueKai.com and looked at the web profiles that had been created for him. They included information about whether he liked celebrities, how much he probably made, and his taste in travel. All this information was available for companies to purchase if they wished to advertise directly to his fictitious personas.

The reason why a description of Mr. Rosen’s article is included in this paper is that it is extremely important to understanding just how much information is being stored. The illusion of privacy and web security is blown away as soon as the surface is scratched. The experiment that Mr. Rosen did was not incredibly in-depth or scientific, but it does show that cookies are able to collect an incredible amount of data about who we are and our internet habits. This is the reason for the amount of insecurity that caused the law in the European Union to change to require user permission for the use of cookies. The worry of these people is that the cookies will be used by hackers to collect personal data like credit card numbers, social security numbers, and addresses. This data could then be used to aid in more serious crimes like identity theft. The issue that cookies really raise is that there has to be a line as to how much data a cookie can collect, and the layman cannot easily tell if the cookie is malicious or benign (Hayes, 2012).
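As an added illustration (not part of the original paper), the sketch below reads the Set-Cookie headers a browser would receive while loading one page and reports, for each cookie, whether it is first- or third-party, how long it persists, and which protective attributes are missing. The hosts, cookie values and function names are constructed for the example, and the registrable-domain check is a two-label simplification.

```javascript
// Added example with constructed data; helper names are hypothetical.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : parts[0].slice(0, eq),
    value: eq < 0 ? parts[0] : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Simplification: treat the last two labels as the registrable domain.
// A real audit needs the Public Suffix List (for suffixes such as "co.uk").
function site(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Lifetime in days, or null for a session cookie. Max-Age wins over Expires.
function lifetimeDays(attrs, now) {
  const maxAge = attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Math.max(0, Number(maxAge)) / 86400;
  }
  if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.max(0, t - now) / 86400000;
  }
  return null;
}

// Classify one cookie set by responseHost while the user is on pageHost.
function auditCookie(pageHost, responseHost, header, now = Date.now()) {
  const c = parseSetCookie(header);
  const cookieHost =
    typeof c.attrs.domain === 'string' ? c.attrs.domain : responseHost;
  const days = lifetimeDays(c.attrs, now);
  const sameSite =
    typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : 'unset';
  const notes = [];
  if (!c.attrs.secure) notes.push('no Secure: also sent over plain HTTP');
  if (!c.attrs.httponly) notes.push('no HttpOnly: readable by page scripts');
  if (sameSite === 'none') notes.push('SameSite=None: sent on cross-site requests');
  if (days !== null && days > 365) notes.push('lifetime over one year');
  return {
    name: c.name,
    party: site(cookieHost) === site(pageHost) ? 'first' : 'third',
    kind: days === null ? 'session' : 'persistent',
    days: days === null ? null : Math.round(days),
    notes,
  };
}

// Constructed observations: [responding host, Set-Cookie value].
const PAGE = 'shop.example';
const OBSERVED = [
  ['shop.example', 'cart=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['shop.example', 'fontsize=large; Max-Age=2592000; Path=/'],
  ['ads.tracker.example',
    'uid=7c1e02; Domain=tracker.example; Max-Age=63072000; Secure; SameSite=None'],
];

function auditPage(pageHost, observed, now) {
  return observed.map(([host, hdr]) => auditCookie(pageHost, host, hdr, now));
}

for (const row of auditPage(PAGE, OBSERVED)) console.log(JSON.stringify(row));
```

The cart and font-size cookies come out as first-party, while the advertising identifier is a two-year third-party cookie that is sent on cross-site requests, which is the property that lets one party link visits across unrelated sites.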

When it comes to cookies, individual users will have to decide when they can trust cookies. Even the laws in the EU which alert users that they are using a site with cookies are only really there to provide information. Cookies are thus far a necessary part of using the internet. It is hard to detect whether they are malicious or not, but to be sure, the average user has their clicks documented, analyzed, and sold to advertisers. This is also where a line has to be drawn as to where it becomes an individual web user’s responsibility to monitor their security. The government can only go as far as alerting users to the presence of cookies. If cookies are forcibly disabled, the internet sites that use them become crippled. It becomes the user’s responsibility to ensure that they do not enter their personal or credit card information into sites that are not verified. Many web browsers make it simple to see if a site is verified by giving it a seal of approval or a security rating. Common sense can go a long way in ensuring cybersecurity on e-commerce sites.

Current Protocol for Handling E-commerce Security Issues

E-commerce is such a big area in the retail world that there have been strategies put in place to help combat issues of fraud. When a breach in security occurs, it is important that it be addressed and measures put into place to prevent it from happening in the future. In this section, we will look at a few examples of the measures that have been taken to prevent fraud and increase web security.

The issue of cybersecurity is so large that the United States government has decided to take a stand on the issue. The government initiative, supported by the Obama administration, is called The National Strategy for Trusted Identities in Cyberspace (NSTIC). This initiative came into being because the need to keep the internet as a safe marketplace was seen as integral to the growth of the American economy. Many of the major e-commerce vendors are American companies, and the simple answer to seeing the US economy grow is seeing American companies succeed in all spheres. The internet is currently a decidedly decentralized structure with many of the benefits therein. Some world governments have tried to create internet security systems, which created a more centralized structure, through methods like national ID cards. These cards attempted to tie people to a central database. The downfall of these cards was that not all vendors or customers wanted to be included. There is a certain reluctance in many places to have the world governments be so hands-on in this relatively new marketplace (Schwartz, 2011).

The basis behind the NSTIC is to provide security in which violators are peer monitored rather than government monitored. This better represents the laissez-faire type of environment that many e-commerce vendors and customers would prefer. Keeping this idea in mind, US president Barack Obama released the 2009 Cyberspace Policy Review. This review analyzed the steps that could be taken to improve internet security in both the public and private sectors. The short term strategies that were laid out in this plan included the development of better security technologies and a focus on making sure that people’s online identities are secure. The NSTIC hopes to do this through not only increased security but also by limiting the information that consumers are required to enter into e-commerce websites. The vision statement of the NSTIC is that “individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation” (Ibid.).

The plan has thus far outlined four standards that will be put into place to improve the security of the online marketplace. The four standards put out by NSTIC are meant to be guidelines for the program that they call “The Identity Ecosystem”. The guidelines are meant to apply to any measure taken under the authority of the NSTIC. The first of these guidelines is that any identity solutions presented will be voluntary and privacy-enhancing. This essentially allows users to choose from security providers in either the public or private sectors. Compulsory participation will not be allowed. This also means that the level of risk in a given transaction will be matched to the amount of security given. This helps to solve the issue mentioned earlier of customers having to give out too much personal information for small transactions. The second guideline is that identity solutions be secure and resilient. This means that they must be able to stand up to strong cyber attacks. This guideline also entails that the information systems be adaptable to the changing nature of cyberspace. The third guideline is that the security systems offered be interoperable. This essentially means that many different service providers and e-commerce vendors will be able to use them. This way there will be some consistency in the types of security systems that customers and vendors encounter. The fourth and final guideline is that the security systems be easy-to-use and cost-effective. The idea behind this is that vendors will be able to use these systems with minimal training. This will reduce the instances of errors being made and of customer information possibly being put at risk. These four guidelines are what was put into place in 2011 and are what the industry has adhered to since then. While cybersecurity is not yet perfect, these guidelines have given it direction and participants in e-commerce have been able to shop online with minimal feelings of insecurity (Ibid.).

The private sector has been contributing to web security as well. In an attempt to keep customer information safe, the company PayPal was formed. PayPal acts as an intermediary between vendors and customers as a secure way for customers to pay. Rather than having to give their personal information to multiple e-commerce sites, customers give their information only to PayPal, and then PayPal pays the vendors. PayPal also acts as a way for people to pay each other. Anyone with a PayPal account can be paid by anyone else with a PayPal account. The site has some competitors, but it is by far the biggest company of this kind in the marketplace. Our behemoths, Amazon and eBay, both use this as a way for their customers to pay them and the smaller vendors that sell on their sites.

Secure payment sites like PayPal are not without their problems. Technically, PayPal is considered a “money transmitter” and not a bank. While money transmitters sometimes act in much the same way as banks, they are not under the same regulations and the accounts are not FDIC insured, unlike regular bank accounts. The resultant effect of the lack of regulations is that PayPal is not held as accountable to consumers as a regular bank would be. This means that when there are glitches in PayPal’s servers, customers may lose control of their money for brief periods of time. The general recommendation for consumers is that they not leave large sums of money in their money transmitter accounts (Kandra, 2005).

Overall, e-commerce has become much more secure than it was in its early days. With recent security breaches in brick and mortar retailers, many consumers feel more secure with online shopping. The data breaches of early 2014 targeting retailers such as Target, Neiman Marcus, Michaels, and White Lodging attacked their Point of Sale (POS) systems. These are the physical card readers that the cashiers at these retailers use. Millions of customers were affected by these breaches, and even those who did not have data stolen were issued new credit and debit cards by their banks. This represented an inconvenience, at the least, and caused many consumers to question traditional retailers in a way that used to be the territory of e-commerce. Due to the fact that consumer confidence in e-commerce has risen as its security has become more effective, these data breaches reinforced the superiority of e-commerce in the minds of many (Budd, 2014).

The Bottom Line in E-Commerce Security

Thus far, we have covered what the security issues in e-commerce are, how they occur, and how they are handled. The importance of all these factors is in how they affect the e-commerce industry as a whole. As mentioned previously, there is really very little effect on the bottom line of the e-commerce market as a whole. Consumer confidence in the United States has always been shown to have an effect on overall retail sales, but when it comes to e-commerce, there is little recognizable sign of a slowdown. As seen in the attached graph (Note. From eMarketer, United States, 2011, Caverly, Doug), the market has grown and is projected to continue growing in the years to come. Though the percentage change in growth has slowed down in the last five years, e-commerce sales still grow each year.

In January 2014, Global published an article outlining what has made e-commerce boom in a time of low consumer confidence and elevated web security concerns. The first of the reasons for this growth is that shoppers have learned to “showroom”. What this means is that they are going to the brick and mortar stores and finding the product that they like, then returning home and buying it online. Another reason is that mobile (or m-commerce) sales are on the rise. As more people get smartphones, it becomes easier for them to shop online, adding to the overall sales numbers for e-commerce. The third reason presented is that people are using e-commerce to comparison shop. Consumers can compare the price of a single item at several different retailers with just a few clicks. This provides an advantage to the consumer, so they are beginning to make large purchases online. The fourth reason provided is that customers are looking to purchase more specialized products. They know that they can get the color or size they want of a particular item if they buy online. The final reason is that it makes holiday shopping easier. Shopping around this time of year is considered to be a hassle by many. The ease of online shopping is very appealing. With the introduction of Black Friday and Cyber Monday sales online, customers can save while never having to leave their homes and brave holiday crowds.

Cybersecurity threats may provide one reason that the rate of growth has slowed down in recent years. However, the bottom line is that e-commerce is still growing by billions of dollars in sales per year. There are few industries in which consumer insecurity does not drastically affect the bottom line, but e-commerce is one of them. Security threats, both large and small, shake consumer confidence in both physical retailers and e-commerce retailers, but e-commerce has proven its resiliency in the numbers. It has stood up to drops in consumer confidence and continued to grow. Consumer confidence is still important, and as such, both the public and private sectors have created measures to improve web safety. However, at the end of the day, consumers must take advantage of the security tools presented to them in order to ensure that their online identities are safe.

References

Annual Financials for eBay Inc. (2013). In Market Watch by the Wall Street Journal. Retrieved February 03, 2014, from http://www.marketwatch.com/investing/stock/ebay/financials

Annual Financials for Amazon.com Inc (2013). In Market Watch by the Wall Street Journal. Retrieved February 03, 2014, from http://www.marketwatch.com/investing/stock/amzn/financials

Budd, C. (2014, February 23). The Target Tipping Point: How e-commerce trumped traditional retail in transaction security. In Geek Wire. Retrieved March 3, 2014

Caverly, Doug. (2011, March 17). Big Growth In U.S. Retail Ecommerce Sales Predicted eMarketer forecasts $269.8 billion in 2015. WebPro News. Retrieved March 8, 2014 from http://www.webpronews.com/u-s-retail-ecommerce-sales-growth-2011-03

*Feigenbaum, J., Parkes, D. C., & Pennock, D. M. (2009). Computational Challenges in E-Commerce. Communications Of The ACM, 52(1), 70-74.

*Hayes, J. (2012). 'COOKIE LAW': A HOSTAGE TO FORTUNE?. Engineering & Technology (17509637), 7(8), 66-69.

*Kandra, A., Brandt, A., & Layton, S. (2005). The Problem With PayPal. PC World, 23(2), 37-41.

*Mik, E. (2012). Mistaken identity, Identity Theft and Problems of Remote Authentication in E-Commerce. Computer Law & Security Review, 28(4), 396-402. doi:10.1016/j.clsr.2012.03.009

Perlroth, N. (2012, January 17). Even Big Companies Cannot Protect Their Data. The New York Times. Retrieved March 3, 2014, from http://bits.blogs.nytimes.com/2012/01/17/even-big-companies-cannot-protect-their-data/

Rosen, J. (2012, November 30). Who Do Online Advertisers Think You Are? The New York Times. Retrieved March 4, 2014

Schachter, K. (2009). eBay Mulls Cyber-Theft Price Tag. Red Herring, 2.

*Schwartz, A. (2011). Privacy and Security Identity Management and Privacy: A Rare Opportunity To Get It Right. Communications Of The ACM, 54(6), 22-24. doi:10.1145/1953122.195313.