Are "bad" security practices going to kill e-commerce?

Over the last couple of weeks I've felt it necessary to backtrack e-commerce submissions, to three different companies, because:

- one site wanted my mother's maiden name, as well as all the usual credit card details;

- one site's card processing agency, rather than the issuing bank (as determined by the SSL certificates), requested my Verified by Visa password;

- one site's system wouldn't tell me who the actual courier would be, at least not before I had committed to a contract, but required unspecified ID to be provided before they would send to a work address, and required an email to find out how to provide it. I'm still waiting for the reply to the email.

Before I go into details, the real answer to the question in the subject is probably no, at least for the first two cases, as the general public will not appreciate the security issues. The only winners will be the con artists, for whom social engineering will be made easier.

All these companies were seemingly reputable UK companies.

The maiden name wasn't even asked for the payment system, but was a condition for entering it. It was the lost password recovery password for their "customer relationship" system. I really don't like having to register in CRM systems if I'm only making ad hoc purchases. I hope the security implications of mother's maiden name are obvious.

Verified by Visa is promoted as using the challenge phrase to confirm that you are really talking to the issuer, but anyone who has the information you have already given can find that, so the only way of checking properly is to verify SSL certificates (caution: some banks use pages with certificates belonging to Cyota Inc, although not the one in this case - if the certificate doesn't match your bank, you should not rely on what I just wrote here about Cyota as this is not a secure channel from your bank).

What happened in this case is that the card processing agency copied the bank's form into their form. It did actually purport to submit to the bank, but, without extensive checking, that could have been subverted by checking. In any case, they had to handle the clear text challenge phrase to do this.

They are actually one of the major UK agencies, who have recently changed their name, something that you also shouldn't do, as it breaks the trust relationship. The e-tailer did link to them from a secure page, so there was trust there.

Fortunately, in this case, the company also accepted BACS.

The third case is really one of a secure system getting in the way, although it could be partly mitigated by giving complete shipping details up front. The main security risk here stems from the fact that the key product in my order can be obtained about 30% cheaper by ordering from some slightly dodgy looking US companies. Being US companies, the UK business names rules don't apply and you can't easily associate the web site with a geographic address and company registration.

By making place of work delivery difficult, they are making it so that I would have to wait for the failed delivery card and then go to the depot, to collect. Without knowing the courier in advance, I don't know how difficult it will be to get to the depot, or whether there is a risk of having the delivery returned before I can get there. Also, there is no signature at the door.

I didn't get as far as their Verified by Visa system, but the card processing agency was a total unknown to me, and there was no warning about who they used on the web site, and presumably none on their offline literature. I forgot to note whether the link to the agency was secure.

So, all my recent purchase attempts have either encountered overbearing security measures, some of no direct benefit to the customer, or security measures that are actually insecure.

Reply to
David Woolley

Irrespective of the security issues in asking for personal data, requiring customers to register in order to make a purchase is a huge disincentive and, in most cases, leads to significantly reduced sales. So it's primarily their problem, not yours (unless they're fortunate enough to be the only supplier of the item you want). Companies which do that deserve to be overtaken by those with more customer-friendly checkout systems.

VbV (and the Mastercard equivalent, 3D Secure) is a whole new can of worms that, sooner or later, is going to result in a major customer service failure for the banks involved.

Delivery location and method are different, and, in this case, I do have a lot of sympathy with the vendor. Requesting delivery to an address that isn't the cardholder address is the single biggest indicator of potential fraud, so vendors do have to take this seriously and manage the risks appropriately. The actual level of risk depends a lot on the type of product and the retail sector, so there isn't a one-size-fits-all solution. Some online vendors won't deliver at all to any address other than the cardholder's, and consider that any sales which are lost as a result of this policy are less significant than the potential costs of being defrauded if they accept non-cardholder delivery addresses. Others will accept the risk provided everything else matches (eg, there are no warning flags on the transaction), while others try to find a midpoint by attempting to verify any delivery address. It's not ideal, but it's a reflection of the realities of operating an online retail system.

As far as shipping is concerned, it isn't always possible to say in advance which courier will be used. Many vendors who use couriers (as opposed to simply posting everything) have contracts with multiple couriers and choose the appropriate supplier according to the size and weight of the package, the location of the delivery address, how many other orders are going to that area on that day and whatever special offers they're getting from the various suppliers at any one time. Although these factors could, theoretically, be included in the checkout system so that the identity of courier could be displayed as soon as it's known, in practice that's the sort of thing that's highly likely to go wrong too often for it to be acceptable from a customer service point of view. And, given that most customers don't really care about the identity of the courier, it's not worth the effort of creating the necessary systems to make that information publicly available.

Mark

Reply to
Mark Goodge
[--snip--]

They should be. You'd think these large companies could afford to employ decent security experts to help design their systems, rather than get pre-schoolers to do it with crayons.

Verified by Visa does not add any extra security IMHO. It's just a way of (trying to) shift liability.

The only way I know of to deal with this is to take your business elsewhere.

Reply to
Mark

Agreed. I lumped this in because it was a security related issue that was forcing me to abandon yet another possible vendor. (I eventually switched to another one that was cheaper, and, although they wouldn't send to an alternative address at all for the first order, at least they did respond to my enquiries about couriers. They nearly lost out because I had trouble finding their Business Names Act information, but it was there. I'm still going to have to lose a couple of hours some Saturday, or an hour and a half at the start of a week day, to get to the depot.)

Although the first two issues were about insecure practices, all of them were security related issues that seem, to me, to be making e-commerce more and more difficult to use, especially if one is aware of security risks to the customer.

(On a slightly different tack, when I started going through the alternative Google Shopping hits, the next one I tried was using the same e-commerce package with the same categories as the number three one in the original article, and the same stock levels, although with slightly different prices. That put me off both of them. I got the impression that the one I used was also just a middle man for the same set of wholesalers, but they were slightly cheaper and weren't using the same indexing.

I presume that the way the business works is that there is a top layer of companies that set prices and operate virtual e-tailers, a second layer of services that provide rebrandable e-tailing services, and a third layer that actually has the goods. I'm not sure which layer puts complete shipments together, or do the couriers offer services for doing that?)

Reply to
David Woolley

There's no simple categorisation like that; a lot depends on the market sector and the nature of the vendor. The similarity in appearance is often due to the fact that the market for off-the-peg e-commerce systems is dominated by a small number of providers (both commercial and open source), so unless the vendor writes their own software then it's very likely to be based on one of the more common packages. And that in turn affects the way that the product catalogue is categorised, as it needs to fit into the existing database structure, so two vendors selling broadly similar products (often sourced from the same wholesalers) using the same e-commerce system will inevitably end up looking very similar indeed. And, if they're relying on a common wholesaler (or group of wholesalers serving their particular market sector), then their leeway to set prices is often limited as well. However, the fact that they look similar and have a similar order/checkout process doesn't mean that they'll be the same in terms of delivery, customer service, etc - one could be very good, and the other could be very bad, depending on how efficient and customer-friendly their dispatch and service staff are!

That's one of the reasons why it's not easy to judge in advance, by looking at the website, how good an online vendor actually is - the things that make the real difference tend to be the ones you don't see, such as the skill and attitude of the staff, rather than the things you can see, such as the design of the website.

It's also not uncommon for vendors to offer a "white label" system whereby other companies can create a website based on the underlying vendor's system and sell the products under their own name. In that case, the fulfilment (and often the payment handling) is usually done by the underlying vendor, while the front-end vendor merely provides the website and advertising. In such cases, it doesn't really matter too much which of the front-ends you use, as the customer service and delivery aspects will be common to all of them.

As a general rule, couriers don't have any role to play in the e-commerce system - they just collect the goods from the warehouse and deliver them to the customer.

Mark

Reply to
Mark Goodge
