Consumers are wary about returning to shop at retailers that have been the subject of security breaches, according to a new study. The survey of 1,200 UK consumers revealed that the majority would take their business elsewhere in the event of loss of customer data as a result of a security breach or hack attack. One in seven …
I run an on-line shop using one of the more popular open source e-commerce packages (I'll not say which one for reasons that will hopefully become clear).
Like many open source projects, it has it's support forums etc, and I read and post on these occasionally when I get bored.
Now when I started up, I spent a considerable amount of time and effort securing my website and the server it runs on, and I still address issues that come up from time to time. I'm no security expert (no such thing!), but I'd like to think I learned a good deal about the subject over the years of working on my little shop. The one thing that constantly amazes me from reading the forum for the e-commerce software that I use is the brazen disregard for security in general and in particular the cavalier attitude sys-admins (I use the term loosely) have for the security of the personal data that they are entrusted with by their customers. Basically, given a choice between "It works, and is nailed down, but it's not as pretty as I would like" and "It works and is cool and flash, but my customers' personal data is laid out for the whole world to see. Oh well, never mind, eh?", it is staggering how many of these shop owners go for the second option.
And one of the main "reasons" given for this is "it's too difficult to do", to which I have to ask, "what the f*** are you doing messing about with this stuff if you can't do it?".
I delayed opening my shop for some time (at obvious financial cost) until I was as confident as I could be that it was secure and that my customers' data was safe. Sadly, it seems that most are happy to open-up shop over the weekend with total disregard for such issues; as long as it looks cool then that's fine.
I am not in the least bit surprised that many websites get hacked and the data stolen.
Expect to see less security breaches..
..admitted-to by e-commerce companies in the future.
There won't be any less actual occurances but the victims will do whatever they can to hush-up their crappy security measures and their implications fro customers.
The logic of protecting your bottom-line by paying security expecrts to get proper security procedures in place rather than paying PR experts to protect your bottom from the firing-line wbhen it all goes tits-up seems to miss so many of these companies.
But at least when these breaches come to light customers can vote with their wallets - when it's the military (see Reg article today on spam originating from US militiary computers) there is nothing much you can do as you are tied into their service and by all accounts they are increasingly tied into inherently insecure systems (yes, I mean M$).
Don't avoid stores, avoid credit cards
If one wants to use cash, one can safely shop at any TJX store that one likes. That may be a bit too much for some to go along with, but it's like abstinence: it's guaranteed.
I can rattle off myriad reasons to ditch your plastic -- heck, I do consulting for http://unfaircreditcardfees.com -- and if prodded, I will. Security and hidden fees are serious problems. The former is good for nobody, the latter is certainly bad for you but great for the banks.
They're keeping your credit card info
Part of the problem is companies keeping the information you give them to process a transaction. Credit card numbers, expiration dates, and even PIN numbers are stored on servers which, if they aren't hacked already, can be hacked at any time after the transaction is completed and they get the same information.
Why does the retailer need to retain this information after the transaction has been processed? Once they get an authorization or approval number/code, they don't need the PIN number, they don't need the (whole) credit card number, or expiration date. They are keeping enough information to process additional transactions without your consent. I've read they keep it encrypted, but may also keep the decryption keys on the same server.
Why has this not been made illegal? It should be illegal to keep unencrypted customer data. It should be illegal to keep the data encrypted but have the decryption keys right there with the encrypted data. It should be illegal to retain even the encrypted data once the auth/approval has been received. It should be illegal to NOT notify customers a breach has occurred. And, there should be a law (if there isn't already) that allows consumers to sue the retailer for damages due to negligence/violation of the above-mentioned should-be-laws.