When hackers unleashed distributed denial of service attacks against the likes of Yahoo!, Amazon, eBay and Buy.com and even the FBI Web site in February, more than a few hours of downtime resulted. Recent polls reveal the attacks took a bite out of a less tangible commodity: consumer confidence.
Though only 9% of Internet users responding to a Gallup poll acknowledge they were affected by the attacks, half say they’re less likely to use their credit cards for online purchases or provide personal or financial information online. Even worse, 20% are less likely to use the Internet at all.
Another study, conducted by At Plan Internet Inc., also shows signs of diminished confidence. One-third of Internet shoppers 18 and over say they’re less apt to make a purchase online in the future. Among respondents who hadn’t made an online purchase in the last three months, 47% say it’s unlikely they will in the future.
“Consumers are clearly alarmed by the recent hacker attacks,” says Mark Wright, chairman and CEO of At Plan. “Most online consumers are indicating that the onus to resolve these issues falls squarely on the shoulders of the online industry.”
Some e-commerce experts blame the media for helping shake consumer confidence. “The reality is that, while some sites have suffered, people are back online. The biggest fallout of this is the press,” says Gartner Group e-retailing analyst Robert Labatt. “It hasn’t affected revenues any great amount. It’s a non-story.” Labatt says the attacks will benefit the industry by contributing to a stronger, safer security system. “It’s made the industry say, ‘We’ve got to look into this.’”
His position gets a strong second from Lauren Freedman, president of the E-retailing Group in Chicago, who says flatly: “These attacks won’t affect shopping.”
But others disagree. “The lost sales are pretty significant,” says Gene Kim, chief technology officer for Tripwire Security. Although Kim concedes it’s difficult to quantify lost sales, he points to a report by the Yankee Group that indicates the temporarily disabled sites may have cost more than $1.2 billion. The Yankee Group arrived at that figure by estimating revenue losses at the affected Web sites, losses in market capitalization, and the amount spent on improving security as a result of the attacks.
Most chilling to online merchants is the specter of legal responsibility. The Yankee Group report places the burden squarely on CEOs and CIOs, saying they should be held accountable for failing to have safeguards in place to fend off denial of service assaults and other online mischief. Web sites, the report states, operate under simple business rules that call for keeping sites up and available and providing sufficient bandwidth for peak use. Security, the report goes on, must be “the number one issue in provisioning a Web site.”
Kim agrees, but shifts some responsibility to the servers used to launch the attacks. He compares them to an unfenced neighborhood swimming pool. “It poses a threat, and the owner should be held responsible.” Investigators so far have determined that vandals hijacked servers with wide access and little security, most likely based at universities and research facilities, and remotely signaled them to carry out the denial-of-service assaults. The tool was a new version of software called “Trinoo,” which can be spread by e-mail. The ease of the attacks leads Kim to believe they will get worse.
As techies explore sturdier firewalls, experts suggest small actions online retailers can take to reassure consumers, including posting a toll-free phone number in case of site outages and guaranteeing transaction security. “The most important thing for e-commerce,” Kim says, “is that consumer confidence doesn’t go away.”