To security experts, cybercrime has evolved to the point where consumers and retailers must take several levels of precaution and maintain constant guard against fraud, with the same wariness as anyone who lives with common street crime. “The Internet was built on a foundation of trust, but today that’s pretty naïve,” says Craig Spiezel, director of industry and business strategy for the technology care and safety group at Microsoft Corp. “But there’s no silver bullet to fight fraud. The web retailer needs to have solutions across the board.”
Moreover, it isn’t only the largest retailers and brand names that need to guard against phishing and other forms of fraud, experts say. With the biggest targets like eBay, PayPal and banks taking steps to stop fraud, criminals are looking at other, less-guarded targets. “Fraud acts like an air bubble; you push it here, it goes there,” says Ori Eisen, CEO and founder of risk management firm The 41st Parameter and a former director of anti-fraud efforts for American Express Co. and VeriSign Inc. “We need to run faster today just to stay ahead of the bad guys.”
Some say the threat of cybercrime and the damage it can do to brands and consumer confidence are even greater for smaller retailers. “A small retailer has an even bigger concern because just one bad incident could cause it to lose credibility,” says Jeffrey Neuburger, chair of the technology, media and communications department at Brown Raysman Millstein Felder & Steiner LLP, a New York law firm that represents online retailers.
Neuburger, noting a recent lawsuit brought against Bank of America by a customer victimized by a phishing attack that had used the bank’s brand, warns that the spread of phishing attacks could lead to legal liability for retailers who don’t take the necessary precautions to prevent them. “I don’t think the Bank of America case will go far, but the trend is that as these issues become more serious, retailers are in an area of potential liability,” he says. “Retailers have to take reasonable precautions under the theory of negligence.”
To guard against phishing and related “pharming” attacks, which hijack legitimate web site domain names so that consumers enter account information on fraudulent sites that appear to be legitimate, experts encourage retailers to focus on four areas:
- consumer and employee education to maintain a clear distinction between legitimate and illegitimate e-mail and web sites;
- technology, including web monitoring software and services, that identifies when a brand’s identity is being stolen and used to create a fictitious web site;
- sharing of fraud and fraud-fighting information among retailers;
- technology to prevent criminals from making online purchases with stolen financial account information.
Consumer and employee education starts with procedures for clearly stating on a retailer’s web site its policies about communicating with customers. Standard retail policy should be that merchants never ask customers to enter account information by linking to a site through an e-mail message, experts say.
Yet the popularity of e-mail as a marketing tool still leaves some retailers with their guard down. “You need to educate marketing and IT departments how not to send e-mails that look like phishing, like sending e-mail that’s not from your own domain name or sending e-mail that asks customers to click a link in the e-mail to update their account information,” Jevans says. “We’ve seen quite a lot of retailers doing that. But if they keep sending e-mail that looks like phish, they’re training their customers to respond to phish.”
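The two habits Jevans describes (mail sent from a domain other than the retailer's own, and mail that asks customers to click a link to update account details) can be caught before a campaign goes out. The linter below is an added example written for this article, not code from any retailer or vendor quoted here; the retailer domain, the two draft messages and the phrase list are constructed, and message bodies are assumed to be plain text.

```python
"""Lint an outbound marketing e-mail draft for the habits that make
legitimate mail look like phish. Added example; the retailer domain,
prompt phrases and sample drafts are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RETAILER_DOMAIN = "example-retailer.test"   # assumption: the retailer's own domain

# Wording that usually accompanies a "click to update your account" request.
ACCOUNT_PROMPTS = re.compile(
    r"(update|verify|confirm)\s+your\s+(account|password|billing)", re.I)
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def _on_brand(host: str) -> bool:
    """True when host is the retailer's domain or a subdomain of it."""
    host = host.lower()
    return host == RETAILER_DOMAIN or host.endswith("." + RETAILER_DOMAIN)


def lint_draft(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the draft passes."""
    msg = message_from_string(raw)
    findings = []

    # Rule 1: the visible sender must be the retailer's own domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if not _on_brand(from_domain):
        findings.append(f"From domain {from_domain!r} is not {RETAILER_DOMAIN!r}")

    # Rule 2: every link must point back at the retailer's own domain.
    body = msg.get_payload()          # plain-text body assumed
    links = LINK_RE.findall(body)
    for link in links:
        host = urlparse(link).hostname or ""
        if not _on_brand(host):
            findings.append(f"link to off-brand host {host!r}: {link}")

    # Rule 3: never pair an account-update request with a link to click.
    if links and ACCOUNT_PROMPTS.search(body):
        findings.append("asks the customer to update account details via a link")
    return findings


# Constructed drafts: one that breaks all three rules, one that passes.
BAD_DRAFT = """\
From: Example Retailer <promo@mail-blast.example>
To: customer@example.org
Subject: Action required

Please verify your account at http://login.mail-blast.example/update within 24 hours.
"""

GOOD_DRAFT = """\
From: Example Retailer <newsletter@example-retailer.test>
To: customer@example.org
Subject: This week's deals

Browse this week's deals at https://www.example-retailer.test/deals
"""

if __name__ == "__main__":
    for name, draft in (("bad", BAD_DRAFT), ("good", GOOD_DRAFT)):
        print(name, lint_draft(draft) or "OK")
```

Run as a pre-send gate in the marketing tooling, the check fails the bad draft on all three rules and passes the good one; the point is that the retailer's own mail should never contain anything a customer is being taught to distrust.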
Other aspects of consumer and employee education include standard operating policies such as serving pages over HTTPS so that “https” appears in the web address and the browser shows the Secure Sockets Layer lock icon, and displaying third-party security seals, so that customers learn what a legitimate page looks like. In addition, marketers should adopt e-mail authentication methods such as Microsoft’s Sender ID, under which a domain owner publishes the IP addresses authorized to send e-mail in its name, so that receiving mail systems can reject messages that claim the brand but come from elsewhere.
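Sender ID and SPF share one record syntax: the domain owner publishes a list of sending IP addresses and networks in DNS, and a receiving mail server compares the connecting IP against that list. The evaluator below is an added example, not Microsoft's or any mail vendor's implementation; the records are constructed and kept in an in-memory table instead of DNS, and only the `ip4`, `ip6` and `all` mechanisms are handled (no `include`, `a`, `mx` or `redirect`), which is enough to show how an unauthorized sender is rejected.

```python
"""Check whether a connecting IP is authorized to send for a domain,
using the record syntax shared by SPF and Sender ID. Added example:
records are constructed and looked up from a dict rather than DNS."""
import ipaddress

# Constructed "published" records, keyed by the domain whose name is claimed.
RECORDS = {
    "example-retailer.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
}

# Prefix on a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(domain: str, sender_ip: str, records: dict = RECORDS) -> str:
    """Return pass / fail / softfail / neutral / none / permerror."""
    record = records.get(domain)
    if record is None:
        return "none"            # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() not in ("v=spf1", "spf2.0/pra"):
        return "permerror"       # not a record this evaluator understands
    for term in terms[1:]:
        qualifier = "+"          # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all for everything else
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"   # mechanism outside this example's scope
    return "neutral"             # record ended without an "all" term


if __name__ == "__main__":
    for dom, ip in (("example-retailer.test", "203.0.113.45"),
                    ("example-retailer.test", "198.51.100.7"),
                    ("soft.example", "192.0.2.1"),
                    ("unknown.example", "192.0.2.1")):
        print(f"{dom:24} {ip:16} {evaluate(dom, ip)}")
```

The `-all` ending is what gives the record teeth: a receiver that gets a "fail" can discard mail forged in the retailer's name, which is the whole reason to register the sending addresses. A `~all` softfail only marks the message as suspect, and a domain with no record at all gives receivers nothing to act on. Sender ID differs from SPF in which header identity it checks (the purported responsible address rather than the envelope sender), but the record evaluation shown here is the same.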
Some retail executives say they’re planning to be more aggressive with consumer education related to fraud, even though they haven’t been subject to attacks. Joe Devine, CTO of Safeway.com, the online unit of supermarket chain Safeway Inc., says consumer education on phishing and related concerns will become more critical as customers follow the grocer’s lead in participating in more online communication with Safeway, even if they only shop in its stores. “We’re using the Internet to drive customer loyalty in our stores, whether or not they shop online, so they’ll have to log on and enter a password,” Devine says.
Safeway will educate customers about the types of e-mail correspondence they can expect from the grocer, and instruct them to never click a link in an e-mail to enter any account information even if the message appears to come from Safeway, he says.
Although Devine says he doubts criminals could ever hack into Safeway’s encrypted customer databases, they could still try to steal customers’ log-ins and passwords in phishing attacks and use that information to break into other sites where customers keep financial account data.
In fact, criminals don’t even need to capture complete account information. Because many consumers reuse the same log-in and password across multiple web sites, criminals know that learning the credentials a consumer uses for any one site often lets them enter that consumer’s financial sites as well, where they can capture more sensitive credit card account information. The spoils can be as basic as a quick $10 for each consumer identity package they sell to other criminals.
The Anti-Phishing Working Group and TRUSTe, a web site security certification firm, conducted the first “Phish Fry” Consumer Education Summit in June. Indeed, even TRUSTe has had its logo used in phishing attacks, says executive director and president Fran Maier, who chairs the consumer education committee at the APWG. “We’re getting phished along with eBay and PayPal, so one of our responses has been to take a leadership role in consumer education,” she says.