Is today make or break for UK trusted on-line trading?

Today is the annual peak of on-line transactions in the run-up to Christmas. Will consumers stay away because they are scared of being ripped off? Will they once again flock on-line for their annual binge? If so, will the proportion of fraud be such as to trigger a backlash in the New Year?

Last Monday, at a meeting of the EURIM E-Crime Group to help plan support for the E-Crime Reduction Partnership, one of the contributors, speaking on behalf of the Information Security Awareness Forum, said that we were very good at preaching to each other but not to the outside world. Another suggested that perhaps we needed a plot line in East-Enders.

On Saturday the BBC did much better: a crisp three minute clip on Breakfast TV, repeated and also placed on the main news website. The only thing missing was the Get Safe On-line website address. Tony Neate did a crisp summary of the problems with fake websites. A BBC voice-over said that inside a day of Operation Papworth (which took down 1200 in one day) the fake Tiffany sites were back up. Rik Ferguson of Trend Micro (one of the global operations that is looking beyond current generation reactive security) then pointed out that anyone in the world can use .co.uk. It is no more trustworthy than .com.

The key messages were all there - and will hopefully reach a larger audience than East-Enders - including those whose businesses rely on on-line trust.

It will take a few days to see the impact of the advice and perhaps a month to see the fall-out - not just from the advice but also from the annual peaks of on-line business and on-line fraud.

Pressure is building up to cleanse the domain name system as a key point of leverage in the fight against on-line fraud and malpractice, but that raises the interesting question of who is serious. .co.uk may be unpoliced, but the registration details for .ltd.uk and .plc.uk are supposed to match those registered with Companies House - and almost no-one uses them.

Is that because they are not promoted or because the commercial value of the increased trust is negligible?

If on-line business today falters, or sees an unacceptable (what is that?) level of fraud, how long will it be before that changes? 

And will the change be business-led and "simple" - for example, registrars enforcing the e-Commerce Directive by reminding customers of the need for trading web-sites (such as those using .co.uk) to carry contact details for use in the event of dispute, and charging a "deposit" to cover the administrative cost of de-registration that will be refunded once they have shown that they have done so?

Or will we have rounds of impractical legislative and regulatory flummery?

Part of the discussion at the EURIM meeting was on the need for industry and government to work together to identify the actions needed and bring them about lest concern over on-line rip-offs triggers the on-line equivalent of the Dangerous Dogs Act.

  


2 Comments

I'm really not sure that increased regulation of the DNS is the way to improve security and trust. Telling consumers to "look for .co.uk and https:" (as the BBC story does) is training consumers to trust information that can very easily be spoofed by the fraudsters. Increasing the bureaucracy in registering UK-specific domains will push businesses and then consumers elsewhere.

What is going wrong with the existing online consumer protection mechanism of joint liability for credit card providers? Banks have a much better idea of who merchants are than consumers can easily obtain; as well as appropriate risk management procedures.

Ian is correct, just because it says "https://" in the address bar and has a padlock / green address bar, doesn't mean the content is necessarily on the same server, or to be trusted e.g. browser in a browser attacks. The server or TLS (SSL) may be configured incorrectly or in a weak way which means "https" doesn't necessarily mean "secure (transmission)". Increasing awareness is great, but we need to build in better base-line protection for users of web browsers and websites. Initiatives like content security policies, http-only and ssl-only flags on cookies and verifying website security will provide greater protection to everyone, even most of us who can't spot every phishing or dodgy website. After all, the dodgy site may be after your card details, not selling you counterfeit goods.

I like the concept of an on-line equivalent of the Dangerous Dogs Act though.
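An added example, not part of the original post or its comments: a small audit of the baseline protections the second comment names (a content security policy, and the HttpOnly and Secure cookie flags), run over response headers. The two sample responses are constructed, and the function names are hypothetical.

```python
# Constructed sample response heads (not captured from any real site).
WEAK = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure
"""
HARDENED = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    # Return (lowercased name, value) pairs; the status line has no colon.
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def allows_inline_script(policy):
    """True if the policy's effective script source list permits inline script."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither directive present: scripts are unrestricted
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    pinned = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not pinned

def audit(raw):
    """List missing baseline protections in one response head."""
    headers = parse_headers(raw)
    findings = []
    policies = [v for k, v in headers if k == "content-security-policy"]
    if not policies:
        findings.append("no Content-Security-Policy header")
    elif all(allows_inline_script(p) for p in policies):
        findings.append("Content-Security-Policy permits inline script")
    for value in (v for k, v in headers if k == "set-cookie"):
        first, *attrs = value.split(";")
        name = first.split("=", 1)[0].strip()
        flags = {a.split("=", 1)[0].strip().lower() for a in attrs}
        findings += [f"cookie {name!r} lacks {label}" for flag, label in
                     (("secure", "Secure"), ("httponly", "HttpOnly")) if flag not in flags]
    return findings
```

`audit(WEAK)` returns four findings and `audit(HARDENED)` returns none; a clean result covers only these headers and says nothing about the TLS configuration or the trustworthiness of the site itself.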

About this Entry

This page contains a single entry by Philip Virgo published on December 7, 2009 7:24 AM.
