Net stores get ready for Santa cons

Holidays bring more money for online retailers--but also more security worries.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
A couple of days before Thanksgiving, mom-and-pop e-tailer Tina Koenig's phone kept ringing with calls from people verifying they'd won a laptop.

The only problem: Koenig had no idea what they were talking about.

Cybercriminals had used her online gift store in a "phishing" scam, which set up a fake version of the site to try to extract visitors' credit card information. An e-mail enticed victims to the fake site by telling them they had a prize. The lure was a free Hewlett-Packard laptop computer.

"We got at least 10 to 20 phone calls and e-mails from people wanting to confirm they'd won the computer. It was a situation that could have hurt our brand, reputation and sales, if we didn't return those calls and e-mails," said Koenig, founder of Cybercalifragilistic, a gift site for geeks that generates 80 percent of its annual revenue during the holiday season.

The holiday shopping season, with its boom in traffic and sales, casts a spotlight on concerns over the security of e-commerce. Online fraud is becoming more professional as organized crooks begin to flex their muscle in digital scams. But major retailers and services providers have become more savvy too, bolstering security all year round. That leaves midsized and small Web stores as possible prey of criminals.

Those small businesses have more to lose, in credibility and income, from attacks. "This is the kind of thing you don't want to happen any time of the year--especially (not) during the holidays, when it's the busiest time of the year," Koenig said.

Santa fraud
Online retailers are expected to generate about 30 percent of their overall revenue for 2004 in November and December, according to figures from research firm Jupitermedia. That adds up to about $20 billion in holiday sales.

But the spike in holiday traffic brings a 20 percent rise in the number of attempted security breaches, estimates VeriSign, which provides authentication of Internet transactions.

"Fraud activity increases with the level of volume activity to the site," said Trevor Healy, VeriSign's vice president of payment services. "There's a belief in the fraud community that retailers may not be as vigilant during the holidays because they're busy filling orders and getting their holiday sales out."

That traffic plays a part in one fraud scheme, in which criminals use a large number of stolen credit card numbers to make purchases on one site, to make sure those numbers are valid. The fraudsters then use those cards to buy goods at another e-commerce business. Another credit card scam that is increasingly popular, Healy noted, has corrupt employees issue refunds on numbers that don't exist.

Credit card fraud, phishing and denial-of-service (DoS) attacks linked to extortion are the security threats that have online businesses most worried, security analysts agree.

But larger online stores tend to have more experience in handling fraud, so the increasingly professional fraudsters on the Internet have started to target smaller businesses, said Roy Banks, president of Authorize.net, an online credit-card processing company.

"If you are looking for opportunities to defraud a merchant, you are going to look downwards in order to find those that are susceptible to fraud," Banks said.

Koenig and her small online business are familiar with the dangers of DoS attacks. Back in 1996, Cybercalifragilistic suffered an outage for a couple of days during the holiday spending season after its Internet service provider, WebCom, was hit with a flood of data that swamped its servers.

"It cost our company 20 percent of our holiday sales," she recalled. "This happened during the pioneering days of the Internet, and the attack was to protest commerce on the Internet."

Carrie Johnson, an analyst with Forrester Research, noted that the retailers most likely to lose customers from a DoS attack are those that don't have a unique brand or that can't guarantee to deliver products on time--typically, smaller businesses.

Recently, mid-tier and smaller Web stores have made efforts to improve data protection, a security move that is also seen as a marketing move.

"In the past, consumers generally drifted to the larger e-tailer, even if their price wasn't as good, because they were perceived as being more secure," Healy said. This year, small companies have made efforts to boost system protection so they can post certification logos from security companies on their sites, he added.

Large online retailers say they already have good security in place and don't feel compelled to take additional precautionary steps during the holidays.

"We have security measures in place to safeguard against multiple external factors. We continue to monitor and prepare our site for various traffic increases throughout the year," said Amy Colella, a spokeswoman for Walmart.com, the online outlet of retail giant Wal-Mart Stores. "Historically, we have not experienced significant security threats during the holiday season."

Security experts agree that while the absolute number of attempted security breaches at e-commerce sites goes up during the shopping season, the percentage of overall traffic they represent remains steady--at around 4 percent to 7 percent, according to VeriSign.

Be prepared
Retailing giant Amazon.com, which was hit with outages last week, declined to comment on its security measures during the holidays. Last year, the company made 37 percent of its revenue between October and December, according to a regulatory filing.

For larger merchants like Amazon, the main worry is defending their storefronts from extortionists that threaten online attacks if they are not paid. In September, just such an attack intermittently disrupted Authorize.net's service for about a week, leaving many merchants unable to process credit cards, Banks said.

The lesson, he said, is to be prepared. In response to the attacks, Authorize.net built a much greater capacity into its network and deployed defensive technologies.

"We know--and quite frankly, it is an unspoken truth in the industry--everyone is getting attacked," Banks said. "We have all been there; it's an industry problem. There is no way to eliminate those attacks. You can only fortify and mitigate against them."

Moreover, shops that fail to take steps to harden their sites against attacks may instead attract them, said Jupitermedia's Cundiff.

"There seems to be focus on fraudsters on the merchants that don't do such stringent checking of transactions," Cundiff said. "That tends to be the merchants that are new online."

Online retailers should take a tip from the criminal community, which shares information such as hacking tips and stolen credit card numbers all the time, Healy said. By communicating about the threats they encounter during the holidays, they can mount an effective common defense. Without that, the impact of fraud prevention systems and other security protections is lessened.

"Until the industry moves to a more collaborative effort to fight fraud and share information, the rubber isn't going to hit the road," Healy said.