E-commerce turns 10

After a decade, even your mom buys books online. But are secure transactions secure enough yet?

Alorie Gilbert Staff Writer, CNET News.com
Alorie Gilbert
writes about software, spy chips and the high-tech workplace.
Alorie Gilbert
6 min read
Before Amazon, eBay, E*Trade or Orbitz, there was NetMarket.

Few remember or have ever even heard of the Web retailer, but on Aug. 11, 1994, the college grads that founded NetMarket in Nashua, N.H., claimed they had conducted the very first secure retail transaction on the Web.


What's new:
Not e-commerce. Secure online transactions have been around for a decade this month, by some estimates.

Bottom line:
Online shopping is one of the most prominent ways the Internet has changed how we live. It has certainly changed how Jeff Bezos lives. But as more people shop, more criminals prey on them, setting up new e-commerce challenges.

More stories on e-commerce

They said the first item purchased via a Web site protected by commercially available data encryption technology was the CD "Ten Summoner's Tales" by Sting, according to former NetMarket founder Daniel Kohn. One of Kohn's Swarthmore College classmates purchased the CD with his credit card for $12.48, plus shipping costs, exactly 10 years ago on Wednesday, according to a New York Times article that chronicled the transaction and credited the company with making e-commerce history.

Kohn, now a venture capitalist at Skymoon Ventures in Palo Alto, Calif., said the online sale also landed him on National Public Radio and CNBC. "At the time, it was a huge deal," Kohn said. "It was our 15 minutes of fame."

The pedigree of e-commerce is not so clear, however. Though the media was quick to credit NetMarket for breaking new ground, recognition from peers in the field is harder to come by. The Internet Shopping Network, which started selling computer equipment on the Web in 1994, beat NetMarket by about a month, according Randy Adams, former Internet Shopping Network CEO.

Watching e-commerce
New converts to Internet
shopping are helping sales.

"There are a lot of people who claim a lot of things," said Adams, now the chief executive of AuctionDrop in San Carlos, Calif. "We were out there on the edge. We did the first (secure transaction)."

Though they have their differences, Adams and Kohn both agree that in August 1994, online retailing was on the cusp of a breakthrough. Advances in Web security that year started the trickle that has become a significant chunk of the economy. But that didn't "solve" the problem of transaction security. Many data security battles are still being fought, against such foes as "phishing" and Trojan horse viruses.

Despite these dangers, U.S. shoppers will spend $144 billion online this year, according to Forrester Research and Shop.org, a division of the National Retail Association for online merchants. That's 27 percent more than they spent online last year and 6.6 percent of total retail sales across the country, according to their joint study, released in May.

Blazing trails
In 1994, entrepreneurs eager to set up shop online faced plenty of obstacles. For one thing, the United States government still controlled some of the Internet's infrastructure. Under the rules of the National Science Foundation, commercial activity on the Internet was technically forbidden until the spring of 1995, when the agency relinquished all sponsorship of the Internet's network backbone. Federal export limits on strong encryption software also hamstrung early e-commerce efforts as companies grappled with a safe method to collect payments online.

A lack of standards for incorporating encryption technology into Web browsers presented another barrier. Both Adams and Kohn concede that without those standards, the mechanics for encrypting transactions were clunky and awkward by today's standards.

Both the Internet Shopping Network and NetMarket required online shoppers to download special programs before they could safely transmit their credit card numbers over the Web. NetMarkets, which is now operated by a subsidiary of hotel and rental car company Cendant, used a special browser that incorporated Pretty Good Privacy (PGP), a program that went on to become a popular e-mail encryption tool but never caught on for e-commerce. Internet Shopping Network relied on a program called Secure Mosaic, a browser that required users to grasp the concepts of public key encryption technology, a system for securing electronic transactions and managing digital signatures.

The programs were hardly geared toward the mainstream shopping public. They required technological proficiency to configure and operate correctly. And at the time, they only worked on computers running the Unix operating system, while the vast majority of the computing public used Microsoft Windows or Apple Macintosh machines.

That's why the Internet Shopping Network, which the Home Shopping Network later acquired, continued to gather customers' credit card numbers by phone and fax for most orders in 1994, Adams said. The data encryption mechanism was difficult to use and most people didn't trust it at that point, he said.

"It was not something your mom was going to use," said PGP creator Philip Zimmermann.

Web retailing began to flourish the following year, when Netscape (now a division of Time Warner) came out with a version of its Web browser that incorporated the Secure Sockets Layer (SSL) security protocol, Kohn said. SSL creates a connection between a desktop computer, or client, and a server, over which data can be sent securely. The most recognizable sign of SSL at work are Web addresses that begin with "https:" rather than the more familiar "http:" designation.

Microsoft also adopted the SSL protocol as the encryption standard for its Internet Explorer Web browser, further cementing it as a common method for protecting the transmission of confidential information on the Web. That same year, a little Seattle company called Amazon.com set up a book shop online.

Security still a worry
While 10 years of fine-tuning the technology have made e-commerce easier, data security remains a concern for online shoppers and merchants. Though SSL is nearly impossible to break, hackers have found other ways to attack, using computer viruses, "phishing" and other tricks.

Phishing is a scam involving bogus e-mails that appear to come from legitimate businesses, such as Citibank, eBay or PayPal. The e-mails often say the company has lost or must update the recipient's accounts. The user is prompted to follow a link to a phony site and enter passwords, credit card numbers and other personal information.

At least 30 million Americans have been the target of a phishing attack, and nearly 2 million of them have been hooked, divulging credit card numbers and other information, according a Gartner survey. The technology research firm recently warned that phishing, which cost U.S. credit card companies and banks more than $1.2 billion last year, may seriously sap consumer enthusiasm for online shopping if nothing is done to combat it.

Another threat to e-commerce is the proliferation of computer viruses that override security features in popular Web servers and browsers, particularly Microsoft's Internet Explorer (IE). One such virus that infected computers in June redirected visitors from certain Web sites to sites controlled by hackers in Russia. The virus, dubbed JS.Scob.Trojan, also planted a remote-access program onto infected computers to record keystrokes and capture login information.

Computer security experts believe the attack affected a relatively small number of Web sites but was that largest, most effective assault of its type to date. The attack prompted some people to switch from using Explorer to alternatives, such as Mozilla and Firefox from the Mozilla Foundation and Opera from Opera Software.

Despite the threats, most people are more comfortable than ever with shopping online, said Darin Sennett, director of design and technology, at Powell's City of Books. The Portland, Oregon, book store has been taking orders online for nearly 10 years and has been largely unaffected by such attacks, he said.

"That was sort of the James Bond of e-commerce high-jacking," Sennett said of the Russian virus that spread in June. "I don't think there's an overwhelming concern about doing commerce online because of threats to security."