Establishing Trust on the Internet
By Melih Abulhayloglu, President and CEO, Comodo Inc
Wednesday, 15 June 2005 13:37 EST

Trust is at the heart of each and every transaction. Without trust there is no commerce, online or otherwise. E-commerce vendors have chosen the web as their medium for transactions, but this creates new challenges for establishing trust with customers.
Unlike the real world, where a customer who enters a store can see us, touch us, smell us and validate the reality of our existence, in the online world there are only the pixels of a monitor. In the physical world we can use all of our 5 senses; in the virtual world we can use only 1. We need to create a situation where seeing, genuinely, is believing.
Phishing scams, identity fraud and website spoofing have become some of the most lucrative business models for today's cyber-criminals. Attacks are becoming more numerous and sophisticated with each passing day, with recent research showing that 57 million Americans have received Phishing emails. Alarmingly, 11 million of these (19%) followed the links inside to a spoof website.
This indicates not only a lack of expertise on the part of customers, but is also a tribute to the plausibility of the scammers. Either way, the result is that the millions of dollars spent on secure transaction infrastructures by online merchants are being sidestepped and internet fraud continues unabated.
It is fair to say that the hackers' expertise and guile have far outstripped the public's ability to discern whether the site they are on is genuine or spurious.
So we need help in getting trust established. There are 3 elements involved in securing a transaction: the vendor, the security provisioning company and the customer. Most successful fraud is committed by exploiting the weakness of the last element, the customer. We need to work together to overcome this via education.
Media coverage of recent high-profile attacks has alerted the public to the menace of Phishing attacks, website spoofing and identity theft without necessarily informing them of their responsibilities in defeating the hackers. The reality is that online transactions need to be secured from both sides. An urgent element in ensuring the future of online commerce lies in educating the buying public about secure practices and software, something in which e-vendors and webhosts, in alliance with security companies, will need to take an increasingly active role.
It is important to give customers the "Trust" and "Security" signs declaring that your infrastructure is secure, and not only that your infrastructure is secure but that you also provide the tools that let your customers establish trust by themselves.
The current explosion in internet trading may have contributed to a degree of complacency amongst online traders. Ever-growing revenues year on year have the unfortunate effect of overshadowing the losses suffered by the victims of internet fraud (losses not only in financial terms, but also in customer confidence and company reputation). However, the online purchasing market is approaching maturity. A Gartner report shows that the recent annual growth rate of 20 percent p.a. is already showing signs of erosion because of saturation. Furthermore, in the absence of an anti-Phishing panacea, US e-commerce growth will slow to 10 percent or less. Companies that haven't factored anti-Phishing awareness measures into their sites may well find themselves battling to restore customer confidence in their e-trading infrastructure that was lost many a Phish ago.
Conversely, those companies that have taken an active stance in the promotion of customer side anti-fraud measures will benefit from higher levels of trust and loyalty in what may turn out to be a contracting market.
To attain a greater appreciation of the problem, it is useful to step into the mindset of the average internet customer. In general, users are notoriously apathetic when it comes to implementing PC security measures such as virus updates, OS patches and generally adopting safe practices. 90% of workers believe they have no role to play in the containment of viruses, believing it to be the domain of their IT department, Microsoft or the government. When it comes to the concept of internet trading, the attitude is even starker: "It's not my job to make my transactions safe, it's the vendor's". Indeed, 94% of consumers believed it was the responsibility of the institution concerned to protect them from Phishing or similar scams, and 54% believed they weren't doing enough.
Companies can legitimately argue that they have taken every measure possible to ensure the security of their transactions via measures such as 128-bit SSL encryption and deployment of identity assurance services like MasterCard SecureCode. But the crucial point is that these measures, however cutting-edge, only protect the customer once a connection is made to the genuine company server. Should this fail to happen and the customer fall victim to a Phishing attack that sends them to a spoof website, all the investment by the e-trader in security becomes irrelevant. The potential customers could have their credit card and other personal data stolen by hackers but, rather than take partial blame for falling victim to the attack, they will tend to hold the company they thought they were dealing with as responsible, if not liable, for the loss. It is a harsh truth, but the age-old saying that the customer is always right still holds true for the internet generation. If your company's reputation is damaged by Phishing-related incidents, then it is in your interests to educate your customers about the security measures they need to take.
A new paradigm of Anti-Phishing Awareness between security software developers, e-commerce enterprises and internet customers needs to be developed.
As more regulations are enforced (for example VISA's CISP, HIPAA and SARBOX), the role of the web hosting company becomes more urgent: its responsibility is to provide secure infrastructures to its customers, together with the tools those customers need to protect themselves and, in turn, to establish trust with their own customers.
The good news is that much of the software and collateral necessary to help defeat internet fraud is available free of charge and would take little or no investment to add to a corporation's online infrastructure.
Such moves successfully indicate that a company is prioritizing the Phishing problem and the privacy of its customer base by proactively taking measures to eliminate fraud.
However, perhaps the greatest benefit is a genuine improvement in the confidence of the public in online trading. If a customer has been sufficiently empowered to conduct his or her own checks on the integrity of an online purchase they will be more confident in internet trade as a whole.