Few websites meet industry standards when it comes to storing our
credit card details. So, asks Danny Bradbury, is e-commerce in the UK
fundamentally flawed?
If you use an e-commerce site in the UK, how safe are your personal
details? Not as safe as you might think, according to SecureTest, a
security consultancy that specialises in "ethical hacking". After
testing 100 UK websites, it has accused the UK e-commerce community of
fundamental flaws in the way it handles customers' details.
Ethical hacking is normally done with the target's consent: paid security experts look for holes in the system. In this case, the tests were not sanctioned, and so SecureTest was careful not to breach the Computer Misuse Act (CMA). Instead, its team signed up for customer accounts on each website, and then walked through the standard procedures all customers have access to, drawing conclusions about how those sites handled customer data.
For example, almost all sites use a
customer's email address as a username, which they ask for when helping
customers with a forgotten password. Of those tested, 60% responded to
forgotten password requests by explicitly stating whether the email
address was in the database or not.
"That's a fatal mistake,"
says SecureTest's managing director, Ken Munro, arguing that it lets
attackers verify that a particular email address is registered on an
e-commerce site. An attacker could then create lists of addresses with
which to start testing targeted attacks. "If I wanted to deliver a
cross-site scripting attack via email to steal their customers' account
details, I now know the email addresses of their customers," he says.
Pass the password
The sites surveyed recovered user passwords in one of three ways, all via email: sending a link to a web page where users enter a new password; generating and sending a new password; or simply sending the original one.
Sending account credentials over an unprotected network is
a bad idea, says Michael Owen, head of security management at security
consultancy and penetration tester IRM. "I wouldn't recommend any
system that mailed back passwords," he says. "You're assuming that you
can trust all of the machines that it will pass through, and that the
customer definitely has control of his email at the time you're sending
it out."
Even sending a link to a password reset page is insecure
unless the page also asks the user a secret question when they arrive
there. Only 14% of sites took that approach, Munro explained.
Tom Kellermann, vice-president of security awareness at security firm Core Security Technologies, goes even further. "Passwords themselves are obsolete. It is shocking to me that the standard in e-commerce is pushing people towards stronger passwords," he says, arguing that they're notoriously difficult for consumers to manage securely. "We should be moving towards two-factor authentication".
Some banks have started to adopt this approach (which generally combines something you know, such as a PIN, with something you have, such as a smart card). Few, if any, e-commerce sites do it, though: the cost of giving away hardware tokens to every user would put most of them out of business. The contention over these basic security issues raises an important question: how can e-commerce companies walk the line between usability and security?
These decisions seem to be based on a mixture of de facto approaches to the problem and gut instinct, says Owen: "At the end of the day, it boils down to the risk appetite of an organisation."
Compliance complaint
The credit card industry has imposed its own regulations on the storage of credit card details. The PCI-DSS standard governs the security with which companies store credit card information. Unlike most security regulations, it was imposed by the private sector, rather than the government.
The credit card companies which designed them have promised to fine companies that don't conform to the guidelines, but most still fall short. LogLogic, which makes software that analyses security logs, commissioned a survey last week of 65 UK firms with at least 500 employees that handled credit card transactions. Only 14% were PCI-DSS compliant.
Littlewoods, which also manages the website for Adidas, isn't yet compliant, says spokesperson Anthony Taylor. But they are "well on our way to achieving compliance within the agreed timescales".
Nor is retailer New Look, says Shaun Wills, strategy and business development director, who admits that newlook.co.uk
doesn't encrypt its customers' passwords either. He's not that worried,
though, because the company doesn't hold customers' credit card data.
Like some other sites, it forces customers to re-enter their credit
card details for each transaction - thus dodging the PCI bullet. "It's
a big disadvantage," he says. "But for the time being, until we're absolutely confident that we have robust systems in place, we think that's probably a better way to go."
For Donal Casey, principal
consultant at systems integrator Morse, the most trustworthy websites
don't take credit card information at all. "I'm more interested in
sites that use things like PayPal or Google Checkout because I don't
necessarily want to give my card details out," he says.
The LogLogic survey didn't say what level of certification the handful of compliant companies had attained. The PCI standard has several, based on the volume of transactions a company processes. Only tier one (the highest) is externally audited, says James Cronin, CTO of tier one-compliant e-commerce platform provider Venda. "Anyone who wants to can be level two, three or four compliant just by filling in questions on a web form. It's not really a validation," he says.
But PCI only addresses the handling of credit card data. Today's websites face other problems. For several years, one way for criminals to infect victims' computers with malicious software was by using shady websites serving porn and pirated software to covertly deliver malicious scripts. Once infected, the computers became part of a botnet, remotely controlled by online crooks. Recently, criminals have refined their tactics, hacking into legitimate websites and turning them to the dark side. A survey by security firm WebSense in January found that 51% of all sites serving up malicious scripts were legitimate sites that had been hacked. "Our figure is 83%," says Graham Cluley, senior technology consultant at anti-virus firm Sophos. Every 14 seconds, Sophos finds a site delivering malicious scripts, and eight in 10 are legitimate sites that were hacked, he says.
On Valentine's day, the company found
an e-commerce site selling flowers that was unwittingly infecting
customers' machines. "The florist wasn't really interested, and didn't
understand what we were talking about. He was into flowers, not
websites," recalls Cluley.
Some sites using databases to serve up
their content have been attacked using SQL injection, in which
criminals manipulate the web server's database by typing carefully
crafted text into a web form or the address bar. Another attack
involves stealing FTP passwords from an infected PC, says Joe Stewart,
senior security researcher at managed security services firm
SecureWorks. "Someone gets infected with a bot, it's stealing their
other passwords, and so it steals FTP passwords as well," he warns.
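The SQL injection the article mentions works because the text typed into a form is pasted into the database query as code rather than passed as data. This added example (not from the article, with a constructed in-memory SQLite table standing in for a shop's customer database) puts the vulnerable lookup beside a parameterised one: the same crafted input returns every row from the first and nothing from the second, and a legitimate address containing an apostrophe, which breaks the vulnerable query outright, is handled correctly by the safe one.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, standing in for a real customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice@example.com", "1234"),
            ("bob@example.com", "9876"),
            ("o'brien@example.com", "5555"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """Builds the statement by pasting the form field into the SQL text.
    Whatever the customer typed becomes part of the query: a stray quote
    breaks the statement, and extra clauses run as SQL."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None  # the input turned the statement into malformed SQL


def lookup_safe(conn: sqlite3.Connection, email: str):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so the input is only ever compared as data, never parsed."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()
```

The fix is the same in every database library: never build the WHERE clause from user-supplied strings; use the driver's placeholders (here `?`) and let it bind the values.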
Web advertisements are another attack vector, warns Stewart's colleague at SecureWorks, senior security researcher Don Jackson. E-commerce companies may have control over their own content, but if banners display advertising content from third parties, how do they know they're not serving malicious scripts?
A question of trust
Such trust relationships often extend to a third-party web host looking after a company's e-commerce site, says Kellermann. "Those who host websites, portals and e-commerce engines are not being effectively tested and forced through contracts to remediate exploitable vulnerabilities before the enemy does," he warns.
These issues are worryingly real. Last October Fasthosts, a UK web hosting company, was forced to ask all of its customers to change their FTP and email passwords (stored unencrypted) following a data breach. And many e-commerce websites hosted by third parties share servers with other companies' code, so one infected application can affect others' software.
All of this makes it difficult for e-commerce customers to know who they're trusting, let alone how secure they are. And with criminals now operating in stealth mode so that they can milk compromised computers of their data for as long as possible, how will we ever really know?
E-commerce: the facts
14%
Proportion of websites tested that ask users a secret question to reset password
51%
Proportion of sites serving up malicious scripts that are hacked legitimate sites
14 seconds
The time it takes Sophos to discover a new website with malicious scripts