Identity theft, fraud and security risks: some home truths about online music
By Richard Gooch, Technology Director, IFPI - June 2007
Are people too afraid of the security risks from getting music from the internet – or are they not afraid enough?
The answer is that the security risks of purchasing music online via legitimate sites are generally over-rated – while, conversely, using unauthorised P2P programmes is a lot more risky than many people think.
Anxiety over risks such as identity theft and fraud are undeniably a brake on the growth of online shopping. It is easy to find evidence, direct from consumers or from research, that many people fear entering their bank details into a website to complete a purchase transaction. There is a fear of identity theft and a fear of others ‘overseeing’ the private data. And there is a fear that the correct goods may not be delivered.
Such fears are having a real economic impact. Research firm Gartner estimates that online trade worth US$2 billion is lost due to internet security concerns among US shoppers. Gartner’s study, in August 2006, found that nearly half of all online US adults say concerns about theft of information, data breaches or internet-based attacks have affected their purchasing payment, online transaction or email behaviour. Of all the behaviours affected, online commerce is suffering the most.
Interestingly, the security fears of internet users vary markedly by region. In the US, identity protection is the number one security concern, followed by ‘guarding personal financial information’ and ‘safety of family’, according to a report by researchers eMarketer. In Europe, safety of family comes first, followed by ‘personal safety’ and ‘security of internet transactions’.
In Germany, research shows buying is growing healthily but it is still significantly contained by security fears. According to a 2006 study ‘Security in Online Trading’ by eBay/TNS, 58% of the population use online services, 3% up on the previous year. The report showed security to be the most important single factor in consumers’ willingness to buy online - more important than price.
The fear, then, is real. But what about the reality?
The truth is that shopping online is generally safer than handing over your credit card in the average bar or restaurant. In fact most security incidents – online or offline - don’t stem from interception of the payment details related to purchasing. Most incidents actually stem from physical theft or careless disclosure of information.
A report on internet shopping by the UK Office of Trading (OFT) indicates that the risks of buying online are over-rated. In most cases, card details are collected offline – OFT research showed that 56% of respondents considered that credit card details were most commonly obtained offline.
This view is supported by APACS, the UK Payments Association. Its view is that much of fraud issues originate offline rather than from online shopping, and that ‘the incidence of computer hackers stealing and using cardholder data from websites is very low.'
Other experts agree. According to Ben Macklin of eMarketer, “The majority of security breaches, information losses and even identity theft occurs offline. Stolen laptops, lax use of IDs and passwords, inadequate disposal of confidential documents and a lack of education of security risks are more likely to lead to security breaches than computer or network vulnerabilities.”
There is a good reason why security breaches mainly occur offline – it is that banks and online merchants have made it very difficult for criminals to attack the online payments process. Banks actively ‘vet’ merchants who want to accept online payments. For a business to even obtain ‘Internet Merchant Service’ status from a bank typically requires a minimum two year offline trading record with the bank, or a thorough vetting of the business backed by a cash bond.
The merchant website will protect bank details associated with your purchases, by encrypting your data from your browser right through the internet, and into the payment system. You can check for this by looking to see the payment webpage URL beginning ‘https://’ and checking that a locked padlock icon is displayed in the frame of the browser window. Most merchants will then use secure ‘Payment Service Provider’ tools to process online payments automatically into the banking system.
This gives extremely robust protection of your information, right through the system – quite a contrast from a restaurant or a filling station, where you trust your card to a stranger without knowing what they do with it when they pop across to the cash register.
It is advisable to take a few simple precautions in order to enjoy the convenience and security of shopping over the internet.
Security tips for online buyers
The most important points are below, but there are links to further information and advice at the end of this article.
If these precautions are taken, the risk of your data being snagged by snoopers should be eliminated.
What about actually entering your data into the computer? There’s practically only one way that you could lose your data at this stage, and that’s through viruses or spyware hidden on your computer. There are simple steps that you can take to prevent this risk: above all, avoid surfing ‘dodgy’ websites. There’s almost no chance of picking up a virus or spyware from a bona fide website. Keep a clean computer and keep secure. In any case use up-to-date virus and spyware checkers.
Card fraud and protection
The risks of card fraud are low, whether shopping online or offline. APACS gives this advice: credit cards are always safer than cash. The chances of you becoming a victim of card fraud are still low (fraudulent transactions make up 0.141% of all transactions). If you are unlucky enough to be a victim you will not suffer any financial loss as a consequence providing you have not acted fraudulently or without reasonable care.
Additional anti-fraud protection for online shoppers is underpinned by legislation, such as the UK distance selling regulations. This means that the protection offered by banks in the unlikely event of card fraud online, should be cast-iron.
Barclays, for example, says “Wherever you use your Barclaycard, including the Internet, we guarantee you against fraud.” HSBC states “You will not be charged for online card transactions undertaken without your authority.” RBS says “If you do discover that a transaction has taken place on the Internet without your knowledge or consent, we guarantee not to hold you liable for the fraudulent transaction.” Other banks offer similar guarantees to their customers.
Online shopping is safe and secure. There are simple precautions that can be taken, and there is strong overarching consumer protection. And this applies to online music sites (such as iTunes, HMV, Napster, Yahoo Music, Fnac, Virgin, Tesco, Amazon and so on) as much as anything else.
The security risks of unauthorised P2P – a different story
So are all the fears of the security risks on the internet overdone? The answer is no. Security fears for some kinds of internet behaviour – and use of unauthorised P2P networks is the most obvious form of them - are not at all exaggerated, and nor is the consequent financial cost.
One particular problem identified with use of unauthorised P2P is viruses. The vast majority of computer viruses are actually carried by ordinary e-mailing between people's computers. However, unlike P2P networks, e-mail is usually very well protected by firewalls and does not leave your computer open to millions of other internet users.
A September 2006 report by security specialist Symantec also shows that the problem of viruses carried on P2P is getting worse. It says 29% of all virus infections were carried by P2P networks in the second half of 2006, up from 14% in the same period of the previous year.
McAfee research highlights search risks of P2P
Searching for unauthorised P2P programmes can be a risky business, according to experts who have studied the matter. Specialist security technology company McAfee has comprehensively researched the safety of internet activity as part of its SiteAdvisor safety programme. McAfee looked at the risk levels of searching the internet, in terms of damage and annoyances it causes for the user.
McAfee’s report, The State of Search Engine Safety, highlights that searches of keywords involving P2P services, such as Limewire, are among the most dangerous. Limewire (one of the major unauthorised P2P programmes) ranked third of 2,300 search words tested on the five major search engines in the US. One in three (37%) searches for the unauthorised P2P programme were defined by McAfee as “dangerous or risky”. McAfee’s data shows that searching for Limewire is actually three times more risky than obviously dangerous internet activity such as searching for pornography.
Search terms involving legitimate online services such as iTunes and Napster come way down the list, showing a risk level of below 5%.
McAfee says: "We recently studied the safety of search engines and popular search categories like file sharing. We found that the world of file sharing is full of dark alleys that are really dodgy and dangerous in terms of the damage and annoyances they can cause to your computer. There are a whole range of risks, from spyware and scams to viruses and identity theft, which expose people searching for those programmes to a high level of risk.”
Consumers are paying a price for these kind of risks. Americans spent at least US$8 billion in computer repairs, parts and replacement over the past 2 years as a result of viruses and spyware alone, according to researchers Consumer Reports.
More than half of all US internet households reported an internet security problem in 2006, according to Parks Associates, June 2006. And an estimated US$3 billion of online revenues were lost due to online payment fraud according to e-tailers in 2006 in the US (CyberSource and Mindwave Research).
Unauthorised P2P also greatly facilitates inadvertent disclosure of confidential information contained in individuals’ and firms’ computers. Inadvertent disclosure of confidential information is clearly identified as a high risk-factor associated with financial fraud and identity theft.
An academic paper by Eric Johnson at the Dartmouth College, Tuck School of Business, reinforces this. Inadvertent Disclosure – Information Leaks in the Extended Enterprise (June 2007) examines inadvertent disclosures through p2p networks. The research reveals a significant information risk firms and individuals face from p2p file sharing networks.
The report comments:
“Unrecognised to many (P2P) users is the serious security threat these networks pose to both corporate and individual security.
“Confidential and potentially damaging documents have made their way onto these networks. The research also shows that criminals actively search p2p networks hoping to find information that they can exploit.”
It finds that there are several routes for confidential data to get onto p2p networks: for example a user may accidentally share folders containing the information or store music and other data in the same folder that is shared. Alternatively, a user may download malware that, when executed, exposes files; or the client software may have bugs that result in unintentional sharing of file directories. (Source: http://weis2007.econinfosec.org/papers/43.pdf)
For further information:
Internet Shopping – a report by OFT at www.oft.gov.uk
Adrian Strain, IFPI London