I haven't bought much over the Internet, and until current trends improve, I probably won't buy much in the future. Consumer-based e-commerce isn't safe yet. Sure, you can probably trust a handful of vendors with electronic transactions, but you're still accepting a huge risk because no standard exists for gauging information security compliance for e-commerce. You have to accept the vendor's word when it alleges that its systems are secure, and in most cases the vendor's word about security is backed up with nothing.
Case in point: Last week, hackers found that several large e-commerce sites, including CD Universe, contained major security risks that exposed customer information, including credit card numbers. In some cases, the intruders probed the sites and pointed out the risks. In other cases, intruders actually cracked the sites and stole credit card data and then held the data for ransom. So who's watching who? The black hats are apparently watching everyone and everything that comes into view, but where are the white hats to keep the black hats at bay?
Every time I hear about intruders cracking an e-commerce site, I get colder toward making online purchases. The last thing we need is our credit card numbers in the hands of a system cracker. So how can we help prevent credit card theft without giving up on e-commerce? The answer is, we can't. For now, if we use e-commerce, we must accept the risk because we don't know which sites to trust and which ones to shy away from.
We need a method to determine which e-commerce sites are secure and which sites remain in question. How else can we learn to trust e-commerce with a given vendor? Perhaps we need an international standards body to develop a system of testing and rating a site's e-commerce security. If a Web site passes the required examinations, it could display a seal of approval.
I remember hearing talk about forming a security standards organization, but I never heard whether it came to pass. Based on last week's discoveries regarding lax security on various e-commerce sites, I'd have to guess that either no such body exists, or e-commerce site developers are ignoring it.
If you're aware of any such organization or standards for e-commerce security, please share with me what you know. Until next time, have a great week.