Consumers Still Wary of Online Security

Even consumers with several years of experience online continue to cite
security and privacy features as a key factor in the decision to spend
online, according to a new study by MasterCard International, lending
weight to recent
suggesting financial institutions and other enterprises stop
using Microsoft’s .NET Passport service.

MasterCard’s U.S. consumer study found that assurance that personal
information would be kept private, a guarantee that consumers would not
receive unwanted emails as a result of purchases, and an extra layer of
security for credit card transactions were “among the most important
factors influencing the degree to which consumers would make purchases

“Internet retailers should take a close look at this study as it indicates
that extra security programs and assurances will motivate consumers to shop
online,” said Steve Orfei, senior vice president and head of MasterCard
International’s e-Commerce and e-B2B Center of Excellence.

Passport, a Microsoft service that is billed as a
one-stop-shop for storing personal information for use in online activities
like shopping and accessing content, is used as an authentication mechanism
by many online retailers. Despite Microsoft’s extensive efforts to secure its code through the Trustworthy Computing Initiative (it spent
more than $200 million and delayed several key products, including its
Windows Server 2003 operating system, to conduct a line-by-line audit), the
Passport service made headlines last week with the detection
of a serious security hole that could have put the personal information of
millions of Passport and Hotmail users at the mercy of attackers.

The vulnerability, which has since been fixed, could have allowed an
attacker to use a Web-based scenario to change any Passport user’s password
to an arbitrary value. With the password reset, the attacker could get
complete access to the hacked account.

“Microsoft failed to thoroughly test Passport’s security architecture, and
this flaw — uncovered more than six months after Microsoft added the
vulnerable feature to the system — raises serious doubts about the
reliability of every Passport identity issued to date,” John Pescatore and
Avivah Litan, analysts for tech research firm Gartner,
wrote in a report in the wake of the flaw’s discovery.

The analysts said the breach was serious enough to cause many businesses to
stop using the Passport service “until at least November 2003.”

“It could theoretically have enabled unauthorized access to any of the more
than 200 million Passport accounts used to authenticate email, ecommerce
and other transactions,” the analysts said.

“Whether any attackers exploited this flaw before Microsoft patched the
problem is important to enterprises that depend on Passport identities, but
it doesn’t affect the actions they must take to limit the damage,” they
wrote. “As with any piece of software with serious security flaws, more
vulnerabilities will likely surface in Passport.”

That’s bad news for online retailers, especially when faced with
MasterCard’s findings that 73 percent of study participants agreed that
enhanced security features would influence their decision to purchase
online in the next three months, 70 percent were concerned with security
and fraud issues, and 61 percent were concerned that their credit card
numbers would be intercepted by hackers.

Even the Internet users that MasterCard identified as “confident core
users” — the 22 percent of study participants who showed the greatest
depth and breadth of Web usage and online buying among all segments, and
who conducted about 18 percent of their credit card spending online —
still had “moderate concerns about Internet security.”

“Cautious shoppers” and “mainstream users,” each of which clocked in at 22
percent of the study group, both had a “higher level of concern related to
credit card fraud on the Internet,” MasterCard said, though neither group
was quite as likely to spend online as confident core users. “Curious but
not convinced” users were 23 percent of participants, showing lower levels
of Internet purchasing and usage of online products and services with a
“high level” of concern for Internet security. The smallest group,
“technology skeptics,” were 11 percent of the participants and showed the
least experience and lowest levels of utilization across all areas. This
group, MasterCard said, had the highest concerns about Internet security,
privacy and technology in general.

“This segment-specific attitudinal analysis implies that key security and
privacy concerns inhibit online buying among consumers with even two to
four years of experience online,” Orfei said. “It also suggests that online
retailers and issuers could and should do more to ease consumer fears.”

The study, “MasterCard Internet Consumer Segmentation Research,” was
conducted by Hammill Associates in fourth quarter 2002. MasterCard said
1,024 Internet surveys were completed among a “nationally representative
sample of banked adults with Internet access.” Half of the participants
were male and the other half female. MasterCard said consumers were recruited
and screened over the phone and then sent to the Web to complete the
survey. All participants were between 18 and 69 years old, owned a
general-purpose payment card, had an email address for personal emails,
had been online for 30 days of personal use, and had a household income of
$15,000 or more.

Microsoft could not immediately be reached for comment.
