Online business: do you? (No spam)

[Faberge]

I have to admit that my business in the internet is actually quite limited. Only thing I seem to be ordering is school books. And the place where I have ordered those thus far hasn’t got a “secure” labelled anywhere. It maybe because there is no real use for the credit card number because you fill the required information and order the books. Bill will come with the desired books and all works nice and smoothly.

But if I really have to order something else, I won’t be typing my credit card number, I prefer C.O.D, cash on delivery.

[Daianara]

In the first place I wish I could order stuff on-line. But thanks to some geniouses from our lovely country, Romania got banned from this type of sites. Meaning they either don't accept your card or they have a policy of not shipping products here.
Second, I guess I would buy some things from the Internet but definetly not electronics. You can very easily get burned, getting something that doesn't work and you'll never see your money back since you've payed them in the account of somebody's dead granny.

[C Elegans]

I have only skimmed through the discussion regarding safety, but let me state that

1. In Sweden, credit card frauds and money frauds in general very rarely occurr due to online technical issues, but instead, due to the type of cash-point machine hidden camera registrations that Xandax mentions. When people fall victim to frauds online, it is because they naively buy into obvious traps such as buying something from an obscure private site, paying with their credit cards. Ie it's situation that can easily be avoided.

2. I buy everything I can online, which is mostly flying tickets. Occationally I make and pay for hotel reservations, books, CD:s...and I've never had any trouble. We also do all our banking on internet. The hubby has however had problems with people stealing his credit card numbers at several occations - none of which were online but most likely through credit card readers.

[fable]

What I fail to understand is how you belive that shops can "loose control of their addresses" to "identity thieves", and how this can be such a problem in the US?

Online shops whose databases can be accessed, and whose "public face" can be replaced by another that transfers input to other sites. This isn't new information I'm suggesting. Websites illegally accessed either for profit or sheer mayhem aren't new, and this happens even to some sites with a relatively strong amount of protection. It seems to depend in part on the strength of desire of those who wish to bring in.

You've fallen pray to sensationalism, fable.

Nah, it's my regular interview and working contacts with heads of corporations, biometrics and security firms, and business analysts. They're the ones who are spouting sensationalist, generalized comments about these problems; people like the former Chairman of the International Biometrics Industries Association, the head of the American Securities and Exchange Commission, etc. Real, anarchists, that lot. After the first dozen or so interviews you conduct, you begin to sense a certain consensus arising. Personally, I make no pretense to great knowledge on the subject, and maintain a skeptical frame of mind at all times. But too many people whom I deal with regularly and whose opinions I respect are mentioning these problems to write them off.

What do you consider to be frequent reports? Time permitting, I try to keep up with tech news, and because breaking in to a major website is big news (this alone should tell you something - would it really be reported if it was a common occurrence?), it stays in the headlines for several days which is enough for me to notice.

No, I'm not talking about tech news. I'm referring to people who keep their eyes on professional journals in the fields of business security and economic models, or people who actually deal on a daily basis with online biometrics.

I'm also going to snidely point out you're using all your buzz-words incorrectly.

As I'm not sure what you're referring to, I guess I'll just continue to live in a bliss of mindful ignorance. And wave my privates in your aunties' faces.

[Xandax]

Online shops whose databases can be accessed, and whose "public face" can be replaced by another that transfers input to other sites. This isn't new information I'm suggesting. Websites illegally accessed either for profit or sheer mayhem aren't new, and this happens even to some sites with a relatively strong amount of protection. It seems to depend in part on the strength of desire of those who wish to bring in.
<snip>

I can not recall once I've heard of a case like this.
Usually when evil-doers go "phising" it is via e-mails requesting peope to go to some obscure link to their controlled site to "verify" creditcard, not by defacing a webshop and hijacking traffic that way. I'd be very, personal as well as professiona,l interested if you have some online sources pointing to these issue as it is something I work with each day, and would like to know how it is "over there".

Nah, it's my regular interview and working contacts with heads of corporations, biometrics and security firms, and business analysts. They're the ones who are spouting sensationalist, generalized comments about these problems; people like the former Chairman of the International Biometrics Industries Association, the head of the American Securities and Exchange Commission, etc. Real, anarchists, that lot. After the first dozen or so interviews you conduct, you begin to sense a certain consensus arising. Personally, I make no pretense to great knowledge on the subject, and maintain a skeptical frame of mind at all times. But too many people whom I deal with regularly and whose opinions I respect are mentioning these problems to write them off.

All respect to your "sources", but I also do think they are trying to over-sentionalize the issue, as Vicsun hinted at. Why? - because they sound as the people in charge of organisations others turn to when they think everything is unsafe.
Or perhaps while they have the excutive aspect, they lack the real hands on technological aspect. And while they have access to the reports, perhaps lack the aspect to read them in their prober light.
I referer once more to the compareing of "planes vs. cars as transportation". When a car chrashes it is everyday news, when a plane does it is headlines around the world yet the total amount of people injured are actually vice versa. I certainly read it as you see it this way. When real life people get cheated, it is everyday - but when somebody does it online - it is "front page news" so to speak - hence the chance of over-sentionalize the incident.

And one thing is also to mention the problems and seeing the pitfalls - and another thing is having them happen in the same scope as you seem to indicate. Chances are they are conveying fears, but not reality ... the so called FUD (fear, uncertaincy, doubt).

Online payments is so big a part of peoples lives now - at least in Denmark, and I venture most of IT-Europe, that if there was such huge risks, I'd think simply a proof of concept would slow that down.
Some statistics:
In 2005, the average british Internet user purchased 12 items for a value of €1285, whereas the danish average internet user purchased 9 for a value of €1078, and downwards for other european countries.
eiaa

And in Denmark, the amount of transactions with our national credit card doubled from 2003 to 2005.
With total online transaction (in reference to buying from online retailers) reaching a value of over DKK 1 billion, but with total online sales (where payment is different then online credit card transactions, either wire, payment in cash/delivery etc) total about DKK 7 billion, also in 2005 - sorry, but I only have danish sources to this (currently).
And yet, I hear of very few cases where what you/your sources indicate actually happen.

I thus simply can not recognize the view you express, so unless the US is some sort of lawless country online (wild wild west) of the "western world" where it is the rule of the strongest with Jesse-James gangs ride around plundering at will, then I'll simply write it off as FUD. I work with this and try to keep up with the news, the technologies and pitfalls - and while I do occasionally hear of (large) companies having some of their data compromised, the amount of transactions with creditcard I have read/heard about being compromised - given the customer wasn't blatantly ignorant and did something stupid - are next to none, and smaller then real life abuse of cards as already explained (either stolen physical cards, compromised card details or reading of magnetic strips).

As I'm not sure what you're referring to, I guess I'll just continue to live in a bliss of mindful ignorance. And wave my privates in your aunties' faces.

Well, if I should venture a guess - I'd think it is amongst other your usage of "identity thieves".

[fable]

I can not recall once I've heard of a case like this.
Usually when evil-doers go "phising" it is via e-mails requesting peope to go to some obscure link to their controlled site to "verify" creditcard, not by defacing a webshop and hijacking traffic that way. I'd be very, personal as well as professiona,l interested if you have some online sources pointing to these issue as it is something I work with each day, and would like to know how it is "over there".

No offense, but you're joking, right? Even leaving the matter of professional journals out of this, there are regular reports and not just in the US (from what I can gather on the BBC) when data-grabbing worms infilitrate practically any important governmental or corporate site. A few months ago, for instance, it made the news when worm.mocbot.a spread rapidly across Shanghai businesses (and presumably elsewhere, but that wasn't covered ), grabbing financial and private data and stored passwords. Last year, the University of Georgia's website and computers were hacked, and personal data on thousands of employees was stolen and quickly used elsewhere--and this kind of thing happens regularly, according to my sources: back in 2003, the University of Washington's online site was hacked, to steal data from its medical school, only to find the email addresses soon popping up with an onslaught of spam, and many credit cards compromised. Hell, even as early as 2001 I remember a major report on the BBC examining the fact that credit card information had been stolen by a hacker from the World Economic Forum. I can provide another dozen examples if I had the time; probably several times that if I worked at it. So what? Neither of us is going to change their views based on these frequent examples.

...When real life people get cheated, it is everyday - but when somebody does it online - it is "front page news" so to speak - hence the chance of over-sentionalize the incident.

The point is that people get cheated all the time in real life, but most don't realize data theft happens sometimes but on a massive scale when it does, online. So it remains news, because most people aren't aware of it. I suspect your considerable knowledge of computer-related matters and your constant access to the community has made this seemed so obvious, that you are unaware how little of this knowledge is getting beyond its boundaries.

Online payments is so big a part of peoples lives now - at least in Denmark, and I venture most of IT-Europe, that if there was such huge risks, I'd think simply a proof of concept would slow that down.

Why? Did the dot.com bubble crash halt venture capital investment worldwide, online? By no means; MySpace is sucking it in like a virtual black hole. Online business transactions are so transparent (in most cases), so quick, that they aren't about to stop unless there truly *is* the kind of sensationalist media wave you accuse me of providing. In fact, you've got it backwards: big business is extremely keen to prevent such instances from hitting the mainstream media, or else tries to spin the facts. They don't want these kind of incidents to become linked in the minds of consumers with a perception of risk. So much of this becomes known usually after-the-fact, when a company announces that it stopped a hacker...and only in the fine print is it revealed that data on 150 clients was stolen. Or the incident is simply too large to hide, as when a worm takes down General Electric's website for a day.

I thus simply can not recognize the view you express, so unless the US is some sort of lawless country online (wild wild west) of the "western world" where it is the rule of the strongest with Jesse-James gangs ride around plundering at will, then I'll simply write it off as FUD. I work with this and try to keep up with the news, the technologies and pitfalls - and while I do occasionally hear of (large) companies having some of their data compromised, the amount of transactions with creditcard I have read/heard about being compromised - given the customer wasn't blatantly ignorant and did something stupid - are next to none, and smaller then real life abuse of cards as already explained (either stolen physical cards, compromised card details or reading of magnetic strips).

I don't think there's going to be any resolution to this. As you see it, my concerns are entirely "sensationalism" and online data-knapping practically never happens. As I see it, you live in an insular world of computer professionals who aren't aware of way business (and personal) websites are regularly hacked or infilitrated for data that can be exploited. There's no meeting of the minds, here. It's probably best that we stop before anger and hurt start, and you Danes invade the US mainland. I like the music and literature very well indeed, but I really am not interested in living under a regime that mandates the regular consumption of Danish food.

[LordAce]

I shop a lot online, but only on sites that are reputable and have been around a long time.