How secure is online trading

Many of us have used credit cards to buy goods on the internet. I have paid for books, software and courses online with my credit card because it has seemed easy and convenient. However, major doubts about security have been raised by what happened on the website of Powergen, the generator and supplier, in mid-July 2000.

John Chamberlain, an IT consultant and Powergen customer, visited the site and found insecure files with some 7000 names, addresses and credit card details, including his own, who had paid their bills online. He told the newsagency www.silicon.com, who broke the story on 19 July. Powergen promptly closed the site, advised customers to change their credit cards and offered them £50 in compensation. Was it too little, too late.

This threat to online payments had a prequel in an article in The Financial Times in early June. There was a startling warning from Dr Neil Barrett, one of the UK's leading computer crime experts, who has spent much of his life learning about, teaching about and working with computers.

A lecturer in computer science at York University at 23, Dr Barrett later joined Bull Information Systems, where he became only one of three fellows in a company of 22,000. He left Bull in 1999 to help set up Information Risk Management (IRM), where his present role is technical director. His reputation as a computer crime expert has come from lectures, papers, and two books on the subject. He has worked with many organisations including, police, customs, banks, the inland revenue, military defence, the NHS and National Criminal Intelligence Service.

The FT article said that Dr Barrett's experiences have left him feeling jaundiced about e-commerce. He told the FT: "I have taken out so many hacker's systems and seen so many credit card numbers on their computers - including my own credit card number - that I barely use the internet for e-commerce. Everyone should check their credit card statements and look out for unusual transactions."

Dr Barrett added "By using software which sits on your PC's hard drive, I can watch everything you do from anywhere on the internet. I can see exactly what you type, where you move the mouse and read any e-bank passwords. I can see when you write a cheque and then change it without you knowing anything about it. Until smart card technology [which is likely to act as an individual's PC passport] is used for e-banking, I wouldn't touch it."

That looked like a major threat to the idea of trust and security which have been the watchwords of safe trading on the internet. Does this software make a mockery of supposedly secure trading sites, being outside the control of the vendor?

To find out more I posted questions on a number of discussion boards under the heading: "Scary warning from expert about using your credit card online". There were some interesting replies, and the exercise was an interesting case study in the value (and also the shallowness) of online discussion boards. Here is a summary. of the debate

An early response came on the Product Developers discussion board at http://www.profitlines.com, where Steve Johnson pooh-poohed my concerns in no uncertain fashion. "...And a hundred years ago the Experts were telling us the world was too populated and we could never produce enough food to feed 2 billion people..." Johnson wrote.

"You have more likelyhood (sic) of losing your card number to a waiter at a restaurant than you do through a SSL or PGP transaction...Anything someone can invent, someone else can circumvent. I believe this guy has some legitimate concerns, but he certainly sounds like... a guy beating his own drum.

"Simply because he [Dr Barrett] states he can watch and modify, doesn't mean people are actually doing it. And even if they were, Don't you check your credit card statements anyway?"

At the end of his message Johnson gave some reassurance on secure online trading. "Use PGP encryption and you will have NO problems." There was more scepticism at the respected discussion board of Tony Blake, at:http://www.ablake.net/forum

"The only thing we have to fear is . . . was the headline to a response posted by Dennis Hessler: "Yes, there are concerns out there and, yes, it's good to be aware of them but sometimes I think we spend too much time with issues of hacking, stealing, cheating and the rest. Yes, these things happen but as someone who has been happily marketing for years on the Net and even B.I. (before Internet) I can tell you that these incidents are few and far between.

"I buy stuff from Amazon and other places all the time with my credit card. It has saved me hours and hours of time I would have wasted in traffic or searching in stores.."

On the same board, Dan Butler added: "Remember that security people like the one in this article make their living scaring people. Just like anti-virus companies. Does that mean there is nothing to worry about? Not at all. But it needs to be kept in perspective...

"My belief is that cards are no riskier on the net than off the net. I wrote a little article about a while back in our newsletter. Received lots of mail about it. Seems that the technical folks all said "thank you for a voice of reason" and the non-technical folks were still sceptical. Only one person claimed his card had been stolen online..."

Here's where you can find Butler's articles: "Credit Cards on the Net and You ". Go to: http://www.thenakedpc.com/articles/v03/02/0302-02.html)

Over at the Dog Byte Marketing Forum (http://www.homebusiness-websites.com/cgi-bin/index.cgi?) came a cheery message from Steve MacLellan: "I think this is a valid concern. There is software available to help combat this, though. If you are worried about all of this you might want to take a look at Zone Alarm. I was browsing some feedback about it at ZDNet and have heard others claim what a great product they think this is. Anthony Blake, among others swear by it. But check out the feedback at ZDnet. And check out your own security to see just how concerned you should be.

A useful tip was provided by Harmony Major at http://www.homebasedheaven.com "I recently read an article by Kate Schultz of EzineUniversity.com that had to do with just this kind of security hole, and how to protect your computer against it. There's a website that gives you step-by-step instructions on how to protect your PC, and it's a completely free site. It's at:http://www.shieldsup.com

Incidentally, I've looked at Shields Up and they have given my laptop a clean bill of health.

At Friends in Business (http://www.friendsinbusiness.com/board1), Willie Crawford, said: "The only part that I find scary is the part about being able to monitor your computer activity from your desktop. There are a lot of trojan programs out there that hackers can send to you in an email. These programs can search your hard drive, email your passwords and certain documents to hackers, and then allow the hacker to take control of your computer anytime it is connected to the internet. Many anti-virus programs will detect these trojans as they are being downloaded. Norton AntiVirus works great against many of these trojans for example."

On Taylor Trump's engaging board at, http://www.the-illuminati.com, Moderator Hilton Moore. wrote cryptically: "Anytime tools/technologies are created, both good and bad will be put to practice of those tools/technologies..."

And finally, here are the thoughts of two of old friends at http://www.tipsbooklets.com

First, Tipsbooklets' proprietor Paulette Ensign: "Yes, I am quite sure the technology exists and the motivation and skill on the part of some people exists to be able to hack into anything anyone wanted to get into. This part is fast becoming old news.

"Think about this, though. First, in the total population, how often do we actually hear of this kind of hacking happening to John and Jane Q. Public? I do not pose this question to sound naive as much as to attempt to put it into a useful perspective. If this kind of financial rape and pillage were happening on any kind of large scale at all, wouldn't that be publicised so we'd be hearing about it? I think it would. I think it's happening on a very limited basis and nipped pretty quickly when it does happen.

"Second, the technology, skill, and motivation have existed for people to break into our bank accounts long before e-commerce took center stage. Yes, some accounts of some people get tampered with. Is it on a grand scale, from country to country in the civilised world? I think not."

And Billi Perry advised everybody to "look both ways before crossing the street". She explained: "Generally I'm a very cautious person. I try to combine education, experience and instinct, and to avoid hysteria, naysayers and devil's advocates. I'm comfortable purchasing online - at secure sites. And I did considerable homework before I offered online credit card sales to my own customers.

"As adults, we're taught to make 'educated decisions' and then proceed with caution. So I've explored the pros and cons about plugging in my credit card numbers online, and also about accepting credit card payments from customers and clients. I've read the reports of numerous possibilities (the negatives about credit card purchases and sales are minuscule), then plugged in my own instincts and experiences.

"In four years, I have never personally had a problem with online sales or purchases. Nor have any of my small biz clients.I try to remind myself of several points:

• make educated decisions;
• avoid well documented high risks;
• avoid hysteria; --'80% of our fears never happen'."

The lesson for me is to read and enjoy discussion boards, but be sceptical. The participants also have a vested interest in the internet being OK, in just the same way as they accuse the scare-mongers. In fact, one UK internet expert expressed his confidence in using a credit card online, even after the Powergen experience. But he advised that credit cards were probably safer than debit cards. This was on the basis that the credit card companies would probably support you, whereas debits went quickly out of your bank account, and the banks were not renowned for restoring money which had already been debited.

It is simply a question of taking great care and only trading online with companies you know and trust. A good way of building your confidence is to visit a company's website, read their ezines and watch their discussion boards. But, who would have previously doubted that Powergen's website was secure?