A possible reason why many e-commerce sites do not use encryption?

If you have read my past articles, you may have noticed that I am a little annoyed by the low number of e-commerce sites using HTTPS encryption to protect their customers. While most do use encryption for payments, usually that is because they use the services of a payment processor, and because using encryption for the payment info submission pages is required by the credit card companies. As far as I can tell, very few e-commerce sites use encryption for displaying the shopping cart, collecting customer information about name and address, or the customer login, although I have an impression that larger e-commerce companies are better at this than smaller ones.

In the past few weeks I may have discovered a possible clue to why this is happening: Computer security and encryption does not appear to be a topic of concern at major E-commerce industry conventions.

I first noticed this when I became aware of a Norwegian e-commerce convention in February, E-Commerce Norway 2015. I quickly looked at its agenda and exhibitors list, and none of topics for the keynote speakers mentioned security, and the most security related exhibitor I found seemed to only market physical security for brick-and-mortar shops, which is not very e-commerce-related in my opinion. I was not able to find any mention of security consultancy companies or certificate authorities, not even any of the Norwegian ones.

This could just be a regional convention fluke, but my initial feeling was that such conventions will follow templates defined by larger international conventions; if a topic is covered by a major convention the smaller ones “have” to include it, and if it wasn’t covered, then it is not included by the smaller conventions.

I proceeded to check three major US e-commerce conventions, and based on the available information on their sites (information that did not require registration) none of them covered security in any broader fashion than the Norwegian convention, although one did have an empty exhibitor category for “Internet security”.

In Europe the situation was similar, at most including fraud as a topic (which essentially means protecting the e-commerce company against losses, not the customer), with the major difference being the Interop London 2015¬†convention (previously named “Internet World”), which is co-located with a “Black Hat Security Zone” and IFSec International¬†convention in the same venue.

Although such co-location is good, in my opinion it would be much better if the exhibits and programs were combined into a single event, or at least that each event include relevant exhibits and speakers from the other conferences, creating a possibility for a better exchange of ideas and information.

While InterOp London did improve the picture compared to how it looked initially, I still get the impression that the e-commerce conventions do not properly cover customer online transaction security and privacy, and I believe that this topic should be integrated into the conventions, and not be an add-on in a separate convention.

If my impression is correct, what caused the problem? My guess is that it could be due to a combination of several factors: Encryption is still considered very technical and for the specially interested, and is probably outside the area many web designers and backend implementors consider their area of responsibility, possibly leaving no-one considering security in smaller organizations. Those designers and developers are the ones who, along with managers, would likely go to e-commerce conventions and do presentations there. The resulting lack of security related program items and exhibitions might result in fewer security professionals attending those conventions. Add to this that security and security related conventions may have a “only hackers go there” reputation, discouraging the e-commerce developers from attending, and we might get a self-reinforcing loop creating significant distance between the e-commerce and security communities.

To fix this problem I would suggest that the CA Security Council, as well as individual Certificate Authorities and security consultants should start attending e-commerce conventions as both speakers and exhibitors.

5 thoughts on “A possible reason why many e-commerce sites do not use encryption?”

  1. … additionally some “voting with the wallet” aka: “Don’t buy there if it isn’t secured” awareness campaigns for the customers might help to convince the companies …

  2. Good idea but as long as the companies are selling product and have not had an e-commerce security/privacy breach I do not see the situation changing.
    It seems on an actual breach and lawsuits against the company(ies) by those affected may make a change, but only at that company. Others simply bury their heads in the sand saying “It will never happen to [i][b]us[/b][/i].”
    That is the primary reason I do not shop on-line. I will browse the retailers’ sites then go to the store and make my purchase. So I miss out on ‘Free Delivery’… I haven’t had my banking information stolen.
    I follow QuHno.

  3. Additionally the encrypted transport does not prevent the site from storing the data in an insecure way or against a hacked page, like seen with one of the latest breaches at e.g. park’n fly, where the company decided not to update the Joomla install “because it broke parts of the site” and promptly got cracked open.
    The transport encryption/certificate related stuff only shows that I am indeed connected with the site I want to be connected too, nothing more. In cases like the mentioned it even provides a false sense of security, because the connection might be encrypted, but the page itself has gigantic holes open for all kinds of miscreants, publicly known holes even.

    Just slapping some security on the outside (like: “We now use TLS and EV certificates, so everything is secure”) is not enough. It must be built in from ground up, meaning:
    You can’t use a simple CMS and just slap a shopping cart to it and believe that it is secure. The whole system needs a security audit.

    Companies need real security experts, not only administrators and I am saying that as working in the administrative area. While I educated myself in security related stuff (with strong support from the company), I still need real security experts because of their different mindset:
    I try to keep the systems up and running, but security experts try to break them (and should do so).

    Additionally there is a simple psychological factor:
    Everyone makes mistakes and it is very likely that you don’t see your own. It is always helpful to have someone who thinks different to find them. The art is not to make no mistakes, that is quite impossible for mere mortals, but to accept, even embrace advice and to make sure that you don’t make the same mistake again.

    (@Yngve: Yes, I know that this goes in a slightly different direction than your post, but it is strongly related.)

  4. slightly off topic…

    [quote]encrypted transport does not prevent the site from storing the data in an insecure way[/quote]

    This to me is the most abhorrent of mistakes. Why even bother having a secure login if you are going to store the raw data on a vulnerable server?
    Going back more than 15 years, the company I worked for had a chap come in with every new server install (and even some software upgrades/changes) to verify all network aspects and security in order for it to be used. Even in those days he commanded about $300/hr. A worthwhile expense for the security of the data we stored.

  5. I don’t think anything will change until companies stop assuming they are safe because they have not been hacked yet, or that it is somebody else problem to clean-up.
    Lower-ranks need to be brave enough to say to the people above them “Sorry that is not a genuine solution, we need a better idea”
    Too many managers and not enough geeks is also a problem.
    If Sony had more IT staff than managers, they would have had the man-power to protect the separate parts of the business in suitable ways.
    It tuned out that the 5 people in charge of the Sony security were 3 managers, and 2 people that actually do stuff, so no surprise those 2 workers made the system as easy and connected as possible.
    What is the betting they just hired a bunch of new managers again ?

Comments are closed.