/v3-uk/analysis/1990507/the-ecommerce-threat-real-imagined
08 Aug 2000, Guy Matthews, V3
It is less than a month since Department of Trade and Industry minister Patricia Hewitt formally launched TrustUK, a government-backed scheme for accrediting commercial websites in an attempt to encourage cautious UK consumers to buy online.
But the move comes as sceptics and stay-at-homes who have so far shunned such siren calls are starting to look increasingly vindicated. To judge by a host of recent high-profile bloopers, corporate UK is a long way from living up to the government's claim that this country is the beating heart of Europe's ecommerce revolution.
On the contrary, we are in danger of cementing something of a reputation as the continent's hapless, accident-prone e-incompetents.
Undermining confidence
Barclays is the latest household name to fall foul of the trend for spectacular own goals. A week ago last Saturday, engineers upgraded some of the software behind its online banking operation, which, with some 1.25 million customers, is one of the biggest web-based financial services operations in Europe.
But problems emerged last Monday when four customers reported that they had seen the account details of other customers when simply logging on to view their own accounts. The bank immediately suspended the online service, although it reopened for business a few hours later using the older version of the software.
The error might have gone unnoticed had not two of the four customers in question chosen to notify the bank and, more importantly, the BBC.
In an attempt to mitigate the media flaying that followed, the bank's PR machine quickly assured anyone who would listen that it would not have been possible to carry out transactions using the exposed account details. An investigation to determine the root cause of the problem has also been promised.
But an even dafter and, in some ways, darker example of a commercial ecommerce cock-up involved Powergen. A customer contacted the company to say that by the simplest of keystrokes, anyone could access other customers' financial details on its website. These included credit card numbers with their expiry dates, customers' addresses, phone numbers and email details, and the amount and date of their last transaction.
In the immediate aftermath, the media pointed out that a small child would be capable of perpetrating fraud with this kind of information on tap.
But Powergen managed to spice the story still further by refusing to notify affected customers until the whistle-blowing customer said he was thinking of approaching the Data Protection Commissioner. The company first denied there had been any kind of problem, then relented and accused the customer of deliberately hacking into the system.
Both the Barclays and Powergen cases are notable for reasons other than the ludicrous ease with which confidential data was made available to all comers, however.
It was pure luck that both incidents were exposed by well-meaning and honest parties and not more malicious forces. It's the equivalent of dropping £500 in cash on the concourse of Victoria Station on Saturday night and it being picked up and handed in by a vicar.
And in both cases, the threat of bad PR clearly rang far louder alarm bells with the parties involved than did any risk of having compromised their customers' private information.
So what's the problem here? Is technology simply not capable of keeping sensitive information in the right hands? And is the principle of internet banking and online payment therefore fundamentally flawed? If this is the case, rather than trying to encourage us to shop online, would the government's time not be better spent knocking various corporate heads together in our defence?
Don't blame the technology, says Greg Jones of specialist ecommerce security consultancy IRM. "The problem is not the principle of online banking or systems per se. The problem is implementation. If something important is done with a lack of relevant skills, in a rush and with minimum testing, then this kind of thing can happen in any area of business," he said.
The pressure to get online with some sort of service, rather than wait until full testing is complete, is too great for many organisations, he added, saying it is this, in combination with short-term values, that is at the core of the problem.
"If you are faced with the cost of having 10 people spend five weeks to run through security issues, then it becomes tempting to cut corners, particularly as there is every chance that that work will end up having had no tangible result," he said.
This is not, he believes, purely a UK disease, however. "Web security problems can happen anywhere. But ecommerce generally is not trying to attain the unattainable. Businesses can get this right," he said.
The bigger story
But there is perhaps an even wider issue involved here: that of allowing technology to infiltrate our lives to the point where we are beholden to it. Human error is nothing new, but technology can multiply its effects to a potentially catastrophic extent.
Clive Longbottom, an analyst with Strategy Partners, fears that there may be some basis for this concern. "If you go back 30 or 40 years, the worst that could happen is that your bank could send your statement to your neighbour by mistake, who might take a look at it and then pop it through your door," he said.
"Then in the 1970s, you could go through rubbish bins and find mainframe green line printouts with people's details on them. Now, if you are a bit of a net head, you can go online and get data on maybe 250,000 people," he added.
Longbottom feels that while the press might occasionally give web security stories a bit more attention than they deserve, holders of customer databases need to heed the warning.
"Companies have got to stop paying more than lip service to security. For example, an obvious precaution would be to have the customer details on a server behind the website, not as part of the site. The only thing you should be able to see on a site [is] corporate marketing info and catalogues," he said.
But while these simple precautions are apparently being ignored, it's hard to look a Luddite in the face and assure them that web commerce is as safe as houses. After all, there's nothing worse than someone saying "I told you so."