Black Friday online shopping was a big hit this holiday season as e-commerce consumers reportedly spent a record $9.12 billion the Friday after Thanksgiving — which traditionally marks the beginning of the make-or-break period for retailers. But the convenience offered by online shopping can also offer an opening for cybercriminals who seek to rip off consumers, lining their own pockets while leaving retailers looking like the villain. Merchants, however, can work with their cybersecurity solutions provider to boost their e-commerce security.
It starts with the trust that retailers and consumers place in an SSL (Secure Sockets Layer, or more formally, Secure Sockets Layer/Transport Layer Security, SSL/TLS) certificate. This digital marker – usually represented by a padlock icon next to the URL or website in the address bar – is supposed to authenticate a website’s identity and verify that an encrypted link is established between the web server and the consumer’s web browser. Encryption aims to protect sensitive credit card and other payment information and has been a vital part of the acceptance and growth of e-commerce.
But here is a dirty secret about SSL technology: there has been no meaningful improvement to the system in the last decade, even though the computer firepower available to hackers doubles every six months, according to Moore’s Law. This means merchants have been forced to use outdated digital “fences and moats” while hackers are penetrating their defenses with increasingly sophisticated, powerful tools.
The organization that sets voluntary standards for SSL certificates, the CA/Browser Forum, has recognized the threat, and in a bid to keep up with cybercriminals has periodically reduced the lifetime validity of SSL certificates – cutting the time that hackers have to try to break SSL protections – from the original eight-year lifespan to a two-year period in 2018, with a further reduction to about 13 months (398 days) in 2021. But the widespread adoption of cellphone shopping (half of e-commerce holiday sales are estimated to come from mobile devices, which tend to be easier targets) combined with rapidly increasing computer power (remember Moore’s Law), means that the one-year window for SSL certificates may need to be reduced even further.
The challenge for merchants now, however, is threefold: they often suffer reputational damage and lose future sales if a consumer gets scammed, since customers do not care about the technical detail behind the hack; merchants may suffer economic damage from the canceled sale; and finally, there is a growing fear that continuing e-commerce crime could curtail consumer demand for online shopping in general. But merchants do not have to stand by idly as their customer base gets hacked — and, importantly, a robust security solution will not add time or complexity to the consumers’ online shopping experience.
Cloud security service providers that are at the top of their game can offer certificate generators that can automatically replace SSL certificates as often as every week, immediately reducing the amount of time available for cybercriminals to attempt a workaround. These solutions, which are often available at a competitive price point, can put a merchant ahead of the cybercrime curve while enhancing their reputation as a safe shopping spot. This kind of safety designation is becoming more valuable, especially as savvy consumers are increasingly running their own security tools, like SSL tests that quickly do a deep analysis of the configuration of shopping site web servers and score them on how much protection they offer. As these and other security checkup tools spread, shoppers will be more likely to use them and shun low-scoring e-commerce sites.
A merchant’s reputation is priceless — and in the long run, it costs a lot less to proactively take steps to boost consumers’ safety and shopping confidence, instead of attempting to rebuild it after they’ve been victimized.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.