http://www.cert.org/congressional_testimony/PA_ecommerce_hearing_sep99.html Electronic Commerce Doing business over the Internet is quick, easy, and inexpensive—compelling reasons for companies to turn to electronic commerce. As of April this year, an estimated 23 million shoppers are online in the United States. Last year, they spent more than $6 billion. An additional $15.6 billion was exchanged in business-to-business transactions. Those figures are expected to rise significantly every year for the foreseeable future, with much of the growth coming from the continued expansion of the Internet. An additional 13 million hosts connected to the Internet between January and July of this year, bringing the estimated total to 56.2 million. As for individual users, the number of adults online in the U.S. has nearly doubled since 1997 (31.3 million in Jan. 1997; 61.5 million in Jan. 1999). Cyber dialogue, a market research firm, reports that 63% of the online population are daily users. This group is behind 87% of all ad clicks, 90% of dollars spent online, and 95% of offline store and mail order sales that begin with online information gathering. With an e-commerce transaction comes an exchange of information that requires protection from exposure or tampering and the need to stay open for business—protection against network "downtime" and denial-of-service attacks. But the current state of Internet security is cause for concern. Vulnerabilities associated with the Internet put users at risk. Security measures that were appropriate for mainframe computers and small, well-defined networks inside an organization are not effective for the Internet, a complex, dynamic world of interconnected networks with no clear boundaries and no central control. Furthermore, security issues are not well understood and are rarely given high priority by software developers, vendors, network managers, or consumers. Evidence of the current security situation can be found in the results of several surveys. For example, of 500 organizations contacted for the 1999 CSI/FBI survey, 62% reported computer security breaches within the last year. Of those, 38% reported from 2 to 5 incidents, and 26% reported 10 or more incidents. Those reporting their Internet connection as a frequent point of attack rose for a third straight year, from 37% in1996 to 57% in 1999. Twenty-six percent reported theft of proprietary information (an increase of 8 percent over 1998). The cost of computer security breaches is rising, too. Financial losses regularly exceed $100 million a year. The top causes are loss of proprietary information ($42.5 million) and financial fraud ($39.7 million). The 1999 CSI/FBI Survey, which provided this information, also found that 96% of the 521 survey respondents have Web sites, and 30% of them provide e-commerce services. Of the Web and e-commerce sites, 20% had detected unauthorized access or misuse of the sites within the last 12 months. Even more worrisome is the fact that 33% answered that they didn’t know if their site had been compromised. A survey published by Information Security magazine (July 1999) found that companies conducting business online are 57% more likely to suffer leaks of proprietary information than companies that aren’t on the Web. And the rate at which intruders are breaching corporate networks has nearly doubled in the last year. Overall, companies suffered an average loss of $256,000 to security breaches last year. Of the 745 organizations surveyed, 91 quantified their financial losses for a total of $23.3 million. The White House Office of Science and Technology estimates an annual cost of $100 million for U.S. losses of proprietary information. The American Society for Information Science (ASIS) estimates that the losses may exceed $250 billion. Additional, costly damage can be done by changing price lists, discount rates, or interest rates. Untold costs in loss of business can occur when customers lose faith in a company’s ability to protect information such as credit card numbers, names, addresses, credit information, and the like. Just last month (August 1999) PC Magazine reported on the "real security hot buttons," commenting that "All of the recent online shopping studies confirm that privacy and security are the most important issues to consumers by far. You wouldn’t trust a bank that didn't lock its doors at night; why would you trust a Web site that was similarly open?" Here are just a few examples of security breaches that have been reported in the press. In addition to these examples, the CERT/CC handles reports of breaches at e-commerce sites daily. An attacker obtained 100,000 credit card numbers from the records of a dozen retailers selling their products through Web sites. He used a packet sniffer to capture the numbers as they traversed the Internet. The credit cards had limits between $2,000 and $25,000, putting the potential cost of theft at $1 billion. This type of intruder activity is one form "identity theft." The attacker was caught when he tried to sell the card numbers to an apparent organized-crime ring that turned out to be the FBI. Intruders gained unauthorized access to proprietary information on the computer network of a major U.S. corporation. The company was not able to identify the techniques used by the intruders to break through the firewall. The company shut down its Internet connection for 72 hours as a precaution, denying access to legitimate users and cutting customers off from information that the company normally makes available through the Internet. Hundreds and perhaps thousands of credit card numbers, home addresses, and phone numbers were exposed for months through a security hole on many small Internet auction sites. Records at several sites using older versions of the same auction software were exposed when administrators either did not secure their sites with keys or otherwise failed to use the software properly. The risk varied from site to site, ranging from data immediately accessible with a few mouse clicks to information obtainable through rudimentary hacking. The sites known to have used the software belong to small and medium-sized businesses, in some cases stores trying to capitalize on the e-commerce boom by running their own online auctions. Credit card numbers were not the only information available. One site, for example, also exposed the names, addresses, phone numbers, email, and passwords of more than 100 customers. The same type of information was available—although not as readily—on other sites as well. It is obvious from these examples and the ongoing activity of the CERT Coordination Center that there is much work to be done to secure our electronic networks adequately to meet the needs of the expanding e-commerce marketplace. © 1999 Carnegie Mellon University CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.