Even consumers with several years of experience online continue to cite security and privacy features as a key factor in the decision to spend online, according to a new study by MasterCard International, lending weight to recent analysis suggesting financial institutions and other enterprises stop using Microsoft’s .NET Passport service.
MasterCard’s U.S. consumer study found that assurance that personal information would be kept private, a guarantee that consumers would not receive unwanted emails as a result of purchases, and an extra layer of security for credit card transactions were “among the most important factors influencing the degree to which consumers would make purchases online.”
“Internet retailers should take a close look at this study as it indicates that extra security programs and assurances will motivate consumers to shop online,” said Steve Orfei, senior vice president and head of MasterCard International’s e-Commerce and e-B2B Center of Excellence.
Passport, a Microsoft service that is billed as a one-stop-shop for storing personal information for use in online activities like shopping and accessing content, is used as an authentication mechanism by many online retailers. Despite Microsoft’s extensive efforts to secure its code through the Trustworthy Computing Initiative (it spent more than $200 million and delayed several key products, including its Windows Server 2003 operating system, to conduct a line-by-line audit), the Passport service made headlines last week with the detection of a serious security hole that could have put the personal information of millions of Passport and Hotmail users at the mercy of attackers.
The vulnerability, which has since been fixed, could have allowed an attacker to use a Web-based scenario to change any Passport user’s password to an arbitrary value. With the password reset, the attacker could get complete access to the hacked account.
“Microsoft failed to thoroughly test Passport’s security architecture, and this flaw — uncovered more than six months after Microsoft added the vulnerable feature to the system — raises serious doubts about the reliability of every Passport identity issued to date,” John Pescatore and Avivah Litan, analysts for tech research firm Gartner, wrote in a report in the wake of the flaw’s discovery.
The analysts said the breach was serious enough to cause many businesses to stop using the Passport service “until at least November 2003.”
“It could theoretically have enabled unauthorized access to any of the more than 200 million Passport accounts used to authenticate email, ecommerce and other transactions,” the analysts said.
“Whether any attackers exploited this flaw before Microsoft patched the problem is important to enterprises that depend on Passport identities, but it doesn’t affect the actions they must take to limit the damage,” they wrote. “As with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport.”
That’s bad news to online retailers, especially when faced with MasterCard’s findings that 73 percent of study participants agreed that enhanced security features would influence their decision to purchase online in the next three months, 70 percent were concerned with security and fraud issues, and 61 percent were concerned that their credit card numbers would be intercepted by hackers.
Even among Internet users that MasterCard identified as “confident core users” — the 22 percent of study participants who showed the greatest depth and breadth of Web usage and online buying among all segments, and who conducted about 18 percent of their credit card spending online — still had “moderate concerns about Internet security.”
“Cautious shoppers” and “mainstream users,” each of which clocked in at 22 percent of the study group, both had a “higher level of concern related to credit card fraud on the Internet,” MasterCard said, though neither group was quite as likely to spend online as confident core users. “Curious but not convinced” users were 23 percent of participants, showing lower levels of Internet purchasing and usage of online products and services with a “high level” of concern for Internet security. The smallest group, “technology skeptics,” were 11 percent of the participants and showed the least experience and lowest levels of utilization across all areas. This group, MasterCard said, had the highest concerns about Internet security, privacy and technology in general.
“This segment-specific attitudinal analysis implies that key security and privacy concerns inhibit online buying among consumers with even two to four years of experience online,” Orfei said. “It also suggests that online retailers and issuers could and should do more to ease consumer fears.”
The study, “MasterCard Internet Consumer Segmentation Research,” was conducted by Hammill Associates in fourth quarter 2002. MasterCard said 1,024 Internet surveys were completed among a “nationally representative sample of banked adults with Internet access.” Half of the participants were male and the other female. MasterCard said consumers were recruited and screened over the phone and then sent to the Web to complete the survey. All participants were between 18 and 69 years old, owned a general-purpose payment card, have an email address for personal emails, had been online for 30 days of personal use, and had a household income of $15,000 or more.
Microsoft could not immediately be reached for comment.