Policing in cyberspace

It might look easy, but online sales bring with them a range of risks and responsiblities. Here’s how to keep on the right side of the law – and avoid the online shoplifters, writes Robert Schifreen


Setting up an online shop is simple, quick and cheap. It’s easy to appreciate why so many companies do it and why many traditional retail premises lie empty, displaying nothing more than a few fading posters from when the circus last came to town.

Companies such as Actinic will sell you everything you need to install on your server in order to create your e-store. There are even some free offerings, such as osCommerce (open source commerce). Most products will automatically link up with PayPal, Google Checkout or your own bank’s system, making it simple to accept customers’ payments.

But selling goods or services online brings with it certain legal, moral and regulatory obligations. The Data Protection Act (DPA) is probably what springs to mind first, especially its rules about storing confidential customer information safely and securely. But as Danvers Baillieu, an IT lawyer at Pinsent Masons points out, there’s more to the DPA than that. “It is imperative that the correct consents are collected from customers when they sign up, in particular to ensure that data can be transferred as part of a sale,” he says.

In the business world, online threats are aimed at maximising damage or gathering swathes of highly sensitive data

“Other rules cover marketing to customers and it is important to respect opt-out requests.” Online stores are also required to adhere to the Payment Card Industry Data Security Standard or PCI DSS. Formal validation and verification is not mandatory, but is recommended. “Although choosing non-compliance may alleviate stress in the short term,” says Mark Stephens, head of business development at hosting company NetBenefit, “there’s a very real risk that the decision will come back and bite you.” Statistics bear this out. A study by Verizon found that companies which suffer a data breach are 50 per cent less likely to be fully compliant than would otherwise be expected.

“In the business world,” says Ron Perris, chief technology officer at security specialist Outpost24, “online threats are substantially more dangerous, and are aimed at maximising damage or gathering swathes of highly sensitive data.” If you store any customer information online it is vital that everything is encrypted in order that, should hackers gain access, they cannot read the information. As Sony discovered when hackers used SQL (data programming language) injection attacks to steal 100 million passwords from its websites, a failure to encrypt can be catastrophic.

Injection attacks are the most common method used by hackers to steal information from online databases. SQL is a database technology, and in essence a weakness arises if the web site accepts input from the site’s user without first checking it for malicious words and phrases. For example, you type “toaster” into a search box and the website passes that word straight to a database search which says “bring me all the product descriptions which contain the word toaster.” So far so good. Now imagine what happens when you replace the single search term with the phrase “toaster; then email me a copy of the database”. Without the necessary checks in place, the database system blindly obeys both of those commands.

Encryption doesn’t stop at databases. “It’s in the interest of businesses to help users have as secure and safe an online experience as possible”, says Mark Reeves, senior vice president at Entrust. This means implementing SSL, or secure sockets layer, so that users’ passwords and card numbers are encrypted during transmission. This also automatically displays the padlock symbol in users’ web browsers, which helps to reassure them that your site can be trusted.

FAKING IT ONLINE

Selling things online is very simple, which is precisely why it’s proving such a problem for the law enforcement industry and for unsuspecting shoppers. The Metropolitan Police’s Central E-Crime Unit recently announced that it had successfully managed to close down a total of 2,200 online stores, mostly for selling fake goods or failing to deliver anything at all.

“Most of them were based in Asia, despite having co.uk names,” said a Scotland Yard spokesperson. Registering a domain name that does not correspond to your own country is surprisingly simple. Few international registration organisations require residency or even a local contact address. If you run a small caravan site (a certificated location or CL) in Sussex and you like the idea of a web site that ends with “.cl”, registering the relevant Chilean domain name takes five minutes and costs just £25 a year.