Tag Archives: online commerce

The Slow Death of the iPod

Jupiter Research has come up with figures [BBC] suggesting that only 20% of the tracks found on an iPod will have been bought from iTunes. The conclusion: “Digital music purchasing has not yet fundamentally changed the way in which digital music customers buy music.”

Paul Thurrot reckons that for Apple things are the other way around to what was expected (where the iPod was the razor, iTunes was the blades they made their money off): Apple has to sell more hardware for its business to thrive. He also reckons that Apple has got to come up with something neat to keep the circus rolling: “As iPod moves from gotta-have-it fashion accessory to all-too-common electronics device, it will be interesting to see if Apple can keep the momentum going.”

There are plenty of folk heralding the doom of the iPod. The Observer last week: “Sales are declining at an unprecedented rate. Industry experts talk of a ‘backlash’ and of the iPod ‘wilting away before our eyes’. Most disastrously, Apple’s signature pocket device with white earphones may simply have become too common to be cool.” One of its main sources: Tomi Ahonen, author of Communities Dominate Brands. (Check out these two posts for more discussion of this.)

This kind of talk infuriates fans of the iPod, Apple and Jobs. A piece on Arstechnica’s Infinite Loop points out that given CDs have been around for 20 years, and iTunes for only three, the idea that there are more CD tracks on iPods than from the Apple store isn’t overly surprising. (The article and the comments below, however, convey some intriguing vitriol against iPod-doom merchants specifically, and technology journalists more generally.)

A lot of this, I suspect, is down to the differing experiences across the globe. U.S. cellphones have long been woeful, but online commerce cheap and highly efficient, so it’s not surprising the iPod/iTunes model would work well. Europe is a little trickier: great cellphones, but at least in the case of the UK, overpriced iTunes content is apparently driving users legally dubious music download sites like AllofMP3.com (which overtook Napster.com in traffic about a year ago, according to Alexa). Asia is a different kettle of fish: cheap, small, generic MP3 players are so ubiquitous here, as are cellphones, it’s a tough call. But most people are going to prefer one device to two, so as music on phones gets better and easier, expect to see music shift.

That said, Apple are now so much more visible in Asia because of the iPod and there’s no reason they can’t be a part of that although if the iPod becomes commoditized, it’s hard to imagine Apple keeping pace with the already commoditized cellphone. I guess the final point here is the shift from music as a product to a service: It makes a lot of sense to listen to music on your phone if your collection is somehow fed to you by your cellphone operator. Subscribe to songs and they are on your music phone when and where you need them, and the whole ripping/syncing thing is going to seem pretty antiquated. Think ringtones, a market 12 times the size of iTunes.

Banks, Phishing And A Dereliction Of Responsibility

Online commerce suffers from one major flaw: It’s online. That means we need to use computers (or computer-like devices, such as cellphones). It means we need to use the Internet. Together this is a lethal cocktail. And for online banking, it just may mean it is fatal.

Online banking, for example, is not like using an ATM. Or a credit card. Or a cheque. Or even cash. All these types of transaction are vulnerable to fraud but they are relatively easy to protect yourself against. If you lend your credit card, cheque book or ATM card to strangers then you are probably not taking the right precautions. For banks, deciding whether you as a customer have taken ‘reasonable precautions’ is quite an easy calculation to make, and they will make it in assessing whether or not they will compensate you for losses.

But what about phishing? Online fraud is — and will become — a lot more complex than offline fraud. Firstly, most folk don’t really know what’s going on in their computer, so how can they take reasonable precautions? I bet, for example, that if you ask most people to identify the icons in their system tray they won’t be able to get all of them. Secondly, if you use broadband, you are connected to the Internet most of the time. It’s a bit like hanging out overnight on a street corner in a bad part of town: You can’t reasonably assume that you won’t attract the attention of some bad guy at some point.

These are calculations of risk the individual should make when he or she conducts any kind of transaction online. But they are hard. We can look around for suspicious type when we stand at an ATM machine, or hand over a credit card to a store clerk, but online we have no really easy way to measure our security and safety. Online banking is not the same as undertaking other transactions.

Which is why I think banks are wrong if they try to pretend it is. The BBC quotes Britain’s payments association, the Association for Payment Clearing Services (APACS) as saying that in a few years’ time “compensation could be denied if people had safety information but ignored it”. Apacs director of corporate communications Sandra Quinn is quoted thus: “What we have always said is that we won’t forever provide a guarantee. A good parallel might be with something like card fraud – if you act reasonably, you are covered.” The bottom line: where a customer had “not acted with care and been negligent”, the BBC quotes her as saying, banks in three or four years’ time could begin refusing refunds.

I’m sorry, but I think this is daft and the wrong way around. Banks were very, very slow to get off the mark over phishing. If I was a customer and had been phished I would have sued the pants off my bank for not warning me about it. Banks have a duty to monitor their website, their name, in fact the whole Internet, to protect their customers. For example, one company I spoke to gave me a list of website names registered that appeared designed to impersonate legitimate banks — Citibank was a favourite, with hundreds of names that could be mistaken for a legit Citibank site. Most banks, he told me, weren’t interested in subscribing to this service. Why? Because they didn’t feel monitoring these names — and the accompanying websites — was worth their time or their money. If I was a customer I would be livid: If a scammer set up a fake bank in the high street to defraud customers, you would hope the bank in question would be on top of it within seconds, warning customers everywhere to watch out and doing its damndest to close the operation down. The Internet is now the high street and banks need to start patrolling it, not ignoring it.

Sadly, I think banks still don’t get it. They think phishing is a static problem that will recede as more people know about it. But that’s not it at all. Phishing is the thin end of a new wedge that will lead to increasingly sophisticated efforts to use technology and social engineering to part consumers with their data and money. The banks’ role is not to put a few silly little warning notices on their website and set up silly little websites nobody visits (like this one) but to throw serious resources at protecting their customers: by building secure sign-on systems, by monitoring the bad guys, by offering well-staffed and accessible customer support hotlines. Anything less is a dereliction of responsibility.

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase purchase products through secure sites. That’s encouraging — and not bad for business — but the following figures are: nearly half will not now provide confidential data over the Internet while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would ”hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there’s the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

Ho, Ho, Ho, Tis The Season Of The Online Scam

Phishing — the art of depriving folk of their sensitive password data and then using it to empty their pockets — has become the scam du jour of the holiday season. The Anti-Phishing.org website says it has seen ‘dramatic’ growth in November and December of email spoofing (emails claiming to be from, for example, your bank) and general fraud activity. (Anti-Phishing is an industry group founded by Tumbleweed Communications, a builder of anti-spam software.) For example:

— More than 60 unique new phishing email fraud attacks have been launched against consumers in the last 2 weeks
— Over 60 million email fraud attacks are estimated to have been sent out in the same period – timed for the peak of the holiday season
— eBay customers were the most highly targeted by scammers, with 24 unique email fraud attacks over the past 60 days
— Online financial institutions, including banks, Visa and PayPal, represented the largest target group with 35 unique email fraud attacks reported over the past 60 days

It seems that phishing has been remarkably rewarding for the scammers involved. The Anti-Phishing Working Group reckons an average of 5% of recipients respond to such emails, resulting in financial losses, identity theft, and other fraudulent activity. And, perhaps worse, this “activity threatens the integrity of companies that do business online”. (I’m assuming they’re talking about banks, eBay and other folk who rely on ordinary folk to maintain their faith in the security of online commerce.)

There are a number of ingenious scams that play on the holiday theme — which also highlight that it’s not just banks and big-ticket items that the phishers are targeting. One example is a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed email from the “AOL Hallmark” team, and is asked to visit a website to pick up his/her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used, anti-Phishing says, to launch further phishing attacks, virus attacks, spam, or other nefarious activity.

Clearly this sort of thing is going to grow, becoming more sophisticated as users wise up to the scams. Recent emails now play upon the growing awareness of scams by claiming to be from your bank, warning you about such scams and telling you to ignore other emails. They then, of course, go on to tell to visit the legitimate website to confirm your password. (The main component of this trick is that 90% of the email is genuine, in that the images are all from the bank’s website, and if you hover your mouse over the link you’re being asked to visit, it may well look genuine too. What you’re actually seeing, is a clever ruse: the real website is buried at the end of the link, hidden after a lot of empty space. So checking that sort of thing is no longer enough. It should go without saying that you shouldn’t react to any email that requires you to do anything with your password. For a good resource on such scams, check out Codefish.)

In the end all this will help educate users about the Internet and improving their own security. I don’t see it doing any serious damage to online commerce, at least in terms of undermining public confidence. I do believe, however, that we’ve seen only the tip of the iceberg in terms of the sophistication of scammers, and banks and other online institutions must improve their awareness of the threat, as well as protect and educate their customers.

Have a phishing-free Christmas.