Security Threat: Protecting Adult e-Commerce

Hackers, thieves, and frauds: They are the delinquents of the online adult market. Like electronic terrorists, they're a constant threat to online financial stability and user and company safety. Hackers attack adult sites to pilfer content for several reasons, ranging from free personal access to the resale of stolen porn material. A hacker's attack on a company translates to lost revenue. Even more damaging than the hacker is the thief. Thieves break into "protected" directories on a company's server to steal sensitive company information or customer data such as credit card numbers and billing addresses. A thief may violate a site's security for purposes as simple as stealing mailing lists. Used with company-sensitive information, creative SPAM attacks can be pinned on the company - which complicate customer relations and privacy assurances, end up in fines or system shutdowns, and eventually yield to increased expenses and lost revenue.

Hackers and thieves attack companies directly. Frauds, on the other hand, are the ones who use stolen or forged credit card information to purchase goods or access Websites. According to most credit card companies and merchant account providers, because there is no written signature for an online transaction, the vendor (a.k.a. the victim company) is responsible for eating the cost of the fraud's access. Again, lost revenue.

Recent studies show that as time goes on, the need for security services will increase. By 2006, the market for products and services for stopping unauthorized access is predicted to be worth as much as US $700 million. Additionally, it was determined this past January that the world's commerce lost $13.2 billion last year due to unauthorized users deploying malware ( Due to coveted content and already existing privacy issues with consumers, the online adult niche is a perfect playground for hackers and thieves as well as frauds.

Protect Yourself

A large company can (and probably should) make sure it has full-time employees who understand security. This is a costly method, of course. It requires a separate human resources budget for hiring and educating employees to be able to choose, install, and implement security systems. The same staff must also be able to configure and eventually scale and maintain the security system.

A smaller company may choose to outsource security selection and implementation by hiring a consulting group. Independent consulting outfits, such as SWI, Certaire Technical Services, or MAD Enterprises, charge around $3,000 per day, whereas some consulting firms may charge as much as $20k+ per day. It's a broad range. Usually the higher-cost consultants can charge more due to their connections with purchasing executives in major companies. While this is important for organizations such as enterprise software developers, adult business owners should do just fine with the lower-cost consulting groups.

Companies can also perform some in-house security assessments and follow proper vendor selection guidelines. Even organizations that can afford to hire or outsource technical decision-makers should do a preliminary security check and research the various security service providers to ensure that their technical staff is on the right track: Just this past May, Gartner Inc., a leading IT research firm, released a study indicating that more than half of all security attacks originate from within the victim organization.

Step-By-Step Security Analysis

Thankfully, a three-step security analysis can be performed by anyone willing to learn some basic security technology.

STEP 1: Audit the complete security infrastructure. Find out what security components and practices are currently in place. If there is a particular security service installed, who makes it - VeriSign, Entrust? These are some of the popular security system vendors.

STEP 2: Conduct a risk analysis. Based on the components discovered in STEP 1 and their abilities, determine any areas of security exposure and brainstorm what can be done to lower risk and protect sensitive and protected data.

STEP 3: Develop a security strategy. This step requires some technical background in security systems. For example, a Website may be using a CGI program to handle credit card processing and authentication, so it may be likely that transactions are done via a Secure Sockets Layer (SSL). Depending on the company's technical needs, this transaction method may not be desirable. SSL is a method designed by Netscape for securing commercial transfers by encrypting the communications link between the browser and the server. The information that the customer enters (such as a credit card number, a billing address, and/or an email address) is encrypted before it is sent to the server for processing. Therefore, if a third party intercepts any information, it cannot be read directly. A downside to using SSL is that it makes configuration on a single server complicated and can possibly conflict with other standard systems, causing glitches that may sometimes require users to log in several times before finally gaining access. If customer relations in a company with limited server numbers is an active part of operations, then there are other methods besides SSL that should be considered. There are also different encryption technologies for transmission data as well as stored information.

A firewall is an important consideration. Firewalls are designed to stop unauthorized access. "Application Gateway," "Circuit Level Gateway," "Packet Filter," and "Proxy Server" are all firewall techniques that can be used in conjunction with each other to help prevent user break-ins. Public Key Infrastructures (PKI) is another important consideration that attempts to scan a user's credentials to help prevent security violations.

Also, if an organization is to be secure, it needs to include some primary prevention in its system selection criteria. A few terms that a technical team will use to evaluate the future performance of a security system are:

Scalability: How easy will it be to implement advances in the system due to company growth or system upgrades?

Flexibility: If there's a problem, how easily can the system be modified?

Embeddability/Integration: How well does the security system perform with the installed components of other programs? Will it cause future malfunctions?

Ease of Maintenance: Does an expert need to be called in whenever there's a problem, or can most problems be solved in-house?

Selecting a Vendor

Once a company decides upon its security strategy, it's time to choose the appropriate purchases necessary for implementation. Selecting the right security system is usually not a simple decision. Each vendor has designed a product that almost certainly carries different strengths and weaknesses when compared to another vendor's product. The ideal security system depends on - and caters to - the dynamic and often changing needs of an individual company. It's always a good idea to gain competitive knowledge about each vendor and their products.

Vendors will prepare in-depth presentations that will demonstrate their products' integration abilities, and their ease of use and maintenance. The key to getting an informative presentation is to request a time where a question-and-answer session can be conducted, during which everyone involved with the selection decision can make inquiries regarding the company's personal security strategy. At times, the sales team's product hype can be overwhelming and distract from the issues, but a live Q&A session should help filter out the unneeded information, as does requesting a prototype to prove the product does what it's advertised to do. A knowledgeable security consultant can distinguish between features that are frills and features that are essential to accomplishing the company's security objective. For example, if an organization insisted that their security product be able to handle extreme company growth, then knowledgeable employees will accept a loss in extra features in exchange for high scalability.

A few important questions that vendors should be asked while they're on the spot are:

Who are your competitors, and why is your solution better than theirs for our particular security strategy? A vendor that knows its competition is most likely focusing on competitive advantage, and is aware of various customer needs. For example, Entrust should be able to clearly demonstrate why their product suits a particular company's security needs over Thawte's product, and vice-versa. Thawte is a VeriSign company.

What is your target market? How does your product specifically help security within adult e-commerce? Adult entertainment may not necessarily be the target market for these companies; many focus on financial organizations, the aerospace industry, communications industries, or manufacturing firms. A vendor that focuses on the general e-commerce market, but has no experience with adult sites, should be able to forecast the needs of the necessary security.

Does the product integrate well with the popular systems (IBM, Microsoft, Oracle)? If it can't, then this can be a HUGE problem. Find out what software the product does integrate with and if it will work with the applications that the business currently runs on.

What platforms is the product designed to run on? Most companies do business using Windows 95+, Windows NT, various types of OS, or Unix/Linux. It is crucial to know which operating system the product is optimized for.

What are the up-front and ongoing costs for maintenance? Maintenance and customer support costs should be stated clearly.

Is the product "out of the box" operational, or is there some configuration required? Configuration often requires the hiring of experts, which can increase the implementation costs. A security system with as little need of configuration as possible is usually preferable.

The most important question for the business owner to ask is How long will it take for this security strategy to pay for itself? Return on investment (ROI) is defined as the ratio of "profits earned from" to "dollars spent on" a given system. The predicted income from implementing the security strategy can be displayed as a percentage over the total invested cost of the project. ROI calculations are not decision-making tools, but more of a method to analyze the assumptions made in the security strategy. In some cases, organizations have demanded vendors to show proof of earnings and ROI for a given product. A safe guideline to adhere to is to choose a product that is predicted to pay for itself in two years or less.

Privacy Issues and Customer Loyalty

A recent study that my colleagues and I performed on consumer trust and online purchasing revealed that a sense of trust can significantly yield higher customer retention and increase users' intent to purchase (SWI Research). Thus, it's important to address customer privacy when considering the final solution. It may add to revenue.

A good privacy policy establishes consumer trust and confidence. A common method to increase a customer's sense of retail-faith is to publicly display a privacy policy on the front page of the site. The policy should declare that a security strategy is in effect, and that all data transmitted is secure and won't be used for delinquent purposes. A privacy policy should state how the information transmitted is being used. Statements like "The customer billing address is used only to verify credit card accuracy and to prevent fraud" should help ease a customer's trust and confidence issues. The policy should also boldly declare any top-notch security systems and rules that are in effect to further enhance customer loyalty and relations. The way the market is structured, the greater the amount of privacy a consumer chooses, the less features and benefits become available.

Privacy, and its characteristics, can be described to exist within different circles. In the outermost circle, visitors choose to be anonymous like during a "free tour" walk-through on a Website. They knowingly give up certain features and benefits that paying members receive in exchange for not having to reveal their credit card number and other personal information. As customers cross into the second circle, they agree to communicate necessary information. The online company agrees to never contact the client without prior permission, and to never divulge any customer information to outside organizations. Within the third circle, there is communication between both the customer and the retailer. The customer decides to give more information, such as an e-mail address and approval for mailing list subscriptions, in exchange for promotional discounts or additional features and benefits. Finally, the center circle is a full trust and confidence relationship between the customer and the retailer. In this circle, consumers ask for contact from the retailer so they can receive a more personalized service package or additional benefits.

It's important for a good privacy policy and security plan to take into consideration which circle the company's clients participate in and in which circles the company itself is willing to participate.

Technology Evaluation

When a user is authenticated through a user-identification and password method, the authentication process checks a directory for profile information. A good security system will have a directory server that accepts major standards such as directory access protocol or the popular X.500. The directory server stores profile data as well as encryption data for PKI, which uses encryption techniques to convert information and digital user-identification credentials so the data can only be decoded by the system that has the decryption "key." PKI products vary from vendor to vendor and tend to be quite expensive. The level of encryption definitely plays a role in the ranking and pricing of some security products. The sophistication of the encryption technique that the product uses is a substantial evaluation factor.

After all the planning, selection, and implementation of a security strategy, a company is ready for personal configuration of components. Security system infrastructures can sometime lead to diminishing performance of the overall site/system. Authentication and general security processing is taxing on the CPU and can degrade the performance of the machine. Unfortunately, this is yet another variable in achieving optimal safety. It was disclosed by that 58 percent of online customers identified quick download time as a key factor in determining whether they would return to a Website ( Too many security components may slow down processing, perhaps lose customers, or force spending on system growth. However, too little security can lessen customer loyalty, cause privacy violations, and also limit operating income.

It's truly a balancing act to protect today's e-business objectives. The security-suave company that will not only survive hackers, thieves, and frauds but also prosper is the one that can balance the trade-off of security function and risk reduction versus overall run-time performance.