Xmas shopping sucks and costs business big bucks
By Davey Winder in Editorial
Posted in Blog, Internet, e-commerce on
With the holiday season fast approaching, many of us are starting to consider doing the Xmas shopping. For an ever increasing number of people that means avoiding the high street crowds and high street prices by heading online instead. Unfortunately, while the shopper is saving money the same cannot be said for the employer if that shopping is done on work time. A new set of surveys reveals that the average cost to business this Xmas could be as high as £2000 per worker!
ISACA serves some 86,000 IT security, assurance and governance professionals across 160 countries. It has revealed the results of three simultaneous surveys, two in the US and one in the UK, which looked at the latest trends in online shopping and workplace Internet safety.
Concentrating on the UK survey, we can see that 82 percent of people said their organisation either does not have or they are not aware of a policy that prohibits employees from shopping online. Whatever happened to the good old Acceptable Use Policy then?
Anyway, of those organisations that do allow online shopping at work, only 32 percent educate their employees about the risks involved. But the real blinder from this survey comes as it reveals that more than 40 percent of organisations thought that they stood to lose an average of at least £2000 in terms of productivity per employee as a direct result of online Xmas shopping during November and December. At least it is not as much as the cost of workers being sociable online I guess.
ISACA president, Lynn Lawton, comments “The challenge for organisations is not only to educate workers about information security, but also to change their behaviour.”
Amen to that!
Every little helps chip-and-pin thieves
By Davey Winder in Editorial
Posted in Data Protection, Blog, e-commerce on
Blimey, just as I was about to leave for the regular weekly family supermarket hike to Tesco I have to go and read this rather disturbing news story from someone whose opinion on matters ITsec related I value very highly indeed.
Graham Cluley first got wind of the fact that there might be something fishy going on at the supermarket checkout a couple of months back, following a number of reports from local newspaper journalists asking if he knew anything about credit card fraud at the supermarket. It seems that readers of local newspapers had been getting in touch to suggest particular supermarket branches had been involved in some kind of chip and pin fraud.
Now the story has exploded into the national newspapers, with The Telegraph reporting how hundreds of the chip and pin payment machines used in supermarkets across Europe have been tampered with to steal your credit card data.
OK, so there is nothing new in the old double swipe, or the false front card reader for ATM machines, or even the odd bit of WiFi phreakery to do this sort of thing. But this is different: this, the reports suggest, involves the terminals you use at the checkout actually having been tampered with before they shipped, and tampered with internally, so that there is no way of telling from an external examination that the device is compromised.
The head of the US National Counter Intelligence Executive warns that suspect devices have been shipped to Britain, Belgium, Denmark, Ireland, and the Netherlands. All with hidden hardware that can transmit card data via the mobile phone network to the criminal ring behind the scam based in Lahore, Pakistan.
Amongst the supermarkets said to have been affected in the UK are market leaders Tesco, Asda and Sainsbury’s. Graham Cluley says that supermarkets are now “weighing chip-and-pin devices to determine if they were compromised or not, as affected machines weighed three to four ounces heavier.”
Perhaps the most worrying of all is that this time the thieves have been clever. Patient and clever. They did not cash in on the stolen data immediately, as is the usual pattern of such things, but instead waited a couple of months to make tracking back the root of the data loss that much harder.
Cluley says that buying goods in a respected supermarket should be safe, however he does warn that “Retailers are going to have to do more in future to ensure the integrity of their payment devices is utterly without question, and to guard the supply of such devices from factory to supermarket checkout, or risk losing the confidence of their customers.”
It is also disturbing as it means that, although previous news reports have suggested that credit card crime has been driven overseas, the UK is actually still at risk.
How to spend £11.46 on absolutely nothing
By Davey Winder in Editorial
Posted in Blog, e-commerce on
I have written before about the problems of why ecommerce fails and the undeniable truth of the matter is that it usually comes down to treating customers like crap.
So here is a cautionary tale of how to spend £11.46 on absolutely nothing.
It all started when I purchased a Netbook. Yes, I know, I am a sucker for shiny new gadgets and the electric blue allure of an Acer Aspire One was just too much. Plus, it happened to be the perfect replacement for my elderly Sony sub-notebook from which I had managed to erase all the keyboard lettering over the years. I wanted something even smaller and lighter to drag around the world with me as I like to travel with one small bit of carry-on luggage when flying off for a day or two.
Which brings me on nicely to why I found myself searching online for a smaller power supply, one that would take up less room in my kit-bag than the relatively big thing that Acer supply and which consumes at least half as much space as the Netbook itself. What a daft idea, a tiny computer with a big PSU.
Anyway, a travel PSU is what I wanted, and preferably one that came with interchangeable plug heads for wherever I happened to end up on the planet. I found just the beast at Expansys. A shade under £30 including the all important Royal Mail Special Delivery option. All important as I needed it delivered the next day, but was not going to be around to take that delivery due to prior work commitments. I needed it the next day, as the next day was Friday and I flew off on the Monday. Most couriers would call, leave a not in card and then want to deliver it on the Monday while I was driving to Heathrow. The postman, on the other hand, would leave a card and I could just drive down to the depot on Saturday morning and collect it. Perfect.
Except that it wasn’t.
When I unwrapped my package and got over just how small and light this thing was compared to the original Acer PSU, and made a mental note to annoy the Acer PC people next time I bumped into one as a result, I thought I had better live up to my ‘be prepared’ geek reputation. So I made sure the thing worked before packing my bag and flying off.
It didn’t.
Work that is. No power coming into my Netbook at all from it in fact. It was an ex-PSU, it had ceased to be, etc.
Oh well, once I got back from my trip, heavy PSU and all, I went through the annoying process of completing a ‘RMA’ returns form, emailing that to Expansys and getting the official RMA Request form to include when I sent it back for a refund.
There was no point getting another PSU, the trip had been and gone, along with my confidence that I could trust this particular device.
Imagine my surprise, then, when the refund is made and I discover it is not for the full amount. Instead, Expansys has deducted the cost of delivery, plus VAT. Immediately I am £6.41 out of pocket through absolutely no fault of my own. Expansys had sold me a dud, and charged me £6.41 for the privilege. Wow, nice going chaps.
Add the cost of returning the item to them, which I also sent Special Delivery (£5.05) to ensure it arrived in one piece, signed for and within the time limit for faulty returns, and I am £11.46 out of pocket.
Yes, I have spent £11.46 for absolutely nothing at all, and I am not even a certificated idiot. I tend to do my research and tend to pride myself on not getting caught by the short and curlies by shyster outfits. Which makes it hurt more when I am caught in the same area by a company which I have always thought of as being highly reputable.
Of course, a quick email was rattled off to customer services, and the chap who originally emailed me to let me know the short-change credit note had been issued responded that he had passed my ‘request’ for a refund of postage costs on to the accounts department. A week later, and another email exchange of ‘I have passed your request on to the accounts department’ later and I am still £11.46 short with nothing but an increasing temper to show for it. Not even the name of the person in the accounts department who is dealing with my ‘request’ so I can talk to them, as I had asked for.
It isn’t really about the money, you know, even in these Credit Crunched times I can survive with a tenner less in my back pocket. It’s more to do with the injustice of being a mug punter, simply trying to buy something and instead getting a right royal shafting.
I suspect, and I haven’t bothered to look, that there is something buried on the Expansys site about customers having to pay delivery costs even if the item delivered is totally buggered. If that is the case, I would be hugely interested to know if this constitutes a ‘fair contract’ or is allowed under consumer law.
Meanwhile, I have learned my lesson and added another company to my ‘not with a bargepole’ blacklist…
Two years of compromised Linux security exposed
By Davey Winder in Editorial
Posted in Blog, Linux, Security, Internet, e-commerce on
A recently revealed vulnerability with Debian OpenSSL cryptographic libraries, covered in detail within the Debian Security Advisory DSA-1571-1, allows secure web sessions to be potentially decrypted by an attacker. In fact, the vulnerability impacts on Debian children distros as well, but that is almost by the by. What isn’t is the reasoning for the vulnerability to exist in the first place. Now you might be assuming that, like most of these things, a bit of unintentionally sloppy and insecure programming during development was to blame. While the words sloppy and insecure certainly still spring to mind, unintentional most certainly does not.
You see, according to an excellent piece of analysis at Dark Reading it appears that the programmer was “using Valgrind to debug applications in an effort to prevent security flaws. But two lines of code from the OpenSSL libraries caused Valgrind to complain, which prompted the programmer to take them out after an inquiry and short discussion on the OpenSSL development mailing list.” Amazing as it may seem, this simple act resulted in “two years’ worth of weakened cryptographic key creation (both SSH keys and SSL certificates) on Debian-based systems.”
In effect, the work-around meant that every single one of the 32,767 possible cryptographic keys could now be generated ahead of time, and that means a brute force attack becomes, pretty much, child’s play.
In his Dark Reading analysis, John Sawyer claims that this means “All communications that had been perceived as “secure” for the past two years — and into the unforeseeable future — could now be compromised if their encryption was based on the flawed keys and certificates.”
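Added example, not part of the original post and not Debian or OpenSSL code: a sketch of why a keyspace of 32,767 is auditable from the defender's side. It assumes a constructed toy generator (toy_keygen) whose only input is a small integer seed, enumerates every output once, and flags any key in a constructed inventory that falls inside that set. All function names and host names are hypothetical.

```python
import hashlib
import math
import secrets

# Figure taken from the article: the number of distinct keys that could
# be produced while the flaw was present.
KEYSPACE = 32767


def toy_keygen(seed: int) -> bytes:
    """Constructed stand-in for a key generator whose ONLY input is a small
    integer seed. This is not OpenSSL's algorithm; it only guarantees that
    the same seed always yields the same 32-byte 'key'."""
    return hashlib.sha256(b"constructed-toy-generator|%d" % seed).digest()


def fingerprint(key: bytes) -> str:
    """Hex SHA-256 fingerprint, so the blocklist never stores key material."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(keyspace: int = KEYSPACE) -> frozenset:
    """Enumerate every key the weak generator can emit and keep only the
    fingerprints. With so few seeds this finishes in well under a second."""
    return frozenset(fingerprint(toy_keygen(s)) for s in range(1, keyspace + 1))


def effective_bits(keyspace: int = KEYSPACE) -> float:
    """Real strength of a key drawn from `keyspace` possibilities, in bits,
    regardless of how long the key itself is."""
    return math.log2(keyspace)


def audit(inventory: dict, blocklist: frozenset) -> dict:
    """Map each key name to True if it must be regenerated (it is one of
    the predictable keys) or False if it is outside the weak set."""
    return {name: fingerprint(key) in blocklist
            for name, key in inventory.items()}


def sample_inventory() -> dict:
    """Constructed inventory: two keys made by the weak generator and one
    drawn from the operating system's CSPRNG."""
    return {
        "web01-tls": toy_keygen(4242),
        "bastion-ssh": toy_keygen(31999),
        "web02-tls": secrets.token_bytes(32),
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} predictable keys, "
          f"about {effective_bits():.1f} bits of real strength")
    for name, weak in audit(sample_inventory(), blocklist).items():
        print(f"{name:12s} {'REGENERATE' if weak else 'ok'}")
```

The same property that makes the keys guessable makes them detectable: every affected key can be found by comparing fingerprints against a list built once, and any key that matches has to be regenerated and its certificates reissued.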
Sure, the developers concerned were only trying to make something more secure, and there was certainly no malicious intent involved here. But the irony is that it proves Linux can be just as insecure as Windows in some regards, perhaps even more so. More so, why so? Well, the perception is that Linux is secure, period. Working from that basis, users are perhaps more inclined to think less about the security and privacy implications of their online sessions. In the case of Debian users that could have devastating implications.
And the moral of this tale? Be it Linux or Windows, the user should always treat security seriously and never expect the OS to be a virtual fortress…
Stupid web business: number 38 in a series of millions
By Davey Winder in Editorial
Posted in Blog, Internet, e-commerce on
Like many people, I book our family holidays online these days. With young kids, we tend to stay within the confines of the UK and opt for a holiday cottage rental. Now there are numerous sites offering the ability to search for and book such a holiday cottage, covering the UK and beyond. They work by taking a fee from the owner of the cottage for each successful booking. They also seem to suffer from what I like to call the Tottenham Court Road effect whereby it used to be the case that you could not play one shop off of another in TCR when buying electrical goods because most of them were owned by the same people. So it is with the holiday cottage rental industry, the numerous differently branded services seem to come back to just one or two companies in the end.
Anyway, to cut a long story short, we found our ideal little cottage snuggled deep in a forest in North Wales for the dates we needed and paid a deposit back in July 2007. Believe me, to get the good ones you do need to book that early! The balance of the rental is due tomorrow, although Cottages4You do not seem that keen on taking my money.
Being a good web warrior I attempted to pay online last night using the secure payment server, only to discover that the secure payment server did not want my money for a reason that wasn’t forthcoming. The error it returned was simply that it could not proceed with the transaction and I should try again or call the office and pay over the telephone. Well, what with it being after office hours I decided to try again. This time I got a different error, apparently the secure payment server was not actually working at the moment and would I mind awfully phoning the office. I gave it one more chance today, trying the elusive payments server again. Yep, you guessed it, call the office it said.
So I called the office, debit card in hand, ready to pay the rental balance which was fast approaching its due date deadline. Here’s a precis of the conversation:
Cottages4You - Hello how can I help?
Me - I’d like to pay my final rental balance please
Cottages4You - Do you have your booking reference?
Me - Yes, it is XXXXXXXXXX
Cottages4You - Have you just tried to pay on the Internet?
Me - Yes, it wouldn’t let me
Cottages4You - Sorry, when an Internet payment attempt fails it locks us out of accepting payments on your account for 20 minutes so you will have to call back later
Me - <flabbergasted silence before hanging up>
Can you bloody well believe it, in this era of web based transactions where immediacy and availability are often the only thing that differentiate one service from another, that a company can be so daft? Customers are encouraged by Cottages4You to pay via the secure server, and when it barfs through no fault of those customers they are then unable to pay over the telephone - despite the website telling them to do just that. It really does drive me mad; mad enough to probably not bother using this service for future rentals. I’ll try the old fashioned method and pick up a copy of Daltons Weekly in order to approach the landlords directly instead. I might even save some money, not to mention sanity, in the process…
APACS announces new fraud fighting unit
By Davey Winder in Editorial
Posted in Blog, Security, e-commerce on
The UK payments association, APACS, has announced the creation of the Payment Industry and Police Joint Intelligence Unit (PIPJIU) as part of a banking industry £5 million contribution to fighting fraud. It comes as the result of an amalgamation of the banking industry’s Fraud Intelligence Bureau (FIB) which previously distributed information between the banking industry and law enforcement throughout the UK, and the intelligence section of the Dedicated Cheque and Plastic Crime Unit (DCPCU). Launched in April 2002, the DCPCU has been responsible for more than £230 million in savings from reduced fraud activity and has recovered more than 244,000 counterfeit cards and card numbers. It has also secured 156 convictions and made almost 400 arrests on fraud-related matters.
PIPJIU itself is to be staffed by banking industry fraud specialists who will work alongside officers from the City of London and Metropolitan Police. Indeed, PIPJIU is to be managed by Detective Inspector Graham Goodwin and consists of 15 staff, including ten police officers and civilian staff from the City of London and Metropolitan Police and five seconded banking industry specialists.
That’s a lot of impressive sounding acronyms, but what does it all mean, what does it all add up to in the ongoing fight against banking fraud? APACS insist it will provide a more efficient approach to the collation and dissemination of fraud intelligence to police forces throughout the country, but more than this it will also have wider reaching responsibilities to address all types of banking fraud; not just cheque and plastic card fraud.
APACS has also announced the new Fraud Intelligence Sharing System (FISS) to go alongside the new unit, which will enable the banking industry to share information on all confirmed, attempted and suspected fraud in a central, shared database.
DCI John Folan, Head of the DCPCU, is rather excited by it all: “The combined investment by the banking industry in the DCPCU, the enhanced joint intelligence unit and the new data sharing system now totals almost £5 million per year. With this increased funding and a wider remit, our primary objective is to build on the already successful work undertaken by the banking industry and the DCPCU in combating fraud. We are confident that the merging of APACS’s Fraud Intelligence Bureau and the DCPCU’s intelligence unit will aid efficiency and help in the ongoing fight to combat all types of banking fraud.”
The new currency of online consumerism
By Davey Winder in Editorial
Posted in Blog, Internet, e-commerce on
According to Will Beresford, the strategy director at social web experts Beyond Analysis, 2008 could well be the year of social media for business. He predicts that the traditional models which consumers use to research products and services will not only start to change but will do so fundamentally, courtesy of social media. Think social networking sites, think user feedback and review sites, think consumers that are ready and willing to interact with each other in order to get the best deal. “Traditional search engines will become increasingly less relevant to the consumer and businesses will need to re-think their online strategies” Beresford insists.
Certainly it would appear that social media as a content creation genre will impact upon the way that search engines do business, thanks to the growth in the amount of data available. Beresford suggests that “search engine providers will look to introduce tiered services providing more accurate results to those willing to pay” which could mean tiered search services bundled into ISP packages as well as the more obvious provision of search services to the business sphere. Businesses looking to research consumers could also find themselves having to reappraise their strategies. “As more businesses realise the value inherent in their customer data and the strategic role it plays for the future, reliance on traditional qualitative research will fall into terminal decline” says Beresford. With customer data being enriched by that to be found on the social web, traditional research tools such as focus groups and questionnaires could find themselves in danger of extinction.
However, the greatest change looks like being firmly in that ‘how consumers make their purchasing decisions’ camp with feedback and influence from immediate social networks playing a much more important role than branding or advertising reach. Personal recommendations could become the new currency of consumerism online…
Why ecommerce fails
By Davey Winder in Editorial
Posted in Blog, e-commerce on
Reading that headline you are probably thinking something along the lines of what is he talking about, integrating back office services with front end functionality and wrapping it all up with an attractive public facing design is pretty straightforward these days. True. However, I was thinking about ecommerce from the sharp end of the usability stick, the part that has been poking me in my frustrated consumer eye this past week.
Despite my saying otherwise recently, I have been doing some online xmas shopping after all. I simply have not had the time during the week to escape into the high streets and shopping malls, nor the inclination to fight for a car parking space at the weekend. I am starting to think that the fight might be more pleasurable than some of the problems I have encountered with retailers that just do not get this new fangled Web thing.
Take, for example, the shop that was so desperate to impress new customers that along with the email confirmation of my purchase was news of an exciting discount offer because my business is important to them and I am an important customer. 10 percent off my next order, as long as I make it before the end of June 2007.
Or how about the shop which allows you to buy items that are showing as out of stock, but then leaves you in the dark about order progress. After a few days I noticed one of the items I had ordered was showing as in stock, however my customer account showed no outstanding orders. I used the web based contact system, and after 3 days got an email saying the order would be with me in mid-December for some odd reason. I replied to ask that they cancel the item as I had managed to source it elsewhere. That email bounced because, despite there being no ‘do not reply to this address’ warning the customer service department do not accept emails only web based contact or telephone. I overcame my phone phobia to ask them to cancel, and discovered that the reason I was being told mid-December was because that was when my other out of stock item was expected to arrive and they would send them together. A little information can go a long way, but only if you telephone them it seems.
Then there was the company whose ‘real time stock check’ apparently runs around 24 hours behind itself. I ordered an in-stock item, paid for it, got the confirmation within a few minutes only to get another the next day informing me the item is not in stock and will arrive as soon as possible, sometime in the next 14 days. Ding, no sale, refund please.
Not everyone gets it wrong though, and I do feel I should ‘big up’ the chaps at Japan Centre who despite my ticking the option of ‘if not available please cancel entire order’ had the good sense to email me instead. I had ordered a selection of cooking sake, because I am something of a food ponce, and one particular variety was not available in the size I had asked for. Instead of cancelling the entire order, Japan Centre asked if they could substitute this for the next size up (a third bigger) at the same price and with the same postage charge. Now that is what I call customer service, it’s just a shame not everyone understands that for ecommerce to be a truly enjoyable user experience it is not just the payment processes and shopping baskets that have to be transferred from real life retail - but the personal service as well…
Xmas shopping meltdown starts early this year
By Davey Winder in Editorial
Posted in e-commerce on
According to a new report from those masters of the digital metric, comScore, more than one third of online shoppers in the UK, France and Germany have already started doing their Xmas shopping. If they had surveyed one particular little Yorkshire village they would have found at least one shopper who has done the same: me. I have been doing pretty much all my seasonal shopping online for the best part of a decade now. It has nothing to do with me practising what I preach, although that was the reason that I upped sticks and moved from South London to South Yorkshire 12 years or so ago. I was writing books and magazine articles saying how wonderful the Internet was, and how it was going to change the way we work. Teleworking was still something that existed more in media column inches than reality at the time, but I was saying the Internet would change all that. And so it was I moved from city life to rural idyll, eventually training my clients, my editors, my publishers and assorted PR bunnies so that after a year or so I did not have to travel down to London once every week to meet them.
However, I digress, the reason I do my seasonal shopping online is simply because I am a man. Which means I am a lazy shopper. Women take note, men do not hate shopping, truth be told we bloody love it, what we hate is shopping when there are loads of other people around getting in the way. What we hate is having to sacrifice an entire day, which could be better spent in the pub, watching the telly or playing Halo 3, just in order to load up with pants, socks and yet another gadget we really don’t need and really won’t use. What’s more, at this time of year we hate it more than ever as those crowds get bigger and bigger.
But there’s the rub, as more and more people shop online perhaps the high street will become something of a gentleman’s haven. Somewhere we can go to shop in relative peace, happy to flirt with the attentive shop girls desperate for some human contact, and maybe even enjoy the experience.
We may even be forced into so doing, because last year my Xmas shopping experience was the worst it has ever been. The online crowds meant that much of what I wanted to buy was not in stock, and there were no guarantees that stock would arrive in time for the big day - or more to the point in time for me to wrap the buggers up and get them delivered on to my globally dispersed family and friends. Even worse than that, items that were in stock, that were guaranteed to be delivered in good time, did not materialise. Yes, I got my money back under the guarantee, but what use is that when a child is missing a present or a mother-in-law for that matter? A combination of some kind of online shopping critical mass fuelled by the uptake of broadband, coupled with a meltdown in delivery logistics (we all know who the guilty any-man-with-his-white-van courier companies are) conspired against the careful online shopper.
Perhaps that is why this year people are starting their shopping earlier than ever? That comScore survey reveals that, in the UK, 48% of respondents had already started Xmas shopping in October, and another 30% will have started by now. A meagre 4% will wait until a couple of weeks before Xmas to get started, while 5% will leave it right until the last minute.
Trouble is, as I have discovered already, this means that items are running out of stock even sooner. After last year am I prepared to risk all on the promise of the online retailers that an item will be back in stock in time for my required delivery schedules? Nope, I am not. I do not intend to be out at the last minute with all those sad blokes looking for gifts again this year. So I started my seasonal shopping early, and as far as online shopping is concerned I have now finished it as well. All the other gifts I buy this year are going to be purchased direct from the retailer, so I can pay my money and bring them home with me. It feels like a retrograde step, but you know what, this lazy shopper is actually looking forward to going out there and doing it…


