
Journal of Education for Business

ISSN: 0883-2323 (Print) 1940-3356 (Online) Journal homepage: http://www.tandfonline.com/loi/vjeb20

Retail E-Commerce Security Status Among Fortune 500 Corporations
Jensen J. Zhao & Sherry Y. Zhao
To cite this article: Jensen J. Zhao & Sherry Y. Zhao (2012) Retail E-Commerce Security Status Among Fortune 500 Corporations, Journal of Education for Business, 87:3, 136-144, DOI: 10.1080/08832323.2011.582191
To link to this article: http://dx.doi.org/10.1080/08832323.2011.582191

Published online: 01 Feb 2012.

Download by: [Universitas Maritim Raja Ali Haji]

Date: 11 January 2016, At: 21:59

JOURNAL OF EDUCATION FOR BUSINESS, 87: 136–144, 2012
Copyright © Taylor & Francis Group, LLC
ISSN: 0883-2323 print / 1940-3356 online
DOI: 10.1080/08832323.2011.582191

Retail E-Commerce Security Status Among
Fortune 500 Corporations
Jensen J. Zhao
Ball State University, Muncie, Indiana, USA

Sherry Y. Zhao
Massachusetts Institute of Technology, Cambridge, Massachusetts, USA


The authors assessed the Fortune 500 corporations’ retail e-commerce security to identify their strengths and weaknesses for improvement. They used online content analysis, information security auditing, and network security mapping for data collection and analysis. The findings indicate that most sites posted security policies; however, only one third stated what security measures were in action. Second, all of the sites secured My Account login with Secure Sockets Layer encryption, but only 16% limited login access to 3 attempts. Third, although the sites had most of their Internet ports filtered or behind firewalls, nearly one third of the sites’ computer operating systems were detected from the few open ports.
Keywords: computer network systems, port 80/tcp, port 443/tcp, retail e-commerce, security

The U.S. Census Bureau (2009) reported that e-commerce
activities in the United States were growing faster than total economic activities. Over the past years, the e-commerce
share was on a continuous rise in the following major economic sectors: manufacturing industries, merchant wholesalers, retailers, and service industries. In the second quarter
of 2010 the U.S. e-commerce estimate increased 14% from
the second quarter of 2009, while total retail sales increased
7.5% in the same period (U.S. Census Bureau, 2010).
Although e-commerce has become popular, Internet privacy violations and cyber attacks on e-commerce systems are also on the rise. Privacy violations, such as failing to protect sensitive customer and employee data, have put these individuals at high risk of becoming victims of personal-identity and credit-card theft (e.g., Farrell, Sheer, & Garrison, 2009; Lordan & Crawford, 2009). Cyber attacks have impaired or even completely shut down e-commerce activities through damage such as website defacement, denial of service, price manipulation, financial fraud, or data breach (e.g., Greene, 2008; Hovanesian, 2008; Mookhey, 2004).

Correspondence should be addressed to Jensen J. Zhao, Ball State University, Miller College of Business, Department of Information Systems &
Operations Management, 2000 W. University Avenue, Muncie, IN 47306,
USA. E-mail: jzhao@bsu.edu

Several federal laws are in effect to protect information
privacy and security in the United States. The U.S. Federal
Trade Commission (FTC) has been educating businesses
and consumers about the importance of personal information
privacy and security. Under the Federal Trade Commission Act (FTCA; 2006), the commission guards against
unfair competition and deceptive practices by enforcing
companies’ privacy policies about how they collect, use,
and secure consumers’ personal information. The U.S.
Safe Web Act (2006), which is incorporated in the FTCA,
enables the commission to cooperate with foreign law
enforcement authorities in dealing with international fraudulent spam, spyware, misleading advertising, privacy and
security breaches, and other consumer protections through
confidential information sharing, investigative assistance,
and enhanced staff exchanges (Federal Trade Act of 2006).
Even though the laws clearly mandate privacy protection, some companies have neglected the laws and failed to protect consumers’ sensitive information, while hackers have violated the laws and broken through companies’ cyber defenses. For instance, the FTC charged CVS Caremark with violating federal law by failing to take appropriate security measures to protect the sensitive financial and medical information of its customers and employees. CVS Caremark agreed to settle the FTC charges and to establish, implement, and maintain a comprehensive information security program for protecting the security, confidentiality, and integrity of the personal information it collects from consumers and employees (Farrell et al., 2009).

In July 2005, TJX Corporation experienced a massive intrusion into its computer network systems, resulting in the
largest systems and data security breach in history. As a January 2007 report of Computer World revealed, at the time TJX
disclosed the scope of its security breach, more than three
dozen banks in Massachusetts reported that credit cards they
issued had been compromised (Vijayan, 2007). According to
documents filed with the federal court in Boston, this TJX
security breach affected millions of consumers’ private information, including about 29 million MasterCard victims
and 65 million Visa victims (Schuman, 2007).
A 2006 survey of 214 bank websites (Hovanesian, 2008)
reported that 75% of the sites were vulnerable to hacking,
with two big worrisome trends: a) login boxes were placed on
unencrypted web (http) pages on a bank’s domain and b) the
use of third-party services transferred customers to insecure
outside pages.
Symantec’s Global Internet Security Threat Report (Fossi
et al., 2009) revealed that 90% of all Internet security threats
detected by Symantec during 2008 attempted to steal confidential information. Threats with a keystroke-logging capability, which can be used to steal information such as online bank account credentials, made up 76% of threats to confidential information, up from 72% in 2007. As the report pointed out, in 2008 the average cost per incident of a data breach in the United States was $6.7 million, a 5% increase from 2007.
According to a cyber security report by NetWitness
(Gorman, 2010), from late 2008 to early 2010, hackers gained
access to a wide array of data at 2,411 companies, from accessing corporate servers that process credit-card transactions to servers that store large quantities of business data,
such as intellectual property files, contracts, and even upcoming versions of software products. Because the Internet
is now the primary conduit for hacker attacks, it appears necessary to assess how secure the e-commerce sites are to block
cyber intrusions and attacks.

Purpose of the Study and Research Questions
The purpose of the present study was to assess the security
status of the retail e-commerce sites among the Fortune 500
U.S. corporations because these corporations are the leaders in their respective industries. In the present study we
addressed four research questions:
Research Question 1: What privacy and security measures are stated in policies on Fortune 500 corporations’ e-commerce sites?
Research Question 2: How do Fortune 500 corporations’ e-commerce sites protect customer and employee information?
Research Question 3: How secure are the computer network systems of Fortune 500 corporations’ e-commerce sites?
Research Question 4: Are there any significant differences among industry groups of the Fortune 500 corporations’ e-commerce sites?
The findings of the study would benefit the participating companies in the continuous improvement of their e-commerce security. In addition, the findings would enable students specializing in Internet security or e-commerce to identify opportunities for internships or jobs at the Fortune 500 retail e-commerce sites that need to strengthen or maintain their Internet security.

METHOD
Three main types of security diagnoses for assessing network security are the security audit, the vulnerability assessment, and the penetration test. A security audit measures an information network system’s performance against a list of criteria, such as laws and regulations, by analyzing web content and performance. A vulnerability assessment seeks security weaknesses of a network system exposed to hacker threats by using network mapping software. A penetration test is a covert operation permitted by the network owner. In the test, a security expert tries a number of attacks to ascertain whether a system could withstand the same types of attacks from a malicious hacker (Ciampa, 2009; Winkler, 2004).
To assess the security status of the Fortune 500 e-commerce sites, we delimited the research scope by using information security audit and vulnerability assessment to address the research questions. Whereas the information security audit collected data for web content analysis and security audit to address Research Questions 1 and 2, the vulnerability assessment used network security mapping to answer Research Question 3.
The web content analysis is commonly used in assessing
organizations’ web content, deliveries, and strategies (Boggs
& Walters, 2006; Wilkinson & Cappel, 2005; Zhao & Zhao,
2004). This method was used to systematically and objectively identify and record the privacy and security policies available at the e-commerce sites and then to analyze what privacy and security measures were stated as being implemented. Specifically, two research assistants were trained to use an instrument (see Appendix A) to collect data for the web content analysis. To assure the validity and reliability of the data, the research assistants followed the data collection procedure in the following way: Each week, the two assistants were assigned the same five sites. From the same sites they collected data independently, and then they compared their collected data and reached an agreement if there was any difference between them. When the research assistants encountered any difficulty and could not come to a team solution or agreement, they met with the researchers for problem solving and assurance of data quality. The method generated the following content categories for analysis: a) existence of privacy and security policies, b) antihacking notice, c) data transmission encryption, d) intrusion detection, e) investigation of improper user activities, f) login authentication, g) no-liability notice, and h) Internet traffic monitoring.
The information security audit was used to determine organizations’ compliance with legislation, such as the Privacy Act (1974) and the Children’s Online Privacy Protection Act (1998), which specify how organizations must handle information and protect privacy (Hurley, 2002; Winkler, 2004). To determine how securely the e-commerce sites protect personal information, we audited the sites’ information security by a) checking whether the My Account login pages were secured with Secure Socket Layer (SSL) encryption for data transmission, b) testing whether the login pages set a limited number of access attempts to prevent hackers’ guessing of usernames and passwords, and c) searching through the sites’ search tools and Google search to see whether any personal information would be identified (Ciampa, 2009).
Network security mapping is a method of using software tools to assess the vulnerability of an entire computer network system without intrusion and to identify areas of potential security threats (Garcia, 2004; Winkler, 2004). To assess the vulnerability of the e-commerce network systems, we selected a popular, free network mapping tool, Nmap, provided by the website insecure.org. Nmap is port scanning and network mapping software. It uses raw Internet protocol packets to determine what hosts are available on the network; what ports are open, filtered, or closed; what web services (application name and version) those hosts are offering; what computer operating systems (OS) and OS versions they are running; what type of packet filters and firewalls are in use; and many other characteristics (cf. http://insecure.org/).
To ensure that it would be legal and ethical to use Nmap for port scanning, the study reviewed related literature and could not find federal or state laws that specifically address the issue (e.g., U.S. Department of Justice, 2003). However, in the Georgia District Court case of Moulton v. VC3 (Jamieson, 2002), the judge declared the port scan in the case legal because it impaired neither the integrity nor the availability of the network. The judge found that since the activity performed no damage to the target, it could not be illegal (Jamieson, 2002). The implication of this case is that a port scan is not an attack and usually causes no damage to a target network; the legality and ethics of a port scan depend on whether the intent of the port scan is to cause damage or to improve security. As the purpose of this study was to provide e-commerce administrators with the findings they need for the continuous improvement of their e-commerce security, using Nmap for this study was justified.
The population of this study consisted of the retail e-commerce sites of the Fortune 500 largest U.S. corporations. A thorough search of the Fortune 500 corporate websites (Fortune, 2009) identified 116 retail e-commerce sites. These 116 sites were all used in the study according to the sample size requirement (Cochran, 1977). Table 1 shows the demographic profile of these 116 sites.
Data were collected between October 2009 and April 2010 and then coded for statistical analysis. Frequency counts, percentage distributions, means, and standard deviations were prepared. The Pearson chi-square test was used to determine if any significant differences existed at the .01 Cronbach’s alpha level among industry groups in order to address Research Question 4.

TABLE 1
Demographic Profile of Fortune 500 Retail E-Commerce Sites (N = 116)

Group   Type of company business                        n    %
1.      Airlines and hospitality services               13   11
2.      Apparel and shoes                               17   15
3.      Commercial banks                                12   10
4.      Computer/telecommunication/electronic tools     29   25
5.      Food/beverage/drug/personal products            23   20
6.      General merchandisers/specialty retailers       22   19

RESULTS
The findings of the study are reported in the following sequence: a) privacy and security measures on e-commerce
sites, b) protection of personal information, c) security status
of e-commerce network systems, and d) differences among
industry groups.
Privacy and Security Measures on E-Commerce Sites
Research Question 1 asked the following: What privacy and security measures are stated in policies on Fortune 500 corporations’ e-commerce sites? As Table 2 shows, of the 116 sites, 112 (97%) provided a link to the privacy policy statement on their home pages, but the name of the link varied and included “Privacy Policy,” “Privacy,” “Privacy Rights,” “Privacy/Security,” “Privacy, Security & Legal,” and “Terms of Use & Privacy.” The privacy policies commonly stated that the e-commerce site is committed or dedicated to protecting the privacy and personal data it receives from customers in compliance with all relevant data protection and privacy laws. Most privacy policies consisted of the following sections: a) what personal information the site collects, b) how the site uses the collected information, c) how the site protects users’ and children’s privacy, d) how users can access their own information, and e) what about links to other websites.
A total of 102 sites (88%) also presented a link to the security policy on their homepages or embedded it within the privacy policy. The security policies usually indicated that the e-commerce sites use appropriate physical, electronic, and managerial measures to safeguard the data collected online and to prevent unauthorized access (see, for example, Figure 1).

TABLE 2
Fortune 500 Privacy & Security Policy Status on their E-Commerce Sites (N = 116)

Privacy and security policy status                                      n     %
A privacy policy link available on e-commerce homepage                  112   97
A security policy link available on e-commerce homepage                 102   88
A proper-use note attached to the security policy or disclaimer         66    57
A no-liability note attached to the security policy or disclaimer       54    47
Security measures
Encryption: using secure socket layer (SSL) encryption to protect
  data transmissions                                                    83    72
Authentication: using username and password to protect account
  privacy and security                                                  64    55
Monitoring: using software programs to monitor Internet traffic         49    42
Auditing: identifying unauthorized attempts to upload or change
  information                                                           42    36
Investigation: investigating improper activities to identify
  individual persons                                                    30    26
FIGURE 1 Security statement on Gap.com e-commerce site (color figure available online).

More than half (57%) of the sites also included a proper-use statement in their security policy for enforcing users’ proper online behaviors. However, nearly half (47%) of the sites also included a no-liability note in their security policy to avoid any legal liability if their sites were attacked and consumer accounts were stolen (see, for example, Figure 2).

FIGURE 2 No-liability notice on AA.com e-commerce site (color figure available online).

Regarding the security measures, most of the sites clearly stated using SSL encryption to protect data transmission (73%) and using username and password to protect account privacy and security (55%). However, only around one third of the sites stated how they monitor Internet traffic (42%), how they audit unauthorized attempts to upload or change information (36%), and how they investigate improper online activities (26%).
Protection of Personal Information
Research Question 2 asked the following: How do Fortune 500 corporations’ e-commerce sites protect customer and employee information? As Table 3 illustrates, 100% of the sites secured My Account login pages with SSL encryption for data transmission. However, only 16% of the sites limited a user to a maximum of three access attempts to log in as a security measure to prevent hackers’ guessing of usernames and passwords. Obviously, the majority (84%) of My Account login pages required only the basic security measures of username and password for accessing such private and personal accounts. This login practice was vulnerable to hacker intrusion because hackers could easily get into an account by using software tools for automatically and repeatedly guessing usernames and passwords.
Regarding whether the e-commerce sites’ search tools would reveal employee and customer information, the test results indicated that only a minority of their search tools would generate some results of company employees’ information such as their name (33%), job title (32%), affiliation (5%), and salary (4%). No customer information could be generated through the search with the e-commerce site search tools.
The Google search also generated little to no information on the companies’ employees. Only two companies’ employee names and one company’s employee job titles were searchable from Google. The search did not generate any information on the companies’ employee affiliations or salaries.

TABLE 3
Customer and Employee Information Security on E-Commerce Sites (N = 116)

Category                                          n     %
My Account page secured with SSL encryption       116   100
My Account login limiting 3 access attempts       18    16
E-commerce site search results
  Employee name                                   38    33
  Employee job title                              37    32
  Employee’s affiliation                          6     5
  Employee salary                                 5     4
  Customer information                            0     0
Google.com search results
  Employee name                                   2     2
  Employee job title                              1     1
  Employee’s affiliation                          0     0
  Employee salary                                 0     0

Security Status of E-Commerce Network Systems
Research Question 3 asked the following: How secure are the computer network systems of Fortune 500 corporations’ e-commerce sites? Computer network systems connect to the Internet through communication ports. The ports of an Internet-connected computer are classified into the well-known ports, the registered ports, and the dynamic or private ports. The numbers of the well-known ports range from 0 to 1023, those of the registered ports from 1024 to 49151, and those of the dynamic or private ports from 49152 to 65535. If the ports are open on the Internet without firewalls or filters, they are very vulnerable to cyber intrusions and attacks.
As Figure 3 shows, of the 116 sites scanned by Nmap, 112 sites (97%) revealed 1,705 Internet ports on each of their networks; only four sites showed 1,680 ports each. The scan report also indicated that most of these ports were filtered, behind firewalls, or closed, and only very few ports were open. As Figure 4 shows, among the 112 sites that revealed 1,705 ports on each of their networks, 108 sites filtered, firewalled, or closed most of their ports, ranging from 1,701 to 1,704 ports at each site. Similarly, among the four sites that revealed 1,680 ports (see Figure 3), two sites had all their ports filtered, firewalled, or closed, whereas the other two had 1,679 ports filtered, firewalled, or closed (see Figure 4). However, three sites only filtered, firewalled, or closed 1,695 of their 1,705 ports, and only one site secured just 1,680 of its 1,705 ports.

FIGURE 3 Number of Internet ports scanned at Fortune 500 e-commerce sites (color figure available online).

The scan report also presented the network vulnerability from the open ports. Of the 116 sites, 113 (97%) had port 80/tcp open for the web or http service. Web servers frequently disclosed via port 80/tcp were Apache, Microsoft IIS, and Netscape servers. In addition, 92 sites (79%) had port 443/tcp open for the https service of encrypted data transmission. Only 15 sites (13%) had port 22/tcp open for secure shell (ssh) communication. However, from the open ports, the network scanner detected information on nearly one third of the sites’ computer operating systems, such as Windows IE7/XP/2003 Server, Sun Solaris 8, Linux 2.6.8–2.6.9, and IBM AIX 4.3.2.0–4.3.3.0 on IBM RS/x. A follow-up analysis found that these sites did not include any commercial bank sites. Finally, the scanner did not identify any of the following ports open: port 21/tcp for file transfer protocol (FTP) service, port 23/tcp for telnet remote access, and port 53/tcp for domain name server (DNS) service of mapping domain names. These ports are usually the primary targets for cyber attacks and intrusions if they are open.
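To show how the tallies above (ports open versus filtered or closed per site, OS fingerprints, server banners on 80/tcp, and the 21/23/53 check) can be derived from Nmap's normal output, here is an added Python example; it is not code from the study, and the two-host scan report it parses is constructed sample data, not the Fortune 500 scan results.

```python
"""Tally Nmap normal-output reports as the study's network security mapping
step does: per site, open vs. filtered/closed ports, any OS fingerprint,
banners on open ports, and whether ports 21/23/53 are open. Added example;
the two-host report below is constructed, not the study's scan data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 53: "dns"}  # the paper's "primary targets"
EXPECTED_WEB_PORTS = {80, 443}                          # http and https on a retail site
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (open|closed|filtered) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^OS details: (.+)$")

# Constructed sample in Nmap's normal output format; 1,705 ports probed per host.
SAMPLE_SCAN = """\
Nmap scan report for shop-a.example (203.0.113.10)
Not shown: 1701 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 4.3 (protocol 2.0)
80/tcp   open   http       Apache httpd 2.2.3
443/tcp  open   https
8080/tcp closed http-proxy
OS details: Linux 2.6.8 - 2.6.9

Nmap scan report for bank-b.example (198.51.100.7)
Not shown: 1703 filtered ports
PORT    STATE SERVICE VERSION
80/tcp  open  http
443/tcp open  https
Too many fingerprints match this host to give specific OS details
"""


@dataclass
class HostSummary:
    host: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> "service banner"
    closed: int = 0
    filtered: int = 0
    os_guess: Optional[str] = None

    @property
    def total_ports(self) -> int:
        return len(self.open_ports) + self.closed + self.filtered

    @property
    def secured_ports(self) -> int:  # "filtered, firewalled, or closed" in the paper
        return self.closed + self.filtered


def parse_nmap(report: str) -> List[HostSummary]:
    hosts: List[HostSummary] = []
    cur: Optional[HostSummary] = None
    for raw in report.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            cur = HostSummary(host=m.group(1))
            hosts.append(cur)
        elif cur is None:
            continue  # lines before the first host block
        elif m := NOT_SHOWN_RE.match(line):  # bulk of probed ports, collapsed by Nmap
            count, state = int(m.group(1)), m.group(2)
            if state == "filtered":
                cur.filtered += count
            elif state == "closed":
                cur.closed += count
        elif m := PORT_RE.match(line):
            port, state, service, banner = int(m.group(1)), m.group(3), m.group(4), m.group(5)
            if state == "open":
                cur.open_ports[port] = f"{service} {banner or ''}".strip()
            elif state == "closed":
                cur.closed += 1
            else:  # filtered or open|filtered: not confirmed open
                cur.filtered += 1
        elif m := OS_RE.match(line):
            cur.os_guess = m.group(1)
    return hosts


def findings(h: HostSummary) -> List[str]:
    """Exposure points the paper flags, listed as an auditor would report them."""
    out: List[str] = []
    for port, label in HIGH_RISK_PORTS.items():
        if port in h.open_ports:
            out.append(f"{port}/tcp ({label}) open: primary target if exposed")
    for port, desc in sorted(h.open_ports.items()):
        if port not in EXPECTED_WEB_PORTS:
            out.append(f"{port}/tcp open beyond the expected web ports: {desc}")
        elif " " in desc:  # service name followed by a version banner
            out.append(f"{port}/tcp discloses server name/version: {desc}")
    if h.os_guess:
        out.append(f"operating system fingerprinted from open ports: {h.os_guess}")
    return out
```

Run over a whole set of reports, `sum(1 for h in hosts if h.os_guess)` gives the "sites with OS detected" count the paper reports, and an empty `findings` list is the profile the commercial bank sites showed.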

FIGURE 4 Number of ports filtered, firewalled, or closed at Fortune 500 e-commerce sites (color figure available online).

TABLE 4
Pearson Chi-Square Test of Significant Differences Among Industry Groups

Category                                                              % of Fortune 500   Industry group   %
A security policy link is available at e-commerce homepage            88%                Group 2          59∗∗
A proper-use note is attached to the security policy or disclaimer    57%                Group 6          86∗∗
                                                                                         Group 1          85∗∗
                                                                                         Group 4          28∗∗
A no-liability note is attached to the security policy or disclaimer  47%                Group 6          91∗∗
                                                                                         Group 3          83∗∗
                                                                                         Group 2          0∗∗
Authentication: using username and password to protect account        55%                Group 6          95∗∗
  privacy and security                                                                   Group 3          92∗∗
                                                                                         Group 2          18∗∗
Monitoring: using software programs to monitor Internet traffic       42%                Group 6          100∗∗
                                                                                         Group 3          83∗∗
                                                                                         Group 4          3∗∗
Auditing: identifying unauthorized attempts to upload or change       36%                Group 3          75∗∗
  information                                                                            Group 6          68∗∗
                                                                                         Group 4          7∗∗
                                                                                         Group 2          0∗∗
Investigation: investigating improper activities to identify          26%                Group 3          92∗∗
  individual persons                                                                     Group 2          0∗∗
                                                                                         Group 4          0∗∗
∗∗p = .01.

Differences Among Industry Groups
Research Question 4 asked the following: Are there any significant differences among industry groups of the Fortune 500 corporations’ e-commerce sites? As Table 4 shows, significant differences existed among the six industry groups on privacy and security protection. Significantly fewer sites in the apparel and shoes industry (Group 2, 59%) posted a security policy link on their home pages in comparison with 88% of the Fortune 500 sites. Regarding the proper-use note, significantly more sites in the general merchandisers and specialty retailers industry (Group 6, 86%) and the airlines and hospitality services industry (Group 1, 85%) attached such a note to the security policy, whereas significantly fewer sites of the computer, telecommunications, and electronic tools industry (Group 4, 28%) did so. In addition, although significantly more sites of the general merchandisers and specialty retailers industry (Group 6, 91%) and the commercial banks (Group 3, 83%) attached a no-liability note to their security policy, no site of the apparel and shoes industry (Group 2, 0%) posted such a note.
Regarding the implementation of security measures, significantly more sites of Group 6 (95%) and Group 3 (92%) stated using username and password authentication for security protection, when compared with 55% of the Fortune
500 as a whole. In contrast, Group 2 (18%) did significantly
less. For monitoring the Internet traffic, significantly more
sites of Group 6 (100%) and Group 3 (83%) stated using
software programs to monitor the traffic than did the Fortune
500 (42%). But significantly fewer sites of Group 4 (3%) did
so. Concerning the audit of user activities, significantly more
sites of Group 3 (75%) and Group 6 (68%) stated auditing
and identifying unauthorized attempts to upload or change
information when compared with the Fortune 500 (36%) as
a whole. However, significantly fewer sites of Group 4 (7%)
and Group 2 (0%) did so. Finally, regarding the investigation of improper user activities, significantly more sites of
Group 3 (92%) stated so when compared with the Fortune
500 (26%) as a whole. Nevertheless, no single site of Group
2 and Group 4 did so.
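As an added worked example (not the paper's own computation), the following Python carries the Pearson chi-square test through with Table 4's figures; the paper does not state how each group was contrasted, so the group-versus-rest 2x2 layout, the rounding of reported percentages back to site counts, and the expected-count check are assumptions.

```python
"""Pearson chi-square test of one industry group against the rest of the sample,
carried through with Table 4's figures. Added example, not the paper's own
computation: the group-versus-rest 2x2 layout, the rounding of reported
percentages back to site counts, and the expected-count check are assumptions."""
from typing import Dict, Tuple

CHI2_CRITICAL_DF1 = {0.05: 3.841, 0.01: 6.635}  # standard table values, 1 degree of freedom
FORTUNE_500_N = 116                              # sites in the study


def group_vs_rest(group_n: int, group_pct: float, total_with: int,
                  total_n: int = FORTUNE_500_N) -> Tuple[int, int, int, int]:
    """2x2 table (a, b, c, d): group sites with/without the item, then the
    remaining sites with/without it. group_pct is the percentage from Table 4."""
    a = round(group_n * group_pct / 100)
    b = group_n - a
    c = total_with - a
    d = (total_n - group_n) - c
    return a, b, c, d


def chi_square_2x2(a: int, b: int, c: int, d: int) -> float:
    """Pearson statistic: sum over cells of (observed - expected)^2 / expected,
    with expected = row total * column total / N."""
    n = a + b + c + d
    rows, cols = (a + b, c + d), (a + c, b + d)
    observed = ((a, b), (c, d))
    stat = 0.0
    for i in range(2):
        for j in range(2):
            expected = rows[i] * cols[j] / n
            stat += (observed[i][j] - expected) ** 2 / expected
    return stat


def min_expected_count(a: int, b: int, c: int, d: int) -> float:
    """Smallest expected cell; below 5 the chi-square approximation is shaky and
    an exact test would be the safer choice (a caveat for the small groups)."""
    n = a + b + c + d
    rows, cols = (a + b, c + d), (a + c, b + d)
    return min(r * col for r in rows for col in cols) / n


def evaluate_item(group_n: int, group_pct: float, total_with: int,
                  alpha: float = 0.01) -> Dict[str, object]:
    table = group_vs_rest(group_n, group_pct, total_with)
    stat = chi_square_2x2(*table)
    return {
        "table": table,
        "chi2": round(stat, 3),
        "significant": stat > CHI2_CRITICAL_DF1[alpha],
        "min_expected": round(min_expected_count(*table), 2),
    }


# Table 4 cases: Group 2 (n = 17, 59%) on the security policy link (102 of 116),
# and Group 4 (n = 29, 7%) on auditing (42 of 116).
SECURITY_LINK_GROUP2 = evaluate_item(17, 59, 102)
AUDITING_GROUP4 = evaluate_item(29, 7, 42)
```

Both cases exceed the .01 critical value, but the Group 2 table has an expected cell of about 2, which is the kind of small-count situation where the chi-square result should be read with caution.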

SUMMARY AND DISCUSSION
Most of the Fortune 500 retail e-commerce sites posted privacy policies (97%) and security policies (88%) on the home
pages and described ways of handling and protecting the privacy and personal data in compliance with privacy laws. The
policies clearly stated using SSL encryption to protect data
transmission and using username and password to protect
account privacy. These findings indicate that the large U.S.
corporations’ sites did much better than other companies in
privacy protection, as the 2009 InformationWeek analytics
survey of 430 business technology professionals found so
little encryption on so much enterprise data (Davis, 2009).
However, improvement is needed because only around one third of the sites stated how they monitor Internet traffic, audit unauthorized attempts to upload or change information, and investigate improper online activities. Clearly, the other two thirds of the sites have to review their policies and ensure that they include the needed security measures to protect consumers’ sensitive information from hacker attacks. Otherwise, if a data breach happened at their sites, the companies would face legal charges by the law enforcement authorities, as shown in the CVS Caremark case (Farrell et al., 2009).
Nearly half of the sites included a no-liability note in their security policies to avoid any legal liability if their sites were attacked and consumer accounts were stolen. Obviously, this no-liability note would very likely stop cautious online shoppers from buying anything at these sites (Yang, Chandlrees, Lin, & Chao, 2009). Furthermore, whether a site is liable for a data breach is not up to the no-liability statement, but up to the law enforcement authorities’ examination of the site’s privacy compliance (Kaplan, Kresses, & Marcus, 2008; Lordan & Crawford, 2009).
All of the sites secured My Account login pages with SSL encryption for data transmission. However, 84% of the sites failed to limit login to a maximum of three access attempts. The failure to set this second security defense has made the login vulnerable because hackers could easily get into an account by guessing the username and password (Ciampa, 2009). Obviously, these 84% of the sites need to improve their login pages by limiting the number of login attempts.
No site’s search tools generated any customer information. When searching for employee information, one third
of the sites revealed some employee names and job titles.
The Google search generated little to no information of the
companies’ employees. These findings indicate that the large
U.S. corporations’ sites in general are secure in protecting
employee and consumer information.
Moreover, the sites had most of their Internet ports filtered, behind firewalls, or closed, with only very few ports open, such as port 80/tcp and port 443/tcp. From the open ports, the network scanner detected operating system information for nearly one third of the sites. These findings indicate that the sites still had a few spots vulnerable to cyber intrusions, as the open ports would enable cyber intruders to detect the ports’ detailed information such as server names and versions, service status, and computer operating systems. Knowing such detailed information, cyber intruders would be able to find their way to intrude into and hack at those open, vulnerable ports. As a consequence, web services could be paralyzed by denial of service (DoS) attacks (Symantec, 2007); important data could be changed, stolen, or deleted by cross-site scripting and Structured Query Language (SQL) code injection (Moen, Klingsheim, Simonsen, & Hole, 2007); and computer operating systems could be impaired (Halcnin, 2004), if the website has no 24 hr/day, 7 days/week security surveillance for monitoring the web traffic.
Significant differences existed among the six industry
groups on e-commerce privacy and security protection. Commercial banks, general merchandisers, and specialty retailers
did significantly better than other industry groups in implementing security measures of authenticating username and
password, monitoring Internet traffic, and auditing unauthorized attempts to upload or change information. In addition,
the commercial banks’ sites were significantly more active
than other industries in investigating improper online activities to identify individual persons.
Furthermore, the Nmap scanner did not detect any operating systems information from the sites of the commercial banks. Obviously, the findings of the commercial banks
in this study did not support the 2006 survey results of
Hovanesian (2008) that 75% of bank websites were vulnerable to hacking. This could mean that banks had made
continuous improvement in securing their sites. The findings
would also enable other industry groups to benchmark commercial banks, general merchandisers, and specialty retailers
in implementing their e-commerce security measures.
Practical and Pedagogical Implications
The findings of this study identified strengths and weaknesses of the Fortune 500 retail e-commerce sites. These findings would not only enable e-commerce administrators to learn from the other sites’ strengths and improve on their own weaknesses, but also assist business and information technology educators in advising their students in internship and job searches.
First, because two-thirds of the sites failed to state the security measures in their policies, it is necessary for the administrators of these sites to consider including the following security measures in their security policies and implementing them immediately: monitoring Internet traffic, auditing unauthorized attempts to upload or change information, and investigating improper online activities to identify individual persons and report them to the law enforcement authorities.
Second, because only 16% of the sites set the limit to a maximum of three access attempts to My Account login to prevent hackers’ guessing of usernames and passwords, the administrators of the other 84% of sites should consider the need for limiting login access to a maximum of three attempts as a security measure.
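The three-attempt limit recommended above, as an added example that is not part of the paper: an in-memory guard that refuses further password attempts for a username once three have failed, until a lockout window has passed. The credential store, the 15-minute window, and the hashing scheme are assumptions made for the example.

```python
"""Account lockout after three failed My Account logins (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3            # the ceiling the paper recommends
LOCKOUT_SECONDS = 15 * 60   # assumption: lockout window, not from the paper


def digest_password(password: str) -> bytes:
    # Illustration only; a production store would use a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class LoginGuard:
    credentials: dict                                 # username -> digest
    failures: dict = field(default_factory=dict)      # username -> failed count
    locked_until: dict = field(default_factory=dict)  # username -> unlock time

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`.

        Unknown usernames are counted and answered like known ones, so the
        response does not reveal which accounts exist."""
        if self.locked_until.get(username, 0.0) > now:
            return "locked"              # refused even if the password is right
        expected = self.credentials.get(username)
        supplied = digest_password(password)
        if expected is not None and hmac.compare_digest(expected, supplied):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= MAX_ATTEMPTS:        # third failure: lock the account
            self.failures.pop(username, None)
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        self.failures[username] = count
        return "denied"


def demo() -> list:
    """Three wrong passwords, then the right one inside the lockout window."""
    guard = LoginGuard({"alice": digest_password("correct horse")})   # constructed
    attempts = ["wrong1", "wrong2", "wrong3", "correct horse"]
    return [guard.attempt("alice", pw, now=t) for t, pw in enumerate(attempts)]
    # -> ['denied', 'denied', 'locked', 'locked']
```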
Furthermore, the administrators of the sites should consider following the Fortune 500 commercial banks’ example and filtering or firewalling ports 80/tcp and 443/tcp, so that the internal hosts’ server names and versions, service status, and computer operating systems would not be detected by port and network mapping scanners.
Finally, around two-thirds of the sites need to improve their privacy and security policies and technologies. Such needs appear to imply opportunities for student internships and jobs at the Fortune 500 retail e-commerce sites. Therefore, business and information technology educators should consider contacting the administrators of these sites about creating internships or job positions for students specializing in e-business or Internet security.
REFERENCES
Boggs, R. A., & Walters, D. (2006). A longitudinal look at e-government in practice. Issues in Information Systems, 7, 161–164.
Children’s Online Privacy Act of 1998, Pub. L. 105–277, 112 Stat. 2581-728 (1998).
Ciampa, M. (2009). Security+ guide to network security fundamentals (3rd ed.). Boston, MA: Cengage Learning.
Cochran, W. G. (1977). Sampling techniques (3rd ed.). New York, NY: Wiley.
Davis, M. A. (2009, November 23). What will it take? So much data, so little encryption. InformationWeek, 1249, 23–31.
Farrell, C. B., Sheer, A., & Garrison, L. (2009, February 18). CVS Caremark settles FTC charges: Failed to protect medical and financial privacy of customers and employees [Press release]. Retrieved from http://www.ftc.gov/opa/2009/02/cvs.shtm
Federal Trade Commission Act of 2006, 15 U.S.C. §§ 42–58 (2006).
Fortune. (2009, May). The Fortune 500 largest U.S. corporations. Fortune, 159(9), F-34–45.
Fossi, M., Johnson, E., Mack, T., Blackbird, J., Low, M. K., Adams, T., . . . Samnani, A. (2009, April). Symantec global Internet security threat report: Trends for 2008 (Vol. 14). Retrieved from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
Garcia, R. C. (2004). Network security: Mapping intrusion and anomaly detection to very-high-degree polynomials. Signals, Systems, and Computers, 2, 1449–1452.
Gorman, S. (2010, February 18). Hackers attack 2,411 firms. Wall Street Journal, p. A3.
Greene, T. (2008, August). Business hacks reap money from e-commerce sites. Network World, 25(30). Retrieved from http://www.networkworld.com/news/2008/080808-business-hacks.html
Halcnin, L. E. (2004). Electronic government: Government capability and terrorist resources. Government Information Quarterly, 21, 406–419.
Hovanesian, M. D. (2008, August 11). Security holes at the online bank. Business Week, p. 16.
Hurley, E. (2002, April 3). Audits confirm enterprise security. Tech Target. Retrieved from http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci814796,00.html
Jamieson, S. (2002). The ethics and legality of port scanning. Bethesda, MD: SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/legal/the_ethics_and_legality_of_port_scanning_71?show=71.php&cat=legal
Kaplan, P., Kresses, M., & Marcus, P. (2008, December 11). Sony BMG Music settles charges its music fan web sites violated the Children’s Online Privacy Protection Act [Press release]. Retrieved from http://www.ftc.gov/opa/2008/12/sonymusic.shtm
Lordan, B., & Crawford, M. (2009, February 5). Consumer electronics company agrees to settle data security charges [Press release]. Retrieved from http://www.ftc.gov/opa/2009/02/compgeeks.shtm
Moen, V., Klingsheim, A. N., Simonsen, K. F., & Hole, K. J. (2007). Vulnerabilities in e-governments. International Journal of Electronic Security and Digital Forensics, 1, 89–100. Retrieved from http://www.inderscience.com/storage/f125431610811792.pdf
Mookhey, K. K. (2004, April 26). Common security vulnerabilities in e-commerce systems. Security Focus. Retrieved from http://www.securityfocus.com/infocus/1775
Privacy Act of 1974, Pub. L. 93-579, 88 Stat. 1896 (1974).
Schuman, E. (2007, October 24). TJX breach more than twice as bad as reported. eWeek. Retrieved from http://www.eweek.com/print_article2/0,1217,a=217939,00.asp
Symantec. (2007, September). Symantec Internet security threat report. Symantec Enterprise Security, 12, 1–30.
U.S. Census Bureau. (2009). The 2007 e-commerce multi-sector “E-Stats” report. Measuring the electronic economy. Washington, DC: Author.
U.S. Census Bureau. (2010). Quarterly retail e-commerce sales: 2nd quarter 2010. E-Stats—measuring the electronic economy. Washington, DC: Author. Retrieved from http://www.census.gov/retail/mrts/www/data/pdf/10q2.pdf
U.S. Department of Justice. (2003). Fraud and related activity in connection with computers. In United States Code Annotated, Title 18, Chapter 47, Section 1030. Washington, DC: Author. Retrieved from http://www.justice.gov/criminal/cybercrime/patriot_redline.htm
U.S. Safe Web Act of 2006, Pub. L. No. 109-455, 120 Stat. 3376 (2006).
Vijayan, J. (2007, January 19). Breach at TJX shows IT security still lacking in retail industry. Computer World. Retrieved from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008599
Wilkinson, V. O., & Cappel, J. J. (2005). Impact of economic prosperity and population on e-government involvement. Issues in Information Systems, 6, 204–209.
Winkler, I. (2004, July 19). What is a security audit? Tech Target. Retrieved from http://searchcio.techtarget.com/sDefinition/0,,sid182_gci955099,00.html
Yang, M., Chandlrees, N., Lin, B., & Chao, H. (2009). The effect of perceived ethical performance of shopping web sites on consumer trust. Journal of Computer Information Systems, 50(1), 15–24.
Zhao, J. J., & Zhao, S. Y. (2004). Internet technologies used by INC. 500 corporate web sites. Issues in Information Systems, 5, 366–372.
APPENDIX—Security Audit of Retail E-Commerce Sites
Company Name: ______________________ Auditor Name: ______________________
URL: http://______________________ Auditing Date: ____/____/____
Directions: Please read each of the following questions carefully and audit the site meticulously. You must save each of your search results digitally, print out a hard copy, and attach it to its audit instrument for double-checking.
PART I. E-Commerce Privacy and Security Policy Status
1. Is there a Privacy Policy statement or disclaimer on the company e-commerce homepage? Yes / No
2. Is there a Security Policy statement or disclaimer on the company e-commerce homepage? Yes / No (If no, please skip Question 3 and continue with Question 4.)
3. Which of the following security measures were stated in use? (Please check all that apply.)
  a. Monitoring: using software programs to monitor traffic
  b. Auditing: identifying unauthorized attempts to upload or change information or otherwise cause damage
  c. Investigation: investigating improper activities to identify individual persons
  d. Authentication: using username and password to protect account privacy and security
  e. Encryption: using Secure Sockets Layer (SSL) encryption to protect data transmissions
  f. Other (Please specify: ______________________.)
4. Does the security/privacy statement provide a no-liability note similar to the following? “The information contained in this policy should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided via this website.” Yes / No
5. Is there a Proper Use or Anti-Hacking statement on the e-government homepage? Yes / No
PART II. Customer Account Security Status on E-Commerce Sites
6. Does the My Account link use https:// (SSL) encryption? Yes / No
7. Does the My Account Login page limit access attempts of typing usernames and passwords to a maximum of three? Yes / No
8. Does the e-commerce site’s Search tool reveal sensitive information about company top executives? Yes / No
  If yes, which of the following information is revealed? (Please check all that apply.)
  a. Executive’s name
  b. Executive’s job title
  c. Executive’s annual salary
  d. Executive’s other compensation
  e. Executive’s phone number
  f. Executive’s email address
  g. Other (Please specify: ______________________.)
9. Does the e-commerce site’s Search tool reveal sensitive information about company employees? Yes / No
10. If yes, which of the following information is revealed? (Please check all that apply.)
  a. Employee name
  b. Employee job title
  c. Employee salary
  d. Employee’s affiliation/employer
  e. Employee’s home address
  f. Other (Please specify: ______________________.)
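Questions 1, 2 and 6 of the instrument can be pre-screened offline against a saved copy of a homepage; the following is an added example and is not part of the paper's audit instrument. It assumes the policy and account links carry recognizable anchor text ("privacy", "security", "my account"), and the sample HTML is constructed for the example, not taken from any real site.

```python
"""Offline pre-screen for audit Questions 1, 2 and 6 (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect (lower-cased anchor text, href) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split()).lower()
            self.links.append((text, self._href))
            self._href = None


def audit_homepage(html: str, page_url: str) -> dict:
    """Answer Q1 (privacy policy link), Q2 (security policy link) and
    Q6 (My Account link resolves to https). Q6 is None if no account link."""
    collector = LinkCollector()
    collector.feed(html)
    answers = {"q1_privacy_policy": False, "q2_security_policy": False,
               "q6_my_account_https": None}
    for text, href in collector.links:
        if "privacy" in text:
            answers["q1_privacy_policy"] = True
        if "security" in text:
            answers["q2_security_policy"] = True
        if "my account" in text:
            # A relative href inherits the scheme of the page it sits on.
            scheme = urlsplit(urljoin(page_url, href)).scheme.lower()
            answers["q6_my_account_https"] = scheme == "https"
    return answers


# Constructed sample homepage (not a real site): the account link is
# relative, so on a plain-http homepage it resolves to http:// and fails Q6.
SAMPLE_HOMEPAGE = """<html><body>
<a href="/account/login">My Account</a>
<a href="/help/privacy">Privacy Policy</a>
<a href="https://www.example.com/help/security">Security Policy</a>
</body></html>"""
```

Run against `SAMPLE_HOMEPAGE` fetched over http://, the result is Q1 yes, Q2 yes, Q6 no; the same page served over https:// passes Q6.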