Security and Internet Commerce
Monday, November 22, 1999
Every day more people use the Internet, and every day more of them use it for online shopping. What Internet users do not realize, however, is that what they do on the Internet is not secret. Although the connection to a shopper may seem secure, it may not be, leaving personal information such as credit card records out in the open for anyone to see. However, measures can be taken to make electronic commerce safer. As more people use the Internet's World Wide Web for shopping, more people must be made aware of the security risks that Internet commerce poses, because Internet commerce is not as secure as it seems.
The Internet is used by more people every day, mostly due to the ease of use provided by the World Wide Web. The Internet is a worldwide network of computers, which allows rapid and vast retrieval of data. The most common and popular way to navigate the Internet is the World Wide Web (WWW). The World Wide Web is popular because it allows the user to view a graphical representation of the Internet. The Federal Trade Commission (1999) estimates in its report to Congress that there are eighty million adults using the Internet in the United States alone ("Self-Regulation and Privacy", p. 2). That number is growing daily, with Internet service providers now providing free or very low cost service. The World Wide Web is booming.
Just as web use is becoming more widespread, so is Internet commerce, or buying and selling goods over the Internet. Buying a product over the Internet is fast and easy, and it is shipped right to your door. Online revenues of North American retailers in the first half of 1998 were approximately 4.4 billion dollars. The FTC (1999) also reports that online sales tripled from 1997 to 1998, and are expected to increase at an even higher rate ("Self-Regulation and Privacy", p. 1). According to Baskin (1999), some 17 million households will be shopping online by the end of the year (p. 1). All of the increased revenue and sales make sense, however, as more and more companies bring their catalogs online. People in today's American society want things here and now, and Internet shopping provides that. Internet stores are open twenty-four hours a day, seven days a week, 365 days a year, as long as their web server does not go off-line. Home Internet users as well as businesses are finding online shopping, or e-commerce, enticing because of its expedience, lucidity and robustness (PricewaterhouseCoopers, 1999, p. 1). Today, you can find every kind of product that you could want on the Internet, and buy it if you have the magic key: a credit card.
Internet commerce requires the exchange of funds, and the only way to do this now is with a credit card number. Just as there are crooks that steal credit card numbers in the real world, crooks online will steal credit card numbers and use them to their advantage. This is the drawback to shopping online: the risk that the shopper's personal information is out in the open, where most computer literate people could intercept it. Experienced Internet users know that this is true. In a survey of experienced Internet users by the FTC (1999), eighty-seven percent were somewhat or greatly concerned about their privacy while shopping online ("Self-Regulation and Privacy", p. 2). The eighty-seven percent that were concerned about their privacy certainly have the right to be. The most common method of securing web commerce data, Secure Sockets Layer (SSL) encryption, has been cracked by David Doligez (1999) as well as many other hackers (Doligez, p. 1). What this means is that whatever you submit using SSL can be decrypted, leaving your personal information quite vulnerable. As Gutmann (1999) puts it, "[t]he Internet was originally created as a research tool and not as a commercial environment[,] … it was designed for ease of use and collaboration, rather than security" (p. 2). SSL is a security measure designed for an Internet that was never created to be secure or to use security protocols. SSL is nothing more than a security patch for an Internet that cannot be patched. Therefore, since the Internet itself is insecure, companies must work to find ways to use the existing Internet structure in a secure manner.
There are many different types of Internet security measures that commerce sites employ. The most common method used to secure the connection between the user's computer and the web server receiving the order is SSL, or Secure Sockets Layer. Netscape Communications Corporation developed SSL, which uses a public key encryption system (Stein, 1999, Q59). A public key system works as follows: each party, the home user and the web server, has a public key, which is viewable to everyone, and a private key, which is always kept secret. The private key can decrypt data that is encrypted with the public key. Conversely, data encrypted with the private key can only be decrypted by the public key. Internet users want to make sure they have a secure connection to the correct host. Today's web browsers do all of the work in the background. First, the browser checks what level of encryption it can use. Then the browser sends out a public key to the server. Next, the server responds with some type of message. The browser receives this message, encrypts it with its own private key, and returns it to the web server. Soon afterward, the server gets the message back and decrypts it using the browser's public key. If the message matches the message that the server sent out originally, then the server knows it has a secure connection and is talking to the browser, and can start to send and receive sensitive data (Netscape, 1999, p. 6). When a little key or lock is showing in the browser window, that means the browser has established a secure, encrypted connection with the server. Therefore, credit card numbers and other personal information are safe, right? Wrong. The SSL standard is not crack proof, and depending on the way in which online merchants use it, personal data is still vulnerable in many other ways.
The most common security method in use, Secure Sockets Layer encryption, has been and can be easily broken. The 40-bit version can be broken more easily than the 128-bit or higher versions, because the more bits the key has, the more complex the encryption. It took David Doligez eight days to break the 40-bit SSL encryption, which uses 1.1 × 10¹² keys. He wrote a program that went through all the key codes one by one until one fit the lock, and the data was revealed (Doligez, 1999, pp. 1-2). The 128-bit encryption is much more secure, using 3.4 × 10³⁸ keys, making it very hard to crack (Netscape, 1999, p. 4). Although 128-bit SSL is very hard to crack, it is possible to do it. Nevertheless, SSL is still somewhat safe, but not totally.
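As an added illustration (not part of the essay or of any source it cites), the following Python takes the essay's own figures, a 40-bit keyspace of about 1.1 × 10¹² keys searched exhaustively in eight days, and extrapolates the same key-by-key search to longer keys. The constant search rate derived from those figures is an assumption for the sake of the comparison, not a description of Doligez's actual hardware.

```python
# Added example: brute-force cost of SSL key sizes, extrapolated from the
# essay's figures (2**40 ~ 1.1e12 keys exhausted in 8 days). The search
# rate is an ASSUMPTION derived from those two numbers, nothing more.
from math import ceil, log2

SECONDS_PER_DAY = 86_400.0
DAYS_PER_YEAR = 365.25


def keyspace(bits: int) -> int:
    """Number of possible keys for a `bits`-bit symmetric key (2**40 ~ 1.1e12)."""
    return 2 ** bits


def implied_rate(bits: int, days: float) -> float:
    """Keys per second implied by trying every key of a `bits`-bit keyspace in `days`."""
    return keyspace(bits) / (days * SECONDS_PER_DAY)


def days_to_exhaust(bits: int, rate: float) -> float:
    """Worst-case days to try every key of a `bits`-bit keyspace at `rate` keys/s."""
    return keyspace(bits) / rate / SECONDS_PER_DAY


def min_bits_for_years(years: float, rate: float) -> int:
    """Smallest key length whose full exhaustion takes at least `years` at `rate`.

    Useful from the defender's side: each extra bit doubles the attacker's work."""
    keys_needed = years * DAYS_PER_YEAR * SECONDS_PER_DAY * rate
    return ceil(log2(keys_needed))


def brute_force_table(reference_bits: int = 40, reference_days: float = 8.0,
                      sizes=(40, 56, 64, 128)) -> dict:
    """Years to exhaust each key size at the rate implied by the reference crack."""
    rate = implied_rate(reference_bits, reference_days)
    return {b: days_to_exhaust(b, rate) / DAYS_PER_YEAR for b in sizes}


if __name__ == "__main__":
    rate = implied_rate(40, 8.0)
    print(f"implied search rate: {rate:.3e} keys/s")
    for bits, years in brute_force_table().items():
        print(f"{bits:>3}-bit: {years:.3e} years")
    print("bits needed to hold out 100 years at that rate:", min_bits_for_years(100, rate))
```

At the rate implied by the eight-day 40-bit crack, the 128-bit keyspace is 2⁸⁸ times larger and would take on the order of 10²⁴ years to exhaust, which is why the gap between 40-bit and 128-bit SSL is a difference in kind rather than degree.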
Breaking SSL is not the only way crooks can get your information. Merchants can leave your information out in the open, even if you have a "secure" connection. There are multitudes of ways that supposedly secure data can be compromised. One of the ways is if the merchant leaves their web server unprotected. Web servers are often the targets of malicious hackers because they are easy to break into and yield a high return in information. Spending several days cracking a code for one credit card number is much harder than breaking into a web server and stealing hundreds of numbers (Ghosh, 1999, p. 1). Another way in which data can be compromised is through third-party hosting of commerce sites.
Some businesses that are not immense corporations do not have the wherewithal to build their own web sites and maintain their own servers. These businesses rely on other companies to design and host their pages for them, and simply send them the transaction information. Third-party web commerce companies provide a CGI (common gateway interface) program called FormMail for their clients. This program gathers the personal information that the shopper provides to it and submits it to the company through e-mail. Although the customer may have a secure connection to the third-party server, it really does not matter, because the information is being sent unprotected through e-mail (Mencik, 1999, p. 1). Sending a message on the Internet is much like writing it on the back of a postcard. Everyone that comes across it on the way has the ability to read it (Gutmann, 1999, p. 1). Giving consumers a false sense of security is worse than no security at all. Many smaller companies offer no security at all during purchases, at the customer's risk. This is why the majority of Internet users are concerned about their privacy, and their concern is valid.
What can customers do to protect themselves and their data? There are many things they can do, but none of them can provide the ultimate level of security. Internet users in the United States can do a few simple things to make their shopping much more private and secure. Clearly, when making an online transaction, it is prudent to make sure the key or lock is present in the browser window (if you are using Netscape or Mosaic). Another thing shoppers should check is the company's privacy and security policy. If a company does not have a privacy and security policy, it is not a good idea to buy anything. Furthermore, Internet shoppers should check the company's security policy and make sure it states that credit card information will never be sent over the Internet unencrypted. Once the shopper is confident in the merchant's security measures, the highest level of security should be used. The two most popular web browsers offer 128-bit encryption, the highest level of consumer security available in the United States. Replay Associates (http://www.zedz.net) operates a web page where 128-bit versions of Mosaic and Netscape can be downloaded free of charge. To be safe, shoppers should not even consider buying products internationally over the World Wide Web, because the United States government does not allow the export of 128-bit encryption for national security reasons (Stein, 1999, Q58). Furthermore, Internet users should upgrade their browsers to the newest versions and check often for security updates. Customers that follow all of these suggestions can feel a little safer when conducting business over the Internet, but not completely secure.
The number of people using the Internet for shopping is growing. This growth has created a new breed of crooks who steal credit card and personal information and use it for their own gain. There is no such thing as a truly secure connection, and standard SSL connections are not very secure at all. Internet shoppers should be aware of these security risks, and take all possible countermeasures to keep their commerce experiences as safe as possible. Internet commerce is not as secure as it might seem, but there are steps that can be taken to make it a much safer experience.
Works Consulted
Cobb, S. (1999). Security Issues in Internet Commerce. [On-Line]. Available: http://www.isca.net/library/research/intsec2.shtml
Baskin, C. (1999, December). E-Shoppers of the World Unite! PC World, 17, p. 19.
Doligez, D. (1999). SSL Challenge Virtual Press Conference. [On-Line]. Available: http://pauillac.inria.fr/~doligez/ssl/press-conf.html
Federal Trade Commission. (1999, July). Self-Regulation and Privacy Online: A Report to Congress. Washington, DC: Author.
Ghosh, A. (1999, September). Developing Secure Business Application Logic for E-Commerce. [On-Line]. Available: http://www-4.ibm.com/software/developer/library/securelogic/
Gutmann, P. (1999). Secure Internet-based Electronic Commerce: The View From Outside the US. [On-Line]. Available: http://www.cs.auckland.ac.nz/~pgut001/pubs/icommerce.pdf
Kabay, M. E. (1999). Identification, Authentication, and Authorization on the World Wide Web. [On-Line]. Available: http://www.isca.net/library/research/iaawww.shtml
Mencik, S. (1999). Are Secure Internet Transactions Really Secure? [On-Line]. Available: http://jsweb.net/paper.html
Netscape Communications Corporation. (1999). Introduction to SSL. [On-Line]. Available: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
PricewaterhouseCoopers LLP. (1999). Security Basics: A Whitepaper.
Stein, L. D. (1999, September 13). The World Wide Web Security FAQ. [On-Line]. Available: http://www.w3.org/Security/Faq/
Ziff-Davis Inc. (1999). The Standard for Internet Commerce. [On-Line]. Available: http://www.commercestandard.com/