Cybersecurity

Five short years ago, the subject of Internet security would have been considered a ridiculous little piece of nerdsmanship for Microsoft's Bill Gates or Apple's John Scully to pontificate on at company meetings. Back then, the Internet was not a part of most people's consciousness, and not many had bought their children's underwear using a modem and a series of keystrokes. But we do now, or at least Richard Stiennon does. Stiennon, who works for Netrex, an Internet security consulting firm in Southfield, Mich., hates going to discount chains and prefers to buy briefs in the most brief manner available to him -- via the World Wide Web."Maybe I don't have a good focus on how everybody else's life is, but it seems like everybody I talk to is extremely busy all the time," Stiennon said."We just don't have the time to run out and buy a commodity like, for instance, underwear for our kids. You always have problems buying size 6, Hanes underwear. You have to go to K-Mart, and you don't like going to K-Mart -- such a waste of time."So, why not punch it up on the Internet and order it mailed to you? If I can buy it on the Internet, I do."This is probably not what a group of government technicians had in mind when they set up what would become the Internet in 1969. Then again, there was no such thing as a personal computer in those days -- computers were room-sized behemoths common only to IBM, AT&T and the "military industrial complex."But in 1997, one-third of all American households have a personal computer. In the last three years, a significant percentage of those households have subscribed to an on-line service such as America Online or an Internet service provider and have begun a somewhat furtive adventure into cyberspace. They're e-mailing Grandma, checking their stock prices and downloading photographs of Jenny McCarthy illegally purloined from the pages of Playboy.And they're buying stuff. Floral companies such as Teleflora and FTD now provide an alternative to placing a phone call and hoping the florist on the other end comes up with a close approximation of your order. Now, you look at a scanned photograph of a floral arrangement, plug in the delivery address, your credit card number and -- presto! -- your anniversary worries are over.You can buy two and a half gallon cans of popcorn, compact discs and formal clothing on-line, but there is something intrinsically scary about typing in your credit card number, hitting the "return" button and watching a closely guarded secret seemingly slip through your fingers. You didn't even get to sign a credit slip.There is a mantra forming on the lips of those who work closely with the Internet. It takes various forms, but it usually involves the word "waiter" and is designed to quell our fears about putting our money where our mouse is."I think I would rather give my credit card number over the Webthan give it over the phone, or give it to the $5-an-hour waiter," said Anne-Marie Funk, a partner in NStar Systems, a Norman-based Websystems design firm."It can be taken in both places."Look out, here it comes again -- this time from Ed Rosenfeld, publisher of BusinessTech, a monthly on-line business magazine."What we like to say at BusinessTech is, 'If you're willing to give your card to a waiter or waitress, you have no worries about the Internet,' " he said.This might be true -- after all, when the waiter takes your card and goes behind a partition, he or she could be getting ready for an evening of buying costume jewelry on QVC with your Visa. But there are reasons to be concerned about Internet commerce -- it's a new medium, there are a lot of kinks to be worked out and security systems are not as commonplace as they should be.Eli Singer, U.S. president of Memco Software, a Tel Aviv-based computer security firm, said truly secure commercial sites are still somewhat rare."My estimate is that it's a fairly small number," Singer said."Most of them are just trying to analyze the risk. If customers knew how accessible this data is on the network, many of them would probably shy away from doing business on it."Consumer confidence in Internet purchasing has been increasing in recent months, and sales over the Internet are expected to reach $6.6 billion by 2000. Funk believes this confidence in on-line credit purchasing is due to a strong public relations campaign on the part of the two largest distributors of Internet software, Netscape and Microsoft."I think there has been a public relations effort by people who control some of the big sites on the web, like Microsoft and Netscape, and part of that is also selling what's called secure servers, where you have encryption in both directions," Funk said. "But, what I think Netscape has done, they have made it known that if you're going to go to a secure site, one where you can feel confident in giving information, there's a little key down in the lower left. Anything simple like that does a lot for people's confidence."While there is a measure of security coming from such commercial servers, many companies are not providing much protection specifically for their own sites and, by proxy, their credit card customers. Stiennon said most of these companies feel that, because of the expansive, almost anarchy-like nature of the Internet, they will not be easy targets for computer crime."They have a problem," Stiennon said."They are depending on security by obscurity. Nobody knows they're on-line, so they're not a target for hackers, and they're depending on that obscurity to protect them."Stiennon cites a recent survey of 2,000 Internet sites in which 60 percent did not have any security systems. He said those 1,200 sites are just waiting to be victimized by that modern-day pirate known as the hacker."We're in the security business, and we say, 'Sooner or later, you're going to be hacked,' " he said.The most common and reliable Internet security system is known as a "firewall," which consists of an auxiliary computer server programmed to evaluate all connections and determine, based on the site owner's specifications, if the customer meets criteria for entering the system. A firewall can be designed to restrict access to particular areas of a site, such as a database in which thousands of credit card numbers are stored. This way, outsiders entering a particular site are limited to specific information -- credit card numbers can check in, but they can't check out.Unfortunately, many companies have not invested in such technology, either out of sheer lassitude or because the price is too high. "There's two price ranges," Stiennon said."One is a good system that is probably a $35,000 investment for hardware and software. Then, when you look at high availability, a dual firewall (a system in which a backup server operates in the event of a primary server crash). Those are usually in the $100,000 range. "For Ford Motor Company, it's chump change. For the on-line tobacco shop, it's their biggest investment."There is a reason for such an investment. Popular mythology spurred by films and television dictates that a hacker intercepts a credit card number while the hapless victim enters it on his or her keyboard. However, a resourceful hacker will go directly to the database in which all those account numbers reside. "I don't think the credit card fraud that's about to be perpetrated on them potentially is not from somebody lurking and waiting for them to enter their credit card," Rosenfeld said."It is more likely going to be a rogue, pirate individual who's going to amass hundreds of thousands of credit card numbers through some nefarious act."Singer agrees."They will not waste their time intercepting one credit card number at a time on the network," he said."What they will do is go to any one of those vendors on the network, find the database with all of the credit card numbers and steal the entire base -- 50,000 of them."A firewall system will adequately protect the company and its customers from being hacked by an outside criminal. Unfortunately, a firewall won't protect that cache of numbers from a uniquely Nineties corporate villain, the disgruntled employee. "So, the real jewels here are the entire databases of credit card numbers that each vendor holds. Who's after these?" Singer asked."By far, most of your risk for breaches or break-ins comes from inside, people who have access to your network. Over 70 percent of security breaches are from insiders."Singer's company, Memco, designs systems to protect such valuable material. These systems consist of a firewall and a series of security operating systems (SeOS) that compartmentalize the site and, as an example, don't allow the company's computer technicians to get into accounting files. While a multi-tiered system such as this can be very expensive, some large companies dealing in high-volume Internet transactions could see value in such a venture."It's very similar to a bank building a safe," Singer said. "You still want to lock your doors and windows and have your security guards. But you put your important stuff, the key stuff, in the safe. The teller who works in the bank cannot get access to it, and if somebody breaks through the window or the wall, they still have to break into the safe."While this seems like a complicated scenario, there are many parties interested in making Internet transactions as simple as handing money to a cashier and taking your groceries home. The first and most obvious group is consumers. For those who want to achieve full security on their end of the transaction, there are encryption programs, such as PGP, that can be downloaded from the Internet. In addition, there is computer hardware available that will encrypt your data before it passes to your modem.The merchants themselves, if they are educated on the issues, also are interested in security, since it could mean the difference between success and failure for their commercial Websites. But the entities that are the most reliant on Internet security for their future survival are the credit card companies themselves, and many pundits believe the onus for security rests squarely with Visa, MasterCard, Discover and American Express. It's true that the card companies take some of the sting off credit card fraud by charging customers a maximum of only $50 for such fraudulent transactions, but no successful company would want to absorb such negative points for very long."It should be the credit card companies that take the lead on this," Rosenfeld said."They have the most to lose and the most to gain."The credit card companies seem to have taken a proactive stance recently by testing in Europe what could become the standard Internet secure transaction procedure. On Dec. 30, IBM, MasterCard and Danish Payment Systems conducted an experiment using the Secure Electronic Transaction (SET) protocol. At 5:04 a.m. EST, IBM's Nordic director, Carl Aegidius, bought a copy of Stephen King's "Rose Madder" from the first SET-certified merchant on the Internet, Lademanns Forlag, in Denmark.To make the transaction, Aegidius used a Eurocard/MasterCard and an attached, electronic certificate, which confirmed the identity of both Aegidius and the participating merchant.Steve Mott, senior vice president of electronic commerce and new ventures at MasterCard, said the SET, which also involves Visa International as a participant, soon will become the industry standard."We at MasterCard feel the industry-standard SET will provide a platform on which our member institutions can build a secure electronic commerce system," Mott said.Despite the positive claims by MasterCard brass, Stiennon believes a transaction can only be truly secure if payment is merely verified by the merchant and the account number goes straight to the merchant's bank. "In theory, the merchant doesn't even have to have access to the credit card number -- the computer handles transmitting it to the bank. So it might cut out the biggest risk, which is the merchant," Stiennon said.While such theories have yet to be proved viable, Rosenfeld believes the SET protocol, in its current form, is a step in the right direction."There's still a couple of wrinkles to be worked out," Rosenfeld said. "SET isn't set in stone yet, but it's the closest thing we have."The next few years will be pivotal ones for those who do business on the Internet. Rosenfeld believes that if the major credit card companies can refine their work on SET, the banks with which these companies work will follow suit, and a far greater level of security will be available to consumers."I think what will drag everything, kicking and screaming, into some sort of standardized unification are going to be the big credit card companies, MasterCard International and Visa International," Rosenfeld said. "If the credit card companies get it together and agree on a standard and can work out all the wrinkles, then there is no reason for people not to jump on board. Then, suddenly, this becomes a greased skid."Of course, there will be those who will never trust the Internet to be their electronic shopping companion. Seeing that credit card number disappear into nowhere always will seem disconcerting to some (plus, you can never try anything on in cyberspace). However, Rosenfeld thinks the old way of credit purchasing was far worse."I remember several years ago, before there were carbonless copies, I used to cringe when I was buying something at the clothing store. They would tear out these carbons and kind of blithely let them slip into the garbage pail," he said.To ensure that your cybercarbons don't end up in unscrupulous hands, the National Fraud Information Center in Washington, D.C., encourages Internet shoppers to tread lightly on the info highway. On a tip sheet available through the center's Website, http://www.fraud.org, shoppers are told to ask merchants over the phone if their Internet sites have security systems and if they use SET software, when it becomes available, and are advised to be wary of flashy Websites. "Remember," the posting reads, "a sophisticated World Wide Web site does not guarantee its legitimacy."At any rate, this could be the primary method of making transactions in the very near future, a method Rosenfeld said is being ramrodded by the U.S. government. He said the federal government has set new guidelines for vendors doing business with federal agencies in the near future, and despite conservative estimates by leading bankers, we could all be making computerized transactions in the very near future. "The U.S. government has an edict out that to do business with the government by 1999, you have to do it electronically," Rosenfeld said."That's for all vendors, suppliers or others. "On the one hand, (Federal Reserve Chair) Alan Greenspan says we're a couple of decades away from electronic commerce. John Reed of CityCorp says it will be 2050 before we have electronic commerce. On the other hand, the federal government is setting up something so that, in two years, we better have electronic commerce."If that becomes reality, Rosenfeld said most problems with Internet security will become a thing of the past, along with those green pieces of paper you used to carry in your wallet."If I would say anything about the whole issue of security and commerce on the net, I would say this may seem gradual, but in two or three years we'll look back on all this and say well, that was quite quaint," he said."We were just getting the ducks in the row."

Enjoy this piece?

… then let us make a small request. AlterNet’s journalists work tirelessly to counter the traditional corporate media narrative. We’re here seven days a week, 365 days a year. And we’re proud to say that we’ve been bringing you the real, unfiltered news for 20 years—longer than any other progressive news site on the Internet.

It’s through the generosity of our supporters that we’re able to share with you all the underreported news you need to know. Independent journalism is increasingly imperiled; ads alone can’t pay our bills. AlterNet counts on readers like you to support our coverage. Did you enjoy content from David Cay Johnston, Common Dreams, Raw Story and Robert Reich? Opinion from Salon and Jim Hightower? Analysis by The Conversation? Then join the hundreds of readers who have supported AlterNet this year.

Every reader contribution, whatever the amount, makes a tremendous difference. Help ensure AlterNet remains independent long into the future. Support progressive journalism with a one-time contribution to AlterNet, or click here to become a subscriber. Thank you. Click here to donate by check.

Close
alternet logo

Tough Times

Demand honest news. Help support AlterNet and our mission to keep you informed during this crisis.