Back to index
Quinn, Jane Bryant. Http://www.jbq.ok.com: the Internet is safer for
business than you think. Your password is the weakest
link.(Column). In Newsweek Oct 14 1996, v128, n16, p71(1).
The Internet is safer for business than you think. Your password is
the weakest link.
LAST WEEK I DROPPED INTO MY NEW FAVORITE bookstore:
http://www.amazon.com. That's an Internet shop that links me to 1
million books in print. In just a couple of minutes, I checked the
reviews for "Climbing Mount Improbable," ordered it at 30 percent off
the cover price, poked around for something else I might want to read
(books are my vice), paid by credit card and got back to work.
My little transaction is worth a mention because I don't cyberbrowse
for sport. By the time I adopt a technology, a lot of others are
doing the same. The Net supported an estimated $200 million in
commerce last year. Five years from now, that's going to look like
pocket change. Already, there's a bank that exists entirely online:
Security First Network Bank (www. sfnb.com).
Two things have held Net commerce back: access and security. The
World Wide Web created access by organizing vendors into storefronts
with addresses. To locate a product or service, you go through a Web
"browser," such as Netscape Navigator or Microsoft Internet Explorer.
They've made it possible to have electronic Yellow Pages. You can ask
for "bookstores" and get a description of 500 sites, along with their
Hacker horror: Security is the Scary part. When you type in your
credit-card number, is someone waiting to grab it? We've all read
headline stories about computer-network theft. There was the hacker
in Russia whose gang lifted $400,000 from Citibank. And the kids on
New York's Long Island who stole some credit-card numbers and went on
a $100,000 shopping spree.
Don't let these incidents put you off. When prudently used, the Net
today is safe enough for personal shopping, investing, even banking
online. Citibank made its customers whole, as it would after any
heist. You're at greater risk when you hand your credit card to a
waiter than when you use it to shop by computer, provided that your
electronic business is handled entirely in code.
Careful coding is the key. Without it, any clever snoop can watch or
alter your transactions. If you're using Netscape Navigator, look for
a picture of a key in the lower corner of your screen. Insecure
connections display a broken key; secure connections, a whole one.
With Internet Explorer, a lock pops up when the line is safe. No
security expert NEWSWEEK consulted would do a credit-card transaction
over an open line. But they did point out that you're liable for only
$50 in unauthorized charges if your card number is grabbed.
Let's say you do business only on an encrypted line. How secure is
it, really? This is two questions, not one. How impenetrable is the
code, and how do you know that amazon.tom is really the bookstore and
not a dominatrix ring?
Security experts say that, at present, encryption is looking pretty
strong. Some codes seem almost unbreak able. Others aren't worth the
time and cost that deciphering them would take--at least, not for
Say, for example, that you reach your bank online. Every time you
dial up, the system generates a new and secret number to protect that
one transaction. Some numbers are so long (128 zeros and ones) that
it would take most of the world's computing power to test all the
combinations. Shortcuts have been found to break shorter numbers, in
the 40-digit range. But what's the point? The next time you call, a
different number will come up.
Even with strong codes, however, a vendor can carelessly blow holes
in its own security system. "We're just waiting for the massive fraud
that takes down a brokerage house or Internet company," says security
expert Peter G. Neumann of SRI International in Menlo Park, Calif.
We're all exposed to that sort of risk, whether we use the Net or
not. But bank and brokerage accounts have other layers of protection.
Losses may be reimbursed by federal deposit insurance or the
Securities Investor Protection Corp.
To try to give people confidence in who's at the other end of the
wire, the Net has developed what it calls "certification." A trusted
firm certifies that amazon.com is indeed the bookstore, and issues it
an online ID. If the certifier errs, it may be liable for any money
you lose. Netscape users can find a firm's certificate by clicking on
the little picture of the key. Internet Explorers should search
"File." You may have to get an ID, too.
A sniffer: Even more security is in the works. In about six months,
you'll start seeing transactions protected by a new system called
SET. It lets you charge things to a credit card without showing
anyone the number. That should foil today's online "sniffers" that
steal card numbers electronically. Your number will also be hidden
from dishonest merchants or employees. As a bonus, SET prevents
merchants from monkeying with the price.
Then there's S/MIME, coming up by the end of the year. S/MIME lets
customers send encrypted e-mail (orders, letters, invoices) that
reproduce in a standard way on any machine. That will give Internet
commerce an enormous boost, predicts Mack Hicks, a specialist in
information security for the Bank of America, which opened an
Internet branch (www. BankAmerica.com) last June. Every new version
of Netscape Navigator or Internet Explorer will offer the latest
security tricks, so load it into your machine. Hicks thinks that
people will learn to trust the financial side of the Net at work,
then start using it at home.
The best advertisement for the Net is that many security experts
themselves do financial transactions on well-encrypted lines. Prof.
Doug Tygar at Carnegie Mellon in Pittsburgh, for example, says that
he uses credit cards there and may open a bank account when online
services get more sophisticated.
The weakest point in the Net today isn't the infrastructure; it's
you. World-class encryption won't help the klutzes who post their
passwords on their computers or leave the workplace without logging
off. If you're thinking of trying an online bank or stockbroker, ask
what the policy is if someone finds your password and messes with
your account. Check your statement online a lot. A quick response to
an error usually gets it fixed.
COPYRIGHT 1996 Newsweek Inc.