Quinn, Jane Bryant. Http://www.jbq.ok.com: the Internet is safer for
     business than you think. Your password is the weakest
     link.(Column). In Newsweek Oct 14 1996, v128, n16, p71(1). 


The Internet is safer for business than you think. Your password is   
the weakest link.                                                     
                                                                      
LAST WEEK I DROPPED INTO MY NEW FAVORITE bookstore:                   
http://www.amazon.com. That's an Internet shop that links me to 1     
million books in print. In just a couple of minutes, I checked the    
reviews for "Climbing Mount Improbable," ordered it at 30 percent off 
the cover price, poked around for something else I might want to read 
(books are my vice), paid by credit card and got back to work.        
                                                                      
My little transaction is worth a mention because I don't cyberbrowse  
for sport. By the time I adopt a technology, a lot of others are      
doing the same. The Net supported an estimated $200 million in        
commerce last year. Five years from now, that's going to look like    
pocket change. Already, there's a bank that exists entirely online:   
Security First Network Bank (www.sfnb.com).

Two things have held Net commerce back: access and security. The
World Wide Web created access by organizing vendors into storefronts  
with addresses. To locate a product or service, you go through a Web  
"browser," such as Netscape Navigator or Microsoft Internet Explorer. 
They've made it possible to have electronic Yellow Pages. You can ask 
for "bookstores" and get a description of 500 sites, along with their 
Internet addresses.                                                   
                                                                      
Hacker horror: Security is the scary part. When you type in your
credit-card number, is someone waiting to grab it? We've all read     
headline stories about computer-network theft. There was the hacker   
in Russia whose gang lifted $400,000 from Citibank. And the kids on   
New York's Long Island who stole some credit-card numbers and went on 
a $100,000 shopping spree.                                            
                                                                      
Don't let these incidents put you off. When prudently used, the Net   
today is safe enough for personal shopping, investing, even banking   
online. Citibank made its customers whole, as it would after any      
heist. You're at greater risk when you hand your credit card to a     
waiter than when you use it to shop by computer, provided that your   
electronic business is handled entirely in code.                      
                                                                      
Careful coding is the key. Without it, any clever snoop can watch or  
alter your transactions. If you're using Netscape Navigator, look for 
a picture of a key in the lower corner of your screen. Insecure       
connections display a broken key; secure connections, a whole one.    
With Internet Explorer, a lock pops up when the line is safe. No      
security expert NEWSWEEK consulted would do a credit-card transaction 
over an open line. But they did point out that you're liable for only 
$50 in unauthorized charges if your card number is grabbed.           
                                                                      
Let's say you do business only on an encrypted line. How secure is    
it, really? This is two questions, not one. How impenetrable is the   
code, and how do you know that amazon.com is really the bookstore and
not a dominatrix ring?                                                
                                                                      
Security experts say that, at present, encryption is looking pretty   
strong. Some codes seem almost unbreakable. Others aren't worth the
time and cost that deciphering them would take--at least, not for     
small transactions.                                                   
                                                                      
Say, for example, that you reach your bank online. Every time you     
dial up, the system generates a new and secret number to protect that 
one transaction. Some numbers are so long (128 zeros and ones) that   
it would take most of the world's computing power to test all the     
combinations. Shortcuts have been found to break shorter numbers, in  
the 40-digit range. But what's the point? The next time you call, a   
different number will come up.

Even with strong codes, however, a vendor can carelessly blow holes
in its own security system. "We're just waiting for the massive fraud 
that takes down a brokerage house or Internet company," says security 
expert Peter G. Neumann of SRI International in Menlo Park, Calif.    
We're all exposed to that sort of risk, whether we use the Net or     
not. But bank and brokerage accounts have other layers of protection. 
Losses may be reimbursed by federal deposit insurance or the          
Securities Investor Protection Corp.                                  
                                                                      
To try to give people confidence in who's at the other end of the     
wire, the Net has developed what it calls "certification." A trusted  
firm certifies that amazon.com is indeed the bookstore, and issues it 
an online ID. If the certifier errs, it may be liable for any money   
you lose. Netscape users can find a firm's certificate by clicking on 
the little picture of the key. Internet Explorers should search
"File." You may have to get an ID, too.

A sniffer: Even more security is in the works. In about six months,
you'll start seeing transactions protected by a new system called     
SET. It lets you charge things to a credit card without showing       
anyone the number. That should foil today's online "sniffers" that    
steal card numbers electronically. Your number will also be hidden    
from dishonest merchants or employees. As a bonus, SET prevents       
merchants from monkeying with the price.                              
                                                                      
Then there's S/MIME, coming up by the end of the year. S/MIME lets    
customers send encrypted e-mail (orders, letters, invoices) that      
reproduce in a standard way on any machine. That will give Internet   
commerce an enormous boost, predicts Mack Hicks, a specialist in      
information security for the Bank of America, which opened an         
Internet branch (www.BankAmerica.com) last June. Every new version
of Netscape Navigator or Internet Explorer will offer the latest      
security tricks, so load it into your machine. Hicks thinks that      
people will learn to trust the financial side of the Net at work,     
then start using it at home.                                          
                                                                      
The best advertisement for the Net is that many security experts      
themselves do financial transactions on well-encrypted lines. Prof.   
Doug Tygar at Carnegie Mellon in Pittsburgh, for example, says that   
he uses credit cards there and may open a bank account when online    
services get more sophisticated.                                      
                                                                      
The weakest point in the Net today isn't the infrastructure; it's     
you. World-class encryption won't help the klutzes who post their     
passwords on their computers or leave the workplace without logging   
off. If you're thinking of trying an online bank or stockbroker, ask  
what the policy is if someone finds your password and messes with     
your account. Check your statement online a lot. A quick response to  
an error usually gets it fixed.

COPYRIGHT 1996 Newsweek Inc.