Internet Security: How Safe are Financial Transactions on the Internet?
Yves Tchapda (05-03-05)
With the popularity of the internet, the proliferation of computers has been achieved at a
staggering pace. Many homes around the globe have access to the internet for many uses,
ranging from home education for the children to financial and commercial transactions.
Many of us are using the internet more
and more to access our bank accounts to check our balance, disable direct debits,
transfer funds, etc.
Because of its global reach, the internet is also fraught with so many risks.
We've all been aware of viruses, but
other criminal activities take place on the World Wide Web every day.
In order to respond to the threat
of having confidential information compromised, the internet has adopted
a cryptographic standard to enable
secure transactions across this global network. SSL (Secure Sockets Layer)
was developed by Netscape and is now the
standard used for secure communication across the internet.
The next section will explain the SSL protocol and explore a possible weakness.
How Does It All Work?
When a browser (Netscape or Microsoft Internet Explorer) is directed by the user
to a site where secure communication is needed,
the browser attempts
to negotiate with the secure server at the remote end. This negotiation involves exchanging
some information before the
ciphering of data is activated. The browser informs the server as to what
encryption standard it is capable
of using. The remote server then responds by communicating the encryption standard it can accept.
It also sends
a certificate for authentication. The certificate is made up of two sections:
the information part and the
encrypted signature of the certificate issuer. The browser validates the certificate
by deciphering the signature and comparing it with the hashed version of the information field.
It then uses the server's public key, given in the certificate, to encrypt a symmetric key that
will be used for encrypting
the actual data. The server uses its private key (which is to be kept secret at all times)
to decrypt the symmetric key. The standard used during this process
is usually RSA, a well-known encryption algorithm, which has proved difficult to break.
Once both parties are in possession of the symmetric key, the encryption and decryption of
data can take place.
The level of security for this communication is dependent on the length of the key. Currently,
40-bit and 128-bit keys are used. Irrespective of the length of the key,
this method of communication is known to be relatively secure.
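The exchange described in this section, as an added example that is not part of the original article: a toy walk-through of certificate validation and symmetric-key transport using textbook RSA. The key sizes, the `subject=...;n=...;e=...` information format and the name `bank.example` are assumptions made for illustration; real SSL uses padded RSA with far larger keys and X.509 certificates.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA key from two primes (toy size, no padding: illustration only)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(info, n):
    """Hash of the certificate's information field, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big") % n

def issue_certificate(info, ca_key):
    """CA side: the signature is the hash of the information part under the CA private key."""
    sig = pow(digest(info, ca_key["n"]), ca_key["d"], ca_key["n"])
    return {"info": info, "signature": sig}

def validate_certificate(cert, ca_pub):
    """Browser side: decipher the signature with the CA public key, compare with the hash."""
    recovered = pow(cert["signature"], ca_pub["e"], ca_pub["n"])
    return recovered == digest(cert["info"], ca_pub["n"])

def browser_key_exchange(cert, ca_pub):
    """Validate the certificate, then wrap a fresh 128-bit symmetric key for the server."""
    if not validate_certificate(cert, ca_pub):
        raise ValueError("signature does not match the information field")
    fields = dict(item.split("=") for item in cert["info"].decode().split(";"))
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, int(fields["e"]), int(fields["n"]))

def server_unwrap(wrapped, server_key):
    """Server side: recover the symmetric key with the private key."""
    return pow(wrapped, server_key["d"], server_key["n"])

# Constructed keys built from known Mersenne primes (hypothetical CA and server).
CA_KEY = make_key(2**89 - 1, 2**107 - 1)
SERVER_KEY = make_key(2**61 - 1, 2**127 - 1)
CA_PUB = {"n": CA_KEY["n"], "e": E}
INFO = f"subject=bank.example;n={SERVER_KEY['n']};e={E}".encode()
CERT = issue_certificate(INFO, CA_KEY)

if __name__ == "__main__":
    key, wrapped = browser_key_exchange(CERT, CA_PUB)
    print("shared key agreed:", server_unwrap(wrapped, SERVER_KEY) == key)
    altered = {"info": INFO.replace(b"bank", b"shop"), "signature": CERT["signature"]}
    print("altered certificate accepted:", validate_certificate(altered, CA_PUB))
```

Changing any byte of the information part without re-signing makes the comparison fail, which is why the browser only needs the CA's public key to detect an altered certificate.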
Where is the Weakness?
The weakness of this system (even though some would disagree) is in the issuing of certificates.
Certification Authorities (CAs) are trusted companies. They are supposed to check
the authenticity of
certificate requesters, making sure that they are who they claim to be, by checking
the validity of the domain name, the legality of the requester, etc. While this is true
in the majority of cases, some CAs have not been diligent enough,
with the potential to compromise overall security.
For example, suppose a fraudulent company mimics the
domain name of a bank such as Natwest.
Natwest's domain name is natwest.co.uk or natwest.com . Imagine the fraudulent
company adopts the domain name ntwest.com . Can you spot the difference?
This company could actually be given a certificate
by a less stringent CA. Worse, the name in the certificate could actually refer to a valid name, in
this case "Natwest Bank". The fraudulent company could then set up the server,
just waiting for someone to make the mistake in the domain name (omitting the 'a')
while attempting to access the genuine Natwest
bank's page. The fraudulent company could then record the vital information of the user,
before actually redirecting him or her to the legitimate site.
To reduce this kind of risk, it is always important, when accessing a site for secure
communication, to check the certificate issuer and make sure it is a reputable CA.
This requires some knowledge of reputable issuers. For those who make intensive use
of the internet for financial transactions,
this little knowledge could help enormously.
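A defensive check for the mistyped-domain scenario above, as an added example that is not part of the original article: it compares the hostname a user is about to visit with the domains they actually bank with and flags near misses such as ntwest.com. The function names, the distance threshold of 2 and the `www.` handling are assumptions chosen for illustration.

```python
KNOWN_DOMAINS = ["natwest.com", "natwest.co.uk"]  # the genuine names from the article

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap adjacent."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(hostname, known=KNOWN_DOMAINS, max_distance=2):
    """Return ('genuine' | 'lookalike' | 'unrelated', closest known domain or None)."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for domain in known:
        # Exact match or a subdomain of a known domain is the real site.
        if host == domain or host.endswith("." + domain):
            return ("genuine", domain)
    closest = min(known, key=lambda d: edit_distance(host, d))
    if edit_distance(host, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample inputs: the article's typo, a letter swap, and others.
    for name in ["www.natwest.com", "ntwest.com", "natwset.co.uk", "example.org"]:
        print(name, "->", classify(name))
```

A "lookalike" result means the name is one or two keystrokes away from a site the user trusts, which is the moment to stop and inspect the address and the certificate before typing any credentials.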
Spyware Attack
After so much attention having been given to computer viruses, the focus is now on dealing with
a new generation of computer threats called spyware. Spyware (adware, keyloggers, hijackers, etc.) is a piece
of code that gets into a machine, primarily through downloading some software (freeware) from a website.
Some spyware just monitors your browsing habits and builds a profile of your internet accesses. This
information is sent, using your internet connection, to another website, mainly for advertising purposes.
Spyware could also hijack your home page, so that every time you open your internet browser,
you are immediately directed to an advertisement page. It could also change your internet search options or
bombard you with pop-ups, which can be very irritating. While such software is irritating
and can considerably slow down your machine, there is a more sinister category of spyware, whose purpose is
to covertly steal confidential information and pass it on to another shady site. Some of this spyware
is actually in the form of keyloggers, which monitor all keys that are typed on a keyboard,
with the information
relayed to the perpetrator. This is particularly dangerous to all those who rely heavily on online
banking for their financial transactions. This code intercepts login information, passwords, and
other vital data, before they go through the encryption mechanism. An example of this was used in an
attempt to steal more than £220 million from a Japanese bank in London.
A number of ways exist to deal with this threat. There is software that can
detect and remove spyware. Spybot and the Microsoft AntiSpyware program
are good candidates for cleaning an infected machine. However, they need updating regularly
to be effective, as new strains of spyware
are constantly being developed. As it is always said, prevention is better than cure.
The best way to prevent infiltration in the first place is to avoid using
Microsoft Internet Explorer. Spyware exploits security
weaknesses within Internet Explorer to penetrate a machine, through the use of Microsoft ActiveX technology.
I personally do not touch Internet Explorer (also for different reasons). I use Firefox, which can be
downloaded, free of charge. If Internet Explorer has to be used, it is important to turn up the security options,
by disabling the downloading of ActiveX enabled code, or at the very least, set it so that you are prompted
before any downloading of such components.
Cookies, Cookies, Cookies
A cookie is a piece of data that is stored on your machine when you visit a website, mainly to
enable the server to gain access to some information, without you having to re-enter that information again
and again.
For instance, when you log in, the server could store the login details on your machine, so that
when you subsequently access the server, you don't have to input that information again.
This is also true when you set some preferences on a page that is frequently visited. It is important
to note that a cookie
can only be accessed by the website that created it. Although cookies can be turned off on
your browser, some sites may not operate properly without them, as they heavily rely
on cookies. Yahoo is one of them.
However, just like television, online companies are making more and more use of advertisement
agencies. These agencies insert some code on their client's websites, so that when the user browses
a company's website, this code (in the form of JavaScript, a one-pixel image, etc.) stores some cookies on the
user's machine. These are subsequently used for well-targeted advertisement images.
Such cookies are referred to as third party cookies. Although cookies are in general
harmless, for some people, this is a violation of privacy, given that most users are unaware
of what is happening within their internet connection.
First party and third party cookies can be controlled in the browser. The user
could decide to turn them off, or selectively choose which cookies to accept or reject.
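How a third-party cookie links visits to different sites even though each cookie is only returned to the site that set it, as an added example that is not part of the original article. The hostnames are placeholders, every simulated server simply sets an id cookie when it receives none, and "third party" is decided by a plain hostname comparison rather than a browser's real rules; all of these are assumptions.

```python
def domain_match(host, cookie_domain):
    """A cookie goes back only to the domain that set it, or to its subdomains."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

class Browser:
    def __init__(self, block_third_party=False):
        self.jar = {}        # cookie domain -> cookie value
        self.seen_by = {}    # server host -> [(cookie received, page being visited)]
        self.block_third_party = block_third_party

    def request(self, host, page_host):
        sent = [v for d, v in self.jar.items() if domain_match(host, d)]
        third_party = not domain_match(host, page_host)
        self.seen_by.setdefault(host, []).append((sent[0] if sent else None, page_host))
        # Constructed server behaviour: set an id cookie when none was sent.
        if not sent and not (third_party and self.block_third_party):
            self.jar[host] = f"id-{len(self.jar) + 1}"
        return sent

    def visit(self, page_host, embedded=()):
        self.request(page_host, page_host)      # the page itself (first party)
        for host in embedded:                   # scripts or one-pixel images
            self.request(host, page_host)

def tracker_profile(block_third_party):
    """Visit two unrelated sites that embed the same advertising host."""
    browser = Browser(block_third_party)
    browser.visit("shop.example", ["ads.tracker.example"])
    browser.visit("news.example", ["ads.tracker.example"])
    return browser.seen_by["ads.tracker.example"], browser.jar

if __name__ == "__main__":
    for block in (False, True):
        seen, jar = tracker_profile(block)
        print("third-party cookies blocked:", block)
        print("  advertiser saw:", seen)
        print("  cookies stored for:", sorted(jar))
```

With third-party cookies accepted, the advertiser receives the same id on the second site and can join both visits into one profile; with them rejected, it sees two anonymous requests while the first-party cookies keep working.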
In the light of issues outlined in this article, it is now imperative for users
who intensively make use
of the internet for financial transactions, or any other form of confidential
communication to constantly keep
informed and update their protection software. Just as you would not go out, leaving your door
open, do not leave your computer exposed. The internet is a huge jungle, with so many beasts ready to pounce!