Breaking the Code and Confidence

By Bill Bittner, president, BWH Consulting

On Tuesday, one of the front page stories in The Wall Street Journal concerned the breaking of a popular encryption technique used by many Internet applications to ensure
data integrity. ChoicePoint, the personal data aggregator, and DSW, the discount shoe retailer, have both recently admitted to breaches in their customer screening or internal
security procedures that made information from their databases available that should not have been provided.

The breach described in the WSJ relates to the algorithm (called SHA-1) used to ensure authenticity of individuals and data. By associating the algorithm with a “signature,”
the receiving party can assure themselves that the sender is who they claim to be. This is often used to detect “phishing,” where another party pretends to be an authentic Internet
site. The algorithm is also used to ensure a document has not been changed since it was created. This prevents repudiation by the author and assures the reader it is accurate.

Companies have relied on encryption technology to build Virtual Private Networks (VPNs) that are created by sending encrypted data into the “Internet cloud.” Their faith in the
privacy and security provided by VPNs gives them the confidence to send money transfers, stock transactions, and other critical transactions through a common channel that millions
of other computers can access.

Broadband connections are making the use of the Internet easier for consumers. This has encouraged them to use the Internet for purchases, banking, financial management and personal
research. This enthusiastic acceptance of the Internet has changed the way people conduct their lives.

Moderator’s Comment: Will the fear of lost security put a chill on consumers’ enthusiasm for shopping and submitting personal information over the Internet?
Is there anything that retailers should do to allay consumers’ fears? What is the government’s role?

The truth is that any encryption method is vulnerable. While encryption can make it more difficult, by its very application it must allow for decryption
and is therefore unable to provide complete protection from imposters and data corruption. The challenge is that while courts and laws have been established for policing international
business, the Internet is still the “Wild West.” International laws to trace, capture, and prosecute perpetrators all over the world are not yet in place.

Just in case we don’t have enough to worry about regarding attacks on our “physical world,” imagine the effect of a full-scale attack on the communications
network. As companies continue to expand the use of VPNs and consumers use the Internet, the impact of such an attack could be catastrophic. Imagine not being certain you are
logged into your own bank account or that the transfer you have authorized is going to the individual you intended.

There is no protection against a government-sponsored attack, but just so some private individuals don’t profit from their misdeeds, I feel this is one area
where the United Nations and the international community in general have to get together to establish laws and a means for enforcement.

Bill Bittner – Moderator

7 Comments
Warren Thayer
19 years ago

I think it already has chilled people on giving out personal info on the net. People are much more careful, but they’ve come to depend on the Internet. So I don’t think we’ll see major changes in existing behavior. Sad to say, we’re back to the catastrophic fears I recall from the days of crawling under my desk in grade school, “preparing” for the Russian A-bomb attack. I expect major future terrorist attacks, and I expect major catastrophic events with the Web and ID theft, etc. We’ll work as hard as we can to prevent it, but it just seems inevitable. The only viable alternatives (moving to Tasmania? building a bomb shelter?) don’t appeal. So I’ll go on as I have, like most people. It’s largely beyond my sphere of influence.

David Hudson
19 years ago

As a computer person in a past life, I have to confess that I am both dismayed and heartened by recent developments.

The consolidation of data on thousands of people and the ease of transporting that information around the world in seconds should engender some concern. We all, in one form or another, rely ever more on our increasingly interconnected world. There are plenty of bad scenarios, from inconvenient (credit card theft) to scary (identity theft) to doomsday (crashing the internet). Like Warren, I believe the truly scary things are largely out of [our] sphere of influence. I am a firm believer in the old adage that the defense will always be one step behind the offense.

However, it is our job as citizens and consumers to force our governments and vendors to stay only ONE step behind. More often than not in these well publicized events, the culprit is ignorance of basic security measures or simple negligence. Maybe there will be enough small disclosures to give us time to get it right.

Frankly, the odds of your next waiter or clerk stealing your credit card number are much higher than someone choosing your number from a list of thousands off a website listing stolen cards. The sheer volume of data protects you.

There is cause for caution, but not for alarm. It’s not too late to try taming the ‘Wild West.’ If we don’t, it will only get worse. Then we will all surely have reason to be afraid.

Ted Gladson
19 years ago

The impact will be directly proportional to the amount of press the breaking of the encryption gets. If this gets coverage on local news and local newspapers, then the impact will be greater. Most people who would be affected by this don’t read the Wall Street Journal. If this information is widely distributed, then it will have a great impact on e-commerce sites. Many people already have a basic distrust of Internet security. The ones who are just beginning to try shopping on the Internet will probably stop.

Al McClain
19 years ago

The toothpaste is out of the tube on this one, and there is no going back – the Internet is here to stay. Just like other forms of communication/transportation like phones, air travel, TV, etc., there are some downsides. Each time a problem occurs, people and companies will get hurt physically and/or financially, and corporations and the government will make course corrections. The least prepared consumers will get hurt the most.

But people who are disinclined to use the Internet because of privacy worries are those who would be the least prepared to run anti-virus, anti-spyware software routinely anyway, and be most vulnerable to scams. In a nutshell, it will all sort itself out; the good guys will be ahead of the crooks 99% of the time, and the Internet will continue to see double digit e-commerce growth.

Jeff Weitzman
19 years ago

I’m with the glass-half-full crowd. I believe consumers’ fear will be inversely proportional to the ability of “the system” to protect them when data is stolen. For example, we probably all blithely hand over our credit cards in restaurants, where someone we don’t know disappears with it for a few minutes. We know, however, that if false charges appear, our liability is limited to $50 and the credit card company is pretty good about investigating and clearing our account.

I think people are less concerned that someone knows their age than they are with identity theft. If consumers could be assured that there was a straightforward, expeditious process for notifying them of suspicious activity, stopping it, and correcting it, without damage to their credit or great disruption of their lives, the problem would be a mere nuisance, not a horror.

We will never stop the breaking of encryption codes, but we have a long way to go in addressing the fallout of information theft.

Bernice Hurst
19 years ago

Another day, another scare. Some people may take it to heart and decide that the internet is one risk too many but others will just chalk it up to life. There are big buses and bears to be afraid of as well as terrorists and tsunamis. Yep, there are bad guys out there no matter who does what and although it makes sense to try and minimise the threats they pose, they will never be stopped altogether. Expecting governments worldwide and international agencies to come up with laws and to enforce them is just a way of passing the buck. It can never happen, no one can protect everyone all of the time. But I do think that if Bill Bittner or anyone else has a specific suggestion that will solve the problem, they should either pass it on to the authorities with the wherewithal to implement it or do it themselves and enjoy the massive profits they would reap.

M. Jericho Banks PhD
19 years ago

Here’s the business solution you’ll see fairly soon: Consumers will be able to create “shopping Avatars,” non-personal identities for anonymous Internet surfing and online shopping. Avatars are independent, accessible by consumers but not traceable back to consumers. Basic payment information is not given to the Avatar until the user logs in and enters it, thus verifying the purchase. After processing each purchase, the payment information is erased. Like a firewall, information can be sent to the Avatar, but the Avatar cannot send information back. It has to be accessed directly, like a Post Office Box.