Breaking the Code and Confidence
By Bill Bittner, president, BWH Consulting
On Tuesday, one of the front page stories in The Wall Street Journal concerned the breaking of a popular encryption technique used by many Internet applications to ensure
data integrity. ChoicePoint, the personal data aggregator, and DSW, the discount shoe retailer, have both recently admitted to breaches in their customer screening or internal
security procedures that made information from their databases available that should not have been provided.
The breach described in the WSJ relates to the algorithm (called SHA-1) used to ensure authenticity of individuals and data. By associating the algorithm with a “signature,”
the receiving party can assure themselves that the sender is who they claim to be. This is often used to detect “phishing,” where another party pretends to be an authentic Internet
site. The algorithm is also used to ensure a document has not been changed since it was created. This prevents repudiation by the author and assures the reader that it is accurate.
Companies have relied on encryption technology to build Virtual Private Networks (VPNs) that are created by sending encrypted data into the “Internet cloud.” Their faith in the
privacy and security provided by VPNs gives them the confidence to send money transfers, stock transactions, and other critical transactions through a common channel that millions
of other computers can access.
Broadband connections are making the use of the Internet easier for consumers. This has encouraged them to use the Internet for purchases, banking, financial management and personal
research. This enthusiastic acceptance of the Internet has changed the way people conduct their lives.
Moderator’s Comment: Will the fear of lost security put a chill on consumers’ enthusiasm for shopping and submitting personal information over the Internet?
Is there anything that retailers should do to allay consumers’ fears? What is the government’s role?
The truth is that any encryption method is vulnerable. While encryption can make it more difficult, by its very application it must allow for decryption
and is therefore unable to provide complete protection from imposters and data corruption. The challenge is that while courts and laws have been established for policing international
business, the Internet is still the “Wild West.” International laws to trace, capture, and prosecute perpetrators all over the world are not yet in place.
Just in case we don’t have enough to worry about regarding attacks on our “physical world,” imagine the effect of a full-scale attack on the communications
network. As companies continue to expand the use of VPNs and consumers use the Internet, the impact of such an attack could be catastrophic. Imagine not being certain you are
logged into your own bank account or that the transfer you have authorized is going to the individual you intended.
There is no protection against a government-sponsored attack, but just so some private individuals don’t profit from their misdeeds, I feel this is one area
where the United Nations and the international community in general have to get together to establish laws and a means for enforcement.
– Bill Bittner, Moderator