The Nuts and Bolts of Information Security Part 4: Myths and More

    February 20, 2004

If you’ve been following these articles and thinking about all of the things you should be doing to protect information, your brain is probably on fire by now. This is the forth and final installment and we have only have just touched on some of the possible risks to your vital information.

Don’t worry, protecting information is a matter of creating security layers and that is done over time. Make a list of objectives and assign priorities based on actions that will patch the biggest holes in the least amount of time at the lowest cost.

The first article exposed some of the risks and suggested that a risk management program should be set up to create policy. This is your first step. It will make you aware of your vulnerabilities by identifying vital information and creating procedures and methods for protecting that information. This cost you practically nothing.

The second article covered the CISP (Cardholder Information Security Policy) being instituted by the credit card acquiring networks. Even if you aren’t running a storefront making credit card transactions, you should find that much of the information provided there is useful across the board.

The third installment described a number of site and form design practices that should be followed. Certainly, if you have a large Web site, upgrading can be a daunting task. This is why you need a management plan to identify the areas of greatest risk and fix those first.


CISP is a misnomer! It could more accurately be called MAPP (Merchant Acquirer Protection Policy). After all, who is being protected? The cardholder already has a maximum exposure for card misuse of $50 and for some newer card issues, no liability at all. So what’s this about Cardholder Security? CISP is about protecting the acquiring merchant bank from exposure so they can pursue agressive marketing programs. This agressiveness isn’t all bad, though. It does put more buying power in the hands of the consumer with more confidence to make on-line purchases. Consequently, the on-line merchant benefits; unfortunately for the small merchant, the burden increases.


SSL (Secure Socket Layer) is the commonly used protocol solution to encrypting data while in transit on the Internet. This protocol is enabled with a digital certificate installed on a server. The certificate serves two functions: It should verify that the host domain is who they say they are and it encrypts the data traveling back and forth between your customer’s browser and the host server.

Certificates are sold to a requesting party by issuing companies. These companies have a critical interest in sales growth. One might conclude that the certificate will only reflect the rightful identity of the applicant to the extent that the issuer is willing to invest time and money checking the applicants bonafides. Such a conclusion wouldn’t be unfounded. Recently a perpetrator represented themself as Microsoft and received two certificates.

Certificates are often shared on a single server in a multi-domain environment. When this is done, the only verification of identity is that the domain resides on a particular machine at a particular IP address number. It doesn’t mean that the site you’re visiting is to be trusted.

Certificates on a “trusted” site can in some instances act the same as signatures for signed code. Depending on your browser security settings, this “trusted” code could be be used for vile purposes like reading and erasing your hard drive. The chances are that you’ll never know who did it or even that it was done, unless of course, your files are erased.

Certificates use a symmetric scheme to encrypt data in transit over the Internet. This means that the client browser and the serving host are using the same key to encrypt/decrypt the data. A sophisticated hacker can get the key and begin a packet sniffing session.

Packet sniffing is the re-routing of data bits over the Internet, usually to a hacker’s machine. The hacker’s machine will set up a session with the client computer by pretending to be the intended client target (the host) or simply by inserting themselves transparently between the client and the host. Once the session is established, the hacker can read anything you, the client, send to the host and anything that the host sends to you.

This means that, in spite of SSL, logon and administrative passwords are still vunerable to reading by someone that is determined to do so. These passwords may give the hacker full run of the office. IE: once admin passwords on a server are compromised, all information on that server is available to the hacker.

A more mundane point is that any hacker with the savvy to run packet sniffing will probably go after your databases of vital information. Unless you run a very busy site, it is unlikely that they will bother with one credit number at a time. As we’ve seen a lot of lately, there are much easier ways to get into your machines using back door viruses with administrative permissions.

Unfortunately SSL certificates and the little lock that shows up in the browser have become the de jure standard for making a customer think they are engaged in a protected transaction. According to a Market Facts Interactive study earlier in 2001, 56.9% of respondents say they are “comfortable” or “somewhat comfortable” providing credit card information over the Internet, versus 43.5% by telephone.

Making customers feel secure is good for business, but it is the responsibility of the merchant and site manager to make sure that their vital information is really protected. This takes a lot more than an SSL site.


In light of the recent terrorist attacks, the idea of a national identity smart card is gaining traction. We don’t think this will be realized anytime soon, though. On the other hand we do think that credit cards, over the next couple of years, will emerge as smart cards with built-in biometric identity capabilities. We’re already seeing the emergence of chip imbedded credit cards.

While these chip cards provide some rudimentary functions, they don’t provide any higher levels of security. The smart credit card on the other hand could incorporate a biometric signature and the rightful owner’s public PKI (Public Key Infrastructure) key. Such a smart card could be designed to function only if in possession of that rightful owner. It could be used to automatically encrypt vital consumer information transmitted over the Internet or any other network for that matter.

Smart cards in turn will be good news for the merchant and any web site manager collecting vital information. You won’t need any forms to get client information, you’ll know that the client is whom they say they are, and you’ll know that they are in possession of their card when they make a transaction. This approach will virtually eliminate problems of fraudulent transactions, inadvertent errors, and unauthorized access.

Smart card use will also be good news for the consumer. A lost or stolen credit card will be of no use to anyone but the rightful owner and internet user names and passwords will no longer be required. For cardholder protection, a smart card can be designed to pass only the information that the rightful owner wants to give out.

The sticking point with a biometric smart card is how to issue cards that have a digital biometric signature while at the same time authenticating the recipient. This need will certainly curtail some of the mass distribution of cards that is currently evident. On the other hand, mass distribution could continue and the biometric information entered locally by an agent of the issuer and only after positive identification of the receiving party. The agent could be your local bank or even a local police station.

If you think about it, this type of smart card doesn’t require any centralized databank of everyone’s digital biometric signature. The signature is on the card itself and remains in the possession of the individual. This diffuse method of storing biometric information should allay the fears many of us have about centralizing our personal data.


Whether you’re an on-line merchant taking credit cards or simply operating a web site where e-mail addresses are stored, you will have to attend to privacy policies and the accompanying security provisions that make privacy work. Stating a privacy policy and leaving vital information open to access by unauthorized users is the same as having no privacy policy at all. You must be honest with your clients and not make statements that aren’t entirely valid.

This doesn’t mean that you need to panic and start a zillion security projects all at once. It does mean that you have to start thinking about what is your vital information, albeit client or proprietary, and begin to take steps to protect it. Your first step in risk management is accessing the risks and creating a plan to manage those risks. The second step is to address the gaping holes and build from there. Securing vital information is an ongoing task. Unfortunately, given our current technology and state of affairs, just about everyone with a Web presence must be vigilant.

Mel Davey is the creator of ImagineNation (, a full service E-Commerce Application Service Provider, offering Storefronts, Order Management Utilities, and 3rd party credit card processing.