Tradelink-eBiz Tradelink corporate website
How secure is this house of cards?
Credit cards are already the keystone of a vast global online shopping network. But some highly-publicized incidents have raised a serious question: how secure are these transactions?

In June of this year, 40 million credit-card owners, most of them in the USA, received a rude shock, and the world of e-commerce got a very big wake-up call. In an unprecedented hack attack, the 40 million card holders had their credit information stolen from systems that were supposed to be secure.

In Hong Kong - and in fact, throughout the world - all credit-card holders were aghast. This was a nightmare come true, and the latest in a whole string of developments and admissions that was eroding public confidence in online financial security. Since the start of the year, a slew of credit card mishaps had highlighted the vulnerability of personal information, and consumers were becoming increasingly aware that once such information was stolen and used by clever criminals, the transactions were hard to track. These growing concerns about online financial fraud were further compounded by the spate of crimes targeting Automated Teller Machines. Terms like “phishing”, “keystroke logging” and “shoulder surfing” were entering the general lexicon of well-informed consumers, and both online bankers and their customers were getting increasingly uneasy. Could the average person still feel confident about doing day-to-day transactions online? Were electronic transactions simply too vulnerable to trust?

Closer investigation of these incidents shows that online security systems can indeed be trusted, and that a little caution and common sense make individual online transactions very secure.

Human factor

Take the case of the 40 million credit-card holders whose information was snatched. The first reaction was to point the finger of blame at the credit-card companies themselves, but while they were being given a black eye in public, it quietly emerged that the real culprit was a breach in security procedures and practice, not the security system itself. In short, it was an appalling human error.

Richard Stagg, of security services provider Handshake Networking, is one who emphasizes that it was a case of mishandled security policies. “It was a compelling example of why security policies are so important, and what happens when you deviate from them,” he says.

Security policies are the guidelines that are set down to ensure that all vital information is kept safe under “a virtual lock and key”. But such policies are only as effective as the people who have to adhere to them: if they are lax in carrying out the policies, disaster immediately starts lurking around the corner.

That was exactly what happened in the “40 million cards” case. Lax attitudes resulted in information leakage. “Obviously the leakage of information is a disaster, and the company has paid dearly for its mistake,” says Mr Stagg.

The company in question is CardSystems Solutions, a third-party processor that handles card payments between merchants and the credit card companies.

“It wasn’t the [credit card companies’] card storage systems that got hacked. They did all the right things technically concerning data storage,” says Mr Stagg - and even emphasizes that their security systems were well implemented. The problem occurred when some of the data was copied.

“A bunch of live data was copied to a development system for testing purposes, and the weak development system got hacked. That’s how the data was stolen,” says Mr Stagg.

He feels the real security issue was how the ‘live’ data was allowed to be used in a development environment.

“You never use live data in a development environment. It would have been so much easier if they’d just generated a few thousand ‘random’ numbers and used those instead,” says Mr Stagg.

If a company must use ‘live’ data, he advises that the development environment must meet all the same standards as the ‘live’ environment.
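Mr Stagg’s advice translates directly into two pieces of tooling: a generator for synthetic, Luhn-valid card numbers that exercise the same validation paths as real ones, and a scanner that finds live-looking numbers in development data before anyone relies on them being absent. The Go program below is an added example written for this article; it is not code from CardSystems, Handshake Networking or any of the firms quoted. The test prefix 999999, the fixed 16-digit length and the sample export are assumptions made for the example; 4111111111111111 and 5105105105105100 are widely published test numbers, not live cards.

```go
package main

import (
	"fmt"
	"math/rand"
	"regexp"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn checksum carried
// by payment card numbers. A run that fails it is not a PAN; one that passes
// deserves a closer look.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false // the rightmost (check) digit is not doubled
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// luhnCheckDigit returns the digit that makes partial+digit Luhn-valid.
func luhnCheckDigit(partial string) byte {
	sum, double := 0, true // the digit just left of the check digit is doubled
	for i := len(partial) - 1; i >= 0; i-- {
		d := int(partial[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return byte('0' + (10-sum%10)%10)
}

// syntheticPAN builds a 16-digit, Luhn-valid number under testPrefix so that
// code which validates card numbers accepts it. The prefix is an assumption of
// this example: pick one that is not an issuing range you ever process, so a
// fake number can never coincide with a live card.
func syntheticPAN(rng *rand.Rand, testPrefix string) string {
	var sb strings.Builder
	sb.WriteString(testPrefix)
	for sb.Len() < 15 {
		sb.WriteByte(byte('0' + rng.Intn(10)))
	}
	return sb.String() + string(luhnCheckDigit(sb.String()))
}

// syntheticBatch is the "few thousand random numbers" a test fixture needs,
// reproducible from a seed so the fixture can be regenerated at will.
func syntheticBatch(seed int64, testPrefix string, n int) []string {
	rng := rand.New(rand.NewSource(seed))
	out := make([]string, n)
	for i := range out {
		out[i] = syntheticPAN(rng, testPrefix)
	}
	return out
}

// maskPAN keeps the first six and last four digits, the only form of a live
// number that belongs in logs, tickets or test fixtures.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// panLike matches 13-19 digit runs, tolerating the spaces or dashes people
// type between groups; stripSep removes them before the Luhn check.
var panLike = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
var stripSep = strings.NewReplacer(" ", "", "-", "")

// findLivePANs scans text (a database export, a config file, a log) and
// returns every Luhn-valid candidate that does not carry the synthetic prefix.
// Each hit is a potential live card number sitting outside the live environment.
func findLivePANs(text, testPrefix string) []string {
	var hits []string
	for _, cand := range panLike.FindAllString(text, -1) {
		if pan := stripSep.Replace(cand); luhnValid(pan) && !strings.HasPrefix(pan, testPrefix) {
			hits = append(hits, pan)
		}
	}
	return hits
}

// devDump is a constructed sample of a development database export: two
// published test numbers, one synthetic number, and an order id that happens
// to be 13 digits long but fails Luhn. None of it is real customer data.
const devDump = `customer=alice pan=4111111111111111 exp=0907
customer=bob   pan=9999 9901 2345 6788 exp=1206
order=1234567890123 total=12.50
customer=carol pan=5105105105105100 exp=0308`

func main() {
	const prefix = "999999"
	for _, p := range syntheticBatch(2005, prefix, 3) {
		fmt.Println("synthetic:", p)
	}
	for _, pan := range findLivePANs(devDump, prefix) {
		fmt.Println("live-looking PAN in dev data:", maskPAN(pan))
	}
}
```

Run against a real export, the scanner’s output is the list of policy violations: it should be empty, and anything it reports is a number to purge and an incident to explain, not something to mask and move on from. The synthetic prefix is what lets the scanner tell fixtures apart from leaks, which is why it must never overlap a real issuing range.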

According to MasterCard, one of the main card networks involved in the case, CardSystems wasn’t even supposed to keep any of that data on-site. CardSystems did, though, and apparently quite a lot of it.

“It is just another strong demonstration of that old adage that security is only as strong as the weakest link,” says William Tan at Web security company, Websense. “Despite millions and millions of dollars being spent on securing online e-commerce services, a simple security breach like this can ruin everything, jeopardize customer confidence in online transactions - and even shake their trust in information technology at large.”

Hong Kong relevance

Although most major incidents have occurred in the US, they are still extremely relevant to Hong Kong shoppers. “The relevance is simply that this can - and will - happen again,” says Mr Stagg. As people buy and sell globally on the Internet, international boundaries are swept aside: an online shopper in New Zealand may well become the next victim of a hacker in Finland.

So does that mean e-commerce is dangerous? Certainly not. For a start, there’s more reason to worry about your credit card information being copied in standard offline transactions, at a shop counter for example, than online, where the card details are encrypted between your browser and the merchant and cannot practically be read by anyone listening in on the connection. Note what that encryption does and does not cover, though: it protects the details in transit, not once the merchant or its processor has stored them, and it was stored data, not an intercepted connection, that the thieves took in the “40 million cards” case.

“For the typical Hong Kong consumer, the best defence is being detail-conscious,” says Krei Lewis at systems integrator Datacraft. “Credit card fraud and data theft are far more common in restaurants, shops and other retail locations - where individual credit card data can easily be copied - than in major institutions. It just doesn’t hit the headlines in the same way.”

Simon Green, of security solutions provider Network Appliance Hong Kong, offers further advice: “It’s best not to use Internet cafes and other such public Internet sessions to send secure data such as passwords and credit card details,” he says. But he also adds an optimistic observation: public awareness of the need for caution when entering identity information such as credit card details online has, he believes, greatly improved.

Mr Tam, however, still feels there’s much to be done and consumers must always be vigilant: “It makes no difference whether you are a frequent traveller, an occasional tourist, or you’ve never travelled internationally but shop with your credit card on the Internet,” he says. “The fact is that any security breach in the finance transaction cycle will put you at risk.

“Just like any responsible credit-card user, keep the receipt of every transaction, review your monthly bill carefully, and report any suspicious transactions immediately.

Also, use your credit card only at reputable merchants. And use credit cards with lower credit limits for Internet-related transactions or any unknown merchants or merchants overseas. All this minimizes your exposure if something does go wrong,” he adds.

But Krei Lewis at systems integrator Datacraft points out that it’s also not entirely up to the consumer: a large element of responsibility for security lies with the people or organisations holding the data. “There is a range of programs that can improve the management of personal data. Additional safeguards are being rolled out worldwide. Chip-based credit cards, verification and inspection programs are some visible parts of this constant effort to keep ahead in the security arms race,” he says.

Some reassuring truths

As the “40 million cards” case highlights, your credit card information can get stolen, no matter how impeccable your Net etiquette when shopping online. But that, of course, need not have dramatic consequences for consumers.

“To be honest, on an individual level there aren’t many personal defences against large-scale card fraud,” says Mr Stagg. “But keep in mind that all the major card-issuing institutions make a commitment to absolve their cardholders from any obligation to pay for products purchased without their knowledge through fraudulent use of their card or card information.”

How big is the risk anyway? Not a lot, according to Simon Green. He believes the frenzy of publicity generated by a high-profile case of card information theft conceals an important truth.

“Whilst they do occur,” he says, “in comparison to the number of electronic transactions and the amount of data traversing the world’s networks, the number of incidents is surprisingly few. The organisations in this business have extremely sophisticated detection systems that shut down access to a card as soon as it is suspected. That greatly limits any losses stemming from such breaches.

“Some banks now offer a two-layer security where you not only need a legal card number and password, but you need to include an identifier which gets sent to your mobile phone to confirm the transaction,” he adds.

Debit is worse

So online credit card transactions are essentially very safe indeed.

And there’s an interesting comparison that emphasizes this point: the risk of an online credit card transaction compared to the risk of using a debit card. According to Richard Stagg, debit card transactions have a very real element of danger.

“In fact it’s not a problem here,” he says, “because our banks don’t issue them - though there are some similarities with our EPS. Unlike a credit card, a debit card takes money straight out of your bank account. If you’re the victim of a credit card fraud the card company has to force you to pay the bill - and in the vast majority of cases the consumer is protected. But debit card fraud is another matter entirely: you have to force a bank to refund your cash - and that’s almost impossible!”

Digi-Sign Solution: Mobile Authentication

The credit card is perhaps the most popular tool for online purchase, and this has made card security a critical aspect of global e-commerce. A new “Mobile Authentication” technology, in the later stages of development by Digi-Sign, may provide the solution to many security issues.

Currently, Mobile Authentication is via SMS text. Many banks already use SMS to alert credit-card owners when a merchant seeks verification. A problem arises, however, if the user is asked to reply with a personal identification number: SMS is not encrypted, so the PIN travels in the clear.

Hong Kong’s Digi-Sign Certificate Services Limited is testing a solution based on Public Key Infrastructure (PKI).

Digi-Sign embeds your digital certificate, together with the private key that belongs to it, into your mobile device in a secure manner.

When a bank seeks confirmation for a credit-card payment, your phone will ask you to enter your PIN. Instead of sending the PIN, however, the phone uses the private key behind the embedded certificate to generate a digital signature, and sends that.

Since only your digital signature is sent over the air, your PIN can never be intercepted. Forging a signature without the private key is computationally infeasible. For this to hold, what the phone signs must include the transaction details and a fresh, one-time value from the bank, so that an intercepted signature cannot simply be replayed to authorise a later payment. Payment can then be falsely authorised only if someone has both stolen your telephone and learned the PIN that unlocks your certificate’s private key.
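To make the flow concrete, the Go program below is an added example that models both sides of the exchange: the bank issues a challenge carrying the transaction details and a one-time nonce, the handset releases a signature only after a local PIN check, and the bank verifies the signature under the enrolled public key and consumes the nonce so the same signature cannot be replayed. It also stands in for the earlier description of banks that confirm a payment through an identifier sent to the phone, showing what replaces the SMS reply. It is not Digi-Sign’s code and does not describe their protocol; ECDSA on P-256, the message layout, the nonce scheme and the PIN-hash check are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// challenge is what the bank pushes to the handset: the transaction the user
// is asked to approve plus a one-time nonce that ties the approval to this
// request and nothing else.
type challenge struct {
	Merchant, Amount, Nonce string
}

// digest is the value actually signed. It covers every field, so altering the
// amount after signing invalidates the signature.
func (c challenge) digest() []byte {
	h := sha256.Sum256([]byte(c.Merchant + "\x00" + c.Amount + "\x00" + c.Nonce))
	return h[:]
}

// phone models the handset. The private key stays on the device and is used
// only after a local PIN check; the PIN itself is never transmitted. A real
// handset would keep the key in tamper-resistant storage and limit PIN
// attempts; the hash comparison here only models "no PIN, no signature".
type phone struct {
	pinHash [32]byte
	priv    *ecdsa.PrivateKey
}

func newPhone(pin string) (*phone, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &phone{pinHash: sha256.Sum256([]byte(pin)), priv: priv}, nil
}

// approve is the "enter your PIN" step: the right PIN releases a signature
// over the challenge; a wrong one yields nothing for the network to carry.
func (p *phone) approve(pin string, c challenge) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], p.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key not released")
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, c.digest())
}

// bank keeps the public key from the certificate enrolled for this customer
// and the challenges it has issued but not yet seen answered.
type bank struct {
	pub     *ecdsa.PublicKey
	pending map[string]challenge
}

func newBank(pub *ecdsa.PublicKey) *bank {
	return &bank{pub: pub, pending: map[string]challenge{}}
}

// issue creates a fresh challenge for a payment awaiting confirmation.
func (b *bank) issue(merchant, amount string) (challenge, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return challenge{}, err
	}
	c := challenge{merchant, amount, hex.EncodeToString(n[:])}
	b.pending[c.Nonce] = c
	return c, nil
}

// verify accepts the payment only if the challenge is one the bank issued,
// unchanged and not yet consumed (so a captured signature cannot be replayed),
// and the signature verifies under the enrolled public key.
func (b *bank) verify(c challenge, sig []byte) error {
	if issued, ok := b.pending[c.Nonce]; !ok || issued != c {
		return errors.New("unknown, altered or already-used challenge")
	}
	if !ecdsa.VerifyASN1(b.pub, c.digest(), sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	delete(b.pending, c.Nonce) // single use
	return nil
}

func main() {
	ph, err := newPhone("2580")
	if err != nil {
		panic(err)
	}
	bk := newBank(&ph.priv.PublicKey)
	c, _ := bk.issue("Bookshop", "HKD 350.00")
	sig, _ := ph.approve("2580", c)
	fmt.Println("genuine approval:", bk.verify(c, sig))
	fmt.Println("replayed signature:", bk.verify(c, sig))
	_, err = ph.approve("0000", c)
	fmt.Println("wrong PIN:", err)
}
```

The two properties the article claims fall out of the structure: the PIN is only ever compared on the handset, and the bank accepts a signature only if it verifies under the key enrolled at registration, so a thief needs both the device and the PIN. The nonce and the inclusion of merchant and amount in the signed digest are what stop an eavesdropper from reusing a captured approval or attaching it to a different payment.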

Ultimately, this solution is not limited to mobile phones: a digital certificate can be stored in any electronic medium, offering a long-term boost to the credit-card industry, and it requires only that the authenticating company be well-established in the business community.

October 2005

Tradelink Electronic Commerce Limited. All rights reserved.