How are we able to shop online securely?
- Asks Carol from New Athens, IL
Rachel Mahan • February 25, 2008
Cryptography enables secure online shopping. [Credit: Jessie Birks]
You enter your credit card numbers online, click “OK” and wait with bated breath for your CD to arrive the next day … but what about that lingering question of how secure you really are?
Cryptography, the process of encoding information, has been around since Julius Caesar’s day. In fact, the technology is so solid, a method that was revolutionary 30 years ago is still used today. It’s called public key cryptography, and despite being decades old, it makes secure Internet commerce easier.
Public key cryptography allows anyone to scramble a message (like credit card information) for an intended party, but it lets only that party unscramble it. It also plays a role in authentication (Is that really Amazon I’m ordering from?).
Public key cryptography’s invention was the “most remarkable act of genius,” says Steven M. Bellovin, a computer science professor at Columbia University in New York who has served on the Department of Homeland Security Science and Technology Advisory Committee.
But if this kind of cryptography is so great, why are we still worried about Internet security? It isn’t cryptography’s fault, says Nasir Memon, a computer science professor and director of Polytechnic University’s Information Systems and Internet Security Lab in Brooklyn.
Memon says it’s like we have nice locks on a cardboard house. He maintains that problems can occur if our information isn’t stored securely once it gets to its destination, if the technology isn’t applied properly or even if we don’t know how to protect ourselves.
Although public key cryptography isn’t the whole story of online security, it is an important component.
Here’s how Memon describes encryption and decryption: Say a professor has 30 students who want to communicate privately with him. He can put up 30 mailboxes outside his office, each locked with a different combination, one per student, but then he has to remember 30 combinations. This is called private key cryptography — both sides know and agree on a way to encrypt and decrypt the message.
Instead, he could leave a box of unlocked locks next to the open mailboxes. All of these locks require the same combination. This way, every student can lock up a secure message, but the professor is still the only one who can open any of them, and he has only one combination to remember. This is public key cryptography — anyone can encrypt the message to a recipient, but only the recipient can decrypt it.
However, because encryption and decryption by public key cryptography take a long time, people often just use them to decide on a secure way to communicate by private key cryptography.
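The hand-off described above, where the slow public key step only delivers a fresh key for fast private key encryption, as an added Python sketch (not from the article or anyone quoted in it). The toy RSA primes, the SHA-256 keystream standing in for a real cipher such as AES, and all function names are assumptions chosen so it runs with only the standard library.

```python
import hashlib, hmac, secrets

# Constructed toy key pair for the store. P and Q are well-known Mersenne
# primes, used only to keep this short: they are trivially guessable, and
# real RSA also pads the message. Never reuse these values.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: the "unlocked lock"
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: the "combination"

def subkeys(session_key: bytes):
    """Derive separate encryption and integrity keys from the session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter stream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def shopper_send(message: bytes, n: int, e: int):
    """Shopper side: needs only the store's public key (n, e)."""
    session_key = secrets.token_bytes(32)            # fresh key per session
    # Slow public key step, done once, on 32 bytes only.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    enc_key, mac_key = subkeys(session_key)
    body = keystream_xor(enc_key, message)           # fast private key step
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return wrapped, body, tag

def store_receive(wrapped: int, body: bytes, tag: bytes, n: int, d: int) -> bytes:
    """Store side: only the holder of d can recover the session key."""
    m = pow(wrapped, d, n)
    if m.bit_length() > 256:
        raise ValueError("wrapped key did not decrypt to a session key")
    enc_key, mac_key = subkeys(m.to_bytes(32, "big"))
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("message was altered in transit")
    return keystream_xor(enc_key, body)

if __name__ == "__main__":
    order = b"card=0000-0000-0000-0000;item=CD"      # constructed sample
    wrapped, body, tag = shopper_send(order, N, E)
    print(store_receive(wrapped, body, tag, N, D))
```

The integrity tag is what lets the store reject an order that was changed on the way, which encryption by itself does not guarantee.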
These processes are admittedly more complicated than the combination lock analogy. In real life, the “keys” involve very large numbers, usually over 100 digits, and people like you and me usually don’t have to think about them when we use secure sites. Here, encryption, decryption and also authentication go on mostly behind the scenes. Try clicking on the little yellow padlock on the web page where you enter your credit card information. You’ll often see the number of bits listed. The more bits, the longer the numbers and the more secure the connection.
The math behind encryption and decryption by public key cryptography is complex. In fact, the processes are incredibly time-consuming, even on the fastest computers, says Scott Annin, an associate professor of mathematics at California State University in Fullerton.
Given enough time, hackers could use trial and error, but secure systems change their keys often. If quantum computers became practical, however, the computers would make breaking in much faster. So far this hasn’t happened, and many believe the threat is a long way off.
The bottom line for now is: The math is working hard for us. It’s the human element that can be the problem. So buy that new CD, but you might also want to learn about other ways to protect yourself online.
3 Comments
Orbiscom, a Dublin, Ireland-based technology provider to the payments industry, pioneered in 1998 a solution for securing online payments. The product permits credit and debit cardholders to shop online or on the telephone without revealing their real credit or debit card details. A substitute card number, expiration date and security code are generated at the point of online checkout to protect real credit card details. The consumer receives the substitute number via a small download that sits on their desktop or by going to their bank’s website … there is no need to get another plastic card or any other physical device … and the online or telephone merchant does not need to modify any procedure because the substitute number is a valid card number (Visa, MasterCard, or Discover). Since the “substitute card number” is the one that resides in the online merchant’s database, the consumer’s true card details are not exposed. In the seven years that we’ve been in market, our clients and their customers have never had an incident of fraud or misuse of credit card details when using this product on millions of transactions totaling billions of dollars. This security product is offered for free for cards under the various brand names of our clients: “VAN” (Virtual Account Numbers) at Citibank, “ShopSafe” at Bank of America, and “Secure Online Account Numbers” at Discover Card. PayPal has recently introduced a version of this product for their customers, “Secure Cards”. The PayPal Secure Cards product also offers a very cool feature … a “receipts manager” that retains copies of completed transactions for all online purchases made with Secure Cards.
Very interesting article! Kudos to the author. Now I know a lot more about online cryptography.
There are many benefits from shopping online, such as saving my time and money. http://www.pickcheaps.com, it is a good site, nice products, fast shipment, good reply, good service. I really appreciate that.