E-commerce Security???

From: jaywhy (jaywhy2@home.com)
Date: 09/01/01


Date: Sat, 01 Sep 2001 16:22:57 -0400
Subject: E-commerce Security???
From: jaywhy <jaywhy2@home.com>
To: <incidents@securityfocus.com>, <security-basics@securityfocus.com>
Message-ID: <B7B6BBE0.1EA1%jaywhy2@home.com>


    What is security in e-commerce? Is there such a thing? Well, isn't
there SSL to transfer credit cards? People think SSL must be secure, or why
would they use it?
    Certificate-based public key encryption does provide secure transmission,
but security with whom? Do I have a secure transmission with Amazon.com or
some hacker in a country with no extradition treaties posing as Amazon.com?
I know security isn't a one-layer thing, and SSL isn't the answer. But what
is? SSL doesn't keep you secure from people hacking into Amazon.com, and
just stealing the information after transmission.
    How does a business keep credit information? You can't just encrypt the
customers' credit information and think you're secure. The encryption
algorithm relies on the security of the private key, and the protocols in
which you deploy it. The layering of security on top of heavy encryption is
the best option. Deploying a firewall, NIDS, and making the server that
holds the credit information as secure as possible.
    Even with all that security, the private key still has to be kept
private. How do you do that? Putting the private key on some type of
external device is an option. You must create security protocols for the
disk now. How do you keep it safe from some disgruntled employee looking to
trash your company's reputation? Furthermore, the disk must be inserted
every single time you need it; automatic billing systems are no longer
automatic. Billing must be overlooked now.
    The private key is your doorway to bill your customers. What if the key
is lost, destroyed, or corrupted? If you lose the keys to your house, call
a locksmith. If you lose the key to your 128-bit algorithm, good luck.
Barring any organizations with three-letter names, you're basically screwed.
No wonder businesses place credit information in clear text. It's a whole
lot easier.

    I guess my question is, how do you keep customer information secure?
And I'm also guessing my question has no right answer.

-- 
Jason Yates
jaywhy2@home.com


