E-commerce Security???

From: jaywhy (jaywhy2@home.com)
Date: 09/01/01


Date: Sat, 01 Sep 2001 16:22:57 -0400
Subject: E-commerce Security???
From: jaywhy <jaywhy2@home.com>
To: <incidents@securityfocus.com>, <security-basics@securityfocus.com>
Message-ID: <B7B6BBE0.1EA1%jaywhy2@home.com>


    What is security in e-commerce? Is there such a thing? Well, isn't
there SSL to transfer credit cards? People think SSL must be secure, or why
would they use it?
    Certificate-based public key encryption does provide secure transmission,
but security with whom? Do I have a secure transmission with Amazon.com or
some hacker in a country with no extradition treaties posing as Amazon.com?
I know security isn't a one-layer thing, and SSL isn't the answer. But what
is? SSL doesn't keep you secure from people hacking into Amazon.com and
just stealing the information after transmission.
    How does a business keep credit information? You can't just encrypt the
customers' credit information and think you're secure. The encryption
algorithm relies on the security of the private key, and on the protocols in
which you deploy it. Layering security on top of heavy encryption is the
best option: deploying a firewall and NIDS, and making the server that
holds the credit information as secure as possible.
    Even with all that security, the private key still has to be kept
private. How do you do that? Putting the private key on some type of
external device is an option. You must create security protocols for the
disk now. How do you keep it safe from some disgruntled employee looking to
trash your company's reputation? Furthermore, the disk must be inserted
every single time you need it; automatic billing systems are no longer
automatic. Billing must be overseen now.
    The private key is your doorway to billing your customers. What if the key
is lost, destroyed, or corrupted? If you lose the keys to your house, call
a locksmith. If you lose the key to your 128-bit algorithm, good luck.
Barring any organizations with three-letter names, you're basically screwed.
No wonder businesses place credit information in clear text. It's a whole
lot easier.

    I guess my question is: how do you keep customer information secure?
And I'm also guessing my question has no right answer.

-- 
Jason Yates
jaywhy2@home.com
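The post's last two worries, a single disgruntled employee holding the card-data key and the key being lost with no locksmith to call, have a standard answer that the post does not mention: threshold secret sharing. The key is split into n shares so that any k of them rebuild it, fewer than k reveal nothing, and no one person ever holds the whole key. The following is an added example written for this page, not code from the original post; it implements Shamir's scheme with only the Python standard library. The 16-byte key, the 3-of-5 policy and the share holders are constructed for illustration.

```python
"""Threshold backup of a 128-bit data-encryption key (Shamir secret sharing).

Added example, not from the original post. The billing key below is a
constructed value; a real one would come from secrets.token_bytes(16).
"""
import secrets

# Field prime; it must exceed any value the secret can take (here 2**128).
# 2**521 - 1 is a Mersenne prime, so arithmetic mod PRIME is a proper field.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, holders: int):
    """Split `key` into `holders` shares; any `threshold` of them recover it."""
    if not 1 <= threshold <= holders:
        raise ValueError("need 1 <= threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out, it *is* the key.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares, key_len: int = 16) -> bytes:
    """Lagrange-interpolate f(0) from (x, y) points and return it as key bytes."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Fermat inverse: den**(p-2) == den**-1 mod p.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total >= 1 << (8 * key_len):
        # Too few (or tampered) shares: the interpolated value is a random
        # field element, not the key, and almost surely does not fit key_len.
        raise ValueError("recovered value does not fit a %d-byte key" % key_len)
    return total.to_bytes(key_len, "big")


def recovers(shares, key: bytes) -> bool:
    """True if these shares reconstruct exactly `key`."""
    try:
        return recover_key(shares, len(key)) == key
    except ValueError:
        return False


if __name__ == "__main__":
    billing_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    # 3-of-5 policy (constructed): e.g. CFO, ops lead, two auditors, off-site safe.
    shares = split_key(billing_key, threshold=3, holders=5)
    print("any three shares:", recovers(shares[1:4], billing_key))
    print("only two shares :", recovers(shares[:2], billing_key))
    print("one share lost  :", recovers(shares[:2] + shares[3:], billing_key))
```

In operation the reconstructed key lives only in the billing host's memory, so billing stays automatic; the shares are needed only when that host is rebuilt, and losing any two of the five holders (a dead disk, a departed employee) still leaves enough to recover. Each share on its own is a uniformly random field element, so one holder walking out with a share learns nothing about the key.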