Experts say security fears
shouldn't worry Internet users

January 21, 1996
Web posted at: 3:15 p.m. EST (Original: http://www.cris.com/~alcanh/eb/ccexp.html)

[Captured from the net 4/30/98 in case the page goes away -JumpDevGrp]

SAN FRANCISCO, California (AP) -- You're bopping around the World Wide Web checking out cool sites and you stop in at one of the shiny new on-line malls sprouting up everywhere. There's that CD you've been meaning to get. You pull out your credit card, and you --

Stop.

Technology hasn't stopped you; the technical part of making a purchase by computer was worked out long ago. The gods of commerce haven't stopped you; they're eager to sell through cyberspace.

What has stopped you is your own mistrust -- the fear that by putting out your credit card number on-line, you are opening yourself up to fraud. Perhaps, you think, some hacker will take my number and buy himself a new skateboard.

In fact, public fear of security risks on the Internet is stalling the boom many companies anticipated. But experts say sending your credit card number over the Internet to buy something is as safe as calling up L.L. Bean and ordering a sweater.

It's not that the computer security flaws being discovered every other week by bored graduate students -- and trumpeted by the media -- aren't problems. They're just not problems for the average user.

"If a person's standards are that they're not willing to send their credit card over the Internet, they probably shouldn't order anything by phone or from a store where they don't know the proprietor," said Rod Kuckro of Information and Interactive Services Report.

Says Douglas Barnes, who helps build secure computer systems for Electric Communities in Los Altos, California: "Credit card information is given out to hundreds of thousands of low-paid clerks all over the country every day -- it would be hard to imagine a less secure approach."

Stories about wily hackers stealing thousands of credit card numbers have created the public perception that the Internet is a dangerous place to do business. When the FBI's "most wanted hacker" Kevin Mitnick was arrested last year, one of the things he was credited with doing was stealing a file from an Internet service in California that contained information on 30,000 credit card accounts.

What wasn't as widely reported was the fact that Mitnick apparently never used any of the accounts, and probably only wanted the file as a trophy.

Security problems have been overhyped, even according to Simson Garfinkel, author of a book on one of the strongest publicly available encryption programs, Pretty Good Privacy. Encryption uses complex mathematical algorithms to turn computer files into a soup of letters and numbers unreadable by anyone except the person for whom they are intended.

Scares about security loopholes on the Internet only really affect large corporations that use computers to transfer sensitive information. Individuals buying a few CDs on-line aren't at risk, Garfinkel said.

"The whole thing about encryption over the Internet is that it's not to protect the customer -- it's to protect the credit card companies. By law, if there is no signature, the customer is liable for nothing. If there's a signature, they're liable for $50. The reason the credit card companies want (cryptography) is to limit their own liability. It has nothing to do with protecting the consumer," he said.

For many Internet users, their first encounter with security issues is the dire warning that pops up on the widely used Netscape Navigator browser for the World Wide Web if they attempt to send information across the Web.

"Any information you submit is insecure and could be observed by a third party while in transit," says the stern message, labeled 'Security Information.' "If you are submitting passwords, credit card numbers or other information you would like to keep private, it would be safer for you to cancel the submission."

But according to Garfinkel, the warning's just a scare tactic.

"Netscape Navigator is printing those messages because they're trying to sell encrypted servers. It's an ad. It doesn't look like an ad, but it is."

Netscape says the feature, which can be turned on and off, lets people using the Web know whether their transaction is encrypted.

"We want users to make an informed decision about whether or not they want to send credit card data over the phone," said spokeswoman Rosanne Siino.

To convince shoppers to take the plunge into electronic commerce, San Mateo, California-based eShop counters consumer fears by taking the direct approach.

"We have what we call the 'eShop Secure Purchase Guarantee.' If you have any financial loss due to the use of your credit card at E-shop plaza, we cover you," said chief operating officer Matt Kurt. "We're not going to explain 128-bit public key encryption to you -- you don't care. But what we will say is that you're not going to lose any money."

Kurt believes that it will take two things for people to begin buying on-line -- being told it's safe, and trying it for themselves. All of which will take time.

"I am old enough to remember 20 years ago when the idea of seeing an ad in the newspaper and picking up the phone and giving someone your credit card number seemed really crazy," he said.

Whether or not it's really that dicey to give out your credit card number on-line is a big issue because the potential market is enormous. At least one market research firm is predicting a huge increase in on-line transactions for the coming year as more and more people use the Internet.

Input, a California-based information services research firm, estimates a jump from $40 million in business done in 1995 to $260 million for 1996. Those figures may seem high, but compared to the estimated $650 billion in credit card transactions done in the United States in 1995, they're only a drop in the bucket.

Catalogs alone did $50 billion in business in 1995. Kuckro thinks on-line sales can be that big or bigger.

As for the possibility of theft, it's a random act, no more or less in the real world than the virtual.

"You're never going to have a payment system that's totally bullet proof," said Bob McKinley, who tracks the bank card industry for RAM Research Group in Maryland. "Eight hundred million dollars (a year) in bank card fraud is the price of convenience in America."

Bullet proof or not, some wonder if the hype over security issues isn't being hyped in turn.

"All this talk about security really comes down to companies that are unhappy because people aren't buying things over the Internet," said Kuckro. "Right now it's being used as an alibi."
