Security Risks on the Net

E-mail messages and transactions (including stock trades) made over the Net often contain sensitive data such as credit card numbers and account information. This information is usually encrypted so that only the authorized recipient, who holds the key, can decrypt it. United States export rules limit the key length (and thus the strength) of the encryption shipped in mass-market software such as web browsers to 40 bits. Many experts feel that 40-bit encryption is inadequate for truly securing data, and they have a point: a 40-bit key has only about a trillion (2^40) possible values, and a network of computers working together can try every one of them in a matter of hours. That method is really just brute force.

Charles Schwab's online brokerage boasts the use of Secure Sockets Layer (SSL) encryption technology for all transactions made through its site. In 1995, the ISAAC computer group at Berkeley found a flaw in Netscape Navigator that made cracking SSL sessions possible without the brute force approach described above: the browser generated its session keys from predictable values (the time of day and process IDs), so an attacker had to guess only a small number of seeds rather than search the whole key space.
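The two attacks just described, as an added worked example (this is not code from the original article, from Netscape, or from the ISAAC group): an exhaustive search over a 40-bit RC4 key space split into partitions the way a network of cooperating machines would divide it, and a seed search against a session key derived from the clock and process IDs. RC4 stands in for the 40-bit export ciphers of the period; the key derivation routine, the known plaintext, the timestamps and the process IDs are all constructed for illustration and are a simplified model of the Netscape problem rather than its actual code.

```python
"""Added example: brute-forcing a 40-bit key versus guessing a predictable seed."""
import hashlib
import struct

KEY_BITS = 40
KEY_BYTES = KEY_BITS // 8


def rc4(key, data):
    """RC4 stream cipher (KSA + PRGA). Encryption and decryption are the same
    operation. It is only a stand-in for the 40-bit export ciphers of the day."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def int_to_key(n):
    return n.to_bytes(KEY_BYTES, "big")


def partition(total_keys, workers, index):
    """Bounds [start, stop) of worker `index`'s slice of the key space."""
    size = -(-total_keys // workers)  # ceiling division
    return index * size, min((index + 1) * size, total_keys)


def hours_to_exhaust(keys_per_second_per_machine, machines):
    """Wall-clock hours for `machines` cooperating machines to try all 2^40 keys."""
    return 2 ** KEY_BITS / (keys_per_second_per_machine * machines) / 3600.0


def search_keys(ciphertext, known_prefix, start, stop):
    """One worker's exhaustive search: try every key in [start, stop) against a
    known plaintext prefix. Returns the key that fits, or None."""
    target = ciphertext[: len(known_prefix)]
    for n in range(start, stop):
        key = int_to_key(n)
        if rc4(key, known_prefix) == target:
            return key
    return None


def weak_session_key(seconds, micros, pid, ppid):
    """Constructed model of a session key seeded from the clock and process IDs.
    The hash is irrelevant to the weakness; the seed has far less than 40 bits
    of entropy once an attacker knows roughly when and where it was made."""
    seed = struct.pack(">IIII", seconds, micros, pid, ppid)
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def search_seeds(ciphertext, known_prefix, seconds, micros_range, pid_range, ppid):
    """Attacker's seed search: the second is known (e.g. from sniffed packets),
    pid and microseconds are guessed. Returns (key, number_of_candidates_tried)."""
    target = ciphertext[: len(known_prefix)]
    tried = 0
    for pid in pid_range:
        for micros in micros_range:
            tried += 1
            key = weak_session_key(seconds, micros, pid, ppid)
            if rc4(key, known_prefix) == target:
                return key, tried
    return None, tried


if __name__ == "__main__":
    pt = b"GET /trade?account=12345 HTTP/1.0"  # constructed known plaintext
    key = int_to_key(0x1234567ABC)
    ct = rc4(key, pt)
    # One worker's slice: the top 28 bits are treated as already settled, leaving
    # 2^12 candidates. A real search covers all 2^40 across many workers.
    base = 0x1234567000
    print("brute force found", search_keys(ct, pt[:8], base, base + 0x1000).hex())
    print("worker 0 of 1000 gets", partition(2 ** KEY_BITS, 1000, 0))
    print("100 machines at 1M keys/s: %.1f hours" % hours_to_exhaust(1_000_000, 100))

    # Predictable seed: the attacker knows the second, guesses pid and microseconds.
    real = weak_session_key(820000000, 123456, 12345, 12340)
    ct2 = rc4(real, pt)
    found, tried = search_seeds(ct2, pt[:8], 820000000,
                                range(123000, 124000), range(12340, 12350), 12340)
    print("seed search found", found.hex(), "after", tried, "candidates")
```

The point of the second half is that the cipher is never attacked at all: once the key comes from a handful of guessable inputs, the attacker enumerates those inputs, and a few thousand or even a million trials is nothing next to the trillion a true 40-bit search needs.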

This, however, is not to say that SSL transactions made over the Internet are unsafe. A single credit-card number or scrap of personal data pulled from one message is hardly worth tying up hundreds of computers for hours at a time, and SSL provides a generally secure communication channel. The real danger to online traders and other participants in e-commerce lies in how the data is protected before it leaves the client's computer and after it arrives at the web server, its intended destination.

In 1996, a merchant using an e-commerce product from SoftCart accidentally exposed a batch of credit card numbers to unauthorized access over the Internet by placing its credit card file in a publicly accessible directory. In another credit card case, Visa lost 300,000 credit card numbers when a computer was stolen from its offices; the numbers were stored on it in unencrypted files. Visa estimates the cost of replacing all of the cards at millions of dollars. At this time, the software on the e-commerce server is the most neglected and insecure part of the online-security equation. The information of online investors is really only as safe as the online brokerages make it on their servers and in their databases. Ensuring 100% secure web transactions is hard to do when human error can so easily turn private information public. Unless e-commerce servers improve, the phrase "Initial Public Offering" could take on a whole new meaning.
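The SoftCart incident is the kind of mistake a server operator can check for: nothing that looks like a card number should sit anywhere under the web server's document root. The following is an added example, not code from the article or from any vendor it names: it walks a directory tree, flags files containing Luhn-valid 13 to 16 digit numbers, and builds a small constructed sample tree (an order log left under cgi-bin, plus a harmless page) to run against. The file names and contents are invented for illustration.

```python
"""Added example: find card-number files left under a web document root."""
import os
import re
import tempfile

# 13 to 16 consecutive digits; Luhn filters out order numbers and similar noise.
PAN_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits):
    """Luhn check digit test, as used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidate card numbers found in `text`."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def scan_webroot(root):
    """Walk `root` and return {relative path: count} for every file that holds
    at least one Luhn-valid number. Unreadable files are skipped."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as f:
                    pans = find_pans(f.read())
            except OSError:
                continue
            if pans:
                hits[os.path.relpath(path, root)] = len(pans)
    return hits


def build_sample_webroot():
    """Constructed sample tree: a welcome page whose 13-digit order number fails
    Luhn, and an order log with two valid test card numbers left under cgi-bin."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>Welcome</h1> Order #1234567890123 has shipped\n")
    with open(os.path.join(root, "cgi-bin", "orders.txt"), "w") as f:
        f.write("1996-03-01 jdoe 4111111111111111 exp 12/98\n"
                "1996-03-01 asmith 5500000000000004 exp 01/99\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, count in sorted(scan_webroot(root).items()):
        print("%s: %d card number(s) exposed under the document root" % (path, count))
```

Run it against the real document root (and any upload or CGI directories) rather than the sample tree; a hit means the file should be moved outside the web root, and the stored numbers should not be in clear text in the first place.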