
Thread: Dial-up vs. Web Security ?

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    1

    Question Dial-up vs. Web Security ?

    My Finance officer doesn't feel secure processing any transactions via the web if they contain names, SSN's, payment, or other sensitive data. Our bank, retirement system, and federal/state agencies all offer supposedly secure web-solutions, but none have convinced him that they are as secure as the dial-up connections we have used for many years.

    I have heard within IT that "good" web solutions are actually MORE secure than dial-up lines, but no one has been able to define conclusively what a "good" solution looks like. I looked for a standard (FDIC, SEC, etc?) that I could share with my Finance officer, & he could then ask potential web-partners if they met that standard --- but haven't found any such thing. The best thing I've been able to find is "look for the little lock symbol at the bottom of the screen," but that doesn't feel like a professional IT response I'd want to give to Finance.

    Any thoughts or recommendations you guys can share? Thanks a bunch!

  2. #2
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    There really is no great way to prove that a company's web applications are secure enough for you to do business with them. There are some good things to avoid however...

    1) Apps that use your social security number for identification.
    2) Apps that use a canned list of security questions that you provide an answer for. It's far better if you can make up your own (and don't make it easy to guess).
    3) Make sure that they use SSL (lil lock) where appropriate.
    4) I recommend against allowing companies to store your credit card information for faster purchasing....not only is your credit card info stored in a database that evil-doers can eventually get access to....but it makes it one step easier to take advantage of if they hijack your web account.
    5) Watch out for any web application that puts your sensitive data into the query string (the address bar of your browser).

    There is no guarantee that the companies are not keeping your financial data in logs, databases, printed out files someplace. You need to do the proper research and maybe even contact them to find out what they are doing to ensure your privacy and safety.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X
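    Point 5 and the remark about data ending up in logs can be checked together: anything placed in the query string is normally written to the web server's access log. The following is an added example, not part of the original post; it assumes a Common Log Format style access log, and the sample lines and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str):
    """Return 'ssn-like', 'card-like' or None for one query-string value."""
    if SSN_RE.match(value):
        return "ssn-like"
    digits = re.sub(r"[ -]", "", value)
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card-like"
    return None

def findings(log_lines):
    """Report (line number, parameter name, kind); the value is never copied."""
    out = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                out.append((lineno, name, kind))
    return out

# Constructed sample log lines (documentation IPs, well-known test numbers).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2003:10:01:22 -0700] "GET /pay?acct=1001&ssn=078-05-1120 HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Oct/2003:10:01:40 -0700] "GET /checkout?card=4111111111111111&amt=25 HTTP/1.1" 200 734',
    '192.0.2.11 - - [12/Oct/2003:10:02:03 -0700] "POST /checkout HTTP/1.1" 200 120',
    '192.0.2.12 - - [12/Oct/2003:10:02:09 -0700] "GET /order?id=1234567890123456 HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(hit)
```

    The POST line produces no finding because its data travels in the request body, and the 16-digit order id is ignored because it fails the Luhn check.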

  3. #3
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    IMHO there are two questions here?

    The first is the security of the link. Now, I am firmly convinced that given enough time, any encryption and security can be broken. With the kind of data your finance guy is concerned about, that is an issue, because it is very long term and does not change.

    The second issue, and the one I find personally more disturbing, is the security of your data on the site that you are dealing with. Regular finance systems are generally on some mid-range or mainframe, out of the way of hackers, too old for them to understand, and so on. We have all heard of exploits where systems have been hacked, and sensitive information stolen?

    I personally would not bank online, and only make purchases with a low limit credit card I have specifically for that purpose.

    At this moment in time, I am inclined to agree with your bean counter, and, as you say, you have not been able to find convincing proof to the contrary?

    Cheers

  4. #4
    Senior Member
    Join Date
    Oct 2003
    Posts
    107
    At the present time the Net isn't safe for $$$$$$$ ... that is my say on this topic ... it is like walking on ice and hoping not to fall through ... so it is better to do banking the traditional way ... or get a direct line with 256-bit encryption with your bank ... that can be broken too ... better make it 1024-bit, with a code change every 1 min by a 10G algorithm through a supercomputer ...

  5. #5
    lol, I barely trust the internet for making purchases, let alone banking. I used to use Integra Bank's Anytime online banking. But I just don't like the thought of that kind of information going through wires....

  6. #6
    I'm not an expert on this subject, but wanted to add something regarding the 'lil' lock'.
    I always click to find out which company is signing the certificate when I'm buying something from a new site, etc. If I don't see the biggies listed (Thawte, Verisign), I hit the road.
    That's just me though
    nihil> Thanks for the idea. Never thought of using a low-limit credit card for web purchases, but it makes perfect sense.

  7. #7
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    I've worked with e-business and e-commerce for years. It is safe enough to deal with but you should do your research/due diligence in making sure your transactions are safe (checking digital certificates, verifying privacy policy and terms of use are to your liking, etc).

    If you are paranoid about using a card for a purchase online I hope you never use your cards to purchase things in say....stores, restaurants, etc. It is 1000 times easier to get a job or a plant (someone on the inside to feed you information) in a store or restaurant and start swiping credit card numbers, cvv2 codes, address info, etc in one of these areas than to break a lot of e-com sites that may or may not actually store the data.

    And giving your card to the guy at Wendy's/McDonalds to pay for your meal? He may not flick a booger in your food but go on a lil spending spree at eBay.

  8. #8
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Juridian makes some good points.

    I NEVER give anyone my card to take away. I have three. One is my main access card to my bank account...up till recently that would have given access to a reasonable proportion of my loot (technically it is a debit card).

    I have a regular credit card, and a small one for internet transactions. I guess that I am pretty safe, as I do not actually sign for the small transactions. I use a credit card as well as the debit card for another reason. Over here we have a law called the "Consumer Credit Act".....if I use my debit card, and the company goes bust...I lose.......if I use the credit card, the credit card company loses. They also give me a one year warranty and three months theft insurance...which can be worthwhile I suppose.

    I have no problem with internet purchases.......not banking...............I mainly kept them apart because it could take up to two weeks to sort out a major problem....that would be a long time without beer

    My conclusion is that the net is ok for purchasing stuff, but I am yet to be convinced it is secure enough for more heavy duty applications?

    Cheers

  9. #9
    Banned
    Join Date
    May 2003
    Posts
    1,004
    The web is sufficiently safe for banking.

    Digital certs are required for the data transfer. The systems themselves should be either Windows NT 4/5 front end with any decent multi level secure (MLS) operating system as the back end, or an MLS all the way through. An MLS database should also be used.

    If you don't understand this, or question why you'd want Windows, I strongly suggest you hire a good security consulting firm.

    The question of calling in or surfing over... does the call in use a dial back system? If not, the digital certs offer greater assurance.

    catch

  10. #10
    Junior Member
    Join Date
    Oct 2003
    Posts
    6
    Well, I don't know much about this but there are a few things that I can say:
    Firstly KFISHER you said "The best thing I've been able to find is "look for the little lock symbol at the bottom of the screen," but that doesn't feel like a professional IT response I'd want to give to Finance."

    This doesn't really mean that the webserver you are accessing is secure; the best example that comes to my mind about this is HOTMAIL.com.

    Depending on the policy of your organization, I mean how much they can spend on this issue, you can implement lots of techniques:
    1) You can ask your partners about tunneling: PPTP.
    2) Encryption.
    3) Digital signatures and certificates. You can go for Verisign for this.
    4) The best protocol for your scenario is the SET protocol, i.e. Secure Electronic Transaction Protocol.
    Life is like an ice cream enjoy before it melts.
