People who buy things online may be familiar with the closed-lock padlock in the bottom right hand corner of their screens. While this is meant to provide a sense of security, how many Internet shoppers actually know what it refers to? In fact the padlock is there to show that at that particular time i.e. on the current web page communications with that site will be secured using encryption based on a protocol called SSL - or Secure Socket Layer (see explanation). In an ecommerce transaction, SSL achieves two things. It authenticates to the user the identity of the organisation responsible for the site in question and ensures that any information transmitted between the purchaser's web browser and the merchant's web site is protected from potential eavesdroppers or hackers listening in from anywhere on the Internet. . . .
Despite the rapid increase in online commerce, it is estimated that some 85% of transactions are still cancelled at the final 'confirm and buy' page. While some of these aborted purchases are simply down to people changing their minds, many are due to concerns about security and a reluctance to dispatch credit card details and other personal information across the unknown Internet. Maybe this is not surprising given the amount of publicity generated by new cases of Internet hacking and fraud.

People who buy things online may be familiar with the closed-lock padlock in the bottom right hand corner of their screens. While this is meant to provide a sense of security, how many Internet shoppers actually know what it refers to? In fact the padlock is there to show that at that particular time i.e. on the current web page communications with that site will be secured using encryption based on a protocol called SSL - or Secure Socket Layer (see explanation). In an ecommerce transaction, SSL achieves two things. It authenticates to the user the identity of the organisation responsible for the site in question and ensures that any information transmitted between the purchaser's web browser and the merchant's web site is protected from potential eavesdroppers or hackers listening in from anywhere on the Internet.

But sometimes all is not what it appears to be. 'Spoofing' or 'phishing' is the latest type of Internet fraud, where fake websites are set up that mimic well-established companies and persuade those who visit them to part with credit card details and other valuable financial information.

Many of the biggest names in the .com world have been victims, including Amazon, AOL, Ebay and PayPal as well as a number of high-street banks. In one recent case a gang of Nigerian fraudsters set up a fake version of NatWest's online service and used it to con two Canadians out of more than £100,000. The website was identical to that of the real bank but had an additional 'the' at the beginning of the web address.

In another recent case, The US Federal Trade Commission charged an unidentified 17-year-old boy with producing a look-alike web page for AOL and conning hundreds of people out of their credit card information. The teenager produced emails that told the recipients they needed to update their AOL billing information by clicking on a link marked 'AOL Billing Centre'.

They were then diverted to a phony website that looked identical to the real thing and instructed to enter credit card numbers, billing addresses and other details including AOL screen names and passwords.

Establishing Trust

The proof of a website's authenticity is in its digital certificate and the security foundations of digital certificates are the 'private' SSL encryption keys used by the web server. If an attacker has the private key, then they can spoof a website not only with look-alike pages but also with outward proof - the digital certificate - that the impostor site is the real site. Furthermore, they will also be able to decrypt all the traffic that is going to and from that site.

The link for this article located at net-security.org is no longer available.