Internet commerce is a riddle wrapped in an enigma. At once the biggest opportunity the computer and communications industries face in the latter half of the 1990s, it also represents their biggest risk. The upside is emblazoned on huge banners that fly above the floors of trade shows, touting new products for establishing a secure digital marketplace on the World Wide Web. The downside can be seen at places like the L0pht, a small, dank office well off Boston’s famously techy Route 128.
The L0pht is about what you’d expect in the way of headquarters for a motley group of twentysomething computer hackers with Internet names like Deth Vegtable, Brian Oblivion and Mudge. Towers of Sun workstations, networked by miles of duct-taped cable and wire, rise to ceiling height from a splintered wooden floor littered with empty Styrofoam coffee cups. The only Internet commerce going on here involves a small business selling CD-ROMs crammed with tips for breaking into computer networks and security products, plus a sideline as one of the world’s smallest Internet service providers. The income from these endeavors is just enough to keep the hackers in their real business:furiously typing away in search of the next big breakthrough in break-ins.
Mudge is very pleased today. He’s heard rumors that Bellcore, the Morristown, N.J.-based R&D arm of the Baby Bells, has come calling, eager to wine and dine him. Bellcore is apparently hoping to talk Mudge out of Web posting his latest tool kit for cracking its secure-key encryption technology before it gets a chance to do damage control. No one there wants a repeat of the headlines generated the last time Mudge caught the august R&D institution with its pants down, cracking its supposedly impassable Internet-password algorithm.
Mudge and his ilk of brilliant break-in artists believe they play an important role as the underground angels of Internet commerce, minding the gates to the new digital marketplace. The media portrays the Internet as an ort cloud, says Mudge, referring to a dark world portrayed in a popular science-fiction novel. “They see the Net as teeming with evildoers just waiting to abuse the unsuspecting average user. Corporations, on the other hand, are attempting to assuage fears by pandering crappy solutions and trying to market them as secure. This helps foster the image of bad hackers lurking behind computers when, in reality, it is simply bad business.
Eric Hughes agrees. As a co-founder of Cypherpunks, Hughes is part of a virtual band of code crackers spun out of the Advanced Computer Lab at the University of California at Berkeley, connected by a regular listserv-group e-mail that reports as many as 60 security breeches daily. The group’s raison d’etre, says Hughes, is “evaluating security in the interest of the user. His frank appraisal of the state of the art in electronic-commerce products is a tonic for the hyperbole of the public-relations machine.
I disagree with the characterization that electronic-security tools are in a high state of excellence, Hughes says. In fact, I consider the state-of-shelf quite poor and not economical to deploy. Until platform security is drastically improved, these kinds of problems correctly lead to some queasiness over the widespread use of PCs to keep secrets.Like it or not, the Web denizens like Hughes and Mudge hold the key to the future of electronic commerce on the Internet, and everyone in the industry knows it. After twice seeing headlines about hackers breaking in to its supposedly secure Internet-commerce software, Netscape Communications Corp. decided that if you can’t fight ‘em, join ‘em. The Mountain View, Calif., company that jump-started the Internet race with its Navigator browser has launched a program called Bugs Bounty, which rewards hackers with a token souvenir and public credit for uncovering flaws in its products.
Not all Internet companies are courting the cyber Robin Hoods, however. We’re trying to prove that cryptography is powerful and can make viable, attractive and commercial propositions, while at the same time protecting people’s privacy, says David Chaum, founder and chairman of DigiCash Inc., an Amsterdam company promoting a technology for conducting transactions with electronic money. The Cypherpunk approach is the opposite. It’s ‘We’re gonna make and break systems and we’re gonna debunk things by finding weakness in systems.Unfortunately, the threat facing Net commerce is deeper and broader than the relatively benign figures behind the L0pht and the Cypherpunks might suggest. Another group of hackers-those deserving the negative connotations this term has come to embrace-is at work, with goals ranging from ridiculing to ripping off the symbols of established authority as they emerge on the Net.
Illegal attacks on Pentagon computer systems soared as high as 250,000 last year, according to recent government estimates. The only comment the General Accounting Office could muster was either this is a multimillion-dollar nuisance or a serious threat to national security. For its part, the National Computer Crime Squad says it is inundated.In the past few months, the Web sites of the U.S. Department of Justice and the Central Intelligence Agency have been given the graffiti treatment, complete with Nazi-related profanity and pornographic pictures. Less than a year ago, Russian programmer Vladimir Levin became the cybercriminal of the century when he and his accomplices were caught (but just barely) tapping into Citibank’s vast financial network, from which they were transferring a whopping $10 million to various bank accounts around the world.
No wonder, then, that Citicorp chairman John Reed, in corporate press releases following the Levin debacle, characterized customers as scared to death that criminals will try to access their accounts on the Internet. Reed assured those customers that it will be 50 to 70 years before the majority of people do their business electronically, and that Citicorp considers the Internet off limits as a place to offer banking products until the security issues are solved.Credit-card giant Visa, which has not yet faced hacker onslaughts of either the benign or malignant variety, has put out its own warnings. Until the Secure Electronic Transaction technology it co-developed with MasterCard is deployed, perhaps starting late this year, Web surfers should keep their plastic in their wallets, Visa recommends. We discourage the use of credit cards over the Internet, reads current Visa policy. If you want to conduct business over the Web, please don’t transmit your card number. Use the telephone or the mail.
The potential for fraud and privacy breeches over the Internet is large, says Brian Ruder, who serves as Visa’s vice president of electronic commerce. It’s likely we’ll see more and more abuse.
Many companies are sitting on the sidelines, poised for electronic commerce but not yet into the game. For example, connector maker AMP Inc., based in Harrisburg, Pa., launched a division that will help companies put up Web-based product catalogs as part of its new eMerce Internet Solutions. The group will help create Web sites for sending data to customers, but it will not devise ways to actually make purchases.
Today’s level of capability on our catalog site only allows customers to identify a product and then be directed to a sales or product-information organization to actually order [off-site], says Jim Kessler, AMP’s director of Internet commerce. We have no firm plans to begin to take [credit-card] orders. We will first likely allow customers to order samples or literature over the Internet from our site, so we can then test the environment without high dollar exposure.
Even the leaders in electronic commerce admit they must live with fear in this new business environment. Virtual Vineyards, an upscale Palo Alto wine shop on the Web, kicked off with $300,000 in seed funds and expects to grow into a multimillion-dollar company over the next few years. But that growth will occur in the shadow of the hackers, says co-founder Robert Olson, who spent 20 years working in security with companies such as Hewlett-Packard Co. and Silicon Graphics Inc.
I’m well aware there’s a risk of people getting to my credit-card database, even for 20,000 numbers at a whack, says Olson, whose company uses Netscape’s Secure Commerce Server as the basis for Net transactions. We go way out of our way to protect that stuff, but I’m still extremely nervous.
The exposure to insider computer crime is also great, he adds. If you look at credit-card theft stats, about one-third of is due to insiders, Olson says. I mean, how hard is it to FTP a file over to your machine and then copy it onto a disk? What kind of authentication is there? What kind of protection? Zero.
If electronic commerce is, in effect, one huge security pothole plunk in the middle of the infobahn, plenty of companies are willing to risk their front-end alignments driving down that road. There’s no shortage of banks, software houses, virtual-storefront startups and electronic-payment clearinghouses on, or heading for, the Web, despite the dangers, real or perceived.
And why not? Killen & Associates, a Palo Alto market-research firm, says that by 2000, consumers, businesses, governments and educational institutions worldwide will use Internet commerce for 9 billion payment transactions a year, passing the equivalent of 300 billion digital dollars. In an industry that saw ATMs languish for a decade and credit cards for nearly three before their respective takeoffs, it appears that the Net is on the fast track.
The American Bankers Association says the number of medium to large banks (those with assets of $1 billion or more) offering PC-based transactions will jump from 11 percent to 42 percent by year’s end. Software companies like Intuit Inc., the Mountain View-based maker of the popular Quicken personal-finance program, are hand-holding dozens of institutions, including American Express and the Bank of Boston, in this migration. The technology pieces for Intuit’s Web-only program, OpenExchange, are expected to be in place by year’s end.
Others have their own setups. Security First Network Bank ( HYPERLINK http://www.sfnb.com), which bills itself as the world’s first Web-only bank, has customers set up accounts or personal-finance portfolios while wandering through a virtual bank lobby that has no physical counterpart. Similar cyberstorefronts already exist for bookstores http://www.amazon.com, music stores http://www.cdnow.com and wine shops http://www.virtualvin.com. All are pulling in customers by the tens of thousands, earning millions and pouring the profits back in, with the expectation of an even sunnier tomorrow. The most omnipresent businesses on the Web are established newspaper and magazine publishers, which project selling $240 million in virtual ad space by year’s end.
No standard way exists to transact electronic commerce today, no commonly accepted protocols or encryption requirements. But there’s no shortage of approaches to the task. For many would-be electronic-money handlers, the payoff comes in carving out a spot as a digital clearinghouse for transactions and collecting a toll for the security they provide.CyberCash Inc., based in Reston, Va., buffers credit-card transactions by acting as a virtual gatekeeper between the Net and the banks’ private networks. Users typically download a “wallet application that resides on their desktops. When they decide to buy something over the Internet, the merchant sends them a special invoice. The user enters a credit card number, which gets encrypted by the wallet app. The merchant returns it, along with a confirmation number-also encrypted-to a server maintained by CyberCash.
The server decrypts the data off-line and routes it to the merchant’s bank over private banking networks. The bank, in turn, sends the data to the customer’s bank or credit-card firm, which responds with an approval or denial code. The merchant’s bank passes the code to CyberCash, which passes it to the merchant. It sounds cumbersome, but the process supposedly takes just 20 seconds, and the merchant never sees the credit-card number.
CyberCash levies a fee of about 30 cents per transaction for this service. To expand its reach, it launched a related micro-payment service in September dubbed CyberCoin, aimed at small transactions of 25 cents to $20, which credit-card companies typically won’t handle.
Like CyberCash, First Virtual Holdings Inc., based in San Diego, has also set itself up as a clearinghouse for Internet payments, targeting individuals and small businesses that want to buy and sell on the Net but don’t want to set up their own infrastructure. More than 100,000 people have used First Virtual so far, paying an initial $2 setup fee and 29 cents per transaction plus 2 percent of the purchase value.
To shop via First Virtual, a customer applies for a confidential encrypted ID number, a virtual PIN. When ready to buy, the user e-mails the merchant this ID number and the merchant forwards the message to First Virtual for verification. The company then e-mails the user for confirmation of the purchase decision. If the user assents, a First Virtual agent gets on the phone to deliver the user’s credit-card number verbally. First Virtual says its rather low-tech method is more secure.
Although growing in popularity, the drawback of the CyberCash and First Virtual-style approach is that merchants know who customers are and exactly what they have bought. Most Net users would prefer to buy and sell anonymously, and DigiCash believes it has found a way to let them. The Dutch company is trying to create the electronic equivalent of money that users can spend over the Internet in virtual anonymity. This idea of untraceable electronic cash, though valued by many consumers, is a controversial notion with governments and some merchants as well.
In the DigiCash scenario, users first buy digital currency from a virtual bank, drawing on their checking accounts. The bank sends the customer an encrypted e-mail ID message that enables him to spend his electronic money on-line. The merchant who receives the payment sends the cybercash back to the bank, where the ID number is verified and the payee’s account credited. About 50 banks and merchants are using the DigiCash system so far. The company levies users a setup charge of $25 and a monthly fee of about $3.
Not surprisingly, Netscape and Microsoft Corp. are pushing their own payment protocols and installing them in their browsers and Web servers. Netscape’s Secure Courier scheme encrypts data and authenticates the identities of individuals and merchants using a technology dubbed Secure Electronic Payment Protocol (SEPP), co-developed with Visa and MasterCard. But joint development ended last year when Visa jumped ship to work with Microsoft on Secure Transaction Technology (STT) As MasterCard and Netscape continue noodling with SEPP, the card company is also forging ahead with Visa and other partners, including Netscape and Microsoft, on a next-generation specification:Secure Electronic Transaction (SET). The SET protocol for securing card-payment transactions is seen as the great plastic hope for the next phase of Internet commerce. Visa says that SET will make card holders feel as “comfortable using their cards in cyberspace as they do in the physical world. An initial spec is in market trials now; products supporting a final version will probably start appearing next year.
For their part, Microsoft’s STT and Netscape’s SEPP both provide digital signatures and user authentication for securing electronic payments. But STT claims it has stronger authentication controls for export overseas and more efficient protocols that require fewer calls to initiate a communications session. In any case, both technologies will probably fade fast if SET takes over.
A Crackable World
The more backers like Visa tout the impregnability of upcoming security technologies such as SET, the more they tempt hackers. SET’s okay, but it was designed by the card associations in their own best interests, says the Cypherpunk’s Hughes. One of the main problems with standards in this area is the paucity of experience that most designers bring to it. In short, he says, it would be a challenge to break their system. And it will be broken.
Indeed, the rule of thumb in electronic commerce is that you cannot build anything that cannot be cracked. In part, that’s because all wannabe security standards are built on sand. The two most popular encryption technologies currently in use are the public-key technique known as Digital Encryption Signature (DES) and the private RSA/PGP (Pretty Good Privacy) scheme from RSA Data Security Inc., based in Redwood City, Calif. DES has been widely used for over 20 years by financial networks such as Swift, the electronic network created by the Society for Worldwide Interbank Financial Telecommunications. RSA/PGP dominates the standards war on the Internet.RSA technology has been cracked several times, most notably in implementations of secure server software from Netscape. DES, though never cracked in a real-world network, has been brought down in theory by means of paper break-ins that assumed adequate time and computing horsepower were thrown at the problem. Thus, choosing a security strategy comes down to a matter of pick your poison, says Yobie Benjamin, an expert Java hacker and technology consultant at Cambridge Technology Partners, based in Cambridge. Mass. They’ve all been cracked, Benjamin says. One-hundred percent secure means your computer is not connected and you therefore derive zero profits from the Net.
Ultimately, in a world of insecure networks with less-than-perfect security tools, participation means taking a calculated risk. In that way, the virtual world mirrors the real one; after all, they rob banks, don’t they?
Chaum of DigiCash says nothing is as insecure as the way credit cards are handled at store checkout counters. There are those little plastic boxes that cost $100 and have a few hundred card numbers stored in them, he says, and those numbers are communicated over the phone line every evening by those boxes. So if you want to grab credit-card numbers, there are probably a lot of easier ways to do it than by hacking into the Internet. Hacker Mudge agrees:There are many more people picking credit-card receipts out of trash cans than sniffing communications lines or breaking encryption schemes.
Whenever I’m confronted with the question of Internet security, I always ask people how many are using cordless phones,says Kessler of AMP. The fact is they’re very insecure, especially the old analog ones. You can pick up the telephone and listen to your neighbor’s conversation. In the end, there is no security system that is 100 percent safe, says Visa’s Ruder. Rather, the goal is to make the cost of breaking the security more than the value of what is obtained.
Perhaps the most important question, then, is not whether people are actually safe but whether they feel they are. In the downtown bank with the steel vault and security guard, the answer is generally yes. But when surfing the Web?
The Internet has become a target for people to throw stones at, Kessler says. The occasional hacker gets a great deal of publicity, but on a per-use basis, the Internet is secure. It’s sort of like the airline tragedies:They get a tremendous level of visibility, but if you look at airline travel statistics, it’s actually far more safe than driving your car.
People’s fears are grounded in fact, and the fundamental fact is that the Internet is not secure and will never be 100 percent secure, says consultant Benjamin. However, that does not negate the ability to conduct Internet commerce. Benjamin’s model is like Visa’s. It suggests that value derived from the Internet must be greater than the associated risks.
Thus, commerce vendors have a responsibility not to blindly tout the security of their products but, rather, to create realistic expectations about a comfort zone of what is and what is not safe. Consumers will need to see global organizations like Visa say they believe it is safe to shop before people will feel comfortable with Internet commerce, says Visa’s Ruder.
Perception is security, says Cypherpunk Hughes. And the perception of safety can be cultivated, despite the fact there may never be true security in Internet commerce. In some small ways, it is already growing quietly, here and there, in a kind of spontaneous evolution. It’s obvious that there are technical means of attack which can break security down, says Olson of Virtual Vineyards. But what we’ve found is that once people place their first order with us, they come back. We get a lot of repeat customers.
Larry Lange is Internet editor of EE Times.