Everyday Security Basics
The issues underlying security on the Internet are not that different from security issues we face when making everyday transactions. These issues are not just about monetary transactions that involve the exchange of money during purchases, but any transaction where there is dissemination of critical information such as social security or other uniquely identifying numbers, or of limited resources, such as money.

Transactions rely on a level of trust between the parties involved in the transaction. The person disseminating information must prove to the person receiving information that she is who she claims to be. The person receiving the information must also prove to the person disseminating the information that he will hold the information in confidence and use it responsibly and appropriately. In many situations, the second person may also have information to disseminate based on the received information. In this case, both parties must prove their identities to the other.

As an example, imagine that Person A is trying to get a Personal Identification Number (PIN) and password for using a calling card from Person B. Before issuing the PIN and password, Person B requests Person A's credit card number to which it will charge the cost of the calls. Before giving out the credit card number, Person A must be sure that Person B is who he says he is, e.g., a legitimate representative of the phone company. Person A must also prove to Person B that she is who she says she is and the legitimate owner of the credit card. Otherwise, if Person A is not the legitimate owner of the credit card, the credit card company may not release funds to the phone company even though Person A has used the calling card to make calls. Figure 8-1 illustrates this conversation between the two people and shows the importance of trust in the transaction.

Figure 8-1. The importance of trust between transacting parties.

Every transaction involves risks, whether it is conducted online over the Internet or face to face. These risks can be classified into four broad categories:

  • Identity risks: The party with whom you are transacting is not who he says he is; the party is an imposter. The imposter could be an individual or a retail merchant. A retailer may use the exact or similar name of a trusted brand to deceive its customers. Although this is more difficult to do (at least for very long) for merchants that have a physical presence (e.g., brick-and-mortar companies), it is easier and more prevalent with online, mail order, and telephone-based businesses.

  • Information theft: The person to whom you gave your critical personal information uses it not only for the current transaction, but also for subsequent unauthorized transactions. A personal credit card number may be given to a retailer for a legitimate purchase. Later, the retailer may use the credit card number to make transactions on his own behalf that are unknown to and unauthorized by the credit card holder.

  • Information interception: A person different from the person to whom you legitimately gave your personal information intercepts the information and uses it to his benefit. Interception of personal information such as credit card numbers can occur through others overhearing your telephone conversation with phone-based businesses, looking over your shoulder at checkout counters and automatic teller machines (ATMs), or by simply going through your personal mail.

  • Negligence: A person who is both legitimate in his identity and to whom you legitimately provided your personal information may carelessly make that information available or easier to access by others. A call center operator of a telephone-based business may write down your name and credit card number on a piece of paper and then later enter the information into the computer for a legitimate transaction. She may negligently forget to destroy or shred the paper and instead simply discard it. A third party may locate that piece of paper and use the information for his personal gain.

These categories of risk are all around us throughout our everyday lives. As some of the examples above show, even someone who completely avoids computers and the Internet still faces these risks when carrying out transactions.

However, the increasing use of computers for electronic transactions increases the potential for security breaches. At the same time, electronic transactions provide more opportunities to identify, document, and trap security breaches. In the next section, we discuss the importance of looking at security from an end-to-end perspective, and not just a point-to-point one.



Developing Enterprise Web Services: An Architect's Guide
ISBN: 0131401602
Year: 2003
Pages: 141