A friend of mine told me this week that she would never store personal information online because "she heard" that someone might gain access to her information and steal her identity. She also was 100% convinced that she should never order anything online because "it isn't safe." When I asked her where she obtained these warnings, she admitted that she did not remember but that she "heard it someplace."
I’m afraid my friend has been living under a rock.
In fact, many governments and almost all financial institutions safely and securely move billions of dollars online every day. Your bank moves perhaps millions of dollars online every day, unless it is a very small bank. Stock brokers do the same. Hundreds of thousands of web users place orders online every day. None of them ever lose a penny due to online data transfers. How can they do that?
One word: encryption.
There are now about a dozen or so online backup services that will store your information for you and make it available if you ever have a computer disaster (crashed disk drive, fire, flood, hurricane, etc. or even an "Oops" moment when you accidentally delete something). If your data is stored on an online backup service, you can retrieve it at any time you wish. Most of these services have never had a bit of data stolen. On most of these services, even the company's employees cannot see your information even though you can retrieve the information quickly and easily. How can they do that?
One word: encryption.
Even the email you send and receive could be secure, although many people don't know that and don't do that. Both the sender and the receiver have to be set up for secure email. Secure email is relatively simple to implement. How can they do that?
One word: encryption.
Encryption is the one thing that allows computer users, financial services, and even governments to securely move information around the Internet and store it.
Perhaps the biggest encryption users of all are the military services. What can be more sensitive than storing a country's war plans, a list of proposed targets, troop movements, and even intelligence obtained about the enemy's plans? Can you imagine anything more sensitive than military plans and intelligence? Yet the military transfers billions of bytes per day across their own networks without concern of enemy interception.
Admittedly, military organizations usually have their own networks. They do not move information across the public Internet. However, civilian agencies of the U.S. Government routinely move sensitive information across the public Internet with no risk of interception. Such agencies include the Internal Revenue Service, the Social Security Administration, and the Federal Reserve System. How can they do that?
One word: encryption.
If the government trusts its military secrets to encryption, you can do the same for your "secrets:" your credit card numbers, your checking account information, your brokerage account data, horse racing bets sent to your bookie, and love letters to a girlfriend. Properly implemented, encryption provides a safe and secure method to store and transfer your data. Even the FBI cannot (easily) decode your data. Luckily, a "proper implementation" is easy to create.
The Roman Legions had a method of encrypting their written messages. Most military organizations have done the same ever since. The U.S. military used encryption during the Civil War, possibly earlier. These were all encryption methods generated by hand.
The U.S. Government has been using machine-generated encryption since before World War II. I was a crypto technician in the U.S. Air Force during the Viet Nam War and still remember in detail how we secured both voice and digital data at that time with high-speed, computer-generated encryption. Secure (encrypted) web protocols have been available to everyone for about fifteen years now and are commonplace. Safe and secure email has been available for nearly as long, although very few people use it outside of the military.
So why do some people think that online data is inherently unsafe? Apparently, these "urban legends" remain even years after they are no longer correct. Sophisticated technologies have prevented the theft of transmitted data for years now.
Encryption in a web server uses Secure Sockets Layer, or SSL. SSL has recently been renamed Transport Layer Security (TLS). However, most people still refer to it by the old name: SSL. For anyone interested in the technical details of how SSL/TLS works, I'd suggest you read the article at http://en.wikipedia.org/wiki/Transport_Layer_Security.
For those who do not care for the technical mumbo-jumbo, I will offer this quick quote from the beginning of the Wikipedia article:
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.
Focus on those words, "TLS provides endpoint authentication and communications confidentiality over the Internet..." In other words, you know what web server you are connected to, and you also know that no one else is able to "eavesdrop" on the data you send to that web site or receive from that web site. When connected in SSL/TLS mode, you can safely enter credit card numbers or other personal data. You know that it will only be stored on that one web site.
If you operate a web site, you need SSL security if:
- you have an online store or accept online orders and credit cards
- you offer a login or sign in on your site
- you process sensitive data such as address, birth date, license, or ID numbers
- you need to comply with privacy and security requirements
- you value privacy and expect others to trust you.
When connected to a site in SSL mode, you will see an icon of a closed padlock, probably in the lower right corner of your web browser. You will also note that the web site's address displayed near the top of your web browser starts with "https://..." The letter "s" after "http" indicates that you are in secure, or SSL, mode.
I would never hesitate to enter credit card information into any known web site that displays the closed padlock and also shows a web address beginning with "https..." Likewise, I often access my online bank account, a web-based stock brokerage, PayPal, and many other web sites. I always look for the padlock and the address beginning with "https" before entering private information. Again, I only enter and display my private information on web sites I know and am familiar with, such as my bank or brokerage service or PayPal.
NOTE #1: It is not necessary to have all web pages encrypted. The only time it is important is when you are on a web page that asks you to enter private information.
NOTE #2: We sometimes read about “hackers” breaking into merchants' computer systems and, unfortunately, such attacks are real. However, they have nothing to do with sending data across the Internet. These attacks are focused on obtaining stored information from computers, regardless of where the information originated. In the recent theft of credit card data from one major U.S. retailer, most of the information stolen had never traveled across the Internet. It was data entered by other sources within the company, then later stolen by thieves. Sending data across the Internet does not increase or decrease the threat of someone later stealing your information from a merchant's insecure computers.
The threats are the same whether you use a credit card on the web, in person, in a store, by mail order, or by telephone orders. Once the information is stored on a merchant's computers, we are all at the mercy of that merchant's security policies. Luckily, most merchants have excellent security and are audited often to make sure that security is maintained. We only read about the exceptions.
A note about email
One statement I have heard thousands of times is, "Don't send credit card numbers or other personal information through standard email." I agree strongly with that statement, although I will emphasize the words "standard email." In fact, there are a number of safe, high-security email systems available today. The problem is that most people don't know about them and don't use them.
Some of the better secure email systems include HushMail at http://www.hushmail.com, 4SecureMail at http://www.4securemail.com, Comodo SecureEmail at http://www.comodo.com/home/internet-security/secure-email.php, S-Mail at http://www.s-mail.com, and others. Hushmail even offers free secure email. Details may be found at http://www.hushmail.com/services/hushmail. The exact details will vary from one secure email provider to another, but most of them require the use of special software at both the sending and the receiving computers. The software might be installed on each computer's hard drive, or it might be web-based (open up a web browser and go to the service specified). In almost all cases, the sender and receiver must have exchanged "secret keys" in advance of sending the email message(s).
A simpler method is to create encrypted files containing your messages and then send those files to the recipients as attached files to normal email messages. You can find many different utilities to create encrypted files, and most of them are available free of charge. Again, both the sender and the recipient must know the secret encryption key in advance.
Even the popular ZIP format has the capability to create encrypted files. ZIP's encryption format is rather simple and can be broken by sophisticated decryption techniques. However, ZIP encryption will still lock out perhaps 99.9% of the people who might see the message. That may or may not be enough security for you. If not, find a higher-security product, such as PGP (which stands for "Pretty Good Privacy") at http://www.pgp.com/. PGP is so good that it was once banned by the U.S. government. However, the government later relented, and PGP is now legally available to all U.S. citizens.
NOTE #3: Encryption programs are banned in some other countries, notably France. Check your local laws before using encryption. U.S. citizens are allowed to use encryption and are even encouraged to do so.
NOTE #4: Voice calls made between computers that use the Skype service on both ends of the connection are always encrypted. Skype conversations between computers is always more secure than normal telephone calls. However, be aware that this is true only for computer-to-computer Skype connections. If you call a regular, old-fashioned telephone by using one of Skype's optional services, or if you receive calls on Skype from regular telephones, at least part of that path is unencrypted. Skype is only guaranteed to be secure on Skype-to-Skype connections.
Whatever method you choose, secure email keeps prying eyes away from your messages. And, yes, you can safely send credit card numbers in secure email messages, but never in normal email.
My paranoid friend will probably never believe it, but sending information on the World Wide Web can be done safely and with assurance that your data is secure. You do have to pay attention to a few basics, however. You wouldn't send confidential information through regular mail in an unsealed envelope. In a similar manner, you shouldn't send confidential information electronically via unencrypted means.
By paying attention to these security issues, you, too, can safely send sensitive information across the World Wide Web.
