Anorak News | Shopping For Fraud On The Internet

Shopping For Fraud On The Internet

by | 10th, August 2007

 IN Legislation cannot stop people being born idiots, Dizzy looks at shopping on the web and online crime:

I was rather disappointed to see a bit of opportunism this morning in the Times. The article is about a report by the House of Lords about how tremndously dangerous the Internet is for fraud etc and how “something must be done!” by the Government. James Brokenshire, a Conservative home affairs spokesman, is quoted as saying

“This report underlines the Governments complete failure to appreciate or address the extent of crime committed online. There is little coordination, leadership or urgency sending out a message that this country is a soft touch on e-crime.”

This is I think nonsense, lots is being done to tackle crime online, the problem is that people are stupid and the Government, whichever party controls it, can do little to rectify that. Some of the recommendation of the report are also quite quaint.

For example, it criticises the Government for taking the stance that security is a matter for the individual. There is nothing wrong with that stance though, it’s true. Does the Goevrnment legislate to ensure that we keep our personal belongings on our person? No. Do we have laws requiring us all to have keys or wallets on a chain connected to us. Of course we don’t. Who is repsonsible for the security of our homes? The locks in our doors? Whether we leave the window open or closed? It’s not the Government, it is individuals proeprty owners. Individuals acting online are no different and equally responsible for their security.

When you get that email from the “bank” telling you to click a link and login to confirm your details, if you do it then you’re an idiot and deserve to be fleeced. If someone knocked at your door and said “I’m from the bank, can you give me your cash card and confirm your PIN number please?” what would you say? Exactly. You’d slam the door in their face whilst probably telling them to go away in the anglo-saxon vernacular.

The Lords report also says it wants to “establish a kitemark for secure internet services”. This already exists. It’s called a Secure-Socket Layer certificate and the use of a functioning brain that can read a URL. That little padlock you see when you buy something online means you have created a 128bit encrypted tunnel with the remote server from your browser. It’s not beyond the realm of possible that someone could penetrate the tunnel, but the length of time it would require to do so compared to the length of time the tunnel is up makes it unlikely.

Double-click the padlock next time it appears as well. You’ll get to read the certificate details. You will see the name of the signing authority, and deatils about the company that purcahsed the certificate, as well as how long the certfiicate is valid for. If you ever get a certifcate warning error when you’re browsing a site then you’re taking a risk about whether it is valid. The tunnel will still be encrypted, but you have no knowledge about the validity of the server you’re connecting too.

Of course, even if there was some new kitemark it won’t serve to mean very much if your machine has already been compromised. This is true for an SSL connection too. If your machine is compromised then the tunnel becomes meaningless anyway. The same is true if the remote server is compromised, and it’s worth remembering that a good hacker is likely to own a system for a while before it becomes clear to the sysadmin that it is compromised. Being rooted is an occupational and general hazard online, just like being burgled is in the real world.

The Lords report also mentions the compromising of credit card details. Technically speaking, if a business plans to have a payment gateway and store credit card details then VISA and Mastercard will want massive audits done and extremely aggressive security protocols on the data. Numbers will be encrypted for a start and if you fail an audit the authorising houses for credit card transactions will simply remove a companies right to accept those payments anymore. A large number of banks are already implementing extra security protocols as well. Natwest Bank has introduced a secondary layer of password security for card purchases with partnered sites like Amazon.

Yes, the Internet is the Wild West, but security of your information online is a matter for individuals and/or businesses. Legislating in the UK won’t make a blind bit of difference to when you purchase from elsewhere. Banks as well cannot be held responsible for fraud committed against their customers when it is the customers own stupidity that has caused the fraud to occur. Stupid people will always get conned and ripped off, and the Government can’t legislate to stop people being born idiots.

Posted: 10th, August 2007 | In: Reviews Comment (1) | TrackBack | Permalink