By Erich D. Heintz, from defendingthenet.com, CastleCops Staff Writer
June 16, 2005
My Mother Was Hacked?
I received a frantic email a week or so back from my mother. While this wasn’t unusual, it wasn’t the typical motherly report of which sibling did what stupid thing. She’d been hacked, or so she claimed. While I found it unlikely that she had been hacked in any sense in which I define the word, my curiosity was piqued, so I gave her a call to find out exactly what had happened.
Electronic Debit Card Theft
As it turns out, someone had filched her debit card number and was using an ISP in the former Soviet Union to sign up for several “singles” websites. Unfortunately, the way she found out was by discovering a negative balance in her checking account. To her credit, she had already contacted her bank and had the card frozen. She had also contacted the websites involved and was in the process of resolving the debts with them.
Knowing the details, I was comfortable that my mother hadn’t been hacked; rather, someone with whom she had done business had had their customer data compromised in some way. Not wanting to ignore my familial and professional responsibilities, I gave her computer a once-over. It came up clean, with the exception of the typical doubleclick and adserver cookies. Taking it a step further, I decided to dig up a couple of “Tips for secure web surfing” links for her perusal.
Debit Cards, A Direct Link To Your Money
I have to admit I was somewhat disappointed in the results of my search. While there was plenty of good advice available, there were two things I found troublesome. The first was that, while most sites highly recommended using credit cards exclusively for online purchases, only one site stressed the danger of using debit cards. A debit card is a direct link into your checking or savings account. Unlike a credit card, where a fraudulent charge can be disputed and the issuer will place a hold on the debt, once you reach the point of disputing a debit card transaction, the money is already gone.
My second concern was the heavy emphasis on the use of SSL, more commonly known as “the little lock in your web browser”. The Federal Trade Commission lists it first in their “Shop Online Safely” bulletin, which, in my opinion, overstates its weight.
Once upon a time, SSL certificates were expensive and there was a meaningful vetting process involved in having one issued. This has created a false belief that an SSL certificate contributes to a website’s legitimacy. In reality, an SSL certificate can be had for as little as five dollars by anybody who has a telephone number. An expensive Thawte- or Verisign-issued certificate provides no more and no less security than its cheaper counterparts. In fact, they don’t provide any more security than a “bad” certificate either: an expired or untrusted certificate is exactly as effective at encrypting data as a premium cert. Many security and IT professionals work with these “bad” certificates every day with full confidence that they are serving the purpose they need them to.
SSL Encrypts Online Web Communications
For the most part, SSL serves one function only: it secures the communication between your web browser and the vendor’s web server at the time your data is transmitted. In reality, even this isn’t necessarily true. I’ve recently become aware that some SSL implementations have the option to set the encryption cipher to “plain text”, meaning that, in spite of the presence of the lock, no encryption actually takes place.
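The “plain text” option the article refers to corresponds to the NULL-encryption cipher suites defined in the TLS registry, which provide integrity but no confidentiality. The following is an added example, not code from the original article or from any product it mentions: it parses the cipher suite a server selects in its ServerHello, flags the NULL suites, and shows the defender-side fix of configuring a client so those suites are never offered in the first place. The ServerHello bytes are constructed inline for the demonstration; the `build_server_hello`, `negotiated_cipher_suite`, `encrypts_traffic` and `client_context_without_null` names are this example's own.

```python
import ssl
import struct

# Cipher suite ids from the IANA TLS registry whose bulk cipher is NULL:
# the handshake and the lock icon look normal, but application data is
# sent without confidentiality.
NULL_ENCRYPTION_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0xC001: "TLS_ECDH_ECDSA_WITH_NULL_SHA",
    0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
}


def build_server_hello(cipher_suite: int) -> bytes:
    """Construct a minimal TLS 1.2 handshake record carrying a ServerHello
    that selects `cipher_suite` (sample data for this demo; a real
    ServerHello also carries extensions after the compression byte)."""
    body = b"\x03\x03"                     # server_version: TLS 1.2
    body += bytes(32)                      # random: zeros (constructed)
    body += b"\x00"                        # session_id length: 0
    body += struct.pack(">H", cipher_suite)
    body += b"\x00"                        # compression_method: null
    # Handshake header: type 2 = ServerHello, then a 3-byte length.
    handshake = b"\x02" + struct.pack(">I", len(body))[1:] + body
    # Record header: content type 22 = handshake, version, 2-byte length.
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def negotiated_cipher_suite(record: bytes) -> int:
    """Parse a TLS handshake record holding a ServerHello and return the
    cipher suite id the server chose."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                            # skip version and random
    sid_len = body[pos]                     # variable-length session id
    pos += 1 + sid_len
    if len(body) < pos + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack(">H", body[pos:pos + 2])[0]


def encrypts_traffic(record: bytes) -> bool:
    """True when the negotiated suite provides confidentiality; False when
    the browser would show its lock over a NULL-cipher session."""
    return negotiated_cipher_suite(record) not in NULL_ENCRYPTION_SUITES


def client_context_without_null() -> ssl.SSLContext:
    """Client-side hardening: never offer NULL-encryption or unauthenticated
    suites, so a server cannot select one no matter how it is configured."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:!eNULL:!aNULL")
    return ctx


def context_offers_null(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context's offered cipher list include NULL?"""
    return any("NULL" in c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for suite in (0x0002, 0x002F):          # NULL-SHA vs AES128-SHA
        verdict = "encrypts" if encrypts_traffic(build_server_hello(suite)) else "NULL cipher, no encryption"
        print(hex(suite), verdict)
    print("client offers NULL suites:", context_offers_null(client_context_without_null()))
```

Python's `ssl.create_default_context()` already excludes NULL suites; the explicit `set_ciphers` call makes that policy visible and auditable, which is the point when the presence of the lock alone proves nothing.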
Conclusion
In a nutshell, technology is not a substitute for due diligence. The presence of SSL should never be a deciding factor in choosing to purchase from a vendor, although the lack of it should be an immediate red flag to take your business elsewhere.
Useful links:
Shop Online Safely (US Federal Trade Commission)
Online Shopping Tips (Privacy Rights Clearinghouse)
SSL’s credibility as a Phishing Defense is Tested (Netcraft)