The problem of web site spoofing or phishing is an increasing one.
Here, Richard Moulds of nCipher explains how e-commerce providers
can deliver a higher level of trust by extending the reach of their
secure technology.
Richard Moulds of nCipher takes a look at the problem of web
site spoofing and explains how e-commerce providers can deliver a
higher level of trust.
Despite the rapid increase in on-line commerce, it is estimated
that some 85% of transactions are still cancelled at the final
'confirm and buy' page. While some of these aborted purchases are
simply down to people changing their minds, many are due to
concerns about security and a reluctance to dispatch credit card
details and other personal information across the unknown internet.
Maybe this is not surprising given the amount of publicity
generated by new cases of internet hacking and fraud.
People who buy things on-line may be familiar with the
closed-lock padlock in the bottom right hand corner of their
screens. While this is meant to provide a sense of security, how
many internet shoppers actually know what it refers to? In fact the
padlock is there to show that at that particular time, i.e. on the
current web page, communications with that site will be secured
using encryption based on a protocol called SSL – or Secure Sockets
Layer (see explanation below). In an e-commerce transaction, SSL
achieves two things. It authenticates to the user the identity of
the organisation responsible for the site in question and ensures
that any information transmitted between the purchaser's web
browser and the merchant's web site is protected from potential
eavesdroppers or hackers listening in from anywhere on the
internet.
But sometimes all is not what it appears to be. 'Spoofing' or
'phishing' is the latest type of internet fraud, where fake web
sites are set up that mimic well-established companies and persuade
those who visit them to part with credit card details and other
valuable financial information.
Many of the biggest names in the .com world have been victims,
including Amazon, AOL, eBay and PayPal as well as a number of
high-street banks. In one recent case a gang of Nigerian fraudsters
set up a fake version of NatWest's on-line service and used it to
con two Canadians out of more than £100,000. The web site was
identical to that of the real bank but had an additional 'the' at
the beginning of the web address.
In another recent case, the US Federal Trade Commission charged
an unidentified 17-year-old boy with producing a look-alike web
page for AOL and conning hundreds of people out of their credit
card information. The teenager produced e-mails that told the
recipients they needed to update their AOL billing information by
clicking on a link marked 'AOL Billing Centre'.
They were then diverted to a phony web site that looked
identical to the real thing and instructed to enter credit card
numbers, billing addresses and other details including AOL screen
names and passwords.
Establishing trust
The proof of a web site's authenticity is in its digital
certificate and the security foundations of digital certificates
are the 'private' SSL encryption keys used by the web server. If an
attacker has the private key, then they can spoof a web site not
only with look-alike pages but also with outward proof – the
digital certificate – that the impostor site is the real site.
Furthermore, they will also be able to decrypt all the traffic that
is going to and from that site.
Therefore a web site's identity and the integrity of on-line
transactions cannot be truly trusted unless the SSL private keys
are kept absolutely secret. The problem is that many sites still
store their cryptographic keys in the memory of their web servers.
But because of the inherently random nature of the data that
makes up these keys, a quick memory scan will easily identify where
they are stored – making them vulnerable to attack. The most
effective means of protecting private keys therefore is to store
and process them in a secure hardware device or hardware security
module (HSM) that will ensure that private keys are always
protected from compromise.
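Why random key bytes stand out from ordinary server memory, shown as an added example (not part of the original article) that a defender could run over a crash dump or backup to find stray key material. The buffer, the SHA-256 output standing in for a private key, the window size, the threshold and all function names are assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte, from the byte histogram of this block."""
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in Counter(block).values())

def high_entropy_regions(buf, window=64, step=16, threshold=5.3):
    """Return merged (start, end) spans whose sliding windows look random.

    A 64-byte window can reach at most 6 bits per byte. Text and protocol
    data stay well below the threshold; key bytes sit close to the maximum.
    """
    regions = []
    for start in range(0, len(buf) - window + 1, step):
        if shannon_entropy(buf[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # overlaps: extend previous span
        else:
            regions.append((start, end))
    return regions

def build_sample_memory():
    """Constructed buffer: HTTP request text around 256 pseudo-random bytes
    standing in for a private key held in web server memory."""
    request = (b"GET /basket/confirm HTTP/1.1\r\n"
               b"Host: shop.example\r\nAccept: text/html\r\n\r\n")
    filler = (request * 10)[:512]
    key_standin = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    return filler + key_standin + filler, 512, 512 + len(key_standin)

if __name__ == "__main__":
    memory, key_start, key_end = build_sample_memory()
    for start, end in high_entropy_regions(memory):
        print(f"high-entropy span {start}-{end}, key stand-in at {key_start}-{key_end}")
```

A key that is generated and used inside an HSM never appears in host memory, so a scan of this kind has nothing to find.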
The tamper-resistant security modules integrate directly with a
web server and store all the private keys and host all
cryptographic functions. The most secure devices – such as
nCipher's nShield HSM – are validated to FIPS 140-2 Level 3, the
most widely recognised security benchmark for secure cryptographic
modules.
The importance of securing keys in hardware has also been
recognised by VeriSign, the world's leading provider of digital
certificates. For the first time a commercial SSL certificate has
been created specifically for organisations that wish to protect
their web site with hardware.
VeriSign and nCipher have joined forces to counter the threat of
web site spoofing and on-line data theft with a new premium grade
VeriSign SSL certificate that is protected in a FIPS 140-2
certified HSM throughout its lifecycle.
Companies implementing VeriSign's Hardware Protected SSL
Certificate will be able to display a distinct VeriSign Secure Site
Seal on their web sites that will give users greater confidence in
doing business on-line.
Beyond the web server
With hardware security, SSL is capable of authenticating the web
site and securing data as it travels between a browser and a web
server – but what risks lie beyond the web server? After all, if an
SSL session is terminated on a web server and sensitive information
– such as a password and PIN for example – is unencrypted and left
exposed, the point of weakness is simply shifted. This is in fact a
common scenario, as authentication information often needs to be
stripped and compared with data stored in a back-end database for
validation.
The challenge, therefore, is to extend the security provided by
SSL deeper into the web site infrastructure in order to protect
data behind the firewall from internal as well as external attacks.
As the concept of perimeter security, relying solely on creating a
secure network boundary around an organisation, becomes outdated, it
becomes even more important to protect sensitive information
wherever it flows, inside or outside a corporate network. To
achieve this, the same tamper-resistant hardware protected
environment used to store SSL keys can now be used to terminate SSL
sessions, process unencrypted data and pass traffic securely on to
other back-end applications.
SSL has come a long way and the encryption protocol is now being
widely adopted as a major industry standard. What lies behind the
simple padlock is a complex technology that underpins the security
of the internet. Providing that it is deployed correctly, which
typically includes the use of a dedicated HSM for any organisation
handling sensitive information, SSL delivers the all-important
level of trust that is vital if more of us are going to have the
confidence to buy and do business on-line.
nCipher is exhibiting at Infosecurity Europe 2004, which
takes place at London Olympia from 27th to 29th April,
2004.
The event brings together professionals interested in IT
security from around the globe with suppliers of security hardware,
software and consultancy services.
See: www.infosec.co.uk
What is SSL?
The SSL protocol was developed in 1994 by Netscape – one of the
early internet browser pioneers – for securing web transactions and
messages over the internet and today is included in all standard
browsers along with most web server products. SSL uses a process of
public key encryption to secure the connection between your web
browser and a remote web server.
Public key encryption uses a pair of asymmetric keys for
encryption and decryption. Each pair of keys consists of a public
key that anyone can know and a private key that is never
distributed and always kept secret. Data encrypted with the public
key can be decrypted only with the private key. Conversely, data
encrypted with the private key can be decrypted only with the
public key.
When a customer uses a web browser to connect to an online store
to carry out a purchase or visits their online bank, the SSL
protocol causes the vendor's web server to present its public key
in the form of a digital certificate to the customer's web browser,
to identify and authenticate itself. The customer's web browser
then creates and encrypts a 'session key' using the public key
information stored in the digital certificate. This session key is
returned to the vendor's web server, where it is decrypted using
the web site's own, and hopefully secret, private key.
Only the correctly matching private key can decode the message,
so the communication between the two parties is secured with a
single shared secret key. Secure communication can then take place
between the vendor's web server and the customer's web browser.
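The session key exchange described above, as an added example (not part of the original article), showing that the private key is the only thing separating the genuine server from a site that merely presents a copy of its certificate. It assumes textbook RSA with a small constructed key and a simplified HMAC proof in place of the real protocol messages; all names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo key pair built from two known Mersenne primes. Textbook
# RSA, no padding, roughly 216-bit modulus: for illustration only.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, published in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, meant to stay on the server

def _finished_mac(session_key: int) -> bytes:
    """Proof that a party holds the session key (simplified stand-in)."""
    key = session_key.to_bytes(32, "big")
    return hmac.new(key, b"finished", hashlib.sha256).digest()

def browser_send_session_key(cert_n: int, cert_e: int):
    """Browser: create a session key, encrypt it to the certificate's public key."""
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, cert_e, cert_n)

def server_prove(wrapped_key: int, private_exponent: int, n: int) -> bytes:
    """Server: decrypt the session key with its private key, prove possession."""
    return _finished_mac(pow(wrapped_key, private_exponent, n))

def handshake_succeeds(server_private_exponent: int) -> bool:
    """Run one exchange; True if the browser accepts the server's proof."""
    session_key, wrapped = browser_send_session_key(N, E)
    proof = server_prove(wrapped, server_private_exponent, N)
    return hmac.compare_digest(proof, _finished_mac(session_key))

if __name__ == "__main__":
    print("genuine server, holds D:         ", handshake_succeeds(D))
    print("copied certificate, wrong key:   ", handshake_succeeds(D + 2))
    # A copied D behaves exactly like the genuine server, which is why the
    # article argues for keeping the private key inside an HSM.
    print("copied certificate and copied D: ", handshake_succeeds(D))
```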