DCI: Sue Mellen - Security Expert Touts Internet Safety

Publication Date: November 8, 1996
Related article - Wells Fargo: Pulling the Team Ahead with Internet Banking

Security Expert Says Internet Is Safe for Commerce

By Sue Mellen

Allan M. Schiffman, chief technical officer of Terisa Systems Inc., likes to use real-world analogies to make his point that the Internet is "already secure enough for most commercial transactions."

"Through 10,000 years of civilization we’re still being robbed and mugged. The real world is not a very safe place to be, but that hasn’t stopped us from conducting commerce over these last 10,000 years. In the same vein, security concerns won’t stall commerce on the 'Net now that the ball has started rolling. In fact, it’s actually much easier to secure commerce in the controlled, digital world than it is out there in the real world," he says.

Schiffman should know. He has been directly involved in the design and implementation of a number of the tools that are helping to make the Internet a secure marketplace.

SET for Business on the Web

Schiffman's employer, based in Los Altos, Calif., is an industry leader in building tools and applications for Internet security. Recently, Schiffman was one of the players in the creation of the new Secure Electronic Transactions, or SET, protocol jointly adopted by MasterCard International, Inc., Visa International, Inc., and their member banks. He helped to integrate existing security standards and business practices into the new protocol, which allows secure communication among the five parties in a payment card transaction: the card provider, cardholder, cardholder's financial institution, merchant, and merchant's financial institution.

The SET work group created a system that improves on the previous browser-to-server encryption method by keeping credit card information encrypted throughout the entire processing network, thereby reducing exposure to online theft. Using the SET protocol, merchants are able to read only the data directly related to the order itself, without ever seeing a customer card number. The merchant's only reference point to the customer is the approval code the merchant receives from the bank. Customer card numbers remain safely under "lock and key" in the bank's database, without ever venturing into online territory.
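The data separation Schiffman describes, as an added illustration that is not code from Terisa Systems or from the SET specification: the cardholder hands the merchant the order in the clear plus a payment slip sealed with the bank's public key; the merchant forwards the slip unopened and keeps only the order and the approval code the bank returns. Everything concrete here is constructed for the example (the key pair, the card number, the balance, the approval-code format), and textbook RSA with fixed Mersenne-prime keys stands in for SET's certificate-based machinery (SET itself used a symmetric payload cipher and a dual signature, neither of which is modelled).

```python
# Added illustration of the SET-style data separation described above. Not
# Terisa Systems' code or the SET specification: the payment slip is sealed
# with textbook RSA (no padding) using fixed Mersenne-prime keys so that the
# example runs offline with the standard library only. Teaching code, not a
# production cipher.

# --- toy bank key pair -------------------------------------------------------
P = 2**89 - 1                        # Mersenne primes: no key generator needed
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)
BANK_PUBLIC_KEY = (N, E)             # handed out to cardholders
BANK_PRIVATE_KEY = (N, D)            # never leaves the bank


def seal_for_bank(slip: str, public_key: tuple) -> int:
    """Encrypt a short payment slip so only the private-key holder can read it."""
    n, e = public_key
    m = int.from_bytes(slip.encode(), "big")
    if m >= n:
        raise ValueError("slip too long for the toy modulus")
    return pow(m, e, n)


def open_at_bank(sealed: int, private_key: tuple) -> str:
    """Inverse of seal_for_bank; possible only with the private exponent."""
    n, d = private_key
    m = pow(sealed, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def cardholder_checkout(card_number: str, expiry: str, order: dict,
                        bank_public_key: tuple) -> dict:
    """Cardholder sends the merchant the order in the clear plus a sealed slip."""
    slip = seal_for_bank(f"{card_number}|{expiry}", bank_public_key)
    return {"order": order, "sealed_payment": slip}


class Bank:
    """Holds card accounts (balances in cents) and issues approval codes."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.ledger = []     # card data stays here, never in the merchant's records

    def authorize(self, sealed_payment: int, amount_cents: int):
        card, expiry = open_at_bank(sealed_payment, BANK_PRIVATE_KEY).split("|")
        if self.accounts.get(card, 0) < amount_cents:
            return None
        self.accounts[card] -= amount_cents
        approval = f"APPR-{len(self.ledger) + 1:06d}"   # constructed code format
        self.ledger.append({"approval": approval, "card": card,
                            "expiry": expiry, "cents": amount_cents})
        return approval


def merchant_process(checkout: dict, bank: Bank) -> dict:
    """Merchant forwards the slip unopened; keeps only order data + approval code."""
    amount_cents = checkout["order"]["amount_cents"]
    approval = bank.authorize(checkout["sealed_payment"], amount_cents)
    if approval is None:
        return {"order": checkout["order"], "status": "declined"}
    return {"order": checkout["order"], "status": "approved",
            "approval_code": approval}


def run_demo():
    """Constructed scenario: one cardholder, one merchant, one bank."""
    bank = Bank({"4111111111111111": 50_000})   # constructed test card, $500.00
    checkout = cardholder_checkout(
        "4111111111111111", "12/99",
        {"item": "28.8k modem", "amount_cents": 12_995}, BANK_PUBLIC_KEY)
    record = merchant_process(checkout, bank)
    return record, bank


if __name__ == "__main__":
    record, bank = run_demo()
    print("merchant record:", record)     # no card number anywhere in it
    print("bank ledger:", bank.ledger)    # card number stays here
```

The property worth checking is that the merchant's record never contains the card number while the bank can still decrypt the slip and match it to an account; swapping the toy RSA for a real public-key library would not change that shape.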

According to Schiffman, the credit card giants "have been the driving force toward enabling secure financial transactions over the Internet. They had been working for some time to expand secure worldwide electronic commerce, with SET the next logical step. Now we can all sleep a little better at night."

One More Security Blanket

Actually, Schiffman wasn't losing any sleep over Internet security, even before the development of SET. Existing protocols, including Secure Sockets Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP), have been doing a pretty good job of guarding the Internet, he says.

SSL is designed to provide channel security; that is, the ability to keep the channel, or connection, between two parties private once the connection is established. To continually authenticate the channel, the system employs a method similar to public-key encryption using technology developed by RSA Data Security, Inc. of Redwood City, Calif. SSL also provides a reliability check to make sure the message transport remains intact.

S-HTTP, which is being used on some Web sites, is basically HTTP with message-related security enhancements. S-HTTP complements such security protocols as SSL, sitting atop the base protocol. So, even if a hacker is able to break through SSL and capture data making its way to and from sites, he or she still has to break the security on the specific message with the desired information. Schiffman was a co-designer of S-HTTP while chief technical officer at Enterprise Integration Technologies (EIT), prior to the 1995 formation of Terisa Systems.

On top of all this, the messages themselves can be encrypted, often with a program called PGP, or Pretty Good Privacy. PGP is a program written by Philip Zimmermann in 1991. It is a public-key system that is used to encrypt files or messages or to create an unalterable "digital signature" on e-mail.

"If you’ve taken reasonable steps to secure your site, you’ll discourage most thieves. It’s like a burglar facing a house with an alarm system. Rather than trying to get past the alarm system, he’ll go on to the next house," Schiffman says.

If you’re about to establish a commercial venture on the Internet, Schiffman suggests using only secure software that has been outfitted with SET or other security add-ons. "We should punish companies that aren’t making secure software by not buying their products," he says.

Finally, he says, get expert advice. "It takes time to learn to think in terms of security. You ought to be willing to spend some money to protect your assets, in the same way you might invest money to protect your home."


Sue Mellen writes from Tyngsboro, Mass.


Allan Schiffman is a featured speaker at DCI's Business Online Conference. Please see our latest online brochure for program and registration information.


Explanatory note: In cryptography, the "key" is the code used to scramble and unscramble text. In conventional cryptography, the keys used for encryption and decryption are the same. In public-key cryptography, they are distinct.

For a more detailed explanation, see the Beginner's Guide to PGP and Internet Privacy.

©Copyright 1997 by Digital Consulting, Inc. (508) 470-3880
All event names are trademarks of DCI or its clients.