My wife is a little timid when it comes to paying utility bills online. And I'm like, "I work for a company that deals with internet security, and I know all about it. I will do that transaction over the internet." And I do most of my transactions online.
So what is it that makes me feel safe even as I transact finance over the Internet?
While on the free wi-fi at Bangalore International Airport, I decided to jot down those itsy bitsy items that play in my mind while I'm transacting over the net. I have left out the items that relate to general computer security, like anti-virus, a PC firewall and software security.
The frame of reference is that of an Internet user who wants peace of mind while transacting on the net, not that of an application architect discussing secure Web site design.
It's important to understand that your username and password are your identity on the net. I take the case of a bank Web site login, but it applies equally to any Web site where you want to protect your identity: stock brokerage, online shopping, et al. I play by these five simple rules:
Rule # 1
I know who I'm dealing with. The first question is: is this the correct web address of my bank, or am I browsing a camouflaged Web site? I carefully inspect the address in the address bar and save it in my browser's bookmarks. For future visits to the site I rely on the bookmark. I never visit my bank by clicking on a link that arrived in an email or on another Web site.
Remember that a link can steer you to a spoofed Web site; the security guys call this phishing, whether it is a phishing email or a phishing Web site. Further, I click on the padlock icon to view the certificate issued to the Web site. The certificate is like a passport issued by an authority: it tells me whether the Web site belongs to the business entity I'm expecting, or to somebody else. The padlock alone is not enough, since anybody can obtain a certificate for a domain they control; what matters is that the name on the certificate is my bank's.
Rule # 2
I ensure that my identity is passed over the wires only through the HTTPS protocol. Otherwise, information passed over the net is clear text, readable by prying eyes. HTTPS ensures that any data transferred between my computer and my bank's site is encrypted. Many agents participate in carrying the data from my computer to the bank's Web site, but none of them can read it if it is encrypted. I ensure that my bank's login page has an address that starts with https://, and if the browser warns that the certificate is invalid, I stop: an encrypted connection to a camouflaged site protects nothing.
This is all the more important when I'm on a public network, like the free wi-fi offered at an airport. In our jargon we call it an un-trusted network.
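Rules #1 and #2 can be reduced to a mechanical check before a password is typed: does the address use HTTPS, and is the host exactly the bookmarked one rather than a lookalike? The Python function below is an added example written for this page, not code from the author or from VeriSign; the bank host names are constructed placeholders, as are the sample URLs. It checks only the address itself; the certificate check behind the padlock is still the browser's job.

```python
from urllib.parse import urlsplit

# Hosts I bookmarked for my bank. Constructed placeholder names, not a real bank.
TRUSTED_HOSTS = {"www.examplebank.test", "online.examplebank.test"}


def check_login_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason). ok is True only when the URL uses HTTPS and its
    host is exactly one of the bookmarked hosts (case-insensitive, any port)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not HTTPS: the password would travel in clear text"

    # .hostname is the real host: lower-cased, without port or userinfo.
    host = parts.hostname
    if host is None:
        return False, "no host in URL"

    # 'https://www.examplebank.test@evil.test/' connects to evil.test; the
    # bank's name before '@' is merely a username, not the destination.
    if parts.username is not None or parts.password is not None:
        return False, "bank name is userinfo, the real host is %r" % host

    # Internationalised labels (punycode 'xn--' or raw non-ASCII) can spell a
    # visually identical name with different characters (homograph attack).
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalised host %r: possible homograph" % host

    if host in trusted_hosts:
        return True, "host matches bookmark: %s" % host

    # 'www.examplebank.test.login-secure.test' is a different registered
    # domain even though it starts with the bank's full name.
    for trusted in trusted_hosts:
        if trusted in host:
            return False, "lookalike host %r is not the bookmarked host" % host
    return False, "unknown host %r" % host


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, the rest phishing-style.
    for sample in (
        "https://www.examplebank.test/login",
        "http://www.examplebank.test/login",
        "https://www.examplebank.test@evil.test/login",
        "https://www.examplebank.test.login-secure.test/login",
        "https://www.xn--exmplebank-lwa.test/login",
    ):
        print("%-55s %s" % (sample, check_login_url(sample)))
```

The userinfo and subdomain cases are the two tricks a phishing link most often relies on: both make the bank's real name appear at the start of the address while the connection actually goes elsewhere.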
Rule # 3
I never forget to logout, and then close the browser window.
Rule # 4
Using a public computer calls for the greatest caution. It almost always involves a public network too, as those paid internet booths are invariably on an un-trusted network. In my lingo, it's an un-trusted machine, and my identity can be compromised very easily. I take all the care stated above, but wild thoughts still play in my mind.
What if the public computer has malware (a virus) that records my keystrokes? Even HTTPS encryption won't help me in this scenario, because the password is captured before it is encrypted. In such situations I never transact with sites that rely on a password alone; a password is easily compromised. My bank provides a second authentication factor: a "One Time Password" (OTP) generating device.
The OTP complements my login and password, and it changes every minute or so. At any given point my bank asks for the current OTP before it logs me in. Since it is generated by a physical device in my custody, I'm fine. This also guards against what we call a "replay attack": nobody who records the OTP at the computer or on the network can use it again, because it expires within its time interval and the bank rejects a code that has already been used. Unlike a static password, the OTP changes, so it safeguards my login even if the password is compromised. What a compromised machine can still do is hijack the session I have opened, which is why rule #3, logging out, matters even more here.
Browsers usually cache or store certain information to improve general performance, but this reduces security on a public computer. I never forget to clear my personal history from the browser.
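The page doesn't say which kind of OTP device the bank issued. The Python code below is an added example, not anything from the author or the bank; it assumes a time-based token as in RFC 6238 (HOTP from RFC 4226 driven by a 30-second counter) and shows the server side rejecting a code that has already been used, which is the replay protection the paragraph describes. The secret is the RFC test key, not a real one, and the timestamps are constructed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals
    since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Server side. Knows the shared secret and remembers the highest counter
    it has accepted, so a code captured by a keylogger is useless once it has
    been used or once its time step has passed."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window      # accept this many steps of clock drift either way
        self.last_counter = -1    # highest counter already consumed

    def verify(self, code, at_time=None):
        now = int(time.time() if at_time is None else at_time)
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # already used, or older than a used one: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
    secret = b"12345678901234567890"
    bank = OtpVerifier(secret)
    code_at_59 = totp(secret, 59)             # what the device shows at t=59
    print("device shows", code_at_59)
    print("first login  ", bank.verify(code_at_59, 59))   # genuine use
    print("replayed     ", bank.verify(code_at_59, 59))   # same code again
    print("next interval", bank.verify(totp(secret, 75), 75))
```

Accepting one step either side tolerates a token whose clock has drifted, but the counter check keeps the rule strict: once a code has been consumed, neither it nor any earlier code will ever be accepted again, even within the drift window.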
Rule # 5
I do a lot of shopping online, and I have to reveal my credit card number, expiry date and the three-digit CVV to the shopping sites. So here is my strategy. I make sure that I'm at the correct Web site, usually by clicking the padlock and verifying the certificate. I also convince myself by checking the reputation of the Web site.
Usually I won't risk a large sum with a shopping site on my first visit. But this is not enough. What if my credit card details leak somehow, and a year later I see the card misused from another corner of the world? I would never be able to trace back what went wrong. So I use virtual credit cards for online shopping. These are one-time-use virtual cards drawn on my credit card.
I can conveniently create a virtual card from my bank's Web site and set an amount limit on it. These cards are fundamentally one-time-use cards: the bank disables them after they have been used once, or after a certain time has passed. Ask your bank to find out more about virtual cards. Equally safe are sites that redirect to my bank for the payment, but again that demands care to ensure that I've been redirected to my bank's site and not to one of those camouflaged sites.
A bunch of other items:
It's essentially these simple tactics that I've been hiding from my wife, so that I can flaunt them as a geek.
The author is senior staff engineer, R&D department, VeriSign India Pvt Ltd.