A secure transaction begins when a user identifies themselves by presenting an agreed-upon form of identification. This identification is then verified, or authenticated, to confirm that the person presenting the ID is who they say they are. Once authentication is established, an agreed-upon communication standard or channel is set up. This communication is generally encrypted so that sensitive information cannot be viewed by unauthorized individuals. After the transaction is complete, the channel is torn down and the session is released. You can tell you are setting up a secure on-line transaction when you go to a site whose address begins with https://. You will also see a ‘padlock’ appear in your browser indicating that you have established a secure connection with the web server.
The process explained above seems easy enough; however, a lot goes into providing a secure transaction. For the first part, identifying and authenticating the user, secure transactions usually involve multi-factor authentication. Authentication in its simplest form is providing proof of someone’s identity. In the digital world, this is usually done by providing a username and password. Passwords alone are a weak form of security since they can usually be easily cracked. To increase security, multi-factor authentication is used.
There are normally three ways by which someone’s identity can be verified or authenticated. The first, which we have already touched on, is by providing a password: something the authorized individual ‘knows’. Another way someone can prove their identity is with something they ‘have’, usually in the form of a security token. The last way someone can prove their identity is with something they ‘are’, such as a fingerprint.
For multi-factor authentication to be effective, the system must use at least two of the three methods described above. A common multi-factor authentication system is the ATM card. In this type of system, in order for an individual to access a bank account, the individual must have a card embedded with information pertaining to the card holder and must also know a PIN. This is something you ‘have’, the card, and something you ‘know’, the PIN.
Unfortunately, the on-line banking environment often uses a pseudo-form of multi-factor authentication. In most of these systems, a user enters an account number and a PIN, and answers a secret question, to access their on-line account. In essence, all of these items are a single factor, since they are all something the user ‘knows’. In an attempt to make the system appear multi-factor, the on-line service may load a ‘cookie’ or provide a security certificate to the local system. This, in essence, acts as a second factor of something the user ‘has’. The fallacy, or weakness, in these types of systems is that it still only takes what the user ‘knows’ to prove their identity, because the cookie or certificate is handed out after a knowledge-only login, so anyone who knows the answers can obtain it. And in some situations, the secret questions are the same for all users, such as “what is your mother’s maiden name?” or “what is your favorite pet’s name?” Unless there is an alternative method by which the ‘cookie’ or certificate is securely passed to the user or verified by other means, this on-line banking system is not a ‘true’ multi-factor authentication system.
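To make the factor-counting argument above concrete, here is an added Python example (not from the original article) that classifies each credential into the three categories and reports whether a login design is truly multi-factor. The `Credential`, `Factor` and `independent` names and the three scenarios are assumptions constructed for illustration: a cookie or certificate counts as a ‘has’ factor only when it reached the user over a channel independent of the knowledge factors.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories: knows, has, is."""
    KNOWS = "knows"
    HAS = "has"
    IS = "is"


@dataclass(frozen=True)
class Credential:
    name: str
    factor: Factor
    # For 'has' and 'is' credentials: True only if the credential reached the
    # user over a channel independent of the knowledge factors (a card mailed
    # to the account holder, for example). A browser cookie dropped after a
    # password-only login is not independent, because anyone who knows the
    # password can obtain the same cookie.
    independent: bool = True


def effective_factors(credentials):
    """Return the set of factor categories that genuinely count."""
    counted = set()
    for cred in credentials:
        if cred.factor is Factor.KNOWS or cred.independent:
            counted.add(cred.factor)
    return counted


def is_true_mfa(credentials):
    """True when at least two distinct categories are genuinely present."""
    return len(effective_factors(credentials)) >= 2


# Constructed scenarios mirroring the text (hypothetical, for illustration).
ATM = [
    Credential("bank card", Factor.HAS),   # physically delivered to the holder
    Credential("PIN", Factor.KNOWS),
]

PSEUDO_ONLINE_BANKING = [
    Credential("account number", Factor.KNOWS),
    Credential("PIN", Factor.KNOWS),
    Credential("secret question", Factor.KNOWS),
    # Cookie issued by the site after the knowledge-only login succeeded.
    Credential("browser cookie", Factor.HAS, independent=False),
]

OUT_OF_BAND_CERTIFICATE = PSEUDO_ONLINE_BANKING[:3] + [
    # Certificate delivered on a smart card handed over in the branch.
    Credential("client certificate", Factor.HAS, independent=True),
]


def evaluate_all():
    """Scenario name -> (sorted effective factor names, true MFA?)."""
    scenarios = {
        "atm": ATM,
        "pseudo_online_banking": PSEUDO_ONLINE_BANKING,
        "out_of_band_certificate": OUT_OF_BAND_CERTIFICATE,
    }
    return {
        name: (sorted(f.value for f in effective_factors(creds)), is_true_mfa(creds))
        for name, creds in scenarios.items()
    }


if __name__ == "__main__":
    for name, (factors, ok) in evaluate_all().items():
        print(f"{name}: factors={factors} true_mfa={ok}")
```

The pseudo-banking scenario collapses to the single ‘knows’ category even though four items are entered, which is exactly the fallacy described above; the same design becomes true MFA only once the ‘has’ credential is provisioned independently.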
A secure channel is established once authentication is complete. This secure channel is established through Secure Sockets Layer (SSL). You have seen this protocol in use whenever you go to a web site with an https prefix. Secure Sockets Layer (SSL) was developed by Netscape to provide security over the Internet between clients and servers. This Internet security protocol is compatible with many different cryptographic algorithms such as RSA, IDEA, DES, 3DES, and MD5. It handles client-to-server authentication and requires the server and the web browser to be compatible with each other. When SSL is used, it protects the entire session created by the user’s request.
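The server-authentication and channel-protection duties SSL performs on the browser side can be checked in code. The following added Python example (not part of the article) uses the standard-library `ssl` module, which implements the TLS successor of SSL, to compare a weakened client configuration against a hardened one; `audit_client_context`, `weak_context` and `hardened_context` are names assumed here. It runs offline, inspecting the context rather than opening a connection.

```python
import ssl


def audit_client_context(ctx):
    """Return a list of findings for a client-side SSL/TLS context.

    An empty list means the context authenticates the server (certificate
    required and hostname checked) and refuses protocol versions below TLS 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required: server is not authenticated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate: any valid cert is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def weak_context():
    """A configuration that silences certificate errors instead of fixing them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # still encrypts, but to an unverified peer
    return ctx


def hardened_context():
    """The library defaults plus an explicit TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

The weak context still encrypts traffic, which is why such code often passes casual testing; what it gives up is the authentication step, so the encrypted session may be established with whoever answers on the wire.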
Special Note: Some Internet security methods actually rely on ‘cookies’. Cookies are a simple mechanism that is readily available through most programming languages and Internet browsers. They are usually used to track user activity on the Internet, but they can also be used to provide security. This is done by embedding session keys or other time-stamped items to help users maintain a secure session while they are visiting a web page or web site. Unfortunately, users can manually disable these cookies and even transfer cookies from one computer to another. It is recommended that security mechanisms that rely on cookies not be used when sensitive information is involved.
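To show what a cookie-based session mechanism can and cannot do, here is an added Python example (not from the article) that issues a session cookie carrying a user name and an expiry, signed with an HMAC so it cannot be altered, and verifies it. `issue_cookie`, `verify_cookie` and `SERVER_KEY` are constructed names, and the clock values are constructed. It demonstrates the weakness the note describes: a cookie copied to another computer verifies exactly as well as on the original one, because nothing in it is tied to a machine; the signature only prevents forgery and the expiry only bounds how long a copied cookie stays useful.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this example; a deployment would load it
# from a key store and rotate it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user, ttl_seconds, now=None):
    """Build 'payload.tag': a JSON payload with expiry plus its HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None.

    Note what is NOT checked: which computer presents the cookie. A copy made
    on one machine is indistinguishable from the original on another.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("user")


if __name__ == "__main__":
    issued_at = 1_000_000                        # constructed clock value
    cookie = issue_cookie("alice", ttl_seconds=600, now=issued_at)
    print("original machine :", verify_cookie(cookie, now=issued_at + 100))
    print("copied elsewhere :", verify_cookie(cookie, now=issued_at + 100))  # same answer
    print("after expiry     :", verify_cookie(cookie, now=issued_at + 700))
    print("tampered tag     :", verify_cookie(cookie[:-2] + "zz", now=issued_at + 100))
```

Short lifetimes and server-side session revocation shrink the window in which a copied cookie is useful, but they do not change the underlying property: the verifier sees a string, not a computer, which is the reason the note above advises against relying on cookies alone for sensitive information.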