
January/February 1998
Sound Bites and Document Bites Vs. Electronic Message Bytes
A Comparison of the Intrinsic Security of Media for Credit Card Transactions
By Lloyd Conklin

A Little Heresy

The message uses the medium, and the medium secures the message. All things considered, if the message contains my credit card number, then I feel the safest way to transmit it is via the Internet compared with the commonly accepted transmission methods. Heresy, you say? Read on and let me try to persuade you that my opinion is based largely on reasonable fact.

And the Medium Is the Message

The medium is the message, especially if the message is the security of the information being transmitted.

There is a pervasive fear in our culture that the Internet is inherently unsafe to use for credit card purchases. We see articles almost daily on the topic. The fear is so widely held that advertisements have been aired to allay the fears. And like most fears, the fear of using the Internet seems built on the same basis as most fears: the fear of the unknown and the unfamiliar. The fear of using the Internet for credit card purchases strikes deep because it involves our money. We don't want anything, or anybody, to mess with our money.

Real Fears: We've Had Them Before

Remember the introduction of the process that allowed our payroll checks to be deposited directly into our checking or savings accounts? Remember how hesitant we were when our employer asked us to enroll in the payroll direct deposit program? Remember saying, "I want that check in my hand, and I want to give it to the teller"? We didn't want to give up control of our money. What if something went wrong and the check wasn't correctly credited to our account? What if some unscrupulous payroll department employee actually withdrew money from our account? I'll admit it: I was paranoid enough to entertain those questions, albeit briefly. But I'm certainly glad I don't have to find the time to go to the bank on paydays anymore. Aren't you?

And aren't you glad there are automatic teller machines (ATMs)? Remember the fears we had to overcome when we first used an ATM? Remember the first time you slipped your ATM card into an ATM, punched a few buttons, and prayed you'd get your money? I don't know about you, but my heart was really pounding and it seemed to have relocated to my throat. And then we finally screwed up enough courage to use an ATM to make a deposit. That was a big, big step. We were entrusting a machine--not a person--to handle our money. Wow! We did it! When is the last time you were in a bank? Remember how much time you wasted?

I'll fess up if you will. I had many, many fears about what might go wrong. But won't you admit, along with me, that upon reflection, our fears about direct deposit and ATMs were silly and unfounded? Those fears are excellent representations of our fears about using the Internet for credit card purchases. A new technology, a new capability, a new process: all are working in combination to produce the unfamiliar and the unknown, the very foundations upon which basic fears are built. We now have a completely new set of fears to overcome. I predict that someday, in the not too distant future, we'll recall our fears of using the Internet for credit card purchases and upon reflection will classify them as unfounded and silly. But by then, we'll probably be working on a whole new set of fears.

Security of Transmissions

When compared with telephone transmissions and sending orders through the mail, transmissions of information over the Internet are inherently much more secure. This statement is founded on the following facts:

• The information traveling through the Internet is encoded and it can be encrypted. It is unrecognizable in its raw form.

• The format of the message traveling over the Internet is not publicly known.

• The message that flows over the Internet is parsed into several small pieces called packets.

• The nature of the Internet could cause the message packets to travel different paths to the destination.

Basically, if someone wanted to steal your credit card number from an Internet credit card purchase message transmission, the hurdles represented by the facts listed above would present nearly insurmountable obstacles to making the interception. It is much more likely that the criminal-minded individual would recruit a like-minded individual in the merchant's shop to steal credit card numbers for a bribe or a cut of the action. Let's consider the obstacles that bar the success of our potential Internet credit card account number interceptor:

The information traveling through the Internet is encoded and encrypted.

Sure, it's possible to use electronic devices to "see" transmissions, but please consider how many people will ever "see" the encoded information in the first place. These devices are likely to be far more technically challenging to operate than telephone tapping devices and certainly much more daunting than going through people's trash looking for credit card account statements in order to obtain the account number. The commission of a crime is usually directly related to the opportunity to proceed with the crime. Telephone conversation eavesdropping, telephone line tapping, digging through trash, and stealing people's mail all are much easier opportunities than intercepting Internet transmissions. Printed materials and conversations are not encoded or encrypted. And please consider that seeing the information in an Internet transmission has nothing to do with understanding it.

The format of the message traveling over the Internet is not publicly known.

OK. Let's assume for a minute that we have a technically able thief who is adept at using some sort of data sniffer and also has managed to decrypt the data. Now what? The thief must be able to discern the format of the message; that is, find the credit card number in the message. Where is it in the message? The only ones who know for sure are the system designers and programmers who work with the merchant's computer system. A program is executed in the merchant's computer system to process the incoming order. The program knows where to find the relevant information in the message it has just received via the Internet. If the message format contains a scrambled message, it would be difficult for our thief to discover a credit card number. Now consider the format of a stolen credit card account statement or that of an overheard spoken credit card number. In those instances, the credit card account number is instantly discernible. The format is well-known.

The message that flows over the Internet is parsed into several small pieces called packets.

Perhaps I should have listed this as the primary obstacle to a thief's purloining a credit card account number from an Internet transmission. It was proved long ago that the length of a data transmission is related directly to the chances that the transmission is subject to transmission errors. Shorter messages are better because they lessen the chance for errors and subsequent costly error recovery procedures. When we submit an order from our PC to a merchant using the Internet, our message is broken into smaller parts--called packets--before the message starts to wend its way through the arrayed networks. There are only two opportunities for an Internet interceptor to see our message. The first opportunity is on the phone lines between our PC and our Internet service provider. The second opportunity is on the phone line or local area network cable as the message comes off the Internet at the merchant's processing site. Needless to say, our credit card account statements or purchase slips and our telephone conversations are not broken up into smaller pieces, and they are much more accessible.

The nature of the Internet could cause the message packets to travel different paths to the destination.

Not only are our messages broken down into packets, but also they are apt to be sent along different paths through the Internet. The Internet protocol (IP) is the routing protocol for the Internet. It routes packets through the routers that compose the backbone of the Internet by examining the destination address--for example, the Internet address of the merchant to whom we are sending an order--that is in each packet. In networking parlance, each packet is called a datagram, and the IP is a datagram-routing service. So not only is the message that is our purchase order for the merchant broken into pieces, but also the pieces can travel down separate paths and typically arrive at the destination out of sequence. To reestablish the intact message, the packets are put in the right order by the transmission control protocol, which is implemented in the merchant's networking communications system. Of course our credit card paper trails and our telephone conversations are not snipped into smaller pieces, and they flow down the same path in one large block--or envelope.
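
An added example (not part of the original article) of the segmentation and reordering just described: a constructed order message is split into sequence-numbered segments, arrives out of order with one duplicate, and is restored by ordering on the sequence numbers, which are carried in the segments themselves. The segment size, initial sequence number, function names, and sample message are assumptions for illustration.

```python
# Constructed sample message; no real order data.
ORDER = b"ORDER item=widget qty=2 ship=ground note=constructed-sample"
MSS = 16    # assumed payload bytes per segment (real segments are much larger)
ISN = 1000  # assumed initial sequence number


def segment(message: bytes, mss: int = MSS, isn: int = ISN):
    """Sender side: split into (sequence_number, payload) pairs.

    As in TCP, the sequence number is the initial sequence number plus
    the byte offset of the payload within the stream.
    """
    return [(isn + off, message[off:off + mss])
            for off in range(0, len(message), mss)]


def deliver_via_two_paths(segments):
    """Network: odd-numbered segments take a faster path and arrive first,
    even-numbered ones follow, and the first segment is retransmitted."""
    return segments[1::2] + segments[0::2] + segments[:1]


def reassemble(arrived, isn: int = ISN) -> bytes:
    """Receiver side: order by sequence number, drop duplicates, and
    refuse to deliver the stream if any bytes are missing."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(set(arrived)):
        if seq < expected:       # data already received
            continue
        if seq > expected:       # a segment never arrived
            raise ValueError(f"gap: missing bytes from sequence {expected}")
        stream += payload
        expected += len(payload)
    return bytes(stream)


if __name__ == "__main__":
    segs = segment(ORDER)
    arrived = deliver_via_two_paths(segs)
    for seq, payload in arrived:
        print(seq, payload)
    print(reassemble(arrived))
```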

Putting It Another Way

For our mail order or telephone order (MOTO) credit card purchases to have the same intrinsic security that is a natural consequence of using the Internet medium, the MOTO credit card process would have to be completely revamped.

What would have to be done to a credit card mail order to approximate what takes place when a credit card purchase flows over the Internet from our PC?

First, we'd have to use a foreign language, and then we'd have to encrypt it. The format of the order form would have the fields of the form mixed up so that they wouldn't be readily discernible. Next, we'd have to cut the order form up into several pieces--a document shredder would do a faster job than scissors--and then we'd have to send to the merchant each piece of the cut-up order in different envelopes. If we did that, we'd be replicating the process of using the Internet in order to make our credit card purchase by mail. Secure? You bet--just as secure as using the Internet. Feasible? Perhaps. The cost to process such an order? Prohibitive. Duplicating these events for a telephone credit card purchase is too far-fetched to write up.

Vulnerabilities Certainly Exist

Our computer systems, be they our personal computers or our enterprise servers, are under constant attack--or threat of attack--by hackers, crackers, or just plain thieves. Databases or file systems that contain personal information, including our credit card account numbers, can be illicitly accessed, with the information in them stolen and used for fraudulent purposes. But such vulnerability has nothing to do with Internet transactions or in fact how data flow from the point of purchase, including voice, mail, or person-to-person transactions. Some perceive it as an Internet vulnerability because the Internet is often used as the vehicle to effect the attacks or thefts. But it boils down to a computer system security issue rather than a networking security issue.

And eventually, even with the credit card purchase's being carried out via an Internet transaction, someone--usually an employee of the merchant--will see your credit card account number. When that event occurs, all credit card account numbers are equally vulnerable, equally unsafe, no matter how they were transmitted. It has been well documented that the majority of credit card account number thefts are carried out by people in the employ of the merchant from whom we are purchasing a product or service. This is the weakest point in security, and that weakest point is shared by all credit card transactions, no matter which medium is used for carrying the order.

But those vulnerabilities in security are soon to be candidates for elimination--using, of course, credit card purchases via the Internet. The secure electronic transaction (SET) protocols have been released, and they are ready to be used and applied. Jointly developed by VISA and MasterCard, SET protocols include a mechanism that prevents a merchant--or a thief--from seeing or discovering your credit card account number. This capability will firmly entrench credit card purchase transactions via the Internet as by far the most secure way to make credit card purchases--even more secure than the face-to-face transaction. That's the future. What about today? Our fears are very real.

Rest Easy Tonight

If you've just executed your first credit card purchase order via the Internet today, you should be persuaded by now that your credit card account number is safe. And if you also carried out a MOTO credit card purchase order today, the odds are that your credit card account number is safe in that circumstance too. But not quite as safe as the order placed via the Internet.

Even when equipped with all the facts, however, some of you are just plain worry prone. So let me suggest some things you might like to worry about: Somebody could have been listening in on your telephone conversation and stolen your account number. Somebody could be at the dump now looking at that credit card statement you threw away. Somebody could be planning to steal your mail. Maybe there's a tap on your phone line. And oh yes, there could be a genius somewhere who has just managed to lift your credit card account number from your Web transaction as it transits the Internet. I'll leave it to you readers to assign probabilities to those events happening.

I'm no statistician, but I think the odds are better that one of you will be struck by lightning rather than have your credit card account number stolen from an Internet transaction.

"The Only Thing We Have to Fear . . . "

The unknown and the unfamiliar immediately cause us to be suspicious and circumspect. Familiar processes are comfortable. Known risks can be dealt with--or at least rationalized. And when it comes to new processes and their perceived risks that involve money, even the most liberal minded edge toward a conservative leaning. "Let others go first," they muse.

Information and education change the unknown to the known, and the unfamiliar to the familiar. Only then do our fears subside and our comfort levels increase. Our intellectual side becomes more accepting of the new technology. Perhaps this article has helped you accept the new technology. Internet transactions for credit card purchases pose no great risk. In fact, they're intrinsically safer than either mail order or telephone order credit card transactions. What's the next step? Take the emotional step: make your next credit card purchase by using the Internet. Once you do that, like your first ATM card use, there will be no turning back. Do it. Do it without fear.

