
We are all familiar with secure web sites--https--and they seem to work. But if they can be accessed by anyone who can get on the internet, how unbreakable is the encryption, really? :o


I have been using credit card, PayPal, and other online ways to pay companies through the internet for many years. This goes back as far as I can remember, in fact. I have either been very lucky, or the security is pretty good. I do make it a point to keep PAID for internet security software, including two firewalls, updated. (This doesn't include the hardware firewall in my router.) Do not let this give you a false sense of security, though. I always make it a point to change passwords, and call my financial institutions for verifications of payments, balances, etc., concerning my accounts.

 

With that said, I imagine most (secure) sites are encrypted pretty well (128 bit, or better?), which, I imagine, would be no walk in the park to crack. Of course, an easy way around that, for a hacker, is to have one little key logger installed on your computer, which would possibly ruin your entire day.

 

EDIT: I have one online bank site that requires two (2) sets of numbers to be typed in, at least one (1) challenge question after that, and, finally, a (lengthy) password to be entered. This is just to log onto the site. A password must be entered again, to make any changes, or to move from one part of the site to another.

Edited by Wannabe

It's secure... but not foolproof.

 

For instance, if the computer you are using has a keylogger installed on it, your password can be seen easily by whomever gets the keylogger reports.

 

What a secure connection means is that the information transferred over the internet (once it leaves your computer) is secure. The average encryption strength right now is 128 bit, and at 128 bit it would take a CRAY supercomputer over 100 trillion years to brute force the key used to encrypt the data. Even using a distributed brute force system with thousands of computers (like SETI@HOME uses) would take hundreds of years.

 

To put it very plainly, if the information you are sending is not compromised before it's sent (like with a keylogger), it is very secure.

 

I had to renew one of my secure certificates about a month ago, and the smallest key size they would accept was 2048 bit... so security is becoming even stronger... am sure most banks and stores will be updating to that before too long.

 

You should also know that the more powerful the encryption (e.g. the longer the encryption key) the slower the website will be, since the "data" sent gets larger and larger with the increased size of the encryption key... which is one reason most websites still opt for 128 bit even though you can get up to 4096 bit with most major certificate suppliers right now.


What a secure connection means is that the information transferred over the internet (once it leaves your computer) is secure. The average encryption strength right now is 128 bit, and at 128 bit it would take a CRAY supercomputer over 100 trillion years to brute force the key used to encrypt the data. Even using a distributed brute force system with thousands of computers (like SETI@HOME uses) would take hundreds of years.

 

I've always laughed at this, and I laugh again. Excuse me. hahahahahaha

 

Just like any guessing game, it takes a Cray computer as long as it takes. The very first guess COULD be correct. The chance that the first attempt in a millionth of a billionth of a second would be correct is exactly the same as the chance that the very last guess would be correct, the one in 100 trillion years. Who thinks up this nonsense?

 

That said. The main number to watch is what the banks themselves use. They have been using a 128-bit encryption system for quite a while now and are not even THINKING of changing it. All the money transfers in the world are done with this single system, and no one is much worried about it.

 

Very simply put, and if anyone wants to be less simple, fine: In 2004, the international (and most national) banking systems went from DES, which is effectively a 56-bit system, to AES which is normally 128-bit but can be a maximum of 256-bit. This was done after a hellaciously long period of public and peer exams and comment and hard work to break every usable system around. Please note: up to today, no one has shown a *working* break-in for the previous 56-bit DES system. There have been proof-of-concept demos using very, very controlled systems, but no one has broken the old 56-bit DES banking system in the real world.

 

I don't personally claim to know there is *not* some flaw in the current 128-bit system, but a 2048-bit system for working with money on the Internet is showing off, without real effect, like the claim it would take eleventeen gazillion years to break.

 

Today's in-use security is VERY secure, but no cryptography is known that is unbreakable except for the so-called one-time pad, which is unusable on a day to day commercial basis.

 

.

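A worked version of the brute-force arithmetic the two posts above argue about (an added example, not any poster's own text). For a uniformly random key every individual guess has the same 2^-k chance, as the second post says, yet the probability of success within a guess budget grows linearly with that budget, and every "years to break" figure depends on the assumed guessing rate, which here is a constructed number.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of possible keys for a k-bit key (2^k)."""
    return 2 ** bits


def per_guess_probability(bits: int, guess_index: int) -> Fraction:
    """Chance that guess number `guess_index` (1-based) is the right key.

    For a uniformly random key this is 1/2^k for every index: the very
    first and the very last guess are equally likely to hit.
    """
    if not 1 <= guess_index <= keyspace(bits):
        raise ValueError("guess index outside the keyspace")
    return Fraction(1, keyspace(bits))


def success_within(bits: int, guesses: int) -> Fraction:
    """Probability the key is found after at most `guesses` distinct trials.

    Grows linearly with the budget: trying half the keyspace gives 1/2.
    """
    return Fraction(min(guesses, keyspace(bits)), keyspace(bits))


def expected_guesses(bits: int) -> Fraction:
    """Expected position of the right key in an exhaustive search: (2^k + 1)/2."""
    return Fraction(keyspace(bits) + 1, 2)


def years_to_exhaust(bits: int, keys_per_second: int) -> Fraction:
    """Worst-case time to try every key at an assumed guess rate."""
    return Fraction(keyspace(bits), keys_per_second * SECONDS_PER_YEAR)


def years_for_confidence(bits: int, keys_per_second: int,
                         confidence: Fraction) -> Fraction:
    """Time needed to reach a given probability of success (e.g. 1/2)."""
    return years_to_exhaust(bits, keys_per_second) * confidence


if __name__ == "__main__":
    # Constructed figure: one trillion key trials per second.
    RATE = 10 ** 12
    for bits in (56, 128):  # DES-sized and AES-128-sized keys
        worst = float(years_to_exhaust(bits, RATE))
        half = float(years_for_confidence(bits, RATE, Fraction(1, 2)))
        print(f"{bits}-bit key: exhaustive search {worst:.3g} years, "
              f"50% chance of success after {half:.3g} years")
```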

The point that everyone seems to miss here is that the cryptography is not the weak point.

 

Joe, I'm surprised that you even have an opinion, I thought Wikipedia was off-line/on protest today. Used Google instead, did you?

 

Having spent most of my working life designing and testing cryptographic systems (mostly gambling and financial transaction related), the strength of the algorithm is totally irrelevant. If someone gets hold of the appropriate key you can have 64kbit encryption and it takes a matter of microseconds to decrypt the datastream.

 

As for online use of sensitive data, don't put anything onto the 'ether' that you can't afford to become public.

 

The primary risk with eCommerce related sites that collect e.g. credit-card information is that the data is frequently stored in unencrypted form where anyone with access to the database storing the information can access it. Hacking into a server is (for some) a not so difficult task in many instances.

 

If you are transmitting financial details ONLY do so to someone you trust (your bank for example) and ensure that you are sending that information to the bank and not some nefarious group in Russia, Israel or Nigeria. This is the most useful part of the SSL in that it gives you some assurance that the site is indeed the one that it says it is.

 

As an additional protection always record any online transactions that you make and screenshot the site. Should you be defrauded by a site carrying an SSL certificate you may well be entitled to compensation from the issuer of the SSL certificate. Most carry assurance for $10000 (USD) and EV certificates carry far more. If the site doesn't have SSL, simple - DON'T SEND ANY SENSITIVE DATA, as they obviously don't care about security.

 

BTW Dave, WHM, the most popular hosting manager for *nix platforms, now only supports 1024 and 2048 bit key generation and many SSL providers will only accept 2048 bit (512 byte) requests when purchasing a certificate. Done 7 in the last week. 1024 bit (128 byte) has been unavailable for at least 6 months from all of my suppliers.

 

After spending many years in the business I can guarantee the safest way to protect information is to lock it in a high quality safe and bury it, then forget where you put it. :bhappy

 

Cheers :gulp: Admiral Ken

Edited by 2 slices short

As for online use of sensitive data, don't put anything onto the 'ether' that you can't afford to become public.

 

Seems a lot of people ignore that expert advice learned in years of hands-on experience. Amazon for example seems to do okay taking credit cards and issuing refunds.

 

I don't even GET this alleged advice. Tens of millions of people put stuff "in the ether" that they really can't afford to become public. They buy insurance, they make mortgage payments, they cash money at the ATM (14K dial-up modem ATMs, too). They buy stuff at Amazon and Pantip.com and sell stuff on eBay.

 

Like almost all people, I absolutely cannot afford that my credit cards, ATM cards, tax ID numbers, social security numbers, medical access information, car payment methods, tax filings and much, much more become public. CANNOT afford that. Yet like tens.... no, like hundreds of millions of consumers and businesses, I put such sensitive data "in the ether" (love that, haven't seen it for decades).

 

What are you recommending, exactly? Not to me, but in general?

 

Joe, I'm surprised that you even have an opinion, I thought Wikipedia was off-line/on protest today. Used Google instead, did you?

 

Well, there you go! I'm surprised you thought I was writing an opinion. I wasn't. Any reason you didn't refute a word of what I wrote?

 

Yes. Yes, there's a good reason. Isn't there?

 

.

Edited by joekicker

Thailand has the highest credit card fraud in the world, be careful in any transaction.

Last year I lost 250 USD from eating at McDonald's paying with a card....

 

But Thailand shares the lowest credit card cryptography breaks in the world with, well, almost all the other countries.

 

Protecting your credit card and the details on/in it has approximately nothing to do with breaking the (heh-heh) "in the ether" security of the card. Two different subjects entirely.

 

The OP wants to know (among other things) if it is safe -- and how safe, and how dangerous -- to use your credit card to buy things on the Internet. And the answer is that it is pretty darned safe to give your name and credit card details on a "https" website because the encryption is quite secure, although not 100% -- because NOTHING about cryptography is 100%. Call it 99.99999999999999999999999% though.

 

You are telling us at the same time that we need to guard our credit card number in situations that do NOT involve encryption and you are so correct, but an entirely different part of the problem.

 

.

Edited by joekicker

The day I found a key logger program on my PC is the day that I unplugged it, wiped the hard drive, and went to the local computer store to buy a Mac.

 

I'm not sure how a key logger was installed on my computer, but it was there. Scary stuff.


The day I found a key logger program on my PC is the day that I unplugged it, wiped the hard drive, and went to the local computer store to buy a Mac.

 

I'm not sure how a key logger was installed on my computer, but it was there. Scary stuff.

 

I've often thought that the reason Mac owners get ripped off so darned often is that they just trust Apple stuff. And these are the "open" and "honest" keyloggers. Please resume your previous Windows-style alertness that found the keylogger, because your keystrokes can be stolen on any computer, any time.

 

.


I've often thought that the reason Mac owners get ripped off so darned often is that they just trust Apple stuff. And these are the "open" and "honest" keyloggers. Please resume your previous Windows-style alertness that found the keylogger, because your keystrokes can be stolen on any computer, any time.

 

.

 

I'm not a computer guru by any means, but they say that the only way an application program can be installed on a Mac is with the owner's permission.

 

Anyway, I occasionally run a virus check on my computer, but all that ever turns up is a few "heuristic fishing" emails.


I'm not a computer guru by any means, but they say that the only way an application program can be installed on a Mac is with the owner's permission.

 

Pretty much like Windows. It's usually done these days by social engineering. "Click here to see pussy" except a little more subtle -- and if it's not a little more subtle, it is WAY more subtle. But in the end, you are the one that installs the keylogger, yep. Even when you don't know you've done it. Really. Seriously. Stay alert. Mac and Linux aren't all that more secure, they're just attacked less frequently. But Apple stuff is getting really popular - with everyone. Including bad guys. The best hardware protection is what your parents gave you between the ears. Use it a lot.

 

Anyway, I occasionally run a virus check on my computer, but all that ever turns up is a few "heuristic fishing" emails.

 

First half of sentence, good. Second half of sentence, gooder. Don't be lulled. Ever.

 

.


But Thailand shares the lowest credit card cryptography breaks in the world with, well, almost all the other countries.

 

Protecting your credit card and the details on/in it has approximately nothing to do with breaking the (heh-heh) "in the ether" security of the card. Two different subjects entirely.

 

The OP wants to know (among other things) if it is safe -- and how safe, and how dangerous -- to use your credit card to buy things on the Internet. And the answer is that it is pretty darned safe to give your name and credit card details on a "https" website because the encryption is quite secure, although not 100% -- because NOTHING about cryptography is 100%. Call it 99.99999999999999999999999% though.

 

You are telling us at the same time that we need to guard our credit card number in situations that do NOT involve encryption and you are so correct, but an entirely different part of the problem.

 

Another potentially good thread, fucked by the resident know it all. Give it up Joe, this time you're WAY out of your depth.

 

You asked me before why I didn't refute your comments - reason: most of them, like usual, don't actually say anything. Your posts are the equivalent of verbal diarrhea, there is no information there other than a set of random points that frequently don't even coalesce into an idea and on many occasions express multiple points of view so you can later come back and choose which side of your own argument that you wish to support in your (self appointed) role as antagonist.

 

By the way, look up 'ether' on your search thingy and try to read what I write. Actually try to read what the OP wrote too.

 

We are all familiar with secure web sites--https--and they seem to work. But if they can be accessed by anyone who can get on the internet, how unbreakable is the encryption, really?

 

... and your translation of this becomes ...

 

The OP wants to know (among other things) if it is safe -- and how safe, and how dangerous -- to use your credit card to buy things on the Internet.

 

I don't see any mention of credit cards, nor danger, nor safety; actually none of what you write is related to the OP.

 

My response was partially in response to the 'unbreakability' part of his question (i.e. it's not relevant because the unencrypted data is normally readily available) and in response to some of Frostie's comments.

 

The bottom line is that the encryption is 'irrelevant'. The 'weak points' in the system have nothing to do with encryption. The weak points are where the data is stored or where the data is used and the weak links are the people responsible for the storage of the data.

 

I must admit I got a chuckle out of the following:

 

because NOTHING about cryptography is 100%. Call it 99.99999999999999999999999% though

 

This just proves that you have no bloody idea whatsoever. Cryptography is a science, based in pure mathematics. Data is fed in one end of an algorithm and spat out the other end. For any given algorithm the output for the same input data will ALWAYS (i.e. 100%, Joe) be the same, not your fictitious 99.999... figure. Cryptography actually IS about everything being 100%; if it weren't then the output would not always be the same and the output would be useless.

 

As general advice, if you use credit cards on the internet always assume that at some stage the integrity may be compromised. Limited value or low limit cards are a good way to avoid having large sums of money taken from you. If you need to make a large purchase with one of these cards then transfer money into the card and use it. Similarly internet enabled debit cards can save you considerable heartache by keeping a low balance on the account and only transferring money to the card just before completing a transaction. If there is nothing on the card to take then it's safe to allow the thieves access to the details.

 

Finally, the one off theft of information is very rare on the internet, mainly because there are so many easier ways to collect shit loads of data without going through the time consuming 'packet snatching' and 'decryption' process for one set of details. Deal with reputable businesses and ensure that if someone does get your information that when the time comes for them to steal your precious money the 'cupboard should be bare'. Hard to steal something that's not there.

 

Cheers :gulp: Admiral Ken

 

PS Joe you've just managed to become the first and only person I have ever placed on 'ignore' in all my years using the internet. Congratulations. It should make what little content on this board is left much quicker to read through each day, and far more enjoyable.


The bottom line is that the encryption is 'irrelevant'. The 'weak points' in the system have nothing to do with encryption. The weak points are where the data is stored or where the data is used and the weak links are the people responsible for the storage of the data.

 

I think we're not talking about the same things. You're talking about a "good" encryption system and what you write is totally correct.

 

I'm talking about someone getting the encrypted stream and attempting to break it. The chances of success on encryption used on the Internet and similar are NOT zero, and the strength is NOT 100%. Both -- in real-world use of encryption -- are close, but not exactly 0 and 100. That was what I understood the OP was asking.

 

Here's an example of what I mean. The encryption used by banks, the so-called "double DES" or AES, the standard 128-bit system. The encryption HAS BEEN BROKEN, but it has not been broken while in use. That is: AES is used, for example, for me to send 1,000 baht to your bank account. The transaction takes a little time, typically a few seconds, let's say an hour. If a bad guy gets (intercepts or whatever) the *encrypted* information, and he has the proper equipment, knowledge and so on, he WILL break that encryption. But it takes him too long at the moment; you have the 1,000 baht safe in your account long, long before he can actually break it.

 

DES has actually been broken in controlled tests, but the US State Department (among many others) continues to use it for certain traffic because it's all they need for those certain messages which are unclassified but not entirely public either.

 

So there is a proof of concept that AES can be broken *in the real world* but no one thinks it can actually be done. So AES remains in use. Like DES it will eventually be discarded by banks of course, mainly because bad guys are getting too close to breaking the encryption in the real world.

 

And again, what you write is entirely true -- that what my banker sends to your banker is 100% reliable. But the question was: Could someone get between them and steal the encrypted stream and break it? And the answer is "yes" it COULD, but only in theory at the moment, and not under today's real-world conditions at the moment.

 

And you are entirely correct, as I also wrote, that people become theft victims for just about every reason *except* encryption - from those key loggers to identity theft to the guy at McDonald's swiping your card twice, and lots more.

 

However. Saying "never" and "100 per cent" and similar about breaking encryption is a mug's game and horribly insecure and wrong. EVEN one-time pads, which can be horribly flawed in the setup. The Nazis weren't the first or the last to find out you never should say "never" but Enigma is still the best-known story.

 

EDIT in: Whoops, forgot. Your advice on self-protection is very good, can't be repeated enough. These days, there are two big threats -- that you give the bad guys your money with really bad decisions, or that bad guys steal your identity from someone else, such as the so-called "hacker break-ins" at banks and big companies which store your info in unencrypted form.

 

.

Edited by joekicker

Pretty much like Windows. It's usually done these days by social engineering. "Click here to see pussy" except a little more subtle -- and if it's not a little more subtle, it is WAY more subtle. But in the end, you are the one that installs the keylogger, yep. Even when you don't know you've done it. Really. Seriously. Stay alert. Mac and Linux aren't all that more secure, they're just attacked less frequently. But Apple stuff is getting really popular - with everyone. Including bad guys. The best hardware protection is what your parents gave you between the ears. Use it a lot.

 

 

 

First half of sentence, good. Second half of sentence, gooder. Don't be lulled. Ever.

 

.

Joe, I clicked there several times and nothing happened!!!!

I've often thought that the reason Mac owners get ripped off so darned often is that they just trust Apple stuff. And these are the "open" and "honest" keyloggers. Please resume your previous Windows-style alertness that found the keylogger, because your keystrokes can be stolen on any computer, any time.

 

.

That's true. Only yesterday did I find out my dad put the so called safe keylogger in my MacBook Pro to keep his eye on me. That is so annoying. Any way to bypass that or disable it without his notice?

Edited by Adela

Out of interest how would one find out if there was a keylogger on your computer?

 

Sorry just realised that programs like Spybot (which I have) finds shite like this.

Edited by Kev

I am of the opinion that NOTHING on the Internet is truly secure. Anyone who comes up with the encryption system leaves holes and there is always someone who is smarter than the author who can get around it.

 

As far as the average user, it is likely that we have nothing valuable enough to steal.


That's true. Only yesterday did I find out my dad put the so called safe keylogger in my MacBook Pro to keep his eye on me. That is so annoying. Any way to bypass that or disable it without his notice?

 

 

Your dad? And you're not in a position to remove it if he'll notice?


We are all familiar with secure web sites--https--and they seem to work. But if they can be accessed by anyone who can get on the internet, how unbreakable is the encryption, really? :o

 

Depending on what you mean, actually very, assuming nobody is using a keystroke capturing device (which you can see), or you are on an insecure network and are visiting a non-SSL site or not using a VPN. Or are dumb enough to use an internet cafe and go to any secure sites you need to keep secure (because they might have hardware or software keyloggers).

 

For my office we use a VPN connection with two factor authentication so the 2nd password is good for one minute and then goes away forever.

 

SSL, AES and similar encryption, WPA PSK wifi protection are for all intents and purposes unbreakable with a proper password.


Let's face it, any hackers out there probably won't waste their time trying to hack into the account of a typical consumer. Why would they do that when they could try for Citibank?

 

I do worry about key loggers, though. One time I found one on my computer and I have no idea how it got there. I shut the thing down, re-formatted the hard drive, and went to the local computer store to buy a Mac.
