E-Commerce: Verisign

By Joe Burns

September is security month at Earthweb and I was asked if I could write something dealing with e-commerce. Since I had just finished the process of getting my own VeriSign certificate, I was fairly familiar with what needed to be done to start accepting credit cards over the Web. If you're thinking of starting an e-business, or if you just want to attempt to understand how your credit card is kept safe while you are using it on the Web, read on. This should help you a great deal.

I will never give my credit card number to
anyone on the Web! It's not safe!

Ah, but you'll tell your credit card number to a complete stranger at a mail order company over the phone, or give it to a waiter who then waltzes out of the room with it, or hand it to a person behind a counter who makes a paper swipe of the number.

Now that I've been through the process of actually implimenting a server ID and Secure Socket Layer (SSL) on a Web site, I can honestly say that of all the methods of delivering a credit card number, I personally feel safest using the Web.

Contrary to popular belief, your card number does not simply go out into cyberspace for anyone with a computer to steal. It does not (or should not, if the company does it correctly) sit in a file just waiting to be hacked. Plus, and this is the real kicker, you know exactly who is getting the card number. Once that waiter leaves the room, any one of 1,000 different people can get the number. If the waiter is crooked, one phone call later and his buddy has your number and is selling it around town.

I don't mean to alarm people, but I know someone who had exactly that happen to her.

So, how is shopping online safer?

First, I'll place the concern upon the buyer. You wouldn't hand out your credit card number to just anyone on the street, would you? No, you wouldn't. At least I hope you wouldn't. You hand your credit card number to people whom you feel confident are who they say they are and will process your card only for the reason you offered it.

It is the same on the Web. Let the buyer first beware of the seller. If the seller has done what he or she is supposed to, you should be able to see the results right on your browser. For example, let's say you are going to buy a book online. Once you choose your book, place it in your "shopping cart," and go to check out, do you notice if you move into a secure server?

Often, your browser will pop up a little box explaining that you have moved into a secure server. If you have disabled that little box, then you'll have to be a little more observant. Look at two places:

  • The address of the site should now read "https://"
    See that "s" after the http? That stands for secure.

  • The little padlock image on your browser should be closed. If it is open, or if it isn't there, then your information is not being encrypted and you should offer nothing to the site. In fact, you should leave.

There are still sites out there that use a simple "mailto" form to accept your credit card number. If you attempt to buy and cannot find any proof that your information is being encrypted, do not offer any numbers. Text entered to a basic HTML form is as easy to intercept and read as a telephone party line.

OK. I see the padlock, now what?

You can be darn sure that your information is being encrypted. That means that even if someone did intercept it (which is very unlikely), he or she couldn't decipher the numbers. It is statistically impossible to decipher encrypted information with today's encryption rates.

But be warned: SSLs and encrypted directories are very easy to set up. Do not simply take the fact that the padlock is closed as proof you are dealing with the site you think you're dealing with. Click on the padlock. You should get a small box that opens, displaying what's known as a server certificate. That certificate is a document provided by a third party that guarantees the site you're dealing with.

You mean, I'm somewhere else?

It's not often that it happens, but it does. A bad person sets up a site with a name similar to a university, business, or organization and starts to collect money from people who think they are dealing with the real deal. The bad guy set up the site and the SSL so that it all looks legit. This is a process known as "spoofing."

If the users click on the padlock, they would see the site is not what they think it is. So, even if you're sure, check it out. Click on the padlock and read the certificate.

Where do businesses get the certificate?

There are different places, but the most common is a from a company named VeriSign Inc. VeriSign is what's known as a certificate authority (CA).

VeriSign makes its living by issuing these certificates to companies that can prove they are what they say they are. The bad man who wants to set up a spoof site would have a very difficult time providing the information required to get a certificate.

When my wife and I applied for a VeriSign certificate, we were checked at multiple levels:

  • We had to provide proof that we own the domain name.
  • We had to provide a business license in the town where the domain is registered.
  • We had to list and prove our identity with Dunn and Bradstreet. They then gave us what's known as a DUNS number. It's equal to a business social security number.
You may be wondering about the employees of VeriSign. Well, the company site is at a single location, employees undergo background checks, and the company uses five levels of security.

So, I start to buy something...

I log in, check for the "s" and the padlock, click the padlock, and verifiy I am dealing with my party. Now, how am I sure my information is secure?

Once you've entered into the SSL, the server sends out a digital ID. That's a huge, long number, encrypted at either a 40- or 128-bit level. That's how your browser knows this is a secure area. You see, all of this happened before you even were allowed to click on the little padlock.

Your browser responds to the ID by verifying that ID against the certificate. If they match, then the server sends a "session key." That key is another long encrypted number that will be used for this, and only this, transaction. If you leave the SSL and come back, the entire process is done once again.

Each browser that connects to the SSL uses the same client ID to verify the server. Past that, each browser receives a different session key. That way, each session is encoded differently from every other one. That makes it near to impossible to crack the code--and even if you do, you've only cracked one. Each session is encrypted separately. It's just not at all profitable to attempt to crack individual transactions.

But my number is sitting on a server

Some sites used to store card numbers unprotected directories on their servers. Hackers rolled in and stole the numbers. That was a very dumb move on the site administrator's part and, hopefully, won't happen again. Any Web developer with half a brain houses submitted credit card numbers in a secure directory.

At the end of a business day, the numbers are retrieved through the use of a password system.

How does the business draw funds?

Once you have entered in your card and the business takes it from the server, the process works much like any other business that accepts credit cards. Either the business itself or a company built to handle large volume numbers makes an electronic transaction with the bank, and funds are transferred from the card to an account.

Some businesses even have systems set up so that the transfer is done automatically. No person ever sees the card number.

In my case, we do it by hand, connecting directly to the bank that holds our account. The transaction is encrypted and immediate. The session last no longer than the time required to make the transaction. Once I get the validation number, the server kicks me off.

So, it's perfectly safe?

No, there's no such thing as perfectly safe. There are still steps where the number could be grabbed, but not from the server during the transaction. What I wanted to point out here are the steps businesses take to ensure your transaction is as safe as can be.

Now that you've read the basic process, I think you'll agree that out of all the methods of delivering credit card numbers for purchase, giving a card online is easily one of, if not the, safest out there.



  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.
Thanks for your registration, follow us on our social networks to keep up-to-date