Outsmarting the hacker
Published: 02 Feb 2001 11:35 GMT
There's a fine line between making it sufficiently easy for genuine site visitors to get to the information that you want them to see, and letting the world and its wife root around uninvited in the underwear drawer of your network.
Most Internet users are doubtless fine, upstanding members of the community, who want to do nothing more than buy a book online or pay their gas bill, but security concerns are putting off many of them.
Credit card companies have tackled consumer concerns by offering insurance against misuse of cards online, but this merely shifts the focus to compensation instead of prevention. Although these concerns often have little basis in fact, the example set by Microsoft -- both in terms of its site configuration, and its openness to a bunch of bored New Zealanders -- can't have done much to reassure the more conservative of Internet users.
Those in charge of site security must ensure that their systems remain easy to use. At present, user IDs and passwords provide the most common method of identification, which has the advantage of being a process we're all familiar with.
However, this is far from being a secure solution, for reasons both human and digital. The shorter a password, the easier it is to break; but in general, human beings are not good at remembering passwords of more than seven digits unless it's a word they've selected themselves. Selecting your own password may be a more straightforward solution, but there's a limit to the number we can keep in our heads, never mind remembering which is associated with which service.
If an online service really wanted to make your dealings as secure as possible, it would also prompt you for your password and ID at regular intervals throughout the transaction. But few people would tolerate this, so trade-offs start to creep in between site usability and data security.
In the future, the use of digital signatures with smart tokens or smartcards will be one way around this, enabling sites to continually authenticate users behind the scenes, and offering a far more robust form of identification than a PIN or password. However, online retailers and banks will still have to convince users that it's worth their while to invest in technology such as smartcard readers.
Whatever form of security you put in place, someone will find a way around it eventually. As attacks become more sophisticated, intrusion detection systems will need to become equally adept at spotting them, all of which requires innovation and investment. Just ask Microsoft.
Customer-facing sites will have the added challenge of making sure that all of this remains transparent to end users, while still managing to reassure them that their data is safe.