The technology that makes online shopping and banking secure is under increasing assault by hackers, criminal gangs and spy agencies, threatening the $680 billion-a-year global e-commerce market.
Security specialists warn that consumers soon may no longer be able to trust the padlock icon in browsers, which signals an Internet connection secured with Secure Sockets Layer (SSL), meaning they would no longer be able to shop or bank online with confidence.
SSL relies on special electronic certificates issued to a secure website, but each kind of Web browser validates certificates in a different way, according to security specialist Mary Landesman of the technology firm Cisco Systems.
“The average user has no good way of verifying that the server certificate really is valid and thus that the site is really valid,” said Ms. Landesman.
Earlier this year, a pro-Iranian hacker broke into the computer systems of at least two security companies, among the thousands worldwide that issue SSL certificates.
After taking control of the companies’ computers, the hacker issued fraudulent certificates for dozens of websites, including Google, Yahoo, AOL, Facebook, Skype and the public home pages of the CIA, MI6 and Mossad.
Before the hack came to light last month and the false certificates were revoked, the fakes could have been used to impersonate those websites. The victims’ computers would have appeared to have been in secure, encrypted sessions with their email or Web service provider.
In fact, the victims’ computers would have been in contact with a fake site, where hackers could eavesdrop on communications and steal log-in information and passwords.
The hacker, using the alias “Comodohacker,” made several public Internet postings in which he provided evidence he was behind the hacks, said Ronald Prins, owner of Fox-IT, a security software company that investigated the breach.
“He was very clever,” Mr. Prins said of Comodohacker. “He did something that only the person with the key the hacker stole could do. That proves it was him, or someone he gave the key to.”
SSL is the backbone of e-commerce — the guarantee that a Web user’s login and password, and credit card and bank account details are safe during Internet shopping or banking. And SSL is vital to privacy, keeping users’ email and social media accounts secure.
“What is good is that the security community is aware of the threat. They know it could jeopardize e-commerce and they won’t let that happen,” said security specialist Dave Jevans of IronKey, an online data security firm.
Online shopping is increasing annually and accounted for $145.2 billion in retail sales in 2007, about 4 percent of the $3.6 trillion retail sale total for that year, according to the Census Bureau.
In addition, a 2011 survey conducted for the American Banking Association found that 62 percent of bank customers prefer to perform transactions via the Internet.
According to the FBI Computer Crime Survey, more than 5,000 computer security incidents were reported in 2005 and most of those intrusions originated in the U.S., China, Nigeria, Korea, Germany, Russia and Romania.
Claiming to be a 21-year-old Iranian patriot, Comodohacker has said in a series of boastful tirades that he targeted “spies” and “enemies of Iran and … Islam.”
He has threatened Iranian opposition groups, saying their members “should [be] afraid of me personally — As I live, you don’t have privacy in internet, you don’t have security in digital world, just wait and see.”
In one message, he used the signoff “Janam Fadaye Rahbar,” which means “I will sacrifice my soul for my leader” in Persian, an apparent reference to Iran’s spiritual leader, Ayatollah Sayyed Ali Khamenei.
Mr. Prins said the same phrase was used in some code in the hacks: “He left fingerprints,” apparently deliberately.
Some security specialists have surmised that Comodohacker was a front for an Iranian spy agency or turned over some of his forged certificates to Iran’s intelligence services.
If an intelligence agency was behind the hack, it would not be the first time a nation-state had used fraudulent SSL certificates. One was used in the Stuxnet computer worm, which attacked Iran’s nuclear program in 2009 and came to light last year. Stuxnet is widely believed to be the work of a national intelligence agency, possibly the United States.
But the real threat to SSL comes from the proliferation of techniques and technology developed by nation-states, individuals like Comodohacker, criminal gangs and hacker/activist groups.
“The copycat effect is very concerning,” said Mr. Jevans. “The next step is the Russian crime syndicates will use it” to drain bank accounts.
Part of the problem is that having Web browsers refer to lists of revoked certificates is as outmoded as shopkeepers checking printed lists of stolen credit card numbers, he said.
“There’s no person or service or company searching for fraudulent certificates,” Mr. Jevans said. “Browser manufacturers need to get their act together — until then, consumers will be at risk.”
Ms. Landesman predicted that “the vast majority of users engaged in e-commerce will be unaffected and will continue to buy and sell online.”
Mr. Jevans agreed. “E-commerce is so big — it’s unstoppable,” he said, but cautioned “individual people are at risk, individual businesses are at risk.”
© Copyright 2013 The Washington Times, LLC.