Investing, Confidentiality, and Internet Security


There are several good articles that talk about various technical aspects of Internet security, including PGP, the Clipper Chip, and other topics. I will supply some pointers to those resources as is appropriate. But the main point of this article is to discuss why as an investor you should be concerned about privacy, what you can do today, and what you should beware of today.

Internet Security – What to Protect?

Your Credit Card Numbers – Everyone is a bit paranoid about sending credit card numbers over the Internet. It is common knowledge that anyone with a network sniffer can read any clear text messages and save them if they want. This is probably the most widespread concern. A bigger and more likely risk is that some hacker will break into a mainframe computer and steal not just one credit card number but thousands. But this could never happen, could it? Tell it to America Online, who recently had their main billing computer penetrated by someone who downloaded tens of thousands of credit card numbers!! A minimum wage store clerk copying your number off a charge slip, or adding a few of his own purchases to your charge, is a bigger risk than sending your card number in clear text over the Internet.

In the United States, if your card is stolen, you are liable for at most $50 of charges. You are not even liable for that amount if you report it stolen before it is used (or within 24 hours? I forget the details of the rules now…). The onus is on the merchant accepting your card to verify its correct use, and verify the correct address for mail order goods.

Other risks you need to be concerned about, now or soon, are listed below.

Your Bank Account Number – You don’t have any of the protection normally associated with credit cards. In theory, a high tech thief could enter his own transactions directly against your bank account (like those automated monthly amounts you have transferred to mutual funds). And when you discover and challenge it, it can take a long time to unravel it (if ever). You can’t refuse to pay the charge. They already got the money!!!

Your Investment Transactions – Once you start doing investment transactions on-line, it is more difficult to authenticate that you are you. Someone could do all kinds of mischief inside your brokerage account, or even have money transferred to another firm, and possibly into his account. Most safeguards are pretty good today, but as we go to faster and faster settlement, this type of theft will start to appear.

Your privacy – Okay, you just read the above risks and said, “Those are not a big deal! What’s the big deal?” The big deal is PRIVACY. In the United States today, your odds of being sued are approximately 1 in 1 over your lifetime. That is, there are so many lawyers with nothing to do that eventually everyone will be involved in at least one lawsuit at some point during their lifetime. Now, hopefully some of the more frivolous claims will never make it to court. If the person suing you cannot afford an attorney, today they will be unlikely to get one to work on commission (they call it contingency, just to confuse the issue). But imagine if the local ambulance chaser can punch in a few keys, or look up in their private database to see the balances on your bank account, mutual funds, mortgage balance, and just about every other aspect of your life. It will become increasingly difficult to get these people to go away. And they will sue you for what they think they can get.

On a less paranoid note, you don’t use postcards for all your regular mail, do you? Most people put their letters inside an envelope, so that the mailman or anyone else is prevented from casually reading it. Of course they could steal the envelope and open it, but most of the time it is not worth the trouble, and they can’t know if it is worth the trouble without stealing it… Your electronic files and email deserve the same care.

Your business – Competitive information needs to be closely guarded. If you are in business, you need to protect every communication that goes over a computer line. Pricing details, inventory positions, even the names of your customers are all pieces of information that will let existing or new competitors move into your area. If you use email in your business, you need to be encrypting it today!!!

Internet Security – Encryption

Fortunately, there are some very elegant forms of encryption available to most computer users today. The most widespread of these is something called PGP (Pretty Good Privacy). PGP can encode any file, including graphics, engineering drawings, and binary program files. There are also several other more proprietary techniques out there, many of which are based on RSA.

The best systems are called public key or dual key systems. When you set up your system, the program generates two very long numerical keys that work together as a team. One key is kept very confidential, and ideally only you should have access to it. The other is given out to everyone, and is called your public key. See my public key. When a message is encrypted with one part of this key pair, the other part is the only key that will decrypt it to make it readable again.

When someone wants to send you a message, they get your public key and use it to encrypt the message. See a sample text message. Once it is encrypted, they can send it to you over the Internet, and anyone looking at it will just see a tangle of random characters. When you get the message, you use your private key to decrypt it and it is put back to normal. The interesting thing about this system is that even though many people have your public key, they cannot read your messages. The encryption only works in one direction, and once encrypted, the other half of the key pair is needed to decrypt the message.

An even more interesting byproduct of this system is called authentication. If you use your private key to encrypt a message or a signature line, anyone with your public key can decrypt it. But the only way your public key could work on the decryption is if your private key was used to encrypt the message or signature. In this manner, although anyone can read your message or signature (if they have your public key) only you could have sent it!!!

The signature algorithm uses the message or file data as input. What this means is that once a file is “signed”, the verification step at the other end will fail if it is altered in any way. This is used today to verify computer programs as being untampered with by hackers after the software leaves the writer’s hands. It can also ensure that any file has not been altered by anyone but the person who signed it. See our sample in clear text, but signed.

It is also possible to combine these two features, so that you can use someone else’s public key to send them a message, and use your private key to sign the message. When they get the message, they use their private key to decode the message, and your public key to verify that you were the originator of the message. In this manner, only they can read it, and only you can send it.
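The key-pair relationships described above, as an added example that is not from the original article and is not PGP's own code: textbook RSA in Python with no padding, using constructed toy keys built from well-known Mersenne primes (trivially factorable, so for illustration only). The function names, the names Alice and Bob, and the sample message are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Build (public, private) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d is the inverse of e mod phi

def encrypt(public, text):
    """Anyone holding the recipient's public key can do this."""
    n, e = public
    m = int.from_bytes(text.encode(), "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    """Only the holder of the matching private key can undo encrypt()."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def digest(text):
    """The signature takes the message data itself as input, via a hash."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(private, text):
    n, d = private
    return pow(digest(text), d, n)

def verify(public, text, signature):
    """True only if the signature was made over exactly this text."""
    n, e = public
    return pow(signature, e, n) == digest(text)

def send(sender_private, recipient_public, text):
    """Combined use: encrypt to the recipient, sign as the sender."""
    return encrypt(recipient_public, text), sign(sender_private, text)

def receive(recipient_private, sender_public, ciphertext, signature):
    text = decrypt(recipient_private, ciphertext)
    return text, verify(sender_public, text, signature)

# Constructed toy keys (Mersenne primes); never use such keys in practice.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)
MSG = "Sell 100 shares of XYZ at market"  # constructed sample message

if __name__ == "__main__":
    c, s = send(ALICE_PRIV, BOB_PUB, MSG)
    print(receive(BOB_PRIV, ALICE_PUB, c, s))
    print(verify(ALICE_PUB, MSG.replace("100", "900"), s))
```

Real PGP adds padding and encrypts the message body with a one-time symmetric session key; only that session key is encrypted with the recipient's public key.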

As a side note, there are sites on the Internet where you can register your public key, and get other public keys as well.

Internet Security – Pretty Good Privacy (PGP)

PGP was developed by Phil Zimmermann, and he initially made it available to anyone who wanted it. He made the source code available to the computer community, and everyone worked on beating it so it could be improved. The latest version is still available as freeware for non-commercial use on the Internet today. But it has some absurdly ridiculous restrictions on its propagation. There are United States versions and “the rest of the world” versions. If you live or work outside the United States, you are not supposed to download the US versions. You cannot use the international versions if you are a U.S. resident. And the U.S. government is still trying to get this software eliminated, as a “threat to national security”. Their alternative is the Clipper Chip, which is about as effective as a secret decoder ring. What they mean is that this software is too good, and the U.S. government feels that depriving you of your privacy is critical to remaining a free nation. Even though the rest of the world has the software, they seem to be more concerned about U.S. citizens getting communications secure from government eavesdropping. King George would have been proud. Doublethink at its finest.

If you use PGP, you can send and receive messages with a high degree of confidence that they will be confidential. This includes your secret chili recipe, marketing strategies, discussions of confidential business negotiations from your salespeople, and instructions to your Swiss Banker. If you can arrange for authenticated keys (keys that you know without a doubt belong to the person you think they belong to), you can also be sure that you are getting messages from that person, and not some impostor (or con-man).

Since there are international versions of PGP available, this represents a good way to communicate with people in other countries. You could be pretty sure that only the person who you send the message to can read it, not some government officials (outside the U.S. of course) who were bribed by your competitors. You use the US version, and your correspondents use the international version. Yes, they are compatible!!!
