SSL Alone Is Not Enough to Protect You

By Joseph Moran | Posted May 11, 2007

Stories about the theft of personal financial data are constantly in the news these days. Most often this seems to involve credit card numbers, as was the case recently when the theft of tens of millions of them from TJX, the company that owns the TJ Maxx and Marshall's chains (among others), made headlines.

Most of us don't think twice when handing over a credit card to a waiter or store clerk, but there are still some people who are wary of making online purchases or avoid online shopping or banking entirely due mainly to concerns about security. The TJX incident and others like it illustrate, however, that you don't necessarily need to shop online to be vulnerable to data theft -- after all, TJX operates only brick-and-mortar chains (they have Web sites, but you can't buy anything on them).

Unless you're willing to pay cash for all your purchases and forgo many of the benefits of a modern society and economy, there's no guaranteed way to guard against your credit card information falling into the wrong hands. (It doesn't help that retailers often retain this information much longer than they need it.) But unlike at the neighborhood store, there are some steps you can take to keep your account information safe when you're conducting business online.

Protecting Credit Card Information Online
You probably already know to look for the presence of an SSL "lock" icon in your browser when shopping online. SSL is a security technology that encrypts a connection to prevent eavesdropping, and it's used at the checkout stage or anywhere that personal data will be transmitted. In the unlikely event you encounter an online merchant that isn't using SSL, don't touch that site with a 10-foot pole.

But while SSL is a good start, it's not the end of security. In fact, the presence of SSL can often lead to a false sense of security because while it protects your data from being intercepted while in transit from your computer to a merchant's site, it can't do anything to safeguard it after it reaches its destination.

For example, most retailers offer the option to store credit card account info on their servers to save you the trouble of having to re-enter it every time you make a purchase. That's certainly convenient, but it's not a good idea from a security standpoint because once your credit card info is stored by a merchant you're at the mercy of whatever security measures are in place on its network. Although merchants usually store customer financial data behind layers of security (usually involving masking and encrypting the numbers), as we've seen many times in the past, you can't assume those measures will necessarily keep your data safe.

To be sure, keeping credit card numbers on file with a merchant is sometimes necessary (for example, when you need to make recurring payments for a subscription-based product or service) but aside from that scenario you should generally avoid the option. While the risks may be somewhat limited when you store your data at, say, a single heavily frequented merchant, they grow considerably if you do that with multiple vendors around the Web.

"Virtual" Credit Cards
If you just don't like the notion of using your credit card over the Web, you may want to look into the availability of so-called "virtual" credit cards offered by some banks and card issuers (Bank of America calls its program ShopSafe, while Discover dubs theirs DeskShop). They let you shop online using specially generated and unique numbers that are only valid for a single purchase, a limited time, or a fixed dollar amount, allowing you to keep your plastic card safely holstered.

You may be wondering if protecting your credit card numbers using the methods described above is worth the added effort given that liability for fraudulent charges is often limited (usually to $50 and in some cases you don't have to pay anything). That decision comes down to finding your own happy medium between convenience and security, two things usually at odds with one another.

One thing to keep in mind is that even if you're not liable for much (or any) money, there is still the hassle of having to file fraudulent charge claims, get new account numbers and so on, which can be a frustrating and time-consuming process.

Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.
