Can You Bank On I Way Security?

When you fire up Microsoft's Windows 95, the computer starts by demanding a password. The security looks impressive, but a computer-literate 13-year-old could get at all the files on the hard drive.

Windows NT boots up with a very similar log-in screen. But NT's protection against unauthorized access is good enough to pass stringent government security tests. How are you supposed to know what is secure and what is not?

The unfortunate answer is that you cannot. The latest reminder came when two University of California students discovered a relatively easy way to decrypt credit-card numbers and other supposedly secure messages sent out by Netscape Communications Corp.'s popular World Wide Web browser software. Netscape moved swiftly to plug the hole, and the company's high-flying stock only swooned briefly.

"NOVICE ERROR." I suspect, however, that the incident will have longer-lasting repercussions for the infant business of online commerce. People's willingness to engage in online transactions requires "a perception of security," says Scott Randall, general manager of NECX Direct, which sells computer hardware and software over the Internet. Today, that perception doesn't exist, and Netscape and others building online bazaars will have to work a lot harder to create both a sense--and the reality--of safety.

Knowing that security was the key to Web commerce, Netscape made the right start by licensing technology from RSA Data Security Inc., the acknowledged leader in the field. But programmers made what Purdue University security specialist Eugene Spafford calls a "novice error." One of the keys to Netscape's encryption and decoding process was the time of day of the transaction. Figuring that out enabled someone armed with the right software to crack the code in minutes.

Netscape is hardly the only computer company to be tripped up by a security blunder. For example, Sun Microsystems Inc. once shipped workstations with microphones set up so that when the workstation was connected to the Internet, some Net surfers could listen in on office talk. And numerous software companies have spread viruses to their customers through program-distribution disks.

Netscape is determined not to repeat its errors. It made details of the repaired Navigator available for public inspection, a step that might well have avoided the original problem. Navigator 2.0, to be shipped by yearend, incorporates both stronger encryption and a provision for digital signatures, which allow the recipient of messages to be certain that the sender is who he or she claims to be. Such "authentication" is vital to the growth of Net commerce, especially riskier forms such as online banking and business-to-business exchanges of information.

"There's no such thing as a completely safe computer or service," says Spafford. "All you can do is develop an appropriate level of trust." Developing that trust will take hard work by software companies and Net merchants, and the comfort level will rise with experience and the passage of time. Only then will online sales climb above the low-seven-figure business it is today.

WILY WAITERS. A few years ago, many people were reluctant to buy from catalogs by giving out credit-card numbers over the phone. Even today, there are probably riskier places to use your credit card than the Net: You could, for instance, hand it to a clerk or waiter who is part of a fraud ring. Either way, your liability for fraudulent use is limited by federal law to $50.

It's perfectly reasonable, however, for consumers to be hypercautious. Personally, I'll be willing to try a few credit-card transactions after the new Netscape Navigator goes through its initial shakedown. But I'll need a lot more convincing before I'll expose my bank account to online perils. Right now, you won't be missing much if you let online commerce get started without you.

Before it's here, it's on the Bloomberg Terminal.