03

How secure is your online transaction?

There’s still something unreal about online transactions. We’ve all had those moments, even if a long time ago, that we’d frown upon the idea that we could manipulate our wallets with our computers. Humans have always had underlying trust issues. Couple that with our money induced drools, and you have a system whose early adopters must be credited with being some of the bravest (and from our guess, richest) men and women of the time. Still, it was done, and today we can see the effects – online transactions the world over have grown to some-crazy-number-that-we’d-rather-not-commit-to-print times a trillion dollars – you get the idea. Yes, Trillion – the one with a ‘T’.

HOW SECURE IS YOUR ONLINE TRANSACTION?

For you must know how safe your money is while navigating the maze of electronic commerce

There’s still something unreal about online transactions. We’ve all had those moments, even if a long time ago, that we’d frown upon the idea that we could manipulate our wallets with our computers. Humans have always had underlying trust issues. Couple that with our money induced drools, and you have a system whose early adopters must be credited with being some of the bravest (and from our guess, richest) men and women of the time. Still, it was done, and today we can see the effects – online transactions the world over have grown to some-crazy-number-that-we’d-rather-not-commit-to-print times a trillion dollars – you get the idea. Yes, Trillion – the one with a ‘T’. You might have contributed to it yourself a fair number of times. And you probably do it with the confidence that comes with having done something multiple times. Yet there might be lingering doubts as to how exactly does the darn thing go about. Because it’s not common knowledge, we expect that most of you would not be aware of the fine nuances of the working of digital transaction. We’re not happy to know that there is something that our readers do not know – that is something that just doesn’t sit well with us.

Here, we’ve taken it upon ourselves to throw enough information at you, in the hope that you understand the underlying process at work in any given digital transaction.

First things first, basically we’re banking on encryption here. So you must know what encryption is. Do not fret if you don’t know about it yet – read on...

Encryption

This is the core process of the entire ‘secure service’ that we are offered online. Encryption is the process of transforming the given data sequence, which is probably meaningful, and convert it into something that holds no possible meaning whatsoever, by the use of an encoding algorithm. The key to the uniqueness of the process (so as to ensure that every attack is isolated, and fallacies of one nod do not affect another), is funnily enough, called the ‘key’. It is the parameter without which the strongest of decryption algorithms, cannot decipher the data into its original, meaningful state. Unless, of course, they are run for an unrealistic number of times, or on an unrealistic number of machines, or both.

Some of you might have heard about hashing, though a lot might have not. In the interest of the forthcoming context, it would be good if we could introduce that here too.

Hashing

Mistaking hashing for an encryption technique is one of the most basic mistakes that people seem to make. What hashing is is basically a mapping of large chunks of data into tables that contain references to those chunks, thereby containing a virtual representation of all of the data that was initially provided. It, in no way, is related to any matter of encryption, even though there is abundant use of a ‘key’ here. Again – it bears no relation to the encryption key.Now, you might have heard about the encryption being considered as week, these days. Believe us, we’ve met “hackers” who think it’s a piece of cake to break the general encryption algorithms. To put such claims into some perspective, we’d take the liberty of putting up some tech folklore here.

There are times when you come across people claiming that encryption algorithms that are commonly used can be breached. We’ve long considered it a classic giveaway for shallow tech-hipsters. While it is true that some of the most ancient algorithms have their loopholes, any generalization here is basically a waste on the energy that was spent making that allegation. There are some rather credible schools of thought that their ‘weak’ algorithms were made deliberately, so as to ‘pass through all of the international export laws and establish a global base for a new protocol – 802.11’. Nope, even we don’t know how that makes sense. Never mind. So the legend says that if one were to attempt breaking such an encryption by the use of brute force technique (because no other technique holds any proof of its optimality), it would turn out to be a very, very difficult task. Simply fulfilling the memory requirements of such an attack would need a sizable number of terabytes of storage, coupled with a few thousand nodes to supply the resources. Incidentally, the record for the largest RC5 (Rivet Cipher 5) code broken is 64-bits, and that was about 10 years ago! A 128-bit code is much, much stronger than a 64-bit code that we just talked about – so much so the difficulty in cracking them is of the order of a few billion times over the 64-bit code.

 

Obviously, over time (as in, a few hundred years), the capacities of cracking systems will improve, and they might be able to shave off a number or two from those requirements, but by that time, it would probably not matter that you bought that plasma screen TV online, last diwali. So you can do all of that safe in the knowledge that by the time your information is breached, it would have been long useless. And here we’re only talking 128-bit cracking!

 

There’s data out there that would still need to be safeguarded after a few hundred years (government data, or corporate records spring to mind). For those, there’s always 256-bit encryptions. Just to give you a perspective of the kind of power that would need to be cracked open, 2256 is a lot more than the number of atoms – in the Universe!

So we now know two things here:

 

First, that encryption techniques are pretty awesome, and would take some beating. Some beating, indeed.

Secondly, and very importantly (for those who are/ hope to be in a technical field) -

“Hashing is not encryption”.

 

Words to live by.

Now let us shake some ground that we’ve laid out so confidently for you – encryption can, theoretically, be broken. And very easily, at that. All it would take is an implementation of something known as a quasi meltoromotoratron. Okay, not that, but just as sci-fi: quantum computer.

 

How a quantum computer would beat the living hell out of every encryption algorithm in the world

The science of the process of data encryption is known as cryptography. It is among the hot fields of research among scholars and corporates alike, as it pretty much has been. Among the reasons is how a downright simple method (to our awesome cognitive senses) is so freakishly hard for a computer to understand. As we know, 128 or 256 bit is considered sufficient in view of today’s threats. The reasons for this were just examined by us. But recently, there have come into existence theoretical methods that threaten to hold current encryptions by the scruff of the neck, potentially packing havoc for all the ‘belief’ that online transactions have garnered after years of rather faithful service.

 

Now, let us give you a basic idea of how exactly encryption works. The main principle of working here is the exponentially difficult nature of some problems in computer science. A common example is the factoring problem – where a number needs to be divided into its prime factors. While it may seem easy for you to do, but then, as we’d told you some time back, you are probably one of the foremost supercomputers in existence. For the run-of-the-mill, everyday hackers, we don’t expect them to go anywhere beyond mainframes. And for systems of such limited power, the problem of factoring is notoriously difficult. So difficult, in fact, that they call it one of the ‘hard’ problems in computer science (no seriously, that is the word – hard problems). And with that, the difficulty in solving increases exponentially with every new bit (which is why we talked about 2256 when talking about 256-bit encryptions). With every new bit, the difficulty increases by a factor of 2.

 

But all of this can potentially change, if we can somehow pull a quantum computer out of the bag. They are revolutionary devices, which would pretty much change the fact of computing as we know it. The exact and detailed explanation for this is really, really difficult to cough up in this tiny space (we might do it in a dedicated FastTrack someday!), but here’s what you need to know. While everyday computers work on 0s and 1s, a quantum computer works on 0s, 1s, and a mixture of 0 and 1. And that is why it is difficult for people to wrap their heads around the idea – not to mention scientists, who’ve yet to create anything that can call itself a quantum computer without a smirk. But, if a manifestation does see the light of day, here’s what it promises to establish – the vast majority of the problems that computer science thinks are hard, because of the exponential nature of problems, can theoretically be converted into classical, polynomial sets. So instead of 2256, we get 2*256. And we can confidently vouch for the fact that it is much, much less than the number of atoms in the Universe. Which is why it would take anything between 10-20 seconds for one instance of such a computer to bring the entire cryptography system to its knees, safety and security online would be a lie.

 

Hold your horses there, soldier! You don’t need to march to the bank to withdraw your hard-earned cash just yet. There are no quantum computers in existence, as of yet. At least none that we know of (though you never know with CIA). In fact, the furthest that people have been about it, is barely past the start line. So you probably have nothing to worry about. For now, that is. If you ever hear of a quantum computer being built, you know what you need to do.

 

Now that the groundwork for generic model of online transactions has been established, we should get you started on acquainting yourself with some of the real world implementations for this. Starting off, we think you’ve probably heard of...

PayPal

PayPal is, as it has been for some time now, the world’s favourite “middleman” in online payment market (yeah, it’s a market – a huge market, so to speak). It bases its working model on trust. And to be honest, having been around for so long, all the trust that it gets is fairly commanded. PayPal works by pairing an e-mail id with an account information. So these are the two requirements that are to be fulfilled to set up your PayPal account – straightforward as they come. The system is essentially one where the two parties will never need to know each other’s financial details, with the entire transactions taking place between the two mail ids. So far, so good. But how safe is it? Considering how easy all of this seems, it’s easy to assume that PayPal lacks safety measures. It is, in fact, one of the most secure payment systems in the world. In addition to multiple anti-fraud teams and super secure checks, payment insurances and a few more assurances, we can safely say that if you just have to trust someone/something, you might as well trust PayPal with it. Some praise, that.

And you’re most definitely aware of...

MasterCard

It forms a layer of interfacing between the accounts of the payer and payee. Essentially, that is about it. When you purchase goods or services from somebody (in person or online), and provide your details, the merchant’s bank ‘buys’ the transaction from him at a discounted price – only after your details have been authenticated by the server, that is. Then, this bank (Bank A) calls upon MasterCard’s interfacing service to ask for funds from the consumer’s bank, say Bank B. Bank B then proceeds to check the request, and pays MasterCard on Bank A’s behalf. MasterCard then pays off Bank A, minus the settlement fee. Everybody’s happy. Except, maybe the banks – because surcharge is only good if it’s paid to you.

Visa

Everything is precisely the same as above here – just Visa in place

of MasterCard.

And here’s India’s domestic answer to that...

RuPay

RuPay was started by National Payments Corporation of India as a domestic alternative to the MasterCard/Visa duopoly. Being an in-house initiative, it undercuts both of those on processing and transaction charges, which basically means it’s cheaper for you. Also, with the start of this initiative, the Reserve Bank of India has slashed the charges levied on sellers for facilitating debit card payments. SBI, Bank of Baroda, Union Bank of India and Bank of India have already joined the bandwagon, and more are expected to follow. In a few years, a 40% decrease in market service charges is expected. With the project still in a very early stage (released earlier this year), expect more development on this front. And with RBI in the game, expect reliability. Keep in mind, though that the system is geared towards making the debit card rates better, with the makers themselves admitting to it.

Another popular method of digital transaction is the (in)famous credit/ debit card system. Here’s how things go down in that world...

Credit cards

These are one of the most sinister inventions of the modern era. They are basically borrowing tools that will buy stuff for you on the promise that you will pay them back later. But one thing that they do pretty well, is securing the card from completely external influences. At the heart of this is the magnetic strip of the card.

There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters.

 

Track two is 75 bpi, and holds 40 4-bit plus parity bit characters. Track three is 210 bpi, and holds 107 4-bit plus parity bit characters When the acquirer company gets the credit-card authentication request, it checks the transaction for validity and the record on the magstripe for:

Merchant ID

Valid card number

Expiration date

Credit-card limit

Card usage

After the authentication, the PIN is needed to begin the transaction. It might be coded onto the card, or stored remotely by the bank’s server.

 

So yeah, with the multi-step checking in place, the most probable reason you will lose money is if you lose your card – to a crook, or your wife, or children. No kidding. Identity thefts are really the overwhelming majority of all credit card frauds. And because you’re feeding off borrowed money, there’s theoretically no limit to the exact amount you can lose. Or spend. Which will eventually be bad either way. And knowing the amazing spectacle of speed that is Indian judiciary, we suggest you watch your back.

Debit cards

They are sort of the yin to credit cards’ yang. Everything works almost exactly the same way, its just that here the provider is just a gateway, and all the money that you use is essentially what you own. Therefore, you are not relying on your future income to bail you out of the stuff that you’re getting into now. The technical details being essentially same, the chances of fraud are also the same as credit cards. The plus-point here is that because the spending is limited by the amount of money that you currently have in your connected account is the limiter on the order of the fraud that can be committed by misuse of the card. Still, with the huge perks on offer, debit cards being the lesser of all of the previous evils, we give it a more than fair shot here in India.

Now, there are another couple of methods that are all the rage.

Internet banking

Internet banking is basically passing the control of your account over to you. Every relevant detail of your money is laid bare in front of you. You can do most of whatever you do at a bank at this terminal, except maybe chatting up the receptionist. Your bank provides you with a login user id, and a bunch of passwords, and you need to always use those for your service, simple as that. In terms of safety, there’s usually an impressive portfolio present. So how is it that we come across so many cases of fraud in this space?

Taking a deep look into such cases usually reveals one common culprit – humans. There’s sizable human error in most of such accounts. Be it ignorance to phishing, or insufficient secrecy about your details, whatever else it might be, the core idea is that you yourself provide all that a crook needs to rob you of your last penny. And this cannot possibly be blamed on anything internet banking does, and not something it can probably rectify. Anyone who thinks he/she can handle it properly, should have an eye to look out for fraud – phishing, pharming, keylogging or otherwise. Otherwise, in terms of interceptability, secure HTTP is pretty solid.

Mobile banking

The logical progression to internet banking, it was never not coming. And now it’s here, proper. What started out as simple pulling of relevant data from your account (balance/transaction info/ whatever), has slowly become a pretty impressive suite of stuff that you can accomplish. Right from shopping to paying bills and shopping, mobile banking promises to bring a whole new level of portability to your money. And they’ve implemented a host of security layers too. You need two level authentications to go through with any transactions (usually your password, along with the PIN). If the amount to be serviced is larger than a cut-off a third password is sent to your registered number for a one-time authentication.

Ultimately, it is again the human error of judgement that is the biggest potential loophole in the service, because catching all of the other information on the fly is probably too big an ask from today’s technology.

 

In the context of digital payments, you might’ve also heard of...

NFC

Now here is another sci-fi addition to your digital payment arsenal. Gone are the days of “tap to pay your bills” meaning learning to tap-dance professionally. Now you can literally pay your bills with a tap of your phone. Near Field Communication is super-short range radio based transmission. It was built to allow communication upto a few centimetres, but the implementation in mobiles (obviously) worked towards optimizing upon the ‘tapping’ novelty. Smart move, too – we all know how Infrared was perceived. Now this might be a bubble, as we’ve witnessed with so many new technologies (not necessarily of this particular field of service). But NFC sure does show a lot of promise.

Visa seems to have got on the bandwagon early, with the release of it payWave user interface SDK, for participation in the potential release of NFC enabled applications. payWave is an attempt to make all transactions contactless, be it your everyday card, phone, or some other device that turns up someday – because there is no contact, the carrier might not matter anymore in the future. That is the vision, anyway. Not to be left behind, MasterCard has gone on the release it PayPass interface, that would solve a similar purpose.

As for the security of the system, it is surprisingly low. As with the regular credit/debit cards, there is only an identifier in the form of the RFID chip (similar to the magnetic strip on the regular cards). The difficulty with NFC is that here, since you do not hand over your card/phone at any time, any sufficiently close receiver (maybe that heavily jacketed guy who just bumped into you) can instruct your item to, in the worst case, surrender all control. It is difficult to reverse engineer such systems to extract value from

this, but it is very possible. It is still a relatively new medium of handling money. Give it time, and we hope that things should change.

 

There it is, then. When you started with this chapter of the FastTrack, you probably did not know much about online transactions. Together we worked hard and tackled loads of jargon, so that you understand everything that went down behind that “your payment is being processed, please do not refresh your browser” message. You are in the loop. You’re in the brotherhood of knowledge. To up the cliche value of the piece, we’d point out that knowledge is power. And liberating as it might be, we all know that with great power comes great responsibility (<3 Spiderman).