As more and more people bank online, consumers commonly ask how they can know that the transactions they make online or from their mobile web devices are secure. Most banks assure us that the security technology set in place to protect digital banking makes it just as safe as, if not safer than, banking at your local branch, but recent discoveries demonstrate that some online banking may not be quite as secure as banks once thought.
A Loophole in SSL
Secure Sockets Layer communications, or SSL, is a technology used on many websites where security is necessary, from PayPal to Chase online banking, and it secures your data by using a “handshaking” procedure. It works like this: A client connects to an SSL server, requesting a secure connection. The client presents a list of supported ciphers, of which the server chooses the most secure, and the server sends the client its digital certificate so that the client can confirm the server is who it says it is. Only after this certification handshake process is complete does any secure information pass over the connection. You can tell that you are on an SSL website if the web address begins with “https://” rather than just “http://”.
If this seems complicated, it is, and that is a good thing, as you want there to be absolutely no doubt as to who your sensitive information is being sent to. However, recently a company called PhoneFactor discovered a hole in the technology that allows hackers to intercept communications by posing as a “middle man” between the server and the client, allowing them to inject malware into information that is transferred over the connection. It was discovered accidentally by an engineer who posted the flaw on a message board before realizing how serious it was.
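The client's part of the handshake described above (the cipher list it offers and its check of the server's certificate) can be audited with Python's standard ssl module. This is an added example, not part of the original article, and it does not test for the PhoneFactor flaw; the function names, finding labels, weak-cipher markers and sample offer are assumptions made for illustration.

```python
import ssl

# Assumption: cipher families treated as weak for this example.
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5")

def weak_ciphers(offer):
    """Return names of weak suites in a list shaped like SSLContext.get_ciphers()."""
    weak = []
    for suite in offer:
        name = suite["name"]
        anonymous = suite.get("auth") == "auth-null"   # server sends no certificate
        short_key = suite.get("strength_bits", 0) < 128
        if anonymous or short_key or any(m in name for m in WEAK_MARKERS):
            weak.append(name)
    return weak

def audit_client_context(ctx):
    """List handshake settings that would let a client talk to an unproven server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")   # certificate is never checked
    if not ctx.check_hostname:
        findings.append("no-hostname-check")      # certificate name is never matched
    findings += ["weak-cipher:" + n for n in weak_ciphers(ctx.get_ciphers())]
    return findings

def make_weak_context():
    """Constructed bad configuration: accepts any certificate for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed sample offer, using the same dict keys that get_ciphers() returns.
SAMPLE_OFFER = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256, "auth": "auth-rsa"},
    {"name": "RC4-MD5", "strength_bits": 128, "auth": "auth-rsa"},
    {"name": "ADH-AES128-SHA", "strength_bits": 128, "auth": "auth-null"},
]

if __name__ == "__main__":
    print("default:", audit_client_context(ssl.create_default_context()))
    print("weak   :", audit_client_context(make_weak_context()))
    print("sample :", weak_ciphers(SAMPLE_OFFER))
```

A client configured like the weak context completes the handshake with whoever answers, which is exactly the position a “middle man” needs.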
Patching up the Secure Connection
It will take some time to fix the flaw, and so customers using SSL should be wary of whether or not the secure websites they use are susceptible to hackers. Fortunately, there are many “white hat” hackers who have been exposing these holes to companies so that they can fix them before someone with malicious intent discovers the flaws. The large online security companies like VeriSign have assured the public that they are working on the problem, and that the hole is something that should worry large website operators rather than the general public using these sites. However, it seems like more and more of these SSL holes have been popping up lately as more people use secure sites for their everyday secure transactions, including banking, which makes some banks worry that SSL hackers could become the bank robbers of the 21st century.