A new state of security

Worried about Internet security? You should be. On the strength of recent evidence, the predicted problems of authenticity and transaction security have arrived, writes Dan Sabbagh.

Payment card group Visa recently confessed that in a survey carried out in 12 countries, 47% of the frauds and payment disputes identified were Internet-related.

Prior to that, an impressive stunt saw a fake web page purporting to be a news story from financial wire service Bloomberg claiming that US IT company PairGain was the subject of a billion-dollar takeover. PairGain shares prices rose 30% before the fake was exposed.

In other words, there are times on the Internet when you want to know you are dealing with a real person.

The question is, can these problems be solved? BT, the Post Office and now high street banks all think so, and are stepping in to offer Internet security services.

The Department of Trade and Industry (DTI) is planning a bill which is expected to set the legal framework for licensing of digital signatures.

Representatives of the DTI will appear at this week's InfoSecurity conference in London to brief the industry on their work.

What secure services can customers expect in the future?

John Curran, European vice president of public key infrastructure company Entegrity Solutions, says the security industry is moving away from the days when small companies offered point solutions to hacking and viruses, to a point where it can provide new services.

There are three principal requirements, all of which rely on the intricacies of public key cryptography. They are: confidentiality and integrity (preventing the interception and alteration of communications); authenticity (a proof of who you're dealing with); and non-repudiation (preventing either side from backing out of an agreed transaction).

Organisations can provide some of these services themselves, such as ensuring confidentiality through encryption. However, these are complex to administer and can be outsourced.

Those who do not want to build their own security infrastructure will seek trusted third party (TTP) bodies to authenticate an organisation, endorse genuine digital identification or signatures, and keep note of important transactions.

Organisations offering such services include BT and Verisign. Last autumn Verisign launched Trustwise, which focuses on business-to-business transactions.

The Post Office followed suit in March with ViaCode, a managed encryption and authentication system.

Three weeks ago, it emerged that five high street banks - Lloyds TSB, HSBC, Barclays, NatWest and Royal Bank of Scotland - had begun talks to develop common trusted third party service standards. Non-banking organisations may also participate in the discussions.

One week later, Barclays was one of eight global banks to announce Identrus, a global third party for secure transactions.

Identrus is designed to ensure that participating banks' cryptographic services are interoperable, creating a virtual international secure channel.

It's too soon to know which is the best bet, but customers should have plenty of choice.

Dave Birch, director of marketing at security consultant Hyperion, says companies are likely to segment their supplier bases, and will want different types of security depending on the transaction. 'I don't think banks or anybody will be able to control this market,' he says.

Fortunately, much of the technical complexity of services is likely to be concealed from the end user who buys a complete service. In theory, that should make it easy to change horses midstream and avoid lock-in.

It all depends on the competing services offering interoperability. Identrus acknowledges the principle, but the technical reality is harder to achieve. Businesses have to insist on it, or risk being unable to deal securely with customers using a rival TTP scheme.

The only loser is the government. Originally, it wanted to impose Draconian controls on the use of encryption, but appears to have backed down under industry pressure and is looking only to create a voluntary licensing scheme which aims to set service standards.

If there are no strings attached, the scheme will be influential, but your best guarantee of service quality will probably remain the contract with the trusted third party.