IF YOU have ever bought anything online or used an Internet bank, you might have been running more of a risk than you bargained for. That鈥檚 the conclusion of a new report which found that one in five e-commerce websites claiming to be secure is actually vulnerable to hackers.
The study, carried out by Cambridge-based electronic security company N-cipher, examined 137,000 of the 140,000 websites purporting to use 鈥渟trong鈥 encryption to make either online transactions or remote access to company computers secure.
The report found that 19 per cent of them were using short encryption keys, which can be broken relatively easily. In Britain, just under a quarter are using short keys, and things are even worse in France: 41 per cent use short keys. In the US, the figure is 15 per cent, but this still means more than 12,000 sites there are insecure.
Advertisement
Making a transaction or checking your bank balance online on an insecure site makes confidential information vulnerable to hackers. 鈥淭his sort of attack is particularly pernicious because you can鈥檛 tell when it鈥檚 taken place,鈥 warns Nicko van Someren of N-cipher.
Generally speaking, the longer the key, the more difficult it is to break, says van Someren. His definition of 鈥渟hort鈥 in the study is anything less than 900 bits, but in fact most of these sites are using keys of 512 bits or less. Among them are Barclays Capital, Royal Bank of Scotland, British Airways Travel Shops, the US First National Bank and Trust, and Royal Bank of Canada.
Just a few years ago, 512-bit keys were safe and could only be broken using supercomputers. But processor speed has improved so rapidly that this can now be done using off-the-shelf machines. 鈥淎ll you need is access to a network of a few PCs or an Itanium chip,鈥 says van Someren.
He recommends that organisations switch to 1024-bit keys. But why haven鈥檛 they done that already? He blames it on apathy, and the assumption that these sites must be safe. 鈥淧eople operate on the basis, 鈥業f it ain鈥檛 broke, don鈥檛 fix it鈥.鈥