Tuesday, May 8, 2007

Protecting Consumer Data Online

Over the past few months, we've been keeping a close eye on some of the widget releases from security and financial firms, and some of the web forms associated with account acquisition as well.

We've come across several widgets that feature architectures that are vulnerable to trivial modifications from malware. One of the widgets, a login widget produced by a major financial services company, loads its login URL from a location in a text file.

Modifying the URL is easily accomplished, with the result that a hacker could send consumers to a fake login site and easily steal credentials.

We called the company responsible and showed them the issue. They understood the problem and were very responsive to our suggestion that they hash this information and check its integrity using a combination of client-side and server-side technologies.
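An integrity check of the kind recommended above, as an added example that is not the company's or Authentium's code: the login URL is stored together with an HMAC-SHA256 tag, and the widget refuses to navigate when the tag does not verify. The settings format, key and URLs are constructed for the example; a key that ships beside the file only raises the bar, which is why the client-side check is paired with a server-side one (for instance, the server confirming the digest the widget reports against the known-good value).

```python
import hmac
import hashlib
from typing import Dict, Optional

# Constructed for this example: a real widget would keep the key inside its
# signed code, never in an editable text file next to the settings.
WIDGET_KEY = b"example-widget-key-not-for-production"


def _parse_settings(settings_text: str) -> Dict[str, str]:
    """Parse 'key=value' lines (hypothetical settings-file format)."""
    fields: Dict[str, str] = {}
    for line in settings_text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def _tag(url: str, key: bytes) -> str:
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def write_login_settings(url: str, key: bytes = WIDGET_KEY) -> str:
    """Produce the settings text: the login URL plus an HMAC-SHA256 tag over it."""
    return f"login_url={url}\nmac={_tag(url, key)}\n"


def trusted_login_url(settings_text: str, key: bytes = WIDGET_KEY) -> Optional[str]:
    """Return the login URL only if its tag verifies; None means do not navigate."""
    fields = _parse_settings(settings_text)
    url = fields.get("login_url", "")
    expected = _tag(url, key).encode("utf-8")
    supplied = fields.get("mac", "").encode("utf-8")
    # compare_digest runs in constant time, so a wrong tag leaks nothing about
    # where it differs from the expected one.
    if hmac.compare_digest(expected, supplied):
        return url
    return None


def with_url_replaced(settings_text: str, new_url: str) -> str:
    """Test helper: rewrite only the URL line, i.e. an edit made without the key."""
    lines = [
        f"login_url={new_url}" if line.startswith("login_url=") else line
        for line in settings_text.splitlines()
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = write_login_settings("https://login.bank.example/")
    print("intact  :", trusted_login_url(good))
    edited = with_url_replaced(good, "https://login.bank.example.attacker.invalid/")
    print("edited  :", trusted_login_url(edited))  # None: tag no longer verifies
```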

The issue of what to do about protecting data collected and submitted via web forms is equally in need of a security makeover.

As I pointed out in my recent blog post about the FTC's poorly conceived identity theft report process (FTC Identity Theft Form a Keylogger's Paradise), the idea of using a web form to aggregate social security numbers, names, addresses and other personally identifying data from consumers needs to be reviewed by financial services firms and, now that tax time has come and gone, by online tax filing companies.

What can be done to improve data collection processes and protect consumer data? Authentium has developed a technology that enables data collected via a web form, such as tax or financial information, to be aggregated using a normal browser and submitted safely to the target database, without threat of interception or "man in the middle" attacks, or attacks from keyloggers.

It may take an attack of some size, or simply the reaching of a tipping point, for this technology to become mandated, but the facts are clear: there is a growing problem, a better technology is available to protect consumers than the processes currently in use, and consumers deserve better protection for their data.

1 comment:

Anonymous said...

I think this technology should be used in home anti-keylogging products like the one listed on anti-keylogger.org to exclude the possibility of being robbed with the help of keyloggers...