How secure are my secure internet transactions?

Yesterday I opened a mutual fund account. I’ve never been crazy about electronic transfers of money, at least not the kind where you hand your bank account number to the recipient and they “pull” money from your bank account. So I chose the option that allowed me to mail in a paper check. In spite of that, I filled out the mutual fund account application (name, address, SSN, etc.) online and submitted it electronically.

And suddenly I’m wondering, how secure is it to be sending stuff like this online? I used Internet Explorer version 8, whatever the default encryption level is. Assuming someone were actually eavesdropping on my internet traffic, what kind of computing power/time would it take to crack the encryption and extract sensitive info (like my SSN)?

Along the same lines, how secure is the e-filing of income tax returns? When I do my own taxes using tax software and then e-file, the info doesn’t appear to go through my web browser (unless the tax software is somehow using it in the background). I assume my e-filed return first goes to the tax software people, and then to the IRS. How secure are each of these steps? Are there documented cases where e-filed tax returns have been intercepted by identity thieves?

Short version: Brute force decryption will take forever. More attackable flaws exist, but they’re generally not a big deal. In day-to-day usage, HTTPS via a recent version of TLS is generally considered “safe enough”, to the point that it enables the vast majority of online commerce.

Nonetheless, there are many other methods by which your information can be stolen. You should exercise good online hygiene with respect to spyware, viruses, phishing sites, etc. And only deal with reputable, established organizations that would conceivably have good security practices in place on their end.

And sign up for a credit monitoring thing :)

ETA: Third-party tax software, on the other hand, is more of an unknown as compared to browsers whose security features are tested daily by millions, attacked by hundreds, and reported by dozens. Still, one would hope they implement strong security practices…

Long version:

The answer’s complicated because there are different ways people could potentially steal your information.

  1. When you visit a secure site that uses HTTPS instead of HTTP (alternatively indicated by a padlock, a different-colored address bar background, etc.), the information you send is encrypted before being sent over the Internet. This encryption is usually considered too difficult to crack by today’s computers via brute-force approaches. I’ll leave the math to someone who understands it better, but Wikipedia seems to suggest that the universe will be old and gray by the time it succeeds.

(Bad analogy time: This is like you trying to decode a foreign-language conversation between Robert and Allison, without any guidance whatsoever, by blindly guessing the meaning of their sentences out of a possible 100 trillion trillion trillion combinations.)

  2. Browsers occasionally suffer from implementational flaws that may theoretically weaken their encryption methods, but those concerns have thus far been more academic than practical. Despite occasional bugs, the encryption provided by modern browsers is generally considered “safe enough” by the vast majority of people and companies – to the point that many (if not most) American banks are willing to subsidize online fraud as a cost of doing business and do not hold their customers liable for unauthorized online transactions (or, alternatively, hold them liable for only $50 max).

(Analogy: You discover that certain sounds are constantly repeated in their conversation and you manage to map out some vowels and simple words like “I”. This makes it somewhat possible to start to decode their conversation, but it still isn’t trivial.)

  3. A rare, but not unheard-of, situation is where a company’s website and/or internal servers get hacked after you’ve submitted the data to them. Attackers then have free access to the information, which may or may not remain encrypted.

(Analogy: You follow Robert home and steal his diary, in which he recorded the day’s conversations in plain English.)

  4. Similar to the above, sometimes you can simply weasel your way into a situation, “hacking” or social engineering the people instead of their computers.

(Analogy: You follow Robert home, pretend to be a new neighbor, get friendly with him and ask him all about Allison.)

  5. Phishers can make fake websites and get unsuspecting people to simply hand over their information.

(Analogy: You dress up like beautiful Allison and whisper sweet nothings to Robert until he tells you everything you want to know.)

  6. Spyware and viruses can record everything you type before it ever gets encrypted.

(Analogy: You sneak into Robert’s home and plant bugs everywhere and listen from outside. He speaks in plain English at home and you can hear everything he says.)

Outside the browser, such as with special tax software, it really depends on how the programs were written. If the programmers were smart, they’d use similar security methods as the browser (or perhaps even use the browser itself behind-the-scenes). I imagine any banking and tax apps from reputable vendors would have security as a pretty high concern. If you want to test them for yourself, a tool like Wireshark will let you see all the data going through your Internet connection.

In summary, I wouldn’t worry about #1, but I probably would about the other things.

What I would like to know is how the sender and the receiver get the “key” to unlock the encryption. If it is different every time, then they both need that info to decrypt. If it is not, then it will eventually be broken.

So that means to me that the “key” will be sent/received during the transaction, which puts it somewhere that a hacker has a chance to intercept. How do they protect the key?

Public key cryptography

A non-computer explanation of public key is this:

Suppose you have a box you want to send securely. You put two padlocks on it. One has a key you keep to yourself. The other has a key that anyone can use to open (“public”). You mail this to your friend.

Your friend opens the public padlock with his public key. He then puts his own private padlock in its place. Only he has the key. He sends it back to you.

You use your private key to open your own private lock. You put the public padlock on it. Now it has two locks: one public, and one with your friend’s lock. You send the box back to him.

He opens the box, using the public key and his own private one.

Having the public key isn’t good enough to open both locks. You need to have both keys if you intercept the box.

Of course, this is done with large numbers instead of locks, but the basic principle applies.

In computing, https is secure to protect data in transit. It’s much easier for people to attack the website that holds the data. Not only that, but you gain access to multiple accounts, not just one transaction. Thus, no one really tries to crack the https encryption – too much trouble for too little reward.

Thanks! I love that explanation :)

I think it’s a slightly confusing explanation, because you don’t actually need the public keys at all in that scenario. You lock the box with your private padlock and send it to your friend. He then adds his own private lock and sends it back. You remove your lock and send it back to him. He removes his lock and opens the box.

Public keys work more like locks with two different keys. If you lock it with key A, only key B can open it, and vice versa. You keep key A private and make key B public.

Or even more straightforwardly, think of the public key as the open lock. You ask your friend to send you his open lock; you slap it on the box and now only he can open it when you send the box in the mail.
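
The exchange in the post above (lock the box, friend adds his lock, remove yours, he removes his) is known as Shamir's three-pass protocol. As an added example that is not part of the thread, here it is in Python with modular exponentiation as the padlock, next to an XOR variant showing that a lock which can be removed in any order is not automatically safe. The modulus, the function names and the sample secret are constructed for the demo.

```python
import math
import secrets

P = 2**127 - 1  # constructed demo modulus (a Mersenne prime); real systems use vetted parameters

def make_padlock(p=P):
    """One private padlock: exponents (lock, unlock) with lock*unlock = 1 mod (p-1)."""
    while True:
        lock = secrets.randbelow(p - 3) + 2
        if math.gcd(lock, p - 1) == 1:
            return lock, pow(lock, -1, p - 1)

def three_pass(secret, p=P):
    """Return (value the friend ends up with, the three values seen in the mail)."""
    if not 1 < secret < p:
        raise ValueError("secret must be between 2 and p-1")
    my_lock, my_unlock = make_padlock(p)
    his_lock, his_unlock = make_padlock(p)
    trip1 = pow(secret, my_lock, p)      # I lock the box and mail it
    trip2 = pow(trip1, his_lock, p)      # he adds his lock and mails it back
    trip3 = pow(trip2, my_unlock, p)     # I take my lock off; only his remains
    opened = pow(trip3, his_unlock, p)   # he takes his lock off
    return opened, (trip1, trip2, trip3)

def xor_three_pass(secret, bits=128):
    """Same exchange with XOR as the 'lock': locks commute, but the mail leaks the secret."""
    mine, his = secrets.randbits(bits), secrets.randbits(bits)
    trip1 = secret ^ mine
    trip2 = trip1 ^ his
    trip3 = trip2 ^ mine
    opened = trip3 ^ his
    leaked = trip1 ^ trip2 ^ trip3       # computable by anyone who read all three trips
    return opened, leaked

if __name__ == "__main__":
    secret = int.from_bytes(b"session key 01", "big")  # constructed sample secret
    opened, mail = three_pass(secret)
    print("friend recovered secret: ", opened == secret)
    print("secret visible in mail:  ", secret in mail)
    print("XOR variant leaks secret:", xor_three_pass(secret)[1] == secret)
```

Nothing in the exchange shows whose second lock came back on the box, which is why HTTPS pairs its key exchange with a check of the site's certificate.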

The bottom line to being safe is
  - Always check the padlock next to your URL (locked = secure, unlock = not) before you log in or enter sensitive information like your SSN, credit card number, etc.
  - Avoid using a wifi connection, especially a public one like a library or web cafe. The public wifis are usually unsecured and could be listened to.
  - Do not allow sensitive information to be stored on your computer without encryption.
  - Always run an Anti-Virus and Anti-Spyware.
  - Pay attention to what you click. Watch the status line in your browser to see where a link will take you. The link could take you to a false site that harvests CCNs.
  - Use common sense when on the Internet.

Also, according to irs.gov, “The IRS e-file system has never had a security breach”.

I will just add here that all you need to steal a check from the mail is a job at the post office. I prefer encrypted online transactions. (Once my mom sent me a Best Buy gift card for my birthday and it was stolen by a postal employee, who was later arrested after he was caught on video using the card.)

Add one more to RealityChuck’s explanation: Somebody has to be sniffing your packets at the exact moment of your transaction in order to apply the tools required, to break the encryption, to extract the details and rob you blind. Unless you’re a big name making it worth the effort, we’re talking tens of millions (and then some) packets to sniff and collect. Their ROI (return on investment) has to be sufficient to make it worth their while to attempt it in the first place.

Reply mentions keyboard sniffers which I think may be a big problem (although I have no statistics). I’ve wondered if many public-access or Internet-cafe machines have such sniffers installed, either by the owner or by a criminal customer passing through. Since these get your keystrokes before any encryption, they can get your typed cleartext, e.g. password.

I try something to foil such sniffers; I hope experts will tell me if it really works or not. When typing in my bank account password I introduce extra keystrokes by going to another window. For example if my password is “1234” I might type “1\*ab\*23\*c\*4”, where each “\*” involves moving and clicking the mouse to change windows.

It depends on how the keylogger works. Some of them log only keystrokes; others record mouse movements as well. If they had all the same programs on their computer and simply played back everything you did, mouse included, they’d end up with the abcs in the other window and the 1234 in the password window, just as you did.

How does something logging mouse movements know where the pointer started its motion? I mean, mice say move up or left so many units, they don’t say go to a certain location. What the move should look like depends on where you start. For that matter it depends on how big the window is on your screen, and where it opened. And what the mouse preference settings are. And whether your system relocates the pointer during certain operations.

They can take screenshots every few seconds, allowing you to see where the mouse pointer was most of the time, or what field was filled out first.

Programs like Spector are very powerful and effective. I have seen them in action; it’s frightening, it’s literally like being able to read people’s minds, seeing what they type when they think nobody else can see.

Yeah, screenshots like drachillix mentioned are one method. Some programs also just record “user switched to the window called INTERNET EXPLORER, then clicked on the form field called PASSWORD, then typed in 12, then switched to the window called NOTEPAD and typed in ab, then switched to INTERNET EXPLORER and typed 34”, etc.

The point is that while there are certainly things you can do to try and work around keyloggers, keyloggers can also try to adapt. Don’t enter your password on a system that you don’t trust.

You (and everyone else) are in a tough spot with security. Assuming you are talking about enough money to make the theft worthwhile to someone, they would steal your identity, intercept your network traffic, pretend they had lost the password (or key), get a new one, and take everything. If they intercept your physical mail as well along with your phone number, you won’t know you’ve been robbed, they’ll make you think you’re making a fortune if you keep sending more money, and grab that too.

And this is better/different how? What is it about mailing a paper check that isn’t handing your bank account number to the recipient and they “pull” money from your bank account? You do know your bank account number is printed on your paper check, right? And that’s not to mention your bank routing number, current check sequence number, full name and address.

I agree with the other posters that the portion of the transaction between the cable coming out of your computer to the server on the other end of the Internet (assuming HTTPS) is the least of your concerns. The security of your PC (from trojan keyloggers) is likely the biggest security hole. And how well the data behind the server is secured is the second. For large financial institutions, or credit card processors, you should assume they will do a pretty good job (though lapses do happen).

And while ed malin’s post sounds a bit alarmist, there is certainly truth to it, but in an odd way, it actually adds to your individual security. If there are 100 houses in your neighborhood, all unlocked with the front door wide open, the fact that your house is unlocked but the door is closed makes your house the most secure in the neighborhood, relatively speaking. Criminals don’t like to work hard. They will take the low hanging fruit all day long. Just make sure you keep your fruit a bit higher off the ground. It doesn’t have to be unreachable - just a bit harder to reach than most everyone else’s.

I believe sending a paper check in the mail is significantly more risky.

I was going to make the same comment. I work for a company that provides online account opening and funding solutions (among other things) to financial institutions. The OP’s line of thought just makes me chuckle. You feel safer putting a piece of paper which contains in clear text your name, address, account number and ABA/Routing Number, in the mail where it will be handled by multiple people you do not know and never see? Setting aside possible theft in transit, once it arrives at the financial institution it will be handled by more people working entry level jobs, who will facilitate the deposit transaction.

No, sorry but give me electronic and the security controls around that any day of the week.

MeanJoe

I think that you’ll find that you’re wrong. Horror stories abound about people getting their bank accounts cleaned out thanks to mistakes in an automated bill payment, and getting your money back after the biller has their hands on it is quite a difficult proposition.