According to new research conducted by University of Massachusetts Amherst computer scientist Kevin Fu, a confluence of factors, including the widespread use of cookies and demand for quick and easy transactions, results in websites that are often insecure.
"Much web security rests on illusion and hope," said Fu. He noted that most web users have heard of cookies, the small data records a web server sends to a browser so that it can recognise the same user on a later visit, but warned that few understand the security risk they can pose.
"Cookies are insecure, no matter what you do," said Fu. He went on to concede that cookies "aren't that dangerous" when used for things like storing preferences on personalized web pages, but argued that their use to authenticate online shoppers can be much more problematic.
It's these so-called "authentication cookies" that are often exploitable, said Fu. The academic's research finds that someone who has collected a series of cookies from a hard drive can look for a pattern in their values and work backwards to the algorithm that generated them, which is what makes such cookies exploitable. "It's the kind of thing a bored teenager could do in a few hours," claimed Fu.
Fu believes that the best login methods do not employ cookies at all, but use SSL client certificates. But, according to the academic, retailers do not deploy client certificates because they want to offer quick, easy shopping. "Cookies get the most sales in the shortest time, and if no one is attacking, they work just fine," he argued.
Despite these reservations Fu said he shops online himself: "There isn't much of an alternative for consumers. Even if you shop by phone, the attendant often enters your data on the same web page you are trying to avoid."