This story was printed from ZDNet Australia.
The upside and downside of online wallets

By Jennifer Lee
December 11, 2000
URL: http://www.zdnet.com.au/news/business/soa/The-upside-and-downside-of-online-wallets/0,139023166,120107505,00.htm


Find out how online wallets can increase consumer security, but also put users at risk of privacy violations.

The holiday season is almost upon us, and many companies are rolling out their best products online. While you're surfing the Web at work or at home, you may feel tempted -- but hesitant -- to order gifts because you've heard all the horror stories about online fraud and identity theft.

In some sense, your online fears are justified. As some Web sites have yet to provide completely secure connections, third parties could gain unauthorised access to your credit card number. In fact, some major Web sites do not validate user input, opening the backdoor to hackers in search of your consumer data. As a result, no Web site is truly safe.

To address your concerns, Yahoo!, Microsoft and AOL have released wallet applications that make online shopping more secure. These online wallets use the Secure Sockets Layer (SSL) protocol, the industry standard for authenticating and encrypting messages between clients and servers. Online wallets operate by ensuring that purchasing activities only occur on servers with an SSL connection. However, keep in mind that they can only offer a relatively higher degree of security.

So if you're a wary user looking to shop safely on the Web, online wallets may help you stop Grinchish hackers from stealing Christmas this year. You may even relish the convenience of online wallets when making several purchases on the Internet. After all, no one wants to worry about sending credit card information to an insecure site, or undergoing the hassle of registering multiple times into separate e-commerce sites.

But be forewarned: The security and privacy problems with online wallets may outweigh their benefits.

SSL protocol

Typing your credit card information into any Web site can be intimidating, knowing that malicious users are lurking around the Internet.

The SSL protocol, originally developed by Netscape, remedies this security issue by encrypting and authenticating the messages exchanged between the client and server. This prevents outside parties from obtaining confidential user information (e.g., credit card numbers).

To ensure a secure shopping session, use a browser that supports SSL, such as Netscape or Internet Explorer. If connected to a secure site, its URL should begin with "https." In newer browsers, you should see a locked key or solid key symbol at the bottom of the page.

SSL Session
What happens during an SSL session? When a user visits a secure Web site, an SSL session begins with a "handshake": The server authenticates its identity to the client. To do so, the Web site's server sends a digital certificate from a trusted third-party organisation to verify its identity. It also sends over cipher settings to communicate privately with the client during the session for added security.

After receiving the digital certificate and cipher settings, the client can authenticate the server -- if authentication fails, the user is notified that the connection is insecure. If authentication is successful, the client sends an encrypted message back to the server using information from the server's digital certificate. Only the server can decipher this message and generate a master secret, which will be used by both parties to encrypt and decrypt messages during the session.

The handshake is complete once both the client and server use the master secret to create session keys, which will monitor closely the date, time, and connection between both parties. Monitoring these activities helps validate the identities of the two parties throughout the duration of the session.

Secure transactions -- with a tradeoff

Online wallets add a layer of security by ensuring your purchasing activities only occur on SSL-enabled Web sites.

In addition, some wallets offer extra security features, which may or may not stop the most persistent hackers. For example, Yahoo! Wallet restricts consumer purchases to its secure.yahoo.com domain and protects your account with a personal security password. AOL Quick Checkout also limits your shopping to its secure domain.
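A check of the kind described above, accepting a checkout address only when it uses https and its host is exactly the wallet's secure domain, is shown here as an added example; it is not Yahoo!'s or AOL's code. The function name, the port rule and the sample URLs are assumptions made for illustration; only the `secure.yahoo.com` domain comes from the article.

```python
from urllib.parse import urlsplit

# Domain named in the article; the allowlist structure is an assumption.
ALLOWED_HOSTS = frozenset({"secure.yahoo.com"})

def is_trusted_checkout_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for https URLs whose host is exactly an allowed host."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https":            # urlsplit lowercases the scheme
        return False
    # Reject user:password@host forms, where the text before "@" can be
    # made to look like the trusted domain.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):            # default https port only
        return False
    # Exact match, never a substring or prefix test: a host that merely
    # starts with the trusted name belongs to someone else.
    host = (parts.hostname or "").rstrip(".")
    return host in allowed_hosts

# Constructed sample URLs
SAMPLES = [
    "https://secure.yahoo.com/wallet",
    "http://secure.yahoo.com/wallet",
    "https://secure.yahoo.com.shop.example/wallet",
    "https://secure.yahoo.com@shop.example/wallet",
    "https://secure.yahoo.com:8443/wallet",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_trusted_checkout_url(sample), sample)
```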

Using online wallets for increased security, however, may force you to give up consumer privacy. Microsoft Passport alone has an estimated 100 million consumers in their database, including their names, credit card numbers, and e-mail addresses -- valuable information to any e-commerce site (or worse, hackers). While your username and password won't be shared with Passport-affiliated sites, your e-mail address will be shared whenever you log in to a Passport site.

Microsoft's privacy policy claims members control their identities by choosing which sites they log in to, as well as choosing what information to divulge in their Passport profiles.

In addition, Microsoft admits that sending e-mail on the "behalf of participating Web sites" is fair game. Microsoft also states that it will occasionally send out members' demographic information, reporting the average age, gender, and other statistics, to its participating Web sites. And according to its fine print, Microsoft can rightfully send you promotional e-mails from its merchant sites as part of its service.

Microsoft also sneakily shares your Passport profile with all of its owned sites. If you enter any part of Microsoft's MSN network, you will be automatically signed in, and your Passport profile (excluding your wallet information) will also be shared with each area of MSN. Imagine the worst case scenario where a Passport user unwittingly traipses through Expedia for airline tickets, then Money Central for retirement planning tips, and finally, to Slate for the latest politics headlines. Your Web surfing habits, future potential plans, preferences, and profile are now compiled into a large information network managed by, of course, Microsoft.

Even if you are outside of Microsoft-owned sites, choosing the automatic sign-in option to Passport will share your profile with every Passport-affiliated site you visit. Microsoft claims it's up to you to check out every site's privacy policy before choosing the automatic sign-in to Passport.

Are online wallets worth the risk?

AOL and Yahoo! Wallet pose less of a risk in privacy, since their wallets work only on their online stores.

AOL stands behind its consumer privacy policy, and offers digital wallets as a consumer benefit. However, privacy is still an issue with all three wallets, because they connect your personal profile with your shopping habits.

When shopping, keep in mind that online wallets offer a level of added security. No Web site, even a secure site, is impervious to hackers. In addition, your privacy is also at risk when you shop on the Internet, even while using an online wallet: Regardless of whether you actually purchase an item or not, your fingerprints are on everything you "touch" online.

By using an online wallet to manage your online shopping, you may actually be putting yourself at more risk of privacy violations.

More information on online wallets:

How to use AOL Quick Checkout
Secure your shopping through AOL Quick Checkout even if you're not a member of AOL

How to use Microsoft Passport Wallet
Avoid the hassle of signing in to separate e-commerce sites with Microsoft's Passport Wallet

How to use Yahoo Wallet
Make online shopping a cinch with Yahoo Wallet's security and convenience features.
