
Wednesday, January 8, 2014

How Secure is that Website You're Logging Into?

With a certain retailer's security breach in the headlines recently, we thought you might be interested in a tool for checking the security of the websites behind your online services.




Granted, the security issue that recently made headlines was not online. It happened within the store, right at the cash register. In reality, any time you use a credit or debit card there's a risk. The magnetic stripes on bank cards are conveniently full of information. When a card is used in a point-of-sale scanner, like the one at the cash register, all of the data on it is read. Most of the time, that information is secured and is used only by the business you're purchasing from. But when a breach happens, it makes headlines.

Security risks are a concern no matter how you use your card.  This article is about your online services: your bank, your credit card company, your broker, your insurance company or any website that requires you to log in.  This past holiday season, more purchases were made online than ever before in history!  It seems the trend will only increase.  So how secure are those websites you use and log in to? 


You can check one aspect of the security of those websites yourself and it's EASY!


Yep. There's a tool that will tell you in a few seconds how secure a website is before you enter personal information into it. It's a free service from Qualys SSL Labs. Bookmark this site.




Simply go to their site, enter the web address (domain) you want to check in the space provided and press submit. In a few seconds (depending on your internet speed), you will receive a report card on that website's level of security. Based on the score, you can then decide whether you want to continue doing online transactions there. The report gives you a breakdown of where the security issues are (if there are any), and although you may not understand those details, you will understand that there are risks and you'll appreciate the easy scoring system: A is good. F is what you think it is.

Some websites don't really need to be all that secure because they only present information. Take www.va.gov, for example. It scored an F. Its certificate was not signed by a standard provider, so its integrity could not be verified. You would think that could be really bad, except there are no input fields where they gather info, other than the optional email address to subscribe. So the F is really not all that important. However, if you were relying on the site for some important information, you might want to get a second source to verify what you read there. Without a verified certificate, an attacker could pretend to be the www.va.gov site and present its own version of the data.

By contrast, look at www.vabenefits.vba.va.gov. It is a site where veterans apply for benefits and are required to input personal information, so it needs to be very secure. We're happy to report that that site and www.healthcare.gov, the Affordable Care Act website, both scored an A!

When you run this tool against a website, be sure to consider whether that site is a place where you are required to input information or whether it is just informational. Any site that has a "login" feature on it should be very secure.

If you run this tool against your bank or other online service that requires your personal information to be entered, and the score is less than a B, we recommend that you contact them and let them know. If they are worth doing business with, they will appreciate that you took the time to notify them of the potential problem and will quickly address it.  I'm sure they'd rather hear of the risk from you than to be the next company in the headlines because of a security breach.


Useful, but not the whole story


Here is some technical stuff. While a good grade from the Qualys tool is a good sign that the online service cares about security, it is not the whole story. The tool examines the security of only one piece of technology, the SSL configuration. Most online services are made up of many technologies (e.g., scripts, databases, authentication, etc.), and each of these technologies could have security vulnerabilities. If the SSL configuration is weak, however, it is likely that the other parts have problems. And so you should be wary. But even if the SSL configuration is strong, there still may be problems with other parts of the system.
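
The certificate check discussed above for www.va.gov can also be run from your own computer. The Python code below is an added example, not part of the original article or the Qualys tool; the function names and the example.com placeholder are assumptions, and it checks only whether the certificate is trusted for that name, not the many other tests behind a letter grade.

```python
# Added example: does this computer trust the certificate a site presents?
import socket
import ssl


def make_context():
    """Client settings that reject untrusted or mismatched certificates."""
    # Loads the system's list of trusted certificate authorities and turns on
    # both chain verification and hostname matching.
    return ssl.create_default_context()


def classify(exc):
    """Map a connection error to a plain-language verdict."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted"          # unknown signer, expired, or wrong name
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"   # client and server could not agree on TLS
    return "unreachable"            # DNS failure, refused connection, timeout


def check_certificate(host, port=443, timeout=5.0):
    """Connect to host:port and report whether its certificate verifies."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with make_context().wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "status": "verified",
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "expires": cert.get("notAfter"),
                }
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"status": classify(exc), "reason": str(exc)}


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["example.com"]:  # placeholder hostname
        print(name, check_certificate(name))
```

A result of "untrusted" corresponds to the situation described for the F-graded site: the connection is encrypted, but nothing proves who is on the other end.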

And In Conclusion...


Think about your online security the same way you think about driving.  The other drivers on the road should always be alert and careful.  But you know that's not always the case.  So do your best to avoid a problem, even if somebody else is the one who causes the problem.

Have a secure online day!
 
