News24

E-commerce security flaw found

2012-02-16 14:00

San Francisco - Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting digital information worked properly 99.8% of the time, meaning that two out of every 1 000 "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and European researchers led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every 1 000 RSA moduli that we collected offer no security."

Online rights champion Electronic Frontier Foundation (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of computer servers using encryption keys offering no protection.

Comments
  • ludlowdj - 2012-02-16 14:31

    Well this is nothing new, I have been told by leaders in the encryption industry that very few systems on the international scene are really as good as they are said to be, The FBI and CIA were both apparently involved in the release of the original 128 bit encryption system which was dumbed down at their instructions so that they would be able to intercept and decrypt encoded information.

  • Mark - 2012-02-16 15:35

    "Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF." - Please learn what Man-in-the-middle attacks are before you confuse it with phishing.

  • Brainbow Gold - 2012-02-17 04:06

    If there is a door it exists and can therefore be opened...

  • pages:
  • 1