The SmartSwipe Online Security, Shopping and Technology Blog

People often wonder how it is that we can release a secure credit card reader that encrypts (or scrambles) your credit card information as you swipe your card, but which also works at any website. Doesn’t the website need to be able to decrypt (or un-scramble) the information before completing the purchase? How is this possible?

It’s a good question. On the surface, it seems utterly impossible - hence the reason nobody has done it before. And, believe me, there were times in development where we did think it might be impossible, but either through insanity or genius (I’d like to think the latter, but probably a little of both), we forged on, believing we could solve a problem that people thought was unsolvable. Turns out that we did. And here’s how we did it:

Seems like Symantec themselves are saying that anti-virus software isn’t enough to protect against modern threats…

http://www.symantec.com/en/au/business/library/article.jsp?aid=a_closer_look_at_endpoint_security

Swiping your credit card at your PC. It’s so simple - why hasn’t anyone thought of this before?

Actually, they have been trying to do this for a long time. Dig hard enough and you’ll unearth the remains of a number of “secure credit card reader” devices for personal use, some dating back as far as 10 years ago. And they’re still trying to do it - there are dozens of companies out there trying to develop all sorts of neat little gadgets for secure online shopping (some of which are pretty dubious in terms of security). But nobody’s ever been able to make it fly. Why not?

Given that this is the SmartSwipe blog, I found it somewhat comical that there were no posts under the “SmartSwipe” section of our blog, so I’ve decided to take the first step and change all that.

For all those of you who are scratching your head wondering how the SmartSwipe works, this article is for you. In these articles, I plan on giving away the secrets of the SmartSwipe. Yep, that’s right. I’m putting them out there for everyone to see.

I’m less irked, but still irked nonetheless.

I’m talking about the frequent guarantees, usually in the form of snazzy-looking icons, that are plastered all over online shopping and banking websites. Things like “Guaranteed 100% Secure Transaction” , “Safe Shopping Guarantee”, and “Checked to be Hacker-Proof”. All wonderful little techniques designed to instill confidence in the online shopping process that the site is secure and it’s safe to shop or bank there. The problem is that they cannot make such a guarantee.

Being a security guy, I’m quite cautious about my internet usage.  I always run anti-virus software.  I never open email attachments or links.  I’ve got a keen eye for spotting scams and malicious software.  I never download anything off the net without running a comprehensive anti-virus scan on the file before touching it.  I always do my security patching, and I stay away from questionable websites.  I arrogantly assumed that I wasn’t the guy that would get infected with malware.  That happens to people with less expertise; with less training; with less diligence.  Boy did I get a rude awakening.

Well, the other day, I navigated to a perfectly legitimate website that, as I found out later, was hijacked.  I navigated to the site, and only a few seconds later noticed my hard drive was spinning with activity, which I found strange.  I hadn’t downloaded anything.  I hadn’t clicked on anything to cause such activity.  But something was happening, and I knew it wasn’t good.  A couple of seconds later, my fears were confirmed:  my anti-virus software popped up saying that it had detected a virus.  The problem is, it was too late. 

Yesterday I blogged about fake security products and scareware.  Today, I’m taking it a step futher and throwing down the gauntlet against useless security products.

As part of our competitive intelligence, we often stumble on to security products that claim to be designed to protect the home consumer from a variety of security problems.  I’m not talking about anti-virus software or security suites, which serve valid purposes and for which I have all the respect for in the world.  I’m talking about the gadgets and add-ons people can buy online or in their local stores that promise “security for online shopping” or “security for online banking” while providing nothing of the sort.  Well, I shouldn’t say “nothing” – they do provide protection against a very small subset of the attacks that are out there, but these attacks are typically quite rare, and these products are often quite vulnerable to all sorts of other attacks, many of which are far more common.  It’s like buying a fence where the boards are spaced too far apart.  They may keep out the tigers, but they won’t keep out the dogs.  And what are more common, dogs or tigers?  Personally, I’d rather have a fence that kept out dogs than tigers, because the chances of me running into a tiger are pretty slim.  And if the fence is marketed as a “fence that keeps out wildlife”, that’s when I have to take a stand.

Yesterday's post referred to an article that contained an interesting quote: "The sheer magnitude of the issue of data security has rendered antivirus programs obsolete and ineffective. As such, no single technology can successfully serve to safeguard the network from the multi-dimensional nature of the menace of cyber crime."

Anti-virus software ineffective? Isn't that a little bold? Well, believe it or not, it might actually be true.