Know Your Vendor

Before we venture into the finer technical points, let's talk about web-based commerce in general. As with many technologies, the Internet boom, and the introduction of the web, has created a vast number of new "store fronts" from which goods may be obtained. The barrier to entry for these companies is quite low. When all other things are equal, you should do business with a vendor that you know to be honest and reliable. If you decide to do business with someone you don't know, use the same kind of common sense you've always taken when you're dealing with a new vendor: check references, check terms and conditions, check the Better Business Bureau, and so forth.

A number of groups are starting to offer guidelines for web commerce, and some professional organizations are preparing to "stamp" various websites as bona fide. One of these groups is the American Institute of Certified Public Accountants (AICPA). The AICPA provides a WebTrust Seal of Assurance to any website that meets established criteria based on a review by an AICPA-licensed accountant. More information regarding the AICPA WebTrust Seal of Assurance is available at the AICPA website. It is still too early to say how such approvals will sort out. In order to rely on a seal or logo of approval, you must first understand what criteria must be met in order to receive this designation. Nevertheless, for the near term, when shopping on the web, we suggest you look and ask for vendors' proof of their ethical, secure and well-managed business practices.

Passing Information to Vendors

In any kind of purchase, you provide a variety of information to the vendor. This is still true when you buy something on the web. For many web purchases, you are asked to use a fill-in form on the vendors' website. Increasingly, vendors allow you to send some information via the fill-in form, and to phone in the more sensitive information, in our case, the Procurement Card credit card number. At the point of purchase, you will usually only need to supply the last four or five digits of the credit card number to verify your identity.

Whenever you buy something in the conventional manner, or on the web, the vendor stores all of the information you provide in a database somewhere at their end. Sometimes the vendor will keep your credit card number on their system in case you want to make additional purchases, and you don't have to re-transmit it. The systems that these vendors use are invisible to you, but they are part of the risk equation for web commerce. When dealing with a new, unknown, or "shaky" vendor, it might be worth asking the vendor how they ensure that the information collected about purchasers is maintained in a secure fashion. If they don't have a pretty good answer for this question, you might want to shop around.

Current Technical Approaches to Safer Web Purchasing

The one thing you can say about the risks of web purchasing, and the techniques you can employ to counteract those risks, is that whatever exists today will be very different in three months, six months or a year.

One approach that many vendors have adopted for safer communication on the web is using Netscape's Secure Socket Layer (SSL) technology to encrypt all data that is transmitted from you to your vendor, and back again. This requires an investment at the vendor's end, but it also requires that you run one of many SSL-capable Web browsers. As of today, IS recommends Netscape's Navigator 3.0 or higher, or Microsoft's Internet Explorer 4.0 or higher. One subtle advantage of SSL is that it lets the browser know that the server it's going to is really the server you said and not "the man in the middle." Both ends must be secure, or the conversation will be open to spying eyes. Without end-to-end encryption, Internet sniffers can steal your credit card numbers, or other sensitive information, and use it against you in some way. Neither the MIT network, or the larger public Internet, is physically secure. In fact, electronic eavesdropping is both easy and relatively common in today's environment, especially around MIT. Among the most common threats today are "packet sniffing" tools, which are widely available and impossible to detect. These tools let snoopers capture user IDs, passwords and any other data transmitted across a network. Snoopers can then gain unauthorized access to accounts and files or use your credit card to buy goods.

For some purchases, MIT has established a tighter relationship with a vendor, for example, Office Depot for office supplies or GovConnection for desktop computers. Such partner relationships allow for additional security for purchases by requiring the use of an MIT-authorized web certificate to complete purchases. This gives the vendor additional assurance that the buyer is truly authorized to buy goods with MIT funds.

For more information, see MIT's use of certificates.

Summary

• Whenever practical, use an MIT partner that uses certificates for authentication.
• If you must use a non-partner vendor, patronize vendors who use SSL on their website. If you're using Netscape Navigator, look for a gold key on the blue background in the lower left corner of your browser window. If you're using Microsoft's Internet Explorer, look for the padlock in the lower left corner of your browser window.
• Patronize sites that display a known and accepted logo like the AICPA, but be sure to understand what that logo represents and not just accept it at face value. If the site has not been given some acceptable seal of approval, then be sure to check that they are taking all of the safeguards for keeping customer information safe. Ask if there's a way for you to control how much information is maintained about you and your credit card at their site. Some vendors allow you to delete credit card information after you've completed your purchase.
• If your vendor uses some other form of authentication (plain text username and password, for example), realize that your password can be easily compromised by snoopers using packet sniffers.
• Whenever possible, don't send your whole credit card number over the web. Using SSL reduces the risk of misuse if you must send your credit card number.