This is the second in a series of articles focused on online security written by the team at Floating-Point.
Online contact forms are not a new thing. But how secure are they really? Do you ever wonder if your data, transmitted from the website form you just filled out, is reaching a secure end point? Most times it isn’t secure, because many companies have invested only in securing the data entry step and not the entire process of transmitting your private data.
Let me explain. Most companies already have an SSL certificate (a good start) to encrypt the data you are entering into their online form (which is great if you are sitting on public Wi-Fi at Starbucks and really need the encrypted entry). Unfortunately this doesn’t protect the actual transmission of the data itself, which happens via email submission. The submission is sent in plain text from the web server to the recipient’s email account. And yes, that is completely insecure, because someone nefarious can intercept the message on whatever network the recipient is using.
Unfortunately that won’t cut it these days.
To summarize this point: you absolutely need SSL to encrypt the actual entry of customer data, and if you don’t have it installed we recommend doing so right away, as customers definitely expect it at this point in the game. What we are more concerned about, though, is the next wave of crime, which sees hackers hijacking online forms to carbon copy or intercept the data as it moves from the server in plain text.
How do they do that? Well, it is called a “man in the middle attack” and is predicated on a compromised online form, sometimes even including a fake SSL certificate to give the user false confidence. The form collects a customer’s information and then transmits it to the actual recipient as well as to the bad guys, to be used for nefarious purposes: mainly to steal the customer’s identity or potentially gain access to more of their online accounts. Once they have access to more of the accounts the customer maintains, they can also learn an awful lot about how to further compromise the customer, their family and their friends in the future.
That is not something customers are going to be very happy about if it happens to them, especially if a digital forensics trail leads back to your corporate contact form.
There is hope though, and it comes via PGP technology (most companies have never heard of this). This new security technique allows end-to-end encryption of email communication from a website form to a secure end point in Microsoft Outlook or other certified email software. The implementation involves a private set of keys (so to speak) placed at each end point, so that each end point can “unlock” the encrypted message once it has been transmitted.
In fact, once the web server and the authorized email recipient are configured to handle the secure transaction (with the private keys), they are the only two end points that can ever read the message at all. If you tried to open the email file with any other type of software, it would look something like the embellished image below:
So unless Neo and Morpheus are around (see The Matrix), no one is reading this information but you and the customer you are receiving the secure data from.
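To make the arrangement described above concrete, here is an added example (not Floating-Point’s code, and not the OpenPGP wire format) of the key placement it relies on: the web server holds only the recipient’s public key and can therefore seal a submission, while the recipient’s mail client holds the private key and is the only place the submission can be opened. It uses the Python `cryptography` package with a hybrid scheme (RSA-OAEP wrapping a per-message AES-GCM session key), which is the same structure OpenPGP uses; the function names, the sample form fields and the `relay_can_read` check are all constructed for illustration.

```python
"""Hypothetical contact-form handler that encrypts a submission end to end.

The web server never sees a private key: it only wraps a fresh session key
with the recipient's PUBLIC key.  Whatever mail relay or network sits between
the server and the recipient's mail client sees only the sealed envelope.
Uses the 'cryptography' package; this is the same hybrid structure OpenPGP
uses, not the OpenPGP message format itself.
"""
import base64
import json
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP parameters shared by the sealing and opening sides.
_OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_recipient_keypair():
    """Done once on the recipient's machine (e.g. inside their mail client).
    Only the public half is exported and installed on the web server."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def seal_submission(form_fields: dict, recipient_public_pem: bytes) -> dict:
    """Runs on the web server at submit time. The returned envelope replaces
    the plaintext form fields in the body of the outgoing email."""
    public_key = serialization.load_pem_public_key(recipient_public_pem)
    plaintext = json.dumps(form_fields, sort_keys=True).encode()

    # Fresh session key per message; the public key wraps only this key.
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(session_key, _OAEP)

    b64 = lambda raw: base64.b64encode(raw).decode()
    return {"wrapped_key": b64(wrapped_key), "nonce": b64(nonce), "ciphertext": b64(ciphertext)}


def open_submission(envelope: dict, recipient_private_key) -> dict:
    """Runs in the recipient's mail client, the only place the private key lives.
    Raises if the envelope was sealed for a different key or was tampered with."""
    session_key = recipient_private_key.decrypt(base64.b64decode(envelope["wrapped_key"]), _OAEP)
    plaintext = AESGCM(session_key).decrypt(
        base64.b64decode(envelope["nonce"]), base64.b64decode(envelope["ciphertext"]), None
    )
    return json.loads(plaintext)


def opens_with_key(envelope: dict, private_key) -> bool:
    """True only if this private key can open the envelope."""
    try:
        open_submission(envelope, private_key)
        return True
    except Exception:  # wrong key or tampered ciphertext
        return False


def relay_can_read(envelope: dict, field_value: str) -> bool:
    """What a mail relay or network observer sees is the envelope as sent;
    check whether a customer's field value is visible in it."""
    return field_value in json.dumps(envelope)


if __name__ == "__main__":
    private_key, public_pem = generate_recipient_keypair()
    # Constructed sample submission, not real customer data.
    form = {"name": "A. Customer", "phone": "555-0100", "message": "Please call me about my order"}
    envelope = seal_submission(form, public_pem)
    print("relay sees phone number:", relay_can_read(envelope, form["phone"]))
    print("recipient decrypts to:", open_submission(envelope, private_key))
    other_key, _ = generate_recipient_keypair()
    print("some other key can open it:", opens_with_key(envelope, other_key))
```

The point to check in any real deployment is the same one the code makes explicit: the form handler should be able to encrypt but never decrypt, so a compromise of the web server yields only public key material and sealed envelopes, not customer data.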
Now that is some peace of mind, but how do I implement this?
It’s easy and we can start with a simple shopping list:
- Purchase an SSL certificate and have your web developer install it
- Implement 2-way PGP encryption on all online forms
These two checkmarks on your security list will position your website to securely interact with your customers’ data in these days of growing cyber crime. The more knowledgeable and savvy your customers become, the more they will expect this to be in place, protecting their data on a daily basis. We are happy to assist with the installation of both SSL and PGP encryption technologies, and you can get the ball rolling by contacting Clair Kimmett (Sales & Marketing Director) using our convenient form below.