Don’t Trust the Padlock with Your Identity

Many of us have been taught that when we’re making purchases online, we should always look for the little padlock icon on the browser’s address line.

The padlock is supposed to indicate that the site is secure and we can send the merchant our sensitive information with peace of mind, since our personal information is secure. Our browsers, too, go to great lengths to alert us when there’s something wrong with the certificate (which is what enables encryption and results in the padlock being shown); if nothing menacing popped up during the transaction, we can rest assured everything is in order.

But, despite the fact that almost all merchants use encryption (when was the last time you bought something and the padlock wasn’t there?), identity thieves and hackers still manage to conduct major credit card breaches from online merchants. So, what does that mean about the trusty padlock? Is it not doing its job?

The Padlock ≠ Assurance

There’s nothing technically wrong with the padlock. Rather, our expectations of the padlock are simply misguided.

The padlock indicates that information moving from the client’s computer to the merchant’s server is encrypted. That’s a good thing. As information passes between the two machines over the Internet—across potentially dozens of routers, links and other networking devices—without encryption there’s the dangerous possibility that someone sitting on the communication lines can read the traffic and easily steal our data. SSL (Secure Sockets Layer), the protocol behind the padlock that encrypts the connection, ensures that even intelligence agencies would find it very difficult to recover the decrypted data by sitting on the communication lines and reading the traffic. However, and here lies the issue, once the information reaches the merchant, it gets decrypted. That’s to be expected, since without decrypting the information the merchant wouldn’t be able to use it. But from that point on, it’s up to the merchant to handle and secure it properly.

If the merchant saves our sensitive information (which most do, so they can do things like issue a refund if needed, or make our future purchases easier and quicker), and if that data is saved unencrypted (which it shouldn’t be, but often is), all a hacker needs to do is break into the website and steal the information, which will be waiting for him in a decrypted, easy-to-read form. In this scenario, which unfortunately happens quite often, the padlock shown on the website didn’t help us much. Yes, the information was transferred securely, but the padlock can’t secure our data if it gets leaked from the merchant. Since most cyberattacks target what’s stored on servers rather than what’s in transit, the padlock has very little ability to truly protect our information. That’s why, in many ways, the padlock icon can be misleading.

So, what can we, as online consumers, do to ensure that the merchants we purchase from are relatively secure, and that they’re storing our data in a responsible manner?

PCI DSS Certification

The best indication that a merchant is secure is PCI DSS compliance. PCI DSS is a standard defined by the payment card industry. Being PCI DSS compliant means that the merchant has a system in place to apply proper patches for vulnerabilities, so the chances of getting hacked in the first place are smaller. It also means that all sensitive data is stored in encrypted form, using strong encryption. So, even if the merchant’s site does get hacked, the stolen information would most likely be useless to the hacker.
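The storage-side difference the two sections above describe, as an added example that is not from the original post: a merchant-side record store in Go that keeps the card number (PAN) encrypted at rest with AES-256-GCM instead of in the clear, and never stores the CVV. The Vault, CardRecord, Store and PAN names are assumptions for illustration, as is the premise that the key is fetched from a KMS/HSM rather than kept beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardRecord: last four digits in the clear, PAN only as nonce||AES-256-GCM ciphertext, no CVV field.
type CardRecord struct {
	Last4      string
	Ciphertext []byte
}

// Vault holds the data-at-rest key, assumed to come from a KMS/HSM and never stored beside the rows.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Store encrypts the PAN so a leaked table is useless without the key; CVV is deliberately not accepted.
func (v *Vault) Store(pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte("pan-v1")) // nonce prepended to ciphertext
	return CardRecord{Last4: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// PAN decrypts a record for a legitimate use (e.g. a refund); GCM's tag check also rejects tampered rows.
func (v *Vault) PAN(rec CardRecord) (string, error) {
	n := v.aead.NonceSize()
	if len(rec.Ciphertext) < n {
		return "", errors.New("record truncated")
	}
	pt, err := v.aead.Open(nil, rec.Ciphertext[:n], rec.Ciphertext[n:], []byte("pan-v1"))
	return string(pt), err
}
```

A caller constructs one Vault at start-up with the 32-byte key and passes only the PAN to Store; the CVV is used for authorisation and then discarded.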

PCI DSS compliant sites often (but not always) add badges to enhance trust. The badge looks like this:

Beware that there are many other security badges merchants often put on their sites. These cover a variety of security issues and do not necessarily refer to the proper storing of sensitive data. For that reason, they may be misleading, just like the padlock.

We’re not suggesting you only purchase from sites with a PCI DSS badge. But, as an online consumer, there are things that you can do to reduce the chances of your information being stolen—especially considering how recent incidents have shown us that many organizations can’t be trusted to protect it.


Take Control of Your Online Security

Perhaps now more than ever, it’s crucial to take a hands-on approach regarding your privacy and the security of your personal data and online accounts (Gmail, Facebook, Dropbox, etc.). Fortunately, you can use a number of freely available tools to help better protect your personal information. Here are a few suggestions:

Get an antivirus solution for both your PC and phone. Check out these recommendations for the Best Free PC Antivirus Software and Top 5 Android Security Apps.

Never reuse the same password across multiple online accounts, and always use strong passwords that include letters, numbers, and at least one symbol.

To keep track of your passwords and keep them safe and secure, use a password manager like PasswordBox.

Use two-factor authentication on all of your accounts to enhance security.

Get LogDog, a free anti-hacking app for Android. It protects your personal data and valuable accounts (Gmail, Facebook, Yahoo and more) and alerts you to any suspicious activity so you can take control of your account before a hacker does. The service can be used across all devices and operating systems, so you’re always protected. Here are the Android and iOS links for you to check out.