6.3 Authentication of information
When I watch TV news, listen to the radio or buy a newspaper I never think to question whether I really am watching ITV, listening to Radio Five Live or getting the Guardian. In each of these cases it is theoretically possible that they are not who they say they are, but the practicalities of performing the masquerade are so complicated that the possibility can be discarded.
With emails and websites it is a very different matter. Indeed, in recent months I have received several emails apparently coming from organisations, such as Microsoft and NatWest bank, which I know were fake. They looked entirely authentic, with the correct graphics, and the first time I received one of these – apparently from Microsoft – at first sight I was taken in. However, from other sources of information I learned that 'scams' such as these were in circulation and Microsoft and the major banks have said that they will never use emails to ask for personal information.
The authentic appearance of the emails was meaningless, since it is almost trivially easy to copy images from websites and paste them elsewhere, such as into emails. Incoming telephone calls are equally suspect, and again there have been cases of scams whereby a caller claims to be from somewhere they are not.
Letters with official documents have in the past been more reliable, since it was difficult to reproduce headed notepaper accurately. It is still possible to generate official documents that are hard to imitate (through the use of watermarks or embossing, for example) but the availability of high-quality colour printers has made it easier to produce official-looking documents.
Suppose you are contacted by email, telephone or letter and you want to check whether the communication is authentic. What could you do?
If you already have a contact number for the organisation that has contacted you, you could call them and ask about it. This only works if you already have a number that you know is correct. Email scams often contain a phone number, but that number is, of course, bogus.
A personal signature on a letter changes the situation, provided you know the signature and can recognise it, and it isn't a photocopy. The signature is the authentication of the letter. Similarly, recognising the voice of someone on the telephone authenticates the call.
Authentication of emails is also possible by the use of digital signatures. A digital signature is a special piece of data which is added to a message. Software on the recipient's computer can analyse the message and the signature and determine whether the message is authentic. Digital signatures only work if your computer already 'knows' about the sender.
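The check described above can be shown in a few lines of Go. This is an added example, not part of the original text: it assumes the Ed25519 signature scheme from Go's standard library, and the sender names, messages and the TrustStore, NewKey, Sign and Verify names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustStore holds the public keys the recipient's computer already "knows".
type TrustStore map[string]ed25519.PublicKey

var ErrUnknownSender = errors.New("sender not known to this computer")
var ErrBadSignature = errors.New("signature does not match message")

// NewKey makes a key pair: the private half stays with the sender.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces the extra piece of data the sender adds to the message.
func Sign(priv ed25519.PrivateKey, body []byte) []byte { return ed25519.Sign(priv, body) }

// Verify is what the recipient's software runs on message and signature.
func (ts TrustStore) Verify(sender string, body, sig []byte) error {
	pub, ok := ts[sender]
	if !ok {
		return ErrUnknownSender // no key on file: nothing to check against
	}
	if !ed25519.Verify(pub, body, sig) {
		return ErrBadSignature // altered text, or signed by someone else
	}
	return nil
}

func main() {
	bankPub, bankPriv := NewKey() // constructed sample sender
	_, otherPriv := NewKey()      // a different party's key
	known := TrustStore{"bank.example": bankPub}
	body, fake := []byte("Your statement is ready."), []byte("Please send your details.")
	sig := Sign(bankPriv, body)
	fmt.Println("genuine:", known.Verify("bank.example", body, sig))
	fmt.Println("altered:", known.Verify("bank.example", fake, sig))
	fmt.Println("impostor:", known.Verify("bank.example", fake, Sign(otherPriv, fake)))
	fmt.Println("unknown:", known.Verify("shop.example", body, sig))
}
```

Only the first message is accepted. The last case is rejected even though its signature is mathematically valid, because the recipient holds no key for that sender.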
The technology of digital signatures can be used to authenticate websites as well as emails. In this case, your web browser checks the certificate of the site. This is usually done automatically, with your browser reporting to you if there is a problem.