Internet code deemed vulnerable to hackers

ATLANTA (Reuter) -- The new security protocol for safeguarding credit-card transactions on the Internet may have to be changed because the underlying cryptography is too easy to decode and too difficult to upgrade, an expert said Wednesday.

Steve Mott, senior vice president of electronic commerce and new ventures for MasterCard International, said it could take hackers as little as a year to break the industry's standard encryption code, which is supposed to render credit-card numbers unreadable to outsiders on the Internet's World Wide Web.

For that reason, the consortium of technology companies and creditors that has spent two years developing the Secure Electronic Transaction (SET) protocol may switch to a faster encryption system called Elliptic Curve, which is produced by Certicom Corp.

The first complete version of SET, known as SET 1.0, will be available to software makers June 1 with core cryptography provided by RSA Data Security, a unit of Security Dynamics Technologies Inc.

MasterCard has been helping to pair merchants with its own member banks for SET pilot projects in Denmark, Japan, Taiwan, South Africa and the United States.

Mott told a news conference at the Internet Commerce Expo that the Elliptic Curve encryption system would make a better encryption core. In fact, he said, it would have been chosen in the first place if developers had known about it.