Practical guide for secure Christmas shopping
Navid

CONTENTS
1. Introduction
2. Internet risks: Threats to secure transactions
3. What criteria should a secure e-commerce page meet?
4. What security measures should users adopt?
5. Conclusions: Practical tips for secure transactions on the Internet

1. Introduction

More of us now look to the Internet to find that original Christmas present to give to friends or family. The Web is now like one big department store where you can find everything you want, often at the most competitive prices. In Spain alone, online transactions during 2007 were worth 3,740 million euros, over 50 percent more than in 2006 [1]. For 2009, the Forrester consultancy forecasts worldwide growth in online transactions of 12.2 percent [2].

Cyber criminals do not usually attack companies directly, but rather concentrate their efforts on the weakest link in the chain: the user. It is easier to get confidential data from an individual's PC than to hack a server to steal a database, or to intercept communications that are usually encrypted.

Here we will look at the threats to users on the Internet and the security measures that online businesses and users alike should implement to make online transactions as secure as possible.

2. Internet risks: Threats to secure transactions

Banker Trojans: These malicious codes are designed to steal users' bank details. They are often spread as attachments to emails, disguised as legitimate downloads in P2P programs such as eMule or Ares, downloaded from Web pages, etc. Generally they operate silently and without affecting system functionality, so that users are unaware that their computers are infected. Then, when users visit their online bank, these Trojans capture their login details, passwords, etc.
For more information about this threat, go to: http://www.pandasecurity.com/homeusers/security-info/classic-malware/trojan/

Spam: Spam is essentially junk mail, i.e., messages sent indiscriminately to our mailboxes from senders we don't know. These messages normally advertise some type of product. No matter how attractive the offer, the fact that it comes from an unknown source should arouse suspicion. How can you know that the vendor is genuine? How do you know it is not a fraudster who will never send the goods? Or worse still, what if the spam is designed simply to capture your bank or credit card details? And even if you were to receive the products, they could be dangerous or faulty.

Phishing: Another type of junk mail is phishing, which as a general rule appears to have been sent by a bank or other financial entity. These messages typically claim that, due to some kind of technical problem, you have to reconfirm your login details on a page they link to. According to the Center for Interbank Cooperation Group (CCI)-IT Security, online bank fraud is currently increasing by between 10 and 20 percent annually.

Fake Christmas cards: A classic ruse for spreading malware over the Christmas period is the fake greetings card. These emails tell users that they can download an online Christmas card supposedly sent by a friend. Anyone who does so actually downloads some type of malware onto their computer.

Fake online stores: These are Web pages set up to look like genuine online stores. They may advertise all types of products and generally offer highly competitive prices to attract users. Once again, they are commonly used to steal the victim's bank details. Needless to say, the products are never delivered.
Spoof online auctions: Another, less frequent, technique used by criminals on the Internet is to post comments on auction sites such as eBay pretending to be legitimate vendors, offering products and inviting users to visit a Web page from which they can buy the item. The aim, yet again, is to steal users' details.

3. What criteria should a secure e-commerce page meet?

Web pages for carrying out online transactions must meet a series of technical requirements to protect users. These are:
- They must guarantee that data entered for the transaction is only accessible to the parties involved. This is done through encryption.
- They must maintain the integrity of the information throughout the operation, so that it cannot be manipulated in transit. This is achieved with message authentication codes and digital signatures.
- Finally, the identity of the seller (and, where required, the buyer) must be verified. Digital certificates are issued for this purpose.
To achieve this, e-commerce security protocols have been developed which meet some or all of these requirements.

3.1. Security protocols

A security protocol is a set of specifications developed to implement security in electronic transactions, ensuring compliance with the requirements mentioned above. The parties involved include the end user, the vendor, financial entities, the company administering the cards and the credit card companies themselves.

The most widely-used system for secure transactions is currently based on the SSL (Secure Sockets Layer) protocol, since superseded by its successor TLS (Transport Layer Security); the "https://" prefix and the padlock in the browser indicate that it is in use. It encrypts the data before it leaves the user's computer and decrypts it only at its destination, so that even if a third party were to intercept the traffic, they would not be able to read it without the corresponding decryption key. In this protocol only the vendor presents a digital certificate to prove its identity; the buyer does not. Note what this does and does not guarantee: the connection is private and the site is the one named in the certificate, but a fraudulent store can obtain a valid certificate for its own domain just as a genuine one can, so the padlock proves who you are talking to, not whether they are honest.
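As an added illustration (not code from the original guide or from Panda Security), the following Python script shows what "the vendor presents a certificate to prove its identity" means on the client side. It builds the TLS client context a shopping or banking client should use, beside the classic insecure variant that "fixes" a certificate error by switching verification off, and audits both. The encryption is identical in the two cases; what the insecure one loses is any proof of who is at the other end. fetch_peer_certificate() is the only part that touches the network and is not run here; the host name in the commented call is a placeholder (an assumption), not a site from the page.

```python
import socket
import ssl


def hardened_client_context():
    """Context a shopper's client should use: system CA store loaded,
    certificate required, hostname checked, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()            # loads the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 are out
    # These two are already the defaults of create_default_context(); set them
    # explicitly so a later "quick fix" cannot silently drop them elsewhere.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_client_context():
    """The classic mistake: making a certificate error go away by turning
    verification off. Traffic is still encrypted, but to whoever answers the
    connection, which is exactly the situation a fake store or a man in the
    middle wants."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of problems with a client TLS context (empty = acceptable)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 allowed")
    return problems


def fetch_peer_certificate(host, port=443, timeout=5.0):
    """Connect with the hardened context and return the verified server
    certificate as a dict (subject, issuer, notAfter, subjectAltName, ...).
    If the chain or the name does not check out, wrap_socket raises
    ssl.SSLCertVerificationError instead of returning anything.
    Needs network access; nothing calls it unless you do."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, "->", audit_context(ctx) or "ok")
    # Network example with a placeholder host (assumption, not a real shop):
    # print(fetch_peer_certificate("shop.example.com")["subject"])
```

The point of audit_context() is that the dangerous setting is two lines away from the safe one and leaves no visible trace in the padlock-less world of a script or an app, so a check on the context itself is the only place it gets caught.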
3.2 Server certification

In addition to using a secure transaction system, any reliable e-commerce business will have a certificate for its servers issued by a recognized certificate authority. In this sense there is not much difference between this and traditional sales outlets: nobody in their right mind would give their details to the first person that tried to sell them something, so neither should you enter data on servers that do not present a valid certificate.

Similarly, companies should take great care to ensure their servers are completely free from viruses and Trojans, to guarantee the integrity of the data stored on them. Some of these viruses and Trojans are dropped on IT systems with the specific objective of opening up vulnerabilities in servers, allowing hackers to take a series of actions including stealing clients' data.

Certificate authorities are responsible for verifying that the party requesting a certificate actually controls the domain name in question (and, for higher-assurance certificates, that the organization behind it exists) before issuing it; they can likewise issue digital certificates to companies or to buyers. There are several certificate authorities; Verisign was the most widely recognized internationally at the time of writing.

4. What security measures should users adopt?

Firstly, make sure there are no active viruses on your PC before you shop or bank online. The most common and also the most dangerous threats are banker Trojans, which lie in wait on systems until users connect to certain bank pages, payment platforms or virtual stores, and then capture the information entered and send it to cyber-crooks. For that simple reason, it is essential to have a fully up-to-date security solution installed.

But that's not all. We are currently seeing a new malware dynamic, in which criminals try to circulate as many distinct variants as possible while keeping each one low-profile. The objective is to go unnoticed by security companies, which therefore cannot neutralize the threats.
For this reason, traditional security solutions need to be complemented with proactive technologies that detect threats by analyzing their behavior, with no need to have identified them beforehand.

It is also a good idea to use 'second opinion' tools. Given the enormous volume of new threats appearing every day, many security laboratories cannot keep up, which means that different antivirus solutions do not all detect the same threats. Because of this, it is highly advisable to scan the computer with a second antivirus that may detect malware the first one missed. Panda Security offers a free tool for scanning PCs, Panda ActiveScan, at: http://www.pandasecurity.com/activescan

Never pay any attention to spam messages. You should also ignore emails claiming to have been sent by a bank, as they will almost invariably be phishing attempts. Remember that no genuine bank will contact users asking them for personal or confidential details. If you have any doubts, before entering any information contact your bank through a number or address you already know and confirm that the message is genuine. Never click on any link that appears in these messages: they lead to spoof pages that have no relation to your bank and exist solely to collect your confidential data.

Before buying from any online store, or from an online auction site, it is a very good idea to investigate the reputation of the site, using a search engine for example. This will help you avoid nasty surprises.

Keep your system fully up-to-date. Operating systems and many other applications have vulnerabilities that hackers can use to get into computers or install malicious code without users realizing. It doesn't matter what the application is: even a security problem in a media player can be exploited by cyber-crooks. The best way to stay up-to-date at all times is to use the update option included with most applications, and to follow the latest security news.
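The phishing warnings in section 2 and the advice above never to click links in such messages can be turned into a mechanical check. The script below is an added example written for this page, not code from the original guide or from Panda Security. It pulls the links out of a constructed sample email (no real bank, hosts or addresses; examplebank.com is an assumed stand-in for the reader's own bank) and flags the tricks fake bank and store links typically rely on: plain http, a decoy name before an "@", a raw IP address instead of a hostname, punycode labels, visible text naming one domain while the link goes to another, and hostnames that contain the bank's name without being the bank's domain. Two deliberate simplifications: the anchor regex is enough for the sample but is not an HTML parser, and registrable_domain() takes the last two labels instead of consulting the public-suffix list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a fake "reconfirm your details" email as HTML. Neither
# the bank nor the hosts are real; examplebank.com stands in for the user's bank.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, due to a technical problem please reconfirm your login:</p>
<a href="http://examplebank.com.secure-login.example.net/confirm">https://www.examplebank.com/</a><br>
<a href="https://examplebank.com@203.0.113.7/login">examplebank.com</a><br>
<a href="https://xn--exmplebank-9xb.com/">Customer support</a><br>
<a href="https://www.examplebank.com/">Online banking</a>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the bank the user really uses

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]*)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})',
                               re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname ('www.examplebank.com' -> 'examplebank.com').
    Simplification: no public-suffix list, so 'bank.co.uk' reduces to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href, visible_text, trusted=TRUSTED_DOMAINS):
    """Return the list of suspicious traits of one link (empty = nothing found)."""
    findings = []
    try:
        parts = urlsplit(href.strip())
        host = parts.hostname or ""
        username = parts.username
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS")
    if username is not None:
        # "https://examplebank.com@evil/..." shows the bank's name, goes to evil
        findings.append("credentials/decoy before '@' in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in hostname")
    # Link text that looks like a URL or domain but points somewhere else
    shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", visible_text))
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append("visible text shows a different domain than the link target")
    # Bank's name used as a subdomain or look-alike of a domain it does not own
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host and registrable_domain(host) != domain:
            findings.append("looks like %s but is not" % domain)
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, findings)] for every link in the message, in order."""
    return [(href, analyse_link(href, text, trusted))
            for href, text in ANCHOR_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML):
        print(("SUSPICIOUS " if findings else "ok         ") + href)
        for finding in findings:
            print("   -", finding)
```

Run on the sample, three of the four links are flagged and only the genuine banking link passes; the same analyse_link() can be pointed at any href/text pair a mail client exposes.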
Never run files that are not from reliable sources, such as attachments to suspicious emails or downloads from dubious Web pages. Remember you could be installing a virus on your computer.

Never pay anything unless you are completely sure. Remember that fraud on the Internet is more common than you might think. You wouldn't be the first person to buy a latest-generation cell phone and receive a box of stones instead. If bidding for an item on an auction site, beware of anyone who contacts you claiming to be the vendor and making you an offer, with the excuse of speeding up the sale.

Never send confidential data via email. People believe this is more secure than using an online form, but it is not: emails can be intercepted and are not normally encrypted.

Trust your instinct. The appearance of a Web page is often a good indication that it is not secure. If in doubt, search the Web for positive references. If you find nothing, either good or bad, take it as a negative sign: cyber-crooks sometimes create short-lived Web pages that are only up and running for the time it takes to defraud a few users.

And finally, remember that the idea that 'no one will attack me, I'm just an ordinary Internet user' is exactly what the criminals want you to think.

5. Conclusions: Practical tips for secure transactions on the Internet

- Check the security characteristics of the page on which you are about to operate (secure protocol, valid certificate)
- Keep your operating system and applications up-to-date
- Make sure there are no active viruses on your PC before you shop or bank online
- Never pay anything on the Internet unless you are completely sure about the vendor
- Don't run files from dubious sources
- Complement your traditional antivirus with proactive technologies that detect threats with no need for updates
- If bidding for an item on an auction site, beware of anyone who contacts you through any channel other than the auction site itself
- Use 'second opinion' tools to make sure there is no malware on your PC
- Never send confidential data via email
- Never pay attention to spam messages that claim to come from financial organizations and request confidential data
- Trust your instinct. The appearance of a web page is often a good indication that it is not secure
- Before buying from an online store, look for feedback about the reputation of the vendor

SUMMARY

With more people shopping online and having more time on their hands, Christmas has become a dangerous period for Internet users, as cyber-crooks notably step up their activities at this time of year. That is why it is wise to stay alert and take adequate security measures. Otherwise, users risk having their bank accounts raided by criminals on the Web.

[1] http://www.cecarm.com/servlet/s.Sl?METHOD=DETALLENOTICIA&sit=c,731,m,2627&id=208 74
[2] http://www.forrester.com/ER/Press/Release/0,1769,1233,00.html