Practical guide for secure Christmas shopping


Navid
CONTENTS
1. Introduction
2. Internet risks: Threats to secure transactions
3. What criteria should a secure e-commerce page meet?
4. What security measures should users adopt?
5. Conclusions: Practical tips for secure transactions on the Internet
1. Introduction
More of us now look to the Internet to find that original Christmas present to give to friends or
family. The Web is now like one big department store where you can find everything you want
and often at the most competitive prices.
In Spain alone, online transactions during 2007 were worth 3,740 million euros, over 50 percent more than in 2006 [1]. For 2009, the Forrester consultancy forecasts worldwide growth of online transactions of 12.2 percent [2].
Cyber criminals do not usually attack companies directly, but rather concentrate their efforts on the weakest link of the chain: the user. It is easier to get confidential data from an individual's PC than to hack a server to steal a database, or to intercept communications, which are often encrypted.
Here we will look at the threats to users on the Internet and the security measures that online
businesses and users alike should implement to ensure maximum security for online
transactions.
2. Internet risks: Threats to secure transactions
Banker Trojans: These malicious programs are designed to steal users' bank details. They are often spread as attachments to emails, disguised as legitimate downloads in P2P programs such as eMule or Ares, downloaded from Web pages, etc. Generally, they operate silently and without affecting system functionality, so that users are unaware that their computers are infected. Then, when users visit their online bank, the Trojan captures their login details, passwords, etc. For more information about this threat, go to:
http://www.pandasecurity.com/homeusers/security-info/classic-malware/trojan/
Spam: Spam is essentially junk mail, i.e., messages sent indiscriminately to our mailboxes from senders we don't know. These messages normally advertise some type of product. No matter how attractive the offer, the fact that it comes from an unknown source should arouse suspicion. How can you know that the vendor is genuine? How do you know it is not a fraudster who will never send the goods? Or, worse still, what if the spam is designed simply to capture your bank or credit card details? And even if you were to receive the products, they could be dangerous or faulty.
Phishing: Another type of junk mail is phishing, which as a general rule will appear to have
been sent by banks or other financial entities. These messages often claim that due to some
kind of technical problem, you have to reconfirm your login details. According to the Center for
Interbank Cooperation Group (CCI)-IT Security, online bank fraud is currently increasing by
between 10 and 20 percent annually.
Fake Christmas cards: A classic ruse to spread malware over the Christmas period is the use
of fake greetings cards. These emails advise users that they can download an online Christmas
card supposedly sent by a friend. However if they do this, they will actually be downloading
some type of malware onto their computers.
Fake online stores: These are Web pages set up to look like genuine online stores. They may
advertise all types of products and generally offer highly competitive prices to attract users.
Once again, they are commonly used to steal the victim’s bank details. Needless to say, the
products are never delivered.
Spoof online auctions: Another, less frequent, technique used by criminals on the Internet is to
insert comments on auction sites such as eBay pretending to be legitimate vendors, selling
products and inviting users to visit a Web page from which they can buy the product. The aim,
yet again, is to steal users’ details.
3. What criteria should a secure e-commerce page meet?
Web pages for carrying out online transactions must comply with a series of technical requirements to guarantee users' security. These are:
- They must guarantee that data entered for the transaction is only accessible to the parties involved. This is achieved through encryption.
- They must maintain the integrity of the information throughout the operation, so that it cannot be manipulated in transit. This is achieved with message authentication codes or digital signatures.
- Finally, the identity of the seller, and where required the buyer, must be verified. Digital certificates are issued for this purpose.
To achieve this, e-commerce security protocols have been developed which comply with some
or all of these requirements.
3.1. Security protocols
A security protocol is a package of specifications developed to implement security in electronic
transactions, ensuring compliance with the requirements mentioned above. The parties involved
in this include the end user, the vendor, financial entities, the company administering the cards
and the credit card companies themselves.
The most widely-used system for secure transactions is currently based on the SSL (Secure Sockets Layer) protocol and its successor, TLS (Transport Layer Security). The data is encrypted before it leaves the browser and decrypted only when it reaches its destination. This ensures that even if a third party were to intercept the data, they would not be able to read it without the corresponding decryption key. In this protocol only the vendor presents a digital certificate to verify its identity; the buyer is not normally required to present one (client certificates exist in the protocol but are rarely used in retail e-commerce).
3.2 Server certification
In addition to using a secure transaction protocol, any reliable e-commerce business will have a certificate for its servers issued by a recognized certificate authority. In this sense, there is not much difference between this and traditional sales outlets: nobody in their right mind would give their details to the first person that tried to sell them something, so neither should you enter data on servers that do not present a valid certificate. Similarly, companies should take great care to ensure their servers are completely free from viruses and Trojans, to guarantee the integrity of the data stored on them. In fact, some of these viruses and Trojans are dropped on IT systems with the specific objective of opening up vulnerabilities in servers, thereby allowing hackers to take a series of actions, including stealing clients' data.
The certificate authorities are responsible for verifying that whoever requests a certificate actually controls the domain name it is issued for (and, for higher-assurance certificates, that the organization behind it is who it claims to be); the certificate itself says nothing about whether the server is well configured or free of malware. They can likewise issue digital certificates to companies or to individual buyers.
There are several certificate authorities, although Verisign is the most widely recognized internationally.
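The checks this section describes (the certificate must be issued by a trusted authority, must be for the name the user typed, and must be within its validity period) are what a browser performs on every HTTPS connection. The following Python script is an added example, not code from the original guide or from Panda Security: it applies the name-matching and validity checks to a constructed certificate (the host names, issuer and dates are assumptions for illustration), and shows the weak client configuration that skips verification beside the corrected one that verifies the chain against the system's trusted CAs.

```python
import socket
import ssl

# Constructed peer certificate in the dict layout that
# ssl.SSLSocket.getpeercert() returns; the names, issuer and dates are
# illustrative assumptions, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}
# Two points in time (seconds since the epoch) used by the demo below.
VALID_NOW = ssl.cert_time_to_seconds("Dec  1 12:00:00 2008 GMT")
EXPIRED_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2010 GMT")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching: a single '*' is accepted only as the
    whole leftmost label, it matches exactly one label, and patterns such
    as '*.com' that would cover a whole top-level domain are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Check the name the user typed against the certificate. DNS entries
    in subjectAltName are authoritative; the commonName is consulted only
    when the certificate carries no SAN at all (legacy certificates)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_dns_name_matches(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def cert_is_valid_at(cert: dict, now: float) -> bool:
    """Validity-window check using the stdlib parser for the
    'Mon DD HH:MM:SS YYYY GMT' format that getpeercert() uses."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_peer_cert(cert: dict, hostname: str, now: float) -> list:
    """Return the problems a careful client would refuse to continue on."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if not cert_is_valid_at(cert, now):
        problems.append("certificate expired or not yet valid")
    return problems


def insecure_context() -> ssl.SSLContext:
    """The weak setting: encryption without verifying who you talk to.
    An attacker in the middle can present any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """The corrected setting, which is what a browser does: verify the chain
    against the system's trusted CAs and require the name to match."""
    return ssl.create_default_context()


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): connect with the secure context, which
    raises ssl.SSLCertVerificationError on an untrusted chain or a name
    mismatch, and return the verified certificate for display."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with secure_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, now in (("shop.example", VALID_NOW), ("www.shop.example", VALID_NOW),
                      ("shop.example.evil.test", VALID_NOW), ("shop.example", EXPIRED_NOW)):
        print(name, "->", check_peer_cert(SAMPLE_CERT, name, now) or "ok")
```

Only fetch_peer_cert touches the network; the constructed checks run offline. Note the two traps the matcher closes: a wildcard certificate for *.shop.example does not cover shop.example itself or a.b.shop.example, and a name such as shop.example.evil.test is a different domain even though it begins with the expected one.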
4. What security measures should users adopt?
Firstly, make sure there are no active viruses on your PC before you shop or bank online.
The most common and also the most dangerous threats are banker Trojans, which lie in wait on
systems until users connect to certain bank pages, payment platforms or virtual stores, and then
capture information entered and send it to cyber-crooks.
For that simple reason, it is essential to have a fully up-to-date security solution installed. But
that’s not all, we are currently experiencing a new malware dynamic, in which criminals are
trying to surreptitiously circulate as many viruses as possible. The objective is to go unnoticed
by security companies, which will therefore not be able to neutralize the threats. For this reason,
there is a need to complement traditional security solutions with proactive technologies
that can detect threats simply by analyzing behavior, and with no need for prior
identification.
It is also a good idea to use 'second opinion' tools. Given the enormous volume of new threats that appear every day, many security laboratories cannot keep up, which means that not all antivirus solutions detect the same threats. Because of this, it is highly advisable to scan computers with a second antivirus that may detect malware the installed one has missed. Panda Security offers a free tool for scanning PCs, Panda ActiveScan, at:
http://www.pandasecurity.com/activescan
Never pay any attention to spam messages. You should also ignore emails claiming to have
been sent by a bank, as they will invariably be attempts at phishing attacks. Remember that no
genuine bank will contact users asking them for personal or confidential details. In any case, if
you have any doubts, before entering any information contact your bank and confirm
that the message is genuine.
Of course, you should never click on any link that appears in these messages, as they will
take you to spoof pages, with no relation to your bank and with the sole aim of collecting your
confidential data.
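The advice above is to never follow a link in a message that claims to come from your bank. The following Python script is an added example, not code from the original guide or from Panda Security: it pulls the links out of a constructed phishing email (the bank name, addresses and targets are invented for the example) and flags the tricks such messages rely on: the visible text naming one site while the link goes to another, a bare IP address in place of a domain, a plain http link, and a legitimate-looking name placed before an '@' so that the real host is what follows it.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body imitating a phishing email (not a real message);
# the bank name and the link targets are invented for this example.
SAMPLE_EMAIL = """
<p>Dear customer, due to a technical problem you must reconfirm your login details.</p>
<p>Go to <a href="http://192.0.2.10/mybank/login">https://www.mybank.example/login</a> now.</p>
<p>Or use <a href="https://www.mybank.example@secure-update.invalid/">our secure site</a>.</p>
<p>Help pages: <a href="https://www.mybank.example/help">https://www.mybank.example/help</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# A domain-looking token in the visible text, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _host_shown_in_text(text: str):
    match = _HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href: str, text: str) -> list:
    """Return the reasons to distrust one link; an empty list means none of
    the checks fired (which is not proof that the link is genuine)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # In 'https://www.mybank.example@evil.test/' everything before '@'
        # is user info; the real host is what follows it.
        reasons.append("user info before the host, real host is %r" % host)
    if _is_ip_literal(host):
        reasons.append("IP address instead of a domain name")
    shown = _host_shown_in_text(text)
    if shown and shown != host:
        reasons.append("visible text says %r but the link goes to %r" % (shown, host))
    return reasons


def suspicious_links(html: str) -> list:
    """Links from an HTML message that trip at least one check."""
    flagged = []
    for href, text in extract_links(html):
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The third link in the sample passes every check and still should not be clicked: the checks catch the clumsy forgeries, while a well-made phishing page on a freshly registered https domain passes them all. That is why the guide's rule is to go to the bank by typing its address yourself, not to judge the links in the message.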
Before buying from any online store, or from an online auction site, it is a very good idea to investigate the reputation of the site, using a search engine for example. This will help to avoid any nasty surprises.
Keep your system fully up-to-date. Operating systems and many other applications can have vulnerabilities which can be used by hackers to enter computers or install malicious code without users realizing. It doesn't matter what the application is: even a security problem in a media player can be exploited by cyber-crooks.
The best way to stay up-to-date at all times is to use the update option often included with applications or to stay up-to-speed on the most recent security news.
Never run files that are not from reliable sources, such as attachments to suspicious emails or downloads from dubious Web pages. Remember you could be installing a virus on your computer.
Never pay anything unless you are completely sure. Remember that fraud on the Internet is more common than you might think. You wouldn't be the first person to buy a latest generation cell phone and receive a box of stones instead.
If bidding for an item on an auction site, beware of anyone that contacts you claiming to
be the vendor and making you an offer, with the excuse of speeding up the sale.
Never send confidential data via email. People believe that this is more secure than using an online form, but this is totally false: email normally travels and is stored in plain text, and it can be intercepted or read on any server it passes through.
Trust your instinct. The appearance of a Web page is often a good indication that it is not secure. If in doubt, search the Web for positive references. If you don't find anything, either good or bad, take it as a negative sign. Sometimes cyber-crooks create Web pages that are short-lived: they are only up and running for the time it takes to defraud a few users.
And finally, remember that the idea that 'no one will attack me, I'm just an ordinary Internet user' is exactly what the criminals want you to think.
5. Conclusions: Practical tips for secure transactions on the Internet
- Check the security characteristics of the page on which you are about to operate (secure protocol, security certification)
- Keep your operating system and applications up-to-date
- Make sure there are no active viruses on your PC before you shop or bank online
- Never pay anything on the Internet unless you are completely sure about the vendor
- Don't run files from dubious sources
- Complement your traditional antivirus with proactive technologies that detect threats with no need for updates
- If bidding for an item on an auction site, beware of anyone that contacts you through any channel other than the auction site itself
- Use 'second opinion' tools to make sure there is no malware on your PC
- Never send confidential data via email
- Never pay attention to spam messages that claim to come from financial organizations and request confidential data
- Trust your instinct. The appearance of a web page is often a good indication that it is not secure
- Before buying from an online store, look for feedback about the reputation of the vendor
SUMMARY
With more people shopping online and having more time on their hands, Christmas has become a dangerous period for Internet users, as cyber-crooks notably step up their activities at this time of year. That's why it is wise to stay on the alert and take adequate security measures. Otherwise, users risk having their bank accounts raided by criminals on the Web.
[1] http://www.cecarm.com/servlet/s.Sl?METHOD=DETALLENOTICIA&sit=c,731,m,2627&id=20874
[2] http://www.forrester.com/ER/Press/Release/0,1769,1233,00.html