So is online shopping safe?
• Server security
• Browser security
• Site integrity
• Company privacy policies
• Guarantees against fraud
Using the Internet to buy goods or services can be extremely convenient, but it can also be
dangerous. You are being asked to make a transaction, transfer money or personal details over a
very public network, so there are a few precautions you'll need to take.
Is the web server secure?
• Does the server have a security certificate?
• Is SSL being used (look for the https://)?
When you connect to a web server, the information you send to it is normally transferred as plain
text, and as such it is potentially readable by anyone it passes on its journey. To secure your data,
you should only send sensitive information where the web page is secure, that is, where the information
you send will be encrypted. You can check whether a page on a server is protected in this way
by looking at the padlock icon in the URL address bar of Firefox (or bottom right in Internet
Explorer). If the padlock is closed, then the page is encrypted. If it is open, or if there's no icon
at all, then data will be sent in plain text, unencrypted.
Is your browser secure enough?
• Use 128-bit encryption or better
• If not available, upgrade your browser
Until relatively recently, due to the US Government's policy on exporting encryption software
(they consider it to be munitions, and therefore a potential threat to US security in the hands
of its enemies), the encryption built into UK and International versions of browsers has been
relatively weak. If your browser has this weaker encryption (known as 40- or 56-bit, usually
indicated in the help/about info), you may want to consider upgrading your browser to stronger,
128-bit encryption, even though it's probably secure enough for most data. To do this, you could
download an updater program from http://www.fortify.net/ which will give you
full-strength encryption.
However, most of the latest versions of popular browsers now incorporate the stronger standard,
so you could just download a more recent copy. This is highly recommended, as this will also
fix any security flaws that may have been discovered in your older browser. You can check the
level you are using by accessing a secure page, then choosing Tools → Page Info in Firefox,
View → Document Info in Netscape/Mozilla, or File → Properties in IE6, or Page → Security
Report in IE7.
Do you trust that the site is who it says it is?
• Don't trust domain names just because they match the company name
• If in doubt, look them up
It can be easy to pass off a web site as belonging to a reputable company when it does not.
Internet domain names are allocated on a relatively arbitrary basis: there is no guarantee that, for
example, www.lloyds.co.uk points to either Lloyds Bank, or Lloyds of London. In fact,
it belongs to an anonymous third party, who is probably holding on to it until one of the other
companies offers them enough money to buy it...! [update - it has now been bought by Lloyds
Computers].
You can usually check the domain name of the site with a WHOIS search; this looks up the
registrant's details as logged by the domain registry. For example, for UK addresses, you can
use Nominet's WHOIS service [http://www.nominet.org.uk/other/whois/faq/].
There are schemes that give you some measure of confidence that the website is bona fide; if it
is a secure site, then you can view the certificate for the site, which is usually signed by a trusted
agent such as VeriSign (www.verisign.com). Another guide to trust is word-of-mouth: do
you know people who have used the site to order goods, or read in the press that the site is
trustworthy?
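Added example (not part of the original guide): the encryption-level check and the certificate check described above, done with Python's standard ssl module instead of the browser's page-info dialog. The host names, organisation names and cipher tuples are constructed samples, and the wildcard matching is a simplified assumption.

```python
import socket
import ssl

MIN_BITS = 128  # the guide's recommended minimum encryption strength

def name_matches(pattern, host):
    """Match a certificate DNS name; '*' stands for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def assess(host, cipher, cert):
    """cipher: tuple from SSLSocket.cipher(); cert: dict from SSLSocket.getpeercert()."""
    name, protocol, bits = cipher
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "cipher": name,
        "protocol": protocol,
        "bits": bits,
        "strong_enough": bits is not None and bits >= MIN_BITS,
        "issued_to": subject.get("organizationName") or subject.get("commonName"),
        "signed_by": issuer.get("organizationName") or issuer.get("commonName"),
        "name_matches": any(name_matches(n, host) for n in dns_names),
    }

def check_live(host, port=443, timeout=5):
    """Connect using the system trust store; raises ssl.SSLError if verification fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(host, tls.cipher(), tls.getpeercert())

# Constructed sample values, shaped like the ssl module's return values.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),), (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
STRONG = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
EXPORT = ("EXP-RC4-MD5", "SSLv3", 40)  # export-grade, like the 40-bit browsers above

if __name__ == "__main__":
    print(assess("www.shop.example", STRONG, SAMPLE_CERT))
    print(assess("shop.example.lookalike.test", EXPORT, SAMPLE_CERT))
```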
Do you trust the site not to disclose your details?
• Does the company have a privacy policy?
• Would you trust them with your details offline?
In a recent incident, a cyber-pornography web site published the names, addresses and full credit
card details of all its customers on a public bulletin board, an open invitation for others to use
them fraudulently. Whilst this type of public disclosure is rare, you should still weigh up whether
your personal details will be used for purposes other than you intend, such as junk mailing lists
or market profiling.
Does your credit card offer you guarantees?
• Check the small print
• Shop around for an e-friendly card
Credit card companies agree that fraudulent use of cards over the Internet is increasing at a
significant rate. Many are now considering withdrawing the normal guarantees they offer where
a transaction is made online, though others are making this a selling point in their advertising.
It's as well to check the small print before you sign up!
Identity Theft
Case study: Sarah Palin's Yahoo! Mail
BBC News report [http://news.bbc.co.uk/1/hi/technology/7624809.stm]
Discussion
• What value do you place on your personal data?
• How should personal data be treated in organisations/government?
• How can systems be designed to protect personal data?
• How does connecting data together increase its value?