Safe and Secure

December 29, 2009 2:50 PM PST

More attacks expected on Facebook, Twitter in 2010

by Larry Magid

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."

The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."

In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.

"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is "also serving as a control vehicle for botnets."

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.

The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France Press, Dow Jones and Reuters based in China."

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hyper-text markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."

McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.

"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.

For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."

The year also "saw the conviction of the infamous "Godfather of Spam," Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.

"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."

Listen to Larry's interview with David Marcus.

December 16, 2009 11:10 AM PST

How to hide your Facebook friends list

by Larry Magid

Facebook last Wednesday announced new privacy settings that give users some additional control over what information they share, while taking away the ability to hide a few pieces of information from the general public.

One particular piece of publicly available information--users' friends lists--caused a bit of an uproar from a number of sectors, including business people who don't necessarily want to expose their professional networks to the public and their competitors. It is also a concern to some parents who might not want their kids--or a list of their kids' friends--to be widely available.

Facebook quickly backtracked. A day later, the company announced on its blog that users can now uncheck the "Show my friends on my profile" option in the Friends box on their profile so that their friend list won't appear on their publicly viewable profile.

Unfortunately, they weren't very clear on exactly how you make the change. ...

December 10, 2009 4:36 PM PST

13 more sites expel NY sex offenders

by Larry Magid

Sites owned by Yahoo, AOL, and Google have joined Facebook and MySpace in expelling New York sex offenders from their rolls.

New York Attorney General Andrew Cuomo announced Thursday that Google's Orkut.com, AOL's Bebo.com, and Yahoo's Flickr.com are among 13 additional social-networking sites to use sex offender data available through New York's Electronic Securing and Targeting of Online Predators Act (E-Stop) to find and disable accounts associated with registered sex offenders.

Other companies that have agreed to cooperate include BlackPlanet.com, Classmates.com, Flixster.com, Fotolog.com, hi5.com, MyLife.com, Stickam.com, and Tagged.com.

There are still some holdouts. Cuomo called on other sites, including Friendster.com, Buzznet.com, eSpin.com, Habbo.com, and LiveJournal.com, "to commit to using the list." He urged parents and children to consider not using sites that haven't complied.

On December 1, Facebook and MySpace deleted the accounts of more than 3,500 sex offenders based on the New York law.

By comparing this data with their own user rolls, Facebook was able to identify and delete 2,782 registered sex offenders. MySpace deleted 1,796 accounts.

In addition to deleting the accounts of any known registered sex offenders, the companies will turn over information about the accounts to law enforcement officials.

In a statement, Cuomo said: "It is no secret that sexual predators abuse social networking websites to find and manipulate victims and to insinuate themselves into their victims' lives."

The E-Stop law, which was passed in 2008, requires registered sex offenders from New York to disclose their online identities to officials. Information must include e-mail addresses, instant-messaging screen names and social-networking account names. The law also requires the state's Division of Criminal Justice Services to release state sex offender Internet identifiers to social-networking sites and other online services so that they can prescreen or remove individuals who match the list. It also imposes restrictions on sex offenders' use of the Internet if the victim was a minor and if the Internet was used to commit the crime. Restrictions include banning the offender from social-networking sites, as well as prohibiting access to online pornography or communicating with anyone with the intention of promoting sexual relations with a minor.

Cuomo is one of several state attorneys general who have expressed concerns about the danger of Internet predators. In 2008, Cuomo and 48 other attorneys general entered into an agreement with MySpace that resulted in the Internet Safety Technical Task Force, whose report concluded that the actual threat of predators is less than many had feared and that kids are far more likely to be harmed by bullying and harassment from other youth. I served on that task force as a representative of ConnectSafely.org, a nonprofit Internet safety organization I help operate.

December 9, 2009 7:25 AM PST

Facebook details new privacy settings

by Larry Magid

Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.

"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."

The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.

Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.

In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class-action lawsuit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."

In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decision-making would be more transparent.

Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.

To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.

In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings.

The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.

Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.

According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However, Axten added that if a user had previously configured their privacy settings, they should keep what they already have.

While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.

Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."

Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.

Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.

Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."

Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.

December 6, 2009 11:00 AM PST

Youth using phones to harass and spy on partners

by Larry Magid

Cell phones and the Internet are great ways for romantic partners to stay in touch, but based on a recent survey of 14- to 24-year-olds, they're also being used to spy and harass significant others.

My report on the Associated Press and MTV study about youth digital abuse focused mostly on sexting and how youth respond to cyberbullying. But there was also some interesting data on how technology is being used for "dating abuse."

The study (PDF) found that 22 percent of youth involved in a romantic relationship say they feel like their significant other uses a cell phone or goes online to check up on them too often. The study also found that "more than 1 in 4 say their boyfriend or girlfriend has checked the text messages on their phone without permission," and more than 10 percent of the young people said that a boyfriend or girlfriend has demanded that they give them their password.

Whether by coercion or not, 26 percent said they had shared an online password with someone. Females (31 percent) are more likely to share passwords than males (22 percent). And though there isn't necessarily a causal relationship, 68 percent of those who have shared passwords report having been a target of digital abuse compared with 44 percent of those who hadn't.

Not surprisingly, a significant minority of the youth (12 percent) said that a boyfriend or girlfriend has called them names, put them down, or said really mean things to them on the Internet or cell phone.

And about 1 in 10 said that a significant other demanded that they unfriend a former boyfriend or girlfriend on social networks.

The survey, conducted for The Associated Press and MTV by Knowledge Networks, interviewed 1,247 people between the ages of 14 and 24 in what was described as a nationally representative survey.

This data comes just as there is increased attention on teen dating abuse. CBS Evening News anchor Katie Couric reported last week that 29 percent of America's teens "say that they were emotionally, sexually or physically abused by their boyfriends and sometimes even girlfriends last year." Though technology doesn't cause nor necessarily play a role in teen dating violence, it clearly can amplify the problem, especially if a partner in the relationship is using a cell phone or computer to harass, stalk or spy on their partner, as the AP/MTV survey has shown. Technology can also be used by partners to embarrass their significant others by making it possible for a partner to share details of their relationship online. One of the biggest downsides to "sexting" is the possibility of a partner sharing those images with others.

Marriage and family therapist Marty Klein is less concerned about kids sharing intimate photos with their partners than he is about how some are misusing those images. "Take the sex out of sexting and what you have is a betrayal of trust," Klein said. The Internet, he added, "more clearly and sometimes more dramatically focuses our attention on problems that people have struggled with forever." In other words, the Internet and mobile technology don't cause these problems (that exist in offline relationships) but they can amplify them.

Couric also reported that calls and online chat to the National Teen Dating Abuse Helpline went up nearly 600 percent from March 2007 to March 2009. The Helpline's Web site has advice for teens including a section on helping to determine if you're being abused.

In conjunction with the release of the digital abuse survey, MTV launched A Thin Line, a Web site that provides resources to help youth deal with sexting, constant messaging, spying, digital disrespect, and cruelty.

December 3, 2009 8:04 AM PST

Study: 'Digital abuse' hits half of youth

by Larry Magid

A study conducted by the Associated Press and MTV pretty much confirms what many Internet safety experts have been saying for the past several months: Young people are far more likely to experience problems online from their peers or from their own indiscretions than from adult predators.

But that's hardly to say that there's no need for concern. The AP/MTV study (PDF), released Thursday, found that 50 percent of 14- to 24-year-olds have experienced some type of digital abuse.

The study also found that 30 percent had either sent or received nude photos on their cell phones or online, a practice known as "sexting." Just 10 percent had actually sent such messages, which is in line with a previous study done by Cox Communications.

The AP/MTV study interviewed 1,247 teens and young adults in what the authors call an "online panel that is representative of the entire U.S. population." Respondents were recruited from KnowledgePanel. Details about the study and a campaign to empower youth to stop digital abuse are available at AThinLine.org.

The study's definition of digital abuse includes writing something online that wasn't true, sharing information that a person didn't want shared, writing something mean, spreading false rumors, threatening physical harm, impersonation, spying, posting embarrassing photos or video, being pressured to send naked photos, being teased, and encouraging people to hurt themselves.

As have previous studies, this one points to the need for educating young people on how to empower and protect themselves. While parental and educator involvement is crucial, young people themselves need to embrace and "own" digital safety messages--taught not as "Internet safety" lessons but as part of a larger worldview on how to thrive in the digital age. (For more on this, see Online Safety 3.0: Protecting & Empowering Youth from ConnectSafely.org, a nonprofit group I help run.)

Bullies and passwords
More than two-thirds (69 percent) of the respondents said that digital abuse is a serious problem for people their age, but only half (51 percent) said that they had thought that "things they post online could come back to hurt them later." Only 25 percent said that they considered the possibility that they could get into legal trouble. Some prosecutors have charged teens with violating child pornography laws for taking, possessing or distributing child pornography.

There was some good news on the cyberbullying front. The AP/MTV study reported that 78 percent of the respondents said that "it is always okay to report it when someone harms another person physically," and 55 percent said that "if they witness someone being picked on by a group of people, it is always okay to report it to an authority." Sixty-two percent said they are likely to ask the bully to stop if they themselves are victims of abuse or harassment, and 59 percent said they would ask a friend for help.

The sharing of passwords can lead to someone being impersonated or having their online identity stolen, yet 26 percent of the study's respondents admit that they have shared passwords online. Girls (31 percent) are more likely to share passwords than boys (22 percent). The study found that youth who shared passwords were more likely (68 percent) to be victims of digital abuse than those who didn't (44 percent).

Showing off via sexting
Females are slightly more likely to share a naked photo of themselves (13 percent) than males (9 percent), while youth who are sexually active are more than twice as likely to send such photos as those who aren't (17 percent versus 8 percent). Perhaps more disturbing is the finding that 17 percent say they've passed the image to someone else, and just over 9 percent have distributed the images to more than one person. Remarkably, 29 percent of respondents who shared a naked photo of themselves report that they shared the image with someone whom they had never met in person and knew only online. That represents about 3 percent of the total sample.

The study reported that "61% of those who have sent a naked photo or video of themselves have been pressured by someone else to do so at least once," but it's not clear from the study how many of these young people actually sent photos to people who pressured them.

Reasons for sending "sexts" include "the assumption that others would want to see them (52%), a desire to show off (35%), and boredom (26%)." The study also found that about 30 percent of teens have shared sexts as a joke or to be funny.

Online risk mirrors offline risk
The study didn't conclude that there was any causality between online and offline risk activities, but like previous studies, it did find some significant correlations.

Youth who have been the target of digital bullying were twice as likely (13 percent versus 6 percent) to report having received treatment from a mental health professional and are more than twice as likely to have considered dropping out of school (11 percent versus 4 percent).

Those who reported smoking a cigarette, drinking alcohol, using illegal drugs, or stealing/shoplifting in the past seven days were more likely to have been the target of digital abuse (60 percent versus 48 percent). Sexually active youth were also more likely to have been victims (62 percent of those who have had sex in the last seven days have been targets, compared with 49 percent of those who hadn't had sex).

This data is consistent with a 2007 report (PDF) from the Crimes Against Children Research Center, which found that youth who engage in "aggressive behavior in the form of making rude or nasty comments" were 2.3 times more likely to suffer from interpersonal victimization. Those engaged in "frequently embarrassing others" were 4.6 times more likely to be victimized.

A version of this post also appears on CNET's sister site CBSNews.com.

December 1, 2009 3:16 PM PST

Facebook and MySpace delete N.Y. sex offenders

by Larry Magid

New York Attorney General Andrew Cuomo announced Tuesday that more than 3,500 sex offenders from his state have been purged from Facebook and MySpace.

Both companies have long had policies against registered sex offenders using their services, but the implementation of New York's new Electronic Securing and Targeting of Online Predators Act ("E-Stop") has made it easier for the sites to identify perpetrators from the Empire State.

Facebook, according to Cuomo, was able to identify and disable the accounts of 2,782 registered sex offenders. MySpace deleted 1,796 accounts.

Cuomo has long been concerned about predators on social-networking sites. In January 2008, New York was one of 49 states that entered into an agreement with MySpace that resulted in a set of principles to combat harmful material on MySpace and other sites. In October 2007, Cuomo's office said Facebook could face a consumer fraud charge for misrepresenting the site's safety for minors, but two weeks later Cuomo and Facebook Chief Privacy Officer Chris Kelly held a joint press conference to announce a "cooperative effort."

The E-Stop law bans many registered offenders from using social-networking sites while on parole or probation and requires all registered offenders to disclose their e-mail addresses, screen names, and "other Internet identifiers." That data is provided to social-networking sites to run against their rolls.

The state of New York, according to Facebook spokesman Barry Schnitt, "built its database with the idea of social-networking companies running it against their user base." He said the way it was coded made it a lot easier to find matches. Other states, said Schnitt, "sometimes just fax over a list. Their databases are designed to help people find out if there is a sex offender living on their street. This is a very different use case."

Sex offender data is collected by states and there is currently no official federal database. The federal Adam Walsh Act calls for such a database but it hasn't been funded. In 2006, MySpace contracted with Sentinel Safe to build a national and searchable registered sex offender database.

While praising Facebook and MySpace's cooperation, Cuomo said that "many other social-networking sites remain slow at adopting available new protections against sexual predators online." He said his office "sent letters urging them to take action now to similarly purge sex offenders from their sites."

As always, it's important to put this news into perspective. It only involves registered sex offenders, which, of course, is a good start, but it only includes people who have been caught and convicted. And, while the companies do their best to ferret out registered offenders who try to hide their identity, there is no way to know how many people succeed in eluding them.

Also, we know of very few children who have been sexually molested by someone they met on social-networking sites or any Internet sites. The vast majority of child sex abuse victims know the offender from the real world. I'm not aware of any cases of a pre-pubescent child being harmed by someone he or she met online and it's even rare among teens.

And, based on conversations with security officials at social-networking companies, I am not aware of any cases where a registered sex offender has been convicted of using the site to aid in harming a child he or she met on that site.

"There are still zero cases reported of any registered sex offender who was booted off MySpace being prosecuted for illegal contact occurring on MySpace," said Hemanshu Nigam, chief security officer for MySpace parent company News Corp.

In January, the Harvard Law Berkman Center's Internet Safety Technical Task Force issued a report that children and teens are less vulnerable to sexual predators than many had feared, though that report was initially met with some skepticism from some attorneys general.

November 27, 2009 1:05 PM PST

Tips for safe online shopping

by Larry Magid

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pickpockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director, David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Epinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping. Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

Look for trust seals, but verify they're legitimate

(Credit: BBBOnline)

It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure" site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online and physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low--another good reason to be cheerful during the holiday season.

November 21, 2009 10:04 AM PST

McAfee warns about '12 Scams of Christmas'

by Larry Magid

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year."

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

  1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.

  2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.

  3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.

  4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.

  5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money for merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.

  6. Practice safe holiday shopping: Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an ironclad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."

  7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.

  8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.

  9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.

  10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.

  11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.

  12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Bottom line--Don't let the eggnog and holiday cheer keep you from using your critical thinking skills when you go online during the holiday season. And, of course, make sure your operating system is updated and that you're using up-to-date security software.

Listen to Larry's interview with McAfee's David Marcus


November 11, 2009 9:28 AM PST

Google lets parents lock in SafeSearch

by Larry Magid

Google's new SafeSearch page

(Credit: Google)

Google has long allowed parents a SafeSearch filtering setting that keeps kids from using the search engine to find inappropriate sites like those with explicit sexual images or text.

The problem was that kids could easily change those settings.

Starting Wednesday, however, the company is allowing parents to lock those settings to make it harder (though not impossible) for kids to bypass the settings.

To change the settings, the parent will have to log into his or her Google account and enter a password. Once the settings have been changed, the Google search engine will change in appearance to indicate that it's locked. The new page will have large balls in the upper right corner so that parents can see from across the room that their kids are on the safe search page.

The settings, which place a cookie on the machine, must be configured for each browser the child uses. If you set them only for Internet Explorer, for example, they won't restrict access from Firefox, Chrome, or other browsers. Also, according to a Google representative, the child can get around the settings by using the private browsing feature that is now built into the latest versions of Firefox, Internet Explorer, and Chrome. So, while this will keep kids from accidentally using Google for inappropriate searches, it will not deter tech-savvy kids who are determined to bypass the filters.

As I've said in other posts, filters are never a foolproof way to keep "tweens" and teenagers from inappropriate content. There are always ways to get around them, including using a different machine or mobile phone. Filters are effective for keeping young children from stumbling onto disturbing Web sites and they can be a deterrent to somewhat older kids who might have a momentary or casual interest in looking at material that their parents wish to block.

With all filters and controls, it's important for parents to think about how to use them to help teach their child to exercise self-control and critical thinking so that, eventually, the child can safely use the Web without filters or adult supervision. Also, for very young children, say 5 and under, it remains a good idea to be with the child while he or she is online. Tools like Google's SafeSearch are helpful, but they are no substitute for close parental supervision, especially with young children.

Listen to Larry's interview about Google SafeSearch with Google's Scott Rubin


About Safe and Secure

As founder of SafeKids.com and co-director of ConnectSafely.org, Larry Magid has a special interest in Internet safety, including debunking myths like a predator behind every screen and messages like "be afraid, very afraid."
