Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.
But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.
Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.
Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.
Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.
Look for trust seals, but verify they're legitimate
(Credit: BBBOnline)It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.
When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.
If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.
Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.
Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.
It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.
Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.
Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.
Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."
Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.
TrendMicro last year introduced its cloud computing strategy to deliver security to desktop PCs. Now the security software vendor, according to CEO Eva Chen, is taking cloud security a step further by protecting the cloud itself.
An update to its Deep Security product, introduced Monday, offers protection for the "entire server," including the operating system, network, and applications layers, according to the company.
So is why there a need for yet another layer of server protection. Don't servers already have an enormous amount of protection?
She acknowledged that servers are typically protected by a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS). "But now people are doing virtualization," Chen said. "And once you do virtualization, the server can move from one network center to another network center or move from your own data center to a public data center, and therefore the server is not just behind the firewall all the time. It needs to protect itself."
Another issue is the changing nature of servers. In the past, they mostly were used to serve up data. But with cloud computing, applications run on the server and that makes them vulnerable to hackers. "In last two years an enormous amount of Web servers were attacked by cybercriminals. They just insert SQL injections or a malicious link in your site or serve up malicious content from your site," Chen said.
Initially, TrendMicro's product is aimed at the enterprise but, long term the company plans to develop services to support small Web sites and blogs.
As a small site owner, I understand the need. SafeKids.com, which is a WordPress blog I maintain, was attacked a couple of years ago due to a security flaw in a template I was using. The attacker embedded hidden links to sites that offered male enhancement products. I discovered the problem when I was embarrassed by Google Viagra ads appearing on my site. I don't have anything against Viagra, but the ads weren't appropriate for a site that focuses on Internet safety for children. Google, which places ads that are related to the site's content, was fooled into thinking that my site covered male enhancement rather than children's safety. Chen said that TrendMicro is exploring technology that could protect sites like mine by alerting owners to potential problems as soon as they occur.
In a partnership with RSA, the company is also working to protect financial sites against phishing attacks. It has software that looks for phishing sites that mimic legitimate ones and warn the legitimate site owners who can then take action against the impostors.
Listen to Larry's interview with TrendMicro CEO Eva Chen.
Listen now: Download today's podcast
A recent phishing scam resulting in usernames and passwords of Microsoft's Hotmail, Google's Gmail, and possibly accounts of AOL and Yahoo users being posted online is cause for concern for anyone who uses any of those services. Rather than panic, though, there are simple ways to avoid becoming a victim or being further victimized, if your account has already been compromised.
Microsoft and Google said the compromised information likely came as a result of a phishing scam, through which millions of people are sent e-mail (often warnings about a fake security breach), asking them to click on a link to take them to a Web site so that they can enter their correct information.
When phishing attacks first became prevalent, the fake sites were often crude imitations of the real things, but these days, they can look exactly like the legitimate site, typically of a bank, a payment service such as eBay's PayPal, or another financial company. When the user logs in with a username and password, or provides credit card numbers and other confidential data, that information is captured by the e-mail senders, who can use it to impersonate the victims.
In addition to someone being able to read your messages, a risk of having your e-mail account compromised is that many sites will send a lost password to an e-mail address, so if criminals can access your e-mail, they might be able to use it to get passwords from other sites, including financial accounts.
Audio
Podcast
Symantec's Marian Merritt on
how to avoid being a victim.
Download mp3
BBC News is reporting that it has seen lists containing more than 30,000 names and passwords, some of which "appear to be old, unused or fake," but "many--including Gmail and Hotmail addresses--are genuine." To put this into context, Gmail and Hotmail sites had more than 84 million unique visitors in July. Yahoo Mail had more than 156 million unique visitors, according to ComScore.
Here's some advice that can help you avoid becoming a phishing victim.
Change passwords regularly
Even if this particular breach hadn't occurred, many experts recommend that you change your password about every three months. This is as good a time as any to do just that. It's also a good idea to avoid using the same password on multiple sites, but if you're one of the many people who have done that, be sure to change your password elsewhere. Gmail asks users to provide them with an alternate e-mail address, so be sure to change the password for that account as well.
As I pointed out in this post about password security, consider using a password manager like LastPass (free) or RoboForm that can generate and manage strong passwords.
Click cautiously
If you get an e-mail that appears to be from legitimate site with a request that you click on a link to visit the site for any reason, including updating your security information, think before you click. It might be taking you to a rogue site that captures that information for possible identity theft or other crime. It's safer to just type in the URL yourself. Be extremely wary of any requests to provide Social Security numbers or credit card information, unless you're absolutely sure that you're dealing with a legitimate site. When visiting a site, make sure that the URL is that of the organization.
Look for secure sites
If you're asked to provide sensitive information such as a credit card number, be sure that the URL begins with "https" (the "s" stands for "security") and that there is a padlock icon, typically in the lower-right corner of the browser.
Use a phishing filter and good antimalware software
The most recent versions of most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, help filter phishing sites, as do security suites from McAfee, Symantec, TrendMicro, and other companies. Security software also helps protect you against malicious software that can log your keystrokes, or otherwise jeopardize your privacy and security. Make sure that your security software and your operating system are up-to-date.
Think critically
If something seems too good to be true, it's almost invariably too good to be true. Think about what you're about to do on any site you visit, especially if it's a site you don't already trust. Never use the same password on an unknown site that you use for e-mail, banking, or other sites where security is essential.
The U.S. Department of Homeland Security's National Cyber Alert System has additional tips to help you avoid phishing and other social engineering attacks, and ConnectSafely.org has tips to create an manage strong passwords.
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords for different sites and to remember new ones after you change them.
One way to create a password that's hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't) or you can use the initials of each word in the phrase, for instance, "IgfLESi85" for "I graduated from Lincoln Elementary School in '85." An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve." You get the idea--upper case numbers, letters, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.
But even if you do come up with a clever and hard-to-remember password, don't use it for every site. Since lots of people do that, there's the risk that a sleazy site operator--or a sleazy person who works for a legitimate site--could use it to break into your accounts on other sites.
Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I'm most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC. That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop that could more easily fall into the wrong hands.
RoboForm has a free trial version that's limited to 10 passwords after the trial ends. Lastpass is free.
RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.
On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing up your data.
Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one--himself included--can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it is, this should protect your security even if their servers are compromised. The company provides a lot of security information on its FAQ.
There are also versions for Blackberry, iPhone, Windows Mobile, and Android as well as a Web site for phones and browsers that aren't supported directly.
For a lot more on this password management, see CNET News reporter Elinor Mills' post, "Facing the pain of passwords."
- prev
- 1
- next
