Harry Waldron - Corporate Security News

I've subscribed to Network World magazine for a number of years and also receive the newsletter.  This two part article by Steven Zeligman below is one of the best articles I've read related to e-commerce security.  Following these guidelines will help you stay safe while shopping online on the Internet.

ARTICLE:  Best practices for online shopping
Author:     Steven Zeligman, MSIA, MCP, CISSP
From:       Network World newsletter

QUOTE:

Best practices for online shopping

Online shopping does pose risks, but the risk can easily be reduced.

1. Eliminate malware

Before shopping online, clean your computers of malware (malware is MALicious softWARE).

2. Shop only at trusted online retailers

Use the same common sense when shopping online that you would use when shopping in the physical world. Be as vigilant when choosing online retailers as when choosing brick-and-mortar merchants. If you are uncertain about a particular Web site, check the Better Business Bureau’s ratings http://www.bbb.org .  Reliable online merchants provide a phone number where you can talk to a customer-service representative about security issues.  Look for third-party seals of approval such as BizRate http://www.bizrate.com/ , BBSOnLine http://www.bbbonline.org/ , VeriSign Secured https://seal.verisign.com/ , and HackerSAFE https://www.scanalert.com/ . Usually clicking on the symbol will bring you directly to the report for the Web site you are visiting.

3. Look for Web site security indicators

Although the following are by no means absolute indicators of security, they’re a start: 

A padlock in the browser window’s status bar (be discriminating - sometimes it’s a false indicator http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse or even just a symbol placed on the Web page itself); URLs that start with “https” instead of just “http”; and The phrase “Secure Sockets Layer (SSL)” in the description of the communications protocol.  These are all indications that the online merchant may have taken measures to protect their customers’ private information in transit.

4. Safeguard your own personal information and records

Do not send payment information via e-mail. Unencrypted e-mail is not a secure method of communication. All information transmitted via e-mail is at risk of interception by bad people.  Any trustworthy online merchant uses encryption technologies to protect private information during a transaction on their Web site.

Keep records of all transactions, much as you keep paper receipts for physical “brick and mortar” purchases. An easy way to do that if you have full Acrobat is to print to an Acrobat file from your browser; alternatively, you can use the print function of your browser and send to a suitable printer or even take a screenshot and save the image file on disk. [MK adds: I keep records in folders labeled by vendor in a folder called “My Received Files.” I have a folder for software licenses, for example, one for DVDs, one for CDs and so on.]

Other methods of safeguarding e-commerce information include:

* Always conduct online transactions using a Web browser that has all current security patches and uses at least 128-bit encryption.
* Always use strong passwords that contain a combination of uppercase letters, lowercase letters, and special characters for e-commerce accounts.
* Never use obvious passwords such as family names, birthdays, pets’ names, etc. for e-commerce accounts.
* Always use passwords that contain six or more characters.
* Never share user names or passwords with anyone else.
* Never use the “one-click shopping” that stores credit-card information accessible through an online account password.
* Never perform online transactions on public computers.
* If you have an unsecured home computer, do not allow your browser to store user IDs and passwords for the online-shopping sites you use.

For more information on browser security and Web sites, see the following U.S. Computer Emergency Readiness Team (US-CERT) Cyber Security Tips:

ST04-022 --  “Understanding Your Computer: Web Browsers”
http://www.us-cert.gov/cas/tips/ST04-022.html

ST05-001 -- “Evaluating Your Web Browser’s Security Settings”
http://www.us-cert.gov/cas/tips/ST05-001.html

ST04-012 -- “Browsing Safely: Understanding Active Content and Cookies”
http://www.us-cert.gov/cas/tips/ST04-012.html

ST05-010 -- “Understanding Web Site Certificates”
http://www.us-cert.gov/cas/tips/ST05-010.html

5. Review the Online Merchant’s Privacy Statement

Sometimes online merchants call their privacy statements “Terms of Use,” “Terms and Conditions,” “Privacy Statement,” or similar titles. A trustworthy online merchant will always post details regarding the use of consumers’ personal and financial information on their Web site. Consumers should read this policy carefully to ensure that their private information won’t be sold to third parties.

Consumers should also be prudent about what personal and financial information they reveal to conduct an online transaction. It is usually necessary to provide a credit-card number. However, it should never be required to provide bank-account numbers or Social Security Numbers to conduct online shopping transactions.  There are many reliable online merchants; if you don’t like a merchant’s policies, choose a different one.

6. Summary

With a few precautions, you can usually take advantage of online shopping conveniences without significant risk. The essential point is that you have to think before you shop - but that’s true in all situations.

==========================

AUTHOR: Steven Zeligman, MSIA, MCP, CISSP, is the Network Security Manager at Dataline, Inc., and has more than 15 years of experience in information technology and security. His opinions are entirely his own and do not constitute the opinions of his employer. You are welcome to write to him at: steven.zeligman (at) gmail (dot) com  with comments on this article.