2010/01/17

Things to consider when shopping on line

I've just been asked by a member of my family for some advice regarding security when shopping on line and, having written it, I thought it might be worth sharing publicly even though there are lots of other sources out there with similar advice already. Is there anything I've missed in the advice you'd give people?

There are 3 things to consider when shopping on line:

1) your computer
2) the site you're buying from
3) the connection between them

Any of these can be a route through which your credit card and other personal info can be obtained by the bad guys.

Your computer needs to be "clean", or else it might already be running invisible malicious software just waiting for you to visit a web site and put in your credit card details, at which point it sends them off to its masters - usually the Russian mafia for credit card fraud (bad guys in different countries tend to specialise in different crimes).

So, your machine should be running up to date anti-virus software, and it should be regularly fully patched (not just the operating system but also any software on it - in particular, Adobe Acrobat has recently been used as an infection vector into people's machines). Ideally you'd also have a firewall running, but if your connection to the Internet is via a router, it's likely that it's acting as a NAT (network address translation) device and providing a degree of firewall-type protection.

The site you're buying from has various things to consider in itself:
A) is it a legitimate company
B) is the web address you're using the real address for the genuine company
C) are they trustworthy
D) do they take the security and privacy of your data seriously
E) what is their customer service like if things go wrong
F) what delivery provider do they use and are they any good

Taking those in turn, A - there are a lot of "store front" web sites out there intended to sucker people into providing their details to the bad guys. These can look very legitimate, as a fancy web site costs very little. Always check the company has a real physical existence too - if they're not well known (like Amazon etc.) I always check the domain name registration details (use a Whois service and put in the web address). This tells you the details of the person or organisation that registered the domain name and when. If it's only been registered recently, or if the location details don't match the details provided on the web site, or anything else rings alarm bells, I walk away.

B is related to this - bad guys often create "look alike" web sites with very similar web addresses to catch people typing the address in wrong, or they send out spam/phishing e-mails to socially engineer people into clicking on links to their site, believing they've gone to the real company's pages. Always type addresses in yourself for a site you're going to put your credit card details into, and check and double check you've typed it correctly. The same goes for online banking, perhaps even more so.
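As an added illustration of the two checks above (the Whois registration-age and location check in A, and the look-alike address check in B), here is a small Python script that is not part of the original post. It parses a constructed Whois record and compares a typed host name against an assumed short list of well-known shop domains; the Whois field names it looks for are an assumption about typical Whois output.

```python
import re
from datetime import date

# Constructed sample Whois output for illustration; not a real registration record.
SAMPLE_WHOIS = """\
Domain Name: example-cheap-gadgets.com
Creation Date: 2010-01-02T00:00:00Z
Registrant Country: RU
"""
# Assumed short list of well-known shop domains the reader types in by hand.
KNOWN_SITES = ["amazon.co.uk", "amazon.com", "paypal.com"]

def parse_whois(text):
    """Extract creation date and registrant country; assumes the common field names."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Creation Date|Registrant Country):\s*(\S.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    created = date.fromisoformat(fields["Creation Date"][:10])
    return created, fields.get("Registrant Country")

def whois_red_flags(text, site_country, today, min_age_days=180):
    """The post's Whois checks: registered recently, or location not matching the site."""
    created, country = parse_whois(text)
    flags = []
    age_days = (today - created).days
    if age_days < min_age_days:
        flags.append(f"domain registered only {age_days} days ago")
    if country and country.upper() != site_country.upper():
        flags.append(f"registrant country {country} differs from stated {site_country}")
    return flags

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, known=KNOWN_SITES, max_distance=2):
    """Genuine domain a typed host closely resembles (likely typo or look-alike), else None."""
    host = host.lower().strip()
    if host in known:
        return None
    best = min(known, key=lambda k: edit_distance(host, k))
    return best if edit_distance(host, best) <= max_distance else None
```

Feed `whois_red_flags` the text of a real Whois lookup and the country the site claims to be based in; any non-empty result is the "walk away" signal the post describes, and `lookalike_of` warns when a hand-typed address is one or two characters off a site you know.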

C - this is really the key. There are lots of genuine companies out there, but many of them sell rubbish to grow their profits. Always check the web for reviews and opinions of other people to get a feel for their trustworthiness. I usually do a Google search for the company name together with the word "review" and spend some time getting a feel for other people's experiences before I deal with any company for the first time online. There have been many I've decided to walk away from as a result. It's amazing how many ways some companies find to make a mess of things!

D - this is tricky to be sure of, but they should at least have both a security and a privacy statement of policy on their site. Take time to read it. Some companies do make a little extra money by selling on your details to other companies, and are often up front about this in their TOS. This is also worth a Google search to see if security experts have written anything about a company having particularly lax policies or procedures. Ultimately though, any company can be a problem here, as even some big names have managed to mess up sometimes, in some cases allowing the credit card details of millions of people to be stolen in one hit.

E - again, you want to check previous customers' comments. What are they like if you need to return things? Do they provide a phone number to contact them on the web site? If so, try calling it before you order anything to see if it's genuine and also to see how long it takes to get to speak to someone.

F - this is one of my pet peeves. Some delivery companies are a real pain to deal with, refusing to arrange alternative delivery times or arrangements, and it can end up adding significant costs to an order. I once bought something costing £20 from a company whose delivery firm was so awful that it ended up costing me an additional £10 to actually get the thing delivered. Again, check which company they use and then check the web for reviews from real people.

So, the last thing to consider is the connection between your computer and the web site. In many ways, this is actually the easy bit. Before you put any credit card details into a site (after all the checks above), make sure your web browser is showing a padlock for the page you're viewing. The exact look of this varies by browser - in IE8 it shows up at the end of the address bar as a yellow padlock. The web address should also start "https://"; this shows the site has established an SSL (Secure Sockets Layer) connection between you and the server and that all communication back and forth is being encrypted. This stops an eavesdropper mounting a "man in the middle" type attack on the data.

Last point, not directly related to buying online but relevant - if you're using wifi to connect to the Internet, then ensure you're using an encrypted signal and that it's using at least WPA encryption and not WEP. With no encryption on the wifi, someone up to a few hundred yards away could eavesdrop on every web page you visit (except if it uses SSL), everything you type into them, etc. With WEP encryption only, it takes a few minutes of snooping and then they can eavesdrop. With WPA encryption, few people will be able to crack it, and it'll take them a good few hours at least even if they try.

So, having said all that, I generally stick to the bigger companies like Amazon, who do accept credit cards.

Hope that helps.
