Cyber Security Tip ST07-001 -- Shopping Safely Online
From: US-CERT Security Tips <security-tips () us-cert gov>
Date: Tue, 7 Dec 2010 09:44:32 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Tip ST07-001
Shopping Safely Online
Online shopping has become a popular way to purchase items without the
hassles of traffic and crowds. However, the internet has unique risks, so it
is important to take steps to protect yourself when shopping online.
Why do online shoppers have to take special precautions?
The internet offers a convenience that is not available from any other
shopping outlet. From the comfort of your home, you can search for items
from countless vendors, compare prices with a few simple mouse clicks, and
make purchases without waiting in line. However, the internet is also
convenient for attackers, giving them multiple ways to access the personal
and financial information of unsuspecting shoppers. Attackers who are able
to obtain this information may use it for their own financial gain, either
by making purchases themselves or by selling the information to someone
else.
How do attackers target online shoppers?
There are three common ways that attackers can take advantage of online
shoppers:
* Targeting vulnerable computers - If you do not take steps to protect
your computer from viruses or other malicious code, an attacker may be
able to gain access to your computer and all of the information on it.
It is also important for vendors to protect their computers to prevent
attackers from accessing customer databases.
* Creating fraudulent sites and email messages - Unlike traditional
shopping, where you know that a store is actually the store it claims to
be, attackers can create malicious websites that appear to be legitimate
or email messages that appear to have been sent from a legitimate
source. Charities may also be misrepresented in this way, especially
after natural disasters or during holiday seasons. Attackers create
these malicious sites and email messages to try to convince you to
supply personal and financial information.
* Intercepting insecure transactions - If a vendor does not use
encryption, an attacker may be able to intercept your information as it
is being transmitted.
How can you protect yourself?
* Use and maintain anti-virus software, a firewall, and anti-spyware
software - Protect yourself against viruses and Trojan horses that may
steal or modify the data on your own computer and leave you vulnerable
by using anti-virus software and a firewall (see Understanding
Anti-Virus Software and Understanding Firewalls for more information).
Make sure to keep your virus definitions up to date. Spyware or adware
hidden in software programs may also give attackers access to your data,
so use a legitimate anti-spyware program to scan your computer and
remove any of these files (see Recognizing and Avoiding Spyware for more
information).
* Keep software, particularly your web browser, up to date - Install
software updates so that attackers cannot take advantage of known
problems or vulnerabilities (see Understanding Patches for more
information). Many operating systems offer automatic updates. If this
option is available, you should enable it.
* Evaluate your software's settings - The default settings of most
software enable all available functionality. However, attackers may be
able to take advantage of this functionality to access your computer
(see Evaluating Your Web Browser's Security Settings and the paper
Securing Your Web Browser for more information). It is especially
important to check the settings for software that connects to the
internet (browsers, email clients, etc.). Apply the highest level of
security available that still gives you the functionality you need.
* Do business with reputable vendors - Before providing any personal or
financial information, make sure that you are interacting with a
reputable, established vendor. Some attackers may try to trick you by
creating malicious websites that appear to be legitimate, so you should
verify the legitimacy before supplying any information (see Avoiding
Social Engineering and Phishing Attacks and Understanding Web Site
Certificates for more information). Attackers may obtain a site
certificate for a malicious website to appear more authentic, so review
the certificate information, particularly the "issued to" information.
Locate and note phone numbers and physical addresses of vendors in case
there is a problem with your transaction or your bill.
* Take advantage of security features - Passwords and other security
features add layers of protection if used appropriately (see Choosing
and Protecting Passwords and Supplementing Passwords for more
information).
* Be wary of emails requesting information - Attackers may attempt to
gather information by sending emails requesting that you confirm
purchase or account information (see Avoiding Social Engineering and
Phishing Attacks for more information). Legitimate businesses will not
solicit this type of information through email. Do not provide sensitive
information through email, and use caution when clicking on links in
email messages (see the paper Recognizing and Avoiding Email Scams for
more information).
* Check privacy policies - Before providing personal or financial
information, check the website's privacy policy. Make sure you
understand how your information will be stored and used (see Protecting
Your Privacy for more information).
* Make sure your information is being encrypted - Many sites use SSL, or
secure sockets layer, to encrypt information. Indications that your
information will be encrypted include a URL that begins with "https:"
instead of "http:" and a padlock icon. If the padlock is closed, the
information is encrypted. The location of the icon varies by browser;
for example, it may be to the right of the address bar or at the bottom
of the window. Some attackers try to trick users by adding a fake
padlock icon, so make sure that the icon is in the appropriate location
for your browser.
* Use a credit card - There are laws to limit your liability for
fraudulent credit card charges, and you may not have the same level of
protection for your debit card. Additionally, because a debit card draws
money directly from your bank account, unauthorized charges could leave
you with insufficient funds to pay other bills. You can further minimize
damage by using a single credit card with a low credit line for all of
your online purchases.
* Check your statements - Keep a record of your purchases and copies of
confirmation pages, and compare them to your bank statements. If there
is a discrepancy, report it immediately (see Preventing and Responding
to Identity Theft for more information).
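The two checks the "Do business with reputable vendors" and "Make sure your information is being encrypted" items describe (the URL scheme must be https, and the certificate's "issued to" names must cover the vendor you meant to visit, not a look-alike) can be written down as a small script. The following is an added example, not part of the US-CERT tip: the certificate dictionaries are constructed to mimic the shape Python's ssl.getpeercert() returns, the vendor names are placeholders, and a real browser or TLS library performs the same name matching for you during the handshake.

```python
"""Check the tip's encryption and "issued to" indicators for a checkout URL.

Added example (not from the US-CERT tip). Certificates below are constructed
in the dict shape Python's ssl.getpeercert() returns; no network access is
made, so the script runs offline.
"""
from typing import Optional, Tuple, List
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host (RFC 6125 style).

    A wildcard may stand in for exactly one leftmost label, so
    '*.example.com' covers 'shop.example.com' but not 'example.com'
    or 'a.b.example.com'.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_dns_names(cert: dict) -> List[str]:
    """Return the names the certificate was issued to (SAN first, CN fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_checkout_page(url: str, cert: Optional[dict], intended_host: str) -> Tuple[bool, str]:
    """Apply the tip's checks: https, the host you meant, a matching certificate.

    Returns (ok, reason). intended_host is the vendor's domain as you know it
    from a trusted source (a receipt, a bookmark), so look-alike domains that
    hold their own valid certificate are still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"not encrypted: URL scheme is {parts.scheme!r}, expected 'https'"
    host = (parts.hostname or "").lower()
    intended = intended_host.lower()
    if not (host == intended or host.endswith("." + intended)):
        return False, f"look-alike host: {host!r} is not {intended!r} or a subdomain of it"
    if cert is None:
        return False, "no certificate presented"
    names = cert_dns_names(cert)
    if any(hostname_matches(name, host) for name in names):
        return True, f"ok: {host} is covered by certificate issued to {names}"
    return False, f"name mismatch: {host} is not among certificate names {names}"


# Constructed sample data (placeholder vendor names, not real sites).
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "shop-example.com"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "shop-example.com"),),
}

if __name__ == "__main__":
    cases = [
        ("https://shop.example.com/checkout", SHOP_CERT),
        ("https://pay.shop.example.com/cart", SHOP_CERT),
        ("http://shop.example.com/checkout", SHOP_CERT),
        ("https://shop-example.com/checkout", LOOKALIKE_CERT),
        ("https://shop.example.com.evil.test/checkout", SHOP_CERT),
    ]
    for url, cert in cases:
        ok, reason = check_checkout_page(url, cert, "shop.example.com")
        print(f"{'PASS' if ok else 'FAIL':4} {url}: {reason}")
```

The look-alike case is the one the tip singles out: a certificate for shop-example.com can be perfectly valid, and the padlock will close, yet the "issued to" name is not the vendor you intended. Comparing the host against a domain you already trust is what catches it; the certificate check alone would not.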
_________________________________________________________________
Authors: Mindi McDowell, Monica Maher
_________________________________________________________________
Produced 2007, 2008 by US-CERT, a government organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTP5HgT6pPKYJORa3AQIaPQgAspiFCHXdC8pJRjRX4Z/dhk/xsjdoM1bg
0Dn3c25KScr1xYk1dVOnFBF1jOnXhSjU3Wy4nMxHSNOGCR/PlmH4mIGLLitULWHj
lRnYTSewT/BOdujrf0+y7GHal2TgXqD9rv8NolfVTdb7lUr56KUAXIjdwZ33KhLX
H1/Bop87+prQwsoCLf1v3VHBhDWS/6RD+nNG4XbdyPqyVbs8gmfUNwkgqA/bM2hU
WSQw0BiAL7YlYPtax+7mZOEOm6G4Fy5bj/fTz1MSc9LLZIxz0YS4/rwmxV+DbsKc
crvAmAYfy+Rpa+mq3aWUU1jnPjEWQX0Pv/md3bxSgSR7Mrw++FpWZw==
=egTT
-----END PGP SIGNATURE-----