Tuesday, December 16, 2008

You're [In]Secure Online

Thinking of going shopping online this holiday season? Think again.

Between the scammers, spammers, and security gaffes out there it's just not the type of environment you want to enter your credit card into. What's worse, your browser may be out to get you too! With all that risk... let's look at the real problems with transacting online this holiday season, or any other time...
  1. Obviously credit card companies (even the PCI certified ones) just suck at security (see this blog entry for a start: http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-american-express.html)
  2. This isn't the first article to say online shopping is going to be like running blind through a mine-field (see here: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212200731)
  3. Your browser (if it's IE) is going to get you hacked and you won't even know it! (see here: http://news.cnet.com/8301-1009_3-10120341-83.html or google it)
  4. Banks certainly don't seem to care all too much about security, as they have huge flaws themselves that'll allow their users to be phished or scammed (see here: http://holisticinfosec.blogspot.com/2008/12/online-finance-flaw-us-bank-national.html or google for yourself)
So with that... why would you want to take your shopping or browsing online? Go to the stores, hit the mall, tell online retailers and your credit card companies that you refuse to be the victim in their pathetic attempt to evade having to implement good security. Take a stand!

OK, that may be a bit over-the-top, I know... but it gets my point across. Here are some simple tips for keeping yourself relatively safe online this season... (or whenever)
  • Never, ever, ever follow a link you get in an email - if you get an email from your bank telling you to "click here to continue/login to your account" DON'T. Go to your bank's website or call their 800 number and report the incident!
  • Use one-time credit card numbers - your credit card company, if they're of any value, will have this available somewhere on their website. Generating a one-time credit card number means that you're safe even if someone steals the entire database of card numbers from the PCI Certified merchant you're buying online from...
  • Never use your debit card online - ... because unlike with a credit card, your money is gone instantly ... without the ability to dispute, etc.
  • Never use your debit card w/PIN - online or at a store, never, ever use your PIN number at a merchant (even at a brick-and-mortar store) because who knows how good their security is, and again (see point above) once your PIN is lost, you're hosed!
  • Stop using Internet Explorer - while this is just a good rule to follow every day (because no good can come from using ActiveX), now it's even more critical with the serious flaw Microsoft refuses to patch (and yes, there are exploits out there right now for it)
  • Be aware - Be smart and aware of what's going on. If something doesn't seem right, close the browser (ALT + F4) and don't go back to that page...
  • Update your anti-virus - although anti-virus doesn't help much these days, make sure you're at least updated. If you want advice on the best one out there to use... Kaspersky is what I trust my (Windows) PC to... and I visit some seriously icky sites...
That's it... that's the best advice I can offer, and hopefully you'll pass this along to friends, family, and co-workers. It's vital that we stay vigilant against stupidity, companies that don't care, and foreign threats.

Merry Christmas.
