Securing ecommerce in 2011

01 Feb 2011

The world is now finally finding an escape from the purchasing drought of the recent GFC. Consumers are flexing their wallets via the internet to satisfy their shopping needs.

The increasing use of smartphones, tablets and other mobile technology, coupled with the introduction of Wi-Fi capable areas, is in the line of sight of cyber criminals looking to siphon your personal data. In 2011, new and resolute Trojans and other malicious software are on the horizon. Consumers need to be educated that simple authentication isn’t complete security when transacting online. Precautions need to be taken to limit exposure to the global epidemic of compromised ecommerce.

Mobile use continues to grow

The advancement of smartphone technology, from Androids to iPhones, provides a valuable opportunity for cyber criminals. The prevalent use of this technology poses a growing risk to enterprises and end-users, many of whom do not have the tools or knowledge of real-time security to address these potential risks.

The exponential short-term growth of mobile banking and shopping has seen limited security offerings available, making them more susceptible to attack. To combat the lack of security on mobile devices, ensure your computer has the latest internet security suite updates and firewall installed, that it has them switched on and that the latest operating system updates are installed. This includes your PC, Mac, iPad or mobile device including iPhone, Android, Nokia Phone or Windows Phone and even the set top box at home, such as Xbox or Wii, as most are connected to the internet these days.

During a transaction, be aware that if you pay via debit card rather than credit card, your funds may not be protected if compromised. However, if your details are compromised when using your credit card and you do lose money, you have greater protection through your credit card provider, bringing a greater chance of your money being returned.

Be aware when on the go

As Wi-Fi capable areas increase in urban hot spots such as your local coffee shop, consumers are finding more convenient locations to transact online. However, when making transactions via public Wi-Fi, you should be wary that these transactions could be dangerous if those sites were exposed to hacking or data manipulation by criminals. Sending personal details via any public Wi-Fi site is unsafe and can put you, your device and your personal details at risk. In addition, when connecting to a closed Wi-Fi site, check you are connected to the correct portal and SSL is enabled on your browser, otherwise you can still be susceptible to an attack.

For further protection, check the certificate of the website. EV-SSL certs (Extended Validation Certificates) make it easier to do this because the browser will alternate between showing the owner of the certificate and the Certificate Authority.

Most transactions will send you a follow-up email. Be aware that if you use the default settings of Microsoft Outlook, your email password is sent in clear text and can be seen by anyone sniffing your connection in a public Wi-Fi network.

Adept trojans increase in sophistication

Malware today has developed some very sophisticated capabilities and techniques that enable it to evade detection and manipulate computer users’ private and personal details. Some forms of malware may not actually exist as a physical application, but run in your computer memory as a virtual application. This form of attack is designed to send personal and private data collected via various means to a third party in real-time, which in turn manipulates an unsuspecting consumer’s details for unscrupulous means. This is often an automated procedure and often reaps massive reward for the criminals.

Criminals may use social engineering to trick consumers into giving personal and private details. They inject additional fields into a genuine website to gain further key personal and private details. These practices employed by criminals are often referred to as phishing or pharming.

One of the most popular threats is ‘cross site scripting’, which enables malicious attackers to inject client-side script into web pages viewed by consumers. All types of information can be gained via this method, from personal information, to credit card numbers, to gaining access to a remote web server. Pages of the online shopping portal could be changed or faked to retrieve this kind of information.

Trojans like Carberp or Zeus will modify the Online Banking page in real-time while being served from the secure banking application. Online shopping portals can and will be attacked in the same way as online banking sites. No SSL or EV-SSL will prevent this attack because the magic happens after the content has been decrypted.

Authentication isn’t complete security

We often come across authentication logins, questions and passwords on a variety of transactional and online shopping websites. This can range from paying a bill, transferring money or even buying a bunch of flowers online. However, the vast majority of online authentication does not provide complete security to the user. A few simple reminders are to never give out private details like birth date, mother’s maiden name, and bank account details to a website, especially retail websites or untrusted websites. Never use the same password for shopping sites as you do with online banking (especially sites of a less known reputation).

If making purchases where your identity or the gift recipient’s details are requested, you should check the privacy policy of the website. Ask yourself what the website owners intend to do with your personal or private information. Where are the details stored? Is the online business or online shop Payment Card Industry Data Security Standard (PCI DSS) compliant?

In the end we are now in a world where security is vital, but with adequate protection and precautions we can all enjoy online innovation. Always remember though, if an offer sounds too good to be true, it most probably is!
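
A shop or bank page can look for the extra form fields described under "Adept trojans increase in sophistication" by comparing the controls present in the browser with the list its own template renders. This is an added example, not code from the original article; the field names, the allow-list and the sample forms are constructed for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
// Fields the shop's own checkout template renders (assumed allow-list).
const EXPECTED_FIELDS = new Map([
  ["card_number", "text"],
  ["card_expiry", "text"],
  ["card_cvc", "password"],
  ["billing_postcode", "text"],
]);
const SKIP = new Set(["submit", "button", "reset", "fieldset"]);

// Compare the controls actually present in a form with the allow-list.
// `form` is an HTMLFormElement in the browser, or any object exposing an
// iterable `elements` collection of { name, type } items.
function auditForm(form, expected = EXPECTED_FIELDS) {
  const unexpected = [], retyped = [], seen = new Set();
  for (const el of form.elements) {
    const name = el.name || "";
    const type = (el.type || "").toLowerCase();
    if (SKIP.has(type)) continue;
    if (!expected.has(name)) {
      unexpected.push(name || "(unnamed)");
      continue;
    }
    seen.add(name);
    if (expected.get(name) !== type) retyped.push(name);
  }
  const missing = [...expected.keys()].filter((n) => !seen.has(n));
  return {
    tampered: unexpected.length + retyped.length + missing.length > 0,
    unexpected, retyped, missing,
  };
}

// Constructed samples: the form as served, and the same form after two
// extra prompts have been added to it inside the browser.
const servedForm = { elements: [
  { name: "card_number", type: "text" },
  { name: "card_expiry", type: "text" },
  { name: "card_cvc", type: "password" },
  { name: "billing_postcode", type: "text" },
  { name: "", type: "submit" },
] };
const injectedForm = { elements: [
  ...servedForm.elements,
  { name: "mothers_maiden_name", type: "text" },
  { name: "online_banking_pin", type: "password" },
] };
console.log(auditForm(servedForm).tampered, auditForm(injectedForm).unexpected);
```

Because the check runs inside the same browser the trojan controls, a positive result is a detection signal worth reporting to the server, while a clean result does not prove the machine is clean.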