Sunanda Creagh June 24, 2012
A few security basics can help online buyers thwart increasingly canny and well-equipped fraudsters.
Internet users have long been told there's a golden rule for shopping and banking online: click on the left-hand side of the internet address bar and check if a padlock symbol pops up. Or look for an "s" after "http" in the web address.
The padlock - which also often appears on the bottom right-hand corner of secure web pages - and the "s" mean the site has a Secure Sockets Layer (SSL) certificate. This means private details - such as the information you enter in an online form - sent to that site are encrypted in transit to stop hackers eavesdropping. SSL certificates are also supposed to guarantee that a website is what it purports to be and not a phoney lookalike.
However, new hacking techniques and revelations last year that hackers infiltrated one of the world's top SSL certificate-issuing companies have exposed vulnerabilities in the padlock system, highlighting that no tech trumps common sense when shopping online.
Online shoppers risk losing their credit card and bank account details to hackers, who sell them in batches on websites that occupy what's known as the cyber underground or the deep web - sites almost untraceable by search engines. Reusing usernames and passwords compounds the risk significantly because stolen credentials can then be used on more than one site successfully.
"Unfortunately, still the easiest way for [people] to be compromised is by a weak username and password," Chris Gatford, of IT security company HackLabs, says.
Online shoppers could use password-safe software such as 1Password, which creates and stores strong passwords for several accounts in a secure file and lets users access them by entering a single password. When creating a password for an account with a specific site - Hoyts, for example - don't pick the name of a loved one, first school, address or favourite place, Gatford says.
"Take a sentence you know and take the first letter of each word, throw in an exclamation mark or a dollar sign at each end of the website name.
"So, using 'quick brown fox jumps over the fence', try '!QBFJOTF?Hoyts' and you have a better password."
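The following is an added example, not code from the article or from HackLabs. It implements the "first letter of each word" recipe quoted above, runs a rough strength estimate over the result, and scans a constructed list of accounts for the reuse the article warns about. The account list, the site names and the punctuation defaults are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample data (not real accounts): one user, four sites, with the
# same password reused on two of them.
SAMPLE_ACCOUNTS = [
    ("Hoyts", "alice", "!QBFJOTF?Hoyts"),
    ("shop.example", "alice", "Fluffy1999"),
    ("bank.example", "alice", "Fluffy1999"),
    ("forum.example", "alice", "!QBFJOTF?forum.example"),
]


def mnemonic_password(sentence: str, site: str, lead: str = "!", sep: str = "?") -> str:
    """Build a password the way the article describes: the first letter of
    each word of a memorable sentence, upper-cased, with punctuation and the
    site name appended. `lead` and `sep` are assumed defaults chosen so the
    article's own example ('!QBFJOTF?Hoyts') is reproduced."""
    initials = "".join(word[0] for word in sentence.split() if word).upper()
    return f"{lead}{initials}{sep}{site}"


def estimate_bits(password: str) -> float:
    """Rough strength estimate: log2 of the alphabet size per character, where
    the alphabet is the union of character classes the password actually uses.
    This is the naive figure most strength meters report."""
    space = 0
    if any(c.islower() for c in password):
        space += 26
    if any(c.isupper() for c in password):
        space += 26
    if any(c.isdigit() for c in password):
        space += 10
    if any(not c.isalnum() for c in password):
        space += 33  # printable ASCII punctuation
    return len(password) * math.log2(space) if space else 0.0


def secret_bits(password: str, site: str) -> float:
    """Same estimate, but over only the part of the password that is not the
    site name. The site name is public, so it adds length but no secrecy; the
    gap between this and estimate_bits() is how much a naive meter overstates."""
    secret = password.replace(site, "")
    return estimate_bits(secret)


def find_reused_credentials(accounts):
    """Return {(username, password): [sites]} for every credential pair that
    appears on more than one site. A leak from any one of those sites exposes
    all of them, which is the risk the article describes."""
    by_pair = defaultdict(list)
    for site, user, password in accounts:
        by_pair[(user, password)].append(site)
    return {pair: sites for pair, sites in by_pair.items() if len(sites) > 1}


def report(accounts):
    """Summarise strength and reuse for a list of (site, user, password)."""
    lines = []
    for site, user, password in accounts:
        lines.append(
            f"{site}: naive {estimate_bits(password):.0f} bits, "
            f"secret portion {secret_bits(password, site):.0f} bits"
        )
    for (user, _), sites in find_reused_credentials(accounts).items():
        lines.append(f"REUSED: {user} uses one password on {', '.join(sites)}")
    return lines


if __name__ == "__main__":
    print(mnemonic_password("quick brown fox jumps over the fence", "Hoyts"))
    for line in report(SAMPLE_ACCOUNTS):
        print(line)
```

Run it as a script to see the article's example password regenerated from its sentence, the strength figures for each constructed account, and the reuse warning for the two sites sharing "Fluffy1999". The point of `secret_bits` is that the site-name suffix makes each password look unique and long to a strength meter while the memorable core is the same everywhere; a password manager, as the article suggests, removes that trade-off by generating unrelated passwords per site.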
Gatford says online shoppers should still check for the SSL padlock but warns that some disreputable companies selling certificates will award them to anyone willing to pay.
"To be honest, it's all a bit of a marketing ploy," he says. "Several of the places that supply SSL certificates, including VeriSign, have been publicly compromised in the last couple of years."
Gatford adds that data-loss disclosure laws are urgently needed so customers can be told when companies holding their private details have been hacked.
Sean Kopelke, of security software company Symantec - which acquired part of the VeriSign business - says sites with a certificate are still far safer than those without and that his company undertakes careful checks before issuing SSL certificates to buyers.
However, a hacking technique called "man-in-the-browser" allows fraudsters to view data sent via SSL-protected websites, even though it is encrypted.
Kopelke says online shoppers should make sure their antivirus software is up to date, avoid clicking on suspicious links in unexpected emails, and know a bank will never request a customer's online username or password.
"I think there could be a massive amount of improvement just by going through the basics, making sure the passwords are good and not just written on a sticky note next to the computer," he says.
Websites displaying the VeriSign Trust Seal are scanned daily for malicious software that may be lurking on that website's server, he adds, reducing the risk of exposure to botnet malware. Botnet malware can allow hackers to take over and use an online shopper's computer as part of a network of compromised computers. These can then be commandeered by botnet masters to distribute spam or more malware, or even attack a website in what is known as a Denial of Service (DoS) attack.
Associate Professor David Glance, the director of the University of Western Australia's Centre for Software Practice, says online shoppers should use a service such as PayPal where possible and research an unfamiliar site on forums before buying from it. A PayPal account can be linked to a credit card or bank account to bypass the need to enter credit card numbers online.
The consumer group Choice recommends online shoppers avoid using public computers, such as those in libraries and internet cafes, for online shopping; to consider carefully if the product advertised is a fake; and consider using a separate credit or debit card just for internet purchases.
SSL - Secure Sockets Layer; information submitted on the page is encrypted in transit.
http - Hypertext Transfer Protocol; allows internet traffic to transfer and connect to web pages.
https - the secure version of http.
URL - uniform resource locator, or a website's unique address.
Browser - software that allows internet browsing, such as Internet Explorer, Firefox and Chrome.
Browser address bar - the field at the top of the page where website addresses are entered.