US-CERT Cyber Security Tip ST07-001 -- Shopping Safely Online

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            National Cyber Alert System
                            Cyber Security Tip ST07-001

Shopping Safely Online

   Online shopping has become a popular way to purchase items without the
   hassles of traffic and crowds. However, the internet has unique risks, so it
   is important to take steps to protect yourself when shopping online.

Why do online shoppers have to take special precautions?

   The internet offers a convenience that is not available from any other
   shopping outlet. From the comfort of your home, you can search for items
   from countless vendors, compare prices with a few simple mouse clicks, and
   make purchases without waiting in line. However, the internet is also
   convenient for attackers, giving them multiple ways to access the personal
   and financial information of unsuspecting shoppers. Attackers who are able
   to obtain this information may use it for their own financial gain, either
   by making purchases themselves or by selling the information to someone
   else.

How do attackers target online shoppers?

   There are three common ways that attackers can take advantage of online
   shoppers:
     * Targeting vulnerable computers - If you do not take steps to protect
       your computer from viruses or other malicious code, an attacker may be
       able to gain access to your computer and all of the information on it.
       It is also important for vendors to protect their computers to prevent
       attackers from accessing customer databases.
     * Creating fraudulent sites and email messages - Unlike traditional
       shopping, where you know that a store is actually the store it claims to
       be, attackers can create malicious websites that appear to be legitimate
       or email messages that appear to have been sent from a legitimate
       source. Charities may also be misrepresented in this way, especially
       after natural disasters or during holiday seasons. Attackers create
       these malicious sites and email messages to try to convince you to
       supply personal and financial information.
     * Intercepting insecure transactions - If a vendor does not use
       encryption, an attacker may be able to intercept your information as it
       is being transmitted.

How can you protect yourself?

     * Use and maintain anti-virus software, a firewall, and anti-spyware
       software - Protect yourself against viruses and Trojan horses that may
       steal or modify the data on your own computer and leave you vulnerable
       by using anti-virus software and a firewall (see Understanding
       Anti-Virus Software and Understanding Firewalls for more information).
       Make sure to keep your virus definitions up to date. Spyware or adware
       hidden in software programs may also give attackers access to your data,
       so use a legitimate anti-spyware program to scan your computer and
       remove any of these files (see Recognizing and Avoiding Spyware for more
       information).
     * Keep software, particularly your web browser, up to date - Install
       software updates so that attackers cannot take advantage of known
       problems or vulnerabilities (see Understanding Patches for more
       information). Many operating systems offer automatic updates. If this
       option is available, you should enable it.
     * Evaluate your software's settings - The default settings of most
       software enable all available functionality. However, attackers may be
       able to take advantage of this functionality to access your computer
       (see Evaluating Your Web Browser's Security Settings and the paper
       Securing Your Web Browser for more information). It is especially
       important to check the settings for software that connects to the
       internet (browsers, email clients, etc.). Apply the highest level of
       security available that still gives you the functionality you need.
     * Do business with reputable vendors - Before providing any personal or
       financial information, make sure that you are interacting with a
       reputable, established vendor. Some attackers may try to trick you by
       creating malicious websites that appear to be legitimate, so you should
       verify the legitimacy before supplying any information (see Avoiding
       Social Engineering and Phishing Attacks and Understanding Web Site
       Certificates for more information). Attackers may obtain a site
       certificate for a malicious website to appear more authentic, so review
       the certificate information, particularly the "issued to" information.
       Locate and note phone numbers and physical addresses of vendors in case
       there is a problem with your transaction or your bill.
     * Take advantage of security features - Passwords and other security
       features add layers of protection if used appropriately (see Choosing
       and Protecting Passwords and Supplementing Passwords for more
       information).
     * Be wary of emails requesting information - Attackers may attempt to
       gather information by sending emails requesting that you confirm
       purchase or account information (see Avoiding Social Engineering and
       Phishing Attacks for more information). Legitimate businesses will not
       solicit this type of information through email. Do not provide sensitive
       information through email, and use caution when clicking on links in
       email messages (see the paper Recognizing and Avoiding Email Scams for
       more information).
     * Check privacy policies - Before providing personal or financial
       information, check the website's privacy policy. Make sure you
       understand how your information will be stored and used (see Protecting
       Your Privacy for more information).
     * Make sure your information is being encrypted - Many sites use SSL, or
       secure sockets layer, to encrypt information. Indications that your
       information will be encrypted include a URL that begins with "https:"
       instead of "http:" and a padlock icon. If the padlock is closed, the
       information is encrypted. The location of the icon varies by browser;
       for example, it may be to the right of the address bar or at the bottom
       of the window. Some attackers try to trick users by adding a fake
       padlock icon, so make sure that the icon is in the appropriate location
       for your browser.
     * Use a credit card - There are laws to limit your liability for
       fraudulent credit card charges, and you may not have the same level of
       protection for your debit card. Additionally, because a debit card draws
       money directly from your bank account, unauthorized charges could leave
       you with insufficient funds to pay other bills. You can further minimize
       damage by using a single credit card with a low credit line for all of
       your online purchases.
     * Check your statements - Keep a record of your purchases and copies of
       confirmation pages, and compare them to your bank statements. If there
       is a discrepancy, report it immediately (see Preventing and Responding
       to Identity Theft for more information).
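   The "https:" and "issued to" checks from the list above, written out as a
   small script. This is an added example for this page, not code from US-CERT
   or from the tip's authors. It confirms the URL scheme is https, compares the
   names a certificate was issued to (subject common name and DNS subject
   alternative names, in the dict layout that Python's ssl getpeercert()
   returns) against the hostname in the URL, and checks the expiry date. The
   certificate dicts and hostnames below are constructed sample data, not real
   certificates; fetch_cert() is included only so the same checks can be run
   against a live site and is not needed for the offline sample.

```python
import ssl
import socket
from datetime import datetime, timezone
from urllib.parse import urlsplit


def uses_https(url):
    """True only when the URL scheme is https (the "https:" prefix the tip describes)."""
    return urlsplit(url).scheme.lower() == "https"


def _dns_names(cert):
    """Names the certificate was issued to: DNS SAN entries, then the subject CN, deduplicated."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return list(dict.fromkeys(names))


def _name_matches(pattern, hostname):
    """Exact match, or a single leading '*' label matching exactly one hostname label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        # "*.example.com" covers "shop.example.com" but not "a.b.example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def issued_to_matches(cert, hostname):
    """The 'issued to' review from the tip: does any certificate name match the URL's host?"""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def is_expired(cert, now=None):
    """getpeercert() reports notAfter as text like 'Jan  1 00:00:00 2030 GMT'."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return now > not_after.replace(tzinfo=timezone.utc)


def review_url(url, cert, now=None):
    """Return the problems a shopper should see before entering card details (empty list = fine)."""
    problems = []
    if not uses_https(url):
        problems.append("URL does not start with https: the form will be sent unencrypted")
        return problems  # nothing else to check; no certificate is involved over plain http
    host = urlsplit(url).hostname or ""
    if not issued_to_matches(cert, host):
        problems.append(f"certificate was issued to {', '.join(_dns_names(cert))}, not to {host}")
    if is_expired(cert, now):
        problems.append("certificate has expired")
    return problems


def fetch_cert(hostname, port=443, timeout=5):
    """Retrieve a live certificate dict (needs network access; unused by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the dict layout getpeercert() returns; not real certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
EXPIRED_CERT = dict(SAMPLE_CERT, notAfter="Jan  1 00:00:00 2020 GMT")

if __name__ == "__main__":
    for url in ("https://shop.example.com/checkout",
                "https://shop.example.net/checkout",
                "http://shop.example.com/checkout"):
        print(url, "->", review_url(url, SAMPLE_CERT) or ["ok"])
```

   A browser performs these checks itself when it draws the padlock; the
   script makes them visible so the "issued to" name and expiry date can be
   compared with the site you meant to visit rather than trusting an icon that
   a page can imitate.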
     _________________________________________________________________

   Authors: Mindi McDowell, Monica Maher
     _________________________________________________________________

   Produced 2007, 2008 by US-CERT, a government organization. Terms of use
   US-CERT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTP5HgT6pPKYJORa3AQIaPQgAspiFCHXdC8pJRjRX4Z/dhk/xsjdoM1bg
0Dn3c25KScr1xYk1dVOnFBF1jOnXhSjU3Wy4nMxHSNOGCR/PlmH4mIGLLitULWHj
lRnYTSewT/BOdujrf0+y7GHal2TgXqD9rv8NolfVTdb7lUr56KUAXIjdwZ33KhLX
H1/Bop87+prQwsoCLf1v3VHBhDWS/6RD+nNG4XbdyPqyVbs8gmfUNwkgqA/bM2hU
WSQw0BiAL7YlYPtax+7mZOEOm6G4Fy5bj/fTz1MSc9LLZIxz0YS4/rwmxV+DbsKc
crvAmAYfy+Rpa+mq3aWUU1jnPjEWQX0Pv/md3bxSgSR7Mrw++FpWZw==
=egTT
-----END PGP SIGNATURE-----
