Secure E-Commerce From First to Final Click
Feb 27, 2008 4:00 AM PT
What's most important to consumers when making a purchase online? Personal identity. Consumers are taking more notice of their individual online security after a string of recent identity theft cases made major headlines. According to a recent survey by the University of Southern California's Center for the Digital Future, 61 percent of adult Americans said they were "very" or "extremely" concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Prior to 2007, that number had been decreasing for the past six years.
So where do we, as consumers, really stand in 2008? The shopping Web sites we frequent know who we say we are, but not who we actually are. Various industry verticals have minimized risk here to a certain extent; however, none of them can provide 100 percent assurance. Therefore, in the coming year we will see a continued focus by criminals on the theft of identity information. In the consumer market, we need to be continuously cognizant of how, when and where this theft of our personal information can happen.
This leads to the "how do we help ourselves" question. First we need to educate ourselves about the threats currently in play, as well as growing areas of personal security development; secondly, we can collectively take a few common sense steps to make big strides in keeping our data safe.
To begin with an example, physical devices such as laptops, PDAs (personal digital assistants), USB (universal serial bus) flash drives and MP3 players are often stolen for the content or identity contained within the device. We can look at malware as simply the cyber-version of this type of physical theft. Recent data breaches, such as the Kingston Technology compromise that left as many as 27,000 consumers' personal data vulnerable, and the now-infamous TJX debacle, demonstrate the fallout from this type of theft. These far-reaching security breaches also demonstrate that malware is becoming increasingly organized.
Cyber-criminals can target specific demographics, geographical locations or precise people and businesses -- and they are attracted to anywhere that holds potential access to personal information, including login credentials, account details and credit card information. In the past few years, malware was targeted through communication tools such as e-mail and instant messaging. Its targeted reach will only get worse during 2008 as the criminal element becomes better organized -- and as social networking and online gaming sites continue to thrive and attract greater numbers.
Some of the biggest threats to keeping our data safe online today are phishing scams. Phishing is an older form of cyber-crime that involves tricking a consumer into providing personal data directly to a hacker through an unsecured Web site or redirected link. However, hackers also have a variety of ways of lifting personal information out through the "backdoor," as is the case with keylogger Trojans that collect keystroke information and transmit it back to an attacker.
For example, a Trojan on your computer can record the keystrokes of your bank login ID and password, and then potentially relay that information back to a hacker for criminal use. "Wardriving," another fairly recent phenomenon, has emerged as an additional way for hackers to trawl for personal data. Wardriving describes the act of searching from a moving vehicle for unsecured wireless networks to penetrate.
Encryption and ID Management
However, as malware and hacking schemes become increasingly creative and sophisticated, so too must our means to combat them. For example, two growing areas of personal security development are encryption and identity management services. Encryption will continue to grow in popularity for mobile and home-based devices, such as home network storage and personal file servers. The challenge is that encryption only protects stored data or data in motion.
What about daily life processes like shopping (online or in-person)? For these types of daily processes, we'll see a significant growth in the identity protection market with vendors allowing consumers to add layered identity security for a monthly fee. As online access from mobile devices grows and more personal data is stored on smartphones, we will also see mobile defense bulk up to include protection or lock-down mechanisms when devices are stolen. This is an increasingly vital area of protection given recent estimates by John Pironti, chief information risk strategist for Getronics, that one New York-based financial services firm loses a laptop and five smartphones per day in taxicabs.
The bottom line today is that malware authors are far more organized, and they are in it for the money. Both the motivation and the capabilities of these organized units are much greater than even a few years ago -- so what are some practical ways we can keep our personal data protected in everyday life?
Simple Steps for Staying Safe
- First and foremost, always make sure you have a secure connection to the Internet. As tempting as it may be to sign onto an available WiFi connection -- whether it be your neighbor's or while stopping for coffee at the local coffee shop -- don't do it!
- Make sure your computer has the most up-to-date antivirus protection so that hackers aren't stealing your passwords or credit card information through Trojans, etc.
- Check to see if the shopping sites you frequent are protected or hacker safe. Look for guarantees of protected shopping, where retailers are taking the initiative to have their sites scanned daily for network vulnerabilities.
- Avoid clicking on links from e-mails hawking products, and never send any credit card information or checking account numbers via e-mail. Make sure that you are on the actual retailer's Web site itself when you're buying, rather than navigating there through e-mail links that could lead you to a phony phishing page. Never respond to spam e-mails, as this will notify the senders that they have located an active account!
- Understand the dangers of pirated software and file sharing. In addition to downloading viruses that shared files could contain, you could be breaking national copyright laws. You could also be downloading spyware -- which gathers personal information about you without your knowledge, giving hackers access to your personal files and programs.
While it's true that hackers are becoming more organized each year, this doesn't mean that we need to forfeit the conveniences that being online offers simply in order to stay safe. By educating ourselves and using a bit of common sense, we can help ensure that from first click to final transaction, our private data actually stays that way.
Tom Bowers is senior security evangelist for Kaspersky Lab, a developer of Internet threat management solutions that protect against all forms of malicious software. He is president of the Philadelphia chapter of InfraGard and has also held senior management positions in IT and security at a variety of companies, including Security Constructs and Wyeth Pharmaceuticals.