Best practices for online shopping, Part 2
23 August, 2007 08:17
Here are some more tips and practical suggestions for improving the security of shopping online from former graduate student Steven Zeligman:
Safeguard your own personal information and records
Do not send payment information via e-mail. Unencrypted e-mail is not a secure method of communication. All information transmitted via e-mail is at risk of interception by bad people. Any trustworthy online merchant uses encryption technologies to protect private information during a transaction on their Web site.
Keep records of all transactions, much as you keep paper receipts for physical "brick and mortar" purchases. An easy way to do that if you have full Acrobat is to print to an Acrobat file from your browser; alternatively, you can use the print function of your browser and send to a suitable printer or even take a screenshot and save the image file on disk. (MK adds: I keep records in folders labeled by vendor in a folder called "My Received Files." I have a folder for software licenses, for example, one for DVDs, one for CDs and so on.)
Other methods of safeguarding e-commerce information include:
- Always conduct online transactions using a Web browser that has all current security patches and uses at least 128-bit encryption.
- Always use strong passwords that contain a combination of uppercase letters, lowercase letters, and special characters for e-commerce accounts.
- Never use obvious passwords such as family names, birthdays, pets' names, etc. for e-commerce accounts.
- Always use passwords that contain six or more characters.
- Never share user names or passwords with anyone else.
- Never use the "one-click shopping" that stores credit-card information accessible through an online account password.
- Never perform online transactions on public computers.
- If you have an unsecured home computer, do not allow your browser to store user IDs and passwords for the online-shopping sites you use.
For more information on browser security and Web sites, see the following U.S. Computer Emergency Readiness Team (US-CERT) Cyber Security Tips:
- ST04-022 "Understanding Your Computer: Web Browsers"
- ST05-001 "Evaluating Your Web Browser's Security Settings"
- ST04-012 "Browsing Safely: Understanding Active Content and Cookies"
- ST05-010 "Understanding Web Site Certificates"
Review the Online Merchant's Privacy Statement
Consumers should also be prudent about what personal and financial information they reveal to conduct an online transaction. It is usually necessary to provide a credit-card number. However, it should never be required to provide bank-account numbers or Social Security Numbers to conduct online shopping transactions.
There are many reliable online merchants; if you don't like a merchant's policies, choose a different one.
With a few precautions, you can usually take advantage of online shopping conveniences without significant risk. The essential point is that you have to think before you shop - but that's true in all situations.
Steven Zeligman, MSIA, MCP, CISSP, is the Network Security Manager at Dataline, and has more than 15 years of experience in information technology and security. His opinions are entirely his own and do not constitute the opinions of his employer. You are welcome to write to him with comments on this article.