Cyber Security Tip ST07-001 Shopping Safely Online

Cyber Security Tip ST07-001 Shopping Safely Online

Online shopping has become a popular way to purchase items without yhe hassles of traffic and crowds. However, the Internet has unique risks,so it is important to take steps to protect yourself when shopping online.

Why do online shoppers have to take special precautions?
The Internet offers a convenience that is not available from any
other shopping outlet. From the comfort of your home, you can search
for items from countless vendors, compare prices with a few simple
mouse clicks, and make purchases without waiting in line. However,
the Internet is also convenient for attackers, giving them multiple
ways to access the personal and financial information of
unsuspecting shoppers. Attackers who are able to obtain this information may use
it for their own financial gain, either by making purchases themselves
or by selling the information to someone else.

How do attackers target online shoppers?

There are three common ways that attackers can take advantage
of online shoppers:
* Targeting vulnerable computers – If you do not take steps
to protect your computer from viruses or other malicious code,
an attacker may be able to gain access to your computer and all
of the information on it. It is also important for vendors to
protect their computers to prevent attackers from accessing
customer databases.
* Creating fraudulent sites and email messages – Unlike traditional
shopping, where you know that a store is actually the store
it claims to be, attackers can create malicious web sites that
mimic legitimate ones or create email messages that appear to have
been sent from a legitimate source. Charities may also
be misrepresented in this way, especially after natural disasters
or during holiday seasons. Attackers create these malicious sites
and email messages to try to convince you to supply personal
and financial information.
* Intercepting insecure transactions – If a vendor does not
use encryption, an attacker may be able to intercept your
information as it is being transmitted.

How can you protect yourself?

* Use and maintain anti-virus software, a firewall, and
anti-spyware software – Protect yourself against viruses and Trojan horses
that may steal or modify the data on your own computer and leave
you vulnerable by using anti-virus software and a firewall
(see understanding Anti-Virus Software and Understanding Firewalls
formore information). Make sure to keep your virus definitions up
to date. Spyware or adware hidden in software programs may also
give attackers access to your data, so use a legitimate
anti-spyware program to scan your computer and remove any of these files
(see Recognizing and Avoiding Spyware for more information).
* Keep software, particularly your web browser, up to date -Install
software patches so that attackers cannot take advantage of
known problems or vulnerabilities (see Understanding Patches for
more information). Many operating systems offer automatic updates.
If this option is available, you should enable it.
* Evaluate your software’s settings – The default settings of
most software enable all available functionality. However,
attackers may be able to take advantage of this functionality to access
your computer (see Evaluating Your Web Browser’s Security Settings
for more information). It is especially important to check
the settings for software that connects to the Internet
(browsers,email clients, etc.). Apply the highest level of
security available that still gives you the functionality you need.
* Do business with reputable vendors – Before providing any
personal or financial information, make sure that you are interacting
with a reputable, established vendor. Some attackers may try to
trick you by creating malicious web sites that appear to be
legitimate,so you should verify the legitimacy before supplying
any information (see Avoiding Social Engineering and Phishing
Attacks and Understanding Web Site Certificates for more
information). Locate and note phone numbers and physical addresses of vendors
in case there is a problem with your transaction or your bill.
* Take advantage of security features – Passwords and other
security features add layers of protection if used appropriately
(see Choosing and Protecting Passwords and Supplementing Passwords
for more information).
* Be wary of emails requesting information – Attackers may
attempt to gather information by sending emails requesting that
you confirm purchase or account information (see Avoiding
Social Engineering and Phishing Attacks for more information).
Legitimate businesses will not solicit this type of information
through email.
* Check privacy policies – Before providing personal or
financial information, check the web site’s privacy policy. Make sure
you understand how your information will be stored and used
(see Protecting Your Privacy for more information).
* Make sure your information is being encrypted – Many sites
use SSL, or secure sockets layer, to encrypt information.
Indications that your information will be encrypted include a URL that
begins with “https:” instead of “http:” and a lock icon in the
bottom right corner of the window.
* Use a credit card – Unlike debit cards, credit cards may have
a limit on the monetary amount you will be responsible for paying
if your information is stolen and used by someone else. You
can further minimize damage by using a single credit card with a
low credit line for all of your online purchases.
* Check your statements – Keep a record of your purchases and
copies of confirmation pages, and compare them to your bank
If there is a discrepancy, report it immediately (see
Preventing and Responding to Identity Theft for more information).

Authors: Mindi McDowell, Monica Maher

Produced 2007 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed

to increase awareness.

Terms of use


This document can also be found at


Posted in News.