How to Shop and Browse Securely

Cyber Security, Pen Test, CASP+, CISSP, PMP

The internet has become so integrated into our lives that we can’t imagine functioning without it. The company Google has become a verb, seemingly overnight. I’m actually surprised there are still librarians around. Nothing is without its faults though, and the internet is no different. It’s chock-full of criminals waiting to steal your money, your identity and worse. To remain safe online, it’s important to exercise the same caution you would when entering any physical dwelling. Be mindful of your surroundings and keep your valuables out of sight!

The first step to browsing securely is to be mindful of your surroundings. Just as you would be apprehensive about walking into a shady-looking building, a creepy-looking website should give you just as much pause. Now, how does one spot a shady website? Start at the top of your browser and locate the URL (Uniform Resource Locator). This is where you find the name of the site you’re viewing.

There are a couple of parts of this address to pay attention to:

  1. The protocol: this will be either http (Hypertext Transfer Protocol) or https (Hypertext Transfer Protocol Secure)
  2. The domain name: this includes the www prefix and the domain suffix, such as .net, .com or even .fish

Most e-commerce sites (sites you shop on) use the https protocol, so if you ever encounter an e-commerce site that doesn’t…run away! Having that extra ‘s’ in the protocol means the site owner went through the trouble of obtaining an SSL (Secure Sockets Layer) certificate. This encrypts all traffic between your browser and the site you’re on, which is vitally important considering the type of information most users are entering. You can easily tell whether a site has an SSL certificate, as your browser will display a lock icon to the left of the URL.

Just because you see the lock icon doesn’t mean you’re out of the woods yet. Pay close attention to the spelling within the URL. Some of the savvier cyber thugs create copies of popular websites and use domains that are only slightly different from the original. For example, you may encounter a site named bank0fmine.com, which looks dangerously similar to bankofmine.com. When you enter your username and password into bank0fmine.com, you can consider your account compromised, as that login information has been sent to a hacker.
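The two URL checks described above (is the protocol https, and does the domain merely look like one you trust) can be automated. The following is an added example written for this article, not code from the original post: the trusted-domain list, the confusable-character table and the sample URLs are constructed for illustration, with bankofmine.com and bank0fmine.com taken from the post’s own example.

```python
from urllib.parse import urlparse

# Constructed list of sites the user actually banks or shops with (assumption for this example)
TRUSTED_DOMAINS = {"bankofmine.com", "example-shop.com"}

# Characters commonly swapped for look-alikes in a URL bar (assumed minimal table);
# multi-character pairs go first so "rn" is folded before "n" could be touched
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def strip_www(host):
    """Lower-case the host and drop the www prefix the post mentions."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold_confusables(host):
    """Map look-alike characters to the letter they imitate, e.g. bank0fmine -> bankofmine."""
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of red flags for a URL; an empty list means none were found."""
    parts = urlparse(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-https")          # the missing 's' the post warns about
    host = strip_www(parts.hostname or "")
    if host in TRUSTED_DOMAINS:
        return warnings                      # exact match with a site we know
    folded = fold_confusables(host)
    for trusted in TRUSTED_DOMAINS:
        if folded == fold_confusables(trusted) or edit_distance(host, trusted) <= 1:
            warnings.append("lookalike-of:" + trusted)
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.bankofmine.com/login",
                   "http://bank0fmine.com/login",
                   "https://bankofmines.com"):
        print(sample, "->", check_url(sample) or "ok")
```

The check is deliberately conservative: it only compares against domains you have told it you trust, so an unrelated site you have never used produces no warning at all, which mirrors the post’s advice to scrutinise the places where you actually enter credentials.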

A couple of other things to look out for are misspellings, strange sentence structure and odd images. Most decent companies will run their content through a spell checker before posting anything. If you find multiple typos on a company’s website, it’s possible you’re looking at a fake. Also, be on the lookout for odd sentence structure. Some cyber criminals are based in countries where English is not the primary spoken language. To get around the language barrier, some cyber criminals use translation software, and very poor translators tend to spit out poor English! In addition to the malformed text, distorted images can be the result of a cyber criminal attempting to copy images found on their target site’s pages.

You should also refrain from using simple, easy-to-guess passwords for your logins to various sites. I know it can be extremely frustrating to keep track of multiple passwords (hackers are also aware of this fact!). They actually count on you using short dictionary words as passwords. Nothing makes a hacker happier than a simple password.

Common ways cyber criminals steal passwords are through social engineering and brute force attacks. The latter is quite simple in principle: the hacker simply runs a program that tries every possible combination of letters and numbers. They also employ what’s known as a “rainbow table” (not as nice as it sounds) to assist in cracking encryption. Since the brute force program iterates through every single possible combination, starting with dictionary words, your password will eventually be discovered.

To prevent this, use a non-dictionary password of more than 12 characters that includes symbols and other character types. By the time the brute force software’s iterations crack a complex password, the user will be long dead (probably). Social engineering is a bit harder to prevent, as it preys upon the weakest link in any network: the end user (YOU!…and me). Social engineering involves obtaining information from a user for the purpose of uncovering valuable data from them, like passwords and email addresses.
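To put numbers on the brute force argument in the two paragraphs above, here is an added example (not code from the original post) that estimates how long an attacker cycling through every combination would need for a given password. The word list and the assumed guess rate of ten billion attempts per second are constructed for the example; the rule of thumb it encodes (no dictionary word, more than 12 characters, symbols included) is the post’s own.

```python
import string

# Constructed mini "dictionary" standing in for the word lists brute-force tools try first
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "dragon"}


def charset_size(password):
    """Size of the smallest character set an attacker must cycle through to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case years to try every string of this length and character mix.

    The guess rate is an assumed figure for a well-equipped attacker, not a measurement.
    A dictionary word is reported as 0.0 because it falls in the word-list pass
    that runs before any exhaustive search begins."""
    if password.lower() in COMMON_WORDS:
        return 0.0
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def meets_guidance(password):
    """The post's rule of thumb: not a dictionary word, over 12 characters, includes symbols."""
    return (password.lower() not in COMMON_WORDS
            and len(password) > 12
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    for sample in ("password", "sunshine7", "Tr!ck-H0rse-Batt3ry"):
        print(f"{sample!r}: ~{years_to_exhaust(sample):.3g} years, "
              f"meets guidance: {meets_guidance(sample)}")
```

The interesting comparison is between the second and third samples: adding a digit to a short word barely moves the estimate, while going past 12 characters with mixed symbols pushes the worst case beyond any useful attacker timescale, which is exactly the point the post makes about the user being long dead by then.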

A popular social engineering attack is known as phishing.

FUN FACT: When the attack targets high ranking officials or company executives, it’s known as whaling.

This attack involves sending emails to potential victims. The messages are sent with a friendly or sometimes threatening subject header. No matter the tone of the header or message, the content is designed to elicit a knee-jerk emotional response from the reader. Cyber criminals do not want you to have time to think through what you are being asked.

The infamous “Nigerian Prince Scam” was a phishing attack that scammed people out of thousands of dollars. The email informed the reader that the sender was a wealthy Nigerian prince in need of a small loan and if the reader gave the prince the money, they would be paid back tenfold. As odd as this may sound, a great deal of people complied and sent tons of money to this “prince” only to find out they had been scammed days later. He was definitely no Prince Charming.

More subtle approaches to social engineering include:

  • Shoulder surfing – I’m sure this will be a dance my kids will be doing soon, but it’s also a technique hackers use to sneak a peek at passwords and other valuable information. A hacker gains entrance to a building and casually passes by the employees at their workstations while glancing at their screens as they type. To prevent this, use a privacy (tint) film over your screen.
  • Dumpster diving – It’s exactly what you think it is. People dive into garbage and try to recover sensitive information that was tossed out. To make a hacker’s dumpster diving useless, buy a high-grade shredder or burn sensitive information.
  • Fake access points – This is similar to the phony site setup I brought up earlier. Hackers station an access point in a common area, like a coffee shop lobby, and make their SSID (the name of the access point) the same as or similar to the business the intended victims are visiting. When you log into the fake access point, all your activity will be seen by the hackers. To prevent this, avoid using open access points if possible. If you do use one, use a VPN (virtual private network, which encrypts your activity online).

Always apply the same level of scrutiny to any place you spend your money or expose sensitive data. Try to avoid websites that have any of the characteristics I mentioned above, and you should be fine. Just listen to your gut, apply a little situational awareness coupled with the techniques you learned here, and those cyber thugs will have to look elsewhere for data to steal (or get a real job…really the best outcome).
