So is it OK to shop online? Honestly, there are risks associated with any sort of commercial transaction, real or virtual, and taking measures to mitigate the risks is the smart thing to do. Security related to online shopping begins with online retailers. Christiaan Beek, principal architect, IR & Forensics, Foundstone Services EMEA, a division of McAfee, advised that security design must be a big part of setting up a Web shop, not considered afterward, like whipped cream on a cake.
Arab News asked one Saudi Web shop what they were doing in terms of security and the business replied, “We continue to have multiple vulnerability tests performed on our servers daily. We are upgrading our SSL to an EV SSL. We are in the process of getting our trustmarks approved from both McAfee and VeriSign. In 2012 we will be PCI certified and we plan on hiring more certified security professionals.”
“Secure code design, filtering for characters, encryption of customer data and keeping credit card details separate from the user table in the database are some of the examples that must be considered,” Beek advised. “Vendors should have their online operations tested regularly by executing penetration tests. Actually, the security points mentioned by the Saudi online retailer should be the foundation of information security, which every company should have in place.”
Even if an online retailer is running a secure operation, consumers must understand that criminals can attack in other ways.
“One example is using e-mails to redirect people to fraudulent websites in order to trick people into submitting their credentials,” said Beek. “Other ways are to attack specific vulnerable Web browsers or vulnerable computers or to intercept transaction traffic.”
There are some basic rules a consumer should follow before shopping online:
• Keep computer software up to date, specifically the Web browser.
• Only shop from a computer with an up-to-date anti-virus/anti-malware program.
• Check the reputation of the online vendor through a site such as www.resellerratings.com.
• Read the privacy policy of the online vendor, usually found on their website. How do they handle your information and what do they do with it?
• Check that the online retailer uses encryption: the address should begin with “https” instead of “http,” and the browser should show the padlock icon.
Even if a consumer does everything right in relation to online shopping, there can still be catastrophes. In the real world there are sophisticated pickpockets and thieves, and in the virtual world criminals are always trying new strategies. Last week, the online shoe shop Zappos suffered a massive data breach that exposed user accounts for about 24 million users, although full credit card details were not exposed. The company took action quickly, forcing the store's shoppers to change their account passwords and cutting off access to the website to users from outside the continental United States. They are also cooperating fully in the criminal investigation of the data breach.
Even though complete credit card details were not lost, consumers who shopped at Zappos are being advised to re-issue their credit cards and to be on the alert for identity fraud. Any Saudi shopper should consider using a special low-limit credit card issued by Saudi banks specifically for online purchases. Notifications for any spending on credit cards should be sent to an active mobile phone number, and the method for canceling the card in case of fraud should be written down and kept accessible in several locations, so the instructions can be quickly referred to if fraudulent transactions occur.
Shop safely online
Publication Date: Thu, 2012-01-26 00:18
© 2024 SAUDI RESEARCH & PUBLISHING COMPANY, All Rights Reserved And subject to Terms of Use Agreement.