
Secure your Web Experience and Prevent Online Identity Theft

This is an article by regular columnist Clark. Although perhaps a bit off topic, it’s very relevant to readers.

With the use of the Internet for many tasks these days, a primer on securing your web experience would not be out of place. Please note that this article deals only with web browsing security and if your computer is already a hub of malware (short for malicious software) like trojans, worms, viruses, etc., then the system is compromised, no matter your measures to secure the web experience. If you suspect that your system may be infected with malware, use one of the free antivirus tools given below to scan and remove them.

  1. Microsoft Security Essentials
  2. AVG Free Edition
  3. Avast Free Edition

Any antivirus application is useful only when it stays updated. The above tools have automatic update features included; just ensure that they are turned on, so that they get updated on a daily basis. It is prudent to schedule periodic automatic scans of your system to utilize those automatic updates.

Web Browsing Security

Any bank, discount broker, insurance, shopping or email account website that you access must use at least a 128-bit Secure Socket Layer (SSL) protocol (it is the predecessor to Transport Layer Security) for transmitting data over a network. SSL has a two-fold benefit:

  1. It verifies the authenticity of the website to which you are connected and
  2. It protects your personal information (name, address, credit card details, SIN, username, password, etc.) by encrypting them and providing a secure end-to-end transit medium. It can only be decrypted by the receiver, which would be your intended target website.

A screenshot of the Gmail login page when using Internet Explorer 8 is shown below with key points highlighted.

[Screenshot: browsersecurity]

If the address of the website you are connected to starts with https:// but the padlock symbol is missing, then the connection is only partially encrypted. It could mean that the transit data is encrypted but the identity of the website owner cannot be verified. So, if the owner of the website is unknown, then how could one trust that the data they receive and decrypt is not being misused? SSL certificates issued by third-party Certificate Authorities establish authenticity.
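The two checks described above (a verified site identity and at least 128-bit encryption) can also be made outside the browser. The following is an added example, not part of the original article: it uses Python's standard ssl module, and the function names, the TLS 1.2 floor and the cipher string are choices made for this illustration.

```python
import socket
import ssl
import sys

MIN_BITS = 128  # the article's minimum encryption strength


def strict_context() -> ssl.SSLContext:
    """Client settings that insist on both benefits the article lists."""
    ctx = ssl.create_default_context()       # trusts the system's CA certificates
    ctx.check_hostname = True                 # certificate must name the site we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED       # certificate must chain to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: refuse legacy SSL/TLS
    # Drop suites with no authentication, no encryption, or 3DES (112-bit strength).
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled cipher suites whose strength is below MIN_BITS."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_BITS]


def inspect_site(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host and report what was negotiated; needs network access."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, bits = tls.cipher()
                return {"host": host, "identity_verified": True,
                        "protocol": version, "cipher": name, "bits": bits,
                        "meets_minimum": bits >= MIN_BITS}
    except ssl.SSLCertVerificationError as exc:
        # The case the article warns about: the site's identity could not be verified.
        return {"host": host, "identity_verified": False,
                "reason": exc.verify_message}


if __name__ == "__main__":
    print("weak suites enabled:", weak_ciphers(strict_context()))
    for site in sys.argv[1:]:                 # hosts to check are given on the command line
        print(inspect_site(site))
```

Run it with one or more host names as arguments to see the negotiated protocol, cipher and key size for each, or the reason the certificate was rejected.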

Most of the websites that use your personal details for providing their service will have this SSL protocol enabled. While many bigger companies like Amazon and eBay are no slackers when it comes to data security, certain smaller online shopping providers do not offer the required security. It could be due to a lack of awareness on the part of the system administrator or negligence toward data protection. An astute consumer will pay attention while browsing and logging into websites – it is your data (identity) and money (credit history) after all!

Some tips worth remembering…

  1. Keep your computer(s) and browser(s) updated.
  2. Bookmark the websites that you visit regularly – especially ones that utilize your personal information (banks, utility companies, shopping sites, brokerage accounts and others that you can think of!). Do not click on links in emails (not just phishing ones but even from legitimate sources, if you can identify them) and use your bookmarks (favorites) to check the site.
  3. Always check that websites requiring logins are fully encrypted; a missing padlock symbol is a giveaway that the SSL has holes.
  4. Block ads on websites (you can always allow ones on websites that provide value to your bottom line!); Internet Explorer 8 has InPrivate Filtering, which accomplishes this task. Firefox users have the Adblock Plus extension that banishes ads and the NoScript extension that prevents JavaScript, Flash and other plugins from running automatically. Alternatively, you can try the Google Chrome browser that runs in a sandbox offering an extra layer of security along with the AdBlock extension to get a similar reprieve from ads.
  5. If you are buying from a relatively unknown shopping website, look out for the encryption criteria mentioned above. If you suspect a problem, conduct an Internet search to see if others have reported similar issues and decide if you still want to buy from that site.
  6. If PayPal is not accepted, buy prepaid credit cards to use on questionable sites (though I wouldn’t recommend giving your business to a company that does not use the necessary encryption). This way, the liability is limited to the value of the card ($25, $50, etc.) in case your credit card details are misused by the company or stolen during transit.
  7. Avoid doing important transactions (including checking account balances) on unsecured WiFi networks (coffee shops, airports, etc.). There are workarounds such as using a virtual private network but they are beyond the scope of this article.

And, please upgrade from Internet Explorer 6 to version 8, if you are still using it!

Have you got any other tips to share for securing the user’s browsing experience and preventing online identity theft?

About the Author: Clark is a twenty-something Saskatchewan resident employed in the manufacturing sector. He repaid around $20,000 in student loans and has been working to build his investment portfolio as a DIY investor (not trader) while nurturing plans to retire early. He loves reading (and using the lessons learned) about personal finance, technology and minimalism.


10 comments
  • Chris June 29, 2010, 2:59 pm

    Something I’m surprised I don’t hear about more are password databases.

    The idea is that it’s insecure to use easy to guess passwords (dictionary words even if sprinkled with caps and numbers), or the same password at more than 1 site.

    What a password database allows you to do is generate passwords to any complexity you’d like and then save them to your local password database. That database of passwords is encrypted and protected with 1 ‘master password’; which as you’d imagine, should be something you can remember but still very secure.

    When it comes time to log in to any given website, you put in your “master password”, pull out the username and password for your given site, paste it in, and that’s it.

    You can use complicated and unique passwords for every site that might ask for one. You only have to remember 1 password.

    I’ve had good luck with KeePassX:
    http://www.keepassx.org/

  • Elbyron June 29, 2010, 3:29 pm

    Another tip to ensure you are on the REAL website and not a look-alike fake: get in the habit of allowing websites to save your username. That way, if you come to the site and don’t see the username already loaded, you should be suspicious, and should re-open it using your bookmark. When a website offers to save your username (not the browser), and you check the “remember me” box before logging in, it will store that info on your computer in a cookie file, which can only be accessed by that same website (a fake one cannot read it). Usually the info in the cookie is also encrypted, so even if you have a virus on your computer that’s looking for your logins it won’t be able to make sense of the data. So it is safe, and a good idea, to save the username. You can also save your password if you like, but be aware that not every site encrypts the cookie data and a local virus could steal that information. That’s why Clark put so much emphasis on keeping your computer secure!

    When the browser offers to save your username and password for a website, you can also accept this, again provided that your computer is secure. The browser saves the data in an encrypted file, but the encryption key is also on your computer and thus a clever virus could still steal the information.

  • Brad Trivers June 29, 2010, 4:13 pm

    If a website accepts payment via PayPal then does it really matter if it has an SSL certificate? PayPal does of course, and that is where the sensitive information is stored.

  • Clark June 29, 2010, 5:14 pm

    Thanks for the comments.

    @Chris: I love KeePassX and it is a hassle-free approach to secure your login details. The fact that you can use keyfiles along with the master password and attach other files offers greater peace of mind.

    @Elbyron: Good suggestion! However, I don’t let cookies stay on my computer beyond that browser session and don’t mind entering the username again. For ease of use and safety, letting the cookies stay on would be a sound choice as long as the computer is free of malware and not used by strangers.

    @Brad Trivers: Good question! If PayPal is accepted, then the buyer would be protected by PayPal and the personal details would not be divulged to the seller (except for the shipping information). So, I’ll have to say that the acceptance of PayPal relaxes the need for encryption on the seller’s site, though I wouldn’t be surprised if PayPal required encryption on the shopping site to offer their services.

  • Elbyron June 29, 2010, 6:19 pm

    KeePassX sounds like a great way to keep track of all your different passwords, which can be tough if you use different randomly generated ones everywhere. But personally, I don’t see the need for going to those lengths, as most websites prevent brute-force password hacks by locking your account after a few incorrect guesses. That doesn’t mean I use “password” as my password; I do still have randomly generated ones that I use for my bank and credit card. But I only have to remember 3 or 4 different ones, and use a relatively unsecure one for most websites that I don’t care about (like forums). Having strong password security has its place, but for me, it’s not worth the hassle of having to use a program to look up the right password every time I need it. Also, using KeePassX doesn’t protect you from phishing, and is still vulnerable to some malware, especially key-loggers.

  • Ms Save Money June 29, 2010, 6:54 pm

    Currently using Avast and it seems to be working pretty well. I always try to take precautions when shopping online. I generally won’t shop on a site that seems/looks shady in any way shape or form just because I wouldn’t want to risk that.

  • Cam Birch June 29, 2010, 7:01 pm

    Very interestingly IE6 is actually more secure than most people realize:
    http://www.theregister.co.uk/2010/06/28/chase_ie_6_dumps_chrome_opera/

    From the standpoint of actual communication to a secure server you will find that IE6+ will ensure your data is better encrypted and less snoopable than other browsers.

    On the other hand if you are looking for an all around solution like not being easily hacked by a virus, IE 6 is a bad option. Upgrade to IE 8 and become safer (safety = aka less likely to be hacked) but no more secure (secure = less chance of a program not on your computer of stealing your data).

    Unfortunately security really starts with people not being so easily fooled. With all the advanced computer technology the most likely reason why your information will be stolen is because someone asked for it and you gave it to them without thinking. Over 80% of data loss is still caused by “user error” where you give over access rather than the evil virus.

    The generic solution is be a little less trusting and verify first, and only then allow things to occur. This goes for almost everything from installing applications (most viruses are installed by users saying yes to a security prompt now), to making sure you only give your credentials to the correct website. The same rules and scams that telemarketers and door to door salespeople have been using for years are now online and we are still falling for the same old tricks.

  • Clark June 29, 2010, 7:07 pm

    @Elbyron: It is true that most institutions lock your account after a few incorrect tries or offer a password recovery solution. But, people tend to use weak answers to a security question to recover their passwords – easy enough to guess! Your method would work if one is reasonably web-savvy.

    KeePassX will not protect from phishing or screen loggers but one can use a tool like Neo’s SafeKeys to prevent the logging concern. I wonder how many people will fall prey if the “tab nabbing” type of phishing attack takes off!

  • Clark June 30, 2010, 12:04 am

    @Cam Birch: Interesting move by Chase! It looks more like a measure to cut costs than due to genuine lack of minimum security features. I use Opera as my backup browser along with Firefox and have been impressed by both (of course, Firefox’s extensibility is unmatched yet).

  • Elbyron June 30, 2010, 1:07 pm

    @Clark: When I first heard of the “tab nabbing” attack a few weeks ago, I was very surprised that browsers would allow that behavior. Hopefully it will be addressed quickly in security patches, but it may be a while until we’re safe from this. Unfortunately, had I not known about this attack, I would have easily fallen prey to it, as I often keep the same tabs open for a long time (sometimes for weeks).
