VeraSafe’s Consumer Privacy, Web Security and Safe Shopping Guide (Part II)

In part one of VeraSafe’s Consumer Privacy, Web Security and Safe Shopping Guide we explored the concepts of basic privacy awareness, web browser privacy settings, and offered some computer software safety tips. In part two, we’ll look at email privacy concerns and identity theft protection tips, rules for safe online shopping, and social media safety tips.

Keep this article bookmarked as a handy reference when shopping online, and don’t forget to share it with your friends!

(Continued from Part I)

4. Email Privacy Concerns and Identity Theft Protection Tips

Spam Email

In the United States, companies can generally send you commercial email without your prior consent, however they must provide you with an opportunity to opt out of receiving such emails in the future. Email that is sent for commercial purposes should contain an “opt out” link or mechanism that you can use to exercise your op-out rights.

If you receive a commercial email from an unknown source that does not contain an “opt out” mechanism, consider:

1. Forwarding the email to the US Federal Trade Commission at [email protected]. Be sure to include the complete email message.
2. Flagging the email as a spam message in your email client, if your email provider offers this feature (most do).

Email Scams

Email scams have emerged as a major threat on the Internet. These scams include:

1. phishing attacks that solicit personal information by posing as a trustworthy organization;
2. social engineering attacks that attempt to gradually solicit personal information by gaining your trust or posing as someone you know;
3. bogus “charity” scams that exploit current events, such as natural disasters, health scares or epidemics, or political elections to solicit a “donation” from you;
4. discount software offers that advertise “too good to be true” prices on popular software titles;
5. “419 advanced fee” fraud schemes that attempt to convince potential victims of a bogus plot to acquire and split a large sum of cash (these scams are often perpetrated by individuals located in West Africa and these emails frequently contain spelling and/or grammatical errors); and
6. bogus “get rich quick” business opportunities that promise large profits with very little effort.

To protect yourself from such email scams, the United States Computer Emergency Readiness Team says it best:

“When [an] email arrives in your mailbox promising you big money for little effort, accusing you of violating the Patriot Act, or inviting you to join a plot to grab unclaimed funds involving persons you don’t know in a country on the other side of the world, take a moment to consider the likelihood that the email is legitimate.”

Additionally, using an email service with an effective spam filter (such as Gmail^TM) and treating all unsolicited email with extreme caution will help protect your privacy and your financial security.

Use a spam-friendly email account

Maintaining two email accounts—one closely guarded address to use for correspondence with friends, family, known business contacts and other trusted entities and a second one to share with less familiar parties—can help you identify email scams and reduce the nuisance of spam emails. This practice can run the risk of violating the Terms of Service/Terms of Use of your email service provider, so be sure to read all applicable terms and ensure that your secondary email account does not break any applicable rules.

5. Rules for Safe Online Shopping

Check for HTTPS and SSL Warnings

When you shop online, say at Amazon.com, and enter your personal information into the website, including credit card information, all of that information is being sent from your computer to the physical location of the Amazon.com web server. The data travels over a variety of routers, switches and backbone data cables that neither you nor Amazon® have control over. The data can be intercepted along its journey from your computer to the Amazon web server, however in the case of Amazon.com (and almost all reputable websites) your data is encrypted with a very secure encryption technology known as Secure Socket Layer (SSL). This makes it nearly impossible for anyone other than you and Amazon.com to read the data you sent.

It’s easy to tell if a checkout page, web form or login page uses this very important SSL technology. In the address bar of your web browser, the URL of a secure web page will always begin with https:// instead of http://  This may seem like a minor detail that would be easy to miss, but many modern web browsers will have more user-friendly visual indicators to help you identify secure and non-secure webpages. Modern web browsers typically have 3 to 4 types of visual indicators to help you identify secure pages:

1. “EV-SSL Green Bar” indicators that will show a prominent green bar or box in the address bar of the web browser indicating that the web page is secured with high-assurance SSL technology that not only secures the transmission of data to/from the web server, but also assures you of the identity of the organization operating the website. (Visit https://verasafe.com/register to see this in action)
2. Lock icon indicator in the address bar, which indicates that the web page is secured with a standard SSL certificate that assures you that the connection to the web page is private and reliable.
3. A Mixed Content Warning is sometimes shown, which is displayed as the lock icon indicator mentioned above, but with a red “X” mark superimposed over the lock. This indicates that some of the content on the page comes from a web server(s) that doesn’t use SSL and therefore using the web page could pose a risk to your privacy.
4. A Degraded Lock Icon will soon be shown in the address bar of some browsers when a website is using an older, less secure version of the SSL algorithm. Websites using this older version of SSL (called SHA-1) still offer some level of security and privacy for your data, but are not as secure as they should be.

Check for Trust Marks and Always Click to Verify

Organizations such as VeraSafe^TM, TRUSTe^TM and the Direct Marketing Association^TM have developed “self-regulatory” codes of best practice business conduct that companies can pledge their adherence to. When such companies make this commitment to the code of conduct, they are reviewed by the seal issuing organization for quality, and are issued a trust mark or trust seal to indicate this commitment to their customers. If the company fails to abide by the code of conduct, the company has breached a legally binding contract, as well as their public commitment to the code of conduct. This breach would be considered a violation of federal law and can invite enforcement action from the Federal Trade Commission.

While such seal programs do have limitations, they provide a level of accountability that otherwise does not exist on the Internet. Genuine trust seals and trust marks always have a ‘Click to Verify’ feature—when you see a trust seal on the internet, always click on it to ensure that the seal is linked to a genuine verification page provided by the seal program that correctly identifies the web page you’re visiting.

Also, beware of “trust seals”, such as those provided by Trust-Guard^TM, that provide a functional, clickable seal, but don’t correspond to any enforceable code of conduct, and therefore provide very little value to consumers.

Use Secure Passwords

When creating user accounts across the web, always follow these best practice rules for strong passwords:

1. passwords should contain at least 8 characters (or as many as the system will support if fewer than 8);
2. a combination of upper case letters, lower case letters and at least one special character (such as *, &, %, #, etc.) should be used in every password;
3. change your passwords every 30 days or as often as you can, particularly for financial websites like your bank, online trading account and credit card account website; and
4. don’t use passwords that are easy to guess (like 12345), are associated with obvious personal information (like your name) or are simple words found in a dictionary.

Using a password management application such as DashLane^TM or LastPass^TM can be a tremendous help in creating a secure password scheme as described above. DashLane and LastPass are browser plugins that store your passwords in a secure way and can generate very secure passwords for you as you register for new online services. These systems have certain drawbacks, but their benefits generally significantly outweigh their potential risks.

Enable Two-Factor Authentication If Possible

In a typical user account login scenario, you enter your username and password and are then logged into your user account. Two-factor authentication provides an additional layer of security. Google’s spam guru, Matt Cutts, put it best:

“two-factor authentication is a simple feature that asks for more than just your [username and] password. It requires both “something you know” (like a password) and “something you have” (like your phone). After you enter your password, you’ll get a second code sent to your phone, and only after you enter it will you get into your account. Think of it as entering a PIN number, then getting a retina scan, like you see in every spy movie ever made. It’s a lot more secure than a password (which is very hackable), and keeps unwanted snoopers out of your online accounts.”

More and more websites are offering this important security feature, but they will require you to manually enable and configure this feature, which you should absolutely do. Some popular websites that currently offer two-factor authentication include:

• Dropbox®
• Gmail^TM
• Apple® ID
• eBay®
• PayPal®
• Yahoo! ® Mail
• Outlook.com
• E*TRADE®

Crowd Sourced Reputation Sites

In recent years websites have cropped up that allow anyone to write online reviews of websites in an attempt to help people identify which websites are safe to use, have good customer service practices, quality products, etc. These systems have major flaws and can’t be used to reliably determine whether a website is reputable or not. A dishonest company can write dozens of positive reviews about their own website and similarly leave dozens of negative reviews about their competition. If you’re unsure if a website is safe to use, instead of using such flawed systems, ask your friends or other trusted sources, look for genuine trust seals or trust marks and use this guide to help you determine whether or not a website is safe to use.

6. Social Media Safety

The Risks

Identity thieves, scam artists, debt collectors, stalkers, governments, corporations looking for a market advantage and employers are all using social networks to gather information about people without their knowledge.  Companies that operate social networks are themselves collecting vast stores of data about their users, both to personalize their services but also to sell information about you to advertisers. This data generally falls into 4 categories of information you might disclose when using a social network:

1. your personal information, such as your name, where you went to school, and where you work;
2. your location, such as where you live or where you are on vacation;
3. your acquaintances, such as friends, family and business contacts; and
4. your interests, including networking groups you belong to, and your political opinions.

Someone attempting a social engineering attack may find it valuable to know these types of information about a target before attempting to solicit further information. Knowing the risks of sharing information widely across social networks and knowing how to control who can see your social media profiles and activity will help protect your privacy, the privacy of your family and your financial security.

Facebook® Privacy Settings

To learn about Facebook account privacy settings visit the Facebook help page here:  https://www.facebook.com/help/325807937506242

Facebook allows you to control who can see information you share, who can find and connect with you and lets you review posts and pictures that other people tag you in before these items become visible to others.

The “Privacy Checkup” feature in Facebook lets you review and adjust your privacy settings. The “Audience Selector” tool lets you decide whom you want to share information with. “The tool remembers the audience you shared with the last time you posted something and uses the same audience when you share again unless you change it.”

Twitter® Privacy Settings

Twitter allows users to decide who can see your posts and how people can locate or see your Twitter profile.

Google+^TM Privacy Settings

When you register for Google+, your name and profile picture are always made public and you have no option to prevent this, which is a concern for privacy-minded individuals. Other parts of your profile can be hidden from public view and made visible only to some people.

General Social Networking Tips

1. Don’t allow your birthdate to become publicly available information, particularly if you have a US Social Security Number. Prior to 2011, these important national identification numbers were issued serially and in relation to your place of birth (for natural-born citizens), making them surprisingly easy to predict using this simple combination of information (i.e. birthdate and place of birth).
2. Be sure to use an incognito/private browsing session if accessing your social media accounts from a public computer and always log off when you’re finished.
3. Check up on your account privacy settings often, as the privacy options and the methods to control them change frequently.