E-Commerce



Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. In short, phishing is a scam in which the attacker sends an email purporting to be from a valid financial or eCommerce provider in order to obtain usernames, passwords and other important details.





Examples


PayPal and eBay were two of the earliest targets of phishing scams. The example below shows how an attacker phishes through link manipulation.



This PayPal phishing scam tries to trick recipients by pretending to be some sort of security alert. Claiming that someone 'from a foreign IP address' attempted to log in to your PayPal account, the email urges recipients to confirm their account details via the link provided. In fact, as with other phishing scams, the victim is directed to a fraudulent site, and any information entered on that site is sent to the attacker, who can then manage the recipient’s PayPal account.


Another example of a phishing email from First Generic Bank:




Example of a phishing email attempting to get credit card information using the name of CitiBank



Example of phishing using the name of eBay




Example of phishing using the name of Yahoo


Example of a phishing email attempting to get credit card information




Besides phishing through link manipulation, an attacker can also phish through website forgery. Some phishing scams use JavaScript commands to alter the address bar. An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct.



Moreover, phone phishing is another phishing method. Messages that claim to be from a bank tell users to dial a phone number regarding a problem with their bank accounts. In fact, the phone number is owned by the attacker. The users' data can therefore be obtained easily, because they are asked to enter their account numbers and PINs once the number is dialed.


Prevention

Tip 1

It is important that you learn to recognize all types of phishing emails. Be aware that if you receive a message asking you to take immediate action on any of your personal accounts, you should contact your financial institution immediately by phone or in person. Most phishing emails will be addressed to either “Dear Valued Customer” or “Dear Sir/Madam”, while any legitimate email from your bank or credit card company will be addressed to you by name. It is important to know that the phisher who sent the email is after your personal information in order to use it for fraudulent purposes.

Tip 2

Never send any kind of sensitive personal information by email. Email is not the most secure form of communication available on the Internet. Many scammers are quite capable of producing an email that looks legitimate, so they can easily forge such a message and gain your information in this way.

Tip 3

If you do have to transmit any personal information over the Internet, ensure that the site you are providing it to is completely secure. The best way to tell whether a site is secured is to look at the site address. The address of any website considered to be secured should start with “https://” and not “http://”. Also, if you look in the browser status bar, you will see the lock icon displayed.

Tip 4

If you ever receive an email from someone you do not know and it contains a link, do not click on it. Instead, open a new browser page and type in the address that you know to be the authentic website. Alternatively, you could call the person or company directly if you have had dealings with them and have spoken with them by telephone before.

How do you safeguard your personal and financial data when you make an online purchase? Do you think using online financial services is safe or risky? Have you properly safeguarded your data? Nowadays, computers and the Internet are commonplace. We rely on computers to store our personal data and use online financial services, such as online banking, to carry out financial transactions because it saves time and is more convenient. So, do you think the safeguards you have in place are sufficient to protect your confidential data?



Nowadays, many companies prefer to collect personal information from their customers through the Internet, especially when customers purchase items online, because it is an easy way for the organization to simplify the whole buying process. Commonly, when consumers make an online purchase, the company records their personal information such as names, addresses, phone numbers, or bank and credit card account numbers. Is this information secure enough to protect consumers from having it misused by other people? If you do not take basic steps to protect your information, your identity may be stolen and you may become a victim of fraud.



Many people do not know enough about their personal information and financial data stored on web servers, all of which is a target for Internet criminals. As the number of Internet criminals increases, it is difficult to keep our personal information safe and hard to prevent it from being stolen. Do you know what “Personal Financial Information” is? It means any record about a customer of a financial institution, whether in paper, electronic, or another form, that is handled on behalf of the institution or its affiliates.


Ways to keep your personal and financial data safe:




  1. Be cautious with your information.
    Personal information can be as dangerous as financial information. Therefore, do not give your financial information or personally identifying details to organizations you do not already know. Such details can be as simple as your date of birth and mother's maiden name.

  2. Keep credit cards to a minimum level. If the credit card you use for purchases has a low credit limit, it can keep a dishonest sales clerk from misusing your credit card information when you are away. If the card details are stolen, at least the thieves will not be able to run up large bills.

  3. Protect your computer's security. A lot of data is stored on a computer, so use as many tools as you can to guard that information, such as anti-virus software, anti-spyware software, and firewalls. Failing to protect your computer is as bad as leaving your door unlocked.

  4. Do not reveal any personal information or passwords to anyone. Never write down your password or carry it in a wallet or briefcase, and avoid using passwords that are easy for someone to guess, such as the name of your favorite pet or your date of birth.

  5. Be cautious when accessing financial information in public. After using a service such as checking your bank balance on a public computer, for example in a public library, school computer lab or Internet cafe, remember to log out and close the browser window properly. Otherwise, another user of the shared computer gets a chance to access your data or read your personal information and mail.

  6. Pay attention when using an ATM. Keep an eye out for anyone who shows interest in your transactions. Use your free hand to shield the keypad when entering your PIN.

  7. Back up your data externally. Use several forms of media, such as DVDs and CDs, because local backups are subject to unexpected events like fire and robbery.

A third party called a Certification Authority (CA) is responsible for vouching for the identity of users and issuing them certificates that bind a public key to their identities. CAs also issue digital certificates to verify that your website does indeed represent your company, and they must take steps to establish the identity of the people or organizations to which they issue the ID. Authenticity is ensured because, once identity is established, the certificate is issued with the organization’s public key and signed with the Certification Authority’s private key.


Third-party certification is a process by which a product or service is reviewed by a reputable, unbiased and independent third party to verify that a set of criteria, claims or standards is being met. It is a kind of certification that gives customers the confidence to browse a website despite the increase in phishing and spoofing attacks on the Internet. Customers are afraid that their personal information, such as ID numbers, passwords and credit card numbers, will be sent to companies that do not exist in the real world. Furthermore, third-party certifiers can provide e-mail protection and validation, secure online shopping carts and other services that help users avoid being spammed, hacked and attacked by malicious software such as viruses, Trojan horses and worms. One such third-party certifier is MCS Trustgate.com Sdn Bhd.


MCS Trustgate.com Sdn Bhd is a licensed CA in Malaysia which was established in 1999. It offers complete security solutions for individuals, organizations, government, and e-commerce service providers through digital certificates, encryption and decryption. For example, MCS Trustgate.com Sdn Bhd has provided security solutions and trusted services to help companies build a secure network and application infrastructure for their electronic transactions and communications over the network. Besides that, it is committed to delivering high-quality services, which has brought it recognition from enterprises, government, many leading e-commerce sites and service providers, both locally and internationally, for its digital certification services, including digital certificates, cryptographic products, and software development. Its objective is to secure open network communications both locally and across the ASEAN region.


Furthermore, MCS Trustgate.com Sdn Bhd is licensed under the Digital Signature Act 1997 (DSA), a Malaysian law that sets a global precedent for the mandate of a CA. As a CA, the core business of MCS Trustgate.com Sdn Bhd is to provide digital certification services such as digital certificates, cryptographic products, and software development. Some of its products and services are SSL Certificate, Managed PKI, Personal ID, MyTRUST, MyKAD ID, SSL VPN, Managed Security Services, VeriSign Certified Training and Application Development. Its vision is to enable organizations to conduct their business over the Internet as securely as they do in the physical world.


MCS Trustgate.com Sdn Bhd provides Public Key Infrastructure (PKI) to assist companies in conducting their business over the Internet. PKI technology is designed to secure intranet, extranet, and Internet applications by combining maximum flexibility, performance, and scalability with high availability and security. The service allows an enterprise to quickly and cost-effectively establish a robust PKI and Certification Authority (CA) system with complete control over security policies, and it enables faster deployment and lower operating costs while providing an open platform that integrates with off-the-shelf solutions. As a result, an enterprise can easily deploy a PKI while relieving itself of the high expense of designing, provisioning, staffing, and maintaining its own PKI backbone. It helps organizations enhance the security of their data and manage identification credentials for users and the organization. Security is based on the exchange of digital certificates between authenticated users and trusted resources. E-commerce users can design their own PKI to meet the security and technical requirements of their organization, such as confidentiality, where PKI users encrypt data that is stored or transmitted.



MyKad is designed by the government with PKI capability that allows its holder to conduct online transactions with government agencies and the private sector. MCS Trustgate.com Sdn Bhd provides MyKey, the PKI solution that allows you to authenticate yourself online and to digitally sign documents or transactions. Besides that, MCS Trustgate.com Sdn Bhd is the prime PKI developer and integrator for MyKad and offers various MyKey (MyKad PKI) modules for developers who wish to develop MyKad applications, such as the MyKey Application Programming Interface (API), Signing module, Verification module and MyKad Client Kit.




A VeriSign SSL Certificate is built on the public encryption key that a webmaster sends to the CA, and it works in conjunction with Secure Sockets Layer (SSL) technology, which is a standard part of most web server and web browser packages. VeriSign is the leading Secure Sockets Layer (SSL) Certificate Authority under MCS Trustgate.com Sdn Bhd, and it enables the security of e-commerce, communications, and interactions for Web sites, intranets, and extranets. In other words, VeriSign is used to enhance the server security of your website. It provides security solutions to protect an organization’s consumers, brand, Web site, and network, and it also gives customers confidence in communication and online business transactions. With the increase in phishing and spoofing attacks on the Internet, customers want to make sure that they are dealing with trusted parties when they conduct business online. They need to ensure that the information they send over the Internet reaches the intended recipients and is safe from intruders. For example, most of the banks in Malaysia show their verified certificate on their online banking website to avoid phishing.





Besides that, VeriSign SSL Certificates help a growing number of organizations and individuals to communicate and conduct commerce with confidence, as VeriSign offers a wide spectrum of solutions for financial services, consumer product and retail companies, healthcare and life sciences, and the public sector.


Furthermore, VeriSign is the trusted provider of Internet infrastructure services for the networked world, because the ability to know and trust the parties with which you do business and communicate has become critical in the networked world. It allows companies and consumers to engage in trusted communications and commerce. For more than 10 years, VeriSign Internet infrastructure has been at the very heart of the Internet, enabling key transactions and protecting valuable data. VeriSign facilitates as many as 50 billion authoritative Domain Name System (DNS) queries a day, and has been providing this service since 1998 with 100% availability. It also plans to increase the capacity of the .com and .net DNS by 10 times by 2010 to provide the security and stability required for global Internet-based transactions. It has issued over 2 million VeriSign® Identity Protection (VIP) credentials to consumers for strong authentication on a network of leading Web sites, so that consumers feel confident when carrying out transactions over the Internet.

There are two types of server certificates provided by MCS Trustgate.com Sdn Bhd: Secure Server ID and Global Server ID. Secure Server ID is the 40-bit Server ID; it enables visitors to verify the site's authenticity and to communicate with it securely via state-of-the-art SSL encryption, which protects confidential information from interception and hacking. Global Server ID is the 128-bit Global Server Certificate, which ensures that Web site visitors receive powerful 128-bit SSL encryption. Global Server ID is supported by many major platforms, while Secure Server ID is supported by a much longer and more comprehensive list of platforms. The strength of both depends on the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. Global Server ID is the world's strongest, as it would take a trillion-trillion years to crack using today's technology.

Moreover, VeriSign protects your Web site and makes it easy for your Web site visitors to trust you, because it enables encryption of sensitive information during online transactions and each certificate contains unique, authenticated information about the certificate owner. The Certificate Authority verifies the identity of the certificate owner when the certificate is issued. Besides that, a digital certificate is usually attached to an e-mail message or to an embedded program in a web page, and it verifies that the user or website is who they claim to be. Its common functions are user authentication, encryption and digital signatures. User authentication provides a form of security other than a username and password. Encryption secures data transmission by encrypting the information, so the recipient of the data is the only person to receive the message. Digital signatures are like a handwritten signature in the digital world and can ensure the integrity of the data. As a result, by using digital certificates, users are able to make transactions over the Internet without fear of their personal data being stolen, their information being contaminated by third parties, or the transacting party denying any commercial commitment with them. Further, digital certificates can assist the development of more Internet-based activities. Therefore, applying third-party certification makes online shopping more secure, and customers can shop safely.


Related Links:
www.msctrustgate.com
www.verisign.com


The threat of online security


Nowadays, computers are useful to everyone, as people use them to store and exchange information. But how safe is our data? It is very important for computer users to be aware of online security threats, since they are one of the biggest challenges on the Internet today. The threats that computer users now face include mail clients, spyware and Trojan horses.


Mail client


Attackers can use the mail client on a computer to spread worms or viruses by including them as attachments in emails. Once users read their emails, their computers are attacked by the virus, and the data on the computer may be destroyed. This can be prevented or limited by configuring your mail server properly so that it blocks suspicious attachments or files.
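The kind of attachment screening a mail server or gateway can apply is sketched below as an added example that is not part of the original post. It uses only the Python standard library; the extension blocklist is an assumed starting point, and the message it inspects is constructed inside the code.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist of directly executable attachment types; tune for your site.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}

def screen_attachments(raw):
    """Return [(filename, [reasons])] for attachments a mail filter should hold."""
    msg = message_from_bytes(raw, policy=policy.default)
    held = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if suffixes and suffixes[-1] in BLOCKED_EXT:
            reasons.append("blocked extension " + suffixes[-1])
            if len(suffixes) > 1:
                reasons.append("double extension disguises the file type")
        # Windows executables start with "MZ" whatever the attachment is named.
        if payload[:2] == b"MZ":
            reasons.append("content has an executable (MZ) header")
        if reasons:
            held.append((name, reasons))
    return held

def build_sample():
    """Constructed message: one harmless PDF and two attachments to be held."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@example.com", "user@example.org"
    m["Subject"] = "Your statement"
    m.set_content("Please see the attached statement.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="statement.pdf")
    m.add_attachment(b"MZ constructed", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"MZ constructed", maintype="application",
                     subtype="pdf", filename="receipt.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    for name, reasons in screen_attachments(build_sample()):
        print(name, "->", "; ".join(reasons))
```

Checking the first bytes of the content as well as the file name catches an executable that has simply been renamed to look like a document.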


Spyware


Spyware attacks are something that we are probably all familiar with, as they are the most common online security threat faced by Internet users. It is simply a computer program that is designed to steal information from your computer without your knowledge. The software will typically be installed on your computer without you even knowing it, and then it will send your personal information such as documents, passwords, credit card numbers, and many others to another source. Common spyware includes Trojan horses, key loggers, dialers, and adware programs.


Trojan horses

On the other hand, a Trojan horse is a program that hides within or looks like a legitimate program. Although Trojan horses seem harmless, they may be triggered if a certain condition is met. An example of a Trojan horse is Trojan Xombe, which masquerades as an email from Microsoft. The hackers then gain access to the computer and steal the passwords.




Related links:

http://www.wisegeek.com/what-are-the-primary-online-security-threats.htm
http://www.tech-faq.com/online-security-threats.shtml