Stay safe when shopping online!

Online shopping may seem like an easy option for Christmas, but there are dangers. Dr Colin Walter, Director of MSc Information Security, offers some tips on how to stay safe when buying online.

By Dr Colin Walter, Programme Director of MSc Information Security

Most of us will now be frantically trying to sort out the last of our online Christmas shopping and perhaps having to pay extra for next day delivery. The main worry might be whether the goods will arrive at all if we don't know the seller. But that's just the tip of a rather large slippery iceberg.

Legal or not, lots of organisations out there are monitoring your online activity and trying to target you with advertisements. Some, however, are trying to obtain your credit card and bank details, and yet others are trying to download malware onto your machine. The cheapest source of the latest DVD may not be the most reliable. Is it cheap because the seller has no security for handling your personal information?

More than a secure connection

There are at least two immediate indicators that you should check. Firstly, the address in the browser should start with "https://". This doesn't usually happen until you reach the payment stage, so all your browsing of products has been open to your service provider to read. Once you are paying, only the https connection will guarantee that your credit card number is sent to the retailer confidentially. This is really important if you're ordering from your mobile, since anyone can listen in to wireless connections. Of course, at home the communication between your wireless router and laptop is encrypted, isn't it? It is only encrypted if you set it up that way, and only secure if you picked a strong password. By default, it's all unencrypted, intelligible plain text. That is usually the case in a wireless hotspot, where the person drinking coffee at the next table could have listened in to all your emails and browsing until you reached the https connection.

Secondly, however, https is no guarantee that your credit card details are secure once they reach the seller. They may then be stored in a database on a server that can easily be hacked, and may even be readily accessible to every employee of the retailer. What you need is trust, and that rests on the seller's wish to retain a good reputation. There is no technological means of providing that, and a small retailer who trades only online can easily change his name.

Up-to-date Software

What about the security of your own machine? We have already noted the need to encrypt your WiFi connection. As you browse the many sites offering a DVD of "Tinker, Tailor, Soldier, Spy", your machine may give you an alert that it has detected a virus and advise you to download the latest anti-virus software to remove it. Don't! You have just run a phishing script which is preying on your fears to persuade you to download some malware. Close the window, check the state of your own AV software and trust only it to tell you whether there is malware present. Needless to say, you should always keep all your software up to date to guarantee that known security issues have been patched. That includes every application, not just the firewall and anti-virus, which should both be running.

Now is a peak time for spam and phishing emails, when you have the least time to check things thoroughly. A special offer apparently from your favourite online store may invite you to click on a spoof website, or your bank may contact you claiming unusual transactions on your account. Perhaps both are genuine, but you always need to verify their identity before proceeding. Never identify yourself first. You wouldn't buy from a door-to-door salesman or someone cold-calling; treat all online contacts with the same suspicion. For example, you need to look very carefully at the address in your browser and compare it with what you know to be correct. Has "bank" been added to or deleted from the URL, or the correct "" been changed to ".com"? You might not notice. Even more subtly, could "" come with a digit "1" instead of the letter "l" and a zero "0" instead of the letter "o"? The authorities which issue the digital certificates that give you a secure connection with a merchant may do very few checks. They don't guarantee that you are buying from a respectable store, only that you are connected to the address with the "1" and the "0" that the attackers gave you. The spoof websites are equally able to buy the right certificates and appear legitimate.
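The two address-bar checks above (is it https, and is the host really the domain you know, rather than one with "bank" added or removed, a swapped suffix, or a "1" in place of an "l") can be written down as a small rule. The following is an added example, not code from the article or from Royal Holloway; the trusted domains in it are constructed placeholders, and it assumes each trusted entry is a registrable domain whose first label is the brand name.

```python
"""Flag shop or bank URLs that merely look like a domain you trust.

Added example; TRUSTED below is a constructed placeholder list, not real
retailers.  Each entry is assumed to be a registrable domain such as
"examplebank.co.uk", so its first label is the brand being imitated.
"""
from urllib.parse import urlparse

# Constructed list of domains the user has checked and knows to be correct.
TRUSTED = ("examplebank.co.uk", "examplestore.com")

# Characters that are easy to mistake for a letter in an address bar.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(label: str) -> str:
    """Map lookalike characters back to the letters they imitate."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m")


def check_url(url: str, trusted=TRUSTED):
    """Return (verdict, reason) for a URL the user is about to pay on.

    verdict is "ok" only for an https URL whose host is a trusted domain
    or a subdomain of one; "reject" for plain http or for a host that
    resembles a trusted brand; "unknown" for anything else.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("reject", "no hostname in URL")
    if parts.scheme != "https":
        return ("reject", "not https: card details would travel in the clear")

    # Exact match (or a genuine subdomain) of a domain we already trust.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("ok", "host is trusted domain " + t)

    # Compare every label of the suspect host, after undoing digit-for-letter
    # tricks, against each trusted brand and its "bank" added/removed variants.
    suspect_labels = {normalize(label) for label in host.split(".")}
    for t in trusted:
        brand = t.split(".")[0]
        variants = {brand, brand.replace("bank", ""), brand + "bank"}
        hits = suspect_labels & {normalize(v) for v in variants if v}
        if hits:
            return ("reject",
                    f"lookalike of {t}: label {sorted(hits)[0]!r} "
                    f"resembles {brand!r}")

    return ("unknown", "not a trusted domain; verify it independently before paying")


if __name__ == "__main__":
    # Constructed sample addresses of the kinds the article describes.
    for sample in ("https://examplebank.co.uk/login",
                   "http://examplebank.co.uk/login",
                   "https://examp1ebank.co.uk/login",
                   "https://examplebank.com/login",
                   "https://example.co.uk/login",
                   "https://exarnplebank.co.uk/login",
                   "https://unrelated-shop.net/"):
        print(sample, "->", check_url(sample))
```

The rule deliberately errs on the side of flagging: a host that shares a brand label with a trusted domain but differs in suffix gets rejected even though it might be the retailer's legitimate second domain, because the article's point is that the user, not the certificate authority, has to confirm that.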

Usernames and passwords

Many stores require you to register with them before you can buy products. In this way they can spam you for evermore. It is important to have a different username and password for every such registration, because the dodgy websites may try the same details on your bank account. You should certainly also use different email addresses, at least for different purposes (social networking, banking, personal, business, shopping, etc.), even if you can't manage a different one for every site, as well as using different passwords. In that way you can help separate legitimate emails from spam and phishing, and you can also tell who is spamming you.

You need to store all these registration and login details somewhere. Perhaps pen and paper is the best way: one copy of everything, you know where it is, it is easy to keep securely, and few people are interested in stealing bits of paper. Mobile devices, in particular, still have relatively low levels of security for holding data, yet are easy to lose and highly desirable to steal. Keep the absolute minimum of such data on them and assume they will be compromised at some point. At least make sure your devices are protected with a "strong" password, or Santa may be delivering more than his fair share of second-hand electronic goods.

Follow these rules and have a Happy Christmas and safe shopping!

Dr Colin Walter is Director of the distance learning MSc Information Security, developed by the Information Security Group at Royal Holloway, University of London.