Generate Success » Fraud

How to Check Web Shops for Basic Security

MJ Ray — Tue, 18 Nov 2008 18:44:19 +0000

I just had a very nice chat on the phone with a man whose first attempt at online shopping seemed to have resulted in a fraudster using his card to buy mobile phone top-ups. I don’t understand why he called us (it wasn’t one of my web shops), but I hope I did the right thing by directing him back to his credit card company’s fraud department.

While I was talking to him, I was checking the shop he had problems with. I wouldn’t have bought from it. Here’s how I checked it:-

1. Check the Page

Open the front page of the site in one browser window and then use another window to get to a page that ought to be secure (the payment/checkout page is my usual one). Look at them both. Do either of them show any logos from well-known payment (Barclays, RBS, Protx, …) or security-checking services (thawte – who else?)? That’s not entirely reliable, but it’s usually a good sign because those companies attack people using their marks without permission.

Look at the payment/checkout page – does the address in the address bar start “https”? If so, is the padlock in the browser status bar (usually bottom right) closed? That usually means it’s encrypted with a Secure Sockets Layer (SSL) certificate.

2. Check the Certificate

Open the certificate details. In Firefox-based browsers, double-click the padlock, then click the “View Certificate” button. Then pick “Subject” in the second list box. Usually, it looks like this:-

Basic Certificate Screenshot

in that case, as long as the “CN” (common name) is the webserver you thought you were using and the “O” (organisation) and country code (C) make sense, then there’s nothing wrong.

Some shops now use Extended Validation certificates and give a bit more information. Here’s one from a train company:-

Extended Validation Screenshot

In addition to the CN and O, it shows Organisational Unit (OU), Location (L), State (ST) and also other address parts and company number that Firefox doesn’t display neatly. This is a bit more reassuring, but also a lot more expensive for the shop owner (around 20 times more, last I checked), so I don’t blame shops for not using them.

3. Check the Registrations

By this point, the payment processing and actual transaction are looking pretty good. Finally, I check the recipient. Find the business details on the web shop. Does it include a geographic address? If it contains a company registration number, look it up on the Companies House website.

Then I find the business details on the domain names – you can use CoolWhois to look up domain names. If any of the addresses or numbers don’t match (Website, SSL Certificate, Whois), then I call them to ask why their website says they’re based in Bristol but their domain name is registered to Bolton. If they don’t answer messages, or – worse – the domain name says “Non-trading Individual” and the address has been omitted from the public listing, I give up on them and look for another shop. There’s no point securely paying someone that you can never reach if there’s a problem.

4. Buy Stuff and Check the Statements

All being well, I then buy stuff and check my credit card statement each month before I pay it. I think any web shop owner (or webmaster – I help some people with this sort of thing) should be taking care of the basics above. Do your shops measure up?

Despite the above checks, I can only remember not buying something online once in the last year. A couple of times, I’ve worked through the above steps and it’s changed which shop I bought from – and I’m pretty sure it saved me from losing £400 on one purchase.

Spammers Silenced by Service Suppliers

MJ Ray — Fri, 14 Nov 2008 13:51:49 +0000

Maybe, like me, you’ve noticed that you’ve had less junk email this week and you’ve been wondering why. News sites are reporting that a large spammer-friendly hosting service in California has been disconnected by its service providers after they were sent evidence about its activities. (Check out the “Next” links on the report to see how the story develops.)

For the technically-minded, Changes in Spam Levels this week Posted by simonw illustrates the level of disruption and may grow an interesting discussion from server managers – it seems the reduction is less than the 75% reported in some news services, but still significant.

This is great news for all good internet users. It’s disappointing if the spam hosting service won’t have to pay any of the costs they’ve inflicted on other computer users in some way. The only practical negative that I’ve noticed so far is that much of the stopped spam was pretty easy to identify and filter out, so the reduction in spam reaching my “unsure” mailbox hasn’t been anything like 50%. Still, less spam hitting the filters means less computer power used, which means less electricity and network data transfer used, which means lower costs for us. Yippee!

And finally, I smiled at this comment over on the WebmasterWorld discussion:-

“Our spam email has dropped so much in the past 2 days that I was beginning to wonder if there was something wrong with our email accounts.”

BT Yahoo! Upgrade Email Security

Terry Lane — Wed, 21 May 2008 10:14:37 +0000

BT have upgraded email security for their BT Yahoo! Mail accounts. The security upgrade is to help in their continued fight to prevent fraud and spam.

Anyone who uses a BT Yahoo! Mail account should have received an email from BT explaining that, as an account holder you will need to make some changes to continue sending emails from alternate addresses.

BT are asking that all customers verify the mail accounts so that they can be passed as safe email addresses. If you don’t verify the mail addresses your outgoing emails may be blocked and you might get an Error 553 message.

For more information visit www.btyahoo.com/verify.