Online transaction security: Tips for staying safe

The online economy is massive, with billions of dollars changing hands every single day. Online shopping has brought consumers lower prices, incredibly diverse choice and an ease of buying that simply can't be matched in the physical world.

At the same time, however, it's not without its perils. Any time that much money is changing hands on a regular basis, there will be sharks circling trying to snap off a chunk of cash. Consultants QPR recently released a report into credit card fraud in which they estimated the cost of fraud where credit cards weren't present in Australia (which logically includes all internet-based transactions) was a problem worth $71,578,908 in 2008, a rise of 33 per cent over the previous year. Or, in other words, ouch.

So, online buying presents challenges to keeping your money safe, but if you're smart, they're challenges that aren't too hard to overcome.

Online banking

Banks love online banking; it's cheaper for them to deliver than over-the-counter services, and the convenience of being able to check your balances, transfer funds and pay bills online make it a real winner for consumers as well. The Commonwealth bank, for example, is reported to have at least 2.6 million active online banking customers, with a take-up rate of 60,000 more each month.

In order to access your online banking, you typically need your account number and a password. Needless to say, it's a very bad idea indeed to write your password down somewhere that somebody might find it. That doesn't have to be the end of your banking security, however.

Some banks extend their security with additional measures, which range from floating on-screen keyboards (which stop automatic attacks that rely on the position of the entry field being absolute) to the ability to have a secondary code automatically generated, either via a security dongle the bank supplies, or even by having the code sent via SMS to your mobile phone.

Picking a secure password

There's a balance between picking a multi-character, multi-case password with many numbers in it that's as secure as possible and utility. Too long, and you'll never remember it and lock your own money away from you. Too short and it's too easy for hackers to crack. Never choose a dictionary word or a password made up from your personal details (like street or pet names), as it's trivial to run a check against those from any PC. This doesn't mean you can't use some personal information to generate a memorable password that's still sufficiently tough to crack. Just don't use it in an easily identifiable way. Instead of using your last name, use a single letter from it, along with a large amount of other personal information, as an acronym.

Imagine your name was John Smith, and at one time you lived at 123 Evergreen Terrace (but you don't any more), you were born in 1972 and you have a cat called Fluffy.

The basic acronym from that could be JS123ET1972F. Not bad, but with a bit of mixing of order and cases, and you can get Js123eT1972F, which is better, and not exactly obvious to anyone — but you.

Many browsers — and the add-on portion of security suites such as Norton's 360 — offer the ability to store long complex passwords away in a password protected area, so that you don't have to remember too many long incomprehensible strings.

You can take the software approach and generate passwords that way, although we'd then advise you to use a program to store those passwords safely, as they can be near impossible to remember!

Two-factor authentication

Just knowing a password for a service (along with perhaps a name or account number) is what's referred to as single factor authentication — because you know something used to secure that bit of information. A more secure approach is two-factor authentication — either knowing two bits of information, which is weaker security (but better than single factor), or having access to another security measure, whether it's an SMSed password, token generator or biometric authentication measure. That way, a payment gateway authenticates something you have and something you know, lessening the risk if only one of those bits of information gets into the hands of financial hackers.

Shopping online

Having access to your bank accounts is handy, but how do you keep the other side of the equation — spending the money — as safe as possible?

The standard for online security is HTTPS (Hypertext Transfer Protocol Secure), an encrypted version of the standard hypertext protocol that delivers normal web pages. There's two dead giveaways that a site is using HTTPS. Firstly, the URL presented in your web browser's address bar should include HTTPS as its primary prefix. Secondly, your browser should display a lock symbol in the lower left-hand corner. Clicking on the lock symbol should bring up the site's verification details; make sure these match the site you're using, and your details (including credit cards, addresses and so on) should be secure between you and the vendor.

If you make a lot of online purchases, it may be worthwhile checking with your financial institution to see if you can get a secondary credit card with a low limit, or a debit card that draws only on your available funds. That way, even if the worst does happen, you won't end up owing large sums on a compromised card.

Another non-credit card option is to use BPAY for your online purchases, although this is typically more limited as you've got to have both vendor and bank support for it.

PayPal — is it your best option?

Outside credit card options, PayPal is one of the most widely accepted payment mechanisms online. Owned by auction giant eBay, it trades on consumer convenience and the promise of security for sales, including some consumer protection if a sale doesn't go through. On the consumer side, PayPal can be very convenient, although if you're buying goods from overseas keep in mind that you may incur additional duty or foreign currency conversion problems.

It is worth keeping in mind that while PayPal isn't a bank by Australian definitions, it is a member of the BFSO (Banking & Financial Services Ombudsman), so if you do encounter genuine problems that PayPal cannot or will not resolve, you can always appeal to the ombudsman.

Understanding common traps

Keyloggers and screen recorders
Many pieces of malicious software (malware) are designed to capture your personal details to enable digital fraud. Keyloggers capture all the keystrokes made on your keyboard — which could include your name, address details, credit card numbers and so on — while Screen recording programs deliver a visual representation of what's on your screen — which could include the bank you use, any on-screen keyboards that try to fool keylogging programs, as well as any visible on-screen details.

The best defence against keyloggers and screen recorders is to ensure that the machine you're using is secure with current antivirus and security software. For your own machine, this is a matter of keeping your security software up-to-date. It's also worth avoiding using public terminals, such as internet cafes, for any kind of financial transactions, as their public availability and wide variety of users make them an ideal target for scammers.

Phishing schemes
Ever received an email telling you your bank account details needed updating, even if it's not from a bank you use? Welcome to the world of phishing, where scammers try to get personal details from you via authentic looking emails and fake websites designed to look like the portal or shop you'd intended to visit.

There's a couple of key ways to check the authenticity of any email you get. Typically, scammers try to panic consumers with warnings to act swiftly, and with a supposedly real-looking link within the email for you to click. Within most mail clients, if you hover your mouse over the link, it'll show the final URL of the link itself. Read the whole thing out, and you'll spot a lot of fakes — there's a world of difference between www.bank.com.au and www.bank.com.au.thisisactuallyascammer.za, for example.

A lot of phishing email is also very poorly written, either due to secondary language issues, or the fact that the phishing scammers spread a very wide net. If the email doesn't get your name right — or is a guess based on your email address — it's almost certainly a fake. Why wouldn't your bank know exactly who you are?

If you're at all concerned with the contents of an email that do appear genuine, do your own research. Open a fresh browser session and type in the URL of your bank or online merchant, and log in that way. If the concern was genuine, you should see a message from them there corresponding. If there's no message — you've just dodged a phishing attempt.

When online met real world scamming
A very large percentage of online fraud starts in an offline manner, especially when it comes to password procurement. If you get a phone call from your banking institution asking for personal details, there's a very good chance it's a scam. Politely (because it could indeed be your bank) enquire as to the nature of the problem, and then offer to call the bank back on your own line.

Don't use a "direct" number offered to you by the person on the phone — they could suck you back into the scam pretty easily that way — and call your bank directly to check as to the nature of the problem. If it's genuine, you'll still deal with any financial emergency, but if it's fake and designed to panic you, you won't hand over details that could then be disseminated online even before you've finished the phone call.

Security tips

Web browser privacy mode
If you're running Internet Explorer 8, Google Chrome, Safari 2.0 or Firefox 3.5, you've got a tool in your arsenal to keep you safer online — privacy mode. Privacy mode in browsers sets up a separate browser window that (in theory) keeps data only as long as the browser window is open. Once you close it, the cache clears, keeping your private data out of the public domain. While privacy modes aren't perfect — there are reported issues with how some browsers clear the cache, as well as some issues with Adobe Flash — they do offer a good option for when you're using a highly public computer, especially in net cafes.

Keep your browser and AV software up-to-date
Internet Explorer has been the public whipping boy for security issues, at least in part because it's still the predominant browser in use today. IE8 is better than IE7, and the same is true of every other browser out there. Security holes are patched in updated versions, and running older browsers opens you up to exploits that might be ancient history in newer versions.

Likewise, most malware targets identity information — either for straight up fraud or identity theft. Keeping your AV software up-to-date will stop the inadvertent installation of keyloggers, screen capture utilities and other security-beating applications. It's not enough to just install an antivirus and firewall application — you have to keep them up-to-date.

Disable Autocomplete/Password storage in-browser
Browsers keep a cache of your sites and will, on prompting, offer to save passwords for you. This is both a convenience and security issue; if you disable it you'll have to enter passwords and URLs constantly, but keep your data secure if your PC were stolen or compromised. Keep it enabled and you'll have a slightly easier — but potentially poorer life.

Passwords — make them complex, change them frequently
We've already discussed ideal password length, but it's a point worth re-stating. Any password that's easily guessed, or a dictionary word, is worse than no password at all. You wouldn't hand your bank account details out to a random stranger in the street, and a poor password is the online equivalent of just that. Likewise, sticking to a single password, especially across multiple sites is a very bad idea. If just one of them is compromised (an action that might have nothing to do with your own actions) then all your accounts could quickly be compromised. Ideally, you should have a distinct password for each online service you use, and change those passwords at least a couple of times per year.

That's a lot of work to do, but there are tools to make it easier for you. Many security suites include a password storage feature locked behind a single password, and in the stand-alone application world, programs such as RoboForm, 1Password or KeePassX perform the same kinds of functions. Bear in mind that if you lose your key password for these applications, however, you'll be totally lost.