Scott Hanselman

What geeks need to tell our parents about shopping online safely and securely

April 04, 2012 Posted in Musings

Image: Creative Commons, "StopHerJones" on Flickr

Mom and Dad, it's a dangerous Internet. You like it and you use it, but you don't understand it. I totally get that. I don't understand plumbing. I know that the sink drain goes into the bendy thing and then into the wall. After the pipe hits the wall, as far as I know, it's turtles all the way down. I assume the Internet feels about the same to you.

I don't want to condescend or imply that the web is a series of tubes. You're not interested in knowing all the details and I'm not a plumber, but there's a minimum amount of stuff you should know to be safe. You don't need to memorize this stuff, but it's nice to know generally where the pipes go and when to call a plumber. Or me.

Looking up web addresses

When you type an address like www.amazon.com into your browser, your computer looks it up in the Internet's Yellow Pages to find out exactly where amazon.com is. Those Yellow Pages are called DNS (the Domain Name System). It's like taking your home address, finding its latitude and longitude on a map, and then driving there.

It's easier to remember an address like "6 Main Street" than a latitude and longitude, and it's easier to remember "amazon.com" than a number like 194.105.56.3. The name is a convenience for people; the number is what the computer actually uses.

However, do you trust the Yellow Pages? One day a book showed up on your doorstep; you look things up in it and it tells you where stuff is. What if an evil-doer dropped fake Yellow Pages on everyone's doorstep, so that folks who wanted to go to the store were sent somewhere evil instead? Hopefully at some point you'd "feel wrong" about the directions you were given and question them.

For the most part you're fine, but if you ever type an address and land somewhere that feels wrong, ask someone. There are toolbars and nasty little bits of software (called malware, adware or spyware) that can "hijack" your browser. They quietly change where your computer looks names up, or pin certain names to the wrong place, so that you get deliberately wrong directions that lead to their site instead of the one you asked for.

It'd be like calling the operator and asking for directions to the Safeway Market and having the operator give you directions straight to Thriftway. You didn't know you couldn't trust the operator!
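For the techies reading over Mom's shoulder: one of the ways that "evil software" hands out wrong directions is by editing the computer's local hosts file, which the browser consults before it ever asks DNS. The script below is an added example, not part of the original post, written in Python against a constructed hosts file. The watch-list of shopping and banking domains and the "last two labels are the real domain" rule are my assumptions (a production tool would use the Public Suffix List). It reports a watched domain only when it is pinned to a routable address; a pin to 127.0.0.1 or 0.0.0.0 merely blocks a name, which ad blockers do on purpose.

```python
import ipaddress
import os
import sys

# Shopping/banking domains we expect real DNS to answer; they should never be
# pinned in the hosts file. Assumption: the "real" domain is the last two
# labels (fine for .com; a production tool would use the Public Suffix List).
WATCHLIST = {"amazon.com", "bankofamerica.com", "abercrombie.com"}

# Constructed sample, not copied from a real machine. The last two entries are
# the kind of thing a "toolbar" drops in to send the browser somewhere else.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example    # ad-blocker style pin: harmless
# "helpful toolbar" added these:
203.0.113.45    www.amazon.com amazon.com
203.0.113.45    www.bankofamerica.com
"""


def registrable(name):
    """'www.amazon.com' -> 'amazon.com' (two-label simplification)."""
    return ".".join(name.split(".")[-2:])


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(hostname, ip)] for watched domains pinned to a routable address.

    A pin to 127.0.0.1 or 0.0.0.0 only *blocks* a name (ad blockers do that);
    a pin to a routable address silently redirects the browser, which is the
    hijack the post describes.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if registrable(name) not in watchlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; it cannot redirect anyone
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, ip))
    return hits


def system_hosts_path():
    """Where the OS keeps the hosts file (Windows vs. everything else)."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def report(label, text):
    """Print one line per redirected entry, or an all-clear."""
    hits = find_hijacks(text)
    for name, ip in hits:
        print(f"WARNING [{label}]: {name} is pinned to {ip}")
    if not hits:
        print(f"OK [{label}]: no watched domain is redirected")


if __name__ == "__main__":
    report("sample", SAMPLE_HOSTS)          # shows what a hijack looks like
    path = system_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report(path, fh.read())         # then check this machine
    except OSError as exc:
        print(f"could not read {path}: {exc}")
```

This only catches the hosts-file flavour of hijack. Software that changes which DNS server the computer asks leaves the hosts file untouched; for that, compare the answer from the system resolver against one from a resolver you trust, and treat a difference for a banking or shopping name as the same "feels wrong" signal.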

Develop your Internet Street Smarts

If I tell you to go to www.amazon.com you should usually feel OK about that.  If someone tells you to go to www.payments-secure-amazon.com you should think that smells fishy. Keep your head up and protect your neck.

See the picture below? It looks like a link to amazon.com, and I'm about to click on it, but look down at the bottom: there's a little window that shows a different website. The blue link text is under the evil guy's control and can say anything; the address at the bottom is your browser telling you where the link really goes, and that's the hint that something is fishy.

Totally Not Amazon.com

The browser you use might show this in a different way, but the idea is the same. If someone gives you a link that smells fishy, use your judgment. Develop a healthy - but not paralyzing - suspicion. Everyone in the world isn't out to get you, but pickpockets do exist.

Totally Not Amazon.com
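What the browser's status bar is doing for you can be written down as a check. Here is an added example, mine and not part of the original post, in Python. It reads the links out of a constructed e-mail snippet and flags the two smells described above: link text that names one site while the link really goes to another, and a destination like payments-secure-amazon.com that merely mentions a trusted brand without being that brand's domain. The TRUSTED set and the "last two labels are the real domain" rule are my assumptions; a real tool would use the Public Suffix List so that names like example.co.uk are handled correctly.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands we care about, by registrable domain. Assumption: the site's real
# domain is the last two labels (fine for .com; a real tool would use the
# Public Suffix List to handle names like example.co.uk).
TRUSTED = {"amazon.com", "bankofamerica.com", "abercrombie.com"}


def registrable(host):
    """'www.amazon.com' -> 'amazon.com'; 'amazon.com.evil.net' -> 'evil.net'."""
    return ".".join(host.split(".")[-2:])


def host_of(url_or_domain):
    """Hostname of a URL; bare domains in link text are treated as http://domain."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlsplit(url_or_domain).hostname or "").lower().rstrip(".")


def looks_like_domain(text):
    """Visible link text such as 'www.amazon.com' (no spaces, has a dot)."""
    return bool(text) and " " not in text and "." in text


def lookalike(host, trusted=TRUSTED):
    """True if host name-drops a trusted brand without *being* that domain,
    e.g. payments-secure-amazon.com or www.amazon.com.evil.net."""
    if registrable(host) in trusted:
        return False
    brands = {d.split(".")[0] for d in trusted}
    return any(b in host for b in brands)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return [(href, verdict)] for links the status bar would expose.

    'text-mismatch': the visible text names one site but the link goes elsewhere.
    'lookalike':     the destination merely mentions a trusted brand.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if not real:
            continue  # relative link, mailto:, etc.
        if looks_like_domain(text) and registrable(host_of(text)) != registrable(real):
            findings.append((href, "text-mismatch"))
        elif lookalike(real):
            findings.append((href, "lookalike"))
    return findings


# Constructed phishing-style snippet, not a real e-mail.
SAMPLE_EMAIL = """
<p>Your order is ready:
   <a href="http://www.amazon.com.login-verify.example/ap/signin">www.amazon.com</a></p>
<p>Pay here: <a href="https://www.payments-secure-amazon.com/">Secure Amazon Payments</a></p>
<p>Or shop at <a href="https://www.amazon.com/">amazon.com</a></p>
"""

if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:14} {href}")
```

The third link in the sample passes because "amazon.com" in the text and "www.amazon.com" in the address are the same registrable domain. The first fails for the same reason Mom should distrust it: the words say amazon.com, but the address ends in login-verify.example, and the part that comes last is the part that counts.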

Here are some hints on what to look for. Try to think of this not as a scary computer thing but as the same common sense you've already developed in the real world. When you go to Macy's to shop, does it look and smell and feel like Macy's? How do you know it's not a fake Macy's façade that someone put up with cardboard?

Does the address match the logo?

Take a look at this screenshot. Is this a real Abercrombie & Fitch store? The logo says it is, but that address is kind of smelly, don't you think?

Fake - Shop Abercrombie & Fitch UK Online - Discount Abercrombie and Fitch Clothing Sale

Let's say I start shopping at this fishy site anyway. When I start putting things into my shopping cart and giving a store money OR my personal information, a reputable site should switch our conversation to a secure line.

Just like in spy movies we hear the lead say "Is this phone encrypted? Don't call me from an insecure line, do you want to get us all killed!?!" you want to think in the same terms.

A Private Conversation

Is your conversation with a website private? Here's the fake site on the left and the real one on the right. See the little lock? That means the conversation I'm having with that site is private: nobody sitting between my computer and theirs can read it.

Now, please, read this part carefully, Mom and Dad. The lock says the conversation is private, but the lock doesn't say I should trust them. You can have a private conversation with a bad guy. There are bad sites with this little lock.

HTTPS (SSL) doesn't mean "I can trust this site," it means "this conversation is private." You still might be having a private conversation with Satan. - Scott Hanselman

Trust and Privacy are different things. "Do I trust this person" and "Is our conversation private?" are different questions. You want to answer yes to both questions before you give a company your credit card number.

A fake site and a real site, side by side

I can click on the lock at https://www.abercrombie.com to see a bunch of techie stuff. That techie stuff is less interesting than the other locks and information around it. There are two green locks assuring me that our interaction is private, but more importantly I can see that I've never visited this site before.

But what if I know I have visited the site? What if I visit this site every day and now here it is saying I don't? This is a good time to look around and make sure I am where I think I am. Check the address again, just like you would in real life before you ring the doorbell.

Clicking on the SSL Lock gives more information

Compare this to Amazon, a site I do visit all the time.

Clicking on the SSL Lock gives more information

A Trusted Conversation

If you're going to do some online banking, you should expect to see that lock as soon as you get to the bank's site.

Large, reputable banks should use a special kind of lock on their sites. See this https://www.bankofamerica.com site in three different browsers below? The address bar has turned green. That means not only is our conversation private, but the company that issued the lock (a certificate authority) has checked the paperwork and confirmed that the site really belongs to Bank of America. So I know who I'm talking to AND our conversation is private. These are called "high assurance" or "extended validation" (EV) certificates, if you want to tell your local credit union or community bank to get one. The green bar identifies the company; it still doesn't promise they'll treat you well, so trust is a judgment you make about the name it shows. (The major browsers have since stopped painting the bar green; today you click the lock and look for the company name in the certificate details instead.)

Just like Scully and Mulder check other agents' IDs before talking to them, you should be checking the identification of the websites you talk to.

EV SSL Certificates are high trust

Questions to Ask

Ask yourself these questions when you start giving away your name, address or credit card online.

  • Does the address for this website look correct?
  • Does the site look real? Have I been here before?
  • How did I get to this site? Did I use a bookmark or did I click on an email from a stranger?
  • Is there a lock in the address bar?
  • For banks or finance sites, is the address bar green? What does it say when I click on the lock?

What can Techies do to help our parents?

Consider setting Mom and Dad up with OpenDNS. It's not only a trustworthy DNS service (that's the Yellow Pages, Mom, if you're still here), it can also block inappropriate sites for the whole family no matter what browser they use.

If you (or Mom) had Web of Trust installed, this is what you'd have seen when visiting an evil site like this one. I'm installing this free tool on Mom's machine today. It's a browser plugin that uses other people's experience to augment yours!

web of trust

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

April 04, 2012 22:40
Sorry, this is exactly why Apps are to Browsers what the GUI was to the Command Line.
Joe
April 04, 2012 22:42
Scott,

Thanks for the summary write up, I am forwarding this to my parents right now.
April 04, 2012 23:08
OpenDNS set to at least moderate catches almost all of it without any effort, and it's free. I'm sure you've heard that before many times.
April 04, 2012 23:09
Ignore me. Meant to type that somewhere else.
April 04, 2012 23:24
Well, it seems my bank doesn't use an extended validation certificate... and it's one of the 2 largest banks in France! #fail
April 04, 2012 23:33
Thomas - Now you know to tell them to step up! ;)
April 04, 2012 23:52

Trust and Privacy are different things. "Do I trust this person" and "Can our conversation be overheard" are different questions. You want to answer yes to both questions before you give a company your credit card number.


I don't think you want to answer yes to the second question.
April 04, 2012 23:55
Nice! A great writeup that can be easily shared with non-techs. Thanks!
April 05, 2012 0:14
Great article, forwarding it on to the fam.

Not sure if you noticed/care but your last screen shot has a pretty offensive "N bomb" in it.
April 05, 2012 2:21
Nevada - Oops, I'll fix that sentence.

Abe - Yes, sadly, that's why the site is unsafe and I mention that in my other A&F link. I'll remove that however.

April 05, 2012 4:07
@Joe - Sorry dude.

I like apps as much as the next guy, but you need to be a little less smug and follow these directions just as much with apps: http://techcrunch.com/2012/02/03/app-store-fakes/

(Only I suppose with apps, there are a few less clues that it's a fake app).
April 05, 2012 5:01
I don't trust www.mywot.com :p
April 05, 2012 8:21
one other thing

put online purchases on a dedicated credit card, and make sure that it has good customer service. American Express would be my go to card for online stuff.

Sooner or later your stuff will get stolen, so make sure you get to work with a company that has good service.
April 05, 2012 10:21
Thank you for the article.

The only change problem: "Parents" should be "Family". :)

I am now sending it to my family.
April 05, 2012 14:00
Everyone's got the same idea and I'm doing it too - make my family read this!
April 05, 2012 16:59
Thanks, good Job.
April 06, 2012 3:00
yet another excellent post Scott. am passing on to my parents :D
April 06, 2012 5:30
Hi. Do you remember the phone? That thing that goes ring ring? If a page looks fishy, call the business up and check with them. Same with offers that do not look reasonable. Or check all offers. It pays to be sure. Anyway, good and useful article. I did not know about the green text in the URL. Thanks

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.