What geeks need to tell our parents about shopping online safely and securely
Mom and Dad, it's a dangerous Internet. You like it and you use it but you don't understand it. I totally get that. I don't understand plumbing. I know that the sink drain goes into the bendy thing and then into the wall. After the pipe hits the wall, as far as I know, it's turtles all the way down. I assume the Internet feels about the same to you.
I don't want to condescend or imply that the web is a series of tubes. You're not interested in knowing all the details and I'm not a plumber, but there's a minimum amount of stuff you should know to be safe. You don't need to memorize this stuff, but it's nice to know generally where the pipes go and when to call a plumber. Or me.
Looking up web addresses
When you type in an address www.amazon.com in your browser, your computer queries the Internet's Yellow Pages and tries to find out exactly where amazon.com is. These yellow pages are called DNS (Domain Name Services). This is just like me taking your home address and getting a latitude and longitude location on a map, then going there.
Just like it's easier to remember an address like "6 Main Street" than some numbers like latitude and longitude. It's easier to remember "amazon.com" than it is to remember a number like 18.104.22.168. An address is a convenience.
However, do you trust the Yellow Pages? One day a book showed up on your doorstep, you reference it and it tells you where stuff is. What if an evil-doer dropped pretend Yellow Page books on everyone's doorstep and folks who wanted to go to the store were sent somewhere evil? Hopefully at some point you'd "feel wrong" about the directions you were given and you'd question yourself.
For the most part, you're usually OK, but if you ever type an address and go somewhere that feels wrong, ask someone. There are toolbars and weird little evil bits of software (called malware or adware or spyware) that can "hijack" your browser. They deliberately give your browser incorrect directions in order to get you to go to their site.
It'd be like calling the operator and asking for directions to the Safeway Market and having the operator give you directions straight to Thriftway. You didn't know you couldn't trust the operator!
Develop your Internet Street Smarts
If I tell you to go to www.amazon.com you should usually feel OK about that. If someone tells you to go to www.payments-secure-amazon.com you should think that smells fishy. Keep your head up and protect your neck.
See the picture below? It looks like a link to amazon.com and I'm about to click on it, but see the down at the bottom there's a little window that shows a different website. The blue link is under evil guy's control and can say anything, but the one at the bottom is a hint from your browser that something is fishy.
The browser you use might show this in a different way, but the idea is the same. If someone gives you a link that smells fishy, use your judgment. Develop a healthy - but not paralyzing - suspicion. Everyone in the world isn't out to get you, but pickpockets do exist.
Here's some hints on what to look for. Try to think about not as a scary computer thing but rather use the common sense you've developed in the real world. When you go to Macy's to shop, does it look and smell and feel like Macy's? How do you know it's not a fake Macy's façade that someone put up with cardboard?
Does the address match the logo?
Take a look at this screenshot. Is this a real Abercrombie & Fitch store? The logo says it is, but that address is kind of smelly, don't you think?
Lets say I start shopping at this fishy site anyway. When I start putting things into my shopping cart and giving a store money OR my personal information, a reputable site should change our conversation to a secure line.
Just like in spy movies we hear the lead say "Is this phone encrypted? Don't call me from an insecure line, do you want to get us all killed!?!" you want to think in the same terms.
A Private Conversation
Is your conversation with a website private? Here's the fake site on the left and the real one on the right. See how a little lock appeared? That means the conversation we're having with that site is private.
Now, please, read this part carefully, Mom and Dad. The lock says the conversation is private, but the lock doesn't say I should trust them. You can have a private conversation with a bad guy. There are bad sites with this little lock.
HTTPS (SSL) doesn't mean "I can trust this site," it means "this conversation is private." You still might be having a private conversation with Satan. - Scott Hanselman
Trust and Privacy are different things. "Do I trust this person" and "Is our conversation private?" are different questions. You want to answer yes to both questions before you give a company your credit card number.
I can click on the lock at the https://www.abercrombie.com website to see a bunch of techie stuff. That techie stuff is not as interesting as is the other locks and information. There's two green locks assuring me of the privacy of our interaction, but more importantly I can see I've never visited this site before.
But what if I know I have visited the site? What if I visit this site every day and now here it is saying I don't? This is a good time to look around and make sure I am where I think I am. Check the address again, just like you would in real life before you ring the doorbell.
Compare this to Amazon, a site I do visit all the time.
A Trusted Conversation
If you're going to do some online banking, you should expect to see that lock as soon as you get to the bank's site.
Large, reputable banks should use a special lock on their sites. See this https://www.bankofamerica.com site in three different browsers below? The address bar has turned green. This means that not only is our conversation private but that a company has checked to make sure it's really Bank of America. This means I can trust them AND our conversation is private. These are called "high assurance" or "extended validation" certificates if you want to tell your local credit union or community bank to get one.
Just like Scully and Mulder check other agent's IDs before talking to them, you should be checking the identification of websites you talk to.
Questions to Ask
Ask yourself these questions when you start giving away your name, address or credit card online.
- Does the address for this website look correct?
- Does the site look real? Have I been here before?
- How did I get to this site? Did I use a bookmark or did I click on an email from a stranger?
- Is there a lock in the address bar?
- For banks or finance sites, is the address bar green? What does it say when I click on it the lock?
What can Techies do to help our parents?
Consider setting Mom and Dad up with OpenDNS. It's not only a trusted DNS Service (That's Yellow Pages, Mom, if you're still here) but OpenDNS can block inappropriate sites for the whole family no matter what browser you use.
If you (or Mom) had the Web of Trust installed, this is what you would have seen when visiting an evil site like this. I'm installing this free tool on Mom's machine today. It's a browser plugin that uses other people's experience to augment yours!
Technical Analysis: The Abercrombie and Fitch Brown Pants Fiasco, "Splogs," and you - Techie details in layman's terms about how there are thousands of fake stores out there waiting for you.