There are some quick and easy checks you can do to feel confident about visiting a website. Safety and security are actually two different things online. One involves trust and credibility while the other maintains certain standards of encryption for sensitive data. We need to pay attention to both.
A secure website can be determined by the use of HTTPS instead of HTTP in the URL address. Http stands for Hypertext Transfer Protocol, the addition of the ‘S’ means it has a secured layer.
The site goes through a process to confirm its identity and make sure that any information you share with it is encrypted and conversations cannot be read by others especially personal financial information. Once the site identity has been established, no one else can falsely set up a website and claim that same identity for the purpose of collecting data. As long as you see the HTTPS, you’ve reached the proper domain.
Only a business requiring personal data and financial information needs to apply for this added security. It is a difficult and lengthy process to complete and there must be a valid reason for needing a protected site. To be sure you are always reaching the intended site, remember to practice the following:
- Don’t click on pop-up ads that claim to redirect you to the website.
- Don’t respond to an unsolicited email. A credible company would only send an email if you already visited the site and shared your email address with them.
- Look for a Secure Socket Layer (SSL) Certificate indicating the site’s server is secure.
SSL Certificates explain the level of encryption between the website (server) and the browser (user’s) computer. This connection protects private information involving your identity and financial data being exchanged during each visit to the site. Companies choose a level of security that works best depending on the number of domains and servers. The strength of the security layer on a site is the level of bit encryption. A common number used is 256-bit encryption referring to the number of possible combinations of codes before being able to decrypt the site information. The length of the key (the minimum required by web browsers as of 2013 is 2048 bits) multiplied by the number of bits of encryption gives you the total.
Like everything in technology, there are still weak areas that need investigation like the use of the RC4 streaming cipher to stop hackers from sending random requests to servers using stolen authentication credentials. These attackers are able to manipulate the information a victim receives while visiting a site. They insert false date while web servers are negotiating the connection between the site and the victim. RC4 is designed to block the insertion of deceitful data during the process. 58% of websites are still not secure because they either have not updated their servers to use the RC4 patch or RC4 failed to secure the site due to a vulnerability. This is not a new issue either.
It became a focus at Infosecurity Europe in London in 2012 and they began the Trustworthy Internet Movement (TIM) beginning with a project for increased SSL control to force sites to upgrade and implement the use of RC4. Security experts called for proposals to switch from TSL certificates to increased use of SSL on the Internet and then launched SSL Pulse, an index to track the progress of SSL usage across the top one million websites. The RC4 patch was not working properly to prevent problems from happening before and after negotiation processes using TSL and still has some vulnerability with SSL. TIM now has a dashboard with tools and information to help website owners improve their SSL security.
There are free services that help consumers analyze a website’s security level too. Typing “free site server SSL tests” into the browser will give a list of several sites like Qualis SSL Labs. Google has an app that will check the SSL status of the sites you are visiting and warn you. Check Google Support to see how it works. There is even an app in the Chrome Store to install on the browser that will check automatically.
Spotify Data Breach Compounded by Password Sharing
There appears to have been a recent data breach with Spotify Radio although Spotify has not confirmed. The discrepancy is on whether the data was breached in an earlier incident despite complaints from users beginning in February of 2016. Victims claim receiving email notifications that their passwords or email addresses have been reset without their authorization, have playlists deleted, unfamiliar music saved to their accounts, and issues causing them to prove to Spotify that they are the real account owner.
An A+ Rating Still Requires Caution
Running a test through Qualis SSL indicates that the site is graded A+ on three different servers, but somehow, emails, usernames, passwords, account type and other supposedly secure data has been posted on a site called Pastebin, a website pasting tool used to store text online. There is clearly a hole the security process being exploited somewhere unless it is a result of an earlier breach prior to implementing upgraded security measures.
Don’t Reuse Your Passwords
The delayed reaction from Spotify complicated problems with other accounts the users had sharing the same passwords such as Facebook, Uber, Skype and even bank accounts. It is not recommended to use the same passwords for different sites, but this is a common mistake and people need to be aware of the impact it can have on their security across multiple sites.
When it comes to safety, you need to search for signs of a quality reputation before sharing information. This has nothing to do with the security technology on the site. To check for signs of a safe website, do the following:
- Check their reputation by looking are reviews and testimonial for positive consumer feedback. A Better Business Bureau rating and badge helps as well
- Look for the company’s physical address and phone number
- Make sure there is a return policy
- Don’t fall for prices that are too low to be believed
- Credit cards should be accepted
- Check for an icon of a padlock or an unbroken key which indicates a safety enabled and encrypted site
- Look for a privacy statement
Extra Security Verification Efforts
Take an extra step to protect yourself and your online accounts with additional security. Make sure passwords are unique for each site and use a multifactor authentication wherever it’s offered. It works like the 2-step verification used with a bank card. This security requires both the card and a PIN to access the account from an ATM.
Email and other personal accounts will ask to use mobile phones to verify a code in addition to your password. The code is sent as a text to your mobile device and is time sensitive.
Google Authenticator generates a code on your mobile device using an app to keep your security code separate from the site.
Login verification uses a backup code stored on an online app like Twitter and does not require a mobile device to login or receive a text. Having any internet connection allows you to securely access a site even if your phone or other device is lost.
Taking both safety and security issues seriously can prevent cyber-attack from visiting an unsafe site. Develop new habits going forward in this ever-changing technological world. There will always be new evolving threats, but staying ahead of them reduces the risk that you will become a victim. Steer clear of any site not displaying the correct signs of a healthy and trustworthy website.