Best practices for safe web surfing

Computer-savvy criminals are increasingly setting up fake web sites in order to capture usernames and passwords that can be used to steal funds from bank accounts, to commit other forms of identity theft, or otherwise to gain unauthorized access to online resources.

Internet users must be on guard against such activities and must exercise special care to protect their confidential passwords.

One of the most important "best practices" when visiting a website that requires authentication is to type in the URL or web address of the desired site rather than selecting it from a saved bookmark, which spyware can silently alter to point at a look-alike site.

In particular, one should never log into a site after having clicked on a link received by e-mail. It is a common practice (referred to as "phishing") for attackers to send out legitimate-looking e-mail that contains a link to a fraudulent site they have created. Many financial institutions have sent advisories to their customers warning them to ignore such requests.

However, even if the URL is typed in directly, a computer infected by spyware may have been set up to redirect the user to a fraudulent site. One method is to insert an entry into the Windows hosts file (System32\drivers\etc\hosts), which the operating system consults before it asks DNS, telling the computer to send any requests destined for a particular financial institution to an alternative server chosen by the attacker.
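A simple way to check for this kind of tampering is to read the hosts file and flag any line that maps a financial institution's domain anywhere at all, since a bank's site has no business appearing there. The script below is an added example, not code from the article; the domain names and the sample hosts-file text are constructed for illustration, and the file path logic assumes the standard locations on Windows and Unix.

```python
"""Audit the local hosts file for entries that override a bank's address.

Added example (not part of the original article). The domains and the
sample hosts-file text are constructed for illustration.
"""
import ipaddress
import os
import sys

# Registrable domains of the sites you log into. Constructed placeholder;
# substitute the institutions you actually use.
WATCHED_DOMAINS = {"example-bank.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Handles '#' comments, tabs, several hostnames on one line and IPv6.
    Lines that do not start with a valid address are skipped, not raised on.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: malformed line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Return {hostname: ip} for every watched domain (or subdomain of one)
    that the hosts file pins to an address. Any hit is suspicious, even a
    loopback address, because a bank site should never be listed locally."""
    watched = {w.lower() for w in watched}
    found = {}
    for ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            found[name] = str(ip)
    return found


def default_hosts_path():
    """Standard hosts-file location for the running platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def audit_hosts_file(path=None, watched=WATCHED_DOMAINS):
    """Read the real hosts file and report overrides of watched domains."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return hosts_overrides(fh.read(), watched)


# Constructed sample: the normal localhost lines plus the kind of entry
# spyware inserts to send bank traffic to an attacker-controlled server.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.com online.example-bank.com   # injected
"""

if __name__ == "__main__":
    hits = audit_hosts_file() if len(sys.argv) > 1 else hosts_overrides(SAMPLE_HOSTS)
    for name, ip in hits.items():
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
    if not hits:
        print("no overrides of watched domains found")
```

Run it with any argument to audit the real hosts file instead of the sample. The hosts file is only one redirection path; malware that changes the machine's DNS server settings produces the same effect and leaves this file clean, so a clean result is necessary but not sufficient.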

Additional precautions are therefore necessary.

One fraud prevention technique used by many financial institutions is to store a cookie on the customer's computer after the first visit and then use that cookie to partially identify the customer on subsequent visits. The site can then display a user-defined message (to help the user confirm that he or she has reached the legitimate site), or skip the step of asking for the account number when the user returns.

While the latter approach may appear to reduce the level of security, it does help the user confirm the authenticity of the site, and by not requiring the user to re-enter the account number it offers partial protection against a "key logger" program installed (by spyware or by an employer) after the user's first access of the site. Since the user no longer types the account number, such software captures only the password, not the account number needed to use it. The protection is only partial: spyware that can read the browser's cookie file as well as keystrokes obtains both.

Prior to logging into a secure web site, it is also prudent to first confirm the authenticity of the site by checking its SSL certificate. SSL certificates are used by all "secure" web sites, and the browser checks that the certificate is valid and matches the site name before displaying the padlock.

URLs for such sites begin with "https" instead of "http." Such certificates are issued by one of the public certification authorities (such as Verisign, RSA Data Security or Entrust) that vouch for the identity of the organization operating the site.

For computers running Internet Explorer, the organization to which a certificate was issued can be checked by clicking (i) File, (ii) Properties, (iii) Certificates, (iv) Details, (v) Subject. The name of the organization is listed on the line beginning with "O" (for Organization Name); compare it with the institution you intended to visit. The separate "Issuer" field names the certification authority, not the site. Other browsers expose the same details through the padlock icon in the address bar.
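The same check can be scripted: connect to the site, let the standard library verify the certificate chain and hostname, and then read the subject's Organization and the issuing CA out of the certificate. The code below is an added example, not the article's own; the hostname is a placeholder, and the sample certificate dictionary is constructed in the shape that Python's `ssl` module returns from `getpeercert()` so the parsing can be exercised offline.

```python
"""Fetch a site's TLS certificate and report who it was issued to and by.

Added example (not part of the original article). The sample certificate
below is constructed in the format returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl


def flatten_name(rdns):
    """Turn getpeercert()'s nested subject/issuer tuples into a dict.

    A name is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs:
    ((('countryName', 'CA'),), (('organizationName', 'Example Bank'),)).
    """
    out = {}
    for rdn in rdns:
        for attr, value in rdn:
            out[attr] = value
    return out


def describe_cert(cert):
    """Extract the fields a user would check before logging in: the 'O'
    (organizationName) of the subject and of the issuing CA, the common
    name and the DNS subject alternative names."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "organization": subject.get("organizationName"),  # absent on DV certs
        "common_name": subject.get("commonName"),
        "san": sans,
        "issuer": issuer.get("organizationName"),
        "not_after": cert.get("notAfter"),
    }


def is_issued_to(cert, expected_org):
    """True when the subject's O field names the institution you expect.
    A missing O field means a domain-validated certificate: valid, but it
    says nothing about which organization controls the site."""
    return describe_cert(cert)["organization"] == expected_org


def fetch_cert(hostname, port=443, timeout=10):
    """Connect with the default context, which verifies the chain against
    the system trust store and checks the hostname. An untrusted or
    mismatched certificate raises ssl.SSLCertVerificationError rather
    than returning, so a dict here means the browser-level checks passed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, standing in for a live fetch.
SAMPLE_CERT = {
    "subject": ((("countryName", "CA"),),
                (("organizationName", "Example Bank"),),
                (("commonName", "www.example-bank.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Inc"),),
               (("commonName", "Example OV CA"),)),
    "subjectAltName": (("DNS", "www.example-bank.com"),
                       ("DNS", "online.example-bank.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for key, value in describe_cert(cert).items():
        print(f"{key:>13}: {value}")
```

Two caveats worth keeping in mind when reading the output. A fraudulent site can hold a perfectly valid certificate for its own look-alike domain, so a passing chain check proves only that you reached the name you typed; it is the Organization field, present only on organization- or extended-validation certificates, that ties the name to the institution. And `getpeercert()` returns the parsed dictionary only when the context verifies the certificate (the default), which is exactly the behaviour you want here.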

The public certification authority that issues the certificate will usually assume some level of liability if it issued the certificate improperly. The level of liability can range from $1,000 (for Entrust, used by National Bank and Bank of Montreal) up to $100,000 (for Verisign, used by Royal Bank and CIBC), depending on the "class" of the digital certificate. Check the authority's Certification Practice Statement for limitations on warranties and on its liability.

These techniques are only partially effective, and continued vigilance in keeping antivirus and anti-spyware software up to date is still necessary.

Ideally, financial institutions and other sites offering access to sensitive information will eventually offer two-factor authentication mechanisms (such as RSA SecurID tokens) of the type many lawyers at large firms already use to obtain remote access to their office systems. Because each token code is valid only briefly, a password captured by a phishing site or a key logger is no longer enough on its own to log in.

Alan Gahtan is a Toronto-based technology lawyer. Check out his web site at www.gahtan.com/alan
