The Internet has transformed from what was once a collection of computers networked together for academic purposes into the greatest resource of knowledge and commerce in the history of mankind.
Unfortunately, as with anything that goes mainstream, there are dangers and thieves lurking around the Internet. So how do we ensure that the website where we enter our personal and financial information is a secure one?
Here are five steps to help you identify a secure website.
1. Validate the website’s address with https and padlock symbol
Firstly, take the time to check that the website’s address begins with HTTPS. Most browsers will also mark a secure site with a padlock.
An unsecured website’s address will always begin with HTTP, and the padlock will never appear.
Clicking on the padlock will also reveal the website’s identity, the validity of the security certificate, and who issued the security certificate.
If the website’s security certificate has expired, modern browsers will typically warn you that the connection is not private.
The most likely cause of such an error is that this is not the genuine website: it could be a fake designed to duplicate the look of the real site’s login page and collect your username and password.
Alternatively, the company that owns the website may simply have failed to renew the certificate in time. Even if you trust the company, it is advisable to contact their Help Desk to confirm, or to avoid doing business with them until the security certificate has been renewed.
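As an added example (not part of the original article), the Python script below uses only the standard library to read the same things the padlock shows: who the site is, who issued the certificate, whether it has expired, and whether it actually covers the hostname you typed. The certificate dictionary is constructed for the example in the shape `getpeercert()` returns, and `fetch_cert` is included for checking a live site.

```python
import socket
import ssl
import time


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Connect over TLS and return the server certificate in getpeercert() form."""
    ctx = ssl.create_default_context()  # verifies the chain against the OS trust store
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry, allowing a single left-most wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def inspect_cert(cert: dict, hostname: str, now_ts=None) -> dict:
    """Report what the padlock shows: who the site is, who vouched for it, whether it is current."""
    now_ts = time.time() if now_ts is None else now_ts
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # expiry as seconds since the epoch
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    hostname_ok = any(_san_matches(san, hostname) for san in sans)
    problems = []
    if now_ts > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    if not hostname_ok:
        problems.append("certificate does not cover " + hostname)
    return {
        "organization": subject.get("organizationName", "(not stated)"),
        "issuer": issuer.get("organizationName", "(unknown)"),
        "hostname_ok": hostname_ok,
        "expired": now_ts > not_after,
        "problems": problems,
    }


# Constructed sample in getpeercert() shape; not a real certificate or a real bank.
SAMPLE_CERT = {
    "subject": ((("countryName", "MY"),), (("organizationName", "Example Bank Bhd"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA TLS"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.examplebank.example"), ("DNS", "*.examplebank.example")),
}
```

For a live site, `inspect_cert(fetch_cert("example.org"), "example.org")` returns the same summary; a non-empty `problems` list is the script's equivalent of the browser's "connection is not private" warning.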
2. Pay attention to the common typos
Pay attention to the address of the website you’re accessing: there are many fakes registered under common misspellings of the real address and designed to look like the real thing.
Within the Malaysian context, the most common fake sites are those designed to duplicate the look and feel of the Maybank2U banking portal, because it’s the most widely used online banking system in the country.
Besides this, there are many common fake login sites designed to duplicate many widely used websites like Amazon, eBay, Facebook, PayPal, Google, Yahoo!, and so on and so forth.
Always ensure you’re entering these websites either by manually typing the address into the browser’s address bar, or from a bookmark that you saved during a prior secure session.
If you receive an email asking you to reset your password, be extra cautious, especially if you did not request a password reset.
Financial institutions will never, ever ask you to re-enter or validate your password.
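As an added example (not from the original article), this Python checker applies the advice above to the address actually shown in the browser bar: it compares the hostname against a short allow-list of sites the user really uses, and flags misspellings within a couple of edits, real domain names buried inside a longer fake one, punycode labels that can hide look-alike letters, and a known site reached over plain HTTP. The allow-list is an assumption for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually logs in to (an assumption for the example).
KNOWN_GOOD = ("maybank2u.com.my", "paypal.com", "amazon.com", "facebook.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, known_good=KNOWN_GOOD) -> tuple:
    """Return (verdict, reason) for the address shown in the browser's address bar."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("suspicious", "no hostname in address")
    for good in known_good:
        # genuine only if the known domain is the whole host or its trailing labels
        if host == good or host.endswith("." + good):
            if parts.scheme != "https":
                return ("suspicious", f"{good} reached over plain HTTP, not HTTPS")
            return ("known-good", good)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "internationalised (punycode) label; letters may be look-alikes")
    for good in known_good:
        if good in host:
            return ("suspicious", f"contains '{good}' but is not under that domain")
        # compare only the trailing labels so a 'www.' prefix does not inflate the distance
        tail = ".".join(host.split(".")[-good.count(".") - 1:])
        if 0 < levenshtein(tail, good) <= 2:
            return ("lookalike", f"'{tail}' is within 2 edits of '{good}'")
    return ("unknown", "not in the allow-list; check its reputation before entering credentials")
```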
3. Avoid going to websites of dubious origins.
If a website offers too many things for free that you would normally have to pay for (games, movies, music, software), it is usually too good to be true.
These websites may even be designed to look like legitimate game and software providers such as GOG, Steam, or Humble Bundle.
These websites are usually designed to inject malicious code into your device, which, if it is not updated with the latest patches, will be vulnerable to such attacks. At best, the code only causes problems with your device without actually harvesting any data. More often than not, however, it is designed to record your keystrokes so that your usernames and passwords can be collected for sale or held for ransom.
The highest-profile example of such ransomware was the WannaCry worm, which was very prevalent in 2017. It targeted vulnerabilities in outdated systems, exploiting security loopholes for illicit financial gain. Worse, it spread not only to normal home users but also to many government and system providers around the world.
4. Validate the business legitimacy.
All websites doing business legitimately will have the following information on the website:
- Physical address detailing the location of the business’ office.
- The business’ contact information such as phone numbers, email addresses, and official social media channels.
- Privacy statement detailing how the company will protect or use the information they collect from you.
- Product return policies if it is a website selling goods.
- Small logos indicating that the website has been secured by a security certificate provider such as Symantec, VeriSign, or DigiCert, and also local business accreditation, such as the SSM BizTrust badge.
5. Last but not least, always stay educated against virtual crimes.
It is an ongoing arms race between criminals and security enforcers, much like in the real world. As software becomes more complex and end users more sophisticated, so too does the criminal element that haunts the darkest recesses of the World Wide Web.
No matter how secure a system is, at the end of the day the weakest link is the end user: you. All the security in the world cannot protect you if personal information and passwords are voluntarily shared, or if the password is something easily guessed such as 123456 or abcdef. You would be surprised how commonly such passwords are still in use.
In this day and age where information can be easily shared via channels such as Facebook, Instagram, and WhatsApp, it is understandably difficult to determine what’s true and what’s fake.
As such, always maintain a healthy dose of scepticism when approaching a previously unknown website, and when all else fails, search Google to see whether the website has a good reputation. There are many forums and resources online, and people are constantly sharing the latest on scammers.
The local Malaysian resource is the Net forum; pay attention to its latest topics on scammers.
Are you looking for a trusted web developer?
If you’re building a website either for yourself or for your business, please get in touch with us. A trusted web developer is vital to ensuring that your business’ website can reach your target audience easily, and vice versa. Please ensure that your online presence gives potential customers no reason to think that your website is unsecured or cannot be trusted.