Factoring in greater security into your online transactions
The advent of the internet has made our lives even more convenient than before.
Today, we can basically do our entire grocery shopping online through e-commerce websites that sell a wide range of products — from electronics and home appliances to food items and personal care products.
If you’re going somewhere, you don’t even have to step outside to hail a taxi. Transport network vehicle services (TNVS) now let people book a ride that will take them from point A to point B at a fixed rate, all from the convenience of a mobile device.
But with the widespread use of the internet for e-commerce transactions come risks. Just as actual thieves rob banks, counterfeit money or falsify checks, online thieves have several means of infiltrating secure internet infrastructures to steal users’ data and finances.
INTERCEPTING TRANSACTIONS
One example of such means is through a man-in-the-middle attack, wherein an attacker pretends to be both the sender and the receiver of the transaction to intercept the financial data being sent.
An attacker can execute this method in a number of ways, one of which is by infecting a web browser with malware that compromises its security. This enables the attacker to modify the host website, alter the transaction, or insert additional transactions. The attacker could also impersonate the host website and reroute data sent to it to the attacker’s website.
This particular type of attack is called man-in-the-browser and is quite difficult to detect. Once the user is directed to the attacker’s fake website, the attacker can already harvest the user’s personal data entered on the website. The attacker can then use the personal data to impersonate the user and purchase items online or transfer funds from the user’s bank account to his or her bank account.
RECORDING KEYSTROKES
Another way of executing this kind of attack is through the use of keystroke loggers. An attacker can install a keystroke logger application on a person’s computer without the user suspecting it, for example by sending an email that contains a link or attachment; clicking on the link or attachment installs the application on the computer. The logger can also be installed inadvertently if the user inserts an infected USB flash drive into the computer. In some instances, other hardware connected to the computer, such as an infected keyboard or mouse, can be used to install a keystroke logger.
Once installed, the application records the user’s keyboard activity, including the keys used to input passwords. If the user has a credit or ATM card, the attacker can simply clone the card and use the password recorded by the keystroke logger to make a seemingly legitimate transaction online or through ATMs and point-of-sale terminals. The merchant would then think that the transaction was made by the cardholder rather than by the attacker, while the cardholder has no idea that his or her data has been stolen and used to make transactions on his or her behalf.
Such attacks can steal millions worth of financial data from unsuspecting cardholders. Where financial data is not the target, attackers steal the personal data of the cardholder and sell it on the black market. The data is then used to blackmail and extort money from the data owner, or is sold to advertising companies who use it to send adware (advertising ware) to the data owner. The data can also be used to impersonate the data owner and commit other crimes.
THE LINE OF DEFENSE
To protect users and secure their personal and financial data, e-commerce websites and tech companies have developed a number of means to prevent such attacks from being conducted. A formidable defense against man-in-the-middle attacks is the use of two-factor authentication to verify the user’s identity when making financial transactions online.
From the name itself, two factors are used to verify the user’s identity — something that the user knows (either a password, personal identification number (PIN), or other personal information) and something that the user has (either a token in the form of a key, a mobile device, or factors inherent to the user such as fingerprint, face scan, voice recording or iris scan). A combination of these two factors is used to authenticate a financial transaction made online.
Two-factor authentication works by adding an additional layer of security to the transaction. For example, even if an attacker learns the user’s password (something that the user knows) through a keystroke logger or by impersonating an e-commerce website, a transaction cannot proceed if the second factor (something that the user has) is not used to verify it.
As such, before an online transaction can proceed, an e-commerce website requests a second factor to authenticate the transaction. This could be a unique code generated by an electronic token, a unique code sent to the user’s mobile device via short messaging system (SMS), or biometric information such as a fingerprint or face ID.
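As an added illustration (not code from the original article), the following Python shows how a service could combine the two factors described above: a salted password check (something the user knows) and a time-based one-time code of the kind an authenticator token generates (something the user has), implemented as TOTP per RFC 6238 and RFC 4226. The account record, secrets and timestamps are constructed for the example; a real token or SMS code would be compared in the same way.

```python
"""Two-factor authorization of a transaction: password + time-based
one-time code (TOTP). Constructed example, not a production library."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a fixed number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` adjacent
    steps to tolerate clock drift; compare in constant time."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed user record: salted password hash plus the TOTP secret
    shared with the user's token (assumed enrolled out of band)."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)


def authorize_transaction(acct: Account, password: str,
                          otp_code: Optional[str],
                          at: Optional[float] = None) -> bool:
    """Both factors must pass. A password captured by a keystroke logger
    or a fake site is not enough when the one-time code is absent or wrong."""
    password_ok = hmac.compare_digest(
        hash_password(password, acct.salt), acct.password_hash)
    otp_ok = otp_code is not None and verify_totp(acct.totp_secret, otp_code, at)
    return password_ok and otp_ok


if __name__ == "__main__":
    acct = Account("correct-horse-battery")
    now = time.time()
    code = totp(acct.totp_secret, now)  # what the user's token would display
    print("password only:", authorize_transaction(acct, "correct-horse-battery", None, now))
    print("password + code:", authorize_transaction(acct, "correct-horse-battery", code, now))
```

Both checks are evaluated before the result is combined, so a failed password and a failed code take the same path; the `window` parameter is the usual trade-off between tolerating clock drift and widening the set of codes accepted at any moment.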
This system of authenticating financial transactions becomes even more secure as new means of verifying transactions are invented. There are now studies into the use of the Global Positioning System (GPS) and ambient noise as authentication factors, thus making it harder for online thieves to steal users’ personal and financial data during online transactions.
As an added layer of protection, users must also be mindful of their overall digital security. Users should:
• Have premium anti-virus and anti-malware software installed in their computers.
• Be wary of emails they receive from people they don’t know, or confirm with the sender beforehand if they know the sender personally.
• Be careful when inserting USB flash drives or other hardware into personal computers or mobile devices.
• Check for authentic security certificates before transacting with an e-commerce website.
• Learn to distinguish a fake website from the original by looking at the domain name, website features and design.
• Transact using only a personal computer or mobile device they trust.
• Make use of strong passwords, preferably those that combine upper case and lower case letters with numbers and symbols.
• Avoid sharing their passwords and other personal data with other people.