December 04, 2007 08:00 ET

Deloitte's Tips for Safe Holiday Online Shopping

TORONTO, ONTARIO--(Marketwire - Dec. 4, 2007) - The fast-approaching holiday season is one of the busiest times of the year for bricks and mortar and online retailers alike. While the number of shoppers turning to the Internet for their goods and services grows rapidly, the holiday season is also one of the busiest times of the year for unscrupulous individuals who take advantage of the online shopping spree to lure innocent shoppers into disclosing confidential information, such as passwords and credit or bank account numbers, to use them for their financial benefit.

Given heightened concern about security and identity theft relating to online shopping, Deloitte's security and privacy professionals offer the following tips to consumers and retailers looking for a safe and secure online shopping experience.

Consumers should:

1. Practise good housekeeping

- Make sure your computer has updated anti-virus and anti-spyware software, and a firewall. Set your computer to automatically scan for and detect malicious programs (Trojan horses, spyware) planted by hackers who want to capture sensitive data, trick you into disclosing sensitive information, or misdirect you to a fraudulent web site. If your operating system offers free software upgrades to close security holes, make sure to install them before you begin shopping online. Also be sure to use reputable anti-virus and Internet security software, as they provide regular updates to enable enhanced protection.

- Verify that your browser has been updated with the latest security upgrades (also known as patches), and that it supports 128-bit encryption. This high encryption level helps prevent sensitive data from being accessed by unauthorized people while you transact online. Consider upgrading the web browser to the latest version, as it provides a better security level and tools. Many operating systems offer an automatic update capability, which should be enabled if possible.

- Avoid opting for the "remember password and username" option. Despite its convenience, your information will be stored for any and all future users to access. On a public computer, avoid this option altogether.

2. Beware of online fraud activities

- Never respond to emails requesting that you log in to a shopping/financial web site in order to update account information or to rectify a security problem. Never click on web site addresses sent via email. Unscrupulous individuals who attempt to steal your personal data often use this technique, also known as "phishing," to lure customers to bogus, look-alike web sites designed specifically to collect as much of your personal information as possible. Your financial institution or bank will never communicate with you via email or over the Internet requesting your account number or password.

- Never send your financial information via email, as it is not a secure method of transmitting information such as credit card, chequing account or social insurance numbers. If you initiate a transaction and want to provide your financial information through an organization's web site, look for indicators that the site is secure, such as a lock icon on the browser's status bar or a URL for a web site that begins with "https:" (the "s" stands for secure). Fraud is ever more sophisticated, so vigilance here is important.

3. Practise safe online shopping

- Avoid using Internet kiosks and Internet cafes to conduct online transactions. Kiosk workstations may contain malicious code, such as keystroke loggers, to capture your username and password, and other sensitive personal information.

- When using a wireless network at home or in public, make sure the wireless access point you are using has strong wireless security and controls built in, such as Wi-Fi Protected Access (WPA). These controls, identified by a yellow lock icon next to the network's name, will ensure that your passwords and other sensitive data are encrypted on the wireless network you are surfing. They are also designed to deter individuals from hacking into your wireless network and intercepting your sensitive information. Also, ensure you are using the most up-to-date firmware on the wireless access point (available from the access point's manufacturer), and that all security features, such as encryption and filtering, are enabled. It is recommended that you do not use the default passwords provided with the products.

- Look for "seal of approval" icons, and read the company's privacy policy. Many, but not all, companies will post a privacy policy online that clearly spells out how they will treat your confidential information - if none appears, you may request it from the company directly. Seals of approval are provided by different authorities such as Verisign™ and WebTrust™, and serve to verify that the web site in question has been reviewed for adherence to their stated privacy and security policies that will protect your personal information. If you have any questions or concerns about its validity, consider contacting the retailer directly by phone to clarify that the site is adequately protected.

Retailers should:

- Adhere to the Payment Card Industry Data Security Standard (PCI DSS) and other application security standards. Assess your payment systems regularly against the PCI DSS. Adherence on your part will protect both you and your customers from breaches of confidential information.

- Provide assurances around the privacy of customer information. Post your privacy policy on your web site and communicate to your internal workforce the importance of adhering to a privacy policy.

- Ensure that all card information is transmitted using SSL (Secure Sockets Layer). A high level of encryption (128-bit) safeguards the confidentiality of sensitive data transmitted over the web.

- Leverage and adhere to Internet Seals of Approval. Leveraging seals, such as Verisign™ and WebTrust™, can enhance consumers' confidence in your web site.

- Take the time to examine the security features enabled on the credit card by the card issuers.

- Do not use email as a basis for driving traffic to your web site. Use other means to attract traffic (such as search engine advertising or other forms of advertising or branding), as consumers may not discern between legitimate and phishing email until it is too late.

- Never send 'unmasked' credit card information in email messages to your customers. Emails containing confidential information can be intercepted and exposed if left unmasked. Masking is a simple technique that substitutes x characters for the middle eight digits of the card number.
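The masking rule above, carried through as an added example (this is not Deloitte's code, and the message text is constructed for illustration): a pre-send check that finds unmasked card numbers in an outgoing email body and replaces the eight digits after the first four with x. The example goes one step beyond the release by applying the Luhn checksum, so that other long digit runs such as a tracking reference or a phone number are not mangled; the sample card number is a syntactically valid test number, not a real account.

```python
import re

# Constructed sample of an outbound order confirmation. The card number is a
# syntactically valid test number (it passes the Luhn check), not a real account;
# the phone number and tracking reference are digit runs that must be left alone.
SAMPLE_EMAIL = (
    "Thank you for your order #48213.\n"
    "Payment of $129.95 was charged to card 4111 1111 1111 1111.\n"
    "Tracking reference: 1234567890123456\n"
    "Questions? Call 416 555 0100 during business hours.\n"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    the result exceeds 9) and the total must be a multiple of ten. Used here to
    tell card numbers apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace the eight digits after the first four with 'x', keeping any
    separators so the formatting of the message is unchanged."""
    out = []
    seen = 0
    for ch in pan:
        if ch.isdigit():
            out.append("x" if 4 <= seen < 12 else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def find_unmasked(body: str) -> list:
    """Return the unmasked card numbers present in a message body (pre-send check)."""
    return [
        m.group(0)
        for m in PAN_CANDIDATE.finditer(body)
        if luhn_ok(re.sub(r"\D", "", m.group(0)))
    ]


def mask_outbound(body: str) -> str:
    """Mask every Luhn-valid card number in a message body before it is sent."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(m.group(0)) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, body)


if __name__ == "__main__":
    print("Unmasked card numbers found:", find_unmasked(SAMPLE_EMAIL))
    print(mask_outbound(SAMPLE_EMAIL))
```

Running `find_unmasked` on every outgoing customer message, and refusing to send when it returns anything, turns the tip into an enforced control rather than a guideline; `mask_outbound` is the remediation applied to the same text.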

- Encourage customers to check your web site for status updates. A good practice is to always drive customers back to your web site for status updates or confirmations. Do not send links to your web site by email - rather, advise customers to re-type your domain name directly into the address bar. This will ensure that they are visiting your legitimate web site.

- Test the vulnerability and exposure of your web site. Regularly verify and quickly correct vulnerabilities as a service to yourself and your customers. This should include checking for web sites whose names are misspellings of your legitimate business, or that carry your name under a different domain in Canada (.com versus .ca).
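The look-alike check in the last sentence, as an added monitoring example (not Deloitte's code; `examplestore.com` is a hypothetical retailer and the registration feed is constructed): it generates the names a customer might mistype, or a look-alike site might register, from the legitimate domain, including the .com/.ca swap the release names, and flags any that show up in a feed of newly registered domains.

```python
# Hypothetical retailer domain; not a real business.
LEGITIMATE_DOMAIN = "examplestore.com"

# Constructed sample of a newly-registered-domains feed, as a registrar or
# certificate-transparency monitor might supply it.
OBSERVED_REGISTRATIONS = [
    "examplestore.ca",
    "exmaplestore.com",
    "examplstore.ca",
    "unrelatedshop.com",
    "examplestore.com",
]


def lookalike_candidates(domain: str, tlds=("com", "ca")) -> set:
    """Names to watch for: the same label under each TLD, plus single-character
    omissions, adjacent transpositions and doubled characters of that label.
    The legitimate domain itself is excluded from the result."""
    label = domain.rsplit(".", 1)[0]
    labels = {label}
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubled character
        if i + 1 < len(label):                                 # adjacent transposition
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return {f"{name}.{tld}" for name in labels for tld in tlds} - {domain}


def flag_registrations(domain: str, observed) -> list:
    """Return the observed registrations that match a look-alike candidate,
    for review by the retailer (takedown request, or defensive registration)."""
    candidates = lookalike_candidates(domain)
    return sorted(d for d in observed if d in candidates)


if __name__ == "__main__":
    for hit in flag_registrations(LEGITIMATE_DOMAIN, OBSERVED_REGISTRATIONS):
        print("look-alike registration:", hit)
```

The candidate set is small enough to re-check against each day's feed; the same list is also the starting point for deciding which variants (the .ca counterpart first) to register defensively.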

- Practise due diligence with regard to payment card addresses. Validate cardholder information for all transactions (e.g., do the area code of the phone number and the billing address match?).

About Deloitte

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,600 people in 56 offices. Deloitte operates in Quebec as Samson Belair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms have any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries and not by the Deloitte Touche Tohmatsu Verein.