Philatelic News


I wanted to take a moment to discuss the Internet and Best Security Practices. This applies to site owners and collectors equally. There is a plethora of web sites out there that want your money and/or your personal information and there are ways to prevent them from getting it. First I want to discuss the practice of phishing.

Phishing is done via email. You receive a really pretty, official-looking email containing links that you are expected to believe lead back to the company’s site. There is usually some dire warning about your account being deactivated, or about unusual transactions. This in itself should be enough reason not to click on the link(s). These emails don’t always come from banks or credit card companies. I got one over the holidays that confirmed my purchase on Amazon. This email had a rather large amount listed for the order total that I knew was bogus. Normally I would delete it outright, but I had made some purchases and incorrect amounts do happen. When I opened the email the first thing I checked was what site the link went to. NEVER click a link you don’t know just because the text says so-and-so company. All modern browsers allow you to run your mouse over the link (without clicking) to display the link destination. Test this in your email program so you know where it displays in your window. If you want to go to the real site, open up a browser window and type in the web address manually – don’t use the link provided! Also, don’t bother to even open emails that come from banks, or companies, you have no relationship with. Delete them outright.
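The hover check described above can also be done by a program. This is an added example, not part of the original article: it reads the HTML of an email and reports every link whose visible text names one domain while the link itself goes to another. The sample email, its addresses and all function names are made up for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML email body (not a real message).
SAMPLE_EMAIL = """<p>Your order total is $1,249.00.</p>
<a href="http://orders.example.net/confirm?id=1">www.amazon.com/your-orders</a>
<a href="https://www.amazon.com/help">amazon.com help</a>
<a href="http://tracking.example.net/t">Click here</a>"""

DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.cur_href, self.cur_text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None

def same_site(host, claimed):
    """True if host is the claimed domain or one of its subdomains."""
    claimed = claimed.lower()
    if claimed.startswith("www."):
        claimed = claimed[4:]
    return host == claimed or host.endswith("." + claimed)

def mismatched_links(html):
    """Return (visible text, real host) where the text names another domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        named = DOMAIN_IN_TEXT.search(text)
        if named and not same_site(host, named.group(1)):
            findings.append((text, host))
    return findings

if __name__ == "__main__":
    for text, host in mismatched_links(SAMPLE_EMAIL):
        print(f"text says {text!r} but the link goes to {host!r}")
```

A link that only says "Click here" names no domain, so this check stays silent on it; the manual hover check is still needed there.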

Any dealer should have a secure web site whether or not they have a shopping cart. If they use forms or collect any personal information look to see if the site is secure. How? Each major browser is a little bit different but the address must always begin with HTTPS://.

In Firefox and Google you will see a locked padlock to the left of the web address.


In Microsoft that same padlock is to the far right in the address bar.

In non-secure sites the web address (url) will not begin with https and the padlock will either not be visible, unlocked, or will have a line drawn through it ( / ).

Another common mistake is typing the wrong url when you are browsing the web. We all know about eBay (www.ebay.com). What happens if you forget to type the “a” in eBay (or eby.com)? You are taken to a site with several suspicious links – DO NOT TEST THIS! What is more dangerous is ending up on a site that is designed to look like the site you were trying to get to, like Bank of America. There are a variety of reasons why this is done, not all of them benign.

Companies buy domain names that are similar to those of established companies. In many cases their site has links out to other sites that may have what you are looking for. These are advertising sites and they get paid for those links when you click on them (click-throughs). For the most part it is simply annoying to have to retype the address (which is what I always do). Don’t bother to click the links. Other sites are more dangerous. They ask for personal information which they can use to open accounts or steal your identity. You actually have to enter the information to get in trouble (look for that HTTPS). The worst sites are those that download malicious code (ransomware or malware) that can take over your machine or otherwise track your keystrokes as you enter them. If you get any kind of a pop-up asking you to download or install a script say NO! It is always best to set your browser settings to “prompt you” rather than doing it automatically.
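A mistyped address can be caught before you visit it by comparing it with the sites you actually use. This is an added example, not part of the original article: it measures how many keystrokes separate the typed name from each trusted name (a missing letter, an extra letter, a wrong letter, or two neighbouring letters swapped) and flags near misses. The trusted list and function names are made up for the illustration.

```python
# Constructed list standing in for a user's bookmarks.
TRUSTED = ["www.ebay.com", "www.amazon.com", "www.bankofamerica.com"]

def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute,
    or swap two adjacent characters (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)   # adjacent swap
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def normalize(host):
    """Lower-case the name and drop a leading 'www.' and trailing dot."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def check_typed_domain(typed, trusted=TRUSTED, max_distance=1):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None)."""
    name = normalize(typed)
    known = [normalize(t) for t in trusted]
    if name in known:
        return ("trusted", name)
    nearest = min(known, key=lambda k: edit_distance(name, k))
    if edit_distance(name, nearest) <= max_distance:
        return ("lookalike", nearest)   # one slip away from a real site
    return ("unknown", None)

if __name__ == "__main__":
    for typed in ["www.ebay.com", "eby.com", "bankofamercia.com", "example.org"]:
        print(typed, "->", check_typed_domain(typed))
```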

Get a lot of spam do you? Quit posting your email out there for the world to see (yes, I know mine is below). Companies use “spambots” to search the web for email addresses that they then sell to other spammers. If you own a website, build a contact form that will send you an email without disclosing it to the viewer. It is fairly easy to do.

Another trick spammers use is to write programs that use the forms on your own site against you. They look at the source code on your page (yes, it is visible – in your browser right-click in the window and select view source) and then set up an automated program to send in submissions. You end up with a ton of spam at best, but there is a more sinister motive. Most forms send a confirmation email back to the sender. Let’s say a spammer auto-sends 1,000 emails through your form. You then auto-respond to these 1,000 emails. You have effectively become the spammer’s mail server.

How do you stop form abuse? Put in that thing we all love to hate – the Captcha code.

If you use a random code it forces a manual entry for submission.
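Here is how the server side of such a form can work. This is an added example, not part of the original article and not any particular product's code: the owner's address stays on the server, each form gets a random code that expires and works only once, and no mail of any kind goes out unless the code was typed correctly. The address, the time limit and all names are made up for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)       # server-side key, never sent to the browser
OWNER_ADDRESS = "owner@example.com"    # placeholder; never appears in the page source
TTL = 600                              # seconds a code stays valid
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"   # no look-alike characters
used_tokens = set()                    # codes already redeemed (one submission each)

def sign(code, expires):
    """Bind a code to its expiry time under the server's secret key."""
    msg = f"{code.upper()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Return (code, token): show the code as an image, put the token in a hidden field."""
    now = int(time.time() if now is None else now)
    code = "".join(secrets.choice(ALPHABET) for _ in range(6))
    expires = now + TTL
    return code, f"{expires}.{sign(code, expires)}"

def verify(token, typed_code, now=None):
    """True only for an unexpired, unused token and the matching typed code."""
    now = int(time.time() if now is None else now)
    try:
        expires_text, signature = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False
    if expires < now or token in used_tokens:
        return False
    expected = sign(typed_code.strip(), expires)
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return False
    used_tokens.add(token)             # a solved code cannot be replayed 1,000 times
    return True

def handle_submission(form, now=None):
    """Return the (recipient, subject) messages the server would send."""
    if not verify(form.get("token", ""), form.get("code", ""), now):
        return []                      # no mail to the owner, no auto-reply to anyone
    return [(OWNER_ADDRESS, "New contact form message"),
            (form.get("email", ""), "We received your message")]
```

The used-code list here lives in memory; a site running on more than one server would keep it in shared storage and clear out expired entries.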

There are many more tricks and pitfalls out there. Be careful! If it looks suspicious assume it is until you know better.

About the author: Bruce Drumm owns and operates a web design and hosting company, Servers, Inc® – www.servers-inc.com, dedicated to philately and e-commerce. He’s been designing sites since 1997 and has partnerships with Adobe, Google, PayPal, Microsoft, and others. As a collector, he has an understanding of philately and how to do business on the Internet.