Why the Padlock Symbol and Green Bar Appear in Your Browser, and Why You Should Care

by John Amaral

Despite a series of cyber-attacks against some of the world's largest retailers and financial services companies that made international news headlines and resulted in the theft of millions of Americans' personal and financial information, consumer confidence in online retailers remains strong. They trust that when they enter their credit or debit card numbers and other sensitive information into the online checkout page, those companies are taking appropriate steps to secure that information. However, the same cannot be said of the consumers themselves. Those are some of the key findings of the CA Security Council (CASC) 2015 Consumer Trust Survey report based on a survey of more than 650 consumers on their online shopping habits. While a significant majority say they understand the security risks, they admit they do not devote adequate levels of attentiveness to reducing their exposure to those risks. The good news: most shoppers can significantly improve their security postures by following some simple precautions, and by developing a better understanding of the technologies retailers can deploy to protect shoppers.

The CASC comprises leading global Certificate Authorities (CAs) committed to the security of the Internet. The CASC recently commissioned Survata Consumer Research to canvass 670 adults, 18 years or older, who shop online at least several times each year. The complete 2015 Consumer Trust Survey report and accompanying infographic are available to view online and download from the CASC's website.

First, the expected result: consumers find online shopping to be quite important. While shopping in person at a bricks-and-mortar store still leads in terms of total spend, online represents more than a third of consumers' budget (38 percent).

This mirrors what the retail industry is seeing, particularly as more consumers adopt smartphones and tablets that place fast web browsers and retailers' mobile apps right in their hands, even while they are browsing the aisles of bricks-and-mortar stores.

The Financial Times reported that Cyber Monday 2014, always the year's busiest online shopping day, saw sales worth $719m take place between midnight and 10 AM Eastern alone. That represents a 17 percent increase over 2013. A primary driver was more mobile shopping than expected, with 26 percent of all purchases made on smartphones or tablets.[1]

As consumers do more of their shopping online, they and retailers are coming under constant attack from increasingly sophisticated cyber attackers. Stephen Bonner of KPMG told The Guardian newspaper that the more information people share online, the more vulnerable they may be to "targeted" attacks that steal their passwords and data.

"It is possible that our willingness to share and shop online will let criminals become more selective about who they target," Bonner added. "They won't need to maintain the current 'hit and hope' approach of spear phishing, instead only attacking specific users and computers based on the data these give away about their owners."[2]

That context makes it all the more notable that 100 percent of CASC survey respondents say they either have been a victim of cybercrime or know someone who has. Why is it that, even with such a high level of awareness of the threat, so many consumers do not take adequate measures to protect themselves?

For example:

  • Most have at least one device they don't bother password protecting. The most common device left unguarded is the tablet, a device that 61 percent leave unprotected.
  • 43 percent are happy to use Wi-Fi without regard to security issues, as long as it is free.
  • 33 percent use just one or two passwords to log in across all their websites. This is especially problematic given the number of companies that have experienced breaches resulting in stolen passwords within the last few years.

This lax behavior does not signal a lack of understanding about how to identify secure websites, that is, sites that use the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols developed to protect online interactions. TLS and SSL require the web server to have a digital certificate assigned to it, typically issued by a Certificate Authority. The web server sends its certificate to the browser, enabling the browser to verify its legitimacy: that it was issued by a CA the browser trusts, is still valid, and matches the site's domain name.

There are two visual indicators that a website's certificate has passed the browser's checks:

  1. The presence of "https://" in a link or a browser's address bar
  2. A padlock in or next to the browser's address bar

Additionally, if the web server's certificate is a special Extended Validation (EV) certificate, the browser will indicate that by highlighting the address bar in green. EV-SSL certificates are issued by CAs only after a rigorous identity verification process, and they provide the highest level of authentication available for consumers to validate the website owner's legitimacy.

If any of these security checks fail, the browser will warn the user, although it may still permit the user to proceed to the website anyway.
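As an added example (not code from the article, the CASC or any browser vendor), here is one of the checks that sits behind the green bar: the browser decodes the certificate's certificatePolicies extension and looks for the CA/Browser Forum EV policy identifier 2.23.140.1.1. The two DER extension values below are hand-constructed samples, and a real client would first validate the certificate chain, expiry and hostname before looking at policies at all.

```python
# EV policy check on a DER-encoded certificatePolicies extension value.
# Example code written for this article; the sample DER bytes are constructed.

# CA/Browser Forum policy OIDs (from the Baseline Requirements / EV Guidelines)
EV_POLICY_OID = "2.23.140.1.1"
DV_POLICY_OID = "2.23.140.1.2.1"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8n + n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode DER OID content octets into dotted-decimal form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                   # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def policy_oids(extension_value: bytes) -> list:
    """Return every policyIdentifier in a certificatePolicies extnValue."""
    tag, seq, _ = _read_tlv(extension_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # PolicyInformation
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)      # policyIdentifier only;
        if tag != 0x06:                             # any qualifiers are skipped
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_bytes))
    return oids


def is_ev(extension_value: bytes) -> bool:
    """True when the EV policy OID is present (the 'green bar' condition)."""
    return EV_POLICY_OID in policy_oids(extension_value)


# Constructed sample extension values, not taken from any real certificate:
EV_EXT = bytes.fromhex("3009" "3007" "0605" "67810C0101")    # [2.23.140.1.1]
DV_EXT = bytes.fromhex("300A" "3008" "0606" "67810C010201")  # [2.23.140.1.2.1]
```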

The CASC survey found that consumers do favor websites that display the padlock symbol, the organization's name, and the green bar in the address bar, but they can still benefit from greater education. Forty-two percent of respondents understand at a high level that the green bar means more safety, although confusion remains as to how companies receive the extended validation (EV) certification.

There is no guarantee that consumers' information will be 100 percent immune to cyber-attacks, even if they shop only on websites that have earned SSL or EV-SSL certificates and always follow certain precautions. However, they can significantly reduce the risk by adopting best practices such as:

  • Implementing password protection on all Internet-connected devices
  • Avoiding unsecured Wi-Fi hotspots
  • Updating web browsers to the latest versions. Those updates typically include measures to address the most current online risks. If a browser displays a message about an untrusted security certificate for a website, don't proceed.

Most importantly, realize that validation matters. Consumers should look for the green bar, "https://" and the padlock symbol together when submitting private information to online retail websites, favorite social media networks, and any other site that requests data such as social security numbers, credit card numbers, birth dates, emails and mailing addresses. An educated and cautious online shopper is less likely to fall victim to cyber thieves, and more likely to help their friends and family adopt conscientious behaviors.

1. The Financial Times, "US retailers eye sales rebound," December 1, 2014.
2. The Guardian, "How you could become a victim of cybercrime in 2015," December 24, 2014.

About the Author
John Amaral is senior vice president, Product Management, at Trustwave and a member of the Steering Committee for the CA Security Council.

© Copyright 2015 Auerbach Publications