Online transaction security - protecting your personal information

July 17, 2006 - 2:05pm | author: sanhitanag |

The more I learn about online threats, the scarier it gets. And I’m not saying that as a Symantec employee looking to peddle more software (really!) - I’m saying it as a longtime online banking user who has learned a lot in my first two months at Symantec. Currently, there is a huge gap between criminals’ expertise and ingenuity and the readiness of consumers and online businesses alike to protect online transactions and the login process.

As a consumer, it’s important to understand that you will ultimately need to take responsibility for your own security, in addition to any efforts your financial institution or online retailer might be taking - they can’t protect you from motivated criminals who have compromised your computer. This means you must work to educate yourself, find your comfort zone in balancing convenience and risk, and purchase and apply the appropriate security measures to suit your needs. So how do you start?

Educate yourself. There is a lot out there if you look, but I will name a few. Symantec’s Security Response Weblog is an excellent resource for both beginners and experts, as the blogs describe a variety of techniques online criminals use to deceive people into divulging their confidential information. If nothing else, you may be amazed at the level to which criminals will go to obtain your personal information. Brian Krebs of the Washington Post writes the Security Fix blog, which I’ve only just learned about, but seems extensive, easy to read, and a perfect fit for those interested in learning more. I’ve also mentioned Symantec’s TransactSafely site and the National Cyber Security Alliance’s Stay Safe Online site in a previous blog.

Next, evaluate your security protection. Think specifically about protecting your ability to bank and shop online safely, as this is the sweet spot for online criminals. Here’s a checklist of features and functionality to consider:

* Firewall, antivirus, and antispyware software - many of you already have this through an Internet Security suite or a collection of individual products. If you don’t, get it! This software requires updates for protection to be effective - check your update settings and make sure updates are set to occur automatically at least every week (daily would be better).
* Combined protection against emerging threats - online criminals don’t distinguish between stealing your passwords through a phishing site, keystroke logging program, or any other method and neither should you. Make sure the software indicates that both the Web site and your computer are safe.
* "Zero-hour" heuristic or behavioral detection of "unknown" threats - this is critical! Basically this means the software needs to be able to "sniff out" and protect against suspicious Web sites and software, even if it’s never encountered the threat before. This is because these new types of threats come and go so quickly that by the time the software is updated to protect against a specific threat, it may be too late.
* Low false positive rate - heuristic detection is an imperfect science. Look for software that provides accuracy and transparency while minimizing unnecessary interruption of your online experience - otherwise you will end up disabling or ignoring protection warnings if it becomes too annoying or is wrong too frequently.
* Increased protection when providing or viewing confidential information - the software should automatically scan and protect without requiring your intervention when you are entering passwords, account numbers or viewing sensitive data.
* Password security - the software should store and encrypt your passwords, less for convenience (although this is nice), but more because if the software knows your passwords, it should also prevent you from unintentionally providing one to an unauthorized Web site.
* Integrated protection - the whole security suite can be greater than the sum of each component if the software provider integrates technologies across security layers. Read Laura Garcia-Manrique’s Suite Security blog for more on this.
* Use your head - it’s not just software you need… be wary of any requests for your personal information that are not controlled by you. If you can, type in the main Web site URL and log in there rather than clicking on a link sent to you.
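
To make the password security item in the checklist concrete, here is a small sketch of how software that knows your passwords can refuse to hand one to the wrong Web site. It is an example added for illustration, not code from Symantec or any product named in this post; the `Vault` class, the site names and the sample password are all constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased, without any "user@" prefix or port
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host.rstrip("."), port)


class Vault:
    """Hypothetical store that ties each password to the site it was saved on."""

    def __init__(self):
        self._entries = {}

    def save(self, url, username, password):
        site = origin(url)
        if site is None or site[0] != "https":
            raise ValueError("passwords are only saved for https sites")
        self._entries[site] = (username, password)

    def release(self, page_url):
        """Return (username, password) only on an exact site match, else None."""
        return self._entries.get(origin(page_url))


def demo():
    """Constructed sample: one saved login, then pages asking for a password."""
    vault = Vault()
    vault.save("https://www.bank.example/login", "alice", "sample-password")
    pages = [
        "https://www.bank.example/account?view=1",   # same site
        "HTTPS://WWW.BANK.EXAMPLE:443/login",        # same site, spelled differently
        "http://www.bank.example/login",             # not encrypted
        "https://www.bank.examp1e/login",            # look-alike name
        "https://www.bank.example.evil.test/login",  # real name used as a prefix
        "https://www.bank.example@evil.test/login",  # real name before an "@"
    ]
    return {page: vault.release(page) is not None for page in pages}


if __name__ == "__main__":
    for page, filled in demo().items():
        print("fill  " if filled else "refuse", page)
```

Only the first two pages get the password; the other four are refused because the site in the address does not exactly match the one the password was saved for.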


