Buy online with confidence

I’ve made a lot of online purchases, and I often buy online to take advantage of better selection and prices. For example, I recently ordered a larger drive for my desktop PC. Newegg and Tiger Direct both had a good product at a good price, and shipping was reasonable considering the cost of gas and my time to go to the store.

I’ve only had two bad online experiences, and I got my money back both times. Yet I continue to hear horror stories from others. So I thought I’d share my approach.

First and foremost, there is nothing magic about shopping online. The major difference when you walk into a shop is that you have a good idea where the business is located. However, disreputable bricks-and-mortar stores (along with phone and mail order outfits) ripped off consumers for years before the Internet was invented.

So how can we shop online with confidence?

1) Consider ordering from businesses you know.  Saving a few dollars on an unknown vendor may not be worth it.

2) If you’re looking for something and don’t know where to find it, consider using eBay or Amazon. Carefully check feedback on the vendor before buying.

3) Always pay by credit card. From time to time you may run across vendors who request payment by other means. They might want you to wire money using Western Union or a similar service. The problem is that once you’ve sent your money, there is little you can do about it. Real online merchants accept credit cards or use a service like PayPal that accepts credit cards on their behalf. Period.

4) Understand any rules that apply to disputes.  For example, if you make a purchase on eBay and pay using PayPal you must open a dispute within 45 days.  Be wary of anyone who may be trying to string you along with a series of excuses, delays and apologies.

5) Next to how they treat other customers, the best predictor of how a business will treat you after getting your money is how they treat you before. When shopping online we often have our choice of products and resellers. When I’m trying to decide, I’ll often email a few vendors to ask their advice or for product information. The timeliness and quality of their response speaks volumes about them.

Have other words of wisdom to share?  Please comment!

Tabnabbing

Aza Raskin has an interesting article on his blog about tabnabbing. In summary, an attacker can use JavaScript that sits quietly on a page waiting until it is no longer in the foreground (for example, when you have switched to another tab in your browser), and then switches the page to a legitimate-looking phishing page. For example, you could be reading a blog, switch to another tab to do something else, and then click on a tab that looks like it is a Gmail login, when it is in fact a phishing page.

This is yet another example of why passwords are a really bad idea.  However, from a practical perspective, the best thing you can do is to ensure that you have opened a tab yourself before logging in.  If you click to a tab and find yourself at a login screen, close the tab, open a new one, and navigate to the site you want.
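One way to surface the signal tabnabbing relies on, as an added illustration that is not part of the original post or Raskin's article: a user-script-style monitor that snapshots a tab's URL, title and favicon when it goes to the background and reports which of them changed by the time it is shown again. It assumes the Page Visibility API (`visibilitychange`, `document.visibilityState`); because it runs inside the page, a hostile page can simply omit it, so it demonstrates the detection idea rather than replacing the "open the tab yourself" habit.

```javascript
// Capture the identity a user would rely on to recognise a tab.
// `doc` is the document object (or a minimal stand-in for testing).
function snapshot(doc) {
  const icon = doc.querySelector ? doc.querySelector('link[rel~="icon"]') : null;
  return {
    url: doc.location ? doc.location.href : "",
    title: doc.title || "",
    favicon: icon && icon.href ? icon.href : "",
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken when
// it became visible again; return the names of the fields that changed.
// A legitimate blog that quietly became a "Gmail login" shows up here.
function changedWhileHidden(before, after) {
  return ["url", "title", "favicon"].filter((k) => before[k] !== after[k]);
}

// Wire the comparison to the Page Visibility API. Only the hidden -> visible
// transition is checked, which is exactly the window tabnabbing uses.
function installMonitor(doc, report) {
  let hiddenSnapshot = null;
  doc.addEventListener("visibilitychange", () => {
    if (doc.visibilityState === "hidden") {
      hiddenSnapshot = snapshot(doc);
    } else if (hiddenSnapshot) {
      const diff = changedWhileHidden(hiddenSnapshot, snapshot(doc));
      if (diff.length) report("This tab changed while hidden: " + diff.join(", "));
      hiddenSnapshot = null;
    }
  });
}

// Install only when running in a real browser (not under Node).
if (typeof document !== "undefined") {
  installMonitor(document, (msg) => console.warn(msg));
}
```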

Thanks to Thorin for the link!

Garage break-in technique exposed

As a security professional, I sometimes struggle with how much information to divulge about security vulnerabilities.  However, by the time it makes YouTube and links circulate in email, my general thought is that criminals already know about it and the benefits of informing the public outweigh the risk.

As you can see in this YouTube video, it is possible to open many residential garage doors using only a simple wedge and a wire hook.  What was intended as a safety feature to allow the door to be opened without power creates a security vulnerability.  Using a plastic cable tie might be the best way to address this, provided that you have a way to cut the cable tie if you need to open the door during a power failure.

The new SPOT

It’s always nice to see a good product get even better.  I reviewed the original SPOT Satellite GPS Messenger back in 2008 and was thrilled. It would have been perfect for my trip to Death Valley the previous year, on family camping trips, and anywhere else there might not be mobile phone coverage.  So I bought one and it has seen a lot of travel over the past two years. It’s reassuring to know that I can contact help from almost anywhere, and with the addition of their very reasonably priced US $30 per year roadside assistance package, my “help” button will no longer require my friends and family to look at a map and figure out what I might need.

For those not familiar with the original SPOT, it has four buttons.  Power, OK, 911, and HELP.  OK sends a predefined check-in message, along with the user’s current location, to a programmed list of email addresses or mobile phone numbers.  HELP either sends a different predefined message or contacts roadside assistance if you’ve purchased that option.  911 sends your current location and a distress message to their International Emergency Rescue Coordination Center, as it did in this case.

According to the manufacturer, “The new SPOT Satellite GPS Messenger is 30% smaller and lighter than the original SPOT Satellite Personal Tracker, offers additional custom messaging modes, and uses a state-of-the-art GPS chipset and satellite communications to provide enhanced reliability and performance.” While I never considered the first model particularly large, SPOT 2, as many are calling it, is smaller in all dimensions and felt just a bit larger than a deck of cards in my hand.


Other noteworthy changes are covers over the emergency button (now labelled SOS instead of 911) and the HELP button.  Two other buttons, one to transmit an additional customized message, and one to activate the optional $50/year tracking option have also been added.

I had the opportunity to test-drive the new SPOT for a few weeks, and like with the previous model, I’m impressed. We didn’t have snow, so I couldn’t toss it in a snow bank like I did while testing the original model, but it’s obviously just as tough, and even easier to carry. And it works.

“Since its introduction, SPOT has helped in more than 450 rescues and sent millions of check-in and tracking messages around the world, making it an ideal personal safety device” said Jim Mandala, General Manager, Globalstar Canada. “Active outdoor enthusiasts such as hikers, back country skiers, snowmobilers, campers, pilots, fishermen, hunters and remote workers will appreciate the smaller compact size which makes it ideal for portable use. The improved ease-of-use will appeal to the family on-the-go or anyone who travels in remote areas or spends time outside cellular coverage.”

H1N1: A case study in poor risk decisions

In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives.

Sometimes a high risk position results because we don’t correctly assess asset values, threats or vulnerabilities. Sometimes the cost of implementing a safeguard exceeds the expected loss, and the decision to accept risk is a logical one. And sometimes we simply make mistakes.

But there are other reasons that we Canadians are often too polite to point out: Laziness, denial, rationalization and risk decisions based upon emotion rather than logic.  The H1N1 ‘flu gives us plenty of examples.

We’re in the midst of an influenza pandemic.  Fortunately we know how to create ‘flu vaccines — we do it every year to combat the seasonal flu. So we have a vaccine, and every credible organization from the World Health Organization down to our local medical officers are recommending that we vaccinate ourselves and our families.

The risk is clear: pH1N1 is a nasty virus that, at best, will make you sick for a week or two. At worst, it could kill you. The threat is real, and much of the resulting risk can be mitigated by a simple vaccination. The Public Health Agency of Canada advises that, “without interventions like a vaccine and antivirals, close to 25 to 35 percent of the population could become ill over the period of a few months.” Other health organizations have released similar estimates. The vaccine has been tested in Canada as well as other countries, and we know that approximately 1 in 100,000 people will have a serious reaction to it, as with any other vaccine. (Source: http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php)

From a risk management perspective it doesn’t get much simpler than this. The benefits of the vaccine clearly outweigh the risks, and the cost (a few hours of our time at most) is minimal compared to the potential loss. And that doesn’t take ethics and social responsibility into account. Those who choose not to be vaccinated not only may become ill, but could also pass H1N1 on to more vulnerable family, friends and colleagues — including those who can’t be vaccinated due to allergies.

Nevertheless, we continue to see people announce on the Internet that they’re not getting vaccinated. Some quote “facts” that are uninformed myths at best. Some focus on the 1 in 100,000 serious reaction rate and completely lose perspective. Others ignore a century or so of medical science and proclaim that they don’t need a vaccination because they are “healthy and take their herbs and vitamins.”

Chances are that you’ve already seen the writings of otherwise intelligent parents who are incapable of making good risk management decisions. Their blog posts usually start with how much they love their kids. Then they latch on to the one quack who charges people $50 each to attend a seminar to learn “the truth” and rationalize that “the medical community don’t all agree”. They focus on the danger of mercury in vaccines, even though the exposure is less than you’d get from eating a can of tuna. Or they repeat silly claims like suggesting that the vaccine is “untested”.

Some of these people obviously have other agendas.  It’s clear from their writing that they’re simply anti-vaccination shills. They write clever “balanced” articles pitting fact against laughable fiction and seek to “support” others who share their defective logic.

Some see themselves as rebels, not “giving in” to the experts who tell them they should be vaccinated. The old phrase, “Rebels without a clue” comes to mind.

In others, the barrage of H1N1 information creates neurotic behaviour and they operate on a completely emotional level. They “agonize” (often at length and in writing) about how “difficult” the decision was. They lose all perspective, and should you dare point out the flaws in their reasoning, their feelings are hurt. How dare you suggest that they don’t know what’s best. They behave as if the act of conceiving a child instantly made them more knowledgeable on vaccines than the WHO, CDC, and the medical experts of countless countries, including their own. They have “the right” not to vaccinate themselves and their children, and as emotional people often do, they confuse having a right with it being the right thing to do.
