Rediff.com

Online shopping safety tips

December 31, 2008 18:56 IST

How can you know whether the website you have visited is safe to use or not? How safe is online shopping and banking?

What are the precautions you must take while transferring confidential data or money online? How should you protect your computer from being hacked?

Can scamsters cheat you using short messaging services on your mobile phone? How safe is shopping via mobile phones?

Is it true that you should login to Web sites only when their addresses start with https:// rather than http://?

Which are the companies that provide safe payment gateways?

Shekhar Kirani, Vice President, VeriSign India, answered these and many other queries related to online shopping and banking during a chat with Get Ahead readers on December 31.

For those of you who missed the chat, here's the unedited transcript:


praveen asked, how to shop online safely

TEST answers, Hello Praveen: There are three things you have to consider (high-level): 1) Accessing the website from a computer that you know for sure is not "hacked" 2) The website you are going you are sure that it is the intended site (not a duplicate website) 3) The browser shows either a green browser bar or secure lock at the bottom of the website so that transactions are secure. This is at the high-level.


rena asked, Do indian websites have the security measures needed to protect our online transactions?

TEST answers, Security thefts happen in multiple places, from the machines you access, some one stealing information by being in the middle between your browser and online website, or from online websites themselves. Most of the Indian websites have enough security measures to protect online transactions, but, most of the issues are currently with users who don't know what is right/wrong when doing online transactions.


ram asked, I am a software engineer, I just wanted to know still what are the measures need to be taken in the websites? major concerns of the online shoppers?

VeriSign answers, Ram: Very good question. As a website developer, if your website has any information about each of its customers that you need to protect from others OR an online e-commerce website, here are some simple/high-level things you need to consider: 1) You need to make sure that your servers/website is protected with appropriate firewall and other network based security elements. 2) You need to use an EV or SSL certificate at the place wherever confidential information is received from your user browsers to your webserver. This ensures that your website has a secure link from browser to your server 3) Provide appropriate information to consumers so that they know how to separate your site from a fictitious (phished) website 4) Provide your service as you "advertise"...


priti asked, what do i do if i doubt a site or if it asks me to reveal information that i think are not needed for the transactions

VeriSign answers, If you are in doubt, do not provide information. This is the site that may be fictitious or website may not have been developed with all the right policy/process. You need to be 100% confident that the online use is safe and secure. Today, most of the online thefts are happening by fooling the users.


Piku asked, What are the latest security solutions available in the market

VeriSign answers, It is a vast subject. In general, end-to-end security is key. As most of the world is going online, it is becoming important regarding how to protect consumers (their computers), how to protect transactions, website/online infrastructure security and also overall risk management within an enterprise.


lucy asked, Hi .... A new trend of shopping via mobile phone has emerged very recently .... is there a security threat involved there as well?


ram asked, hi, i wanted to know where the security threats are there so that we can improve on it?

VeriSign answers, A lot of issues are being reported on three fronts: a) Identity thefts, where consumer identity (login/passwords) are stolen, b) Consumer awareness, where, they have visited wrong websites and given information (phishing...). c) For more successful websites, DDOS attacks.


Varun asked, Is that true that we should login to websites only when its address starts with https:// rather than http://

VeriSign answers, This is 100% correct. The web site must have https:// instead of http://. Secondly, the lock button at the bottom of the browser needs to be there. Finally, check the web site URL to make sure that is the right website.


bhamini asked, What is the assurance/guarantee you provide as a online security provider to an online shopper?

VeriSign answers, Online security is provided by the online website provider. We enable them to have a world-class security, but, the website has to use it appropriately. In recent days, the issues are more on consumers not knowing what is right/wrong more than the website itself.


Varun asked, Which are the other companies who provide safe payment gateways...

VeriSign answers, There are several companies in India that provide safe payment gateways. The big ones are ICICI, HDFC, but, several small players are also present.


John asked, How can I be sure that the site is secure? Will the green bar, you spoke about, appear in any browser?

VeriSign answers, The latest in web/online security is what is called as "Green Bar" or EV-SSL security. In this, you need to have one of the latest browsers (e.g. IE7). Secondly, websites need to have EV-SSL certificate. Once these two things are in place, consumers see green address bar that is virtually impossible for any one to spoof and provides a very easy/visible way for consumers to identify what is a "secure" website v/s unsecure "website". If you have IE7, just go to http://jpip.verisignlabs.com as a test.


Raj asked, How to find if my machine is hacked?

VeriSign answers, Very interesting/valid question. Yes, that is the big problem. You know your machine is hacked, only when you see some activities that is not expected. It is like how do you know your house key has been duplicated? Only when you see burglary. That is the reason, you should put all effort to ensure your machine has the latest software/patches, with all the virus protection. Secondly, be cautious in what you install on the machine. When not in use, take the machine out of network. Ensure your machine is used by only trusted folks. And finally, if you see some activity on the machine, but, you are not doing anything, is a good indication of something to investigate.


Varun asked, Is the pvr site is verisign secured?? cuz once when i entered all the information and hit enter...it shows network 404 error...is it safe....also when i entered all things again...it said duplicate merchant id...wat is this?

VeriSign answers, The issue you are indicating here is more of a website issue rather than a security issue. Maybe the PVR site was going under maintenance when you were trying to use it.


Mahender asked, how can we know whether the website is safe to use or not?

VeriSign answers, You should make sure you know who is behind the website (trusted folks or a company). Secondly, they have used at least minimum security in establishing the website and provide an SSL-based security. You know they have SSL-based security, when the website address changes to https:// and you see a lock sign at the bottom of the browser


sd1 asked, how do i know if a site is safe before i start shopping

VeriSign answers, Verify that you are at the right website first (https://webaddress). Ensure by reading the URL. Secondly, understand whether the website is created and managed by a trusted company/folks. If you don't know the information about these things, I recommend being very cautious.


abc asked, Hi!!! I wanna shop 4 jewellery online but sometimes they put Rs 1 as auction then shipping cost more than the actual price. Pls advise!!!!

VeriSign answers, Probably, the product is less than the shipping cost. I will be cautious giving my credit card information to such websites...


Sudhanshu asked, I want to understand the role VeriSign plays between online portal and me the buyer .

VeriSign answers, VeriSign among many others, protects the transactions that happen between your browser and online portal. If online portals use VeriSign's SSL or EV-SSL certificates, they ensure that all the information between your browser and website is encrypted so that no one in the middle can understand the contents. If you see a browser address bar becoming green OR browser address changes to https:// with a lock in the bottom, you know that all the transactions are secured in transit. However, this doesn't mean that your machine is secure or website infrastructure is secure.


priti asked, is the green browser bar or secure lock a fool-proof indication of a secure transaction?

VeriSign answers, Green bar indicates that you are entering a "secure" website that encrypts all the content between your browser and website. The lock-sign is the same. However, this doesn't mean that entire online experience is secure. Because, thefts happen by compromising your machine itself or website infrastructure being hacked.


rajeev asked, Is it safe online shoping and banking

VeriSign answers, yes, it is safe to do online shopping and banking as long as you are aware of the basics of what is right and wrong. In the case of banking, I highly recommend you access from a computer that you know is secure (not hacked).


RahulKumar asked, What's the chance of hacking if the web browsing is done on SSL connection. Again if I send the data in encrypted form using some public key then what's the chance it won't be hacked/decrypted by its corresponding private key provided the latter key might be stolen or developed by a comp wizard. Again if the secured data is hacked midway then is there any way to pinpoint this.

VeriSign answers, SSL technology has been out for more than 10 years now. With increased encryption bits, it is almost impossible for breaking the security. In general security thefts happen at the weakest link. Today, the weak link is not SSL security. It is consumer's identity stealing (identity thefts) or creating a duplicate website (phishing) and getting users to login to duplicate websites. In India, we are working with all the key major banks/online portals to educate and help in this area.


swats asked, Is it safe to provide passwords on bank websites, how do banks ensure that the bank employees don't have that information

VeriSign answers, You should never/ever give your passwords to any one else on the phone. Only place is where you enter the password at a website that you know for sure is a bank website and has https:// in the browser bar (or green address bar). In recent years, due to a lot of identity thefts, VeriSign has launched a new product in India called VIP (VeriSign Identity Protection) that provides a way for consumers to enter a 2nd password. We are in the process of discussing with all the banks and you should see this technology being deployed in India in 2009.


Varun asked, Some websites require security certificates, but if we continue...it shows the site but the url background becomes pink. why it says that website does not have security certificate?

VeriSign answers, Can you give an example. Are you talking about websites that require client certificates?


fsdfd asked, this might also be possible that the fake web service provider uses some SSL algorithm & cons the user in the name of original one ?????

VeriSign answers, Yes. It is the responsibility of the user to see whether he is using the right web site or the wrong website. It is like you going to a physical store and buying. If you enter a duplicate physical store (that looks and feels like the original store), no one can help. Consumers need to see the URL to make sure the website has the right address and has https:// in login or pages where you provide confidential information.


RJ asked, Yahoo has a sign in seal while we log in. How good a security measure is that?

VeriSign answers, Yes, Yahoo's sign-in seal (checkmark seal) indicates that they are using the SSL certificate to protect their login-page. This is more of an indication to consumers that they have taken appropriate security measures.


lucy asked, So if I get an SMS from an anonymous number.... which discloses a lucrative offer on an item .. should I or should I not go for it...

VeriSign answers, You know the answer...


OK asked, Nowadays all websites have mechanisms of number of remembering questions and images so that forms are not auto filled. It might be good security measure but from user perspective it is quite irritating? How do u see that improving?

VeriSign answers, The reason many websites are doing this is because they don't know who is using the website, other than login name/password. What happens if your login name/password is stolen and you don't know about it. To avoid such cases, some websites ask for additional information that only you know, but not the person who has stolen the information. VeriSign has launched a new product called VIP (VeriSign Identity Protection) that simplifies all of it by giving users to generate a 2nd password that they enter on the website. This 2nd password is not guessable and in this case websites don't need all the additional questions/answer or images... It simplifies consumer experience and also increases security. You should see this technology being rolled out in India in 2009, initially with online banks.


Varun asked, What purpose does it solve? when a site ask us to type any given number in some blurred image...how does it work

VeriSign answers, This is being done to make sure only "human" person is logging but not a machine. They blur the image so that computers cannot analyze the image and login automatically. Websites don't know whether humans are logging or computer programs written is logging and they want to make sure only humans are logging.


Raj asked, Which one to rely on...Browser based anti-phishing feature or the ones that comes with my Anti-virus software?

VeriSign answers, Both are important and critical


cheena asked, How can I verify the certificate of a website? Is it easy to obtain a certificate for a fake URL ... Say https://www.baank.com instead of https://www.bank.com. In that case how I can be sure I am contacting correct site?

VeriSign answers, Very good question. You need to look at the browser URL. If it is baank.com you know it is a fake website. In 2009, with latest browsers, you will start seeing the real bank websites (www.bank.com eg) will have green bars in the browser. It is called EV-SSL and once it is deployed it makes consumers to recognize a secure website a lot easier.


Kunal asked, Many people think that Netbanking at Office premises (IT companies) is safer than Home network or cyber cafes? What's your opinion.

VeriSign answers, In general it is correct. Most of the IT companies protect the machines much better than home computers or cyber cafes. It is very important that you access from a computer that you know for sure it is not hacked. It is very easy for some one to install a key-logger on a shared computer (e.g. cafe machine) and collect what ever you type (login name/passwords etc.) and once you leave the machine steal your identity.


mandar asked, On-line shopping is still in nascent stage in india. Many people consider on-line shopping risky.How do you restore faith in people

VeriSign answers, It takes time. Currently, most of the online shopping is being done by computer savvy folks. As computers get deployed and people are aware of right/wrong, more online transactions will happen in India.


Vinay asked, Is it safe to share CVV number during online shopping??

VeriSign answers, CVV is very critical to protect your credit card. You need to make sure that the website you are giving CVV is a safe website and secondly, they have process/policies not to store any where the CVV number. In general, online shopping need to be done at a reputed website where you trust the website and the people behind it.


GG asked, WHAT IS THE SIGNIFICANCE OF DIGITAL SIGNATURE FOR SECURED LOGIN BE IT IN BANKS OR PAYMENT GATEWAY AND WHY SO FAR IT IS NOT BEING USED IN INDIA?

VeriSign answers, Digital signature is more for using electronic signature (instead of manual signature). It is being used step-by-step, initially on many of the e-governance projects. Consumers will get to see more of digital signatures as technology becomes easy to understand and consumers understand more about it.


hello asked, Can you tell me a product, on installing I should not worry about security...I know its not good practice to ask users to verify security of a site.

VeriSign answers, You should always worry about security. If you don't know the source of the product, you should never install it. If you install any thing on your machine, you should know that it is secure, safe, and has not been tampered by some one else.


hello asked, Why certificates have a validity period? Is it just to generate more money for security companies?

VeriSign answers, There are several reasons, and most important is every time a certificate is issued the enterprise is validated against the policy/process and guidelines of usage.


Nilesh asked, Yesterday, researchers in Germany showed that all major CAs are using old hashing techniques md5 which can result in duplicate certificate generation. So what are your countermeasures to such kind of attack? How are you upgrading hashing algorithms?

VeriSign answers, In general, things that considered very secure for several years, if issues are found, companies such as ours jump on it, work closely with the researchers and find a solution and deploy.


sd1 asked, What is identity theft?

VeriSign answers, Identity theft means some one steals your login name, password and logs in as you, but, you may not know. Think of some one logs into your email account or online bank account and start interacting as if it is you, but, you don't know about it. Even if you know, some times, it is too late to take action.


Varun asked, i cant give u example...but its my company website and when i open outlook at my home with some URL it shows that this site does not have security certificate

VeriSign answers, In general, not all websites need SSL certificates. Those websites that have login page or they take confidential information from consumers or display confidential information, they need SSL certificates.


hello asked, will our banks ever enhance to smart card based security rather than the weak password based systems?

VeriSign answers, All the banks across the globe are looking into protecting consumer identity (login name/password) using 2nd factor passwords or additional client digital certificates. You will see some of this technology being deployed in India next year.


truth asked, If user has to verify the URL what is the need of certificate? Just public key would be sufficient ...right?

VeriSign answers, The SSL certificate ensures that the content b/w browser and website is encrypted and secure. Without an SSL certificate all the content is going in plain text and some one at the ISP or other intermediate servers can see the content...


Dilip asked, hello my question is ... no. 1. how uses credit card pls. give me (full definition) 2. how uses netbanking : money transactions & net shopping related shipping products

VeriSign answers, You should always use credit card if you know for 100% that you are at a legitimate website, that is safe/protected (https:// with a secure lock or green bar) and secondly you trust the website provider. Also, never login or give credit card information from a computer unless you are sure that it is not hacked or compromised.


Rahul Rakesh asked, Recently there was news all around that SBI website being Hacked. How come when majority of national, pvt banks when are tied up with some or the other security solutions provider, hackers do get their hands on the banks' security systems and hack their websites?

VeriSign answers, It is important to understand how end-to-end security works. Security thefts happen in general by finding a weakest link in the overall digital security. I don't know the details about this specific question regarding what happened.


Anilkrishnananda asked, i keep getting mail from Axis Bank saying your number of attempts for the day is over, you online account is blocked to activate please click the below link. i though have a account in Axis bank i never tried online login is this a prank from some hackers??

VeriSign answers, It is very much possible. It may be a fictitious email sent from some one else other than Axis bank. You should never click on the link unless you know for sure that the email came from Axis bank and once you click make sure the website address in the browser bar is also from axis bank.


Ravi asked, Some of the Air Line Travel Agents ask for Credit Card Number/Expiry Date/CVV. How safe is to part with them?

VeriSign answers, It all depends on the travel agent and trust you have with them in using your information.


truth1 asked, If I give a credit card number to a site how can I be sure its protected properly at their place? Even my bank employee can sell my password, qna abroad and escape from this country. How are we protected in this case?

VeriSign answers, Very good question. Most of the banks and online enterprises have very strict security policies, where, they don't store your information anywhere, and ensure that only authorized folks can access your information.


truth1 asked, Can the international laws protect online identities? Could you elaborate on cyber laws in this regard?

VeriSign answers, It is very complex. Think of a situation, where, a website is hosted in countryA, but owned by a company in countryB, and used by a citizen in countryC, and identity/money stolen by a person in CountryD. This is very complex and makes it hard to prosecute due to this issue being global.


truth1 asked, Are we spending much more on the security than possible theft threat?

VeriSign answers, Very good question. It is called as Risk Analysis. Every bank looks at the risk of security/theft and make appropriate investments to protect. It is always a balance between security protection and potential liability due to thefts.


truth1 asked, Apart from certificates what products Verisign has ?

VeriSign answers, VeriSign provides products related to end-to-end security as well as core internet infrastructure for domain names. Please check http://www.verisign.com


Varun asked, When we give our credit cards to retail outlets or petrol pumps...they take it from us and fills the necessary information to complete the transaction...What if they note down the CVV number. Cant we show them our id cards or something like that...so that CVV number do not require...I dont think that CVV number should be written at the back of the card.

VeriSign answers, Very good question. The expectation of you is that you are always with the card and you are making sure that no one else is writing the CVV number. If credit card leaves your sight, you need to have a high-degree of trust in the place, where, you know for sure they are not misusing the credit card.


Kunal asked, When u signup, many of the networking site take contact information from mail Id & send friends request to all of them. Is it possible for these sites to take any other info from my mail Ids.

VeriSign answers, As long as you don't give them your password, there is no way for them to take any information.


Nilesh asked, Is it possible to do an MITM (Man-In-The-Middle attack) on SSL? What algos Verisign uses in its certificates?

VeriSign answers, It is almost impossible to do man-in-the middle attack on SSL, as the data is encrypted using a reasonably high number of bits and computationally impossible for any one to break.


rohit asked, Hi, Where can we post/publicise web site names which are fake so that others will be aware of that? Is there any central body for that?

VeriSign answers, The closest is Cert-In (www.cert-in.org.in/) that updates all the security thefts in India. Please check this out.


Vikash asked, you said that we should login to websites only when its address starts with https:// rather than http://, but right now i can see only http:// in rediff site itself, is rediff site unsafe?

VeriSign answers, When you click on login page, you see that browser address change to https://


Nilesh asked, Is Verisign a root CA or an intermediary CA?

VeriSign answers, VeriSign has a root certificate embedded in every major browser.


VeriSign says, Thank you for all your wonderful questions.



Shekhar Kirani, Vice President, VeriSign India.