
Internet safety and online commerce

Internet safety is not just for children, but for everyone. Here is some simple advice for a safe internet experience. Most of this advice is not about configuring your software correctly but about making sensible choices.

The vast majority of information here is about scams, which many people see as a major turnoff for purchasing goods and conducting business online. Is it safe to buy goods online? Yes, as much so as in the physical world.

Would you buy a TV from a dodgy looking businessman operating out of the boot of his car? Hopefully not! Why? Common sense and intuition. The internet is exactly the same, except we often ignore our common sense. Scams on the Internet are a fact of life and unlikely to go away anytime soon. Most scams either rely on impersonation or making an offer too good to be true. Just like in real life, if it sounds too good to be true, it probably is.

Always remember:


Always type the address yourself

The world wide web is a great source of information and also misinformation. A person can easily whip up a professional looking website pretending to be a well known firm, catching unsuspecting visitors off guard as they enter confidential details which the scammer then uses against them. During 2003 there were frequent scam websites imitating banks, commerce sites, auction sites, email providers and more. More importantly, New Zealand banks and firms are being targeted. It's not just Australia and the United States that are affected.

These scams work by sending you an email or presenting you with a link or a button on a webpage that claims to go to your bank, auction site, etc... when in fact it will take you to the scammer's own site, designed to look exactly like the original.

In particular, scammers often send 'information update' emails which are designed to trick you into telling them all your details, such as your credit card number, by requesting that you 'reconfirm' your details using the link provided. Email is by its very nature insecure: there is no easy way to stop someone pretending to be someone else (1). Thus while the sender may look like person@amazon.com or person@somebank.co.nz, chances are it's not. Often the email cites a possible security breach, a loss of customer records, or the need to delete inactive customers. Do not be fooled. Email is also passed through many computers on the internet until it reaches its destination, and this is done without any encryption, leaving your email open to be read by any of those computers. Hence never trust sensitive information to email.

  1. If you do believe the email is genuine, then play it safe by visiting the website by whatever means you normally would - such as typing the address out or clicking on a bookmark (2). This way you ensure that the link won't redirect you to some mock up of the real thing.
  2. If you are asked to submit your personal or financial details before entering your username and password, chances are it's a scam.
  3. Look at the URL (the website address) for signs of trouble. If it has a @ or : character in it, chances are it's a scam. If it has lots of %'s near the start of the address, chances are it's a scam. These are used by scammers to hide the real website, e.g. http://ebay.com@www.somefakesite.com/scam.html. The actual website doesn't start until after the @ symbol. You aren't really visiting ebay.com, but www.somefakesite.com. This is why the first point is very important - always visit the website by typing the address out yourself.
  4. Scam the scammer: Enter a fake username and fake password. If the website accepts it, chances are it's a scam. Some scam sites trick you into believing it's safe by asking you to login first. They don't know what your password is, they just assume whatever you entered is correct, and then keep that information for themselves.

    Unfortunately, the smarter scammer can actually relay your password to the real website to check. Once again, this is why the first point is very important - always visit the website by typing the address out yourself.
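The address checks in point 3 can be made mechanical. The following is an added example, not code from the original page; it uses Python's standard urllib.parse to show which host a link such as http://ebay.com@www.somefakesite.com/scam.html really connects to, and to flag the @, : and % warning signs the text describes. The sample links are constructed for the demonstration and do not point at real pages.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links of the kinds the text describes (not real pages).
SAMPLE_LINKS = [
    "http://www.ebay.com/signin",
    "http://ebay.com@www.somefakesite.com/scam.html",
    "http://www.ebay.com:account@www.somefakesite.com/scam.html",
    "http://%77%77%77%2E%73%6F%6D%65%66%61%6B%65%73%69%74%65%2E%63%6F%6D/scam.html",
]


def real_host(url):
    """Return the host a browser would actually connect to for ``url``.

    Everything before an '@' in the authority part is username/password
    information, not the host, so 'ebay.com@www.somefakesite.com' connects
    to www.somefakesite.com.  Percent-encoded characters are decoded so a
    disguised name reads plainly.
    """
    host = urlsplit(url).hostname or ""
    return unquote(host).lower()


def warning_signs(url):
    """List the warning signs from the text that appear in the address part of ``url``."""
    authority = urlsplit(url).netloc  # the part between 'http://' and the next '/'
    signs = []
    if "@" in authority:
        signs.append("'@' in the address: the browser ignores everything before it")
    if ":" in authority:
        signs.append("':' in the address: a password or unusual port is being supplied")
    if "%" in authority:
        signs.append("'%' in the address: the real site name is percent-encoded")
    return signs


def goes_where_it_claims(url, claimed_host):
    """True only if the link really connects to the site it appears to name."""
    return real_host(url) == claimed_host.lower()


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        print("  really connects to:", real_host(link))
        for sign in warning_signs(link):
            print("  warning:", sign)
```

Run it and the second, third and fourth sample links all resolve to www.somefakesite.com, even though each begins with something that looks like ebay.com. That is the whole trick, and it is why typing the address yourself sidesteps it.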

Only give out your personal details when absolutely needed

Just as you should never give out your credit card number or street address to a complete stranger, you should never give personal details to a website or a person via email unless you absolutely need to. Even then, try to avoid email. Giving a website your details can lead to your information being used by someone totally unrelated, either when the business gets bought out by another firm, or when the website is hacked and the customer database is compromised.

Registration Forms and Password Recovery

These days lots of websites have registration forms so people can access more content, customise the content to suit their tastes, or, like Hotmail and Yahoo!, get access to free email. Unfortunately each site requires a password, and the task of remembering different passwords for different sites can be tedious, so many people forget. Most websites that let you register also have a 'forgot your password?' link which you can use to bypass the password by using other personal details given at registration. This system can be easily exploited by even those with minimal information about you. Often all that is needed is your birthday and some easily guessed question, such as your pet's name. It wouldn't take more than a few minutes of friendly chatting with someone over email or instant messaging to get this information. Some advice:

  • If the website allows it, disable password recovery.
  • Never use your real birthdate unless you absolutely must. This is the easiest way to prevent others from using the password recovery system against you. Perhaps use your pet's birthday or a famous celebrity's birthday.
  • Remember to never place your real birthdate on any publicly viewable profile, such as on ICQ, MSN Messenger, and message boards.
  • When creating the 'what is your pet's name?' / 'what is your mother's maiden name?' questions use incorrect answers.
  • Only provide your real address if absolutely necessary, for example for billing information. Do not post it on publicly available profiles such as ICQ, MSN etc. If you must, consider using a P.O. Box.

Purchase online with secure websites

All good online businesses and banks use secure websites to ensure that what is sent between you and them is safe from prying eyes. What is a secure website? A website whose address starts with https:// - the s meaning the website uses SSL, a technology designed to encrypt communication between two parties using certificates (it's more complex than this, but we don't need to go into too much detail).

[Screenshot: Yahoo! Mail HTTPS address - Yahoo! Mail users can use https when logging in]

Secure websites display a golden padlock in the web browser's status bar, as shown below. Clicking on the padlock brings up details about who the certificate belongs to, and what level of security is used (128 bit security is the bare minimum today).

[Screenshot: the golden lock as shown in Internet Explorer and in Mozilla]

Below is some more detailed information to ensure that the secure website is (in non-technical terms) using valid, trustworthy certificates. This can get a little complex so you may or may not want to read it. Another good read is Yahoo!'s Consumer Tips guide.

You need to do more than just check that the website starts with https, however. You also need to check that the certificate is trustworthy. A certificate is an electronic document that is similar to a passport. It is issued by some authority, which has ideally done some checks to ensure that the person or website that the certificate claims to be for is indeed valid. What authority does this task? Many. Herein lies a fundamental problem: how do you know if the authority is checking the person's application properly? How can you be sure that this authority isn't a sham company either?

Long story short: Your computer comes with a list of well known authorities and it is these authorities that your web browser will trust when it checks to see who authorised the certificate. Microsoft Windows' Internet Explorer ships with such a list, the same applies for other web browsers.

Back to the main point. Check that the certificate is signed by one of those well known authorities (such organisations include Thawte and VeriSign). Internet Explorer will usually complain if the certificate is invalid, or if the authority that authorised it is not in its list of well known authorities. Click on the golden lock located near the bottom right hand side of the web browser window. This should open up the certificate information window, allowing you to see the certificate details.

[Screenshot: certificate details for Amazon.com, as shown in Internet Explorer and in Mozilla]

Note the Issued To section of each of these windows. It displays clearly the address of the website that the certificate belongs to. This is important because you could be visiting a scammer's website, e.g. www.somefakesite.com, which may have a perfectly valid certificate from a well known authority (because the certificate is for www.somefakesite.com rather than for the real website, the authority will happily issue it).

Also note the Issued By section. It displays who actually created the certificate for this website. This is important because you need to trust this organisation and trust that it took appropriate measures to ensure the certificate is issued to the correct person. Thawte, VeriSign and RSA are all well known authorities. Check the spelling of the names as well.

If you are unsure of the reputation of a certification authority (the organisation in the Issued By field) then do a quick check on them using Google, and in particular Google Groups.
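The three things the text tells you to read off the certificate window - Issued To, Issued By and validity - are exactly what a browser checks automatically. The following added example (not code from the original page) shows those checks written out over certificates in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns. The certificates, the issuer names and the 'trusted authority' list are all constructed stand-ins for the demonstration; a real program would instead let ssl.create_default_context() apply the same checks against the operating system's list of authorities.

```python
import ssl

# Constructed certificates in the dictionary layout returned by
# ssl.SSLSocket.getpeercert().  Issuer names are placeholders, not real
# certification authorities.
GENUINE_CERT = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "subjectAltName": (("DNS", "www.amazon.com"), ("DNS", "amazon.com")),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trusted CA"),)),
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
LOOKALIKE_CERT = {  # a valid certificate, but for the look-alike site
    "subject": ((("commonName", "www.somefakesite.com"),),),
    "subjectAltName": (("DNS", "www.somefakesite.com"),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
SHAM_ISSUER_CERT = {  # the right site name, but 'Issued By' is misspelled
    "subject": ((("commonName", "www.amazon.com"),),),
    "issuer": ((("organizationName", "Exampel Trusted CA"),),),
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}
EXPIRED_CERT = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notAfter": "Jun 30 23:59:59 2003 GMT",
}
# Stand-in for the list of well known authorities shipped with the browser.
TRUSTED_ISSUERS = {"Example Trusted CA", "Example Root CA 2"}
# A fixed 'current time' so the expiry check is reproducible.
FIXED_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2004 GMT")


def _name_field(name_seq, key):
    """Pull one field (e.g. 'organizationName') out of the nested tuples
    that getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name_seq:
        for field, value in rdn:
            if field == key:
                return value
    return None


def cert_hostnames(cert):
    """Every site name the certificate was issued to (the 'Issued To' section)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    common_name = _name_field(cert.get("subject", ()), "commonName")
    if common_name and common_name not in names:
        names.append(common_name)
    return names


def hostname_matches(pattern, host):
    """Case-insensitive match; a '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_certificate(cert, expected_host, trusted_issuers, now):
    """Return the problems a careful reader of the certificate window would spot."""
    problems = []
    names = cert_hostnames(cert)
    if not any(hostname_matches(name, expected_host) for name in names):
        problems.append(f"Issued To {names} does not match {expected_host}")
    issuer = _name_field(cert.get("issuer", ()), "organizationName")
    if issuer not in trusted_issuers:
        problems.append(f"Issued By {issuer!r} is not a well known authority")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    return problems


if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE_CERT), ("look-alike", LOOKALIKE_CERT),
                        ("sham issuer", SHAM_ISSUER_CERT), ("expired", EXPIRED_CERT)]:
        print(label, check_certificate(cert, "www.amazon.com", TRUSTED_ISSUERS, FIXED_NOW))
```

The look-alike case is the one the text warns about: the certificate itself is perfectly valid and signed by a trusted authority, and only the Issued To comparison against the site you meant to visit catches it. The sham issuer case is why the text says to check the spelling of the Issued By name: a set lookup against the browser's list is unforgiving of a single swapped letter.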

Be careful in Internet cafes and public computers

Internet cafes can be a potential security problem as the computers you use were built and maintained by the business. They could put any sort of spying software on the computer and you wouldn't even know it. Yes, your banking website will have the correct address and display its golden padlock, but that won't protect your password if the keyboard itself is being spied on using key logging software on the computer. Hotmail has a checkbox asking if you are using a public computer, in order to help stop the next user from recovering your information.

The general advice here is to not conduct too much sensitive or financial business in an internet cafe. Not every single cafe is out there to steal your credit card, especially in New Zealand, and in fact it is most likely the complete opposite. However when travelling to unknown places you should be careful about what you do on a public computer.

When you have finished using the computer, immediately close the browser window. This clears any data held in the web browser's memory, such as the financial statements or emails you might have been looking at. This is why Hotmail encourages you to close your window when you sign out. Closing the browser also clears any login details for sites you may have visited (unless you explicitly clicked on a 'remember me' checkbox on the login page). In fact, you should do this when you log in to the My Account section of our library catalogue when using one of the OPAC computers in the library.

This advice also applies to other public computers, such as at a friend's house, a local store, or any other place where you can access the internet (including libraries, because while we would in no way spy on you, there could be people behind you watching you type your passwords in).

Keep your passwords secret and hard to guess

Any article on Internet Security would not be complete without the obligatory section on general password advice. Here it is:

  • Never use a common word or phrase - never use the word 'password'. Never use a common word or phrase, reversed. Never use your email as your password.
  • For commerce and banking sites, never ever use the same password as any other website. This is particularly true if, for example, you use the same password on a message board and at a bank. The message board likely has lax security and is easily breached, leaving your banking password incredibly vulnerable.
  • Use numbers and letters at the very least. Ideally you want to use both uppercase and lowercase letters as well as a couple of special characters, e.g. !@#$%^&*.
  • Change your important passwords occasionally. This is hard for everyone to do. Remembering IS a lot of effort. Think about a password scheme where you simply change 1 or 2 characters, e.g. $illyP@ss27 where the 27 changes. Maybe next time make it 28, then 2a, then 2b, ... but at least it's easier to remember than a completely new password.
  • Never write your password down. It's like leaving the keys in your car with a full tank of gas to boot.
  • Never give your password out to anyone. This is especially important if you are over the phone and can't really tell who that supposed tech support person is. Never give your password to a stranger, even if they claim to be tech support.
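The rules in this list can be turned into a simple check. The following is an added example, not code from the original page: one function applies the 'common word', 'reversed', 'not your email' and character-mix rules to a candidate password, and a second finds passwords shared between sites, which is the banking-versus-message-board danger the second point describes. The common-word list and the account list are small constructed samples; a real check would use a much larger word list.

```python
import re
from collections import defaultdict

# Constructed sample of common words; a real check would use a much larger list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "secret", "library"}


def password_problems(password, email, common_words=COMMON_WORDS):
    """Return the rules from the text that ``password`` breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()
    local_part = email.split("@")[0].lower()
    if lowered in common_words:
        problems.append("is a common word or phrase")
    if lowered[::-1] in common_words:
        problems.append("is a common word or phrase, reversed")
    if lowered in (email.lower(), local_part):
        problems.append("is your email address")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("should mix uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("should include a couple of special characters")
    return problems


def shared_passwords(accounts):
    """Given {site: password}, return each group of sites that share one password.

    Any group that includes a bank or shop is the dangerous case from the text:
    a breach of the weakest site in the group exposes the banking password.
    """
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    accounts = {
        "somebank.co.nz": "$illyP@ss27",
        "message-board.example": "$illyP@ss27",
        "auction-site.example": "drowssap",
    }
    for site, password in accounts.items():
        print(site, password_problems(password, "person@somebank.co.nz"))
    print("shared between:", shared_passwords(accounts))
```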

Keep your software updated

People are always looking for opportunities to exploit a program you use, which is why you should check for software updates periodically. Updating your software ensures that problems with the software are reduced and quite often patches improve the speed of the program as well. At least one major internet worm in 2003 could have been easily prevented if system administrators had patched their computers with a patch released many months before the attack.

Microsoft Windows has Windows Update which provides all the patches and updates you need to download to ensure your system is safe against known problems. Windows 2000 and Windows XP allow you to use Automatic Windows Update (2000 Guide, XP Guide) which takes care of the entire process for you, once configured. In general, if you aren't technically inclined then you should let Automatic Update download and install all patches for you.

Mac users can visit the Apple support site for patches and additional downloads. Linux users' options vary depending on which distribution of Linux they use.

Links

Certification Authorities

Errata

  1. Secure email is possible using programs like PGP and other PKI programs, however for it to work effectively everyone you communicate with needs to have PGP on their computers.
  2. Unfortunately, sometimes even bookmarks cannot be trusted. If you ever create a bookmark, type out the address yourself and don't just click on some button on a webpage which claims to do it for you.


North Shore Libraries is funded by North Shore City Council rates and supported by Friends of the Libraries and the North Shore Libraries Foundation.