Safety Net - APEC

Safety Net
www.aoema.org

Not feeling safe in the online world? Use this guide to create your own “Safety Net”.

FEATURING vital info on dot.com scams, web bugs, trojans and other internet traps... INSIDE!

Take the 2-Min “Safety Net” Test and avoid online trouble before it happens.


Page 2: Safety Net - APEC

Safety Net Contents

INTRODUCTION Page 3

THE 2-MIN “SAFETY NET” TEST Page 4

SAFETY NET TOPICS AND RECOMMENDATIONS Page 5

ANSWERS TO YOUR QUESTIONS Page 6

SAFETY NET GUIDELINES Page 33

Page 3: Safety Net - APEC

Introduction

The Internet has become an important communication tool for the 21st Century. With more than 300 million people worldwide taking advantage of this exciting phenomenon, the Internet is nothing short of a revolution. It has changed how we relate to each other and the world around us. We now have access to people, places and information never before available. Businesses and governments are streamlining operations, grandparents are staying in touch with grandchildren living half a world away, school children are communicating with astronauts in outer space – all over the Internet. The Internet has become ubiquitous, permeating all aspects of life. The Internet is literally changing our way of life.

You may, however, have some concerns about venturing into the online frontier. We hear about viruses, Trojans, invasion of privacy, lack of consumer protection, “dot.com scams” and even something called “web bugs” – all reasons to be concerned. However, this is the way of the future and it will become increasingly difficult to ignore the online world. Your best defense against these potential problems is to learn how to prevent them from occurring in the first place.

This booklet is a practical guide for beginners as well as experienced Internet users for creating your own “safety net” to safeguard against fraud in the online world. There is risk associated with everything we do and nothing can be 100% safe. We can, however, greatly minimize the risks associated with online transactions if we take a little time to learn what the “bad guys” know and beat them at their own game by taking preventive measures. The Internet can be an enjoyable experience and if you follow the simple advice in this booklet, you can avoid trouble before it happens.

ESSENTIALLY THERE ARE 4 QUESTIONS WE NEED TO ASK:

How do I secure my computer?

How do I protect my personal data?

How can I trust online transactions?

How do I avoid Internet trouble, traps and scams?

This booklet aims to answer these important questions in a simple, straightforward manner, without getting too technical or bogged down in so much detail that you end up more confused. There are 24 topics, covering a range of security concerns and organized according to which question they relate to. For each topic there is a definition of the potential problem, recommended steps for avoiding trouble before it occurs, and references to websites that can provide further assistance or more in-depth coverage of the topic.

For more information and updates on all subjects, including specific references for individual APEC economies, refer to www.aoema.org/safetynet.

Page 4: Safety Net - APEC

TAKE THE 2-MINUTE “SAFETY NET” TEST AND AVOID ONLINE TROUBLE BEFORE IT HAPPENS.

You don’t have any questions at this time? You have everything under control? Very possibly, but we would like to recommend that if you do nothing else, at least take this 2-Minute Safety Net Test to determine if you have accounted for all critical security measures.

❏ YES ❏ NO Do you have anti-virus software installed on your system? (See p.32)

❏ YES ❏ NO Do you know if you have the most recent version of anti-virus software? (See p.32)

❏ YES ❏ NO Have you selected the “automatic update” option for continuous updating of virus definitions? (See p.32)

❏ YES ❏ NO Have you downloaded new virus definitions in the past 7 days? (See p.32)

❏ YES ❏ NO Do you have a personal firewall installed on your system? (See p.12)

❏ YES ❏ NO Do you have the most recent version of your firewall software program? (See p.12)

❏ YES ❏ NO Do you “disconnect” from your Internet connection when not in use? (See p.12)

❏ YES ❏ NO Do your passwords include a combination of numbers, uppercase and lowercase letters? (See p.23)

❏ YES ❏ NO Have you changed your passwords within the last 30 days? (See p.23)

❏ YES ❏ NO Do you remember your passwords without having to write them down? (See p.23)

❏ YES ❏ NO Are you using the latest version of operating system software, browser, email and all application programs? (See p.27)

❏ YES ❏ NO Have you selected “automatic update” for all programs that offer that option? (See p.27)

❏ YES ❏ NO Do you know what the “cookies” setting is on your browser? (See p.10)

If you answered “NO” to any of these questions, it is highly recommended that you refer to the pages noted and become more familiar with those topics.

Page 5: Safety Net - APEC

Safety Net Topics and Recommended Actions

CONSUMER PROTECTION Page 8

COOKIES Page 10

DIGITAL SIGNATURES Page 11

FIREWALLS Page 12

IDENTITY THEFT Page 13

INSTANT MESSAGING, CHAT ROOMS Page 14

INTELLECTUAL PROPERTY RIGHTS Page 15

INTERNET DUMPING Page 16

INTERNET SCAMS Page 17

LEGAL ISSUES Page 18

MONITORING INTERNET USAGE Page 19

ONLINE DEFAMATION Page 20

ONLINE DISPUTE RESOLUTION Page 21

ONLINE STALKING Page 22

PASSWORDS Page 23

PRIVACY OF PERSONAL INFORMATION Page 24

PUBLIC ACCESS Page 25

SECURE WEB PAGES Page 26

SOFTWARE UPDATES Page 27

SPAM Page 28

SPOOFING Page 29

SPYWARE Page 30

TROJAN PROGRAMS Page 31

VIRUSES Page 32

Page 6: Safety Net - APEC

Where To Find The Answers To Your Questions

HOW DO I SECURE MY COMPUTER?

How can I stop hackers from entering my computer system? (See FIREWALLS, Page 12)

How can I protect my young children from pornographic material and hate sites? (See MONITORING, Page 19)

What is wrong with using my dog’s name for a password? It’s easy to remember. (See PASSWORDS, Page 23)

Why should I update to the latest version of my software when I don’t need the new functionality? (See SOFTWARE, Page 27)

Is it true that programs can be put in my system that either disrupt my computer or cause trouble for others? (See TROJANS, Page 31)

What can I do to prevent viruses from entering my computer? (See VIRUSES, Page 32)

HOW DO I PROTECT MY PERSONAL DATA?

How do I prevent websites from capturing the personal information contained in my computer? (See COOKIES, Page 10)

Are chat rooms a safe place to meet people and exchange information? (See CHAT ROOMS, Page 14)

How do I prevent businesses from using my personal information without my consent? (See PRIVACY, Page 24)

How can I protect myself when accessing the Internet from a public location like a library or Internet café? (See PUBLIC ACCESS, Page 25)

I am so sick of junk emails, but do they actually pose any type of security risk? (See SPAM, Page 28)

Are there really “spy” programs that can get into my computer? (See SPYWARE, Page 30)

Page 7: Safety Net - APEC

HOW DO I AVOID INTERNET TROUBLE, TRAPS AND SCAMS?

How can I make sure someone isn’t using my personal data and pretending to be me? (See IDENTITY THEFT, Page 13)

Am I free to use any information I find on the Internet? (See IPR, Page 15)

I understand some users are finding mysterious charges on their phone bills. How do I prevent that? (See DUMPING, Page 16)

How do I know if a business opportunity discussed on the Internet is actually legitimate? (See SCAMS, Page 17)

What if someone publishes defamatory statements about me personally or about my business? (See DEFAMATION, Page 20)

Someone is continuously harassing me with emails and while in chat rooms. How do I stop this? (See STALKING, Page 22)

How is it possible that a friend of mine received an email from me, but I never sent it? (See SPOOFING, Page 29)

HOW CAN I TRUST ONLINE TRANSACTIONS?

How can I protect myself from con artists operating in the “dot.com” world? (See CONSUMER PROTECTION, Page 8)

How is it possible to sign legal documents and business contracts in the online environment? (See DIGITAL SIGNATURES, Page 11)

How can I find out what is legally permissible and what isn’t in the online world? (See LEGAL, Page 18)

How can I resolve a dispute over a purchase if the merchant is halfway around the world? (See DISPUTE, Page 21)

How can I tell which sites are secure before I shop on them? (See SECURE WEB PAGES, Page 26)

Page 8: Safety Net - APEC

ABOUT CONSUMER PROTECTION

Con artists have been around forever and consequently, consumers have always had to be careful about who they do business with. The old Latin phrase “caveat emptor” or “let the buyer beware” should be heeded whether shopping in person or over the Internet. Considering most people have yet to make an online purchase, there is a certain amount of fear associated with the unknown. Consumers should use reasonable caution and common sense, just as you would in the physical world.

Let the following list of Recommended Actions serve as a guide for what to do BEFORE you actually make a purchase over the Internet.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.econsumer.gov

www.bbbonline.org

Page 9: Safety Net - APEC

RECOMMENDED ACTION

• Look for and read policy statements on websites. This includes statements on the privacy of personal information, customer satisfaction and product return procedures, and the security of financial transactions made on the website.

• Make sure that online forms are secure.

• Reject unnecessary cookies.

• Use a secure browser and make sure it is the latest version available from the manufacturer.

• Make sure you clearly understand the merchant’s shipping and refund policies.

• If there is an “FAQ” (Frequently Asked Questions) section, it is a good idea to read through the list of questions to find out more about how a particular merchant deals with its customers.

• Don’t disclose more personal information than is necessary to complete a transaction. Don’t provide any personal information to a website unless you feel comfortable with the stated policies and procedures, and you can be sure that your personal details will be transmitted over a secure link.

• Never divulge your password to anyone online or over the telephone.

• Be sure to keep records of your online transactions. You may need to refer back to this information should you question a charge on your credit card statement.

• Review monthly credit card and bank statements for errors or unauthorized purchases. It is important to notify the appropriate financial institution immediately.

• Be cautious of any company that makes claims you find hard to believe. Chances are it is not a reputable business.

• Get to know the business you are dealing with. Honest merchants tend to be “up front” about their business practices, providing clear instructions on how they intend to do business with you and will typically respond to email queries if you have a question that isn’t covered by a policy statement or included in the FAQ section.

• Make sure the terms and conditions of the sale are clearly stated, including product availability, method of shipping, price, additional costs that might be incurred by the customer, return and refund policies, warranties and guarantees.

• Use a credit card rather than a bank debit card. With a debit card, the funds are immediately debited to your bank account and it is generally more difficult to deal with disputed charges.

• Be wary of consumer rating sites, as many of them are not being honest with consumers.

• Most importantly, learn what rights you have as a consumer by finding out what consumer protection laws are in effect in your local area. Consumer protection laws vary dramatically.

IF A PROBLEM OCCURS, DO THE FOLLOWING:

• Contact the merchant to discuss the problem.

• If an agreement cannot be reached, contact your local consumer group.

• If the merchant participates in a recognized program like BBBOnline, contact program administrators.

• Contact your credit card company for advice.

Page 10: Safety Net - APEC

ABOUT COOKIES

The main purpose of cookies is to identify users for purposes of customizing web pages to better meet the specific needs of consumers. Some websites will ask you specific questions and then package your responses into a “cookie” to be stored by your Web browser for later use. Others will simply track how you interact with their website and create a cookie that reflects your browsing or shopping habits. Then, the next time you visit that same Web site, it will look at the cookie on your machine and the information will be used to create personalized Web pages for you. For example, a welcome page might have your name on it or you might be presented with special offers for products you are likely to be interested in based on your buying history. Cookies generally enhance your online experience and with reputable businesses there is little to worry about. However, there are some businesses that use something called “third-party cookies” and this is what you have to be wary of.

A “third-party cookie” comes from a website different from the one you are actually visiting and typically originates from an advertiser wishing to learn more about your interests and preferences in order to determine which ads are most appropriate for you. These advertising companies are also interested in displaying new ads each time you visit a particular site and cookies help them keep track of your viewing history. This type of cookie is imposed on your browser without your permission, often resulting in a lot of pop-up screen ads you didn’t ask for nor are interested in. While “third-party cookies” are not likely to cause damage to your system, they can be intrusive and certainly a nuisance.

RECOMMENDED ACTION

It is now possible to control cookies. Free, downloadable programs are available to help you manage this annoying problem. Refer to the websites noted below.

The easiest way to find out if a business is using cookies and if they are, how they are using the information they collect from cookies, is to look for a policy statement on their website. Reputable online businesses today are very honest with consumers about exactly how they use cookies and explain their intentions in the form of a policy statement. If a website does not include this type of disclosure, you may want to think twice about dealing with that business entity.

Check the cookie setting in your browser. For example, in Microsoft Internet Explorer, go to “Tools” then “Internet Options” then “Privacy” and select the setting that best meets your needs.

Regularly delete temporary Internet files (refer to the “help” menu on your browser).

WHERE TO GO FOR HELP AND MORE INFORMATION

www.cookiecentral.com

www.lavasoft.de
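As an added example (not from the booklet), the following Python script applies the definition of a third-party cookie given above to a constructed page load: every cookie set while the page and its embedded images load is tagged first- or third-party by comparing its domain with the site you are actually visiting, and a “block third-party cookies” policy like the browser Privacy setting is applied. The host names, cookies and the simple two-label domain rule are assumptions made for the demonstration.

```python
# Added example (not from the booklet): classify cookies set while loading a
# page as first-party or third-party, using the booklet's definition that a
# third-party cookie "comes from a website different from the one you are
# actually visiting". All hosts and headers below are constructed samples.
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the 'site' of a host by its last two labels.

    Assumption: this toy ignores the Public Suffix List, so hosts such as
    example.co.uk would be mis-grouped; real browsers consult that list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> dict:
    """Extract the name, value and Domain attribute from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def classify_cookies(page_url: str, responses: list) -> list:
    """Tag each cookie set during a page load as first- or third-party.

    responses: (resource_url, set_cookie_header) pairs for the page itself and
    the images/scripts it embeds. A cookie's effective host is its Domain
    attribute if present, otherwise the host that sent it.
    """
    site = registrable_domain(urlsplit(page_url).hostname)
    result = []
    for resource_url, header in responses:
        cookie = parse_set_cookie(header)
        cookie_host = cookie["domain"] or urlsplit(resource_url).hostname
        cookie["party"] = "first" if registrable_domain(cookie_host) == site else "third"
        result.append(cookie)
    return result


def apply_policy(cookies: list, block_third_party: bool = True) -> list:
    """Mimic the browser 'Privacy' setting: drop third-party cookies if blocked."""
    return [c for c in cookies if not (block_third_party and c["party"] == "third")]


# Constructed sample: a shop page that embeds its own logo and an advertiser's pixel.
PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_RESPONSES = [
    ("https://shop.example.com/checkout", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://static.example.com/logo.png", "prefs=lang-en; Domain=.example.com; Path=/"),
    ("https://ads.tracker-net.test/pixel.gif", "uid=9f8e; Domain=.tracker-net.test; Max-Age=31536000"),
]


def demo() -> dict:
    """Return the party of each sample cookie and what survives the block policy."""
    cookies = classify_cookies(PAGE_URL, SAMPLE_RESPONSES)
    kept = apply_policy(cookies, block_third_party=True)
    return {
        "parties": {c["name"]: c["party"] for c in cookies},
        "kept": [c["name"] for c in kept],
    }


if __name__ == "__main__":
    print(demo())
```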

Page 11: Safety Net - APEC

ABOUT DIGITAL SIGNATURES

In the paper world we use handwritten signatures as a way to signify our agreement with, acceptance of or commitment to a paper document. Many people are concerned the electronic world may not provide that facility. Digital signatures do in fact provide it and much more.

The term “digital signature” should not be confused with the terms “electronic signature” or “digitized signature”. An “electronic signature” covers a broader range of possibilities and in its simplest form can be a name typed at the end of an email. A “digitized signature” is actually an electronic picture of your handwritten signature. Sign your name on a piece of paper and scan it into your computer. While it might look like your signature, it may not be a legally binding signature for an electronic document.

Complex mathematical formulas are used to create digital signatures. At the heart of the process is something called a “key pair”. One part of the “key pair” is private and used to digitally sign your name. This key should never be revealed to anyone. The other part of the “key pair” is public and is used to verify that a signature belongs to a particular person or entity. The public key is either available from an online repository or is sent with an email message to the intended party.

But, I hear you ask, how do I know that the private key actually belongs to the person who is using it?

The key is verified by a trusted third party and this entity signs the key to signify that they are satisfied that the key belongs to a particular person. This is called certification and a certificate is attached to the public key. A group of trusted third parties working together to verify identities is called a Public Key Infrastructure or PKI.

An example in the paper world that makes this process easy to relate to is your passport. When you apply for a passport, you must provide a photo of yourself and more than one document to verify your identity. Your government then verifies that you and your photo are the same person and are valid. You are then issued a passport (certificate) that attests to your identity. Other governments trust that your government has done its job and they accept your identification. Just as there are false passports, it is possible to falsely obtain a certificate. It is, however, highly unlikely that you will ever have to deal with this problem as the incidence rate is extremely low.

To send a private message to someone you must first encrypt it using the recipient’s public key. It is the private key paired with the public key that allows the recipient to decrypt your message and read it. By employing the “paired key” methodology, no one can read an encrypted message unless they have access to the private key. Therefore, it is extremely important to protect your private key.

The subject of digital signatures is actually very complex and this is only a basic introduction to the topic. To learn more about this subject and related technologies, refer to the websites noted below.

NEVER GIVE OUT YOUR PRIVATE KEY TO ANYONE.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.apectelwg.org/apecdata/telwg/eaTG/crypto.html

http://searchsecurity.techtarget.com
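As an added example (not from the booklet), the following Python script walks through the key-pair idea described above using a toy, textbook version of RSA: Alice signs a document with her private key, anyone can verify it with her public key, a tampered copy fails verification, a trusted third party certifies her public key (the “certificate” the passport analogy describes), and a message encrypted to her public key can only be read with her private key. The names, the document text and the fixed Mersenne primes are constructed for the demonstration; this is not real-world cryptography.

```python
# Added example (not from the booklet): a toy version of the "key pair" idea,
# showing that the private key signs, the public key verifies, a tampered
# document fails verification, a trusted third party can "certify" a public
# key, and a message encrypted to a public key needs the private key to read.
# Educational only: textbook RSA with fixed Mersenne primes and no padding, so
# it is NOT usable as real cryptography.
import hashlib

E = 65537  # public exponent used for every toy key below


def make_keypair(p: int, q: int) -> tuple:
    """Build (public, private) = ((n, e), (n, d)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of e modulo phi (Python 3.8+)
    return (n, E), (n, d)


def _digest(data: bytes) -> int:
    """Hash the document; 80 bits keeps the value below every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")


def sign(private: tuple, data: bytes) -> int:
    """Sign with the PRIVATE key: only its holder can produce this value."""
    n, d = private
    return pow(_digest(data), d, n)


def verify(public: tuple, data: bytes, signature: int) -> bool:
    """Verify with the PUBLIC key: anyone can check, nobody can forge."""
    n, e = public
    return pow(signature, e, n) == _digest(data)


def encrypt(public: tuple, message: bytes) -> int:
    """Encrypt a short message to the recipient's PUBLIC key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(private: tuple, ciphertext: int) -> bytes:
    """Only the matching PRIVATE key recovers the message (leading NUL bytes are dropped)."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def certificate_body(name: str, public: tuple) -> bytes:
    """The bytes a certifier signs: who owns which public key."""
    n, e = public
    return f"{name}|{n}|{e}".encode()


def issue_certificate(ca_private: tuple, name: str, public: tuple) -> dict:
    """The trusted third party signs the key/owner binding ("certification")."""
    return {"name": name, "public": public,
            "ca_sig": sign(ca_private, certificate_body(name, public))}


def check_certificate(ca_public: tuple, cert: dict) -> bool:
    """Like another government accepting a passport: trust the certifier's signature."""
    return verify(ca_public, certificate_body(cert["name"], cert["public"]), cert["ca_sig"])


# Fixed Mersenne primes (2**31-1, 2**61-1, 2**89-1, 2**107-1) keep the demo deterministic.
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)
CA_PRIMES = (2**89 - 1, 2**107 - 1)


def demo() -> dict:
    """Run the whole flow and report each check as True/False."""
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)

    contract = b"I agree to buy 10 units at $5 each."  # constructed sample document
    signature = sign(alice_priv, contract)
    tampered = contract.replace(b"10 units", b"100 units")

    cert = issue_certificate(ca_priv, "Alice", alice_pub)
    forged_cert = dict(cert, name="Mallory")  # same key, different claimed owner

    secret = b"meet at 9"  # constructed private message to Alice
    return {
        "signature_valid": verify(alice_pub, contract, signature),
        "tampered_rejected": not verify(alice_pub, tampered, signature),
        "certificate_valid": check_certificate(ca_pub, cert),
        "forged_certificate_rejected": not check_certificate(ca_pub, forged_cert),
        "message_roundtrip": decrypt(alice_priv, encrypt(alice_pub, secret)) == secret,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```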

Page 12: Safety Net - APEC

ABOUT FIREWALLS

Through the use of a “personal firewall” you can protect your computer from hackers and prevent unwanted programs from entering your system in the first place.

You might think that you have nothing on your computer worth looking at or stealing and therefore see little or no reason to concern yourself with a personal firewall. There are, however, many reasons why hackers may want to break into your computer, such as for purposes of:

VANDALISM – to gain access to your critical files and potentially cripple your system;

THEFT – obtain account details and passwords, or deploy “spyware” to take on your identity;

MANIPULATION – use your computer to attack or spam other computers.

It is not necessary for the hacker to know anything about your system or your passwords. Software is available to randomly scan the Internet, looking for open “ports” or doorways into computers. If, for one reason or another, your system has an open port, a hacker could gain access to the data on your computer, or send spam to other computers from your computer, which may result in your Internet address being blocked. Firewalls can help to protect you from these threats and ensure that your system will run smoothly and without problems while connected to the Internet. Firewalls can also help to protect you from unwanted cookies, pop up ads and prevent programs from being planted in your computer without your knowledge.

RECOMMENDED ACTION

All computers accessing the Internet today should use a firewall. This should not be optional or based on your level of Internet activity. The occasional user is just as vulnerable as the full-time user in terms of random scanning by hackers. There is no excuse for not installing a firewall since several excellent programs can be downloaded from the Internet at no cost. Refer to the websites below for examples of this type of firewall software and for additional information on firewall technology.

There are two types of firewalls. One is a hardware-based firewall and is most appropriate for internal networks (computers networked for home or business use). The other type of firewall is created by installing a software program on an individual computer and monitors all traffic to and from the Internet.

It is best to “disconnect” your Internet connection when not in use (extremely important for broadband users).

WHERE TO GO FOR HELP AND MORE INFORMATION

www.zonelabs.com

www.symantec.com

www.sygate.com

Page 13: Safety Net - APEC

ABOUT IDENTITY THEFT

Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. While this type of crime occurs in both the physical as well as the online environment, there are concerns that we may become even more vulnerable to this type of crime as more and more personal data is collected, maintained and accessed via the Internet.

Identity theft can have dire consequences for the victim and therefore should be taken seriously. If someone takes on your identity, they can ruin your credit history, create massive debt due to unauthorized use of your credit cards, or worse yet, cause you to be charged with crimes you had nothing to do with. Not only is your good name ruined by identity theft but it can cost you a lot of time and money to repair the damage that has been done. Considering the rather severe consequences of this type of problem, it is far better to take preventive measures than to wait for it to happen and then deal with it.

RECOMMENDED ACTION

Since this is a crime that can occur in either the physical or online environment, the following preventive measures should be heeded at all times:

1. Some personal data is more critical than others from a security standpoint. For example, in the United States a Social Security Number (SSN) is used extensively to identify a person and often becomes the primary question asked when trying to enter a secure website or on the telephone when you want to get account details from your bank or other financial institution. Other critical data is mother’s maiden name, driver’s license number and any other form of identification that is considered to be the most personal and therefore the most secure.

2. Be very careful with bank account details and monthly bank statements in both the online and physical environments.

3. Do everything you can to protect your credit card accounts. Keep an eye on your card when you hand it over to someone for processing. If you anticipate using your credit card for an online purchase, first check to make sure the website uses adequate security for processing financial transactions. It is also a good idea to cancel any account you haven’t used in the past 6 months as open, but inactive, accounts are often a target.

4. Be ever vigilant when using ATM cards to prevent your PIN number from being seen by people standing near you.

5. Make sure you have strong passwords for all your accounts and change them frequently.

6. Regularly monitor your bank and credit card statements for any unusual activity.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.idtheftcenter.org

www.privacyrights.org/identity.htm

www.consumer.gov/idtheft/

Page 14: Safety Net - APEC

ABOUT INSTANT MESSAGING, CHAT ROOMS, FILE SHARING

There are many different ways to communicate or “chat” in real time over the Internet. Web-based chat is the simplest method, and only requires a browser. Internet Relay Chat (IRC) requires that you either purchase or download a specific software package that allows you to participate in established “chat channels” or discussion groups. Instant messaging (IM) lets you set up a list of friends or co-workers and keep track of who’s online. If someone in your group is online at the same time you are, a message can be sent and they will receive it instantly.

Businesses are increasingly utilizing IM for internal, as well as external, communications. Conferences involving two or more employees can now be done online. Companies are also using IM to effectively communicate with suppliers and customers. While IM has become a useful communications tool for large and small businesses, Chat Rooms seem to be the domain of teenagers. Both forms of real-time communications over the Internet pose potential security risks if preventive steps aren’t taken to protect both your computer and your personal information. Follow the recommendations in this section and review the suggestions included in Online Stalking, Monitoring, Firewalls and Viruses.

Another popular application on the Internet today is known as file sharing. Different approaches to file sharing pose different security risks, but they all have the potential to unintentionally open up some or all of your computer’s files to hackers on the Internet. Ignoring the security risks could compromise your personal or financial information, or result in your computer being vandalized. “Peer-to-Peer File Sharing” is particularly popular today and programs like Kazaa, Morpheus and LimeWire allow people to share files by taking them directly from the owner’s computer. The risks associated with this type of application include:

• improper configuration of file sharing software making your computer accessible to anyone on the Internet;

• violating copyright laws. Permission must be sought from the copyright owner to avoid infringement of copyright.

RECOMMENDED ACTION

• Maintain up-to-date virus protection and be sure to install a firewall.

• Be very careful when installing file sharing software, and only allow access to those files that you want to share, not all your files.

• It is extremely important that you do not reveal personal details while in Chat Rooms.

• Be aware of copyright implications of sharing files.

• Be aware that this area of the Internet is not private and often subject to scrutiny.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.icq.com/support/security/

www.cert.org

Page 15: Safety Net - APEC

ABOUT INTELLECTUAL PROPERTY RIGHTS (IPR)

Human creativity and innovation is everywhere. From the plates we serve our meals on to the paintings we enjoy on the wall, hand-made carpets we walk on, the refrigerator, the telephone, the music we listen to and the books we read, these are all creations of the human mind and considered to be intellectual property (IP).

To better understand the concept of IP, you only have to go as far as your refrigerator. Undoubtedly you will find a wide variety of branded food products, each displaying a familiar “trademark” or logo of the company that produced it. Thanks to marketing and advertising, company trademarks have become very familiar and tend to influence our buying habits.

Considering the marketing power of trademarks, companies will do everything possible to protect their brand and guard against trademark infringement. If we go back to the refrigerator and look at the many different containers and special packaging (such as canned, vacuum-packed, cartons, air-tight seals), we encounter registered designs for the shape of containers, patents covering the production of packaging and trademarks for the brands and logos. The refrigerator itself may be subject to numerous patents covering refrigeration unit, shelving, and other components. Even the manual is covered by copyright, as it is original written text.

Since the Internet has become popular with mainstream society, there has been increased awareness and concern about the unauthorized distribution of IP, including films, art forms, music, photos, books and software over the Internet. As a user or provider of online content, it is your responsibility to become familiar with the issues, recognize all national IP laws that might apply, and generally be aware of international IP conventions.

When linking your web site to other web sites, permission should be sought to avoid infringing the other site’s trade marks or copyright. Common problem areas are: meta tag abuse, banner advertisement, framing and unauthorized deep linking.

RECOMMENDED ACTION

Be aware that SEVERE penalties can be imposed when infringing on the Intellectual Property Rights (IPR) of another person or company. Copyright violations include using graphics without permission, plagiarizing someone else’s work, and “peer-to-peer” file sharing of music, to name a few. Considering the importance of understanding what is at stake, it is crucial to refer to the websites noted below.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.wipo.int

www.apecipeg.org

Page 16: Safety Net - APEC

ABOUT INTERNET DUMPING (OR MODEM HIJACKING)

What is it? Known by various names in different parts of the world, Internet dumping occurs when a program in your computer drops your connection to the Internet and dials another number (such as an international number or a “premium pay-for-service” number). In most cases you don’t know that you have been “dumped” until you receive your phone bill and find mysterious charges.

How does it happen? Unscrupulous online businesses, many of which are “adult” sites, will trick users into agreeing to view their websites over alternate numbers that cost a premium. How this works is that a new user will be instructed to download a special program called a “viewer” for purposes of viewing the website, and the terms-and-conditions statement you must agree to prior to actually downloading the software includes a statement that you consent to use a different number to access the site. This terms-and-conditions statement is typically presented in such a manner that you are not fully aware of all the conditions, especially the use of an alternate number. Additionally, the so-called “viewer” is actually a program expressly designed to re-dial a premium number that results in outrageous charges on your phone bill.

Unfortunately, many people have unknowingly fallen for this scam and have been liable for the outrageous phone charges, as they explicitly agreed to the terms and conditions of the site when they downloaded the software. Claims to recover these costs are nearly always rejected, leaving the consumer with no choice but to pay.

RECOMMENDED ACTION

To protect yourself from this type of scam:

• Monitor the activities of your children or employees (anyone who might have access to your computer) to ensure that they are not agreeing to the terms and conditions on these types of websites.

• Ensure that the volume is turned up on your modem so that you can hear if it redials.

• Ensure that the “history” in your browser is kept for a long time so that you can trace back to the sites that might have caused the problem.

• You may want to speak to your telecommunications provider about barring international or “premium” numbers like “1-900” on your data line.

• If you intend to access “adult” sites, be extremely careful to read and understand all agreements before you actually click on “OK” or “YES”.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.tio.com.au/FAQ/int_dumping.htm

Page 17: Safety Net - APEC

Internet Scams

ABOUT INTERNET SCAMS

Unfortunately there are many scams on the Internet today. Working from actual complaints lodged by consumers in the United States, the Federal Trade Commission (FTC) has identified the following as the 12 most common scams to be on the lookout for:

1. Business Opportunities – offering big incomes without much work or cash outlay. Many of these are illegal pyramid schemes.

2. Bulk Email – offering large lists of email addresses to which you can advertise your own products or services. Most ISPs do not allow bulk emails or unsolicited mailings and you could be shut down.

3. Chain Letters – you send a small amount of money to each of 4 or 5 names on a list and replace one of the names with your own. Chain letters have been around for a long time and they are illegal when sent via email or via the post office.

4. Work-at-home Schemes – promises of steady income for minimal labor. For example, “earn $2 each time you fold a brochure and seal it in an envelope”. You pay the start-up fee, do the work as requested, but never get paid the money you were promised.

5. Health and Diet Scams – pills, herbal formulas, cures for impotence and hair loss are among the most popular scams flooding email boxes today. These gimmicks simply do not work and you are throwing money away.

6. Effortless Income – these are the get-rich-quick schemes and none of them work.

7. Free Goods – pay a small fee to join a club and recruit others to earn free goods. You pay your money, but never receive the goods.

8. Investment Opportunities – promises of high rates of return with no risk. These are almost always schemes that have no way of paying any kind of investment return as they are not properly funded. Their claims and statistics are mostly lies.

9. Cable De-scrambler Kits – pay a small sum of money and receive a kit to assemble a cable de-scrambler that allows you to receive cable television without paying a subscription fee. These do not work and if they did, it is illegal to use them.

10. Guaranteed Loans or Credit, on Easy Terms – unsecured home loans and credit cards are offered through unsolicited emails. Legitimate financial institutions do not work this way.

11. Credit Repair – offers to erase negative information from your credit file so you can qualify for a credit card, loan or job. If you follow the advice given, you will be committing fraud.

12. Vacation Prize Promotions – “you have just won a fabulous vacation” or “you have been specially selected for a great vacation package”. You will find that it isn’t what you thought it was or be required to pay additional fees that weren’t explained in the first place.

RECOMMENDED ACTION

If it sounds too good to be true, it is almost always exactly that. Don’t be taken in by slick sales pitches and be aware that many of these scams can actually result in criminal charges against you. Familiarize yourself with the FTC website and others like it that try to keep consumers informed of the latest scams on the Internet.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.ftc.gov

www.crimes-of-persuasion.com

Page 18: Safety Net - APEC

Legal Issues

ABOUT LEGAL ISSUES

The Internet is a global resource, but the laws governing Internet activities may be different as you cross national boundaries. Some activities, like child pornography or hacking into computers, are universally illegal. Others, like gambling or hate sites, are permissible in some parts of the world but not in others. Here are some examples of activities that are illegal in many parts of the world:

• Gambling;

• Purchasing firearms;

• Dealing in drugs (prescription as well as illicit) and other medical supplies;

• Hate sites aimed at certain races, religions, ethnic groups, etc.;

• Pornography of all types;

• Encrypting messages so that governments can’t read them if they want/need to;

• Hacking;

• Pirating software;

• Writing and releasing virus software;

• “Denial of service” attacks which prevent people from accessing certain websites;

• Intercepting communications;

• Maliciously misrepresenting oneself for financial gain (including Identity Theft);

• Pyramid and Ponzi Schemes.

The first rule you should observe is that if it is illegal or prohibited in the off-line world, it is illegal or prohibited in the online world. You should also keep in mind that the laws governing businesses in the off-line world such as contract law, product liability and advertising also apply in the online world. The Internet is evolving into a serious place of commerce and business should be conducted according to the laws and conventions that have been in effect for many years. The Internet is not the “wild west” or a “lawless frontier”. You are expected to know what the legal boundaries are and abide by them.

RECOMMENDED ACTION

Before selling on the Internet, check with your government’s international trade department to make sure there aren’t restrictions for the products you wish to sell.

Before buying products from international sites, you may want to check first with the appropriate government departments to make sure you are not in violation of any restrictions or regulations.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.eclip.org

www.bmck.com/ecommerce/

www.gipiproject.org/

www.ilpf.org

www.uncitral.org

www.cybercrime.gov

Page 19: Safety Net - APEC

Monitoring Internet Usage

ABOUT MONITORING INTERNET USAGE

MONITORING EMPLOYEE USE: The Internet has become a valuable business tool as well as a powerful distraction in today’s workplace. Monitoring employees’ Internet use has become a necessary part of a manager’s job. To ensure that productivity doesn’t decline and to protect your company from unwanted legal challenges, it is important that you become aware of the issues facing all businesses today, from the largest to the smallest, and develop a proactive strategy.

MONITORING FAMILY USE: The Internet offers family members many opportunities for learning, constructive entertainment, and personal growth. Parents, however, are concerned about their young children accessing what they consider to be inappropriate websites. While the Internet is fundamentally a great place for children, there are some areas of cyberspace that are not appropriate, just as there are areas in almost every city that are inappropriate for children. There are also certain activities on the Internet that may be appropriate for adults but not for children, and areas that are suitable for some children and not for others.

RECOMMENDED ACTION

BUSINESS USE: In developing a policy and associated guidelines, the following should be included:

• Establish a written policy that prohibits employees from using company computers for personal email or visiting inappropriate sites.

• Clearly communicate the fact that the company’s computer resources are not to be wasted and are strictly for approved business purposes.

• Include guidelines on language and content for emails.

• Manage your Internet policy with monitoring software.

• Reinforce your Internet policy with on-going employee education.

FAMILY USE: The challenge for parents is to educate themselves and their children about how to use the Internet safely. Parents can take advantage of software that audits as well as filters children’s Internet usage. Use the website references noted below as a starting point.

WHERE TO GO FOR HELP AND MORE INFORMATION

BUSINESS USE

www.email-policy.com

www.epolicyinstitute.com

www.fatline.com

FAMILY USE

www.getnetwise.org/

www.wiredpatrol.org/

www.childnet-int.org/

Page 20: Safety Net - APEC

Online Defamation

ABOUT ONLINE DEFAMATION

Online defamation is something that everyone needs to understand. Defamation suits have been debated in courtrooms for decades, causing traditional media like newspapers, magazines and book publishers to carefully check their sources before going to print. Recent court cases, however, make it clear that anyone publishing on the Internet could be named in a libel suit. The term “publishing” now encompasses emails, list servers, chat rooms, and websites. We all have to be responsible for what we say and make certain that we don’t intentionally or inadvertently spread false or damaging information about individuals or companies.

RECOMMENDED ACTION

If this happens to you personally or to your company:

• Stay calm and don’t get upset.

• Contact the responsible party and calmly discuss the issue. Suggest they withdraw the comments.

• If you don’t get the desired results, contact a lawyer familiar with defamation suits.

• Report the offending behavior to your Internet Service Provider (ISP).

To avoid being the target of a lawsuit:

• Make sure you can back up any claims or comments with irrefutable facts, not just opinions or emotions.

• Remember, once an email has been sent you cannot get it back before the recipient reads it.

• Be very careful about what you say in emails, over list servers, in chat rooms, and during instant messaging sessions. Be especially careful what you publish on a website.

• To avoid legal action against yourself, be sure to educate family members and employees about the potential problems associated with publishing in the online environment.

• Before publishing negative statements online, assess why you are doing it and what benefit you will receive from your action. Usually you will find that it isn’t worth the risk.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.onlinepolicy.org/defamation.shtml

www.wiredpatrol.org/law/freespeech/defamation.html

www.spawn.org/marketing/slander.htm

www.cyberlaw.com

Page 21: Safety Net - APEC

Online Dispute Resolution

ABOUT ONLINE DISPUTE RESOLUTION

Disputes happen on the Internet, just as they do in the physical world. However, it can be harder to work things out when you’ve never met the other party face-to-face. The European Union (EU) has been running a pilot project under the name ECODIR, which stands for Electronic Consumer Dispute Resolution, and is designed to enable consumers and online businesses to resolve disputes arising from Internet transactions.

ECODIR is an online process with secure web technology, involving 3 stages:

(Diagram: DISPUTE → NEGOTIATION → MEDIATION → RECOMMENDATION → RESOLUTION)

If the parties involved cannot reach a mutually agreed settlement through negotiation, then a neutral third party (Mediator) is appointed to assist. This third party is obligated to sign a “Declaration of Impartiality” and the mediation process is confidential and voluntary. The parties may, at any time, withdraw from the mediation process and take their claims to court.

The whole idea is that through Online Dispute Resolution, a conflict born on the Internet can be resolved using the Internet. With more and more businesses establishing a “store front” on the Internet, this will become a necessary business tool in the not too distant future. This will provide a cost-effective and efficient manner in which to resolve all types of lower value disputes arising from online sales transactions.

The ECODIR project involves government, private industry and academics from Europe and North America. For more information about this project and others like it, refer to the websites noted below.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.ecodir.org

www.adr.org

Page 22: Safety Net - APEC

Online Stalking

ABOUT ONLINE STALKING

To define “online stalking” we first need to understand what “stalking” is. While there are many differing definitions, two points in common are:

• repeated and unwanted behaviors whereby one individual attempts to contact another individual, and

• the behavior causes the victim to feel threatened or some sense of fear or dread.

Online stalking, then, occurs when one person harasses another using email, Internet chat-rooms and instant messaging. This can be very troubling for the person being stalked and some governments have created new legislation or revised existing legislation to include online stalking and in some instances restraining orders can be obtained.

Stalking can also extend to vandalism of computer systems if the security precautions identified in this booklet are not followed. While it is possible to stop a cyber-stalker, prevention is definitely the best policy.

RECOMMENDED ACTION

If you are being stalked:

• Delete any identities you have created in chat rooms and instant messaging systems.

• Immediately change your email address. Use gender-neutral references.

• Consider using an anonymous re-mailer.

• Contact your Internet service provider (ISP) or chat room moderator with evidence of harassment.

To reduce the risk of online stalking:

• Ensure that the name you choose as your “handle” or “screen name” is genderless.

• Ensure that your personal details are not made available anywhere on the Internet.

• Strengthen your passwords. Refer to the password section of this booklet for recommendations.

• Do not create an online biography. If one exists, remove it immediately.

• Most importantly, follow the security recommendations identified throughout this booklet. This is your best defense and can prevent it from ever happening.

• Don’t use abusive language in chat rooms or instant messaging exchanges.

• See the guidelines section for further recommendations.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.cyber-stalking.net

www.wiredpatrol.org/stalking/

www.privacy.net

Page 23: Safety Net - APEC

Passwords

ABOUT PASSWORDS

You go out one day and inadvertently leave the door unlocked. A stranger comes in and looks around but doesn’t take anything. Even though nothing has been stolen, how does it make you feel to know that someone has looked through your private things? People can do the same sort of “snooping” in your computer unless you protect yourself. Passwords are your first line of defense, but only if you use “strong” passwords. Your passwords are as important as the key to the front door and they should be of the highest quality, like a deadbolt lock.

Hackers use “password crackers,” a type of software that is capable of uncovering a simple password in as little as 1 hour. A “strong” password, on the other hand, can take 10 to 20 years of processing time to “crack”.

RECOMMENDED ACTION

Considering these statistics, it is well worth your time to follow these simple “do’s and don’ts” when creating passwords:

• Don’t use any word that can be found in any dictionary (any language) including scientific terms.

• Don’t use any word in reverse that can be found in any dictionary (any language).

• Don’t use any word that can be associated with you, e.g. address, phone number, birth date, pet’s name, nicknames, favorite sports activity or hobby.

• Don’t use consecutive letters or numbers like “abcdefg” or “234567”.

• Don’t use adjacent keys on your keyboard like “qwerty”.

• Do make it simple enough that you can remember it without writing it down.

• Do use a combination of letters, numbers and special characters in random order.

• Do use upper and lower case and include special characters (* @ #).

• Do use at least 6 characters and the longer the better.

Now you must protect this password:

• Don’t write it down anywhere.

• Don’t give it to anyone for any reason.

• Don’t select the “remember my password” feature associated with some websites and disable this feature in your browser software.

• Don’t use the same password for everything – have one for non-critical activities and another for sensitive or critical activities. (Remember that logging onto your computer is a critical activity).
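The “do’s and don’ts” for creating a password, applied by a small checker. This is an added example and not code from the booklet; the word list and the personal details it tests against are constructed stand-ins, and it goes slightly beyond the page by letting you pass in your own details (pet’s name, nickname, birth date) so that rule can be checked too.

```python
"""Checker for the booklet's password "do's and don'ts".

Added example for the Safety Net booklet; it is not code from the booklet.
DICTIONARY is a constructed stand-in: a real check would load a full word
list for every language the user speaks, including scientific terms.
"""
import string

# Constructed stand-in for a dictionary (forwards and reversed words are both checked).
DICTIONARY = ("dragon", "football", "hydrogen", "letmein", "monkey",
              "password", "secret", "summer", "sunshine", "welcome")

# Letter rows of a QWERTY keyboard, used to spot runs of adjacent keys like "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 6   # "at least 6 characters and the longer the better"
RUN_LENGTH = 4   # this many characters in a row counts as a run


def _contains_run(candidate, sequence):
    """True if candidate holds RUN_LENGTH characters of sequence in order, forwards or backwards."""
    for seq in (sequence, sequence[::-1]):
        for i in range(len(seq) - RUN_LENGTH + 1):
            if seq[i:i + RUN_LENGTH] in candidate:
                return True
    return False


def check_password(password, personal_details=()):
    """Return the rules the password breaks (an empty list means it passes all of them).

    personal_details: strings that can be associated with you, such as a pet's
    name, a nickname, a birth date or a phone number.
    """
    problems = []
    lower = password.lower()

    # Don't: any dictionary word, or any dictionary word in reverse.
    for word in DICTIONARY:
        if word in lower:
            problems.append(f"contains dictionary word '{word}'")
        if word[::-1] in lower:
            problems.append(f"contains reversed dictionary word '{word}'")

    # Don't: anything that can be associated with you.
    for detail in personal_details:
        if detail and detail.lower() in lower:
            problems.append(f"contains personal detail '{detail}'")

    # Don't: consecutive letters or numbers like "abcdefg" or "234567".
    if _contains_run(lower, string.ascii_lowercase) or _contains_run(lower, string.digits):
        problems.append("contains consecutive letters or numbers")

    # Don't: adjacent keys on the keyboard like "qwerty".
    if any(_contains_run(lower, row) for row in KEYBOARD_ROWS):
        problems.append("contains adjacent keyboard keys")

    # Do: at least 6 characters, upper and lower case, numbers and special characters.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one special character (* @ #)")
    return problems


if __name__ == "__main__":
    # "Fluffy" stands in for the user's own pet name; every value here is constructed.
    for candidate in ("qwerty", "Fluffy2024", "terces1!A", "Xy234567!", "Dr@g0n!7"):
        verdict = check_password(candidate, personal_details=["Fluffy"])
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```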

Page 24: Safety Net - APEC

Privacy of Personal Information

ABOUT PRIVACY OF PERSONAL INFORMATION

Every day you share personal information about yourself with others. It’s so routine that you may not realize you’re doing it. During the process of paying bills, making travel arrangements, using a credit card for purchases in shops or restaurants, etc., personal details are divulged to strangers and we have no idea whether we can trust them. For some reason, though, many people tend to think of the online environment as being more of a risk than the physical environment, causing them to stay away from the Internet altogether.

While you need to be serious about protecting your personal information, there is no reason to panic, especially if you follow the simple recommendations in this booklet. Keep in mind that the electronic environment is really not all that different from the physical environment. It is more a matter of becoming aware of the types of problems specific to the online world and learning how to prevent them in the first place. It is an educational process and so it was with early credit card use. For many years credit cards were used with little or no concern for what happened to the carbon papers. However, once we became educated to the fact that information taken from carbons was being used for fraudulent purchases, we quickly learned the importance of ripping them into tiny pieces before discarding.

Financial information isn’t the only area of concern for consumers. The ability to profile our shopping preferences, website viewing preferences, online health records, credit history, etc., is just as important and needs to be addressed as well. To maintain your privacy and to protect your personal information, follow all recommended security steps in this booklet and make a habit of taking the following action.

RECOMMENDED ACTION

Managing your personal information starts with recognizing the fact that some websites incorporate technologies intent on collecting your personal information and using it in ways you may find objectionable.

Once you understand this vulnerability, the next step is to take action by checking each and every website you visit and particularly those you intend to do business with, for a policy statement regarding how they will use your personal information. Two very important things to look for in a privacy statement are:

• How the company uses your email address – do they sell or trade email lists?

• Does the company collect personal data and use it without your knowledge or consent?

WHERE TO GO FOR HELP AND MORE INFORMATION

www.privacyfoundation.org

www.oecd.org

http://epic.org

www.privacy.net

Page 25: Safety Net - APEC

Public Access Points

ABOUT PUBLIC ACCESS POINTS

Many people around the world do not have a computer of their own but nevertheless want access to the Internet. People on vacation and not traveling with a laptop need to use the Internet to remain in touch with friends, family and business associates. Business people who prefer to travel without a laptop computer still need to access their email and exchange important business documents. These are all reasons for connecting to the Internet from a public access point, and examples of popular public access points today include Internet cafes, airport kiosks, and publicly available computer systems in hotels and libraries.

A viable and convenient solution for many, but one that has to be used carefully. By keeping in mind the open nature of these systems and carefully following the recommendations below, you can safely access the Internet from a public location.

RECOMMENDED ACTION

• Be wary of people sitting or standing close to you – they could potentially look over your shoulder to see your login ID, password, or personal data as you actually type it in.

• If you use public access points regularly, be sure to change your password often.

• Clear the browser’s “cache” when you leave. This helps to minimize the chance that someone else might be able to access your personal details.

• Clear the browser’s “history settings”.

• Close any and all browsers you have used before you leave.

• Do not allow the computer to “remember passwords” – this is a setting that you need to de-select.

• Never enter private or sensitive information while using a public access computer.

Page 26: Safety Net - APEC

Secure Web Pages

ABOUT SECURE WEB PAGES

If you want to buy something on the Internet you will be asked to supply your credit card number and personal details. Before you actually proceed with an online purchase, you should of course do everything possible to determine that the website you are dealing with represents a legitimate business and employs best practice policies for online commerce as outlined in this booklet.

Let’s say you feel confident that you are dealing with a trustworthy enterprise and are ready to transact business. You are about to submit your personal details and credit card number and you want to make sure this information will be transmitted in a secure manner. The following set of recommendations outline the simple tests you can perform prior to submitting your personal information.

RECOMMENDED ACTION

There is a simple test to determine if a web page is secure: On a Microsoft Windows based system, click the right mouse button while your cursor is positioned in any blank area of the web page and select “properties”. This will bring up a screen with information about that page. Click on “certificates”. If the page is not secure, it will let you know that no certificates exist for that page. If, however, the page is secure, you will be told what the “size of the key” is for the page and ideally you want a 128-bit key. This is a simplified explanation of a rather complex and highly technical subject, however the simple test does let you know that your sensitive information will in fact be transmitted securely.

There are two other ways to determine if a web page is secure, but they are not as reliable. One is to check in the “address” field at the top of your browser for “https” instead of the normal “http”. The “https” designator tells you IF a page is secure, but not HOW secure it is (as in the 128-bit key).

The other method, and the one most often suggested to new users, is to look along the bottom of your browser for an icon that indicates you are on a secure web page (e.g. closed lock, closed padlock or unbroken key). This technique can’t tell you HOW secure the page is either and these icons aren’t displayed on certain types of web pages (e.g. frames-based).

WHERE TO GO FOR HELP AND MORE INFORMATION

To find out more about certificates, secure web sites and using secure web pages, look at the help section of your browser.

Page 27: Safety Net - APEC

Software Updates

ABOUT SOFTWARE UPDATES

The software running on your computer could be a source of security problems if you don’t keep it up to date. After a program has been in use for a while, small problems are discovered and the manufacturer will need to create “updates” or “patches” to fix them. Additionally, with each new version of a software program you can count on new security measures being introduced, as reputable software manufacturers are working hard to make the online environment safer for users. This is especially true for operating system software, be it Windows, Mac or Linux. It is in your best interest to run the most up to date version of your operating system and to regularly check for program updates. Application software should be kept up to date as well.

RECOMMENDED ACTION

• If using Windows XP or Windows 2000, it is best to specify the “NTFS” file system rather than the “FAT32” system. This will enable much stronger security on your machine as well as provide the capability of encrypting sensitive data on the disk to ensure confidentiality.

• Check to make sure you are running the latest version of your operating system (e.g. Windows 2000, Windows XP, Mac OS X).

• Check to make sure your browser software is the latest version (e.g. Internet Explorer 6, Netscape 6.2).

• Office application software is important since these programs produce files that are often shared or distributed through emails, floppy disks and file sharing (e.g. word processing, spreadsheet, database, calendar).

• Your email software is extremely important since you use it regularly to communicate with people you know as well as strangers. You want the benefit of the latest security measures (e.g. Outlook Express, Netscape Mail, Eudora).

• Make sure you have the latest version of your anti-virus software (e.g. Symantec, McAfee) and most importantly, make certain you update the virus definitions regularly.

• In order for your firewall to fully protect your computer, it too needs to be kept up to date (e.g. ZoneAlarm, Black Ice Defender, Symantec).

• And the most important recommendation of all is that many of the software products listed above give you the option of selecting an “automatic update” option. This is definitely the best way to manage the update process for all your software products.

WHERE TO GO FOR HELP AND MORE INFORMATION

http://windowsupdate.microsoft.com/

www.apple.com/swupdates/

Page 28: Safety Net - APEC

Spam

ABOUT SPAM

Most of us get junk mail. Our mailboxes tend to fill up with advertising we didn’t ask for and typically throw away without even reading. The equivalent is now happening with electronic mail or “email”. Unsolicited messages end up in our electronic mailboxes almost daily and have become quite a nuisance.

Actually, spam is far more insidious than junk mail. While you can easily “delete it” from your system, you should think about the more far-reaching issues regarding spam. With junk mail, the costs are entirely with the sender. Companies pay to have advertising circulars printed and posted to you. With spam email, on the other hand, all recipients of a message pay to receive it, while the sender pays the same amount regardless of whether the message is sent to one or a million email addresses. Spam is costing individuals and companies time and money in the following ways:

• In most situations you have to download all messages in your mailbox, not just the ones you are interested in reading.

• Many users are subject to hourly connection fees and it will obviously cost more if you have to download a lot of spam emails.

• It takes time to sift through a pile of emails and time is money.

• Spam emails are clogging the mail servers around the world, resulting in higher costs and slower connections for everyone.

While it is unlikely we will be able to completely stop spam emails, we can hopefully reduce the incidence by following the recommended actions.

RECOMMENDED ACTION

1. Never, ever, respond to spam. By responding to spam you are actually confirming your email address and making yourself more of a target.

2. Don’t use your normal email address on subscriptions, newsletters, mailing lists, etc. Reserve it for those people you communicate with regularly, such as business associates, friends and family. Create a separate email address to be used for everything else. In other words, maintain a private address and a public address.

3. Never buy anything advertised in a spam email. It only encourages the sender to continue this selling tactic.

4. Use a spam filter. There are many available so choose one that best meets your email needs.

5. Report “spammers” to anti-spam web sites and to government consumer authorities.

6. Remember to check the privacy statement of all the websites you interact with to see how your email address will be used.

WHERE TO GO FOR HELP AND MORE INFORMATION

http://spam.abuse.net

www.cauce.org

Page 29: Safety Net - APEC

Spoofing

ABOUT SPOOFING

There are two types of “spoofing”. The first happens at the technical communications level and is called “IP Spoofing”. Good quality Internet Service Providers protect their users against this type of threat and therefore most home and small business users have no need to worry about it. However, if you are running a network with routers, talk to your equipment supplier to discuss how to protect yourself.

The other type of spoofing is “email spoofing”. This can happen in various ways but the result is that a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords or personal information).

RECOMMENDED ACTION

• You may be alerted to an event of “email spoofing” from your email recipients or by investigating “bounced email” error messages. If so, be sure to collect as much information as possible about the messages in question and forward these details to your ISP for further investigation.

• If you have concerns about whether your emails are from known sources, you might consider using digital signatures to ensure that all messages are authentic. Refer to the section on Digital Signatures for more information.

• Many forms of trickery are being used to get users to disclose sensitive information such as passwords. The deceptive ploy may be in the form of “spoofed” emails, an interactive session on a website, a telephone call or even a written letter sent via the post office. Before responding to any requests for your password or other personal details, verify that the request is coming from a known and authenticated source. For examples of the type of ploys we are referring to, the website noted below is from the Computer Emergency Response Team (CERT), and they receive “spoofing” incident reports from around the world.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.cert.org/tech_tips/email_spoofing.html

Page 30: Safety Net - APEC

Spyware

ABOUT SPYWARE

Spyware is any software that uses your computer and Internet connection to send your personal information to an individual or organization without your knowledge or consent. Spyware enters your computer as a software virus, from a web page you are viewing or from an email.

Spyware ranges from “third-party cookies” (see Cookies) to very intrusive programs that report back to software manufacturers on how you use their programs. Software downloaded from the Internet is particularly susceptible to this practice. Manufacturers want to learn more about user preferences for purposes of customizing current programs and to assist in developing future programs. The consumer, however, generally objects to this form of surveillance, considering the practice to be intrusive and a violation of privacy. A number of lawsuits have been filed against companies engaging in these practices, resulting in most programs being modified to cease this form of intrusive data collection.

There are, however, some companies that continue to secretly gather personal information, making it prudent to carefully read all information made available to you during the download process. In many cases you can “opt out” of these “features” but you have to read the information very carefully to notice that you are actually being asked whether you will allow the information to be reported back to the manufacturer. Some companies are determined to collect personal information and do their best to cover up the fact that they are installing “spyware” on your computer.

Another form of “spyware” is called “web bugs”. These little programs show up as tiny image files embedded in a web page or an HTML-formatted email message. In most cases they are invisible and therefore not noticeable, but they work in conjunction with “cookies” to gather information about your web viewing habits. Your best defense against “web bugs” is to make sure you set your “cookies” preference at the highest level you are comfortable with.

RECOMMENDED ACTION

• Check the “cookies” setting on your browser.

• Download “spy check” software, such as “Ad-aware” (www.lavasoft.de).

• For all websites you interact with, look for and read all policies and statements regarding the use of your personal information and whether spyware is used to collect information.

• Make sure you install firewall software and keep it up to date.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.bugnosis.org

http://grc.com/optout.htm

www.spychecker.com
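The “web bugs” described in the spyware section, as an added example that is not code from the booklet: a short Python script that scans an HTML-formatted email for the tiny or hidden images a reader would never see and reports which remote host would learn that the message was opened. The sample newsletter and the hostnames in it are constructed placeholders.

```python
"""Find probable "web bugs" (tracking images) in an HTML email or web page.

Added example for the Safety Net booklet's spyware section; it is not code
from the booklet. The sample message and the hostnames in it are
constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(dimension):
    """True for a width or height of 0 or 1 (with or without a trailing 'px')."""
    d = dimension.strip().lower()
    if d.endswith("px"):
        d = d[:-2]
    return d in ("0", "1")


class WebBugFinder(HTMLParser):
    """Collects <img> tags that the reader cannot see."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        # attrs is a list of (name, value); value is None for bare attributes.
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        # A 1x1 (or 0x0) image is invisible to the reader: the classic web bug.
        if _is_tiny(a.get("width", "")) and _is_tiny(a.get("height", "")):
            reasons.append("tiny image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            return  # a visible picture, even a remote one, is not a web bug
        src = a.get("src", "")
        url = urlparse(src)
        # A query string usually carries the identifier that ties the fetch to
        # you; together with a cookie it tells the sender who opened what, and when.
        if url.scheme in ("http", "https") and url.query:
            reasons.append("remote URL carrying an identifier")
        self.suspects.append({"src": src, "host": url.netloc, "reasons": reasons})


def find_web_bugs(html):
    """Return one record per probable web bug in the HTML, in document order."""
    finder = WebBugFinder()
    finder.feed(html)
    finder.close()
    return finder.suspects


def hosts_contacted(html):
    """Sorted list of the remote hosts the web bugs would report back to."""
    return sorted({bug["host"] for bug in find_web_bugs(html) if bug["host"]})


# Constructed sample newsletter; the hostnames are placeholders, not real services.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for subscribing to our newsletter!</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.invalid/open.gif?uid=48213" width="1" height="1">
<img src="https://track.example.invalid/p.gif" style="display: none">
<img src="https://cdn.example.net/photo.jpg?v=2" width="400" height="300">
</body></html>"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL):
        print(f"{bug['host']}: {', '.join(bug['reasons'])} ({bug['src']})")
    print("Hosts that would learn you opened this message:", hosts_contacted(SAMPLE_EMAIL))
```

Most mail programs can be set not to load remote images at all, which stops every image here from reporting back regardless of size; this script is for checking a message you have already received.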

Page 31: Safety Net - APEC

Trojan Programs

ABOUT TROJAN PROGRAMS
A “Trojan Program” comes into your system without your knowledge and works in the background, making it very hard to detect. Typically, a Trojan program comes “attached” to another program. That is why they are called “Trojans” – they come in an innocent looking package much like the Trojan Horse of ancient Greek mythology. Trojan programs can be attached to files sent via email, shareware exchanged in chat rooms, files on floppy disks, pirated software and a host of other devious means.

Trojan programs can cause considerable damage and should be taken seriously. There are 3 primary types of Trojan programs:

• “Remote Access Tools (RATs)” – allow a hacker access to everything on your computer;

• “Key-loggers” – save every keystroke you make and then send a file containing this information to a hacker;

• “Password Retrievers” – collect your password files and send them to a hacker.

It is important to note that simply downloading a file to your computer won’t activate a virus or Trojan program. You have to execute or run the infected program to actually initiate the virus or Trojan. Be very careful when dealing with word processing or spreadsheet files, as they could contain executable macros that have been intentionally or unintentionally infected with a virus or Trojan. Considering the devious nature of Trojan programs, how can you actually protect yourself? Prevention is your best protection and is as easy as following the recommended action. While Trojan programs are different from and shouldn’t be confused with viruses, anti-virus software includes Trojan detectors and is a critical part of your defense.

RECOMMENDED ACTION

• Install a personal firewall.

• Maintain your anti-virus software by regularly downloading virus definitions.

• Be sure to use your anti-virus software to manually check all programs before installing.

• Perform a virus scan on your entire system at least once a week.

These preventive measures will provide significant assurance that you will not be attacked by Trojan software.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.cert.org


Viruses

ABOUT VIRUSES
What is a virus? Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer much like a biological virus passes from person to person. Before the Internet became popular, computer viruses were mainly spread through the sharing of infected floppy disks. This made it relatively easy to pinpoint the source of the infection. Today, however, viruses come from a multitude of sources, including emails, word processing and other application files, computer games and software programs downloaded from the Internet. The good news is that even though there are more viruses today than ever before, we now have a way of preventing viruses from entering our computer systems in the first place.

What can a virus do to your computer? Viruses are software programs, and the actual effect of any particular virus depends on how it was programmed by the person who created the virus. Some viruses are deliberately designed to damage files on your system or in some way interfere with your computer’s operation. All viruses can potentially destroy or damage files, even those considered to be relatively “harmless”. What viruses can’t do is damage your hardware. No matter what you hear to the contrary, viruses can’t melt down your CPU, burn out your hard drive, cause your monitor to explode, etc. Warnings about these types of viruses are hoaxes, not legitimate virus warnings.

You might also receive an email from a friend or business associate telling you about a dangerous virus. In most cases these are virus hoaxes passed on by well meaning, but misguided, people. Do not forward hoax messages. All that does is clog up the Internet with useless emails, which is exactly what the “hoaxers” want. If you keep your virus program up to date, there is no reason to even look at these messages.

RECOMMENDED ACTION

• Make sure you have the latest version of your anti-virus software installed.

• Make sure you update your virus definitions every couple of days or, better still, take advantage of the “automatic update” option available on most anti-virus software programs. This facility automatically checks for new virus definitions each time you log on to the Internet.

• Never open unexpected files from anyone unless you can positively verify what it is, who sent it, and why it was sent to you. Check all files and make no exceptions. An email could identify the sender as your best friend, but actually have been sent by a hacker who got your email address by hacking into your best friend’s computer. Refer to the section on Firewalls to learn how to protect your computer from hackers. All files should be checked by an up-to-date anti-virus software program prior to executing them.

WHERE TO GO FOR HELP AND MORE INFORMATION

www.symantec.com

www.mcafee.com

www.europe.f-secure.com/news/hoax.htm (additional information on virus hoaxes)


Safety Net

Guidelines for:

EMAIL MESSAGES Page 34

MAILING LISTS Page 35

CONSUMER-FRIENDLY WEBSITES Page 36

SAFE ONLINE BUYING Page 37

ONLINE AUCTIONS Page 38


Guidelines for Email Messages

• Be careful when addressing a message or when replying to an email address, as some addresses appear to be that of an individual but are actually being distributed to a list of recipients.

• People who routinely have to deal with a heavy load of emails appreciate being made aware of any specific emails that are lengthy and might require extra time to deal with. Generally speaking, a message over 100 lines is considered long and it is a good idea to use the subject line to notify the recipient of this fact.

• Use both upper and lower case. It has become convention that if you use all upper case, YOU ARE SHOUTING.

• Some people like to use “smiley faces” to indicate a tone of voice or an attitude. A happy face is :-) and an unhappy face is :-( and is achieved by combining keyboard symbols. It is best to use them sparingly if you are going to use them at all and keep in mind that some cultures may not understand their meaning.

• Unless you have installed either a hardware or software encryption device, you should assume that messages exchanged over the Internet are not secure. If it isn’t appropriate on a postcard, then it isn’t appropriate for email!

• If you are forwarding or re-posting a message you’ve received, do not change the wording. If the message was a personal message to you and you are forwarding it on to an individual or a group, you should ask permission first.

• Never send chain letters via electronic mail as they are clearly forbidden on the Internet. Your network privileges may be revoked. Should you happen to receive one, notify your Internet Service Provider (ISP) immediately.

• Try to be brief with your messages, but at the same time be careful you aren’t so brief as to be terse. A terse message can often be considered rude or angry.

• Use the subject line to express some sense of what your message is about. This makes it easier for the recipient to effectively sort through incoming mail, set priorities in terms of critical messages requiring immediate attention, and file messages for future reference.

• You may not always have time to respond fully to a message at the time you actually receive it. It is far better to send a brief email letting the sender know you did receive the message, with a quick note to indicate that you will send a longer reply later.

• Unsolicited email advertising is unwelcome and in some contexts illegal.

• Avoid sending large files. A file over 150 Kilobytes is generally considered to be too big.

• To avoid creating long and unwieldy email recipient lists, use the “blind carbon copy” (BCC) convention when sending messages to large groups.


Guidelines for Mailing Lists

• Before you actually get involved in a mailing list or newsgroup, it is a good idea to spend one or two months getting to know the group before you post anything.

• Inappropriate behavior by users is not the fault of the system administrator. However, it is the responsibility of the system administrator to take action if someone has overstepped the boundaries of proper behavior.

• Once you press the “send key” it is too late to rescind your comments. Be very careful not to post comments that you might regret later.

• If by some chance you do accidentally send a personal message to the entire group, be sure to immediately send an apology both to the individual and to the group.

• If you have strong feelings about what someone else has posted, express your feelings in personal emails.

• Don’t get involved in what is often called “flame wars.” Avoid posting or even responding to incendiary material. Leave this type of problem to the list administrator.

• Avoid non-standard fonts, as they will display differently on different systems, making it difficult to read text files.

• Send subscribe and unsubscribe messages to the appropriate address.

• Keep your messages brief and to the point.

• Some lists welcome advertising while others have strongly stated rules against it.

• When replying to a message or posting, it is always best to make sure you include enough of the original text to provide context. Otherwise your response may not make sense.

• Be careful when sending personal responses. If you simply click on “reply to sender” you are most likely sending your reply to the entire mailing list and not to a single recipient as intended.

• Consider unsubscribing or setting a “no mail” option (if available) when you cannot check your email for an extended period.

• When sending a message to more than one mailing list, especially if the lists are closely related, apologize for cross-posting.

• Never give out your user ID or password. System administrators that need to access your account for maintenance or to correct problems will have full access to your account without having to request information from you.

• Avoid misunderstandings about dates by using the following date format: 11 Feb 2002.

• Acronyms can be used to abbreviate when possible; however, messages that are filled with acronyms can be confusing and annoying to the reader. Some common acronyms are:

IMHO = in my humble/honest opinion
FYI = for your information
BTW = by the way


Guidelines for Consumer-friendly Websites

ABOUT YOUR BUSINESS
Do you clearly describe the nature of your business?

Do you include the following pertinent details?
• physical business address
• email address or telephone number consumers can use to contact you directly

ABOUT YOUR INFORMATION PRACTICES
Do you clearly state what your information collection practices are, including what you collect, how you use it and whether and with whom you share it?

Do you clearly state how personally identifiable information is used and whether it is shared with others?

Do you explain the security measures you employ to secure transactions on your website?

Do you understand the laws governing the transmission of personal data across national boundaries?

ABOUT YOUR ADVERTISING AND MARKETING PRACTICES
Do you provide accurate and truthful information about your products and business practices on your website?

Can you back up any and all claims you make about your goods and services?

Do you disclose all sponsors of ads on your website?

Do you respect consumers’ decisions to not receive email advertising?

Do you take special care when advertising to children?

ABOUT THE SALE
Do you clearly identify what you are selling, with enough details that consumers know exactly what they are buying and the conditions of the sale?

Do you provide a list of total costs (including shipping and handling charges) and identify the currency used?

Do you clearly explain any additional charges that might apply to the sale?

Do you indicate any restrictions or limitations imposed on the sale?

Do you provide information regarding warranties or guarantees that are associated with the sale?

Do you provide an estimate of when the buyer should receive the order or, alternatively, provide a tracking code and the website address of your transport operator so the buyer can track the shipment?

Do you clearly explain payment options?

CONSUMER PROTECTIONS
Do you explain your return policy, including instructions on how a consumer returns an item to get a refund, credit or make an exchange?

Are you clear about all conditions related to returns?

Do you provide the necessary contact details for how a consumer should contact you regarding complaints or problems?

Do you provide the consumer with a record of the transaction either through your website or a follow-up email?

Do you have clear policy statements on your website to inform consumers about the privacy of their personal information? Do you give consumers the opportunity to decide whether or not they wish to participate in certain programs like email newsletters and unsolicited email offers from other merchants?

Do you provide information on how you would resolve a dispute? Do you participate in any recognized online dispute resolution programs?


Guidelines for Safe Online Buying

Shopping on the Internet can be easy and convenient; however, consumers want to make sure it is also safe and reliable. Use these guidelines to protect yourself when shopping on the Internet.

• Be sure you are dealing with a company you can trust and respect. A friend may recommend the site, or international programs like BBBOnline (www.bbbonline.org) can verify that the company demonstrates ethical online business practices.

• Check for merchant details like physical address and phone number to make sure you have a way of contacting the merchant if you have a question or a complaint.

• Read and make sure you are comfortable with the company’s refund and return policies, as not all companies accept returns or issue refunds. Some will only offer a credit for future purchases, some charge a “restocking fee” and most will not refund shipping and insurance costs. For online businesses that also have physical locations, you may be able to return products to the nearest shop to save shipping costs.

• For some products, like electronics or refurbished computers, it is very important to read and clearly understand the terms and conditions of the warranty.

• Be sure to sign in with strong passwords (refer to the section on Passwords). Never disclose your passwords to anyone, and it is best to de-select any website options for “remember my password”.

• Before you finalize your online order, very carefully check order details, including item description, size, amount, shape, color, etc. Check that you have correctly typed in the shipping and billing addresses and make sure that all calculations are accurate, including shipping, handling and tax. The best shopping sites show you the exact amount they will charge you before the sale is finalized.

• To protect your privacy and to guard against possible unauthorized use of your personal information, read and understand the privacy policy on the website. This policy should disclose what information is being collected on the website and how that information is being used. If you can’t find a policy, send an email or written message to the website to ask about its policy and request that it be posted on the site. Many companies give you a choice as to whether you will allow your personal information to be used or not. You should be given the option to decline or “opt-out” of having personal information, such as your email address, used for marketing purposes or shared with other companies.

• Ensure that the transaction is taking place over a secure web page (refer to the section on Secure Web Pages).

• It is very important to save a receipt of your transaction. Print the web page that includes the order number and order details. Some websites actually instruct you to print at a certain point in the process and others advise that you will receive a receipt via email. If you are purchasing an online subscription (e.g. newspaper, magazine, list server), make sure you print out the contract and understand the procedures to unsubscribe from the service.

• The best shopping sites include an integrated shipment tracking capability to keep you informed about where your package is and when you can expect delivery. Other sites provide you with a tracking number and the address of the transport operator’s website. If neither is provided, you may need to contact the company via email or telephone to specifically ask for this type of information.


Guidelines for Online Auctions

BEFORE YOU BID ON OR PURCHASE AN ITEM:

• Make sure you clearly understand what you are bidding on. Carefully read the item description, payment terms, shipping and handling costs, warranty, and refund policy. If you don’t understand something or have a question, don’t hesitate to contact the seller by sending an email message. You should be wary of any seller who refuses to reply to your emails or doesn’t respond to your satisfaction.

• If possible, research the item, using both online and offline sources. Try to get an idea of fair market price before you bid.

• Closely examine photos to learn more about the item’s condition.

• Check out the seller’s feedback history (most online auction sites provide this information) and make sure you understand the rating system used by individual auction sites. It is also a good idea to find out how long a seller has been involved in the auction site. If you are dealing with a seller who is new to online auctions, you may want to establish email communications and ask direct questions before bidding.

• Read everything associated with the listing, including information at the end of the listing page, as this is often where the seller indicates their business policies and conditions of sale.

• To avoid a misunderstanding, get a definite delivery time.

• Make sure you are not buying dangerous or illegal items as defined in your jurisdiction. Check appropriate government sites for details.

• Before placing a bid, it’s a good idea to set a bidding limit to avoid “buyer’s remorse” or finding that you have the winning bid, but can’t afford to pay for the item. When you place a bid on an auction site, you are actually entering a contract and could be legally bound to pay.

• When bidding on a high priced item or if you have doubts about a transaction, most auction sites provide escrow services. Refer to the individual auction site for more details.

• It is good practice to save all relevant web pages and emails associated with an auction in the event you need to follow up with the seller.

• Immediately report suspected fraud to administrators of the auction site.

• Be very careful not to disclose personal information when communicating with sellers.


The information and URLs contained in this booklet are accurate at the time of printing.

© Copyright is jointly held by FMMC and APEC, with AOEMA managing all rights and permissions.

This booklet may not be reproduced, translated, or published in any electronic or machine readable form in whole or in part without prior written approval of Asia Oceania Electronic Marketplace Association.

Please email us at [email protected] for feedback, comments or more information.

August, 2002.

Asia-Pacific Economic Cooperation
An APEC Telecommunications and Information Working Group Project

APEC Publication #202-SO-01.1
www.apecsec.org.sg

Prepared by AOEMA
www.aoema.org

Funded by FMMC (Japan)
www.fmmc.or.jp

With special thanks to the Ministry of Public Management, Home Affairs, Posts and Telecommunications, Japan (MPHPT) for their support of the AOEMA Awareness Seminar Program since 1996, with seminars held in 14 economies. This publication responds to needs and priorities identified during these workshops and builds on the work of the E-Japan Forum (EJF) in developing a similar guide for use in Japan.

www.soumu.go.jp

Asia Oceania Electronic Marketplace Association

With special thanks to the Australian Department of Foreign Affairs and Trade and AusAID for supporting the APEC E-commerce Awareness Workshops presented by AOEMA in Vietnam, the Philippines, Indonesia and China in 2001-2002. This publication responds to needs and priorities identified during these workshops.

www.dfat.gov.au


Consumer Protection

Cookies

Digital Signatures

Firewalls

Identity Theft

Instant Messaging, Chat Rooms, etc

Intellectual Property Rights

Internet Dumping

Internet Scams

Legal Issues

Monitoring Internet Usage

Online Defamation

Online Dispute Resolution

Online Stalking

Passwords

Privacy of Personal Information

Public Access

Secure Web Pages

Spam

Software Updates

Spoofing

Spyware

Trojan Programs

Viruses

Guidelines for Email Messages

Guidelines for Mailing Lists

Guidelines for Consumer-friendly Websites

Guidelines for Safe Online Buying

Guidelines for Online Auctions