2011 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled
March 31, 2011 - Press Release
The Online Trust Alliance (OTA) today announced the release of its “2011 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled.” The document lists techniques and procedures that can easily be implemented to help businesses and government agencies protect their customers' and employees' personal and financial data from being compromised. OTA developed the list to address the most common and dangerous threats, based on a review of thousands of fraudulent emails, data breaches, hacking incidents and identity theft incidents.

The 2011 Top 10 recommendations address the most frequent exploits, including malicious email, phishing and deceptive websites, as well as emerging threats affecting online trust and confidence.

In addition, OTA encourages businesses to review existing OTA best practices for protecting the DNS and users' data and privacy.
1. Upgrade all employees to the most current version of browsers that have integrated phishing and malware protection and privacy controls, including support for "Do Not Track" mechanisms and controls. Such controls give users control over third-party data collection, usage and sharing of their online browsing activities, while balancing the value of ad-supported online services. Encourage consumers to update their browsers by notifying them of insecure and outdated browsers. In addition, consider terminating support for end-of-life browsers with known vulnerabilities by preventing logons and providing instructions to
2. Establish and maintain a Domain Portfolio Management program that includes monitoring look-alike or homograph-similar domains and tracking renewals to prevent “drop catching” of expiring domains. Domain locking is recommended to help guard against unintended changes, deletions or domain transfers to third parties. Such programs and practices can help protect a company's brand assets and consumers from landing on look-alike sites compromising trademarks and
3. Email Authentication including both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to help reduce the incidence of spoofed and forged email, helping to prevent identity theft and the distribution of malware from tarnishing your brand reputation. Authenticated email gives ISPs, mailbox providers and corporate networks an added ability to block deceptive email, reduce false positives and protect online brands and sites from deception.
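As an added illustration of the SPF half of this recommendation (example code written for this page, not OTA's and not from the press release), the following Python evaluates whether a sending IP is authorized by a domain's published SPF policy. The records are constructed sample data held in a dictionary in place of live DNS, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS (not real domains or policies).
# example.com authorizes its own /24 and whatever its mailer's policy passes, else fails.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=TXT_RECORDS):
    """Return the SPF record for domain, or None if there is no v=spf1 record."""
    rec = records.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def evaluate_spf(sender_ip, domain, records=TXT_RECORDS, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming to send mail on behalf of domain."""
    if depth > 10:  # SPF caps DNS-querying mechanisms such as include at 10
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # membership is False (not an error) when IP versions differ
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
        elif name == "include":
            sub = evaluate_spf(sender_ip, arg, records, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"  # an include must point at a real SPF record
        else:
            return "permerror"  # a, mx, exists, ptr need live DNS; out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no trailing "all"
```

A receiving mail server would compare the result against the policy it applies to the MAIL FROM domain; here "fail" on the -all record is what lets a provider reject a forged example.com sender.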
4. Encrypt all data files containing customer profiles, email addresses and/or PII which are transmitted externally or stored on portable devices or media, including flash and USB drives.
5. Upgrade to Extended Validation Secure Socket Layer Certificates (EV SSL) for all sites requesting sensitive information, including registration, ecommerce, online banking and any page which may request PII or sensitive information. Use of EV SSL certificates helps to increase consumer confidence in your online brand. When an EV SSL certificate is presented, the address bar turns green, giving the user a higher level of confidence that the site and company they are visiting is a legitimate business.
6. Develop and test a proactive Breach & Data Loss Incident plan to be prepared for data breach and data loss incidents, minimizing the risk and impact to customers and business partners. Such plans help to inventory data collection policies, user access and destruction processes while developing a plan to respond to data loss and breaches.
7. Require strong passwords and educate users on effective Password Management to minimize the risk of account takeovers. Consider modernizing password/passphrase requirements. Include security questions with highly variable answers which are not publicly discoverable on social networking sites. Consider a) requiring strong passwords for employees and restricting customers from using weak passwords; b) forcing password resets every 30 to 60 days; c) ensuring service accounts are not used by staff or usable through customer-facing applications; d) performing regular entitlement reviews and removing unused or terminated employee accounts immediately; e) limiting the number of access attempts and forcing account shutdown that requires administrative interaction to lift.
8. Enable automatic patching for operating systems and applications, including add-ons and plugins. Proactive patch management can harden your systems against known vulnerabilities. End-of-life applications which are no longer supported should be removed or used only in isolated and secure sessions.
9. third-party code, links and advertising on your site to help prevent malicious content and ads being served on your site. Request third-party content providers and ad networks to adopt
10. all wireless routers and access points and hide your SSID (Service Set Identifier), or name it to help ensure that the SSID does not provide details which identify your business. Change your keys frequently to help prevent key disclosure or unauthorized use. If you are providing free wireless services, limit how and when your network can be used, monitor usage and keep the network isolated from your business network.
recommends that the private sector as well as government agencies consider the following:
Initiate planning to support DNS Security Extensions (DNSSEC). DNSSEC adds security to the DNS and is designed to help address man-in-the-middle attacks and cache poisoning by authenticating the origin of DNS data and verifying its integrity as it moves across the Internet. DNSSEC is an Internet Engineering Task Force (IETF) set of specifications that secures communication between DNS name servers and clients. With the root zone and the .org, .net, .gov and recently .com zones signed, the number of domains using DNSSEC and the number of resolvers conducting validation will increase.
Update privacy and data use policies to clearly state what data is being collected, who it is being shared with and how it is being used, to increase consumer trust and self-regulation. Consider multilingual policies to support users for whom English is a second language.
Adopt third-party security, privacy and opt-out seal and certification programs.