
2012 Top 10 Ways Businesses Can Protect Consumers From Being Fooled

OTA Updates April Fool’s List: New Efforts to Combat Spear Phishing & Wireless Snooping

March 29, 2012 - Press Release

The Online Trust Alliance (OTA) today announced the release of its “2012 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled.” The document lists techniques and procedures that businesses and government agencies can readily implement to protect their customers' and employees' personal and financial data from compromise. OTA developed the list to address the most common and dangerous threats, based on a review of thousands of fraudulent emails, data breaches, hacking incidents and identity theft cases.

The Top 10 recommendations address the most frequent attack vectors, including malicious email, phishing and deceptive websites, as well as emerging threats to online trust and confidence.

  1. The browser is the first line of defense, yet over 40% of users run outdated, insecure browsers that lack integrated anti-phishing and malware protection and online tracking privacy controls. “Why Your Browser Matters” is a helpful resource businesses can use to give site visitors “teachable moments” and prompt them to upgrade their browser at no cost. OTA recommends that businesses upgrade all employees to the most current browsers and encourage consumers by notifying them when their browser is insecure or outdated. In addition, consider ending support for end-of-life browsers with known vulnerabilities by blocking logons from them and providing instructions to upgrade.

  2. Upwards of 10% of computers are infected with bot malware and enrolled in “botnets”. Scan your systems at least weekly with anti-botnet tools and resources to detect and remediate infections.

  3. Deceptive and malicious email continued to grow in the past year, targeting business users, government agencies and consumers. Implement email authentication to reduce spoofed and forged email, which can lead to identity theft and malware distribution and can tarnish your brand's reputation. Authenticated email gives ISPs, mailbox providers and corporate networks an added ability to block deceptive email, reduce false positives and protect online brands and sites from impersonation.

  4. Cybercriminals are increasingly snooping and eavesdropping on wireless connections in airports, coffee shops and libraries. Always-On SSL (AOSSL) encrypts every connection and communication with the site, not just the login page, so that user names and passwords and the session that follows are protected. Leading sites including Twitter, Facebook, PayPal and Microsoft have now implemented this practice.

  5. Encrypt all data files containing customer profiles, email addresses or other PII that are transmitted externally or stored on portable devices or media, including flash and USB drives.

  6. Develop and test a proactive Breach & Data Loss Incident plan so that you are prepared for data breach and data loss incidents and can minimize the risk and impact to customers and business partners. Building such a plan also forces an inventory of data collection policies, user access and data destruction processes alongside the response procedure itself.

  7. Require strong passwords and educate users on effective password management to minimize the risk of account takeovers. Consider modernizing password/passphrase requirements. Use security questions with highly variable answers that are not publicly discoverable on social networking sites. Consider a) requiring strong passwords for employees and preventing customers from choosing weak ones; b) forcing a password reset every 30 to 60 days; c) ensuring service accounts are not used by staff and cannot be used through customer-facing applications; d) performing regular entitlement reviews and removing unused accounts and those of terminated employees immediately; e) limiting the number of failed access attempts and locking the account until an administrator unlocks it.

  8. Enable automatic patch management for operating systems and applications, including add-ons and plugins. Proactive patch management hardens your systems against known vulnerabilities. End-of-life applications that are no longer supported should be removed or run only in isolated, secured sessions.

  9. Continuously monitor third-party code, links and advertising on your site to prevent malicious content and ads from being served through it. Ask third-party content providers and ad networks to adopt anti-malvertising guidelines.

  10. Enable encryption (WPA2, not the broken WEP) on all wireless routers and access points. Hide your SSID (Service Set Identifier), or name it so that it does not identify your business; note that hiding the SSID offers little protection on its own, since clients disclose the name whenever they connect, so it should be treated as a complement to encryption rather than a substitute. Change your keys regularly to limit the impact of key disclosure or unauthorized use. If you provide free wireless service, limit how and when the network can be used, monitor usage and keep it isolated from your business network.
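
Recommendation 3 calls for email authentication without naming a protocol; the added example below, written for this page rather than taken from OTA, shows what a receiving mail server gains from one such protocol, SPF (RFC 7208). It evaluates a sender's IP against a domain's published policy using constructed TXT records embedded inline (the `example.com`, `softfail.example` and `nospf.example` records are made up for the demo). Only the `ip4`, `ip6` and `all` mechanisms are implemented; mechanisms that need DNS lookups (`a`, `mx`, `include`, `redirect`) are deliberately left out of this toy.

```python
"""Added example: SPF policy evaluation for a sending IP.

Illustrative code written for this page, not an OTA tool. Implements the
RFC 7208 subset (ip4, ip6, all, and the four qualifiers) needed to show
how a receiver decides whether mail claiming to come from a domain was
sent from an address that domain authorized.
"""
import ipaddress

# Constructed sample records, as a receiver would fetch them from DNS TXT.
SAMPLE_TXT = {
    "example.com":      "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example":    "",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return [(qualifier, mechanism, argument), ...] or None if not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qual, name.lower(), arg))
    return terms


def check_spf(sender_ip, domain, txt=SAMPLE_TXT):
    """Evaluate sender_ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror, temperror.
    A receiver would typically reject on 'fail' and flag on 'softfail'.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = parse_spf(txt.get(domain, ""))
    if terms is None:
        return "none"                   # no policy: cannot authenticate
    for qual, name, arg in terms:
        if name == "all":
            return QUALIFIERS[qual]     # catch-all; terms after it are ignored
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            # a, mx, include, exists, ptr, redirect need DNS lookups,
            # which this toy does not perform.
            return "temperror"
    return "neutral"                    # RFC 7208: no match and no 'all'


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"),
                    ("203.0.113.5", "example.com"),
                    ("198.51.100.11", "softfail.example")]:
        print(f"{ip:>16} claiming {dom:<18} -> {check_spf(ip, dom)}")
```

The `-all` on `example.com` is what makes the record useful to receivers: a forged message from any address outside 192.0.2.0/24 or 2001:db8::/32 evaluates to `fail` and can be rejected outright, whereas `~all` only asks the receiver to treat the mail with suspicion.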

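Recommendation 7 lists the controls but not their mechanics; the added example below, written for this page and not part of OTA's material, implements two of them together: passwords stored as salted PBKDF2 hashes compared in constant time, and a failed-attempt throttle that locks the account after a configurable number of failures inside a time window and stays locked until an administrator unlocks it (item 7e). The single demo user `alice` and her passphrase are constructed for the example; the `clock` parameter exists so the window can be tested without waiting.

```python
"""Added example: password verification with failed-attempt lockout.

Illustrative code written for this page, not an OTA tool.
"""
import hashlib
import hmac
import os
import time
from collections import deque

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored, password):
    """Recompute the hash and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed demo user store (assumption: one user, known passphrase).
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so unknown usernames cost the same as real ones (no user
# enumeration via response time).
_DUMMY = hash_password("")


class LoginThrottle:
    """Lock an account after max_attempts failures inside window_seconds.

    Failures older than the window are forgotten; a lock is cleared only
    by admin_unlock(), matching recommendation 7e.
    """

    def __init__(self, max_attempts=5, window_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = {}   # user -> deque of failure timestamps
        self._locked = set()

    def is_locked(self, user):
        return user in self._locked

    def record_failure(self, user):
        """Record a failed attempt; return True if the account is now locked."""
        now = self.clock()
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked.add(user)
        return self.is_locked(user)

    def record_success(self, user):
        self._failures.pop(user, None)

    def admin_unlock(self, user):
        self._locked.discard(user)
        self._failures.pop(user, None)


def attempt_login(user, password, throttle, users=USERS):
    """Return 'ok', 'denied' or 'locked'."""
    if throttle.is_locked(user):
        return "locked"
    stored = users.get(user, _DUMMY)
    # Hash first, then check membership, so unknown users take the same time.
    if verify_password(stored, password) and user in users:
        throttle.record_success(user)
        return "ok"
    return "locked" if throttle.record_failure(user) else "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_attempts=3, window_seconds=60)
    for pw in ["guess1", "guess2", "guess3", "correct horse battery staple"]:
        print(pw, "->", attempt_login("alice", pw, t))
    t.admin_unlock("alice")
    print("after admin unlock ->", attempt_login("alice", "correct horse battery staple", t))
```

Unknown usernames take the `denied`/`locked` path exactly as real ones do, and the dummy hash keeps the timing the same, so the login endpoint does not leak which accounts exist. The trade-off in 7e is worth stating in the runbook: an attacker who knows a username can lock its owner out deliberately, which is why the window and attempt count should be generous enough for legitimate users and why unlock must be quick for the help desk.
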
In addition, OTA recommends that private sector as well as government agencies consider the following:

  1. Initiate planning to support DNS Security Extensions (DNSSEC). DNSSEC adds security to the DNS and is designed to counter man-in-the-middle attacks and cache poisoning by authenticating the origin of DNS data and verifying its integrity as it moves across the Internet. DNSSEC is a set of Internet Engineering Task Force (IETF) specifications that lets resolvers verify that DNS answers were signed by the zone's operator; it authenticates the data rather than encrypting the channel between name servers and clients. With the root zone and the .org, .net, .gov and, most recently, .com zones signed, the number of domains using DNSSEC and the number of resolvers performing validation will increase.

  2. Upgrade to Extended Validation Secure Sockets Layer certificates (EV SSL) for all sites that request sensitive information, including registration, ecommerce, online banking and any page that collects PII. EV SSL certificates help increase consumer confidence in your online brand: when one is presented, most browsers turn the address bar (or part of it) green and display the verified organization name, giving the user a higher degree of confidence that the site and company they are visiting are a legitimate business.

  3. Update privacy and data use policies to state clearly what data is collected, who it is shared with and how it is used, in order to increase consumer trust and support self-regulation. Consider multilingual policies to serve users for whom English is a second language.

  4. Establish and maintain a Domain Portfolio Management program that includes monitoring look-alike and homograph domains and tracking renewals to prevent “drop catching” of expiring domains. Domain locking is recommended to guard against unintended changes, deletions or transfers to third parties. Such programs and practices help protect a company's brand assets and keep consumers from landing on look-alike sites that infringe trademarks and trade names.
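
Monitoring for look-alike and homograph domains, as the last recommendation above advises, starts with generating the candidates to watch for. The added example below, written for this page and not taken from OTA, produces the common typosquatting variants of a brand label (omissions, transpositions, doubled letters, ASCII lookalikes such as `l`/`1` and `rn`/`m`) plus single-character Cyrillic homographs, and renders each as the punycode name a registrar or zone file would actually show. The brand `paypal` and the confusable tables are constructed for the demo; a production list would use a fuller confusables table such as Unicode's.

```python
"""Added example: generate look-alike domain candidates for monitoring.

Illustrative code written for this page, not an OTA tool.
"""

# ASCII substitutions an attacker can register at any registry (constructed,
# not exhaustive).
ASCII_CONFUSABLES = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "0": ["o"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
    "rn": ["m"],
    "w": ["vv"],
    "vv": ["w"],
}

# Latin letters and Cyrillic look-alikes (IDN homographs), a small sample.
UNICODE_CONFUSABLES = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
}


def lookalikes(label):
    """Return a set of look-alike labels for one DNS label (no TLD)."""
    out = set()
    n = len(label)
    for i in range(n):                                   # omission
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                               # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                                   # doubled letter
        out.add(label[:i] + label[i] + label[i:])
    for src, subs in ASCII_CONFUSABLES.items():          # ASCII lookalikes
        start = label.find(src)
        while start != -1:
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(src):])
            start = label.find(src, start + 1)
    for i, ch in enumerate(label):                       # Cyrillic homographs
        if ch in UNICODE_CONFUSABLES:
            out.add(label[:i] + UNICODE_CONFUSABLES[ch] + label[i + 1:])
    out.discard(label)
    out.discard("")
    return out


def to_registrable(label, tld):
    """Return the ASCII (punycode) form a registrar or zone file would show."""
    return (label + "." + tld).encode("idna").decode("ascii")


def watchlist(brand, tlds=("com", "net", "org")):
    """All candidate names to monitor, in registrable form, sorted."""
    names = set()
    for cand in lookalikes(brand):
        for tld in tlds:
            names.add(to_registrable(cand, tld))
    return sorted(names)


if __name__ == "__main__":
    for name in watchlist("paypal", tlds=("com",))[:15]:
        print(name)
    print("...", len(watchlist("paypal")), "candidates across three TLDs")
```

The punycode step matters for the monitoring itself: zone files, certificate transparency logs and passive DNS all record `xn--pypal-4ve.com`, not the Cyrillic form a victim sees in the address bar, so the watchlist must be in the form those sources use.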