2012 Top 10 Ways Businesses Can Protect Consumers From Being Fooled
OTA Updates April Fool’s List: New Efforts to Combat Spear Phishing & Wireless Snooping
March 29, 2012 - Press Release
The Online Trust Alliance (OTA) today announced the
release of its “2012 Top 10 Recommendations to Help Businesses Protect
Consumers From Being Fooled.” The document lists techniques
and procedures that businesses and government agencies can readily implement
to protect their customers' and employees' personal and
financial data from compromise. OTA developed the list to address the
most common and dangerous threats, based on a review of thousands of
fraudulent emails, data breaches, hacking incidents and identity theft cases.
The Top 10 recommendations address the most frequent
exploits including malicious email, phishing and deceptive websites as well
as emerging threats impacting online trust and confidence.
The browser is the first line of defense, yet
over 40% of users run outdated and insecure browsers that lack
integrated anti-phishing and malware protection and online tracking privacy
controls. “Why Your
Browser Matters” is a resource businesses can use to provide
“teachable moments” that prompt site visitors to upgrade their browser at
no cost. Businesses should upgrade all employees to
the most current browsers and encourage consumers to do the same by
notifying them when their browser is insecure or outdated. In addition,
consider terminating support for end-of-life browsers with known
vulnerabilities by preventing logons and providing instructions to
Upwards of 10% of computers are infected and enrolled in
“botnets”. Scan your systems weekly with
tools and resources to help
fight botnets, and detect and remediate the
Deceptive and malicious email continued to grow
in the past year, targeting business users, government agencies and
Implement email authentication (SPF, DKIM and DMARC) to reduce the incidence of spoofed and forged
email, which can lead to identity theft and the distribution of malware
and tarnish your brand reputation. Authenticated email gives
ISPs, mailbox providers and corporate networks an added ability to block
deceptive email, reduce false positives and protect online brands and
sites from deception.
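How a receiving mail system uses those records, as an added worked example (this is not code from OTA or from the press release): a minimal SPF evaluator and DMARC policy lookup run against constructed DNS TXT records for the hypothetical domains example.com and partner.example.net. It implements only the ip4, ip6, include and all mechanisms of RFC 7208 and omits DKIM, so it shows the alignment and disposition logic rather than a full RFC 7489 implementation.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (assumption, not data
# from the press release); a real evaluator would query DNS instead.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 include:partner.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "partner.example.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed records above."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    Only ip4/ip6, include and all are implemented; a/mx/ptr would need
    further DNS lookups and are treated as non-matching here.
    """
    if depth > 10:                        # RFC 7208 caps include recursion
        return "permerror"
    records = [r for r in lookup_txt(domain)
               if r.split() and r.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            # an IPv4 sender never matches an ip6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


def dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dict; None if none is published."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: the same domain or a subdomain of it."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def evaluate_message(from_header_domain, mail_from_domain, sender_ip):
    """Combine SPF and DMARC into (spf_result, published_policy, disposition).

    DKIM is omitted, so a message passes DMARC here only on aligned SPF.
    """
    spf = spf_check(mail_from_domain, sender_ip)
    policy = dmarc_policy(from_header_domain)
    if policy is None:
        return spf, "none", "deliver"     # no DMARC policy: the receiver decides alone
    if spf == "pass" and aligned(from_header_domain, mail_from_domain):
        return spf, policy.get("p"), "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")
    return spf, policy.get("p"), disposition


if __name__ == "__main__":
    print(evaluate_message("example.com", "example.com", "192.0.2.77"))        # legitimate sender
    print(evaluate_message("example.com", "example.com", "198.51.100.99"))     # spoofed source IP
    print(evaluate_message("example.com", "attacker.example", "203.0.113.5"))  # forged From header
```

The third case is the one the recommendation targets: the attacker's own domain may have no SPF record at all, but because the From header claims example.com and example.com publishes p=reject, an aligned pass is required and the message is rejected.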
Cybercriminals are increasingly snooping on and
eavesdropping on wireless connections, including those at airports, coffee shops
and libraries. Adopt Always On
SSL (AOSSL), which encrypts every connection and communication with the site, including
users’ names and passwords, rather than only the login page; encrypting the login alone
leaves session cookies exposed on every other page. This practice is now implemented by leading
sites including Twitter, Facebook, PayPal and Microsoft.
Encrypt all data files containing
customer profiles, email addresses or other PII that are transmitted externally or stored on portable devices or
media, including flash and USB drives.
Develop and test a proactive
Breach & Data Loss Incident plan
so you are prepared for data breach and data loss incidents and can minimize the
risk and impact to customers and business partners. Building such a plan forces you to
inventory data collection policies, user access and destruction
processes while defining how you will respond to data loss and breaches.
Require strong passwords and educate users on
effective Password Management to minimize the risk of
account takeovers. Consider modernizing password/passphrase
requirements. If you use security questions, choose ones with highly variable answers
that are not publicly discoverable on social networking sites.
Consider a) requiring strong passwords for employees and preventing
customers from choosing weak passwords; b) forcing a password reset every 30 to
60 days (note that more recent guidance, such as NIST SP 800-63B, favors long passphrases and
breach-driven resets over fixed-interval rotation); c) ensuring service accounts are not used by staff and cannot
be used through customer-facing applications; d) performing regular
entitlement reviews and removing unused or terminated employee accounts
immediately; e) limiting the number of access attempts and locking the account
so that administrative intervention is required to restore it.
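Items a), c), d) and e) above in working form, as an added example that is not part of the press release or OTA's own material: a small in-memory account store with a password policy check, salted PBKDF2 hashing, a lockout after a fixed number of failures that only an administrator can clear, and a rule that service accounts cannot authenticate through the customer-facing channel. The user names, the threshold of five attempts and the short denylist of common passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_ATTEMPTS = 5           # item e): lock after this many consecutive failures (assumed value)
PBKDF2_ITERATIONS = 100_000

# Constructed denylist (assumption); production systems should screen against
# a full breached-password corpus rather than a handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_is_strong(password, min_length=12):
    """Item a): reject short, common or single-character-class passwords."""
    if len(password) < min_length or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """In-memory account store demonstrating lockout and service-account rules."""

    def __init__(self):
        self.accounts = {}

    def add_user(self, username, password, service_account=False):
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "salt": salt, "digest": digest, "failures": 0,
            "locked": False, "service_account": service_account,
        }

    def login(self, username, password, channel="customer_portal"):
        """Returns 'ok', 'invalid', 'locked' or 'denied'."""
        account = self.accounts.get(username)
        if account is None:
            hash_password(password)       # same cost for unknown users, so timing does not reveal them
            return "invalid"
        if account["service_account"] and channel == "customer_portal":
            return "denied"               # item c): service accounts never log in via customer-facing apps
        if account["locked"]:
            return "locked"               # stays locked until admin_unlock(), even with the right password
        _, digest = hash_password(password, account["salt"])
        if hmac.compare_digest(digest, account["digest"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_FAILED_ATTEMPTS:
            account["locked"] = True
            return "locked"
        return "invalid"

    def admin_unlock(self, username):
        """Item e): only an administrator clears the lock and the failure counter."""
        self.accounts[username]["locked"] = False
        self.accounts[username]["failures"] = 0

    def remove_user(self, username):
        """Item d): terminated employees are removed immediately, not merely disabled."""
        self.accounts.pop(username, None)
```

Two details matter in practice: the lockout check comes before the password comparison, so an attacker who guesses correctly on a locked account learns nothing, and the comparison uses a constant-time function so that the hash check itself does not leak information.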
Enable automatic patching
of operating systems and applications, including add-ons and plugins.
Proactive patch management hardens your systems against known
vulnerabilities. End-of-life applications that are no longer
supported should be removed or run only in isolated, secured sessions.
Vet and monitor third-party code, links and advertising on your site to
help prevent malicious content and ads being served through it.
Request that third-party content providers and ad networks adopt
Secure all wireless routers and access points with strong encryption (WPA2 at the time of this release),
and hide your SSID (Service Set Identifier), or name it so as to
ensure the SSID does not reveal details that identify your business; note that a hidden SSID is
still discoverable by anyone capturing wireless traffic, so treat hiding it as cosmetic rather than as a security control.
Change your keys frequently to limit the impact of key disclosure or
unauthorized use. If you provide free wireless service,
limit how and when the network can be used, monitor usage and keep it isolated from your business network.
OTA also recommends that private-sector organizations as well as government agencies
consider the following:
Initiate planning to support
DNS Security Extensions (DNSSEC). DNSSEC adds
origin authentication and integrity protection to DNS data and is designed to help defeat man-in-the-middle
attacks and cache poisoning by letting validating resolvers verify that the DNS
data they receive was published by the zone owner and has not been altered in transit. DNSSEC is an
Internet Engineering Task Force (IETF) set of specifications; it authenticates DNS data but
does not encrypt DNS traffic, so it is not a confidentiality measure. With
the root zone and the .org, .net, .gov and, most recently, .com zones signed, the number of domains using DNSSEC and the number of
resolvers performing validation will increase.
Upgrade to Extended Validation Secure Sockets
Layer Certificates (EV SSL) for all sites requesting
sensitive information, including registration, ecommerce, online banking
and any page that collects PII or other sensitive data. Use
of EV SSL certificates helps increase consumer confidence in your
online brand. At the time of this release, browsers turned the address bar green when an EV SSL certificate
was presented, giving the user higher confidence that the site and company they
are visiting belong to a legitimate, vetted business (most major browsers have since removed this distinct indicator).
Update privacy and
data use policies
to clearly state what data is being collected, who it is being shared
with and how it is being used, in order to increase consumer trust and support
self-regulation. Consider multilingual policies to support users for whom
English is a second language.
Establish and maintain a Domain Portfolio
Management program that includes monitoring look-alike or
homograph-similar domains and tracking renewals to prevent “drop
catching” of expiring domains. Domain locking (registrar lock) is recommended to help guard against
unintended changes, deletions or transfers of the domain to third parties. Such
programs and practices can help protect a company's brand assets and
consumers from landing on look-alike sites compromising trademarks and
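The look-alike monitoring piece of the domain portfolio recommendation above, as an added example that is not part of the press release or any OTA tool: a generator that enumerates homoglyph substitutions, omissions, transpositions and TLD swaps for a brand domain, plus an edit-distance fallback, applied to a constructed feed of "newly registered" domains for the hypothetical brand example.com. The homoglyph table, the alternative TLD list and the sample feed are all assumptions; a real program would also need Unicode confusables and a live registration feed.

```python
# Constructed homoglyph table (assumption): visually similar ASCII substitutions.
# Real portfolios also need Unicode confusables (Cyrillic 'а' for Latin 'a', etc.).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "g": ["q"],
}
ALT_TLDS = ("com", "net", "org", "co", "info")     # assumed list


def split_domain(domain):
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def lookalikes(domain):
    """Generate candidate look-alike registrations for one brand domain."""
    name, tld = split_domain(domain)
    variants = set()
    for idx, ch in enumerate(name):                       # homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(f"{name[:idx]}{sub}{name[idx + 1:]}.{tld}")
    if len(name) > 1:
        for idx in range(len(name)):                      # character omission
            variants.add(f"{name[:idx]}{name[idx + 1:]}.{tld}")
    for idx in range(len(name) - 1):                      # adjacent transposition
        swapped = name[:idx] + name[idx + 1] + name[idx] + name[idx + 2:]
        variants.add(f"{swapped}.{tld}")
    for alt in ALT_TLDS:                                  # TLD swap
        if alt != tld:
            variants.add(f"{name}.{alt}")
    variants.discard(domain.lower())
    return variants


def edit_distance(a, b):
    """Levenshtein distance, for catching variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_suspicious(registrations, brand_domain, max_distance=1):
    """Map each suspicious registration to the reason it was flagged."""
    brand_name, _ = split_domain(brand_domain)
    # compare on the label only, so a generated variant under any TLD is caught
    generated_names = {split_domain(v)[0] for v in lookalikes(brand_domain)}
    flagged = {}
    for candidate in registrations:
        candidate = candidate.lower()
        name, _ = split_domain(candidate)
        if candidate == brand_domain.lower():
            continue
        if name in generated_names:
            flagged[candidate] = "generated look-alike"
        elif brand_name in name:
            flagged[candidate] = "contains brand name"
        elif edit_distance(name, brand_name) <= max_distance:
            flagged[candidate] = f"edit distance <= {max_distance}"
    return flagged


# Constructed sample of "newly registered domains" (assumption, not real data).
NEW_REGISTRATIONS = [
    "exarnple.com", "example-login.com", "examp1e.net", "exammple.com",
    "unrelated.org", "example.com", "exmaple.co",
]

if __name__ == "__main__":
    for dom, reason in sorted(flag_suspicious(NEW_REGISTRATIONS, "example.com").items()):
        print(f"{dom:20} {reason}")
```

Run daily against a registration feed, the flagged list is what the portfolio owner reviews for defensive registration, takedown requests or a brand-abuse complaint; the brand's own domain is skipped so renewals of the real name never show up as alerts.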