Cousin asking for help with unsecure webpages... is my advice accurate?


  #1  
Old 09-04-16, 03:00 PM
T
Member
Thread Starter
Join Date: Oct 2014
Posts: 238
Received 4 Upvotes on 4 Posts
Cousin asking for help with unsecure webpages... is my advice accurate?

Cousin is big time paranoid about web security, and especially about making purchases. Personally, i've never paid much attention to web security, but im her personal IT support (yay me), and she keeps asking questions about it.

She complains that frequently when trying to make a purchase, or even checking her yahoo mail, she gets the 'mixed content' warning and feels unsafe. She is asking if updating her browser (firefox), or scanning her computer for malware, will help.

After about an hour of google research on this, here is how i understand the basics... someone can tell me if it is accurate:

If a site is unsecure, or if it has mixed content, it has nothing to do with your web browser or computer, the problem is with the actual web page... so cleaning the pc or updating the browser would have no effect on the security of the page, nor would using another browser. The only thing you can do is contact whoever runs the website and notify them of the issue.

Sound accurate?

Two follow up questions to help me understand it better:

1. How big of a deal is the mixed content warning? If it's on something like a wikipedia page is it a big deal? How about if it's on a page asking for your CC information for a purchase? How about on your email?

2. Is there any way to deal with this? Like say could you open up some sort of virtual debit card not connected to your banking account, where you could just load enough money on it to make whatever purchase you are making, and then use it on a mixed content (or even unsecure) site and not face any risk?

Thanks for any help!
 
  #2  
Old 09-04-16, 03:28 PM
PJmax's Avatar
Group Moderator
Join Date: Oct 2012
Location: Jersey
Posts: 64,928
Received 3,949 Upvotes on 3,542 Posts
I've never seen the mixed content warning. Possibly it's browser specific.

You can establish a credit card just for web purchases but don't forget.... it needs to be replenished somehow.

Have you explained to her the https before the website address signifying a secure connection ?
Never make a payment if the s is not present.
 
  #3  
Old 09-04-16, 04:08 PM
T
Member
Thread Starter
Join Date: Oct 2014
Posts: 238
Received 4 Upvotes on 4 Posts
Thanks TJ.

On firefox, https connections have a green padlock to the left of the address, and unsecure pages have no padlock. A webpage is considered 'mixed' if the page is https but also has elements on it that are using the http protocol. In firefox, this is designated as a padlock with an orange caution on it.

I just read an article about chrome that says it used to use a similar system, but apparently they changed it so that https shows as a padlock, and mixed or unsecure both have no padlock.

Here are the articles i am referencing in case anyone wants to read up on them:

H2G explanation about mixed content.

Firefox explanation of their system.

Article talking about the changes to chrome.
 
  #4  
Old 09-04-16, 04:41 PM
C
Member
Join Date: May 2015
Location: USA
Posts: 3,167
Received 169 Upvotes on 137 Posts
There are many banks/financial institutions that offer single use credit card numbers that are only valid for a single use, so even if they are intercepted/stolen, they are useless. It slows down online purchases a bit since you have to add the extra step of getting a new number for every purchase, but for those really worried about online purchases they offer a lot of peace of mind, since your real credit card number is never provided to the vendor. I go this route with vendors that seem tiny/new/flaky since I don't trust them to take reasonable precautions to keep the transaction (and their system) safe and secure.
 
  #5  
Old 09-04-16, 07:31 PM
H
Member
Join Date: Jan 2011
Location: United States
Posts: 2,412
Upvotes: 0
Received 0 Upvotes on 0 Posts
Both Visa and Master card have a program that is affiliated with most banks and you can add extra protection by having to sign in to those programs. I did have a credit card that could do that through a participating bank but I felt it was too much of a hassle over time. Also as was mentioned you can use a number your bank will give you just for internet sales and my current bank has that program however I haven't used it. It does seem to be easier to use though than most other systems of bank card protection.

Every bank though I have found has their own protection system that you can opt in for if you so desire and they do have their own fraud protection policies which vary from bank to bank.
 
  #6  
Old 09-05-16, 06:17 PM
D
Banned. Rule And/Or Policy Violation
Join Date: May 2016
Location: USA
Posts: 526
Upvotes: 0
Received 0 Upvotes on 0 Posts
There is an ongoing debate as to which is safer, entering your credit card, on the net or giving the # over the phone. Personally, I prefer the phone. So when I want to order something from a web page, I look for a contact # & I call them.

Going back to your original question, the best answer so far is to obtain credit card #s that are only good for one purchase.
 
  #7  
Old 09-27-16, 10:45 PM
Spikester's Avatar
Member
Join Date: Jun 2011
Location: USA
Posts: 167
Upvotes: 0
Received 0 Upvotes on 0 Posts
Originally Posted by tiresharkdbb
If a site is unsecure, or if it has mixed content, it has nothing to do with your web browser or computer, the problem is with the actual web page... so cleaning the pc or updating the browser would have no effect on the security of the page, nor would using another browser. The only thing you can do is contact whoever runs the website and notify them of the issue.
Correct, this is related to the content that is loaded from the website itself.

Originally Posted by tiresharkdbb
1. How big of a deal is the mixed content warning? If it's on something like a wikipedia page is it a big deal? How about if it's on a page asking for your CC information for a purchase? How about on your email?
It depends really, if it isn't something you are counting on for confidentiality (e.g. Wikipedia) then it doesn't really matter. If it is your bank, or anything that could be directly linked to potential identity theft, contact the support for the business.

Originally Posted by donoli2016
There is an ongoing debate as to which is safer, entering your credit card, on the net or giving the # over the phone. Personally, I prefer the phone. So when I want to order something from a web page, I look for a contact # & I call them.

Going back to your original question, the best answer so far is to obtain credit card #s that are only good for one purchase.
I second this. If I can order over the phone, I prefer to do so. There is something unfortunately reassuring by speaking to an actual individual. However, they are just entering it into another computer, so as far as security it probably doesn't really matter. As for the credit card, I always recommend a credit card for online purchases over using a debit card or bank account. Unless you really trust the vendor, this is the best. Credit cards have a much better insurance for this sort of thing, plus if your credit card gets maxed, you still have money in your bank to eat while you get it straightened out.
 
  #8  
Old 09-28-16, 10:00 AM
T
Member
Thread Starter
Join Date: Oct 2014
Posts: 238
Received 4 Upvotes on 4 Posts
Thanks spikester, that is helpful information.
 
  #9  
Old 10-09-16, 09:29 PM
S
Member
Join Date: Oct 2016
Posts: 7
Upvotes: 0
Received 0 Upvotes on 0 Posts
A few things in response to some of the posts in this thread:
  • Just looking for the S in HTTPS doesn't always work well. For one, if you are on a phishing (fraudulant) website that looks like the website you are expecting, they can easily have the page encrypted so it has the S. Plus as the OP's question about mixed content web pages pointed out, your browser may not display the S even though the area of the page you are putting your CC# in IS secured and on a legitimate website. Encrypting all traffic on a busy page at a high traffic site takes a lot more horsepower for the servers and is slower from the end user's perspective, so some sites have portions of the page in the clear.
  • If you look at credit card fraud across the industry more credit cards are stolen "offline" than online. That person you talked to on the phone, that waitress that copied your CC info, that retailer who went cheap and their cash registers don't encrypt the transfer of the CC info to the server in back room and/or the payment processing center, or speaking of payment processing center, they've been hacked. The last stats I saw about a year ago it wasn't even close, online credit card thefts were in the minority compared to other ways your card info was stolen. But online credit card theft is a sexier news story that is easier to understand.
  • Looking for the S in https is still a good thing to do, but also arrive at that page by a bookmark or googling amazon, not typing in amazon.com where you may fat finger it in and make a typo.
  • Don't follow links in emails even if they look real. Go to the site yourself via the previous bullet.
  • Find last "." in the web address and look at the preceding domain name to be sure it is what you think it his. https : // www(dot)amazon(dot)com(dot)secure(dot)com/I_just_phished_you is secure.com, not amazon.com. Just an example, don't follow that link, I have no idea who secure.com is, lol.
  • You are not liable for fraudulent charges to your credit card if you report them in a timely manner (just look at your monthly statements). You are responsible for some if you use a debit card ($50?). Having your card stolen is a pain, but it isn't as if they get your entire identity, which would be a nightmare. Be safe, but don't be paranoid.
  • Oh, and don't do credentialed anything (buying stuff, email, etc.) while on public wifi networks unless you are using a VPN or something. Too easy to have an eavesdropper in that hotel room down the hall.

Also, I personally don't show my ID at cash registers when asked. Sign the back of your card and keep your ID private. The merchant agreement for both Visa and MasterCard specifically states to retailers they can not force you to show an ID. Part of this is to make it convenient for you to have your relative use your card for you, but another part of it is to prevent personal data displayed on your ID from being stolen too.

I know some of that sounds tinfoil-hatty, but information security is was what I did for a good part of this last decade.
 
  #10  
Old 10-09-16, 09:36 PM
T
Member
Thread Starter
Join Date: Oct 2014
Posts: 238
Received 4 Upvotes on 4 Posts
.............

thanks sunnyowl.
 
 

Thread Tools
Search this Thread
 
Ask a Question
Question Title:
Description:
Your question will be posted in: