
"Trustworthy" Scammers & Checking Website Before Doing Business With Them

I read with interest an article from The Register yesterday, "Malware Lurks Behind Safety Seal" that looked at some research done by Ben Edelman for his PhD at Harvard.

Within his report he stated, "I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to “complex” commercial sites." He also determined, by cross-referencing 500,000 websites, that of the ones with TRUSTe certification, 5.4% were linked to either spamming or spyware, compared to 2.5% of the sites with no TRUSTe certification.

TRUSTe disputed the findings. They indicate that some of the sites Edelman reported as having the TRUSTe seal either did not actually have it, or had the seal revoked.

The research report and TRUSTe rebuttal are interesting reads.

Bottom line, consumers must realize that web seals typically only represent the "certification" of that site at one point in time. The security and trustworthiness of a site will change as site updates are made, staff changes are made, and other business changes occur. A web seal shows only that a certification vendor considered the site trustworthy on the date indicated on the seal; take it with a grain of salt, because the site may have become less trustworthy since the seal was issued.

If you aren't sure about doing business with a site, don't stop at the seal. Among other things, look at their posted privacy policy (if they don't have one, that's a red flag). See whether they use SSL for collecting personal and sensitive information. See whether they use cookies in an acceptable way (very simplistically, meaning they do not store meaningful or personal data in clear text within cookies). Check that they don't use web bugs on their site, and that they have not been involved in any litigation or had adverse audit findings about their site security.
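The technical part of that checklist (privacy policy link, SSL on forms that collect data, cleartext personal data in cookies, 1x1 web bugs) can be scripted against a page you have already retrieved. This is an added example, not code from the original post; the page URL, HTML and Set-Cookie values are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

class SiteAudit(HTMLParser):
    """Collect the checklist items from one HTML page: a privacy-policy link,
    every form's action URL, and 1x1 images that look like web bugs."""
    def __init__(self):
        super().__init__()
        self.privacy_link = False
        self.form_actions = []
        self.web_bugs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.privacy_link = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.web_bugs.append(a.get("src") or "")

# Very rough detector for personal data stored in clear text: e-mail addresses
# and US SSN-shaped numbers. Extend to whatever you consider sensitive.
PII_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{3}-\d{2}-\d{4}\b")

def submits_over_ssl(page_url, action):
    # A relative action posts back to the page's own origin, so it inherits
    # the page's scheme; an absolute action is judged on its own scheme.
    target = action if "://" in action else page_url
    return target.lower().startswith("https://")

def audit(page_url, html, set_cookies):
    """Return a list of human-readable findings; empty means no red flags."""
    p = SiteAudit()
    p.feed(html)
    findings = []
    if not p.privacy_link:
        findings.append("no privacy policy link on the page")
    for action in p.form_actions:
        if not submits_over_ssl(page_url, action):
            findings.append(f"form submits without SSL: {action or '(same page)'}")
    for c in set_cookies:
        name, _, rest = c.partition("=")
        value = rest.split(";", 1)[0]
        if PII_PATTERN.search(value):
            findings.append(f"cookie carries cleartext personal data: {name}")
    for src in p.web_bugs:
        findings.append(f"1x1 tracking image (web bug): {src}")
    return findings

# Constructed sample: an http:// checkout page with a payment form, a tracking
# pixel, no privacy link, and a cookie holding the user's e-mail address.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """<html><body>
<form action="/pay" method="post"><input name="card"></form>
<img src="http://tracker.example/p.gif" width="1" height="1">
<a href="/about">About us</a></body></html>"""
SAMPLE_COOKIES = ["session=abc123; Path=/", "user=jane.doe@example.com; Path=/"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES):
        print("-", finding)
```

Run it against the HTML and Set-Cookie headers captured from your own browser session; it reports the four red flags in the sample and nothing for a page that passes.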

Yes, I know that is a lot of checking to do before you make that purchase that you really, really wanted. You may decide to take the risk. But just keep in mind that the fewer checks you perform before doing business with a site, the more likely it is that you will experience some adverse consequences.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.