Zero Trust And Skepticism In E-Commerce

Let’s continue the discussion about cybersecurity and implementation for National Cybersecurity Awareness Month (NCSAM). Shifting from the more business-oriented technical topics, let’s talk about Zero Trust and E-Commerce. The concept of Zero Trust Architecture (also known as Zero Trust Networking) operates under the idea that no one system should inherently trust any other system.

This model errs on the side of caution and, in today's digital ecosystem, lends itself to practical implementation more now than when John Kindervag introduced it in 2010. While we need to trust that the websites and systems we use for E-Commerce are safe, we must perform appropriate checks to confirm that they are.

E-Commerce

When navigating to a site to buy something, the old advice was to check for the green padlock. Checking for the lock is still good advice, but it is not enough: scammers and criminals have taken to compromising legitimate sites that already support HTTPS, as well as applying SSL/TLS certificates to their own malicious websites.

While universal access to encryption is essential, it is also crucial to understand that encryption cannot be universally trusted. Let's Encrypt, a service that issues free SSL/TLS certificates valid for 90 days, is a solution that could also enable malicious actors and criminals in their quest to trick victims.

Supplementing the previous advice, a click on the padlock followed by a click on the certificate itself tells users to whom the certificate was issued and for how long it is valid. For more advanced users, sites like crt.sh offer insight into the lifecycle of certificates.
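The padlock dialog shows three things worth reading: who the certificate was issued to, who issued it, and its validity window. The script below is an added example, not code from the original article: `fetch_cert()` pulls the live certificate for a host (it needs network access), while `summarize_cert()` works on the dictionary shape that Python's `ssl.getpeercert()` returns, so the constructed `SAMPLE_CERT` (a made-up 90-day certificate with a made-up issuer chain) exercises it offline. `CHECK_TIME` is a fixed "now" so the sample evaluates the same way every run.

```python
"""Read a TLS certificate the way the browser's padlock dialog presents it:
issued to, issued by, validity window, and whether the name actually matches
the site you typed. Added example; SAMPLE_CERT and CHECK_TIME are constructed."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _field(rdn_seq, key: str) -> str:
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested tuples."""
    for rdn in rdn_seq:
        for name, value in rdn:
            if name == key:
                return value
    return ""


def san_matches(cert: dict, host: str) -> bool:
    """Check the host against DNS subjectAltName entries, honouring one-label wildcards."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            if "." in host and host.split(".", 1)[1] == value[2:]:
                return True
        elif value == host:
            return True
    return False


def summarize_cert(cert: dict, host: str, now: Optional[datetime] = None) -> dict:
    """Return the facts a skeptical shopper wants before entering card details."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issued_to": _field(cert["subject"], "commonName"),
        "issued_by": _field(cert["issuer"], "organizationName"),
        "lifetime_days": (not_after - not_before).days,   # 90 is typical of a free short-lived cert
        "days_remaining": (not_after - now).days,
        "currently_valid": not_before <= now <= not_after,
        "name_matches": san_matches(cert, host),
    }


# Constructed sample in getpeercert() format: a 90-day certificate for a fictional shop.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Oct  1 00:00:00 2023 GMT",
    "notAfter": "Dec 30 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}
# Fixed evaluation time so the offline sample is reproducible.
CHECK_TIME = datetime(2023, 11, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live mode: python cert_check.py shop.example
        host = sys.argv[1]
        print(summarize_cert(fetch_cert(host), host))
    else:                                       # offline mode on the constructed sample
        print(summarize_cert(SAMPLE_CERT, "shop.example", now=CHECK_TIME))
```

A mismatch in `name_matches`, an issuer you have never heard of, or a certificate that was issued yesterday for a "well-known" retailer are each a reason to stop and look more closely before paying.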

While credit card issuers have processes that let you contest charges and get refunds for fraudulent transactions, a prepaid card adds another layer of protection. Alternatively, you could use cryptocurrency (where accepted) or an anonymous payment method. Consider the long-term risk of your transaction before deciding how to pay.

Skeptical Analysis

Another strategy for mitigating trust issues on the web is to look at the URL in the address bar. Did you mean to go to arnaz0n.com instead of amazon.com? And if you are presented with a shortened URL like bit.ly or ow.ly, did you know you can expand it to see where it leads without clicking on it? Use a URL expander like the one on urlex.org.

Once you know which site you are going to, you can also check whether it has been observed hosting malware. VirusTotal maintains a record of websites that host malware, along with which of its many antivirus vendors identify or classify the site as malicious.
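The two checks above, reading the domain with a skeptical eye and then looking it up, can be scripted. The block below is an added example and not code from the original article or from VirusTotal: it flags typosquats such as arnaz0n.com by folding look-alike characters before comparing against a brand list, recognises hosts that hide their destination behind a shortener, and builds the identifier VirusTotal's v3 API uses for URL lookups (URL-safe base64 of the URL with padding stripped). The brand list, shortener list and confusable table are small constructed samples, the "registrable domain" logic is a deliberate simplification that takes the last two labels and does not use a public-suffix list, and nothing here sends a request.

```python
"""Skeptical URL review before clicking. Added example; brand, shortener and
confusable tables are constructed samples, not an authoritative list."""
import base64
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Hosts that hide the real destination; expand before visiting (constructed sample).
SHORTENER_HOSTS = {"bit.ly", "ow.ly", "t.co", "tinyurl.com"}

# Character swaps that read alike in an address bar (constructed, not exhaustive).
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def registrable_domain(url: str) -> str:
    """Last two host labels. Assumption: no public-suffix list, so co.uk-style TLDs are not handled."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def normalize_confusables(domain: str) -> str:
    """Fold look-alike sequences to the letters a reader perceives: arnaz0n -> amazon."""
    for pair, real in MULTI_CONFUSABLES:
        domain = domain.replace(pair, real)
    return domain.translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, brands: Iterable[str]) -> Optional[str]:
    """Return the brand a domain impersonates, or None if it is the brand itself or unrelated."""
    brands = list(brands)
    if domain in brands:
        return None                       # the real site is not a lookalike
    folded = normalize_confusables(domain)
    for brand in brands:
        if levenshtein(folded, brand) <= 1:
            return brand
    return None


def virustotal_url_id(url: str) -> str:
    """VirusTotal v3 URL identifier: URL-safe base64 of the URL with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def assess_url(url: str, brands: Iterable[str]) -> Dict[str, object]:
    """Everything a cautious shopper would want to know before following a link."""
    domain = registrable_domain(url)
    return {
        "domain": domain,
        "is_shortener": domain in SHORTENER_HOSTS,
        "lookalike_of": lookalike_of(domain, brands),
        "virustotal_url_id": virustotal_url_id(url),
    }


if __name__ == "__main__":
    for u in ("https://www.amazon.com/", "https://arnaz0n.com/deals", "https://bit.ly/3abcXYZ"):
        print(u, assess_url(u, ["amazon.com"]))
```

The identifier is what you would pass to a `GET /api/v3/urls/{id}` lookup; looking up an existing report rather than submitting the URL avoids telling the attacker's site that someone is inspecting it.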

Zero Trust

Zero Trust applies to systems, networks, devices, emails and people. When interacting with another person or computer, there is nothing wrong with taking a moment to assess the truthfulness of their intentions. As an industry, we have been preaching this for many years in the email space, and the role of phishing in enabling the rise of ransomware has only amplified the message.

As stated above, when navigating the web, critique what is presented. You are wholly responsible for your personal cybersecurity and should be a good steward of technology at work.

Connecting to an open Wi-Fi network is rarely a good idea. Doing so on your personal device could allow criminals to steal your identity and implant malware. Neither of these outcomes is good. While they are not permanent, they are painful and can throw a proverbial wrench into your plans and aspirations.

Connecting to that same network with your work computer, especially without also connecting to a VPN, can spell disaster for your employer. Not only may the company be subjected to credential theft or malware, but an intruder may also gain access to customer data or the company's crown jewels. Public charging stations for mobile devices are another opportunity for criminals to steal troves of data. People only want to charge their devices, so they may authorize whatever trust prompt appears in order to complete the charge. Without taking a station apart, it is impossible to know what lies between the power source and the connector inserted into the phone or tablet.

Conclusion

Zero Trust is an excellent concept for improving your own security. Be skeptical when what is presented differs from what you expected. No one cares about you and your best interests more than you do. Instilling a somewhat dystopian mindset, in which nothing digital is trusted by default, can save you from headaches in the future.


I joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. I am the inaugural winner of the DerbyCon Soc...