LinuxInsider.com

How to Use a VPN for Safer Online Shopping

By John Mason E-Commerce Times ECT News Network
Dec 4, 2018 11:43 AM PT
[Image: A virtual private network, or VPN, can bolster online shopping security]

With the holidays fast approaching, are you looking to buy presents online?

The holiday season has become synonymous with online shopping. This isn't really surprising as physical stores usually attract crowds of deal hunters. This often conjures up images of throngs of people waiting in line outside the store, some even camping out. This activity is tolerable for some and even fun for others. However, for many others, it's not worth the hassle.

Why would it be, when there are perfectly legitimate and convenient alternatives online?

Well, for one thing, many people shop online without first thinking about their security. Most people are led to believe -- or want to believe -- that all e-commerce sites are secure. This isn't completely true. With so much personal and financial information being exchanged, online shoppers aren't the only ones enjoying the holiday rush -- cybercriminals are too!

Still, it's possible to add security to your e-commerce transactions by using a virtual private network. A VPN can help you enjoy your online shopping experience without worrying about falling prey to cybercriminals.

The Cybercrime Problem

First, here are some of the pressing reasons for securing e-commerce transactions in the first place.

As you know, e-commerce stores usually require you to register with their site in order to enjoy their services. This involves trusting them with your personal information, usernames, passwords, and credit card details -- information that you'd rather did not fall into the wrong hands.

The thing is, cybercriminals know this fact. They will descend to any depth just to get their hands on such information. How exactly do they do this?

KRACK Attacks

A KRACK (key reinstallation attack) is a severe replay attack on the WiFi Protected Access protocol that secures WiFi connections.

An attacker gradually matches encrypted packets seen before and learns the full keychain used to encrypt the traffic by repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake. This attack works against all modern WiFi networks.

Simply put, KRACK attacks can intercept sent data by infiltrating your WiFi connection, no matter which major platform you're on (Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others). These attacks require the attacker to be within the range of the WiFi connection they're trying to infiltrate, which means they might lurk somewhere near or inside your home, office or school.

MitM Attacks

In a MitM (Man-in-the-Middle) attack, the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

This attack can succeed only when the attacker can impersonate each endpoint to the other's satisfaction, delivering results as expected from the legitimate ends.

In the context of e-commerce transactions, these attacks are done on unprotected WiFi networks like the ones you find in airports, hotels and coffee shops. This is actually one of the reasons I often suggest that people stay away from public WiFi unless they're packing some security software.

With this type of attack, you never know if the person sipping coffee at the next table is simply checking up on social media accounts or is actually sifting through the data being sent by other patrons.

Rogue Networks

Imagine yourself going to a downtown hotel to visit a friend. You wait in the lobby and decide to connect to the hotel WiFi while you wait. You find that there seem to be two networks with the same name, so you connect to the one with the stronger signal.

STOP! You may be connecting to a rogue network.

Rogue networks are ones that impersonate legitimate networks to lure unsuspecting users into logging in. This usually is done by setting up near a public WiFi network and then copying that network's name, or making it appear that it's an extension of the legitimate network.

The main problem with this is that you never know who set up the rogue network or what data is vulnerable to monitoring and recording.

The Green Padlock's Trustworthiness

Now, you may have heard that HTTPS sites can give you the security you need while you're visiting them. Most, if not all, e-commerce sites are certified and will have a green padlock and an "HTTPS" prefix in their URL to reassure visitors that their transactions are safe and encrypted.

Hypertext Transfer Protocol Secure, HTTPS, is a variant of the standard HTTP Web transfer protocol, which adds a layer of security on the data in transit through a secure socket layer (SSL) or transport layer security (TLS) protocol connection, according to Malwarebytes.

The thing is, just because your connection to a site is encrypted doesn't automatically make the site safe. Bad actors actually can forge SSL certificates and make it appear that their site is safe. Even worse, anyone can get an SSL certificate -- even cybercriminals. The certificate authority simply needs to verify the site owner's identity and that's it -- the owner gets an SSL certificate.

Now, bringing it all back, I'm not saying that all sites with green padlocks are unsafe. What I am saying is that you shouldn't rely solely on the presence of these green padlocks to keep your transactions safe.

A VPN Can Provide Security

I'm now getting to the meat of the matter: using a VPN to secure your e-commerce transactions.

A virtual private network, or VPN, is software that routes your connection through a server or servers and hides your online activity by encrypting your data and masking your true IP address with a different one.

Once you activate the client, the VPN will encrypt your data, even before it reaches the network provider. This is better understood if you have basic knowledge of how online searches work.

Let's say that you're looking to buy some scented candles to give as emergency gifts. You open your browser and type in "scented holiday candles" and press "search."

Once you do, your browser will send a query containing your search words. This query first goes through a network provider (your ISP or the owner of the WiFi network you've connected to), which can monitor and record the contents of these queries.

After going through the network provider, your query is sent to a DNS (domain name system) server that searches its databanks for the proper IP address corresponding to your query. If the DNS server can't find the proper IP address, it forwards your query until the proper IP address is found.

The problem with this is that the contents of your query consist of easily readable plain text. This means that hackers or your ISP are able to view and record the information contained therein. If that information is your name, username, password, credit card information, or banking credentials, they're in danger of being viewed or stolen.

These queries also can be traced (by hackers or your ISP) back to your IP address which usually is traceable to your personal identity. This is how bad actors infiltrating your connection can discover what you're doing online.

So, with a VPN active, your online transactions and private information will get an extra layer of protection through encryption and IP address masking.
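The DNS lookup step of the flow described above, as an added Go example that is not code from the article or from any VPN product: it encodes a query for the constructed hostname shop.example.com in DNS wire format, shows that anyone on the path can read the name straight back out of the raw bytes, and then wraps the same packet the way a VPN data channel does, modelled here with AES-256-GCM under a key shared only by client and VPN server. The helper names buildDNSQuery, observeQueryName, tunnelSeal, tunnelOpen and labelVisible, the key and the hostname are this example's own assumptions, not any protocol's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildDNSQuery encodes a minimal RFC 1035 query (type A, class IN) for name,
// exactly as a stub resolver sends it in plaintext over UDP port 53.
func buildDNSQuery(id uint16, name string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // standard query, recursion desired
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT: one question
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)           // zero-length root label ends the name
	return append(msg, 0, 1, 0, 1) // QTYPE A, QCLASS IN
}

// observeQueryName is what the ISP, the hotspot owner or a rogue access point
// can do with that packet: read the question name straight out of the bytes.
func observeQueryName(pkt []byte) (string, error) {
	if len(pkt) < 12 || binary.BigEndian.Uint16(pkt[4:]) == 0 {
		return "", errors.New("not a DNS query")
	}
	var labels []string
	i := 12
	for {
		if i >= len(pkt) {
			return "", errors.New("truncated name")
		}
		n := int(pkt[i])
		i++
		if n == 0 {
			break
		}
		if n&0xC0 != 0 || i+n > len(pkt) { // compression pointers never appear in a question
			return "", errors.New("malformed label")
		}
		labels = append(labels, string(pkt[i:i+n]))
		i += n
	}
	return strings.Join(labels, "."), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tunnelSeal stands in for a VPN data channel: the whole DNS packet becomes
// AES-256-GCM ciphertext under a key only the client and the VPN server hold.
func tunnelSeal(key, pkt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pkt, nil), nil // wire = nonce || ciphertext || tag
}

// tunnelOpen is the VPN server's side: recover the packet, rejecting any tampering.
func tunnelOpen(key, wire []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < gcm.NonceSize() {
		return nil, errors.New("short packet")
	}
	return gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
}

// labelVisible reports whether a DNS label can be read in the bytes on the wire.
func labelVisible(wire []byte, label string) bool { return bytes.Contains(wire, []byte(label)) }

func main() {
	key := make([]byte, 32) // constructed 256-bit session key; a real VPN derives it in its handshake
	rand.Read(key)
	plain := buildDNSQuery(0x1234, "shop.example.com") // constructed shop hostname
	name, _ := observeQueryName(plain)
	sealed, _ := tunnelSeal(key, plain)
	inner, _ := tunnelOpen(key, sealed)
	fmt.Println("observer reads from plain packet:   ", name)
	fmt.Println("'example' readable in sealed packet:", labelVisible(sealed, "example"))
	fmt.Println("VPN server recovers original packet:", bytes.Equal(inner, plain))
}
```

Without the tunnel the observer recovers the hostname from the packet directly; inside the tunnel the same bytes carry no readable label and cannot be opened without the key, and a single flipped byte is rejected by the GCM tag. That integrity check is part of what "encrypting your data" buys that a plain DNS packet lacks. The tunnel only hides the lookup from the local network and ISP, though: the VPN server itself still sees the name, which is the point of the logging discussion further down.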

When discussing VPNs, it's always important to consider the protocols they use. These protocols determine the security level and connection speed. As of this moment, there are five major VPN protocols:

  1. PPTP (Point-To-Point Tunneling Protocol)

    PPTP is one of the oldest protocols still in use today. It originally was designed by Microsoft. The good thing about this protocol is that it still works on old computers. It's a part of the Windows operating system, and it's easy to set up. The problem is, by today's standards, it's not the most secure. You wouldn't want a VPN provider that offers this protocol alone.

  2. L2TP/IPsec (Layer 2 Tunneling Protocol)

    L2TP/IPsec is a combination of PPTP and Cisco's L2F protocol. On paper, this protocol's concept actually is quite sound: It uses keys to establish a secure connection on each end of your data tunnel. The problem is in the execution, which isn't very safe.

    While the addition of the IPsec protocol does improve security a bit, there are still reports of NSA's alleged ability to crack this protocol and see what's being transmitted. Whether the rumors are true or not, the fact that there's a debate at all should be enough of a warning to anyone relying on this protocol.

  3. SSTP (Secure Socket Tunneling Protocol)

    SSTP is another protocol that traces its roots to Microsoft. It establishes its connection by utilizing SSL/TLS encryption which is the de facto standard for modern day Web encryption. SSL and TLS utilize setups built on symmetric-key cryptography in which only the two parties involved in the transfer can decode the data within. Overall, SSTP is a very secure protocol.

  4. IKEv2 (Internet Key Exchange, Version 2)

    IKEv2 is yet another Microsoft-built protocol. It's simply a tunneling protocol with a secure key exchange session. Although it is an iteration of Microsoft's previous protocols, it actually provides you with some of the best security. It requires pairing with IPsec to gain encryption and authentication, which is what most mobile VPNs use because it works well while your VPN reconnects during those brief times of connection loss or network switching.

    Unfortunately, there is also strong evidence that the NSA is spying on mobile users using this protocol.

  5. OpenVPN

    This takes what's best in the above protocols and does away with most of the flaws. It's an open source protocol based on SSL/TLS, and it is one of the fastest and most secure protocols today. It protects your data by using, among other things, nigh-unbreakable AES encryption with 256-bit keys, 2048-bit RSA authentication, and a 160-bit SHA1 hash algorithm.

    One notable flaw it does have is its susceptibility to VORACLE attacks, but most VPNs already have solved this problem. Overall, it's still the most versatile and secure protocol out there.

About Free VPNs and Jurisdictions

Now you've learned about the risks you may face with your e-commerce transactions and how you can avoid those risks by using a VPN with the right protocol. However, you may have heard rumors about VPNs not being as safe as they seem to be.

These rumors are partly true.

Not all VPNs can be trusted. There are VPNs that purport to be "free forever" while you're actually paying with your personal information. Needless to say, you should avoid these types of VPNs and instead look for trustworthy VPN services.

Another rumor you may have heard is that trusting VPN companies with your personal data is just as bad as trusting your data to your ISP. This is only true for VPNs that log your data and are situated in a jurisdiction under any of the 14-eyes countries. This is why you should look into your VPN's logging and privacy policy, as well as the country it is situated in.

In Conclusion

Buying online for the holidays can be an enjoyable and fulfilling experience if your transactions are secure. Protect your private information from KRACK, MitM, and rogue networks by using a VPN to encrypt your data and hide your IP address.

When using a VPN, remember to choose the most secure protocol available, and beware of free VPNs or those that log your data while inside 14-eyes jurisdictions.

Follow these steps, and you'll be well on your way to more secure e-commerce transactions.


John Mason, an avid privacy advocate, is founder of TheBestVPN and serves as its chief researcher.

