Do you remember the first time you heard the term “hijacking”? It probably seemed very distant, because the chances you would be on a commercial airliner that was seized by terrorists were and are very low. What about the first time you heard of “carjacking”? This is a little scarier for the average American, because many of us own cars. The chances you’ll be attacked while getting in your car, or while stopped at a light, are still relatively low, but they’re higher than the chances your cruise liner will be boarded by pirates. Now, however, there’s a new “jacking” you need to worry about, and the chances it could affect you are very high. It’s clickjacking, and if you use a Web browser, you could be vulnerable to this threat.
For obvious security reasons, detailed information about the clickjacking threat is hard to find – because the more these exploits are discussed, the more aware of them (and willing and able to use them) criminal hackers become. Simply disabling your browser’s various scripts and plug-ins will probably keep you safe (or at least make you safer), but it’s no guarantee, especially in the absence of truly thorough information on the problem.
The good and bad news, again according to Computerworld, is that this type of threat is not really new and is similar to a cross-site request forgery. You know those security windows that sometimes pop up when you navigate to a site, telling you that the “security certificate presented by this website was not issued by a trusted certificate authority” and that such certificate problems “may indicate an attempt to fool you or intercept any data you send to the server”? Well, this type of browser security exists specifically to stop this type of information traffic “hijacking.” Clickjacking is simply the latest permutation of the problem.
The sad reality is that absolutely anything, any data, any personal information or details, any financial transaction that you make online could potentially be intercepted and misused. This is reality. Faced with this reality, you have only two choices. You can become a Luddite and shun all technology, disabling all scripts and plug-ins for those rare occasions when you dare navigate to specific websites – or you can join the rest of us in the real world, and accept the risk knowingly, responding with prudent caution but accepting a certain amount of uncertainty.
On a day-to-day basis, your personal information is in no more danger when you make credit card purchases over the Internet than it is when you hand your card over to a server in a restaurant. Your waiter disappears with your card and could make any number of unauthorized purchases with it. Fortunately, though, if your credit card is compromised either in person or online, you generally are not liable for the fraudulent charges (and it is relatively easy to dispute a charge). The dangers increase when you input increasingly sensitive data, of course, such as the detailed personal information and Social Security number you would need to transmit if you are applying for a loan online.
There are many online monitoring systems that can be used to safeguard your identity and to monitor attempts at identity theft. These include companies like LifeLock and various credit reporting sites (the incredibly annoying jingles for at least one of these are probably stuck in your head right now, if you watch television or listen to the radio). Using services like these helps you catch, pre-empt or correct problems as they occur, or before irreparable damage can be done. Do not forget, however, that these services cut both ways. There are countless “private investigation” websites that, for a fee, will produce all available public records for a person. This is great if you are checking up on someone before you, let’s say, hire an in-home nanny – and not so great if you’ve upset someone who posts your records on a public website to harass you or encourage theft of your identity.
With appropriate safeguarding systems in place and a little common sense (only doing business with established, trusted websites and being very aware of the vulnerabilities you expose when you exchange personal and/or financial data through online transfers of information), you can minimize the risks of Internet data theft. You will never be able to eliminate those risks entirely, nor should you ever feel completely secure with this type of online interaction. The threat of being “clickjacked” is only a piece of the overall problem, which is that information technology carries with it inherent risks that can never truly be eradicated.