X

Hackers try to con the wrong mom. Knitting circle not the same

The eagle-eyed Char Yarema noticed something wasn't right when shopping online. But experts say not enough people know how to stay safe.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

Hands knitting

Jonathan Yarema's mom likes knitting -- not computers. But she figured out something was wrong with a shopping website she visited because her son warned her to look for the padlock icon in the upper-left corner of the website.

James Martin/CNET

Has your mom ever helped you bust an online criminal operation? If you're Jonathan Yarema, the answer is yes.

His mom, Char, noticed the padlock icon -- the way your computer tells you your connection is private -- was missing from the top left corner of a shopping website she was visiting. Worried, she got in touch her son.

"I bubble-talked him," 67-year-old Char Yarema said, coining her own momspeak for texting on an iPhone.

Jonathan, 38, happens to be a consultant at cybersecurity firm Trustwave. He took a look at the code behind the suspicious website and it turned out hackers behind a Russian website were receiving a copy of everything his mom typed into the checkout form. That included her credit card information, which Char immediately canceled. Mom and son declined to name the retailer.

Cybersecurity experts say the vast majority of online shoppers have no idea what that little padlock is supposed to mean. Many may not even recognize it's supposed to be there, they worry.

The padlock tells you whether someone could intercept personal information, like your credit card or Social Security number, when it's sent over the Web. Sites sporting the padlock icon scramble all information using encryption as it travels. The website the Yaremas encountered not only failed to offer this protection, but had been compromised by hackers who tinkered with its code, as detailed by a company blog post in December.

If you've seen a red or yellow padlock, you've encountered a website whose private connection has been broken. That means the website was at least trying to offer protection, but something went wrong with the code. Websites with no padlock icon aren't offering a private connection.

A 2007 study from researchers at Harvard and MIT found websites with no padlock were especially dangerous. Participants in the study failed to notice there was no padlock, and entered their passwords over unsafe connections.

To get people up to speed, Mozilla said earlier this week it would put a red "X" next to URLs without a private connection if the websites asked you to enter a password. Last year, Mozilla said it will eventually stop supporting websites that don't offer a safe connection. Google has made similar plans for the Chrome browser.

Google declined to comment beyond its announcement. Mozilla also referred to its previous blog posts about its plans.

Nick Sullivan, head of cryptography at cybersecurity firm CloudFlare, said efforts to encourage websites to use private connections are great. The sticking point is that many websites don't offer a private connection now, so users will likely ignore the red "X" when they encounter it over and over again.

"Warning fatigue is a thing," Sullivan said. "This is really toeing an interesting line psychologically."

Of course, a private connection alone won't keep your information safe from every attack. The lack of a padlock tipped Char off to the hacked shopping website. But, even if the website had offered a private connection, the attack would have worked because it stole the information before it was sent to the retailer.

What's more, companies still have to keep your information secure once it gets to their computers. If hackers break into a company's servers and steal your personal information, it won't matter if you sent the data over a private connection.

Mama Char is spreading the word about the padlock after her experience. She started with her knitting group, whose oldest member is in her 80s.

"We were at a luncheon at Christmastime and I told them what had happened," Char said. "And they looked at me like, 'Whoa.'"

Char says she's still a little "paranoid" after her brush with hackers.

"Before, my biggest fear was that I would be pressing the wrong buttons and I would break the computer," Char said. "Now I'm not so concerned about breaking the computer as I am about ruining our credit."