New Evidence Suggests Internet Shopping Is a Safe Option

Which is safer: buying something in a convenience store or over the Internet?

Given all the attention Internet crime is getting, you might think cyberspace is more dangerous. In fact, just last week the FBI arrested a computer hacker, charging him with stealing 100,000 credit-card numbers via the Internet. But now there is new evidence that shows online businesses are actually more secure than the local corner store.

An analysis of six years of computer attacks reported to the Computer Emergency Response Team in Pittsburgh suggests that a computer network linked to the Internet was likely to be infiltrated an average of once every 10 years. That was far less than the average convenience store, which was robbed every year and a half. By taking basic precautions, security analysts say, consumers and companies can protect themselves fairly well.

The trick is taking the right precautions.

For example, a big debate is whether shoppers should use their credit-card numbers online. The consensus is that it is wise to avoid doing so unless the online store can send the data in scrambled form. (The process is often referred to as making a "secure link.") Still, some analysts warn against online transactions because the data can be unscrambled within a day or two using a desktop computer. Others counter that this risk is minimal.

"There are no total answers in any of this," says Sanford Sherizen, president of Data Security Systems in Natick, Mass.

But consumers and companies can reduce the risks of online theft. John Howard, a Carnegie Mellon University dissertation candidate who wrote the study on computer attacks, suggests three steps for consumers:

* Back up your important files.

* Use passwords that are at least eight characters long, that incorporate uppercase and lowercase letters and special characters such as punctuation, and that can be easily remembered without being written down.

* Make sure that access to your sensitive files is restricted if your computer is hooked up to your company's local network.

Companies can also do a much better job of protecting their computers from attacks. Last month, the NCSA started its own program of minimum computer-security requirements. Companies that pass its audit get the NCSA's seal of approval.

"These things together get you a 10-fold (but we think its closer to 100-fold) reduction in risk," says Peter Tippett, president of the National Computer Security Association, based in Carlisle, Pa.