The shopping season is upon us, and like it or not there are lots of individuals who would love to replace your happiness with their sadness. Thus, at this festive time of the year, it is imperative to give some thought and prep time to your and your family’s shopping habits and the security that surrounds those habits. If you’re like most people, you will NOT be using cash for all your holiday purchases. Therefore, it's important to ensure you're taking steps to keep your card and bank accounts secure.

Most bad actors purchase or download software from what’s known as the “dark web”. Software on the dark web is generally “known”, proven-to-work code that can give malicious users the ability to access, capture and obtain user information and data from unsuspecting computer systems and users. The good news is that most security vendors are aware of these software packages and actively track and alert on their installation, usage and existence. As individuals, we should also take additional steps to ensure all accounts that we use are secure. What are some of the steps we should be taking this season to ensure our accounts are protected?
Staying Safe When Shopping Online
While very convenient, popular and propped up with the latest mobile apps and technology, online shopping is where most malicious activity happens, and it is where most of the media attention is given. Is it possible that a vendor you normally shop at has been hacked in the past? If so, were you aware of the hack, and did you take steps to ensure your security? Maybe you received a letter providing you with a free one-year subscription to a credit card protection service. Did you sign up? Maybe a bad incident hit the news, but little action was taken by the vendor? Over the past 5 years, when large vendors were breached it made immediate news, but as time has passed it seems that many of these breaches go unnoticed. What can you do to protect yourself and your family?
1. Changing passwords: For every vendor you regularly shop with, and for those that will be new to you this holiday season, please take these best-practice steps. Navigate to the vendor's website login and then go to the account section. There should be an option to change your password or to reset it. What should be in a password? Most vendors now require the password to be at least 8 characters long, with at least 1 uppercase, 1 numeric, 1 lowercase and 1 special character. This policy creates passwords that are hard to decipher.
However, there is a better way that still satisfies the same policy: try a phrase instead. The longer the password, the harder it is to crack. Use something familiar but modified a bit, so that it is easy to remember, for example: “Pet3rPeterPumpkinEaterHad@WifeWhoWasVeryPretty2”. This password is 46 characters long, meets the password policy, and would be extremely hard to crack, yet it is easy to remember. Also, avoid reusing the same password on multiple sites, and use a reputable password manager to store and log all your passwords.
2. Protecting my Email: Bad actors love to harvest personal information from you, whether it be on your personal or work-related devices. Cell phones, laptops, workstations and tablets are all capable of email, and all are targeted by bad actors. The number one tactic used is called “phishing”. Put yourself in the mind of a hacker who has his/her eye on you or those you know. You could be a random target because your email address is known. In how many places do we provide our email address(es)? Is it on a business card? Is it public knowledge on social media?
So, what is phishing?
Webster defines it as “a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly”.
An example of this could be: One day late in the year, Susan was sitting at her desk at work and received an email notification. Upon reviewing the email, it looked like her company's HR department was asking her to verify the information on file so that it could be modified or carried over to the following year's benefits. The email provided a link and a "Thank you"! Before clicking that link, ask yourself:
a) Is this legitimate? If you’re not sure, call HR to verify.
b) Verify the link. Hover over it: is it recognizable? Many times, links within phishing emails will redirect you to malicious webpages or sites, or will quickly download malicious code to your local system for the purpose of data collection.
If in doubt about the email’s validity, ask!
3. BEWARE of Telemarketing Phone Calls: There is malicious code out there that uses telemarketing as a front. For example, a telemarketer makes phone calls and offers deals that are unheard of, and through the process the telemarketer gains the trust of the shopper. The telemarketer obtains the shopper's email address, sends an email and then asks the shopper to open the attachment to get the certificate/coupon needed for the incredible transaction (all while still on the phone for authenticity). While a fake coupon is presented within the attachment, malicious spy code is also installed on the shopper’s device, allowing web passwords, app passwords and payment information to be captured and sold later.
Staying Safe when Shopping Offline
Many people feel it is much safer to shop at local brick-and-mortar stores because of all the press generated by reported online breaches. However, is this a myth? Shoppers like to take items home immediately, and the ability to browse, touch and feel a product is a huge driver as well.
1. What is PoS or “Point of Sale”? PoS terminals process sales at what are commonly called cash registers, or at the store “checkout” counter. PoS terminals are commonly attacked by bad actors, who use creative ways of getting malicious code onto a PoS terminal or the PoS backend where the processing happens (i.e. a PoS server). Bad actors are after credit card information, including names and expiration dates. If possible, they would love to obtain the 3-digit code present on the back of most credit cards as well. This information is generally captured and then sold to the highest bidder(s) on the dark web. The information is commonly used to create fake credit cards, which are also sold and used to purchase items illegally and defraud you.
2. What is RFID or “Radio Frequency Identification”? One of the most common ways of protecting an item for sale, as well as safeguarding credit cards, is through the use of RFID technology. RFID tags are found on most common store items today and are disabled when scanned at the cash register. An RFID tag that is NOT disabled at the cash register will cause alerting systems at store exits to sound an alarm. As annoying as this is, it helps store owners keep the cost of theft down.
RFID is also used to safeguard credit card data. How, you ask? Many vendors who manufacture card-carrying wallets and handbags offer a form of RFID that is installed in their products. This technology “jams” any attempts to use NFC (see item 3 below) to remotely access and capture information from one or more credit cards, even if the credit cards are not being used. There are mobile app methods to test this safeguarding technology before going shopping, and it is recommended to do so.
3. What is NFC or “Near Field Communications”? NFC devices can be found attached to cash registers. These devices have the ability to read your credit card or payment card without having to scan it. In addition, NFC technology can scan your mobile device's payment app to process payment for goods or services. But did you know that bad actors also use NFC technology to read and attempt to steal your personal and credit card data?
Just like that scanning device at the register, bad actors can carry a mobile scanner that’s actively scanning and capturing personal and credit card information. Ever had a person stand really close to you in a store, or purposely bump into you while using pleasantries like “excuse me” or “I’m sorry”? While I am not proclaiming those individuals are out to get you, I am stating that you need to be aware of your surroundings and be cautious while shopping in the wild outdoors.
4. I’d also like to note that recently there was a breach detected at a fast-food restaurant, where the drive-up window clerk appeared to be using their cell phone while processing customer credit card orders. It was determined that the employee was maliciously taking pictures of customer credit cards and then using those credit cards for online purchases.
In conclusion, while shopping this holiday season, whether it be online or at the local mall, love, be friendly, but also be aware of your surroundings. Merry Christmas and Happy Holidays to all 😊!