Your 2017 Safe Holiday Shopping Guide
We will soon be in the throes of the holiday gift-buying season. A whole set of must-have connected devices have hit the stores, from smart accessories and appliances, to game consoles and online games, to web-enabled toys. And we will be buying many of them online, especially on Cyber Monday.
Are you ready? You are scouting online shopping websites, loading apps that automatically scan sites and compare prices to make sure you are getting the best deal, building your shopping lists, and checking your credit card balances.
But what are your plans for cybersecurity? How safe are you when you are holiday shopping online? And how safe are the things you are buying? Here are some things to consider for the 2017 holiday shopping season.
1. Safe Online Shopping
Online shopping is capturing a larger portion of holiday shopping dollars every year. Given the rise in identity theft, malware, and phishing and scam sites, online shoppers need to be more careful than ever. But online shopping can be a safe way to buy things – if you follow a few simple rules:
- Use credit, not debit. Use your credit card rather than your debit card when making online purchases to take advantage of its built-in consumer fraud protection. If you use services such as PayPal, Apple Pay, or Google Wallet, make sure you are using payment options linked to a credit card, and not another payment method such as a checking account or provider credit.
- Where are you? Shopping at home is one thing, but if you are using the public WiFi connection at your local coffee shop you may want to think twice before making an online transaction. That’s because there are too many ways for someone to intercept your communications. For example, a man-in-the-middle attack occurs when that guy over in the corner with his laptop open is broadcasting his device as “Free Coffee Shop WiFi.” When you connect, he connects you to the Internet through his device and then captures all the traffic moving between you and your online shopping site. Remember that you should always use a secure, trusted VPN provider on any open WiFi network.
- What device are you using? If you may be doing some online shopping while visiting your brother or grandma, consider bringing your own laptop and reading the blog we posted a couple of years ago.
- What website are you shopping on? Lots of fake shopping sites pop up during the holidays, often offering great bargains and hard to find items to lure shoppers. If you are looking at items on a website you have never seen before, here are a few things to consider before making that purchase:
Look up the url at who.is. It will provide you with a variety of information, including when the site was first created, where they are located, and contact information. Be suspicious of anything that has only been online for a very short time.
Use your browser’s search engine to look for online reviews and ratings of the site.
Look at the website design. Does it look professional? Are the links accurate and fast? Are there lots of popups? All bad signs.
Look at the name of the site. Is the name very long, or does it contain lots of hyphens or numbers? Does it use the name of other popular brands or sites in its name? Does it replace letters with numbers, such as amaz0n.com?
Read the text. Bad grammar, unclear descriptions, and misspelled words are all giveaways that the site may not be legitimate.
Unusually low prices and high availability of hard to find items are red flags for scam sites.
Make sure they use a secure checkout system that accepts major credit cards. Avoid sites that require direct payments from your bank, wire transfers, or untraceable forms of payment.
Make sure they have a physical address and phone number, a clear return policy, and a privacy statement on how they will protect your information.
Our FortiClient software has built-in protection against many malicious or scam sites. The software is free and available for Windows and Mac OS X computers at www.forticlient.com.
- Do you have a secure connection? Any time you are online in a public location, or are making a financial or private transaction, make sure that your connection is secure and encrypted. Look at the URL bar of your browser and make sure that the address starts with https:// rather than http://, which means that the transaction is protected using SSL/TLS encryption. Also consider using a VPN (virtual private network) connection. If you are going to be online in public places frequently, there are a number of low-cost or no-cost services that will ensure that your connection is always protected.
- Track your bank and credit card statements – Look at your bank and credit card statements online during heavy shopping periods, rather than waiting for your statement to arrive in the mail weeks later. The quicker you spot unauthorized transactions, the faster you can get them resolved and limit your exposure.
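The website checklist above (domain age, hostname tricks such as hyphens, digits and borrowed brand names, and the https:// check) can be turned into a small screening script. The following is an added example and is not code from the original post or from Fortinet. It assumes a hypothetical brand list, a constructed WHOIS record for a made-up domain (a real check would fetch the record from who.is or a WHOIS server), and a fixed reference date so the result is reproducible; the public-suffix handling is deliberately crude.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Brands that look-alike shop sites commonly borrow. Hypothetical list for this
# example; add the merchants you actually shop with.
KNOWN_BRANDS = ("amazon", "apple", "paypal", "target", "walmart")

# Digit-for-letter swaps seen in look-alike names (amaz0n -> amazon).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed WHOIS record for a made-up domain, in the key/value layout most
# registries return; only the Creation Date line is used here.
SAMPLE_WHOIS = """\
Domain Name: SUPER-CHEAP-AMAZON-DEALS.COM
Registry Domain ID: EXAMPLE-ID-0000
Creation Date: 2017-11-14T09:12:44Z
Registrar: Example Registrar, Inc.
"""

# Reference "today" so the example is reproducible (Cyber Monday 2017).
NOW = datetime(2017, 11, 27, tzinfo=timezone.utc)


def registered_name(labels):
    """Return the label the owner registered, e.g. 'amazon' for www.amazon.co.uk.
    Crude public-suffix handling (assumption): a 2-letter TLD preceded by a
    short label such as 'co' is treated as a two-label suffix."""
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def hostname_flags(hostname):
    """Warnings for a shop hostname, following the checklist above."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    name = registered_name(labels)
    flags = []
    if len(host) > 30:
        flags.append("very long hostname")
    if host.count("-") >= 2:
        flags.append("many hyphens in hostname")
    if any(ch.isdigit() for ch in name):
        flags.append("digits in registered name")
        if name.translate(LEET_MAP) in KNOWN_BRANDS:
            flags.append("digits substituted into a known brand name")
    for brand in KNOWN_BRANDS:
        # A brand that appears anywhere except as the registered name itself
        # (secure-amazon-deals.com, amazon.evil-shop.com) is a look-alike signal.
        if brand in host and name != brand:
            flags.append(f"uses brand '{brand}' without being {brand}'s own domain")
    return flags


def parse_creation_date(whois_text):
    """Pull the registration date out of a WHOIS record; None if absent."""
    match = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def vet_shop_url(url, whois_text, now=NOW, min_age_days=180):
    """Combine the scheme check, hostname heuristics and domain age into one verdict."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    flags = []
    if parsed.scheme != "https":
        flags.append("checkout page is not served over https")
    flags.extend(hostname_flags(host))
    created = parse_creation_date(whois_text)
    if created is None:
        flags.append("WHOIS record has no creation date")
    elif now - created < timedelta(days=min_age_days):
        flags.append(f"domain registered only {(now - created).days} days ago")
    return {"hostname": host, "flags": flags, "risky": bool(flags)}


if __name__ == "__main__":
    verdict = vet_shop_url("http://super-cheap-amazon-deals.com/checkout", SAMPLE_WHOIS)
    for flag in verdict["flags"]:
        print("WARNING:", flag)
```

The brand-name heuristic will also flag legitimate names that merely contain a brand string (a site called pineapple-something would trip the "apple" rule), so treat the output as a list of things to look into rather than a verdict; a young domain with several flags is the pattern the checklist above warns about.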
2. Protect your purchases
The last thing you want to do is spend hours and money finding that perfect gift, only to have someone else walk off with it. Here are a few things you should know.
- Don’t leave your stuff in your garage – Many of the latest garage door openers use algorithms to generate a random lock code. Once the door opener and the remote are synced together, when you press the remote a check is made to ensure its lock code matches the garage door opener. Unfortunately, these devices sometimes get out of sync. Manufacturers solve that problem by letting the devices store a rolling set of numbers - called a rolling code scheme - so that if the numbers don’t match right away the opener can search for other codes looking for a match. (Remote locks on your car pretty much use the same concept.)
Unfortunately, a number of other devices that connect to each other, such as walkie-talkies and some connected toys, use the same rolling code scheme. And with a few simple modifications, a criminal can use these and other devices to communicate with your garage door. And you don’t need to be an engineer. Online hackers have made it easy, with step-by-step instructional videos and libraries of stolen algorithms. All a criminal needs to do is follow the instructions, download the algorithms and rolling code schemes, and then broadcast them while walking or driving. And like magic, garage doors open all down the street.
- Home delivery – Of course, everyone is familiar with home delivery items being stolen right off the porch or doorstep. Here are some things to do to protect purchases bought online.
When possible, require a signature for delivery.
Have items arriving during the day be delivered to your office or place of business.
If that’s not possible, require packages to be left at an alternate location, such as a side or back door, behind the bushes, or with a neighbor.
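To make the rolling code scheme from the garage door item above concrete, here is a simplified model of a transmitter and receiver that share a secret and a press counter. It is an added example, not code from the original post, from Fortinet, or from any opener manufacturer: the HMAC-based code derivation and the 16-count look-ahead window are assumptions standing in for vendor-specific designs. It shows why a code the receiver has already accepted is never accepted again, how the receiver resyncs when the remote has been pressed out of range, and why the window has to be bounded.

```python
import hashlib
import hmac

# Receiver look-ahead window: how many counters past the last accepted one the
# opener will test before giving up. Assumed value for this example.
WINDOW = 16


def make_code(key, counter):
    """Code transmitted for a given counter value. HMAC-SHA256 truncated to 32 bits
    stands in for the vendor-specific cipher a real opener would use (assumption)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Remote:
    """The hand-held transmitter: shares a secret with the opener and counts presses."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return make_code(self.key, self.counter)


class Opener:
    """The garage-side receiver: accepts a code only if it matches a counter
    strictly after the last accepted one and within WINDOW of it."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, code):
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(make_code(self.key, candidate), code):
                self.last_counter = candidate   # advance; every earlier code is now useless
                return True
        return False


def walk_through():
    """Exercise the situations the garage door item above describes."""
    key = b"constructed-shared-secret"
    remote, opener = Remote(key), Opener(key)
    first = remote.press()
    results = {"first_press": opener.receive(first)}
    results["same_code_again"] = opener.receive(first)       # counter 1 already consumed
    for _ in range(5):                                        # presses the door never heard
        remote.press()
    results["resync_within_window"] = opener.receive(remote.press())   # counter 7, inside window
    for _ in range(WINDOW + 5):                               # drift past the window
        remote.press()
    results["drift_past_window"] = opener.receive(remote.press())
    results["other_remote"] = opener.receive(Remote(b"some-other-secret").press())
    return results


if __name__ == "__main__":
    for name, accepted in walk_through().items():
        print(f"{name:24s} accepted={accepted}")
```

The design trade-off is visible in the last two results: a larger window makes resync after a drifted remote more forgiving, but it also widens the set of counters an opener will accept at any moment, which is why real products keep the window small and pair the scheme with a device-specific secret rather than a shared one.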
3. Connected devices
Many of the items being purchased this holiday season are devices that connect to the Internet for one reason or another. Unfortunately, few of these devices were designed with security in mind. These devices can often be used to collect personal information, or they can be hijacked and used as weapons, as in a recent series of denial-of-service attacks that used traffic from tens of millions of compromised devices, such as digital cameras and DVRs, to shut down the online services of a targeted victim.
Vulnerable connected devices can include:
- Smart entertainment systems - game consoles, TVs, DVRs, DVD players, and online gaming
- Smart accessories – watches, phones, tablets, laptops, weather clocks, radios
- Smart toys – dolls and toys with corresponding online lives and data, remote controlled vehicles – including those that can be driven or flown using your smartphone, interactive toys that can be updated online
- Smart appliances – everything from toothbrushes to washing machines
- Smart cars – entertainment systems, communications, onboard computers and diagnostic systems, and automated payment systems for parking or fuel
Of course, hacking these devices themselves is not really the problem. No one is really interested in hacking into your smartwatch to figure out your exercise routines, your calorie intake, or your weight loss plan. But they ARE using reconnaissance hacks to discover your passwords for the WiFi network at work, or your account information for automatic online purchases, to steal or spoof your identity, or even to figure out when you are away from home.
And that toothbrush that automatically orders new brush heads or humidifier that orders new filters? Imagine your surprise when 1,000 of them show up at your door that have already been billed to your account.
4. Emerging threats
We are also seeing a wave of new threats that are likely to begin targeting consumers. Here is a short list:
- Ransomware – This past year we saw the rise of targeted attacks that take over or encrypt computers or networks and demand the payment of a ransom for them to be released. We anticipate that this sort of ransom-based attack will be expanded to include connected home devices, such as alarm systems, refrigerators, heating systems, cars, utility meters, etc.
Given the right set of circumstances, a hacker could conceivably track your car, wait until you are far from home, and then lock you out or turn off your onboard systems. How much would you be willing to pay to get back into your car after a long day at the mall? Or to turn off your fire alarm system in the middle of the night? Or turn your heat back on?
- Hijacked online services – We are currently seeing literally millions of accounts for premium streaming and entertainment services for sale on dark web black market sites. We recommend that you look at your cable or satellite service bills carefully, and that you occasionally contact your service provider to ensure that you recognize all remote usage of these services.
- Stolen online accounts – We are also seeing stolen or spoofed online accounts that either already belong to someone else, or were opened using stolen credentials. Regularly check your accounts and track your bank and credit card statements for unauthorized purchases, and at a minimum, check your credit report for activity you do not recognize.
We all need to become responsible net citizens. That includes accountability. But where does accountability start?
While the payment card industry has established standards to protect consumers, there is no way to evaluate the security deployed by an online merchant. We should insist on an easy-to-recognize set of security certifications for online vendors, and a reliable source to validate those credentials so we can shop online for goods and services with confidence.
There are also no legal requirements that the connected devices you buy are protected from cybercriminals. As consumers we need to insist that vendors take this challenge seriously.
And finally, we need to take the time to educate ourselves – and our friends and family – about how to shop online more carefully and safely.
Happy – and Safe – Holidays!