How to Shop Online Like a Security Pro
‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.
Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.
Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at huge discount.
I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.
Here are some other safety and security tips to keep in mind when shopping online:
-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.
If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.
-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.
No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.
Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.
Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.
-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.
To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”). But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean the site is legitimate. Nor is it any sort of testimonial that the site has been security-hardened against intrusion from hackers.
The https:// part of the address merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. Even so, anti-phishing company PhishLabs found in a survey last year that more than 80% of respondents believed the green lock indicated that a website was either legitimate and/or safe.
Now that anyone can get SSL certificates for free, phishers and other scammers that ply their trade via fake Web sites are starting to up their game. In December 2017, PhishLabs estimated that a quarter of all phishing Web sites were outfitting their scam pages with SSL certificates to make them appear more trustworthy. That percentage has almost certainly increased a year later.
-CHCEK THE SHIPPING
Often times, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.
Be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.
-DON’T TAKE THE BAIT
Be on guard against phishing and malware schemes that take advantage of shopper distraction and frenzy during the holidays. In years past we’ve seen both leverage emails crafted to look like they were sent from a name-brand store claiming that there was a problem with your order or some component of the shipping process.
One perennial phishing and malware scam that seems to kick into high gear around the holidays is spam that purports to have been sent by the U.S. Postal Service, FedEx, UPS or some other shipping service, warning of a wayward package.
When in doubt about such a message, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments in email — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.
-SCOUR YOUR STATEMENTS
Some credit card companies offer cardholders that ability to use “virtual credit cards” — apps that generate a unique, ephemeral credit card number that is good for just one purchase or for a short period of time. The idea being that if fraudsters compromise the virtual card number, your bank doesn’t have to issue you a new card and you won’t have the headache that comes with entering new card details at all of the sites where you’ve set up automatic monthly payments.
These virtual cards are nice in theory, but I’ve never been a big fan. Probably because in many cases they require users to have risky add-ons installed and enabled — like Java or Flash Player. But, hey, if this works for you, great.
Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.
If you’re planning to spend time with friends and family this holiday season, consider giving the gift of your time and helping out with a security checkup. This might involve making sure that new or old PC has up-to-date security software and the requisite software patches, or locking down their wireless router by enabling security features and disabling risky ones.
If you’re visiting parents or older relatives, consider helping them plant their flags at various online sites and services if they haven’t already done so, such as at the Social Security Administration, the U.S. Postal Service, or their wireless phone provider and/or Internet Service Provider (ISP).
You’d definitely make it off of Santa’s naughty list if you helped your loved ones take stock of which online accounts could benefit from more robust multi-factor authentication — and perhaps even guiding them away from SMS/text messages for multifactor toward more secure app- or key-based options, where available. You might even take a minute to explain the perils of re-using passwords across multiple sites, and see if they’re interested in using a password manager.
While you’re at it, ask your friends and family if they’ve frozen their credit files at the major consumer credit bureaus. If not, talk with them about what this entails and how it can help ward off identity theft. If they’re game, you might even consider helping them set it up and ensuring that freeze PINs are securely stored so the information is easily available when and if their credit files ever need to be thawed.
This post first appeared on Krebs on Security