With the end of the year, the volume of internet sales increases drastically due to Black Friday, Cyber Monday, Christmas, and New Year's Eve. Cyber criminals also increase their activity on these dates, as they want to go unnoticed in the high number of transactions.
For that reason, you should be aware of the threats you are exposed to, so that the season does not bring you an unwanted gift worse than your grandma's socks.
According to the Allianz Risk Barometer for 2015, cyber crime rose three positions from 2014 to become the fifth top global business risk of 2015. It is a big threat that continues to expand; you have to be informed about it and take action to avoid it.
Let’s take a look at the biggest threats that you should be aware of.
Malvertising: A growing threat
Malicious ads are online advertisements on legitimate websites created to deliver and spread spyware, ransomware, and other malware to end-user systems. They are usually shown as targeted pop-up advertisements or as banner ads on online shopping sites, news portals, social media sites, and gaming and adult platforms.
Unlike other malware delivery mechanisms which require user action (clicking a link or opening an email attachment), malvertisements often require no user interaction to work, which makes them quite dangerous.
Sometimes, just visiting a webpage with malicious ads on it is enough to infect a system. In other cases, users have to click fake Flash or Java updates, or fake anti-virus alerts, to get infected.
Typically, larger websites receive ads automatically through multiple ad brokers and networks, with little room to filter them. As advertisements are tailored to the user's demographics, location, and browsing history, attackers can deliver their malware to the victims they want.
Security vendor RiskIQ reported a shocking 260 percent increase in the number of detected malvertisements in the first half of 2015, compared to the same period last year.
Unfortunately, there isn't much you can do to avoid malvertising, but make sure you have antivirus software installed so that if you do stumble upon a bad ad, you will have an extra layer of protection.
Phishing
One of the most dangerous threats this season is phishing. Phishing occurs when cyber criminals attempt to get your usernames, passwords, and credit card details by creating a fake version of a real and well-known site. Users get tricked into entering their sensitive information, thinking that the site is the real one. You may arrive at one of these sites by misspelling the site address or by following links in forged emails, ads, or posts.
This time of year we always see several fake stores emerge. They are there for a couple of weeks, then disappear with your sensitive data and your money.
The Anti-Phishing Working Group reports that in the last quarter of 2014, there was an increase of 18 percent in the number of unique phishing reports compared to the previous quarter, and that Retail/Service was the most-targeted industry sector, with Payment Services close behind.
Getting lured to a phishing site or a fake store is a common mistake, and easy to make. It's very hard to tell if a site is legitimate without checking its registration records to see how long it's been online.
To confirm that you are on a real, legitimate site, look for the https protocol at the beginning of the URL and check that there is a padlock icon, indicating that the identity of the site has been verified by a third-party certificate authority and that your information will be transmitted securely.
Weak Passwords
Big sites have strong security measures in place, but regardless of all that security, the weakest link is probably your password.
Nowadays, several sites enforce the use of secure passwords, but for those that don't, you should be proactive.
Here are some suggestions for creating passwords:
Don't use common passwords.
Don't use passwords related to your personal information.
Do use a combination of lowercase characters, uppercase characters, numbers, and symbols.
Do use long passwords: 10+ characters.
Change your passwords periodically.
If you use a phrase, using random words is preferred.
Use multifactor authentication wherever available. Multifactor authentication adds one or more security layers to accessing accounts, making them almost impossible to compromise, even if the attacker gets your password.
Using debit cards for online purchases
As debit cards are a direct link to your bank account, you should avoid using them for online purchases. If they get compromised, a cyber criminal can empty your bank or savings account.
Credit cards offer better protection against identity fraud and allow you to dispute any fraudulent charges. Even better, use a low-limit credit card that you reserve for online purchases.
Remember also to check your card statements frequently, especially during the holidays, and immediately dispute any suspicious charges.
Security holes due to outdated software
Update your software frequently on all your devices, including smartphones and tablets, as it will keep you safer. Cyber criminals are constantly working to discover security flaws that will grant them access to your sensitive information.
Nowadays, people know the importance of keeping their operating systems up to date to be protected against viruses and malware. But they often do not know that attackers have moved on to targeting browsers, which everyone uses to interact with the Web. They look for vulnerabilities in the browser, and especially in browser plugins such as Flash Player or Java.
To prevent these flaws from being exploited, make a habit of frequently updating both your operating system and any third-party applications, including browser plugins.
Not having anti-virus and anti-malware software
Whether you're using a Windows or a Mac computer, run anti-virus and anti-malware software. Macs are just as prone to getting viruses as Windows computers, contrary to what most people believe. This software doesn't degrade your computer's performance, especially on new devices. Lastly, schedule periodic full malware scans on your computers, at least once a month.
Unencrypted devices
Your personal devices - laptops, tablets, and mobile phones - typically contain a lot of sensitive information about you.
What if they end up in the wrong hands? Encrypt your devices. Encrypting scrambles the information so it is not easy to read. If any of your devices are lost or stolen, your sensitive data will be safe.
Encrypted devices protect your information if your device is stolen
Public WiFi
Never, ever send your sensitive information when on a public Wi-Fi network, especially if you want to buy online or log into your bank account. Most public Wi-Fi services are not secure. Cyber criminals may be watching the network, waiting for you to enter your personal information.
Recommendations to be safe from cyber criminals
Based on all the aforementioned threats, we created the following list of recommendations that you should consider to stay protected this season.
One easy way to confirm that you are on a legitimate site is to look for https:// at the beginning of the URL, and look for the padlock icon, identifying that the site has been approved by a third-party certification authority.
It doesn't matter how convincing a site might look - a deal that seems too good to be true probably is. Try to stick to stores you recognize, if possible.
Be wary of scams that spoof major retailers; always verify the URL.
Do not click on any links you do not recognize, especially if they come from an unknown source.
Use credit cards for online purchases; if you have low-limit cards, even better. Credit cards have better protection against identity fraud, should you be victimized.
Periodically review your credit card statements, and report suspicious transactions immediately.
Never disclose your credit card information, either online or over the phone, unless you know who you are doing business with.
Use strong passwords for your accounts.
Passwords you use on shopping sites should never match passwords you use for more sensitive sites, such as your bank, social media networks, or cloud storage accounts.
Password management software is a very good idea: it lets you have a different strong password for each site you use without memorizing them. You just have to remember the password that unlocks the password manager. Password management software helps you create complex passwords for your accounts and automatically submits them when you need to log in. There are even excellent free alternatives, such as LastPass.
Use multifactor authentication wherever available. Multifactor authentication adds one or more security layers to accessing accounts, making them almost impossible to compromise, even if the attacker has your password. For example, Amazon added this option a few days ago.
If you use your smartphone to shop online or use online banking, make sure your mobile devices are protected using a password or your fingerprint. This reduces the chance of losing confidential data if your phone is stolen.
Equip your devices with security software (anti-virus and anti-malware) and encrypt them if possible.
Aside: Protecting your users is easy with Auth0
If you are a developer and want to protect your application, you can use Auth0 to authenticate and authorize your users.
Auth0's Lock component requires users to submit their credentials over the https protocol to guarantee that the information is transmitted securely.
Additionally, you can define password policies to customize the level of complexity of the passwords a user enters during sign-up. Auth0 offers five levels of security, matching the OWASP password recommendations:
- None (default): The password must exist and be at least one character long.
- Low: The password must be at least six characters long.
- Fair: The password must be at least eight characters long and must contain a lower case letter, an upper case letter, and a number.
- Good: The password must be at least eight characters long and must contain at least three of the following four types of characters: a lower case letter, an upper case letter, a number, or a special character (e.g. !@#$%^&*).
- Excellent: The password must be at least 10 characters long. It must contain no more than two identical characters in a row (e.g., "aaa" is not allowed). It must contain at least three of the following four types of characters: a lower case letter, an upper case letter, a number, and a special character (e.g. !@#$%^&*).
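As an added illustration (not Auth0's own code), here is a small checker that evaluates a candidate password against the five policy levels exactly as they are listed above; the set of "special" characters is assumed to be ASCII punctuation, since the page only gives examples.

```python
import re
import string

# Assumption: "special character" means any ASCII punctuation (the page lists
# !@#$%^&* only as examples).
SPECIALS = set(string.punctuation)

LEVELS = ("none", "low", "fair", "good", "excellent")


def _char_classes(pw):
    """Presence flags for the four character classes: lower, upper, digit, special."""
    return [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]


def _has_triple_repeat(pw):
    """True if some character occurs three or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1\1", pw) is not None


def check_policy(pw, level):
    """Return True if pw satisfies the named policy level, as listed on this page."""
    lower, upper, digit, _special = _char_classes(pw)
    classes = sum(_char_classes(pw))
    if level == "none":
        return len(pw) >= 1
    if level == "low":
        return len(pw) >= 6
    if level == "fair":
        return len(pw) >= 8 and lower and upper and digit
    if level == "good":
        return len(pw) >= 8 and classes >= 3
    if level == "excellent":
        return len(pw) >= 10 and not _has_triple_repeat(pw) and classes >= 3
    raise ValueError(f"unknown policy level: {level}")


def evaluate(pw):
    """Map every policy level to whether pw passes it (levels are not strictly nested:
    'Good' accepts a lower/digit/special password that 'Fair' rejects for lacking upper case)."""
    return {level: check_policy(pw, level) for level in LEVELS}
```

Note that the levels are not a strict ladder: a password without an upper case letter can pass Good while failing Fair, so a sign-up form should evaluate the one level it enforces rather than assume a higher level implies the lower ones.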
Lastly, you can also enable multifactor authentication in a few steps for extra security for your critical applications.
Closing Comments
Cyber criminals are always lurking to steal information from vulnerable devices and incautious customers, especially this season.
The best defense against cyber crime is prevention - knowing the threats and taking action to minimize the risk of being an easy target. We have given you the knowledge - use it to your advantage and shop safely.
About the author
Diego Poza
Sr Manager, Developer Advocacy