With Cyber Monday just around the corner, many people still wonder if it is safe to buy online during end-of-the-year sales events. Of course it is safe in the sense that you won't be pushed, hit, or crushed by other customers who also want to get their hands on the big deals. But is your credit or debit card information safe when you shop online? If you take a few basic precautions, you can enjoy the big discounts and not worry about getting into trouble.
Historically, November and December are the months with the most online transactions, and are therefore the months in which cyber-criminals are the most active.
We will enumerate the top five security threats you may encounter when shopping online and give you hints about how to shop safely on these dates.
1. Phishing
The Anti-Phishing Working Group reports that in the last quarter of 2014, there was an 18 percent increase in the number of unique phishing reports compared to the previous quarter, and that Retail/Service was the most targeted industry sector in the fourth quarter of 2014, with Payment Services close behind.
Phishing is possibly the most dangerous threat this season. Phishing occurs when cyber criminals attempt to get your usernames, passwords, and credit card details by creating a fake version of a real and well-known site. Users get tricked into entering their sensitive information, thinking that the site is the real one. You may enter one of these sites by misspelling the site address, or by following links on forged emails, ads, or posts.
Here are some tips to follow to make sure you don't log into a phishing site:
- Double check the URL of the page you are on, making sure it has no typos before entering sensitive data. Forged sites may look exactly the same as the original ones.
- Look for the padlock. Whenever you are going to enter your information, be it your username, passwords, or your credit card data, verify that the site has a secure connection. The URL should start with https instead of http.
You can also use phishing filters as an additional measure to keep yourself protected against this threat. Modern browsers, such as Chrome, Opera, Internet Explorer, Microsoft Edge, and Safari, offer built-in anti-phishing features. Furthermore, you can get specific anti-phishing software from the top antivirus and security companies, such as Avast, Avira, ESET, Kaspersky, and others.
2. Having a weak password
Big sites typically have strong security measures, but security is only as strong as its weakest link. Don't let your password be your weakest link, especially if your password is for a site that contains sensitive information, such as your credit card information. Nowadays, several sites enforce the usage of secure passwords, but for those that don't, you should be proactive.
Here are some tips to help you create a secure password:
- Don't use information related to yourself that can be obtained easily, such as ID numbers, your nickname, your pet's name, and so on.
- Use a long password (10+ characters) with lower and uppercase letters, numbers, and symbols. An easy way to get a secure password is to start with a phrase you know, or better yet, some random words, and replace some characters with numbers and symbols. For example: "I love donuts" can be converted to: Il0v3D0nuts, which is quite a strong password.
Some sites have features to alert you (through email or text) when suspicious activity in your account occurs, such as failed login attempts, logins from a different country, or logins at unusual hours. If you have the choice, always enable this option.
3. Malware and social network scams
Malware and social network scams are a latent threat, which is expected to increase during this season. Don't trust unbelievable deals if they come from unreliable sources, such as an email or social media, as they are probably not true. Fake deals will redirect you to phishing sites or trick you into downloading malware. With the rise of social media, attackers are focusing on its users. Social media gives attackers a high propagation rate, as affected users will share posts and links with all their friends/followers without even knowing the danger they pose.
Here are some hints to help you avoid malware and scams.
- If you see a suspicious post from a friend, don't open the link. Tell your friend about it, ensure that your friend really published the post, and take action immediately.
- Keep your operating system up to date, as some security holes are patched as soon as they are detected.
- If you are using a retail store's application, make sure you have the latest version, be it a mobile or desktop app. Just as with operating systems, application updates may fix detected security holes and improve stability.
- Install antivirus and malware protection software.
4. Using public terminals and networks
Never, ever enter your credit card number on a public Wi-Fi network or terminal. Really, we cannot stress enough how bad an idea this is. Anyone can be on a public network, including attackers listening to the network traffic, and public networks offer no security. It doesn't matter whether the site you are trying to access is secure, if the way you get there is not. Private networks, or even 3G/4G mobile networks, are safer.
5. Shopping at unsecure sites
Maybe you want to buy something from a small site, or a new site. Maybe that little-known site is the only one that has that precious item you want. Well, you can do it if you trust the company, but you will be safest if you check to see that the site meets the following security measures:
- Ensure that the site protects the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts the information you input. You can verify this by checking to see that the URL of the website starts with https, and that the browser shows the padlock icon to indicate the use of SSL certificates.
- Read the privacy and security information for the site to find out how it handles privacy and security. From this document, you can also learn whether the site takes security seriously. For example, you can find out whether it implements Brute Force Protection and IP logging, among other measures.
- Some sites outsource their payment platforms to online payment services such as Paypal; in this way, these well-known services handle all the user's data and typically have strong security measures in place.
- Share only as much information as is necessary to make your purchase. For example, if a site asks you for your social security number, employer, relative's information, and such, do not trust that site.
- If you log in using a social provider, always verify the information that the site asks for. Often you will find that sites ask for information that they do not need, such as your friends list.
Aside: Protecting your users is easy with Auth0
If you are a developer and want to protect your application, you can use Auth0 to authenticate and authorize your users.
Auth0's Lock component requires users to enter their credentials over HTTPS to guarantee that the information is transmitted securely.
Additionally, you can define password policies to customize the level of complexity of the passwords a user enters during sign-ups. Auth0 offers five levels of security matching the OWASP password recommendations:
- None (default): The password must exist and be at least one character long.
- Low: The password must be at least six characters long.
- Fair: The password must be at least eight characters long and must contain a lower case letter, an upper case letter, and a number.
- Good: The password must be at least eight characters long and must contain at least three of the following four types of characters: a lower case letter, an upper case letter, a number, or a special character (e.g. !@#$%^&*).
- Excellent: The password must be at least 10 characters long. It must contain no more than two identical characters in a row (e.g., "aaa" is not allowed). It must contain at least three of the following four types of characters: a lower case letter, an upper case letter, a number, and a special character (e.g. !@#$%^&*).
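The five levels, written out as checks, show how the rules relate to each other. This is an added example, not Auth0's code: the function names are hypothetical, and it assumes that only the special characters listed above count as special.

```javascript
// Added illustration of the five levels as worded in the list above.
// Not Auth0's implementation; all names here are hypothetical.
// Assumption: only the characters !@#$%^&* count as "special".
const TYPES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[!@#$%^&*]/];

const len = (pw) => [...pw].length; // count code points, not UTF-16 units
const countTypes = (pw) => TYPES.filter((re) => re.test(pw)).length;
const hasTripleRepeat = (pw) => /(.)\1\1/.test(pw); // e.g. "aaa"

// Ordered from weakest to strongest, one rule per bullet.
const POLICIES = [
  ["none", (pw) => len(pw) >= 1],
  ["low", (pw) => len(pw) >= 6],
  // Fair names its three required types explicitly.
  ["fair", (pw) => len(pw) >= 8 && TYPES.slice(0, 3).every((re) => re.test(pw))],
  // Good accepts any three of the four types.
  ["good", (pw) => len(pw) >= 8 && countTypes(pw) >= 3],
  ["excellent", (pw) =>
    len(pw) >= 10 && !hasTripleRepeat(pw) && countTypes(pw) >= 3],
];

// Returns true if the password satisfies the named level.
function meetsPolicy(pw, level) {
  const entry = POLICIES.find(([name]) => name === level);
  if (!entry) throw new Error(`unknown policy level: ${level}`);
  return entry[1](pw);
}

// Returns the strongest level the password satisfies, or null if none.
function strongestLevel(pw) {
  let best = null;
  for (const [name, rule] of POLICIES) if (rule(pw)) best = name;
  return best;
}

// Constructed sample passwords, including the article's own example.
for (const pw of ["Il0v3D0nuts", "Passw0rd", "Paaassw0rd1", "abcDEF!!xx"]) {
  console.log(pw, "->", strongestLevel(pw));
}
```

Because Fair names its three character types while Good accepts any three of four, a password with no digit such as `abcDEF!!xx` satisfies Good and Excellent but not Fair, so test against the level you configured rather than assuming each level contains the one below it.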
Finally, we would like to give you a word of advice to complement these tips. Use a low-limit credit card to buy online; that way, even if it does get compromised, attackers won't do much damage. And, more importantly, check your credit card statement periodically; if you detect unknown or suspicious charges, you will be able to contact your bank and reject the transactions.
Keep these things in mind, and we promise you will be buying from the comfort of your couch, getting Cyber Monday deals safely and securely.