Let's go shopping!
As far as theft and fraud are concerned, you face (and willingly accept) a moderate amount of risk when you shop online or out in your local neighborhood. This holiday season is no different, but the risk is somewhat elevated, because criminals are looking for easy marks and low-hanging fruit.
With that said, here are a few tips to help you keep your money, gadgets, and information safe this holiday season, as well as the year ahead.
While shopping, or stopping for fuel, be mindful of credit card skimmers that can copy or read your card data as you swipe. Criminals use the captured information to create fake cards or go shopping online.
The skimmers sit on top of the credit card terminal at the register, or they can be installed inside the gas pump. The video in this article shows how quickly a skimmer can be installed, and how seamless it looks once it’s placed.
So how do you spot a skimmer?
“Look for glue around the edges of the card reader or an extra thick border. If in doubt, give the card machine a tug, a skimmer will pop right off,” said Dan Tentler, the founder of Phobos Group.
Earlier this year, skimmers were discovered at several registers in a Walmart.
Also, look for broken tamper seals at the gas pump. Many states are using these tamper seals to show that the pump hasn’t been tampered with. If in doubt, pay with cash.
Support scams happen year-round, but they’ll peak around the holiday season.
Often the goal is to get consumers to pay for support or software they don’t need, but sometimes the goals are more sinister. CSO has covered support scams before, including one where the caller pretended to be a Microsoft representative.
It isn’t a stretch to imagine scammers placing calls to fix the new computer that’s just come into the house – eventually they’ll get someone on the phone who did honestly purchase a new system.
Scammers will also pretend to be your bank this time of year, calling or emailing to “resolve” security concerns.
But neither Microsoft, nor your bank, will ever call or email you to address security concerns or support issues. In the rare occasion that your bank does call about a security matter, they will not ask for credit card details, passwords, or other personal information – they don’t need to, because they already have it.
“Never give any sensitive information over to the phone callers,” advised Tentler, adding that when scammers contact you by phone, they’ll usually hang up if you call their bluff and ask for their number in order to call them back.
Phishing attacks are another threat that spikes during the holidays but exists throughout the year.
Criminals will pretend to be big-name retail outlets or financial institutions and request information via email, or offer special savings as long as you open an attachment or follow a link. You should never click links inside a random email, and unless you were expecting an attachment, you shouldn’t open those either.
If you’d like to see what a URL does without visiting it, Tentler says, copy the URL and submit it to urlquery.net.
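One check that complements submitting a URL to a scanner is to look at where each link in a suspicious email actually points before deciding whether to do anything with it. The script below is an added example, not code from the article or from Tentler; it parses a constructed HTML email body (the `SAMPLE_EMAIL_HTML` string and the retailer domain `example-retailer.com` are made up for illustration) and reports links whose target host is not under the domain you expected, whose visible URL text differs from the real target, or which are not HTTPS. The `registered_domain` helper is a deliberately crude “last two labels” heuristic rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message). The first two
# links look like the retailer's site but point at unrelated hosts.
SAMPLE_EMAIL_HTML = """
<p>Holiday savings inside!</p>
<a href="https://www.example-retailer.com.holiday-deals.example/offer">https://www.example-retailer.com/holiday</a>
<a href="http://login.example-retailer.com.attacker.example/verify">Confirm your account</a>
<a href="https://www.example-retailer.com/gifts">Browse gifts</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude heuristic: the last two labels of a hostname (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_links(html, trusted_domain):
    """Return (href, text, reason) for each link that deserves suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        # The real destination must sit under the domain the email claims to be from.
        if registered_domain(host) != trusted_domain:
            reasons.append("link host %s is not under %s" % (host, trusted_domain))
        # If the visible text is itself a URL, it should agree with the real target.
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append("visible URL text does not match link target")
        if target.scheme != "https":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, reason in inspect_links(SAMPLE_EMAIL_HTML, "example-retailer.com"):
        print("SUSPICIOUS: %r (shown as %r): %s" % (href, text, reason))
```

Run against the sample, the first two links are reported and the third is not. The point of the exercise is the one the article makes: the text you see in an email says nothing about where the link goes.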
Another nasty type of email-based attack to watch for, one that has already affected millions of people this year, is ransomware. Ransomware essentially holds your computer hostage, rendering it useless unless a fee is paid. In the fourth quarter of 2016, millions of emails were sent by criminals with ransomware as attachments.
Wi-Fi access is a convenient way to save yourself from paying massive overage fees to your mobile provider, but there’s a risk involved when it comes to public Wi-Fi.
Criminals can create malicious access points, or hijack access points that were poorly configured. In fact, creating a fake access point and tricking people into connecting to it is literally child’s play, as a 10-year-old proved this summer during DEF CON.
If you don’t need Wi-Fi while out running errands, then you should avoid connecting to any of the access points listed. If you do need Wi-Fi, then using a VPN (virtual private network) and sticking to websites that use SSL is a way to lower some of the risk, but it won’t eliminate it completely.
“[A VPN] will securely transport your traffic through the network you’re currently on, into another one. This makes it extremely difficult for coffee shop networks, or attackers targeting your mobile phone to perform what are called man-in-the-middle (MITM) attacks. VPNs are handy to have while traveling abroad, or sitting in coffee shops,” Tentler explained.
Unless you’ve configured it yourself, each VPN offering will require payment. Remember the golden rule: if you’re not paying for the product, you are the product. So avoid free VPN offers if possible.
If you are using public Wi-Fi without a VPN, you should avoid conducting any banking or online shopping, as it’s usually safer to do such things from home.
Gifts from the Internet of Things
“Be careful what brands of equipment you buy for people [this holiday],” said Tentler.
“In the last month, cheap Chinese routers, DVRs and IP cameras have been compromised and used in massive worldwide DDoS attacks. Make sure your gift for a family member doesn’t turn into a weapon for an attacker.”
You can do this by ensuring that the default password on the device is changed. Not only is this a good security precaution to take all year long, but doing so will keep criminals from taking control of the device with little to no effort.
System and software patching
“Let your operating system patch itself,” Tentler said.
“On OSX and Windows 7, Windows 8, and Windows 10 this is mostly automated. Just let Windows do its thing. If it has been a while, go and manually install updates, just to make sure you’ve got the latest and greatest.”
Not only are operating system updates important, but browsers such as Firefox and Chrome will need to be regularly updated as well.
Firefox will install updates automatically, but you’ll need to restart the browser to apply them. You can check for updates in Firefox by clicking Help, then selecting About Firefox.
Chrome will also update automatically, and you’ll know updates are ready by the green icon on the upper right of the browser window.
These days, you need an ad blocker. Not only that, you’ll need to limit the number of websites added to the blocker’s exemption list.
Criminals are able to leverage ad networks in order to display malicious ads, often leading consumers to exploit kits that deliver ransomware or other malware to the system.
Imagine browsing the web on Christmas morning, only to have that new computer bricked because an ad on a website redirected you to a website serving the Locky family of ransomware. If your system isn’t updated and you’re not using an ad blocker, this is a real possibility.
uBlock Origin is the ad blocker preferred by most, as AdBlock Plus will still show “approved ads” – something that defeats the purpose of ad blocking entirely.
Two-Factor Authentication (2FA)
2FA, or Two-Factor Authentication, means you need your password in addition to a code that’s usually delivered to a token or via text message to your phone. It’s better to use a token, but service providers often stick to text messages.
With 2FA enabled, simply knowing your password won’t be enough if a criminal wants to access an account. However, if the criminal can intercept your text messages, or if they control your phone, the protection offered by 2FA is rendered useless.
“Setup 2FA everywhere you can, don’t make it easy for bad guys to get into your stuff,” Tentler said.
“Consider setting up a Google voice number, and using that Google voice number for SMS-based 2FA. Do not share this Google voice number with anybody. Use it only for your own, private two-factor authentication.”
Not every website you have an account on offers 2FA, but some do. At Turn On 2FA, you can get step-by-step instructions for enabling this layer of security on most of the larger, more popular websites.
Check your statements
Check your credit card and bank statements. You should be doing this all year long, not just during the holidays, Tentler said, so you can “watch for shady things appearing on that list.”
Look for charges you don’t recognize, or unusually small charges at places you normally shop. When testing a card, criminals sometimes make a small purchase, usually less than $10, because such charges aren’t flagged and people usually don’t notice them.
Common purchases for testing include fuel, fast food, grocery items, and gift cards.
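The two signals above, an unfamiliar merchant and a small charge in one of the categories used for card testing, are easy to turn into a filter you can run over an exported statement. The script below is an added example, not something from the article; the `STATEMENT` rows, the `KNOWN_MERCHANTS` set and the `flag_transactions` function are constructed for illustration, and the $10 threshold and category list come straight from the text.

```python
# Constructed sample statement (not real data): (date, merchant, category, amount in USD).
STATEMENT = [
    ("2016-12-01", "Corner Grocery", "grocery", 84.12),
    ("2016-12-02", "Corner Grocery", "grocery", 3.49),
    ("2016-12-03", "Main St Fuel", "fuel", 41.00),
    ("2016-12-03", "Main St Fuel", "fuel", 1.00),
    ("2016-12-04", "Quick Burger", "fast food", 12.40),
    ("2016-12-05", "Online Gift Cards Inc", "gift card", 9.99),
    ("2016-12-06", "Bookshop", "retail", 29.95),
    ("2016-12-08", "Unknown Electronics Ltd", "electronics", 499.00),
]

# Merchants the cardholder actually uses (constructed for the sample).
KNOWN_MERCHANTS = {"Corner Grocery", "Main St Fuel", "Quick Burger", "Bookshop"}

# From the article: test charges are usually under $10, in these categories.
TEST_CHARGE_LIMIT = 10.00
TEST_CHARGE_CATEGORIES = {"fuel", "fast food", "grocery", "gift card"}


def flag_transactions(statement, known_merchants):
    """Return (date, merchant, amount, reason) for every row worth a second look."""
    findings = []
    for date, merchant, category, amount in statement:
        reasons = []
        if merchant not in known_merchants:
            reasons.append("unfamiliar merchant")
        # A small charge in a card-testing category is suspicious even at a
        # familiar merchant: that is exactly where a thief hopes it blends in.
        if amount < TEST_CHARGE_LIMIT and category in TEST_CHARGE_CATEGORIES:
            reasons.append("small charge in a card-testing category")
        if reasons:
            findings.append((date, merchant, amount, "; ".join(reasons)))
    return findings


def flagged_total(statement, known_merchants):
    """Sum of the flagged amounts, a quick measure of how much is in question."""
    return round(sum(amount for _, _, amount, _ in flag_transactions(statement, known_merchants)), 2)


if __name__ == "__main__":
    for date, merchant, amount, reason in flag_transactions(STATEMENT, KNOWN_MERCHANTS):
        print("%s  %-25s %8.2f  %s" % (date, merchant, amount, reason))
    print("total under review: $%.2f" % flagged_total(STATEMENT, KNOWN_MERCHANTS))
```

On the sample data the $3.49 grocery and $1.00 fuel charges are flagged even though both merchants are familiar, which is the case the article warns about: the large legitimate purchase the same day makes the tiny one easy to overlook.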
RFID cards, sometimes branded with the name PayPass, Blink, ExpressPay, or PayWave, allow you to charge things with a quick tap of the card on the pay terminal.
The thing is, these cards have RFID (radio frequency identification) chips that criminals with a reader can scan, allowing them to capture your card’s data. You can protect them, though, by using an RFID-blocking sleeve or an RFID wallet.
“RFID wallets are available on Amazon, ThinkGeek, and several other sites that sell geek-style toys. They’re pretty readily available, and they shouldn’t hurt anything other than attackers with the intention of stealing credit card data directly out of your wallet wirelessly,” Tentler said.
The good news is that you would likely notice a criminal scanning you for RFID. Homemade RFID scanners don’t have a good range, and you’d notice someone standing in a room with a giant antenna. Snopes has a good article on RFID fraud, including video from a demo at the airport in Indianapolis.
If your card has a chip like the one shown in this image, keep in mind this is different from the RFID cards discussed in the previous slide. This chip means your card supports EMV, which is a new layer of card security introduced in the U.S. over the last year or so.
The goal of EMV was to lower card fraud in the U.S., but it isn’t a foolproof system. One of the biggest issues is that some retailers still don’t support EMV, despite the deadline passing in 2015. Also, while EMV has lowered the level of fraud at point-of-sale terminals, criminals have shifted to other types of fraud, such as card-not-present transactions online.
While shopping this holiday season, and every day after, if the card reader supports EMV, you should use that over swiping. If you do have to swipe the card, make sure the transaction is credit and not debit.
By now, you should have an EMV chip on your card. If you still haven’t received one, call your financial institution to find out why.