Your 2017 Safe Holiday Shopping Guide
By Anthony Giandomenico, Product Manager FortiSIEM & Threat Intelligence at Fortinet
Starting the Friday after Thanksgiving, millions of Americans will be braving the crowds and heading out to malls, big-box stores, and local merchants looking to take advantage of seasonal discounts.
Are you ready? You are building your shopping lists, checking your credit card balances, scanning for can’t miss deals, and planning your shopping itineraries. You may have even installed new apps that can automatically scan and compare prices to make sure you are getting the best deal.
But what about cybersecurity? How safe are you when you are holiday shopping? Here are some things to consider when you are out and about during the 2017 holiday shopping season.
Shopping today requires a number of electronic transactions, whether you are swiping your credit card or pulling cash out of the ATM. Of course, data breaches and identity theft continue to be a problem. But when you are making purchases elbow to elbow with a mob of other shoppers, you need to be more careful than ever.
Here are a few things to be on the lookout for. If you see any of these things, our advice is that you may want to pay with cash, use a different machine, move to a different cashier, or shop somewhere else. And let someone know.
ATM and credit card skimmers
Whether you are getting cash from your ATM, buying gas, or swiping your card at the store, the holiday season always sees a spike credit card usage – as well as a spike in having that credit card data stolen. The problem is that we are in a hurry, there is a crush of people around us, we have been standing in line forever, and we just want to make our purchase and get in the car. But being careful only takes a few seconds. Here are few things to keep in mind:
There are a number of different ways that criminals can steal your credit card data. Skimmers are electronic devices that are designed to either slide on top of or over an existing card reader, or can be inserted into the card reader slot in something like an ATM or gas pump. They look remarkably like the original credit card reader, but they capture your credit card data and PIN when you make your transaction.
What to look for:
- “We’ve been having trouble with that card reader all day.” That may be true. It also may be because a skimmer has been placed on that reader that uses those extra card swipes to capture your data before letting you make your purchase. You might want go to another line or rethink your purchase.
- Look for signs of tampering. Are the colors or materials on the device consistent? Are the graphics aligned? Are there gaps or seams between components? Do components line up exactly? Is there any damage around the card slot that might indicate that it was forcefully removed or replaced?
- Hide your PIN. Some skimmers have a pinhole camera located nearby to capture your PIN. They can be disguised as anything. Best practice is to cover the keypad with one hand while entering your PIN with the other.
- Compare devices. Does the device you are using look like the ones around it? Check colors, flashing lights, size of the device, materials used, etc.
- Wiggle everything. ATMs and credit card machines are designed to withstand thousands of users. They don’t have loose parts or components. If the cover moves, the keypad is loose, the card slot wiggles or moves when you push on it or when you insert your card, or anything feels less than industrial grade, move on.
- Check to see if the tamper-proof tape on the credit card component placed on many gas pumps and public ATMs is intact. Most will display a VOID message if they have been tampered with or removed. And if there is no tape on your pump, look to see if there is tape on other pumps. If there is, use another device.
- Use your credit card rather than your debit card as it provides you with fraud protection.
- Report what you find. Most ATMS have a phone number to report something suspicious, and cashiers and store managers need to be alerted. It’s the holiday season – take a few minutes to help the next shopper in line.
NFC (near-field communications) risks
If you are using a contactless payment card or your smartphone to pay for items, you should know that these devices use a technology called near-field communications that can be monitored and captured remotely. Of course, the person intercepting your payment data almost always needs to be close by, usually within a few feet, and most of the time you can spot someone just oddly lingering next to the checkout registers. But at holiday time shoppers can surround you. So if you are using a contactless payment system, look around you first, and then insist that anyone standing right next to you move several feet away before you use your phone to make your purchase.
Chip reader bypass attacks – Banks and credit card companies have finally started rolling out cards with embedded chips that make stealing and duplicating their data more difficult. But they still have magnetic strips for all those machines still out there without a chip reader, and card readers still read magnetic strips because many cards do not yet have chips.
Cybercriminals will disable a chip reader or cause it to display an error, forcing you to swipe your card using your magnetic strip data. If a payment device has been enabled to read chips but keeps giving you an error message, you may want to consider an alternate form of payment.
Track your bank and credit card statements
Look at your bank and credit card statements online during heavy shopping periods, rather than waiting for your statement to arrive in the mail weeks later. The quicker you spot unauthorized transactions the faster you can get the resolves and limit your exposure.
Protect your purchases
The last thing you want to do is spend hours and money finding that perfect gift, only to have someone else walk off with it. Here are a few things you should know
Don’t leave stuff in your car. – Even if it’s locked in the trunk. Here’s why. Electronic car key fobs that allow you to remotely lock and unlock your car, open the trunk, or even start it and run the heater or air conditioning are now standard issue. They might be convenient, but they aren’t necessarily secure.
Your key fob and your car’s electronic security system both use algorithms to generate a random lock code. When the devices are synched together, and you press on your fob, the numbers match and the car locks or unlocks itself. Unfortunately, these devices sometimes get out of synch. Manufacturers solve that problem by letting the devices store a rolling set of numbers, called a rolling code scheme, so that if the numbers don’t match right away it can search for other codes looking for a match. It doesn’t matter what you drive – with few exceptions, most manufacturers all pretty much use the same concept, and in certain cases, may be vulnerable to this type of attack.
Unfortunately, so do a number of other devices that connect to each other, like walkie-talkies and other connected toys. And with a few simple modifications, a criminal can use these devices to communicate with other systems, like your car. And online hackers have made it easy, with step-by-step instructional videos and libraries of stolen algorithms for virtually any car imaginable. All a criminal needs to do is follow the instructions, download the algorithm and rolling code schemes for a range of automobiles, and then broadcast it across a parking lot. And like magic, car doors unlock and trunks pop open.
Unfortunately, this technique is not just limited to automobiles. The same hack can be used to open a surprising number of garage doors and other electronic locks that use the same sort of rolling code scheme, and step-by-step instructions are likewise available online to enable cybercriminals of just about any skill level to take advantage of this vulnerability.
Home deliveries – Of course, everyone is familiar with items delivered to someone’s home being stolen right off the porch or doorstep. Here are some things to do to protect purchases that are being delivered to your home.
- When possible, require a signature for delivery.
- Have items arriving during the day be delivered to your office or place of business.
- If that’s not possible, require packages to be left at an alternate location, such as a side or back door, behind the bushes, or with a neighbor.
Many of the items being purchased this holiday season are devices that connect to the Internet for one reason or another. Unfortunately, few of these devices were designed with security in mind. These devices can often be used to collect personal information, or they can be hijacked and used as weapons, such as a recent series of denial of service attacks that redirected traffic from tens of millions of compromised devices, such as digital cameras and DVRs, to shut down the online services of a targeted victim.
Vulnerable connected devices can include:
- Smart entertainment systems– game consoles, TVs, DVRs, DVD players, and online gaming
- Smart accessories– watches, phones, tablets, laptops, weather clocks, radios
- Smart toys– dolls and toys with corresponding online lives and data, remote controlled vehicles – including those that can be driven or flown using your smartphone, interactive toys that can be updated online
- Smart appliances– everything from toothbrushes to washing machines
- Smart cars– entertainment systems, communications, onboard computers and diagnostic systems, and automated payment systems for parking or fuel
Of course, hacking these devices themselves is not really the problem. No one is really interested in hacking into your smartwatch to figure out your exercise routines, your calorie intake, or your weight loss plan. But they ARE using reconnaissance hacks to discover your passwords for the WiFi network at work, or your account information for automatic online purchases, to steal or spoof your identity, or even to figure out when you are away from home.
And that toothbrush that automatically orders new brush heads or humidifier that orders new filters? What if 1,000 of them show up at your door that have already been billed to your account?
We all need to become more aware.
While there are standards established for the secure transmission and storage of credit card information required by the payment card industry, there are currently no legal requirements that the connected devices you buy are safe from cybercriminals. As consumers we need to insist that vendors take this challenge seriously. Many times, security standards are created only as a reaction to the fear of government-mandated regulation, or the loss of business.
Banks, retailers, and other point of sale services also need a way to verify that the electronic devices we use to make purchases and conduct financial transactions haven’t been tampered with. Tamper-proof systems, security tools that detect unexpected behavior, and automated physical inspection of devices need to be required.
And finally, we need to take the time to educate ourselves – and our friends and family – about how to shop carefully and safely.
Happy – and Safe – Holidays!