With the holiday season kicking off, attackers will be on the hunt to exploit every opportunity they get, and most often they target the average user, who is the weakest link in the chain. The impact can range from stealing your personal information to emptying the funds in your bank account. Below are practical tips to keep in mind while you shop this holiday season so that you stay secure:

1. Check for HTTPS (Green Padlock):

Not everyone shops from well-known sites such as Amazon or eBay. If you are trying a new shopping site, check that the site has an SSL/TLS certificate. To verify this, the address should start with https:// and you should see the green padlock symbol in the address bar at the top.

This is very important for a couple of reasons:

  • This ensures that the information you transmit travels over an encrypted channel, meaning it cannot be read by an attacker sniffing your network. If you are browsing a site that does not use HTTPS, all of your details, including your username and password, can be viewed by an attacker who is connected to the same network.
  • An SSL certificate is generally issued (by companies such as Symantec) after extensive background checks on the organization and verification of website ownership. So apart from providing security over the network, having this certificate also suggests that the site is legitimate and not a fake or scam site. That said, there have been several cases where certificate authorities issued certificates to fake sites without proper verification. Hence do not rely entirely on the certificate to decide whether a site is legitimate!

2. Beware of Phishing Emails:

The holiday season is prime time for phishing attacks because of the increase in online purchases. Attackers aim to steal your credentials by sending fake emails with attractive offers, fake coupons, fake shipping notifications, etc. that lure users into clicking them. Any email that asks for your personal or account information, or asks you to pay outside the trusted online shopping site, should be treated as fraudulent. Below are a few tips to safeguard yourself from these kinds of attacks:

  • Carefully check the URL in the address bar: Attackers register domain names that look almost like the legitimate ones (e.g. www.amaz0n.com, where the "o" has been replaced with a zero). Be on the lookout for misspelled domain names, odd combinations, and extra affixes at the end of URLs.
  • Look out for poor grammar: In addition to misspelled words, phishing emails are often full of grammatical errors. If the email does not look professionally drafted, you might be looking at a scam.
  • Beware of embedded links: To verify where a link really goes, hover your cursor over it before clicking and read the destination URL carefully.

Do not assume that you will not be hacked; phishers do not discriminate!
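The lookalike checks described above (digit-for-letter swaps such as amaz0n, one-character typos, and a real brand name buried inside a longer host) can be automated. The following is an added example, not code from the original article; the allowlist of trusted shops and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist; a real filter would use the shops the user actually uses.
TRUSTED = ("amazon.com", "ebay.com", "paypal.com")

# Digit/letter confusables commonly seen in lookalike domains (amaz0n, paypa1, rnicrosoft).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo lookalikes (amazom, amazn)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'unknown', or a description of which brand the host imitates."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    domain = ".".join(host.split(".")[-2:])  # registrable part, good enough for .com-style TLDs
    if domain in TRUSTED:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED:
        tname = trusted.rpartition(".")[0]
        if name == tname:
            return f"lookalike of {trusted} (different TLD .{tld})"
        if normalize(name) == tname:
            return f"lookalike of {trusted} (confusable characters)"
        if edit_distance(name, tname) == 1:
            return f"lookalike of {trusted} (typo distance 1)"
        if tname in host:  # brand embedded in a host the brand does not own
            return f"lookalike of {trusted} (brand embedded in host)"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/deals", "http://www.amaz0n.com/login",
                   "https://amazon.com.verify-account.net", "https://shop.example.org"):
        print(f"{sample:45} -> {classify(sample)}")
```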

3. Do Not Shop by Connecting to Open Wi-Fi:

If the Wi-Fi connection you use while shopping is not secure, then all your details, including passwords and credit card numbers, can be compromised. Most of us routinely connect to open Wi-Fi at public places like coffee shops and restaurants without realizing the risk involved. Attackers often set up open Wi-Fi connections as bait to lure users into connecting and then harvest passwords, credit card numbers, etc. Using attacks such as ARP cache poisoning, it is possible to redirect all of a user's traffic through the attacker's machine. Even if the website uses SSL/HTTPS, an advanced attacker can employ techniques such as SSL stripping to steal the data. Hence do not buy online over open Wi-Fi with no password; it is just not worth the risk!

4. Shop Using Virtual Wallets with Limited Amount:

This is based on the principle of least privilege in security, which states that you should always use an account with just the privileges required to accomplish the job. That translates to: do not use the savings account that holds most of your money to buy pancakes online. Instead, use a virtual wallet or a service like PayPal that holds limited funds, so that in the event of a compromise the impact is minimal. Additionally, these virtual wallets offer other security options such as two-factor authentication, which ensures that even if your credentials are compromised, the attacker still cannot empty your funds. As a rule, two-factor authentication should be enabled wherever possible, including on the online shopping site itself.


5. Use Credit Card for Purchasing Instead of Debit Card:

If for some reason you must use a card for the transaction, use a credit card instead of a debit card. Credit cards have extra legal protections built in that make them safer to buy with. For instance, with a credit card you are not liable for a fraudulent transaction provided you report the incident promptly. Remember that with a credit card the money belongs to the bank, not you, which is why banks are much more protective of it. Credit card purchases limit your liability (usually to around $50 of unauthorized charges) if your financial information is stolen, and the money in your bank account is not affected. Most debit cards do not offer the same level of protection.

6. Do Not Provide Sensitive Information:

Avoid buying from an online store that asks for more information than is necessary to make the sale. It is normal to provide a payment method, shipping address, telephone number, email address and so on, but if the merchant requests other information, think twice before giving it away. You never want to give them your bank account details, social security number, or driver's license number. You can also read the seller's privacy policy to find out whether the information you provide is shared with other vendors and how exposed it may become. Many stores explicitly state that they do not share, sell or rent consumers' information – others say they own your information and can use it however they choose.

7. Always Use Trusted Systems to Shop:

The machine you use to shop online should be a protected and trusted system. For instance, malware running on your system can wait until you log into a shopping site, then steal your credentials (or your bank account credentials during checkout) and send them to the attacker. To avoid such scenarios, ensure that:

  • The machine has anti-virus software installed and updated regularly
  • Operating system updates are checked for and installed regularly
  • The browser you are using is up to date
  • The firewall is turned on (on a Windows machine, navigate to Control Panel > System and Security > Windows Firewall)
  • The system is always locked or turned off when not in use

Never log in from internet cafes or from machines you do not trust, as you never know what is running behind the scenes! Happy shopping!