With Black Friday and Cyber Monday almost upon us, please see below for commentary from cybersecurity experts on how to navigate both shopping days without getting scammed or hacked.
Tim Mackey, SeniorTechnical Evangelist at Synopsys:
“The core challenge as I see it relates to either inbound email ads or people searching for great deals and ending up in locations they didn’t expect. The key is to identify the legitimate from the fake when a “50% off all iPads” deal is enticing. With all the various data breaches over the past few years, identification is particularly difficult. Some simple options are:
- If you received an “great deal” email and don’t recognise the source, don’t assume because its personalised that it’s legitimate. Visit the website directly and while logged in look for the same deal. If it’s there and still interests you, then go for it. If it’s not then the fact that the deal was tied to clicking a link in an email should indicate just how suspect the offer was.
- Identifying the legitimacy of a “great deal” found on a non-vendor website is a bit harder. That deal might be the result of the website being an authorised distribution channel for the vendor or the website offering a fake deal. Authorised distribution channels will tend to behave in one of two ways – you’ll either purchase directly from them, or they’ll link you to the vendors website and pass along a referral code. The nice thing about authorised distribution channels is that neither party tends to benefit from the relationship being a secret. Perform an internet search with both company names and see if there is mutual identification and endorsement. Another thing to recognise is that if the deal site has you click a link and passes a referral code to the vendor, then that vendor will have your item in their cart. To avoid being scammed, first ensure you’re logged out from the vendor website and then click the link. That way if the deal site was suspect, they’re less likely to get any personal information from the vendor. Assuming the deal does show up in the cart at the correct price, simply login and complete the transaction.”
Larry Trowell, principal consultant at Synopsys:
- Go directly to the website itself. Don’t trust quick links.
- Use 2-factor authentication whenever possible.
- If your credit provider doesn’t offer virtual credit cards, consider using PayPal or Amazon Pay (among other options) as a third-party payment solution. This provides one more layer of security between online stores and your financials.
- Similarly, Google Pay (among others) will alert you when charges are made to your card. That way, if you’re not the one making a purchase, a red flag is raised early.
- If you must create a password on the site to complete a purchase, don’t re-use a password. Take advantage of password managers to create new, unique passwords for each site.
- Don’t allow websites to store your credit card information. Sure, it’s less convenient, but if the website or your account is hacked, the attackers won’t have access to your credit card information.
Nick Murison, Managing Consultant at Synopsys:
“Black Friday and Cyber Monday can make or break a year for retailers, with online becoming a critical channel for most. This necessitates highly available and rock solid systems to deal with what has become a predictable yet simultaneously overwhelming demand. This shouldn’t just be focused on the underlying IT infrastructure; retailers also need to ensure their applications can handle the onslaught, be it their website, their mobile apps or their in-store payment terminals.
For years, the main driver for security within retail appears to have been PCI DSS, the data security standard merchants must comply with to accept and process payment cards. It’s reassuring to see some retailers join the BSIMM community, which may signal an evolution from a compliance-driven mentality to that of a proactive security mindset. Compliance will always be important, but retailers have much to gain from investing in strategic software security initiatives. This is especially true in territories where privacy legislation is getting more strict. Poor software security leading to information disclosure of customer data can now lead to business-altering fines in Europe, for example.”