Four Questions on Safe Online Shopping this Holiday Season

SDSU lecturer Steven Andrés discusses cybersecurity during a time when holiday online shopping is king.

Wednesday, December 19, 2018
Tips for safe shopping during the holidays.

Whether solicited or not, during the holiday shopping season, consumers are often bombarded with advertisements, coupons and promotions promising the best price on any given good. 

The SDSU News Team recently sat down with San Diego State University Graduate Program in Homeland Security and Fowler College of Business lecturer, Steven Andrés, to discuss how shoppers can best protect themselves from malware and deter potential hackers and thieves this holiday season. Spoiler Alert: According to Andrés, in-store shopping is not always safer. 

Q: How are online shoppers most commonly targeted?

A: There’s not one “common” attack vector for online shopping, but a novel method that we are seeing this year is where an attacker will take advantage of the flexibility of some third-party shopping cart systems and inject their own JavaScript code into the checkout page.

This would not affect large brand names, which write their own shopping cart systems; this attack targets smaller sellers that rely on third-party software. 

The injected code “watches” as you type in your credit card and address details, and shoots off a copy to the attacker’s server when you click the “Buy Now” button but still allows the transaction to continue to the original shopping cart system. Thus, the purchase looks entirely normal and, in most cases, the vendor has no records in their logs about the information being stolen—the swipe of your data is executed entirely on the victim’s web browser, which makes it a clever (albeit nasty) cybercrime.
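As an added example (not from the article or from Andrés), the merchant-side control that speaks directly to the skimmer described above: a Content-Security-Policy header for the checkout page that restricts where scripts may load from and where the page may send data, plus a classifier for the violation reports browsers send back, which gives the vendor the log entry this attack otherwise never produces. The origins, report path and sample report are constructed values.

```javascript
// Added example: CSP for a checkout page plus triage of CSP violation reports.
// The skimmer in the article runs only in the shopper's browser, so the
// vendor's server logs stay clean; a policy with a report endpoint makes the
// browser tell the vendor when a script tries to send data somewhere unexpected.
// APPROVED_ORIGINS and the sample report below are constructed values.
const APPROVED_ORIGINS = {
  scripts: ["'self'", "https://cart.example-cart-vendor.test"],
  connect: ["'self'", "https://api.example-cart-vendor.test"],
};

// Build the header value. 'report-uri' is where the browser posts a JSON
// violation report each time the policy blocks something.
function buildCheckoutCsp(origins = APPROVED_ORIGINS, reportPath = "/csp-report") {
  return [
    "default-src 'self'",
    `script-src ${origins.scripts.join(" ")}`,
    `connect-src ${origins.connect.join(" ")}`,
    "form-action 'self'",
    `report-uri ${reportPath}`,
  ].join("; ");
}

// Classify one violation report (the browser fills in the 'csp-report' object).
// Data leaving the checkout page for an unknown origin matches the exfiltration
// step; an unknown script on the checkout page matches the injection step.
function classifyCspReport(report, origins = APPROVED_ORIGINS) {
  const r = report["csp-report"] || {};
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  const blocked = r["blocked-uri"] || "";
  let blockedOrigin;
  try { blockedOrigin = new URL(blocked).origin; } catch { blockedOrigin = blocked; } // "inline", "eval"
  const onCheckout = /\/checkout/i.test(r["document-uri"] || "");
  const known = [...origins.scripts, ...origins.connect].includes(blockedOrigin);
  if (onCheckout && !known && directive === "connect-src") return "possible-exfiltration";
  if (onCheckout && !known && directive === "script-src") return "unexpected-script";
  return "benign";
}

// Constructed sample: an injected script tried to POST form data to an
// origin that is not on the allowlist, and the browser blocked it.
const SAMPLE_REPORT = {
  "csp-report": {
    "document-uri": "https://shop.example.test/checkout",
    "effective-directive": "connect-src",
    "blocked-uri": "https://collector.unknown-origin.test/collect",
  },
};
```

The policy only catches data leaving to origins outside the allowlist; if the approved cart vendor's own script or servers are compromised, the destination may already be allowlisted, so the report stream is a detection aid rather than a complete control.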

Q: What are the major mistakes online shoppers are making when it comes to their cybersecurity during the holidays?

A: In the hustle and bustle of the holidays, everyone’s patience is running a bit thin due to stress that seems to be synonymous with this time of year. So, when a phishing email pops up in your email or as a text to your phone saying your recent purchase with (insert major seller name here) has been blocked for security and will not arrive in a timely fashion, our brains panic. We want to make sure our loved one’s holiday is not ruined after the careful planning we took in selecting the gift. Without thinking, we click on a link in the phishing email to purportedly “unblock” the shipment or prevent the cancelation of the order. When prompted to log in “for security purposes” (of course), it does not seem odd to us that the store we are shopping at is asking us to log in. That’s where the attackers will capitalize on your quick reactions to steal your password. If you’re like most people that re-use the password on other sites, they now have access to several accounts tied to your identity.

Q: Is it safer to shop in-store or online?

A: I think they both have challenges for information security. 

When you’re in the store, you are handing over your credit card which has both a high-security chip and a very laughably low-security magnetic stripe on the back. An unscrupulous store clerk or restaurant server may swipe the card into a “skimmer” which is a palm-sized battery-powered box that records the account information off of your card and stores it on a small memory chip. Weeks later, the chip is sold to black market “carders” that resell your card information many times over. By the time your card is used fraudulently, there’s almost no way to tie the skimming to the stolen information. 

The black market pays much better than the usual seasonal minimum wage, so it is easy (and disappointing) to see how someone could justify that it is a victimless crime. In reality, we all pay more in terms of higher prices to absorb the cost of the fraud.

Q: What are your three best tips for protecting yourself while shopping during the holidays?

A: Whenever possible—online and in real life—use Apple Pay or Android Pay, which are built into modern smartphones. Apart from the convenience factor, these payment systems are highly secure. Your real account number is never transmitted to the vendor. Instead, a virtual one-time-use account number is sent and the transaction is tied to your location at the time of payment. If that vendor’s systems are compromised, the attackers will only have a worthless temporary account number that cannot be used again.

Secondly, if you receive any sort of text message or email that suggests urgency, stop and do not react. Close the email and wait until you are back at a desktop and can closely inspect the email. What is the actual “from” address—not just the name in bold? Any links in an email that claims urgency should be considered dangerous. The rhyme “when in doubt, type it out” is sage advice: rather than click on the link that purports to be from Amazon, just go to your browser and type in a-m-a-z-o-n-(dot)-c-o-m yourself. If it is a genuine alert, it will also be prominently repeated within your account summary.

Lastly, everyone reading this should get a “security freeze” on all of their credit reports. This is different from a “security lock” or monitoring services like LifeLock. The really great part about a security freeze—since it's a firewall or deadbolt—is that nothing can be run against your credit report. So there's nothing to monitor—it's really an amazing tool that more people should know about.

For more information on a security freeze and how to apply for one, click here: https://homelandsecurity.sdsu.edu/freeze
