Four Questions on Safe Online Shopping this Holiday Season
Lecturer Steven Andrés discusses cybersecurity during a time when holiday online shopping is king.
Whether solicited or not, during the holiday shopping season, consumers are often bombarded with advertisements, coupons and promotions promising the best price on any given good.
The News Team recently sat down with Graduate Program in Homeland Security and Fowler College of Business lecturer, Steven Andrés, to discuss how shoppers can best protect themselves from malware and deter potential hackers and thieves this holiday season. Spoiler Alert: According to Andrés, in-store shopping is not always safer.
Q: How are online shoppers most commonly targeted?
A: There’s not one “common” attack vector for online shopping, but a novel method that we are seeing this year is where an attacker will take advantage of the flexibility of some third-party shopping cart systems and inject their own JavaScript code into the checkout page.
This would not affect large brand names, which write their own shopping cart systems; this attack targets smaller sellers that rely on third-party software.
The injected code “watches” as you type in your credit card and address details, and shoots off a copy to the attacker’s server when you click the “Buy Now” button but still allows the transaction to continue to the original shopping cart system. Thus, the purchase looks entirely normal and, in most cases, the vendor has no records in their logs about the information being stolen—the swipe of your data is executed entirely on the victim’s web browser, which makes it a clever (albeit nasty) cybercrime.
Q: What are the major mistakes online shoppers are making when it comes to their cybersecurity during the holidays?
A: In the hustle and bustle of the holidays, everyone’s patience is running a bit thin due to stress that seems to be synonymous with this time of year. So, when a phishing email pops up in your email or as a text to your phone saying your recent purchase with (insert major seller name here) has been blocked for security and will not arrive in a timely fashion, our brains panic. We want to make sure our loved one’s holiday is not ruined after the careful planning we took in selecting the gift. Without thinking, we click on a link in the phishing email to purportedly “unblock” the shipment or prevent the cancelation of the order. When prompted to log in “for security purposes” (of course), it does not seem odd to us that the store we are shopping at is asking us to log in. That’s where the attackers will capitalize on your quick reactions to steal your password. If you’re like most people that re-use the password on other sites, they now have access to several accounts tied to your identity.
Q: Is it safer to shop in-store or online?
A: I think they both have challenges for information security.
When you’re in the store, you are handing over your credit card which has both a high-security chip and a very laughably low-security magnetic stripe on the back. An unscrupulous store clerk or restaurant server may swipe the card into a “skimmer” which is a palm-sized battery-powered box that records the account information off of your card and stores it on a small memory chip. Weeks later, the chip is sold to black market “carders” that resell your card information many times over. By the time your card is used fraudulently, there’s almost no way to tie the skimming to the stolen information.
The black market pays much better than the usual seasonal minimum wage, so it is easy (and disappointing) to see how someone could justify that it is a victimless crime. In reality, we all pay more in terms of higher prices to absorb the cost of the fraud.
Q: What are your three best tips for protecting yourself while shopping during the holidays?
A: Whenever possible—online and in real life—use Apple Pay or Android Pay that is built-in to modern smartphones. Apart from the convenience factor, these payment systems are highly secure. Your real account number is never transmitted to the vendor. Instead, a virtual one-time-use account number is sent and the transaction is tied to your location at the time of payment. If that vendor’s systems are compromised, the attackers will only have a worthless temporary account number that cannot be used again.
Secondly, if you receive any sort of text message or email that suggests urgency, stop and do not react. Close the email and wait until you are back at a desktop and can closely inspect the email. What is the actual “from” address—not just the name in bold? Any links in an email that claims urgency should be considered dangerous. The rhyme “when in doubt, type it out” is sage advice: rather than click on the link that purports to be from Amazon, just go to your browser and type in a-m-a-z-o-n-(dot)-c-o-m yourself. If it is a genuine alert, it will also be prominently repeated within your account summary.
Lastly, everyone reading this should get a “security freeze” on all of their credit reports. This is different than a “security lock” or monitoring services like LifeLock. The really great part about a security freeze—since it's a firewall or deadbolt, nothing can be run against your credit report. So there's nothing to monitor—it's really an amazing tool that more people should know about.
For more information on a security freeze and how to apply, click here: