We will soon be in the throes of the holiday gift-buying season. A whole set of must-have connected devices have hit the stores, from smart accessories and appliances to game consoles and online games to Web-enabled toys. And we will be buying many of them online, especially on Cyber Monday (News - Alert).
Are you ready? You are scouting online shopping websites, loading apps that automatically compare prices to make sure you are getting the best deal, building your shopping lists and checking your credit card balances.
But what are your plans for cybersecurity? How safe will you be as you are holiday shopping online? And how safe are the items you are buying? Here are some things to consider for the 2017 holiday shopping season.
1. Safe Online Shopping
Online shopping captures a larger portion of holiday shopping dollars every year. Given the rise in identity theft, malware and phishing and scam sites, online shoppers need to be more careful than ever. Online shopping can be a safe way to buy things – if you follow a few simple rules:
- Use credit, not debit. Use your credit card when making online purchases to take advantage of its built-in consumer fraud protection. If you use services such as PayPal, ApplePay or Google (News - Alert) Wallet, make sure you are using payment options linked to a credit card and not another payment method such as a checking account or provider credit.
- Consider your location. Shopping at home is one thing, but if you are using the public Wi-Fi connection at your local coffee shop, you may want to think twice before making an online transaction. That’s because there are too many ways for someone to intercept your communications. For example, a man-in-the-middle attack occurs when that guy over in the corner with his laptop open is broadcasting his device as “Free Coffeshop Wi-Fi.” When you connect, he connects you to the Internet through his device and then captures all the traffic moving between you and your online shopping site. Remember, you should always use a secure, trusted VPN provider on any open Wi-Fi network.
- What website are you shopping on? Lots of fake shopping sites pop up during the holidays, often offering great bargains and hard-to-find items to lure shoppers in. If you are looking at items on a website you have never seen before, here are a few things to consider before making that purchase:
- Look up the url at who.is. It will provide you with a variety of information, including when the site was first created, where the company is located and contact information. Be suspicious of anything that has been online for a very short time.
- Use your browser search engine to look for online reviews and ratings of a site.
- Look at the website design. Does it look professional? Are the links accurate and fast? Are there lots of pop-ups?
- Look at the name of the site. Is the name too long? Does it contain lots of hyphens or numbers? Does it use the name of other popular brands or sites in its name? Does it replace letters with numbers, such as amaz0n.com?
- Read the text. Bad grammar, unclear descriptions and misspelled words are all giveaways that the site may not be legitimate.
- Unusually low prices and high availability of hard-to-find items are red flags that you are on a scam site.
- Make sure the site uses a secure checkout system that accepts major credit cards. Avoid sites that require direct payments from your bank, wire transfers or untraceable forms of payment.
- Make sure the business has a physical address and phone number, a clear return policy and a privacy statement on how they will protect your information.
- Do you have a secure connection? Any time you are online in a public location, or are making a financial or private transaction, make sure that your connection is secure or encrypted. Look at the url bar of your browser and make sure that the address starts with https:// rather than http://; this means that the transactions are protected using SSL encryption. Also consider using a VPN (virtual private network) connection. If you are going to be online in public places frequently, there are a number of low-cost/no-cost services that will ensure that your connection is always protected.
- Track your bank and credit card statements – Look at your bank and credit card statements online during heavy shopping periods rather than waiting for your statement to arrive in the mail weeks later. The quicker you spot unauthorized transactions, the faster you can get the resolves and limit your exposure.
2. Protect your purchases
The last thing you want to do is spend hours and money finding that perfect gift, only to have someone else walk off with it. Here are a few things you should know
- Don’t leave your purchases in your garage – Many of the latest garage door openers use algorithms to generate a random lock code. When you press on the remote, a check is made to ensure its lock codes match the garage door opener. Unfortunately, these devices sometimes get out of synch. Manufacturers solve that problem by letting the devices store a rolling set of numbers—called a rolling code scheme—so that if the numbers don’t match right away it can search for other codes looking for a match. (Remote locks on your car essentially use the same concept.)
Unfortunately, a number of other devices that connect to each other, such as walkie-talkies and some connected toys, use the same rolling code scheme. And with a few simple modifications, a criminal can use these and other devices to communicate with your garage door. And he or she don’t need to be an engineer. Online hackers have made it easy with step-by-step instructional videos and libraries of stolen algorithms. All a criminal needs to do is follow the instructions, download the algorithms and rolling code schemes, and then broadcast it while walking or driving. And like magic, garage doors open all along the street.
- Home delivery – Of course, everyone is familiar with home delivery items being stolen right off the porch or doorstep. Here are some things to do to protect purchases bought online.
- When possible, require a signature for delivery.
- Request that items arriving during the day be delivered to your office or place of business.
- If that’s not possible, require packages to be left at an alternate location, such as a side or back door, behind the bushes or with a neighbor.
3. Connected devices
Many of the items that will be purchased this holiday season are devices that connect to the Internet for one reason or another. Unfortunately, few of these devices were designed with security in mind. These devices can often be used to collect personal information, or they can be hijacked and used as weapons, such as a recent series of denial of service attacks that redirected traffic from tens of millions of compromised devices—like webcams and DVRs—to shut down the online services of a targeted victim.
Vulnerable connected devices can include:
- Smart entertainment systems - game consoles, TVs, DVRs, DVD players and online gaming
- Smart accessories – watches, phones, tablets, laptops, weather clocks, radios
- Smart toys – dolls and toys with corresponding online lives and data, remote controlled vehicles (including those that can be driven or flown using your smartphone), interactive toys that can be updated online
- Smart appliances – everything from toothbrushes to washing machines
- Smart cars – entertainment systems, communications, onboard computers and diagnostic systems, and automated payment systems for parking or fuel
Of course, hacking these devices themselves is not really the problem. No one is really interested in hacking into your smartwatch to figure out your exercise routines or your weight loss plan. But they ARE using reconnaissance hacks to discover your passwords for the Wi-Fi network at work, or your account information for automatic online purchases, to steal or spoof your identity or even to figure out when you are away from home.
And that toothbrush that automatically orders new brush heads or the humidifier that orders new filters? Imagine your surprise when 1,000 of them show up at your door, already billed to your account.
4. Emerging threats
We are also seeing a wave of new threats that are likely to begin targeting consumers. Here is a short list:
- Ransomware – This past year, there was a rise in targeted attacks that take over or encrypt computers or networks and demand the payment of a ransom for them to be released. We anticipate that this sort of ransom-based attack will be expanded to include connected home devices, such as alarm systems, refrigerators, heating systems, cars, utility meters etc.
Given the right set of circumstances, a hacker could conceivably track your car, wait until you are far from home and then lock you out or turn off your onboard systems. How much would you be willing to pay to get back into your car after a long day at the mall? Or to turn off your fire alarm system in the middle of the night? Or turn your heat back on?
- Hijacked online services – We are currently seeing literally millions of accounts for premium streaming and entertainment services for sale on darkweb black market sites. We recommend that you look at your cable or satellite service bills carefully and that you occasionally contact your service provider to ensure that you recognize remote usage of these services.
- Stolen online accounts – We are also seeing stolen or spoofed online accounts that either already belong to someone else or were opened using stolen credentials. Regularly check your accounts and track your bank and credit card statements for unauthorized purchases and, at a minimum, check your credit rating for activity you do not recognize.
We all need to become responsible net citizens. That includes accountability. But where does accountability start?
While the payment card industry has established standards to protect consumers, there is no way to evaluate the security deployed by an online merchant. We should insist on an easy-to-recognize set of security certifications for online vendors and a reliable source to validate those credentials so we can shop online for goods and services with confidence.
There are also no legal requirements that the connected devices you buy be protected from cybercriminals. As consumers, we need to insist that vendors take this challenge seriously.
And finally, we need to take the time to educate ourselves— and our friends and family—about how to shop online more carefully and safely.
About the Author
Anthony Giandomenico is an experienced Information Security Executive, Evangelist, Entrepreneur and Mentor with over 20 years of experience. In his current position at Fortinet (News - Alert) he is focused on delivering knowledge, tools and methodologies to properly demonstrate advanced threat concept and defense strategy using a practical approach to security. Anthony works closely with FortiGuard Labs and Fortinet System Engineering to respond to advanced threats as they break – and proactively plan beforehand.
Edited by Alicia Young