Black Friday and Cyber Monday security concerns

Ahead of the upcoming shopping season, we’re spreading awareness of potential Black Friday and Cyber Monday security concerns affecting people who shop and sell online.

In anticipation of the upcoming holiday shopping season, we want to help spread awareness of potential Black Friday and Cyber Monday security concerns affecting people who either buy or sell products or services through digital means. There are many scams that fraudsters attempt when targeting victims online. Falling for a scam can be as simple as clicking on an email link or visiting an insecure website where attacks take place in the background, without your knowledge or consent. Here we’ll cover common attacks and, more importantly, some practical advice to identify phishing and other attacks to reduce your chances of falling victim to online scams and fraud.

Perfect security is a myth

Security is all about trade-offs. Security can easily be achieved by disconnecting—but you can’t do anything without connecting. It’s just a fact that shopping online entails risks and so must be approached with awareness.

Image credit: The Verge on Twitter

Let’s use Amazon Key as an example. It’s great for customers who have had packages stolen from their doorsteps, and it ultimately reduces fraud and financial loss. But in the meantime, attackers—in this case, burglars—want to unlock houses that use Amazon Key. Through this service, an attacker could potentially unlock your front door. It would require a breach of some sort: attacking the organization, obtaining a valid key to unlock the door, or finding a software vulnerability in the smart lock software. But while Amazon might have escaped major breaches recently, it has had breaches in the past.

Myth busted?

Now the question concerns the trade-off between having a package stolen or your house broken into. Amazon Key is a risk issue. What I mean is that if you have stuff constantly stolen from your porch, the trade-off between the risk of your stuff being stolen and the risk of your house being broken into is actually a good one. Stuff being stolen is a common occurrence, but how many people have their houses broken into? We should acknowledge there are risks, but for many, Amazon Key is a good idea to reduce the loss of things they’ve paid for and ensure their packages remain safe. The door cannot be opened without consent, and there’s video. We also know:

• Who the drivers are
• Where they are
• How long they’ll stay in a place

So for those who choose to use Amazon Key, the risk is acceptable—and if you know the risks and don’t accept the trade-off, you just don’t use Amazon Key. But what about people who buy or sell online, where you don’t know who the “drivers” or “burglars” are, you can’t record them on video, and there are plenty of ways for attackers to access your information without your consent?

The method of a scammer

Scammers first approach you in a way to ensure you, or someone else, will fall for a scam. They spread a wide net through legitimate websites such as Craigslist, Amazon, and eBay. They also create fake advertisements and even e-commerce websites that can be found through online searches, email, or text messages.

To obtain sensitive information, scammers deploy a range of tactics to make victims hand over their information:

Once they’ve gained the trust of their victim, the scammers simply cash out, walking away with personal information such as the victim’s name, address, and date of birth. If the victim signed up on the fake website, the scammers have also captured the victim’s username and password, which the victim may have used elsewhere, such as on PayPal. Finally, scammers want to get as much cash from victims as possible and thus often capture credit card details or take money for items that do not exist.

Identify theft

With the immense volume of personal information being passed to websites, stored in databases, and even shared with third parties, it’s no wonder people are now calling data the new oil. The way we handle our data and provide data to companies, and the way they secure it, are the common factors in today’s identify theft cases. In 2017 the BBC released an article stating that 88% of recorded incidents occurred online.

Image credit: BBC News

As you can see, identity theft is increasing yearly. This might be from security breaches, where someone has found a way to gain a foothold within an organization, or from users entering or handling their personal information insecurely.

When scammers obtain your information—for example, through a data breach—they might attempt to do the following:

• Redirect your mail to a controlled address, such as a P.O. box.
• Take out loans in your name.
• Take out credit cards in your name.
• Take over your bank accounts.
• Destroy your creditworthiness.
• Make it difficult for you to get new credit or mortgages.

Scammers take over your devices

A data breach is out of a user’s control; however, the goal of scammers is not only to profit from you by impersonating you but also to gain control of your devices. This allows them to expand their attack surface so they can continue to benefit from you. Today’s criminals will attempt to persuade you to install malicious software on your devices—for example, keyloggers to exfiltrate every key you press. If they can install a keylogger, they can capture your credentials for every website you visit and read sensitive information in every email you write.

Scammers have a wide range of tools to get your information:

• Install remote access Trojans / spy software (keyloggers or software to take screenshots or access your camera or microphone).
• Intercept secured communications (such as on banking and online shopping sites).
• Install malware or ransomware and encrypt your files—payday!
• Install command-and-control (C2) software so you unwittingly control botnets and RATs.
• Install spam software so you unwittingly send millions of spam messages.
• Anything else they want.

Attacks

Phishing

Phishing is a common technique used by scammers, fraudsters, and other types of attackers. Phishing coerces a user into clicking a link. On the other end of the link is a method for scammers to either extract information from the user or spread malicious software.

Phishing doesn’t affect just the gullible; it can affect anyone. In fact, everybody knows somebody who has fallen victim to one of these scams:

• Generic emails, such as those starting with “Dear Banking Customer”
• Targeted attacks
• Phone calls
• Texts

Insecure websites: HTTP

An example of an insecure website includes one loaded over HTTP and thus sent in clear text. Another example of website insecurity involves sensitive information being sent over insecure channels that can be captured.

I like to think about HTTP this way: You are in a public place and overhear Bob talking to Alice about how silly passwords are. Bob says he uses the name of his favorite baseball team, the San Francisco Giants, and the year they won their last World Series. Alice says she has a very strong password that nobody can guess; it’s a combination of the names of her dog Buster, her son Jerry, and her daughter Janyce.

That’s not very secure. Someone just overheard both of their passwords. This is just like HTTP. When you visit a website over HTTP, it’s the same as if you were talking in a public place near someone listening. Anything you send over HTTP can be captured by scammers. The good news is that unlike in the outside world, a web browser will tell you, “Hey, this is actually an insecure website. Maybe don’t enter sensitive information here.” In real life, you aren’t going to get someone waving at you and telling you the same.

Insecure websites: Public Wi-Fi

Unsecured Wi-Fi hotspots pose a major security risk. Anyone could be listening in to insecure traffic. Additionally, attackers may be running the Wi-Fi networks. They could be siphoning usernames, passwords, or other confidential information.

Insecure devices

Have you or your friends ever used a public computer for online shopping? Could you ensure that the computer had not been compromised? Keylogging is an attack in which someone with malicious intent captures keystrokes entered on a system in an attempt to grab:

• Credentials
• Personal information
• Credit card information

Cybersquatting / typosquatting

It’s very easy to visit the wrong domain. For example, “Synopsys.com” could be typed as “Synopsis.com” or “Syn0psys.com.” And sometimes visiting the wrong domain opens you up to a cybersquatting or typosquatting attack. Wikipedia defines “cybersquatting” as “registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.”

Scammers lure users to their sites with common victim accidents (e.g., mistyping the URL) or phishing email scams, with these goals:

• Phishing for information
• Installing malware
• Generating ad income
• Tainting an established brand
• Spreading misinformation/disinformation

A perfect example of how easy it is to be directed to the wrong URL is last year’s incident in which Equifax’s Twitter users were told by the verified Equifax account to visit http://securityequifax2017.com/ rather than https://www.equifaxsecurity2017.com. This proves that the secure lock icon next to the URL is not a guarantee that the website is legitimate.

How to spot a scam

If it’s too good to be true, it usually is!

• Approach
  • If the approach is unexpected or you didn’t initiate it, delete.
  • If the approach appears to be from a trusted site, report it immediately.
• Trust
  • Stop as soon as you feel pressured by high-pressure sales tactics or emotional manipulation. Real businesses will not harass or contact you continuously.
• Cash out
  • Stop if you are asked for much more information than is required.
  • If selling, stop immediately if someone “overpays” you with a check or money transfer.

How to avoid a scam

How to avoid phishing

• Don’t trust any link in an email or text message.
• Never give up personal information—including passwords, birth data, addresses, social security numbers, or any other sensitive or private information—without verifying the destination and purpose.
• Use a junk email account for random sign-ups, and keep another “tidy” one that won’t be inundated with spam/attacks for your banking and core activities.

How to avoid insecure payments

• Use only trusted websites that you regularly do business on.
• Check the URL bar for a green EV certificate (best) or the secured site you started on.
• For online shopping, use a small-balance credit card (debit cards have worse fraud terms and conditions) not associated with your main bank account or even your main bank.
• Do not store your credit card information on websites; this opens you up to account hacks that misuse your funds.
• Stop if an unexpected payment pop-up window appears, particularly without an address bar.
• Never send money orders or wire transfers.

How to avoid insecure websites

• Never click links in emails; always type the website address manually.
• Visit websites only over a secure channel HTTPS.
• Never enter sensitive information over public Wi-Fi.
  • Use a VPN.
  • Use your mobile device as a hotspot.
• Validate the URL before entering your credentials, sensitive personal information, or credit card details.

Best practices

Secure personal devices

• Uninstall Flash today.
• Always apply all the latest patches.
• Upgrade to the latest version of your operating system as soon as you can.
• Ensure your devices are password- or biometrically protected.
• Disable Java in the browser and web start.
• Be wary of applications you install, particularly on Windows, Mac, and Android.
• Be wary of unsolicited updates, such as for Flash or a media codec.
• If you didn’t ask for an update, it will be malware.

Ensure two-factor authentication

Always enable multifactor authentication. Types of verification include these, from strongest to weakest:

• Transaction signing (commercial banking)
• Token- or key-based two-factor authentication (e.g., YubiKey, RSA token)
• Application approval-based two-factor authentication (e.g., Google)
• Time-based one-time password (TOTP) (e.g., Google Authenticator)
• Random email verification (e.g., Medium)
• SMS verification

Note that SMS verification should be phased out; although it is stronger than passwords, it is only as good as SS7 (terrible) and telco porting procedures (also terrible).

Set up a password manager

Remembering different passwords for all your websites and accounts is hard. But security people love to tell you to do it. So consider using a password manager, an application that securely manages passwords for all your accounts.

• You need to remember only one master password.
• The manager automatically inserts passwords into log-in forms.
• The manager can autogenerate strong passwords and alert you to:
  • Insecure passwords
  • Password reuse
  • Passwords found within a website hack
  • Passwords regarded as not strong enough

Strengthen passwords

• Don’t write them down.
• Don’t put them on your case / the back of your device.
• Don’t use simple passwords such as 0000, 9999, and 1234.
• Do use a six-digit passcode or, better yet, an alphanumeric passphrase.
  • Passwords don’t need to be overly complex, such as 9x!-nHAl35o$i.
  • Passphrases or sentences can be stronger: “This Is A Secure Password That Is Quite Easy To Remember.”
• When dealing with password-reset questions:
  • Create your own questions.
  • You don’t have to tell the truth; you just have to remember the lies.

Arrange backups

Backups protect you against data loss, device malfunction, and ransomware.

• Use continuous backup (Windows), Time Machine (Mac), or a third-party product.
• Consider a diversity of backup locations, and always have more than one location:
  • Local
  • Off-site (store at a friend’s place)
  • In the cloud (Apple iCloud, Google Drive, Microsoft OneDrive, or a backup solution)
• Always encrypt your backups.
• Consider rotating a few hard drives for backups, and rotate one to a family or friend’s place to protect against burglary, flooding, and fire (i.e., once-in-10-year risks).
• Always test your backups—at least once per year. Remember that backups aren’t real unless you’ve restored from them.

If you’re the victim of a security breach

• Contact your bank or credit union as soon as you realize you’ve been breached.
• Recover your stolen identity. Start here: https://www.identitytheft.gov/ and https://www.actionfraud.police.uk/
• Report it to the real site or business.
• Report it to the police.

Read more about social engineering