Holiday Shopping Safety Series
Shopping Via Credit Card and e-Commerce
By Joe Gray
It’s that time of year again: stores closing for a couple of hours (if at all) on Thanksgiving while others are completely closed. Black Friday is creeping into Thursday and cutting into turkey overload time. Starbucks has the peppermint syrup for our frappuccinos, lattes, and mocha drinks. Families are shopping for the best deals for the perfect gifts for their loved ones. Christmas (and Santa Claus) is coming.
Because the cash flow is on the rise, the activity of cyber criminals is increasing as well. The purpose of this blog series is to educate you about how to stay safe through this season, including Black Friday, Small Business Saturday, and Cyber Monday. While I try to be thorough, I cannot possibly cover everything.
With the rise of online retailers, and conventional, brick and mortar retailers having online presences, the Internet continues to cement itself as a viable way to save money. In addition, the Internet is a place of glee, danger, savings, and mischief. Because cyber crooks know that people are ready and willing to spend money online, they are ramping up their campaigns and strategies to trick consumers into giving up their payment card information or to make bogus purchases.
The sections below provide anecdotal scenarios of attacks you may encounter that target your credit card information:
INSECURE WEBSITES
Insecure websites are not quite as malicious as some of the other online threats, in that the sites themselves are not exactly what you need to worry about. The site may be legitimate or it may not be (see the Hoax Website section below), but you do need to worry about the traffic you’re passing to the website.
As a starting point for the discussion, “insecure website” is a very subjective term. In this context, I am referring to sites lacking an SSL certificate and therefore the ability to verify the site’s identity and encrypt the connection. A certificate alone is not proof of safety, though, as attackers are also able to obtain SSL certificates. Other examples include bad coding, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and issues with the underlying database that allow attackers to obtain or manipulate any or all information contained within it.
PUBLIC WI-FI HOTSPOTS
Public Wi-Fi hotspots are one of my favorite topics to evangelize to non-security professionals. We find them everywhere: the doctor, grocery store, and notably at Starbucks and Panera Bread, just to name a few. These signify the epoch of convenience.
While you are sipping your pumpkin spice latte, having your salad, or waiting for your spouse to finish trying clothes on, you may connect to the venue’s Wi-Fi. You may also do so without noticing if you leave Wi-Fi enabled on your smartphone. In either circumstance, these networks are not always monitored or protected.
This allows an attacker to “sniff” traffic and capture packets (the units into which data is broken up as it crosses a network). With these packets, the attacker can either read your traffic (possibly user names, passwords, or other sensitive information) or “replay” the packets, acting as you. For example, in a replay, the attacker can reuse or manipulate the captured packets to log in as you (no password required) and change information such as your shipping address.
PHISHING EMAILS
Phishing emails are commonplace year-round. The only difference this time of year is the tone the attackers take in their campaigns. They convey scarcity or urgency, two of the six drivers of social engineering, to try to coerce you into performing an action or providing information (credentials, credit card data, or other sensitive data).
Many of these will claim to be from a bank, possibly your bank. They will likely have poor English, and they will contain links to sites that may look legitimate, complete with logos and branding, or shortened links (like Bit.ly). Examples of this attack would be “problems with your bank card,” “problems with your chequing account,” or “sign up for (insert deal here).” Notice the spelling of chequing. That is the British spelling of the word. Other British spellings that often appear are: favour, favourite, rumour, organise, and defence.
VISHING (VOICE PHISHING) CALLS
Just like phishing, we have vishing, which is nothing more than voice phishing. You may receive unsolicited calls from “Unknown Caller” or from spoofed numbers. The callers employ tactics similar to those of the phishermen. Sometimes the organizations (run like businesses) are offshore, so the English may be poor there as well. This is not to say that there are no native English-speaking attackers, as there certainly are.
ATM AND CREDIT CARD SKIMMERS
We have seen stories about skimmers at various financial institutions, ATMs, and gas stations in and around Knoxville. The key for the attacker is to put something over the real card reader that lets the real reader still read the card while the overlay (the “sled”) captures the magnetic stripe and card information as well. Some are advanced and use Wi-Fi or cellular to send the data out, while others just store the information until the attacker comes back and picks it up. Extremely advanced skimmers can be implanted inside the ATM or gas pump, and there is no way to check for those without getting access to the inside of the machine.
HOAX WEBSITES
I will discuss these a little more thoroughly in the next post, but in essence, think of them similarly to insecure websites; they very well may be insecure too. These are intended to work in parallel with phishing and vishing campaigns to dupe the victim into believing that the site is legitimate, thus getting them to process a transaction.
My advice for staying secure during this time of year is to remain vigilant (not that you don’t year-round) and to follow these tidbits of wisdom:
- If it seems too good to be true – it probably is.
- If it claims to give inside information, special sales, free stuff, or spoilers – it will probably spoil your system (with malware) or bank account (with a $0 balance or lower).
- Only use reputable sites for e-commerce and online shopping.
- When clicking links on social media platforms, hover over the link and observe the website it’s sending you to.
- Ensure the site you’re using has HTTPS and a green lock. This is not foolproof, but it is better than nothing.
- Ensure that the site you’re using is what it claims to be.
- For example: make sure you are on ABCNews.com and not ABCNews.com.co or ABCNwes.com.
- If you must use public Wi-Fi, consider using a VPN service for an encrypted connection.
- Turn Wi-Fi and Bluetooth off by default. Enable them only when you need them.
- If the link is a shortened or obscure URL like bit.ly (nothing against them, but this is a popular attack method), right-click it, choose “Copy Link Address,” go to VirusTotal (a Google project), select URL, paste the link in, and click “Scan it!”
- This will tell you if the URL is known to be malicious. Be warned: just because it says it isn’t does not mean the site is safe; it may simply not have been reported yet.
- You can also use the site to upload software and check it for malware.
- Ask someone like me or another information security professional.
- Contact Sword & Shield with any additional questions. Call us at 865-244-3500 or email us at firstname.lastname@example.org or fill out a consultation request.
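As an added example (not from the original post), here is a small Python check that applies two of the tips above before you click: is the link HTTPS, and is its host really the site you expected rather than a lookalike such as ABCNews.com.co or ABCNwes.com? The domain names, the "lookalike" rules and the edit-distance threshold of two are my own assumptions.

```python
"""Constructed example: vet a link against the site you meant to visit.
Checks that the URL uses HTTPS and that its host is the expected domain,
flagging lookalikes such as abcnews.com.co or abcnwes.com posing as abcnews.com."""
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url: str, expected: str) -> str:
    """Classify the URL's host relative to the expected domain (e.g. 'abcnews.com')
    as 'exact', 'subdomain', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    expected = expected.lower()
    name = expected.split(".")[0]                        # e.g. 'abcnews'
    if host == expected:
        return "exact"
    if host.endswith("." + expected):                    # www.abcnews.com
        return "subdomain"
    if host.startswith(name + "."):                      # abcnews.com.co, abcnews.com.evil.test
        return "lookalike"
    labels = host.split(".")
    if len(labels) >= 2 and labels[-2] != name and edit_distance(labels[-2], name) <= 2:
        return "lookalike"                               # typosquat such as abcnwes.com
    return "unrelated"


def check_url(url: str, expected: str) -> dict:
    """Combine the HTTPS check and the host check into one verdict."""
    scheme = urlsplit(url).scheme.lower()
    host_class = classify_host(url, expected)
    return {
        "https": scheme == "https",
        "host": host_class,
        "proceed": scheme == "https" and host_class in ("exact", "subdomain"),
    }


if __name__ == "__main__":
    for link in ("https://www.abcnews.com/deals", "http://abcnews.com.co/deals"):
        print(link, check_url(link, "abcnews.com"))
```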
Joe Gray is an enterprise security consultant with Sword & Shield Enterprise Security, Inc. He has worked as a systems engineer, information systems auditor, senior UNIX administrator, information systems security officer and director of IT security. He holds the (ISC)² CISSP-ISSMP, GIAC GSNA, GCIH, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. Gray also maintains the Advanced Persistent Security Blog and Podcast.