Kenneth Van Wyk: 'Tis the season to shop with care

With online holiday shopping on the rise, and mobile-device shopping coming into its own, the need to be aware of the necessary security precautions has grown

With the 2012 holiday shopping season well under way, it's already evident that online shopping is on a record-setting pace this year, and mobile devices have had a huge impact. Every year, people have questions about the sorts of security precautions they should take when shopping online, and there will probably be even more questions now that mobile has entered the picture in a big way.

That's good; people need to be conscious of the need to take certain precautions online, just as they are aware that they shouldn't go into a physical shopping mall with hundred-dollar bills sticking out of their pockets and handbags. Personally, my awareness is heightened because I've had two credit cards defrauded this year. Did that happen as a result of my online or my on-site payment activity? I suspect that it was on-site, but I'll never know for sure. In any event, I hope my misfortune can help you avoid something similar.

Here are some pointers.

* Always opt for the payment method that's safest. Many sites these days support PayPal, Google or other payment services. When they do, use them and minimize the number of merchants that have access to your more sensitive payment details.

* Keep a secure log of all the sites on which you divulge your payment information.

* When given the choice, opt to not store your payment information with the vendor. It will be a bit of a hassle to have to re-enter your payment information every time you go back to buy something on that same site, but it's nothing compared to the hassle of having your payment card information stolen. Try to minimize your payment footprint.

* If you register with an online vendor, use a strong and unique password -- not one that you've already used on other sites. A lot of people will probably skip right over this bit of advice on the grounds that they think it isn't feasible to use a different password for every site. Don't be one of those people. To help with this, you have at least two options: either keep a secure log, on paper, of your usernames and passwords for each site, or use a password vault application to do that for you. I've been using such an app for years. It's easy to manage, and I am confident that my passwords for sites that have my payment information won't be easily cracked.

* Have your packages shipped to your place of business, unless you're at home during the day. Many shippers will leave packages by your front door if you're not home. That's convenient and all, but it also gives thieves plenty of opportunities to steal during the holiday shipping season. And a big box with a familiar logo from a high-tech company just helps the thieves better target their work.

* If you use a vendor app on a mobile device to shop, you should probably spend a few minutes doing some static and dynamic analysis of the app to see for yourself whether your information is being adequately protected. I provided some tips for doing just that in my May and June 2012 columns.

If you do run into problems with any of your payment cards, it's likely you'll get a phone call and/or email from your payment provider. Don't ignore those calls! Respond to them quickly and answer their questions. (Of course, be sure you're really talking to your payment card vendor first.)

After my first defrauded credit card, I signed up for a service in which my provider sends me a text message asking me to verify any questionable transaction. I reply with a yes or no, and the transaction is handled accordingly. Of course, this service has to run over a mobile number that was registered in advance with the payment card company, but many card vendors will set that sort of thing up for customers upon request. (And if I'm out of the country, I incur a cost for the text messages, but it's worth it to me.)

If it turns out your card has been attacked, you'll want to quickly get to all the merchants that have your card information stored in their databases -- especially any that have recurring charges to your account. By keeping a log of all of those merchants, you'll be able to quickly update things. While you're doing that, consider it a good opportunity to also change your password with all those merchant websites (or mobile apps).

There are certainly plenty of things that consumers can do to make their online shopping reasonably secure. It may sound like a lot of inconvenience to do things such as setting up a separate password for each site, but you really won't regret getting your online payments in clean working order.

When my card was attacked a second time, I was able to go clean things up in just a few minutes, in large part because I took my own advice and kept a meticulous log of all my online payment activity. A little bit of carefully applied paranoia can go a long way.

Happy holidays.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.