Compliance Insight with David Schneier

Cyber Monday Guide: Tips for Safer Shopping

Last night I spent nearly three hours helping out a friend who had called in desperation because the PC was running slow and "weird things" were happening. You might not know it based upon what I do for a living these days, but there was a time and place when I was a genuine "techie" -- a real hands-on PC-guru kind of guy who could take a machine apart, put it back together and reinstall every piece of software from the BIOS on up. Despite my best attempts to leave that in the past, I find it difficult to reject friends and family when they come looking for help. And with the ever improving remote control capabilities available these days and the broadband connectivity, I can't even claim it's inconvenient. So shortly after getting the house settled down, I established a remote session and went to work.

The good news for my friend was that the problem was mostly your common, run-of-the-mill trojans lurking about, and nothing truly insidious that required a complete reformat/rebuild of the hard drive. While the anti-virus software was scanning the machine, I took advantage of the phone time to catch up with my friend. We discussed the holiday season that's upon us, and I asked her what her plans were for shopping for gifts for everyone. She replied that she had already picked up much of what she needed, and the rest was going to be purchased online. I'm a big fan of irony, and so the moment jumped right out at me.

Here I was working on getting her PC scanned and cleaned of a string of invasive agents, and she was blissfully ignoring the obvious and planning on using her connectivity to conduct a wide range of purchases. Her only reason for calling me was because the machine was running slow and she was sick and tired of clicking "No" when all those annoying prompts popped up on her screen.

Wasn't she worried that the strange behavior on the machine portends suspicious or undetected activities? Does she even know what to consider when conducting online transactions? I mean, if she was oblivious to the threat already presented to her, how likely is she to be aware of threats that are far more subtle? And how many more people are there like her in the world (and my little piece of it)? Geez, we're about to enter into the buying frenzy known as Black Friday and Cyber Monday, and everyone should be thinking about these things. But they're not. That's when I remembered that I think about these things for a living, and they don't.

So this morning I came up with a few analogies by which to educate my friend (and the rest of my non-paying client base otherwise known as friends and family). In each of these scenarios I'm certain you'd leave the store without completing the purchase, but online it just looks different. Here's what I have so far:

  1. Brick and Mortar: You go into a store to make a purchase and when you give them your credit card, they make a copy of the card (either by hand or machine), give you a hand-written receipt and never use a cash register or computer.
    Online: Legitimate online retailers operate the same way as a brick-and-mortar store. If you don't get a legitimate receipt describing all key components of the transaction including price, tax, purchase date, your ID and their contact details, it's very likely that something is amiss. You should contact your credit card company immediately to notify them of your concerns.
  2. Brick and Mortar: You go into a store to make a purchase, and when they scan your credit card, an electronic signboard above them displays your personal details, including the credit card number, for all to see.
    Online: If the URL (the string of characters that appears in the address bar of your browser) doesn't begin with HTTPS (the "S" is the key character) then the connection between your machine and the vendor's website is not properly secured. As a rule you should never, ever conduct online transactions without at least that control in place. It has to do with the use of encryption that scrambles the information being passed back and forth, making it very difficult for someone to capture. Without it, someone can intercept the data flow and see all of the sensitive information being shared. You should also see a tiny yellow padlock image displayed on the screen (its location varies based on your browser) which also indicates a properly secured connection.
  3. Brick and Mortar: You go into a store to make a purchase, and when they print the receipt there's only the name of the store, no address, no telephone number, no contact information of any sort.
    Online: This is related to my first example. Legitimate businesses make it easy to contact them should you need to. If there's no contact information beyond the website address itself, there's a very good chance that the business is not a reputable one.
  4. Brick and Mortar: You go into a store to make a purchase, and there are strange people standing next to you while you present your card, some with a camera/video device, some taking hand-written notes while you complete your transaction. In general the scene makes you uncomfortable.
    Online: If your machine is acting odd, things aren't running right, windows are popping up all the time and there appears to be software running that you can't identify, call your resident PC guru (but please, not me). Do not, I repeat, do not use your PC to conduct any form of financial activities. It may be nothing, but experience has taught me that it's always something. And if you've already conducted online banking or commerce activity under these circumstances I strongly recommend that you contact the involved institutions and notify them of your concerns.
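The second scenario comes down to a check anyone can do on the address bar before typing a card number. As an added illustration that is not part of the original post, the Python function below parses a checkout URL and returns the reasons it should not be trusted with payment details: a scheme other than HTTPS, credentials embedded in the address, a bare IP address instead of a named site, or a non-standard port. The URLs in the usage block are constructed examples; the function name and the wording of the findings are my own.

```python
from urllib.parse import urlsplit
import ipaddress


def checkout_url_findings(url: str) -> list[str]:
    """Return a list of reasons a checkout URL should not receive card details.

    An empty list means the address at least uses HTTPS and shows none of the
    oddities checked here. It does not prove the site is legitimate; it only
    catches the "no padlock" cases described in the post.
    """
    findings: list[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    # The "S" in HTTPS is the key character: without it the form data
    # travels in the clear and can be read by anyone on the path.
    if scheme == "http":
        findings.append("not-https: connection is not encrypted")
    elif scheme != "https":
        findings.append(f"unexpected scheme: {scheme or '(none)'}")

    # A username/password inside the address is never how a retailer
    # logs you in; it is a common way to disguise where a link really goes.
    if parts.username or parts.password:
        findings.append("credentials embedded in URL")

    host = parts.hostname or ""
    if not host:
        findings.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("host is a bare IP address, not a named site")
        except ValueError:
            pass  # a normal hostname, nothing to report

    # urlsplit raises ValueError for a malformed port such as ":abc".
    try:
        port = parts.port
    except ValueError:
        findings.append("malformed port in URL")
        port = None
    if scheme == "https" and port not in (None, 443):
        findings.append(f"non-standard port {port}")

    return findings


if __name__ == "__main__":
    # Constructed sample addresses, not real retailers.
    for sample in (
        "https://shop.example/checkout",
        "http://shop.example/checkout",
        "https://user:pw@shop.example/checkout",
        "https://203.0.113.7/pay",
        "https://shop.example:8443/checkout",
    ):
        print(sample, "->", checkout_url_findings(sample) or "no findings")
```

A clean result from this check is the bare minimum, matching the post's "at least that control in place"; the padlock the browser shows additionally depends on the site's certificate matching the hostname, which is a check the browser performs for you and this function does not replace.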

But above all else I highly recommend applying healthy doses of common sense. If something doesn't look right, feel right, present itself properly, then do something about it. I also recommend using additional measures where available. Many issuers and financial institutions provide online safeguards such as virtual credit card numbers that can only be used once, or secondary validation requiring a password. The threats are numerous, but can be avoided if you keep your eyes and ears open (and you use the best security software on the market).

Go forth and shop, but do so with caution. And if anyone wants to know what to get me, drop me an email and I'll send you my wish list.



About the Author

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.
