Its that time of year where once again we are rushing and stressing to have the perfect holiday season. Many of us are shopping, and to save time and given the supply chain problems of the last year, many of us are shopping online. We are also re-connecting and socializing with many of our friends and relatives with much of this being done online also. One result of all this holiday bustle is that we become susceptible to cyber criminals and fraudsters. In this post I will remind you of all the things you should be doing to maintain good cyber health and to help ensure a happy holiday!
Traditional Things to do:
Ensure you shop on the store’s real web site. Check the web address to make sure it is from the real store, if there are a lot of numbers or other characters in the address it is probably fake. Best practice is to type the name of the store into your browser and it will pull up the real website. Using a fake website allows hackers to copy your purchase details from transactions done on their website.
Don’t make payments using a public network. A public network is what you find at the airport or the coffee shop. While these networks are free, they are also open meaning that all the users logged into the network can see all the other users devices. This can open you up to being spied on by the other users.
Ignore emails that tell you that you must click on the link to update your information or your account will be cancelled. No legitimate company will do this. If you are concerned, don’t click the link but instead log into your account through your regular website access and check your account.
Ignore all calls that tell you that they are on the way to arrest you or a loved one unless you make an immediate payment, again, these are all fraudulent.
And There’s More:
Do not input or give out your social security number, drivers license number, birthday, or information not needed to do a purchase. They are just collecting data on you to potentially use later in a social engineering attack.
When making an online purchase make sure the payment site either starts with https instead of http or has a locked padlock to the left of the web address. This indicates that data is transmitted encrypted so it won’t be read by hackers
Don’t use passwords, use passphrases. A passphrase is usually 16 to 20 characters that constitute a phrase that is easily remembered. Change a few letters to symbols such as 0 for o and 1 for l. Do this and you don’t need to change the passphrase on a regular basis. If you use passwords make them strong by using special characters in the password.
Use malware and virus protection on your devices and keep it updated.
Monitor your accounts frequently to ensure there is no unexpected activity on them.
Some New Considerations
COVID has caused some changes to online business. The biggest is the rise of contactless payment systems. These systems are fine but now is the time to keep these payment cards in a rfid protection wallet. The concern is that there are hackers walking around with readers in their pockets that can possibly read your card data just by being near you. Rfid wallets block electronic access to your cards.
The rise in the use of QR codes has created shortcuts to web pages. Unfortunately, hackers are using QR codes to get you to come to their websites rather than the official websites. Best practice is to never access a unlabeled QR code. Only access QR codes that are clearly labelled with the website to which they connect, and even then, be wary. I am not a fan of using any QR code as the QR code directly opens the website to which its attached and runs the website code on your device and in this process, will download any malware loaded on the website to your device.
Don’t accept friend or connection requests on social media without first validating that they are real people and that you know them or that you have a legitimate reason for connecting. The first step in every cyber attack is to make an initial penetration. A hacker who gets you to admit them to your social network gains some of your trust just by being a part of your network plus they can now see your personal posts. Seeing personal posts gives them more knowledge of you that they can then use to earn even more of your trust.
Be wary of anyone in your network that wants you to like or visit a website. Many times getting you to go to a website is a way of getting you to download malware. Additionally, don’t trust QR codes from contacts in your social network unless you know the contact well, and they are known to use QR codes.
Any post or request from a member of your social network that seems to be out of character for that contact probably is and should not be trusted without further validation from that contact. Seek that further validation through methods other than the social media account the original request came from. I mention this in this blog post because the holidays are the time we all seem to reach out and connect with old friends, thus generating a lot more social media activity.
It’s this additional and heavy social media activity that provides hackers with the perfect cover to send out fake requests in the hope that you will be so overwhelmed with requests that you’ll just click accept and let them into your trusted social network.
Food For Thought
Many of our family will want electronic gifts and will receive them. Once received the tendency will be to rush to use these gifts. The danger comes from using poorly setup devices. Some suggestions:
Include malware and virus protection software with all communication devices and make sure it is installed prior to connecting the device to the Internet. A new device will be discovered by hackers and subject to attack within 5 minutes of being connected to the Internet. Don’t connect and use unprotected devices!
Some Post Holiday Guidelines
Be careful with new voice based assistant devices such as Alexa. These are voice activated devices and constantly listen to conversations for commands. While these devices do not record and retain these discussions (per vendor claims), they do have them for several seconds. You and your family need to understand what activation words and commands are and be aware of using those words in regular conversation.
Be careful with new smart/IoT devices. These devices connect to Bluetooth and the Internet and will store data about your use of the device on storage repositories owned by the company that sold the device. Most of these devices have options to turn off external communications. Smart/IoT devices are a wide range of products including coffee makers, refrigerators, doorbells, baby monitors, toys, yoga pants, massagers, games, fitbits, etc. Additionally, these devices are subject to attack by hackers and are poorly protected, allowing hackers to take control of the devices and use them to conduct further attacks. Take the time to read the instructions and do not simply plug them in and turn them on.
As your new gifts replace older devices be sure to remove data from the older devices before discarding, selling, or donating them. Be sure to erase phone and gps data stored in cars. Same for phones and if possible, remove sim and memory cards. Computers should be reformatted or at the minimum remove memory storage such as internal hard drives. Game consoles and toys should be reviewed for any data on them and that data erased. Review where smart/IoT devices/appliances send data and delete those accounts
The holidays are a joyous time spent with family and friends. Our tendency is to focus on the fun and not the danger. Be vigilant while shopping, pay attention to your accounts and to requests for information. After the holidays be vigilant in removing data from older devices that are being replaced. Do all the this and all the above and your chances of having a joyous holiday without a cyber attack are greatly increased!
Murray E. Jennex, Gensler Professor of Computer Information Systems, PVECOB, West Texas A&M University