The Holidays are almost upon us once again. And that can only mean one thing – yep, its time to buy gifts at the last minute again!
But the evil underbelly of the web is lurking, waiting to take advantage of consumers’ generous spending binges. Criminals want your credit card details, your cash, your identity, your unborn child, your soul. And they will go to any lengths, including “smishing” you. Smishing is apparently sending a SMS version of a phishing scam, getting you to click on a fake link; even your phones are under attack.
Here are 10 ways to protect yourself and make sure you are the top dog when ordering online this holiday season.
The first rule of ordering online is to try to confine yourself to trusted websites. This can be Amazon, eBay, Etsy, Target, Walmart, basically the big names online. The ones with big serious reputations to protect, and who would go out of their way to ensure a seamless online shopping experience for their customers.
I realize this does a huge disservice to the smaller sellers trying to make a living, which is why, if you choose to order from backofatruck.com, you need to use the following protections.
It was not that long ago that I highlighted the benefits of using HTTPS. This is a secure web protocol which, instead of http://www.paypal.com, is https://www.paypal.com.
What does this mean? It means that HTTPS encrypts your visits to websites (ones that support the HTTPS protocol). And more importantly, it encrypts your payment details from your end to the seller’s end, ensuring that the details are not intercepted en route. This is hugely important for when you are handing over your credit card number to an unknown online merchant. You want to feel confident that there isn’t any way for those details to be stolen.
Just look for the padlock next to the web address. This means the site is secure and encrypted. No padlock? Then I would seriously rethink buying there. Or use PayPal. They have buyer protection in case of difficulties. More on that later in the article.
The previous section blends nicely into this one. Unsecured hotspots are a big no-no if you are not using HTTPS. If you go to Starbucks for your tall half-skinny half-1 percent extra hot split quad shot (two shots decaf, two shots regular) latte with whip (that’s a real order by the way), then you may be tempted to whip out the ol’ smartphone and take advantage of the free Wi-Fi. This would be a really bad idea if you are just using HTTP.
If you are just browsing the sports scores while sipping your latte, then OK fine. But if you are entering email login details, customer account login details, online banking PIN’s, credit card numbers with the secret CVV number on the back, anything official and sensitive – don’t use Starbucks (or any unsecured hotspot for that matter). Use the network provided by your cellphone company or wait until you get home and use your own Internet. If you decide to use an unsecured hotspot, then HTTPS and a Virtual Private Network are essential.
I know, I know. I keep banging on about using difficult passwords, but it bears repeating. When buying this holiday season, you are going to be making lots of customer accounts, to put in your orders. Those accounts need a password to protect all of the sensitive information you will be putting in there. Information that an identity thief can use.
Your address. Your cellphone number. Your credit card number, the card’s CVV number (the three digits on the back of the card that authenticates it), card expiry date, card’s billing address….you see what I am driving at? This stuff must be protected at all costs, otherwise someone impersonating you will be calling up your credit card company, and your bank to change the address, the password, the PIN number…..
We have previously shown you lots of ways to generate strong passwords. Personally, I use KeePass to store all of my passwords, and that includes a password generator. Just specify the length of the password, which characters you want in it, and click the Generate button. You’ll get the password, as well as an indicator of its strength, displayed in “bits”.
Wolfram Alpha also generates passwords on the fly. Simply tell it what you want. So “generate a 25 character password” (for example). You will then get the password, and even an extra 6, in case you don’t like the first one.
For those who are still resisting switching on 2 Factor Authentication (hereafter referred to as 2FA), my question would be “in God’s name, why?”. Yes it’s a pain in the ass having to log in twice, but it makes it extremely difficult, perhaps even impossible, for intruders to break into an online account if 2FA is enabled.
Not all sites support it though. This enormously helpful site tells you if your preferred sites use 2FA or not.
For those of you not in the know, what is 2FA? Consider this analogy. A burglar is trying to break into a house, and after much effort at picking the lock (the account password), he succeeds. But his triumph is short-lived when he opens the door and sees a keypad on the wall in front of him. The keypad demands a code, in order for the person to pass, otherwise forget it buster. That keypad demanding a code is 2FA.
After putting in your password, your temporary 2FA code (it’s generally only available for approximately 30 seconds) comes via either a SMS message on your phone, or via a smartphone authenticator app. The most widely used one is one made by Google, called Authenticator, as well as another called Authy. Type in the 6 digits it gives you, and you are in.
Many banks and big shop chains have 2FA for their online customer accounts. When shopping this holidays, PLEASE switch on 2FA. Otherwise you run the risk of your account being hacked, and your credit card details out there “in the wild”.
When it comes time to go to the checkout to pay, you need to give serious thought as to how you want to pay. If it is a big name merchant – Amazon, Barnes & Noble, Walmart, etc – then you can quite safely give them your card details. But the smaller sites….I would recommend going with Paypal.
A couple of months back, I had a HUGE dispute with a company in China who sent my wife a sub-standard knockoff of a product. They refused to refund the money, but then I filed a payment dispute with PayPal through their Buyer Protection Program. I had paid with PayPal, so I was automatically covered. PayPal diligently took my side of the story, took the company’s side of the story, and rapidly came to the conclusion that I was in the right. They immediately initiated a refund, and I got my money back within 2 business days.
So the moral of this story is – if you see a PayPal logo on the checkout page, USE IT! I know some people hate PayPal with a passion, but it has never let me down personally. Until it does, I will continue recommending it.
Credit card companies themselves obviously investigate clear cases of fraud, and will initiate chargebacks if necessary. But I have been through the PayPal process, and the credit card process in the past. To me, PayPal has seemed much faster and much more efficient.
The other day, I bought a Christmas item online and it asked me the following question :
“How old are you? Letting us know your age helps us personalize your online experience”.
I’m sure you’ve seen this chestnut before. They want to know everything there is to know about you, including age, occupation, race, and what color of underpants you have on today. When I go to my local computer store, the checkout operator asks me for my zip code. When I refuse to give it to her, she throws a tizz. So I give her a zip code from hundreds of miles away, and she wonders why I came all the way from Hamburg for a USB stick.
Companies are obviously doing this to make profiles of their customers. Profiles that they can then sell on to marketing companies, who’ll sell it on to others…..suddenly that embarrassing purchase that you thought was private, comes back to bite you in the ass when you start receiving “targeted ads”
The Golden Rule here is to give companies the minimal amount of information necessary. If they ask for a phone number, give them your cellphone number. If they ask for that underwear color, tell them you’re not wearing any today.
According to countless studies, mobile devices are taking over the world. People are eschewing the traditional desktop computer, and instead gravitating towards mobile devices, including phones and tablets.
Everyone can see this trend, including criminals. This means they are rapidly modifying their scams to adapt to the mobile device landscape. I mentioned at the start of the article about smishing. Well, there are others you need to worry about, apart from a dodgy looking text message. That phone knows everything about you, which makes it a target-rich environment.
Malicious apps are on the increase, which take more permissions than are needed, when you install them. Do you honestly look and think about it when the app tells you what information it’s taking?
Obviously Google is vastly different than your average underworld thief making his own malware app. I just used the Gmail example as this was the first one which came to hand. But as you can see, each app lays out exactly what they will be looking at – and the vast majority of people click the “Accept” button without even thinking about it.
Another example are QR codes. I like QR codes. I have one on my business cards. They are easy to make and you can fit a lot of information inside one. But therein lies the problem. Unsavoury individuals are inserting malware links into QR codes, and when people scan them with their phones, suddenly they have got the malware. So be very wary about what QR codes you scan when out shopping.
Viruses from crooks can come in a variety of forms. Email phishing is a highly popular one, getting the customer to click on an infected link, so that their computer can become a botnet and join the Borg Collective.
On a regular basis (say, every couple of days), run an anti-virus and anti-malware scan. I looked at some good security tools recently, and people started emailing me, scolding me for not including Avira. I’ve since tried it out and I have to admit it has me thinking about ditching AVG finally. Plus Avira is German, so I have to support the locals.
Also, run MalwareBytes AND Spybot Search & Destroy. Each one tends to overlook at least one thing that the other manages to find. Don’t ask me why that happens.
Finally, be extremely careful when going to pick up something from a seller in person. You might think you are smart saving those shipping fees from that Craigslist poster. But what if the “seller” happens to be an uncontrollable psychopath off his meds?
Just practise some common sense. Don’t get into a stranger’s vehicle. Don’t meet at their home or any dark alleyways. Instead, meet in a very public place, such as a shopping mall. Or a Burger King. Always tell a friend where you are going and when you are going. And ask them to check later to see if you got back OK.
To paraphrase Donald Trump, some sellers are criminals, but I’m sure the rest are good people. But you never know if you will be unlucky enough to draw the short straw and get the loonie.
I know what is going to happen now. You are all going to march to the comments section and accuse me of being paranoid. But seriously, what’s better? Being on hold to your credit card company on Christmas Day, or eating cake? I know which one I would prefer.
Image Credits:Internet Theft by David Evison via Shutterstock