By Paul Ducklin
With the festive season upon us, most e-commerce sites will tap into the festive spirit, hosting big sales and offering various deals on their platforms to drive sales. Unsurprisingly, however, it’s also a time to be alert for “deals” that are no such thing. If you’re incautious in your zest to score a “bargain”, you might not only lose your money on an item that never shows up, but also get phished or scammed out of your credit card number, passwords or other personal information.
Hackers will take advantage of the heavy traffic on e-commerce sites to swindle unsuspecting consumers, which makes it imperative for shoppers to be aware of safe cybersecurity practices while shopping online this festive season.
Here are six tips to stay safe online, whether you’re shopping for bargains because it’s the festive season, or shopping online because that’s become an unavoidable part of your 2020 lifestyle.
TIP 1. Write down contact details for your financial providers. It’s just a few minutes’ work to make an old-school written copy of the emergency contact numbers and email addresses for organisations such as your bank, card issuer or insurance company. That way you will have access to them even if you lose your payment card or your phone gets stolen. Make sure you never need to rely on contact details that arrived in a message from someone else – after all, if the message was fake, the number or email address will be fake too and will lead you straight back to the crooks.
TIP 2. Learn about account lock features offered by your bank or card issuer. These days, many banking apps have a “quick lock” option that allows you to freeze and unfreeze access to your account or payment card in seconds. In an emergency, such as if you think you put your card number into a phoney site or you misplace your card, you can block access to it right away, even before you call up to ask the bank for advice. (And see tip 1.)
TIP 3. Learn how to clean up your browser’s autofill storage. Modern browsers try to help you by automatically remembering and storing details such as passwords, credit card numbers and even addresses. In many browsers, these autofill features are turned on by default, which may not be what you want. Learn how to review how much personal data your browser has kept up its sleeve in case you need it again. You may find that you want to delete some of it so that it’s no longer in what’s often called “near on-line” storage. (See below for where to look in various browsers.)
To check how much your browser is saving for convenience when you browse, look through the Settings or Preferences screens from the browser’s main menu. In Firefox, check Preferences > Privacy & Security > Forms and Autofill. In Chrome/Chromium, see Settings > Autofill. For Safari, go to Settings > Safari > Autofill. In Edge, look at Settings > Profiles > Payment info.
TIP 4. In the US, learn how to apply a credit freeze. The US and some other countries require credit reporting agencies to let you apply a so-called “credit freeze”. Simply put, this stops anyone from doing a credit check on you, which will stymie any attempt to take out a loan or get credit in your name. Of course, the freeze also applies to you yourself, so if you want to take out a loan you will need to unfreeze first. But that extra hassle can be well worth the peace of mind of knowing that you have made it much harder for the crooks to suck you into debt without you even realizing.
TIP 5. Consider using a pre-paid debit card for one-off purchases. If you’re determined to purchase from a retailer you don’t know much about, a low-value pre-paid debit card can help you limit your risk. A $50 pre-paid card, for example, reduces your exposure to that very $50 amount (when the money is gone the card simply stops working), and isn’t linked back to any of your other accounts.
TIP 6. Turn on 2FA wherever you can. 2FA, short for two-factor authentication, usually refers to those one-time login codes that you need to type in together with your username and password when logging in. This can be annoying at times, and it means that you can’t log in on your laptop if you don’t also have your phone handy, because most services rely either on a one-time text message to your phone, or a special mobile app, for supplying the needed codes. But that small extra hassle for you makes it very much harder for the crooks to mess with your accounts, even if they figure out your password. (And see tip 4.) Be especially careful with your email account, by choosing proper passwords and using 2FA if you can.
These days, many of you probably don’t make much use of email in your day-to-day life, preferring app-based instant messaging services instead, such as WhatsApp, WeChat, Instagram, Signal and Telegram. But your email account is still likely to be the channel for password resets on many of your other accounts. In other words, crooks who take over your email account can not only prey on your friends and family under cover of your identity, but also attempt “account resets” for many of the other online services you use.
(The author is Principal Research Scientist at Sophos and the views expressed in this article are his own)