Don’t Let The Grinch Ruin Christmas: Top Tips To Stay Safe Online This Black Friday

Pay Cash

With the Christmas holiday season around the corner, eager shoppers will be prowling the high streets as they look to secure some fantastic deals, making it the busiest period for shopping in the year. To avoid the huge crowds of people and the hours spent on waiting in zig zagging queues, many will be doing their shopping online especially around Black Friday and Cyber Monday. Although online shopping is considerably more convenient it also has many risks with cyber criminals looking to prey on sale-driven customers.

Here are some tips to follow to avoid an online Grinch ruining your Christmas:

1. Pay In Cash, Otherwise Use Chip & PIN

The safest way to pay in a brick and mortar store is to use cash. It is a physical medium which requires no interaction with the internet, where cyber criminals can lurk in any corner of the world. If you are forced to use a credit/debit card for a transaction, using the Chip and PIN method of payment is much more secure than swiping the magnetic strip. Magnetic stripe is by far the riskiest of all the technologies due to the fact that the credit card data is processed by the terminal in memory in clear-text, as the credit card number has to be sent to the payment processor to extract funds from the account.

The way magnetic stripe transactions keep your account safe is mainly due to encrypting the traffic as it is sent between merchant and payment processors.  As a customer, you have little control over protecting your account besides keeping your card number a secret.

Chip & PIN and other contactless payment systems such as Android/Apple/Samsung Pay have more protections in place to hide the credit card information from those seeking to steal it. Creating one-time tokens for each transaction tied to the card number or account holder, the attacker cannot do anything with that information. The card number is not in the token, and the token cannot be replayed to try and extract additional money from the account. The move to this payment style at merchants has been to reduce fraud from attackers stealing and re-using credit card numbers.

2. Make Sure Website Is Encrypted

It is absolutely critical to make sure the website you are entering your card information into is encrypted. This can be denoted by the HTTPS and/or green lock near the address bar of the browser. Unencrypted traffic can be easily viewed by anyone watching. More importantly if a website isn’t encrypting their website in 2017, let alone their payment processing page, then they cannot be trusted to handle your credit card information properly either.

3. Apply General Safety Habits

General safe internet habits also apply to online shopping. If you wouldn’t go to a shop that openly takes note of your PIN, don’t do it online either. Only enter in your credit card information into trusted and reputable sites, don’t click on unsolicited links, and do not do online shopping while you’re logged onto public networks (i.e. – your local coffee shop). We are constantly under the threat of attack from people trying to steal our information. The best way to stay safe is by constantly keeping your guard up.. If a website or retail terminal doesn’t seem right, it may be best to just walk away.

4. Use Online Payment Services

The downside that Chip & PIN has over something like PayPal or Venmo is with “card not present” transactions, for example buying a pair of shoes from Amazon. For credit/debit cards, you still need to enter in your credit card number regardless if you have a chip enabled card or not. This opens up the risk of an attacker being able to steal the credit card information while it is in transit between your computer and the online retailer. A technology such as PayPal or Venmo, for example, will reduce the footprint of where your credit card information is processed between, thereby reducing your risk of having your credit card information stolen.

That being said, card not present transactions are still where the majority of credit card fraud will take place now that the US has made the switch to chip based cards. Even though PayPal, Venmo, Android/Apple/Samsung Pay, and other contactless or app based payment systems are more secure, if your credit card number is stolen these technologies will not protect you from card not present fraud. So the number one recommendation is to keep your credit card number safe, no matter what method of payment you choose to use.

Travis Smith

Travis Smith is a Principal Security Researcher at Tripwire. He has over 10 years experience in security, holds an MBA with a concentration in information security, and multiple certifications including CISSP, GIAC and GPEN. Travis specialises in integrating various technologies and processes, with a passion for forensics and security analytics with the goal of helping customers identify and mitigate real threats.