How to Shop Online Safely this Black Friday and Cyber Monday

Editor's note:

A Q&A with Chris Hetner, Senior Cybersecurity Expert and a Mentor at the Center for Technology Management

November 26, 2019

Many in the United States are already busy preparing for Thanksgiving this Thursday. The day after is called Black Friday, when the holiday shopping season begins as retailers offer major discounts and consumers shop for holiday gifts. Cyber Monday, which promotes online shopping just days after Black Friday, is another big day for sales. With billions of dollars spent online this season, cyber criminals seek to exploit online vulnerabilities. Cybercrimes, including hacks, phishing scams, identity theft, and computer viruses, are prevalent.

How can shoppers shop more safely online? We asked Chris Hetner, a former Senior Cybersecurity Advisor to the Chairman of the Securities and Exchange Commission (SEC) who is now a Cyber Risk Advisor to the National Association of Corporate Directors (NACD). Mr. Hetner has over 25 years of experience in cybersecurity, risk management and regulatory compliance. He is also one of our mentors at the Columbia University Center for Technology Management.

Mr. Hetner urges everyone to beware of phishing and other scams. In a phishing scam, a cyber criminal contacts the victim by email, telephone, or text message and poses as a legitimate entity in order to trick someone into opening the message, or clicking on a link that goes to a virus-infected website, or sharing sensitive data like credit card numbers or passwords. Be wary and vigilant of electronic communications you receive.

Read more of Mr. Hetner’s expert advice and tips in the interview below.

 

Online shopping is very popular and there are various devices that connect to the internet, such as computers, tablets, smartphones. Which of these devices is the safest for making online purchases?

There’s no such thing as a foolproof device. But to minimize the chances of falling victim to a cyber attack, ensure that your devices are current on software updates. Security updates use authentication to prevent attacks. You should also install anti-virus programs to keep those devices safer.

 

How can consumers make their online purchases secure?

There are many steps in the process of completing an online transaction that can be exploited by cybercriminals. All online users should be vigilant and think of the following: Device, Connection, Browser, Content, Sharing. Is your physical device secure? How are you connecting to the internet? What browser do you use to reach online content? What content do you visit or click on? What information do you share? Think about security at each of these points. This is a very busy time of the year and there are a lot of activities that can distract and lower our guard. Slow down before clicking or making transactions.

 

Speaking of the hustle and bustle of this shopping season, many consumers are shopping on their electronic devices while on the go. They may find it convenient to use the Wi-Fi at the coffee shop or on the train. Is that safe?

Be aware of how you connect to the internet. There are many places now that offer free, public Wi-Fi, like coffee shops, libraries, airports, and public transportation. They may be convenient, but they are not secure. A malicious actor can join that open Wi-Fi connection and hack devices that are on that network to steal your data and payment information. Avoid using unsecured, public Wi-Fi connections.

It is better to use a private, encrypted Wi-Fi connection, such as a password-protected router in your home or office. That said, such routers must be set up properly by following the instructions for enabling encryption and proper configuration.

 

What about using the data plan on a smartphone or tablet to connect to the internet?

When you use your cell phone's data plan, for example, it uses your telecommunications company’s secure network. That tends to be more secure than public Wi-Fi hotspots. But that takes care of just one point of security. Even if you use the data plan to open a mobile browser on your phone, you still have to make sure that the mobile browser is also secure. Make sure your device has the software updates installed and that you have the newest version of the browser.

In any browser, check that a website you are visiting has the SSL Certificate, which enables encrypted communication between a web browser and a web server. Look for the “https” in the URL in the address bar. There is an added “s” to the usual “http” to indicate that it is secure.


Many retailers have apps that make shopping easier. Are apps secure?

An app, which is short for “application,” is software that can run on devices. Apps have embedded security and provide encryption between the device and the retailer (or app creator). But apps, like browsers and operating systems, must also be updated.


What cybersecurity threat have you been seeing that online shoppers should avoid?

There is an increase in phishing scams, in which a victim is lured into sharing their sensitive information by a cyber criminal’s seemingly legitimate electronic communication. 

This is the point in the online experience where consumers need to be vigilant about the security of the content. Be alert when visiting websites and reading emails. Be wary of suspicious emails that claim to be from a legitimate website and that ask for private data and passwords. Do not click on links that you do not trust because they may lead to malicious attacks. When visiting a website, re-read the URL in the address bar and check for misspellings. There have been cases where cybercriminals cloned websites and used similar-looking URLs to trick some visitors into providing sensitive information by logging in with personal credentials or paying with a credit card. If you want to confirm a message and respond, don’t click on suspicious links, but go straight to the company’s official website by a search engine or by a confirmed URL.

By the way, if you place an order on a website, legitimate businesses often send an email order confirmation. Check that you received a proper confirmation email from the online retailer. You should also monitor your credit card activity. Check your credit history and use an Identity Theft Protection service.

 

Devices usually offer the convenience of storing a user name and password after you log in so that you can sign in more quickly on the next visit. Some also feature the ability to save credit card information for future purchases. Is it safe to store that information?

No, it’s not. Do not save credit cards in your browser history or web accounts because web attacks that steal that data are prevalent. Credit card fraud persists today, so be extra careful about sharing payment information. Use a credit card that offers enhanced monitoring so that you are alerted to suspicious activity. I actually suggest that, if possible, you use just one credit card for all of your online purchases. That allows for easier monitoring.

 

Connectivity-enabled gadgets are very popular. Health trackers, refrigerators, voice digital assistants, and other devices that are network-capable are broadly known as the Internet of Things (IoT). Should shoppers be cautious about using those IoT gadgets?

Yes, definitely be cautious because there have been reported hacking problems with IoT devices. The introduction of these network-capable devices expands the “attack surface” in which a cybercriminal can get someone’s private data. Unfortunately, there are no regulations that require manufacturers to include security in IoT devices. So, buy an IoT device from a company that you know and trust. Read online reviews. When you own an IoT gadget, protect it just as you would your computer or smartphone, by installing the latest software updates.

 

Where can we find additional information about online safety tips?

You can visit https://www.usa.gov/online-safety and https://www.us-cert.gov/ncas/tips/ST07-001 .

 



Chris Hetner is a cybersecurity expert. Read his mentor profile.