
Make Black Friday and Seasonal online shopping secure!

23 November 2015 by ProCheckUp Team

With Black Friday and Cyber Monday approaching, we thought we would send out a little reminder of things to look out for if shopping online...

First, a little history in case you're not familiar with the terms: Black Friday is the Friday after Thanksgiving Day in the US. There are different speculations as to why it is called black Friday; one of which is that retailers often operate at a financial loss and are in the red from January through to November. Black Friday indicates the point at which retailers begin to turn a profit, and are 'in the black'.

Retailers in the US have been marketing and milking this day for years now, with early and late opening times, and sales to die for (sometimes literally) in store and online. Inevitably, this trend made it over the puddle to the UK and companies like Amazon enjoy their biggest selling day of the year on Black Friday (selling 5.5m items on that day alone in 2014).

The term Cyber Monday refers to the Monday following Black Friday, when latecomers to the party go looking for bargains online. Both of these days see a massive peak in online sales. For example, shoppers around the world are reported to have spent $300m in Bitcoin alone during Black Friday and Cyber Monday.

Retailers aren't the only ones to milk this mass consumerist weekend for all it's worth... hackers are joining the party too.

So, as a consumer, what should you look out for?

  • Phishing emails

Some are really obvious due to their poor grammar, spelling and/or formatting, the way they ask you for the bank details of the account containing the most money, or too-good-to-be-true offers of 100 donuts for the price of 1. However, some are a little trickier to determine. If you are unsure, and the email is of no interest to you, simply move it to Junk or delete it. You may be tempted to send a reply telling them where to go, or asking them to somehow verify their identity; don’t. Doing this will only confirm that your email account is active, and will result in you being bombarded with many more spam emails. Also, do not be tempted to click on ‘unsubscribe’ if it is offered, as unsubscribing you is likely to be the last thing it will do.

If you think the email may be legitimate, but are unsure, do not be tempted to click anywhere in the email to see where it takes you. If it takes you to a malicious site, your entire machine could be compromised by malicious software. The same goes for attachments: do not be tempted to open any if you are even slightly suspicious of the email.

If you’ve received an email containing anything of interest, contact the company directly and ask if the offer is genuine. If you do contact the company, make sure you find their contact details on their official website, and not through any mentioned in the suspicious email.

If the email has come from a friend, but contains suspicious content, let them know right away so that they can change their password for the compromised account.

All of the above advice applies to text messages too. 

  • Encryption

Before entering any sensitive information such as your username and password, or your bank details, make sure the site is going to securely encrypt your details for their journey, i.e. make sure the site is using HTTPS as opposed to HTTP, and has a valid digital certificate. The screenshot below shows what to look for:

[Screenshot: Firefox address bar showing ‘https’ and the locked padlock]

The screenshot shows how it will look in the Firefox browser, but the format is the same for all browsers. In short, look for ‘https’ and the locked padlock. Note that on some browsers, it is necessary to highlight the URL in order to view the protocol in use.
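As an added example (not the post's own code), the Python below applies the same two tests a browser makes before it shows the padlock: the address must use https, and the site's certificate must validate for that host name against the system's trusted CAs. The shop addresses are constructed samples; the certificate check needs network access, so `check_cert=False` lets the protocol check run on its own.

```python
import socket
import ssl
from urllib.parse import urlsplit


def classify_url(url: str) -> str:
    """Return 'https', 'http', 'missing_scheme' (typed without a protocol,
    which some browsers hide in the address bar) or 'other' (ftp:, mailto:)."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if not scheme:
        return "missing_scheme"
    return scheme if scheme in ("http", "https") else "other"


def certificate_is_valid(host: str, port: int = 443, timeout: float = 5.0):
    """TLS handshake with chain and hostname verification, as a browser does
    before showing the padlock. Returns (ok, reason). Needs network access."""
    context = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"could not establish TLS: {exc}"
    return True, f"valid certificate, expires {cert.get('notAfter')}"


def safe_to_enter_details(url: str, check_cert: bool = True):
    """Decide whether card or login details should be typed into this URL.
    Returns (ok, reason). check_cert=False skips the network handshake."""
    kind = classify_url(url)
    if kind == "missing_scheme":
        return False, "no protocol shown; retype the address with https://"
    if kind == "http":
        return False, "plain HTTP: details would travel unencrypted"
    if kind == "other":
        return False, f"unexpected protocol: {urlsplit(url).scheme}"
    parts = urlsplit(url.strip())
    if not parts.hostname:
        return False, "no host name in address"
    if not check_cert:
        return True, "https in use (certificate not checked)"
    return certificate_is_valid(parts.hostname, parts.port or 443)
```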

  • Outdated software

Keeping your software up-to-date will help prevent attempted attacks from being successful. If, for example, you are tricked or enticed into visiting a malicious website which relies on an outdated, vulnerable version of Java being in use, the attack may not succeed if you have the latest stable release installed.

  • Firewall and anti-virus

Ensure your firewall is on, and you have anti-virus software installed whenever browsing the web.

  • Opt not to store bank details

Often websites will ask if you want to store your bank details to save you re-entering them next time you log in to buy something. My advice would be to uncheck that box. If your user account for the website is compromised (for example, by someone guessing your password), or if the website itself is compromised, so too are your bank details. The fewer sites holding your financial information, the better.

  • Browser anti-phishing facilities

Most modern browsers have anti-phishing functionality that you can utilise which will attempt to prevent you from visiting and interacting with potentially malicious sites.

  • Provide the minimal amount of information required

Often when registering or checking out there are fields marked with a * to indicate that they are mandatory. I would advise filling in only these and no more. The more information you provide, the more there is to either be compromised or passed on to other companies.

Lastly, if you do a lot of shopping online, perhaps set up an email account dedicated to shopping accounts. Also, it is good practice to get into the habit of checking your debit/credit card statements afterwards just to make sure no fraudulent activity has occurred – especially if you have purchased goods from lesser known websites.
