Last year, Black Friday took on a new meaning for many Americans when Target point-of-sale systems nationwide were compromised resulting in the theft of more than 40 million payment card numbers. Throughout 2014, companies including Neiman Marcus, Home Depot, PF Chang’s, Goodwill Industries, Supervalu Supermarkets, JP Morgan Chase, Sally Beauty Supply, and K-Mart also announced they had been breached. This frequency and scale have us all thinking “Who’s next?” As a result, you may be wondering, “What can I do to protect myself this holiday season?”
With Black Friday and Cyber Monday quickly approaching, consider me Buddy the Cyber Elf, here to spread Christmas cheer by sharing some simple cybersecurity tips for all to hear.
#1: Be Password Smart
I am going to share one of my wife’s dirty little secrets … are you ready? She uses the same password for multiple sites. I know, right?
It doesn’t matter how many times I tell her to use different passwords and rotate them, she doesn’t listen. She usually says something like “Why would hackers care about my Pinterest password? Do they want to see what projects I have planned or cupcakes recipe I want to try out?” I calmly and in a totally non-sarcastic manner tell her that it is indeed highly unlikely that hackers want to access her Pinterest account. However, they would like to have her Pinterest credentials because of the likelihood they could use them on other sites that would be a source of financial value.
Human beings are creatures of habit. For example, we all have a favourite coffee cup, we like a particular brand of running shoe (I’m a Brooks man myself), put on our pants with the same leg first every time (left leg for me), and towel dry after a shower or bath in the same pattern (that’s personal). This is basic human behaviour. Hackers know this, and fully expect (and even count on) people to use the same credentials on sites like Pinterest as they do for online banking site, PayPal, Facebook, or online gaming. So by harvesting credentials from softer, low-value targets, they will gain valuable intelligence that will allow them to compromise harder, higher-value targets.
To combat this type of attack, don’t use the same password over and over again on multiple sites. Some good tips are to pick a theme, and use word permutation. For example, in the past I have used comic book character names and phrases, and I’ve replaced letters with numbers or special characters. This concept yields passwords like W0!v3r3neSn1kt, H@mmer0fTh0r!, L0n3w0lfandCub!, Th3Gr33nLant3rn, and Th3Sh@d0wkn0ws. These are much easier to remember than random strings of letters and numbers, and you can easily rotate them every 90 days (there are plenty of comic book characters to choose from).
You might also use a password journal (http://www.amazon.com/Personal-Internet-Address-Password-Book/dp/1441303251/ref=sr_1_1?ie=UTF8&qid=1416927633&sr=8-1&keywords=internet+password+journal) or a tool like Password Safe (http://passwordsafe.sourceforge.net/) or KeePassX (http://www.keepassx.org/). These resources will aid you in maintaining passwords and other personal security information, but remember that they become a single point of failure—so don’t drop your password journal on the bus.
#2: Use Credit Cards Instead of Debit Cards
During payment card transactions, the point-of-sale (POS) or ecommerce systems don’t make a distinction between debit and credit card numbers. If you are conducting a “card present” transaction (meaning you are in physical possession of the card and swiping it at a payment terminal), the data the terminal reads is the same whether you run the transaction as a credit or debit purchase. The only thing that changes is with debit transactions, the POS terminal requires your personal identification number (PIN) for authorization. (I don’t want to frighten you too much, but if the POS terminal has been compromised, your PIN is also susceptible to theft).
For ecommerce or card-not-present transactions (meaning the vendor does not physically have the card in their hands), the only information the vendor usually needs is the primary account number (PAN), the expiration date, and a card verification code (the little three-digit number on the back of Visa, MasterCard, and Discover cards, and the four-digit code on the front of American Express cards). I say “usually” because some ecommerce sites only require the PAN and the expiration date.
Your PIN and card verification numbers are not present on the magnetic stripe on the back of your card, so attackers cannot steal them in point-of-sale breaches. However, some ecommerce merchants store card verification numbers after customers have made purchases, so these can also be harvested by attackers.
So, if you use your debit card to do your holiday shopping, and one of the places you shopped at gets breached, your debit card number will be taken. If attackers use that number fraudulently, the money will be GONE from your bank account. The bank will eventually refund it to you, but it can two weeks or longer, depending on the holidays and the number of refunds they have to do. In contrast, it is exponentially easier for a credit card company to make the necessary adjustments to your credit card balance, which does not require an electronic transfer of funds to your bank account. These refunds take only a couple of days and more importantly, do not impact your bank balance.
#3: Check Your Statement Daily
While each of the major card brands and most banks have fraud monitoring systems, they must parse through massive amounts of data from every cardholder in the world. Additionally, carders (hackers who steal, buy, sell, and exploit stolen payment card data) build intelligence into their fraud execution patterns to try and avoid detection. This has proved a significant challenge for financial institutions.
You can speed up this process by checking your account transaction logs daily during the holiday season. Just about every bank provides internet banking and a mobile application, so doing this has become pretty simple. You know where you shop and what you buy. So if a transaction appears that you are not familiar with, call your bank’s fraud hotline (the number is usually printed on the back of your card) immediately. Who knows, you may be one of the first people to report the fraud and help the authorities catch some bad guys!
#4: Track Your Packages
As more consumers do more shopping online, shipping theft has become a very common and lucrative crime. Criminals monitor neighbourhoods to determine when courier companies make deliveries and when people leave to go to work, take kids to school, etc. Then, when the deliveries are dropped off at the door, they swoop in behind the trucks and swipe the packages.
Preventing this type of crime isn’t rocket science. Pay attention to when packages are scheduled to be delivered and make sure somebody is home to receive them. If you can’t be there, ask a friend or a neighbour to watch for deliveries and pick them up for you. Also, be aware of vehicles that don’t seem to belong in your neighbourhood and report any suspicious activity to your local police department.
#5: Anticipate a Breach and Change Your Passwords and Cards After the Holidays
Based on the number of payment card breaches recently, there is a high probability that more will follow this holiday season. Assume that someplace you shop or dine will be breached. Proactively request new cards (for whichever cards you used for your holiday shopping) and change any passwords for your financial service providers. This will be inconvenient and require some effort, but if you plan for it you can make the changes with relative ease.
Unfortunately, none of these suggestions is 100% guaranteed to prevent a data breach or stop you becoming a victim of payment card fraud. But they will decrease the chances and help to lessen the impact on you. The responsibility for protecting your data is in the hands of merchants and service providers. Hopefully they are doing their due diligence and being responsible custodians of your information.
Have a safe, happy, and healthy holiday season!