iPad&iPhone user

Security tips

Steve Ragan explains how to keep your money, gadgets and personal details safe this Christmas

As far as theft and fraud are concerned, you face (and willingly accept) a moderate amount of risk when you shop online or out in your local neighbourhood. This holiday season is no different, but the risk is somewhat elevated, because criminals are looking for easy marks and low-hanging fruit.

With that said, here are a few tips to help you keep your money, gadgets, and information safe this holiday season, as well as the year ahead.

Card skimming

While shopping, or stopping for fuel, be mindful of credit card skimmers that can copy or read your card data as you swipe. Criminals use the captured information to create fake cards or go shopping online. The skimmers can be attached to a cash point, or even installed inside of a petrol pump.

So how do you spot a skimmer? “Look for glue around the edges of the card reader or an extra thick border. If in doubt, give the card machine a tug, a skimmer will pop right off,” explained Dan Tentler, the founder of Phobos Group.

Support scams

Support scams happen year-round, but they’ll peak around the holiday season.

Often the goal is to get consumers to pay for support or software they don’t need, but sometimes the goals are more sinister. CSO has covered support scams before, including one where the caller pretended to be a Microsoft representative.

It isn’t a stretch to imagine scammers placing calls to fix the new computer that’s just come into the house – eventually they’ll get someone on the phone who did honestly purchase a new system.

Scammers will also pretend to be your bank at this time of year, calling or emailing to resolve security concerns. But neither Microsoft nor your bank will ever call or email you to address security concerns or support issues. On the rare occasion that your bank does call about a security matter, they will not ask for credit card details, passwords, or other personal information – they don’t need to, because they already have it.

“Never give any sensitive information over to the phone callers,” advised Tentler, adding that when scammers contact you by phone, they’ll usually hang up if you call their bluff and ask for their number in order to call them back.

Phishing

Phishing attacks are another threat that spikes during the holidays but exists throughout the year. Criminals will pretend to be big-name retail outlets or financial institutions and request information via email or offer special savings, as long as you open an attachment or follow a link. You should never click links inside of a random email, and unless you were expecting an attachment, you shouldn’t open those either. If you’d like to see what a URL does without visiting it, Tentler says, copy the URL and submit it to urlquery.net.

Another nasty type of email-based attack to be on the lookout for, which has affected millions of people this year already, is called ransomware. Ransomware essentially holds your computer hostage, rendering it useless unless a fee is paid. In the fourth quarter of 2016, millions of emails were sent by criminals with ransomware as attachments.

Public Wi-Fi

Wi-Fi access is a convenient way to save yourself from paying massive overage fees to your mobile provider, but there’s a risk involved when it comes to public Wi-Fi. Criminals can create malicious access points, or hijack access points that were poorly configured. In fact, creating a fake access point and tricking people into connecting to it is literally child’s play, as a 10-year-old proved this summer during DEF CON.

If you don’t need Wi-Fi while out running errands, then you should avoid connecting to any of the access points listed. If you do need Wi-Fi, then using a VPN (virtual private network), and sticking to websites that use SSL is a way to lower some of the risk, but it won’t eliminate it completely.

“[A VPN] will securely transport your traffic through the network you’re currently on, into another one. This makes it extremely difficult for coffee shop networks, or attackers targeting your mobile phone to perform what are called man-in-the-middle (MITM) attacks. VPNs are handy to have while travelling abroad, or sitting in coffee shops,” Tentler explained. If you’re looking for VPN options, F-Secure has Freedome VPN, and there are services from Buffered VPN and IPVanish.

Unless you’ve configured it yourself, each VPN offering will require payment. Remember the golden rule: if you’re not paying for the product, you are the product. So avoid free VPN offers if possible. If you are using public Wi-Fi without a VPN, you should avoid conducting any banking or online shopping, as it’s usually safer to do such things from home.

Gifts from the Internet of Things

“Be careful what brands of equipment you buy for people [this holiday],” said Tentler. “In the last month, cheap Chinese routers, DVRs and IP cameras have been compromised and used in massive worldwide DDoS attacks. Make sure your gift for a family member doesn’t turn into a weapon for an attacker.”

You can do this by ensuring that the default password on the device is changed. Not only is this a good security precaution to take all year long, but doing so will keep criminals from taking control of the device with little to no effort.

System and software patching

“Let your operating system patch itself,” Tentler said. “On OS X and Windows 7, Windows 8, and Windows 10 this is mostly automated. Just let Windows do its thing. If it has been a while, go and manually install updates, just to make sure you’ve got the latest and greatest.”

Not only are operating system updates important, but browsers such as Firefox and Chrome will need to be regularly updated as well.

Firefox will install updates automatically, but you’ll need to restart the browser to apply them. You can check for updates in Firefox by clicking Help, then selecting About Firefox.

Chrome will also update automatically, and you’ll know updates are ready by the green icon on the upper right of the browser window.

Ad Blocking

These days, you need an ad blocker. Not only that, you’ll need to limit the number of websites added to the blocker’s exemption list.

Criminals are able to leverage ad networks in order to display malicious ads, often leading consumers to exploit kits that deliver Ransomware or other malware to the system.

Imagine browsing the web on Christmas morning, only to have that new computer bricked because an ad on a website redirected you to a website serving the Locky family of ransomware. If your system isn’t updated, and you’re not using ad blockers, this is a real possibility.

uBlock Origin is the ad blocker preferred by most, as Adblock Plus will still show ‘approved ads’ – something that defeats the purpose of ad blocking entirely.

Two-Factor Authentication (2FA)

2FA, or Two-Factor Authentication, is where you need your password in addition to a code that’s usually delivered to a token or via text message to your phone. It’s better to use a token, but service providers often stick to text message.

With 2FA enabled, simply knowing your password won’t be enough if a criminal wants to access an account. However, if the criminal can intercept your text messages, or if they control your phone, the protection offered by 2FA is rendered useless.

“Set up 2FA everywhere you can, don’t make it easy for bad guys to get into your stuff,” Tentler explained. “Consider setting up a Google Voice number, and using that Google Voice number for SMS-based 2FA. Do not share this Google Voice number with anybody. Use it only for your own, private two-factor authentication.”

Not every website you have an account on offers 2FA, but some do. At Turn On 2FA (turnon2fa.com), you can get step-by-step instructions for enabling this layer of security on most of the larger, more popular websites.

Check your statements

Check your credit card and bank statements. You should be doing this all year long, not just during the holidays, Tentler said, so you can “watch for shady things appearing on that list.”

Look for charges you don’t know, or smaller charges at places you normally shop. When testing a card, criminals sometimes make a small purchase, usually less than £10, as such things aren’t flagged, and people usually don’t notice them.

Common purchases for testing include fuel, fast food, grocery items, and gift cards.

RFID protection

RFID cards, sometimes branded with the name PayPass, Blink, ExpressPay or PayWave, allow you to charge things with a quick tap of the card on the pay terminal. Unfortunately, these cards have RFID (radio frequency identification) chips that criminals with a reader can scan, allowing them to capture your card’s data. You can protect them, though, by using an RFID-blocking sleeve or an RFID wallet.

“RFID wallets are available on Amazon, ThinkGeek, and several other sites that sell geek-style toys. They’re pretty readily available, and they shouldn’t hurt anything other than attackers with the intention of stealing credit card data directly out of your wallet wirelessly,” Tentler said.

The good news is you would notice a criminal scanning you for RFID. Homemade RFID scanners don’t have a good range, and you’d notice someone standing in a room with a giant antenna.
