SAN FRANCISCO -- In the rush to get holiday shopping done, it's too easy to take shortcuts that could put you at major risk of cyber attack.
According to a recent CNET survey, one in four holiday gift shoppers has been a victim of an online hack in the past 12 months. To avoid joining their number, cybersecurity experts offer these tips to keep you, your credit cards and bank accounts safe.
1. Don't use sketchy wireless networks
This is the easiest to fall for. You're out and about, maybe waiting for someone else to finish shopping, maybe standing in a long checkout line, maybe you just want to take a quick look at whether something you want is cheaper elsewhere. You pull out your phone and up pops a free WiFi hotspot. It might even have a safe-sounding name: Westfield Mall Guest Network, or Holiday Happiness Free Wifi. Without thinking, you click and get connected. That gives hackers the chance to infect your phone with malware or siphon off your passwords and account information.
There are a couple of issues here. Sometimes the network is a fake one, what security professionals call a honeypot, meant to lure in the unsuspecting so their information can be stolen. To guard against these, look around for signs at the mall, store or airport that include the WiFi network name and make sure you're using that. Don't just assume that any network that pops up is legitimate. Hackers routinely create them and wait for the unwary to connect up. Ask an employee if you're not sure. When in doubt, don't connect.
Even if you are on a legitimate network, remember that public Wi-Fi isn't secure. It's all too easy for someone to monitor the traffic whizzing through the air and potentially steal login and password information that you yourself type in or that your phone automatically fills in through pre-existing cookies. "Consider waiting to enter your credit card information when you get home," suggests James Lyne, global head of security research for Sophos, a security firm.
2. Who really sent you that online holiday card?
Electronic holiday cards are increasingly popular, but be careful about clicking on the links that show up in your mailbox. While we've become cautious of subject lines like "HELP! Stuck in the Philippines" or "Urgent: Must move funds from Romania," something that says "Merry Christmas from the Andersons" might slip through our defenses. Do you actually know any Andersons? And didn't you already get a paper card from them last week?
3. Use different passwords for each account
Yes, broken record time here. But criminal hackers really do keep searchable lists of all the account IDs, email addresses and passwords they've stolen. They can even rent those lists for pennies per thousand names. So when they break into one account, they add it to the database. Then they try that same email address and password against a list of hundreds of other stores and banks. Think of it as the Lord of the Rings maxim: One password to rule them all makes for bad security. If you can't remember all those passwords, consider using a password management program, suggests EY Cybersecurity Services.
4. Watch for Typo Squatters
We're all busy and trying to do a million things at once. Which is why you should always take a second to look at the URL you just typed into your browser and make sure you are where you think you are. Cyber criminals know we make mistakes when we type, and they've registered lots of typo-ridden addresses that are just a hair away from the one you meant to type. It could be something as simple as Gooogle.com (though Google long ago got most possible variations on its name, so this one's safe) or say AuntSalliesTeaShop when the actual Aunt Sally spells hers with a Y, not IE. Criminals can almost perfectly copy the site they're aping, so you think you're where you want to be. Double check to be sure.
5. Change your coffee pot's password
Connectable devices will be a hot item this holiday season, whether they're coffee pots you can turn on with an app on your phone, a drone or a smart light bulb system. But they're also eminently hackable and most come with laughably easy pre-set passwords that take hackers only a few seconds to get past. When you're setting up your new gadgets, take the extra five minutes to reset the password they came with, so your device doesn't run the risk of becoming part of someone else's zombie botnet.
6. Don't hand over your credit card number
It's tempting to let a website keep your credit card number and information on file. But if that site gets breached and it hasn't done a good job of protecting your and everyone else's credit card information, it could mean trouble. "While it’s a little more work to enter your information each time you make a purchase, you are less likely to be compromised if a website is hacked," said Fred Rica, cyber services lead with KPMG.
7. Read through your credit card bills
While it can be daunting to go through your January and February credit card bills line by line and confront exactly how much you spent, it's vital to catch any mistakes and hacks that might have gotten through. If you see a charge you don't recognize, call immediately to check it out. Too often hackers presume people won't notice the $40 here or $20 there on their cards, and those fraudulent charges do get missed. Get them reversed quickly so you don't have to pay.
8. Careful of package delivery notices
Phishing emails that try to get you to click on a link that can install malicious software on your computer are a perennial problem. This year Intel Security says it’s seen an uptick in fake delivery notices.
These look like the common email notices sent out when something you’ve ordered online has been shipped. They might say, “Click here for expected delivery date,” except they aren’t from an actual store but instead from hackers.
“During the holiday season we tend to be rushed, and we tend to click on things that we maybe shouldn’t,” said Intel Security chief consumer security evangelist Gary Davis. “I would be really careful about the emails I click on.” If it seems the slightest bit fishy, don’t click on the link but instead go to the website of the store the delivery notice purports to be from.