Welcome!
Here’s the first of three pieces we’ll be publishing this Thanksgiving weekend.
That’s the weekend that brings us Black Friday, a shopping day so busy in the USA that it is said to mark the point for many retailers at which their accounts for the year move into profitability, thus getting them out of the red and into the black.
And if that’s not enough, the online era has brought us Cyber Monday, when you can catch up online and buy all the bargains you missed in store over the Black Friday weekend.
In other words, this is a great time for us to offer you advice that will not only improve your cybersecurity over the coming weekend, but also keep you more secure through Christmas and the holiday season, all the way into the New Year and beyond.
Here’s what we’ve got lined up:
- Tuesday 22 Nov 2016 (today): Black Friday: What to watch out for when you hit the stores.
- Wednesday 23 Nov 2016 (tomorrow): Cyber Monday: What to watch out for when you hit the web.
- Thursday 24 Nov 2016 (Thanksgiving Day): Facebook Live Video: Don’t be a security turkey this Thanksgiving.
The Facebook Live video is scheduled for 16:00 UK time (4pm), which is 11am on the US East Coast and 8am on the West Coast.
If you can tune in to our Naked Security Facebook page at that time and join in, we’d love to have you; if you can’t make it, the video will be available to watch any time afterwards.
Here we go.
Four tips to keep you safe on Black Friday.
1. Keep control of your credit card
If you have a Chip and PIN card (or Chip and Signature in the US), use the chip and avoid swiping the card.
For most point-of-sale devices, that means inserting the card into the slot at the bottom rather than swiping the magstripe of the card along the side of the machine as in the old days.
Chip and PIN isn’t perfect, but the data on your card’s chip is almost impossible to clone, whereas the magstripe is read in its entirety every time you swipe, and is trivial to skim.
Skimming is where crooks make an unauthorised copy of the data on your card, for example using a tiny additional magnetic read head hidden in the skimming slot, and use that data to make a working facsimile of your card.
Chip transactions also provide better protection against the sort of hack that saw tens of millions of credit cards skimmed at Target stores in the US around Thanksgiving in 2013.
The Target hack involved malware on each cash register that watched out for magstripe data appearing in the computer’s memory.
In contrast, during a chip payment there is no reusable card data to “sniff out” of the cash register’s memory, because each transaction includes a one-off cryptogram computed inside your card from a secret key that never leaves the chip. (The card number itself may still pass through the register, but without that key a crook can’t produce valid cryptograms for new transactions, so what’s captured can’t be turned into a working clone.)
That makes each chip transaction a bit like the one-time codes used in two-factor authentication (2FA): each code is unique and can’t be used again.
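To make the difference concrete, here is an added example in Python (not code from the original article, and a deliberately simplified model rather than the real EMV protocol). The first part does what the Target malware did: it scans a constructed memory buffer for Track 2 magstripe data. The second part models a chip card as a device holding a secret key that computes a MAC over the amount and a terminal-chosen random number: the skimmed magstripe data is accepted as a “clone”, while a captured chip cryptogram fails when replayed. The PAN is the standard 4111… test number, and the issuer, card and terminal objects are assumptions made for the demonstration.

```python
import hashlib
import hmac
import re
import secrets

# --- Part 1: what a Target-style RAM scraper looks for ---------------------
# Track 2 data: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code, then
# discretionary data, usually framed by ';' and '?'. Real scrapers used
# regexes like this against process memory of the POS software.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def scan_memory_for_track2(buf: bytes):
    """Return (PAN, expiry) pairs found in a memory buffer, as a scraper would."""
    return [(m.group(1).decode(), m.group(2).decode()) for m in TRACK2_RE.finditer(buf)]


# --- Part 2: why replaying captured data works for magstripe but not chip --
# Toy model (assumption, not real EMV): the card holds a secret key and MACs
# the PAN, amount and the terminal's unpredictable number (UN).
class ToyChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # never leaves the card

    def cryptogram(self, amount_cents, unpredictable_number):
        msg = f"{self.pan}|{amount_cents}|{unpredictable_number}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:8]


class ToyIssuer:
    """Issuer side: knows each card's key, verifies cryptograms, rejects replays."""

    def __init__(self):
        self.keys = {}
        self.seen = set()

    def enrol(self, pan):
        key = secrets.token_bytes(16)
        self.keys[pan] = key
        return ToyChipCard(pan, key)

    def authorise_magstripe(self, pan, expiry):
        # Static data: anything that looks valid is accepted, so a copy works.
        return pan in self.keys and len(expiry) == 4

    def authorise_chip(self, pan, amount_cents, unpredictable_number, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return False
        msg = f"{pan}|{amount_cents}|{unpredictable_number}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was made for a different UN/amount
        if (pan, unpredictable_number, cryptogram) in self.seen:
            return False  # exact replay of an already-used cryptogram
        self.seen.add((pan, unpredictable_number, cryptogram))
        return True


def terminal_purchase(issuer, card, amount_cents):
    """A chip transaction: terminal picks a fresh UN, card signs, issuer checks."""
    un = secrets.randbits(32)
    crypt = card.cryptogram(amount_cents, un)
    return un, crypt, issuer.authorise_chip(card.pan, amount_cents, un, crypt)


def demo():
    issuer = ToyIssuer()
    card = issuer.enrol("4111111111111111")  # well-known test PAN, not a real card
    # Constructed memory image: track 2 data sitting in POS memory during a swipe.
    memory = b"\x00POSAPP\x00;4111111111111111=2012101123400000?\x00\x00"
    skimmed = scan_memory_for_track2(memory)
    magstripe_clone_works = issuer.authorise_magstripe(*skimmed[0])
    # Chip: the crook captures (UN, cryptogram) from a legitimate purchase...
    un, crypt, ok = terminal_purchase(issuer, card, 1499_00)
    # ...and tries to reuse it, both verbatim and against a new terminal UN.
    replay_same = issuer.authorise_chip(card.pan, 1499_00, un, crypt)
    replay_new_un = issuer.authorise_chip(card.pan, 1499_00, secrets.randbits(32), crypt)
    return {
        "skimmed": skimmed,
        "magstripe_clone_works": magstripe_clone_works,
        "chip_purchase_ok": ok,
        "chip_replay_same_un": replay_same,
        "chip_replay_new_un": replay_new_un,
    }
```

The point of the model is the asymmetry: the magstripe gives the attacker everything the issuer will ever ask for, whereas the chip gives the attacker only an answer to a question that won’t be asked twice.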
Don’t forget to cover your PIN hand completely while you’re typing in your code.
Shielding your typing hand is a simple precaution to protect your PIN from shoulder surfing (where the person behind gets a clear view of your typing) and any video cameras that might be in the vicinity.
Thank you America. Could you please join us in the 21st century? There are 400 lb hackers out there pic.twitter.com/cT6iUILLLU
— Chester Wisniewski (@chetwisniewski) October 20, 2016
Sadly, many merchants in the US have adopted chip readers in order to reduce their liability, but nevertheless actively try to discourage you from doing chip transactions.
If you think you’re going to be faced with stores that simply won’t let you pay by chip, consider taking your business to retailers who will, using cash instead, or buying a prepaid debit card in advance with as much balance on it as you’ll need on Black Friday.
Apparently, the reduction in liability comes from having the reader installed, not from actually using it. Swiped purchases apparently still go through faster in the US than chip transactions; in a busy retail period such as Thanksgiving and the holiday season, shorter waiting times keep both shopkeepers and customers happy. In other words, there’s not much incentive for retailers to encourage customers to get into the habit of chipping, or for customers to insist on it.
2. Check your statements promptly
If you go on a retail outing during the holiday season, you’ll probably end up doing lots of small transactions along with any significant purchases you might make.
Even if you’re really careful about keeping track of how much you’ve spent, the final amount may well vary from what you expect.
For example, there’s the coffee shop you stopped at to decide if $1499 was too much to spend on a new bicycle, there’s the impulse decision to take a taxi back to the station instead of trying to get your new bike on the bus, and so on.
If you end up $9 over what you figured, it’s easy to assume it was a small miscalculation and to shrug it off as an absorbable side-effect of your Black Friday session.
However, if it wasn’t a miscalculation, then it may well have been a fraudulent transaction, and whether it’s $9 or $999, that still makes you a victim of cybercrime.
If you’ve ever been skimmed or “carded” before, you’ll know that bogus transactions often happen in bursts, and in varying amounts; the sooner you spot that something is wrong, even if it’s just a modest amount, the sooner you can raise the alarm.
So don’t forget to go through your statements carefully to make sure that the only charges are ones that you incurred yourself.
If your bank supports SMS-based notifications for transactions against your account, consider enabling that feature.
That way if someone manages to pickpocket or clone your card, you’re likely to receive an alert as soon as they try to use it at an ATM or in a store.
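One way to do that check with a little code, as an added example (not from the original article): reconcile the statement against the receipts you kept, then look for the burst pattern described above among anything that doesn’t match. The receipts, statement lines, timestamps and merchant names below are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: what you noted down on the day (merchant, amount in cents).
MY_RECEIPTS = [
    ("ACME Coffee", 450),
    ("Bike Barn", 149900),
    ("City Cabs", 1800),
]

# Constructed sample: what the card statement shows a few days later.
STATEMENT = [
    ("2016-11-25T09:12:00", "ACME COFFEE #12", 450),
    ("2016-11-25T11:40:00", "BIKE BARN", 149900),
    ("2016-11-25T13:05:00", "CITY CABS", 1800),
    ("2016-11-27T02:14:00", "ONLINE GAMES LLC", 900),
    ("2016-11-27T02:21:00", "GIFTCARDS4U", 2500),
    ("2016-11-27T02:33:00", "GIFTCARDS4U", 9999),
]


def reconcile(statement, receipts):
    """Return statement lines with no matching receipt.

    Merchant names on statements rarely match what is on the receipt, so the
    match is on exact amount. Each receipt is consumed once, so a duplicated
    charge for a real purchase also shows up as unmatched.
    """
    pool = Counter(amount for _, amount in receipts)
    unmatched = []
    for when, merchant, amount in statement:
        if pool[amount] > 0:
            pool[amount] -= 1
        else:
            unmatched.append((when, merchant, amount))
    return unmatched


def burst_alerts(unmatched, window=timedelta(hours=1), min_count=2):
    """Group unmatched charges that fall within `window` of the previous one.

    Groups of min_count or more are reported: fraud on a skimmed card tends
    to appear as several charges in quick succession, of varying size.
    """
    rows = sorted((datetime.fromisoformat(w), m, a) for w, m, a in unmatched)
    alerts, group = [], []
    for row in rows:
        if group and row[0] - group[-1][0] > window:
            if len(group) >= min_count:
                alerts.append(group)
            group = []
        group.append(row)
    if len(group) >= min_count:
        alerts.append(group)
    return alerts


def summary(statement=STATEMENT, receipts=MY_RECEIPTS):
    """What to look at before calling the bank: unmatched total and any bursts."""
    unmatched = reconcile(statement, receipts)
    return {
        "unmatched_count": len(unmatched),
        "unmatched_total_cents": sum(a for _, _, a in unmatched),
        "bursts": [[m for _, m, _ in g] for g in burst_alerts(unmatched)],
    }
```

Against the sample data the three genuine purchases match and drop out, leaving three small-hours charges within twenty minutes of each other, which is exactly the shape worth a phone call even though the first of them is only $9.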
3. Slim down your radio footprint
If you’re like most people, you may very well leave location services turned on all the time on your mobile phone.
That means you can quickly find yourself on the map if you get lost, re-orient yourself, and figure out a new route to your destination.
Modern mobile phones typically use a cocktail of signals to pinpoint where you are, and regularly call home to Apple, Google, Microsoft and various other app vendors.
The signals used to track you include GPS (which gives an absolute location but doesn’t work terribly well inside modern buildings like shopping malls), Wi-Fi and Bluetooth.
Wi-Fi and Bluetooth can’t compute your actual position, but they can call home with a list of other wireless devices in the vicinity, including indoors.
This provides a relative location that can be compared with a central database to see if there’s an earlier record of an absolute location for any of the devices you’re near right now.
For example, if Google Street View recorded the exact location of the ACME Coffee Shop Wi-Fi access point last year, then that’s a good first guess for where you are now if you are in range.
Likewise, tiny Bluetooth beacons, using formats such as Apple’s iBeacon and Google’s Eddystone, can track you indirectly.
These beacons transmit unique identifiers that your phone picks up, for example as you walk around a store; the manager of the store registers each beacon’s identity and location with the vendor’s database; and your phone then calls home with those unique identifiers as it encounters them.
The beacon vendor therefore acts as a sort of “location tracking broker” between you and the store, allowing the store to paint a possibly very precise picture of where you went and what you did as you passed through.
Indeed, in a busy shopping mall, stores may be actively competing for your business based on where you’ve been, where you are now, and where you might go next.
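Here is an added example in Python (not from the original article) of how the relative-to-absolute step works. It parses Apple’s published iBeacon advertisement layout (manufacturer ID 0x004C, subtype 0x02, 16-byte UUID, major, minor, measured power at one metre), looks each beacon and Wi-Fi BSSID up in a constructed registry of the kind a location broker would hold, and combines the registered positions into a position estimate weighted by signal strength. The registry contents, floor-plan coordinates, beacon UUID, path-loss exponent and the assumed access-point transmit power are all made up for the demonstration.

```python
import struct
import uuid

# Constructed registry: what the "location broker" holds after the store
# manager registers each beacon and access point with a position.
# Coordinates are metres on a hypothetical mall floor plan (x, y).
BEACON_REGISTRY = {
    ("f7826da6-4fa2-4e98-8024-bc5b71e0893e", 100, 1): ("ACME Coffee, counter", (12.0, 4.0)),
    ("f7826da6-4fa2-4e98-8024-bc5b71e0893e", 100, 2): ("ACME Coffee, door", (15.0, 9.0)),
}
WIFI_REGISTRY = {
    "a4:2b:8c:11:22:33": ("ACME Coffee AP", (13.0, 6.0)),
    "00:1d:7e:aa:bb:cc": ("Bike Barn AP", (40.0, 30.0)),
}


def parse_ibeacon(adv: bytes):
    """Parse an iBeacon manufacturer-specific AD structure; None if it isn't one."""
    # Layout: len, type 0xFF, company 0x004C (little-endian), subtype 0x02,
    # sublen 0x15, 16-byte UUID, major, minor (big-endian), signed tx power.
    if len(adv) < 27 or adv[1] != 0xFF:
        return None
    company, subtype, sublen = struct.unpack_from("<HBB", adv, 2)
    if company != 0x004C or subtype != 0x02 or sublen != 0x15:
        return None
    major, minor, power = struct.unpack_from(">HHb", adv, 22)
    return {"uuid": str(uuid.UUID(bytes=adv[6:22])), "major": major,
            "minor": minor, "tx_power": power}


def rssi_to_distance(rssi, tx_power, n=2.0):
    """Log-distance path-loss model: rough metres from signal strength (assumed n)."""
    return 10 ** ((tx_power - rssi) / (10 * n))


def estimate_position(scan, beacon_registry=BEACON_REGISTRY, wifi_registry=WIFI_REGISTRY):
    """Turn a phone's radio scan into an absolute position via the registries.

    scan: list of ("ble", adv_bytes, rssi) or ("wifi", bssid, rssi).
    Each registered device contributes its position weighted by 1/distance^2,
    so the nearest ones dominate. Devices nobody registered are ignored.
    Returns ((x, y) or None, names of the registered devices that were used).
    """
    weights, sx, sy, seen = 0.0, 0.0, 0.0, []
    for kind, ident, rssi in scan:
        if kind == "ble":
            beacon = parse_ibeacon(ident)
            if beacon is None:
                continue
            entry = beacon_registry.get((beacon["uuid"], beacon["major"], beacon["minor"]))
            tx_power = beacon["tx_power"]
        else:
            entry = wifi_registry.get(ident.lower())
            tx_power = -40  # assumed RSSI at 1 m for an AP; real systems calibrate this
        if entry is None:
            continue
        name, (x, y) = entry
        d = max(rssi_to_distance(rssi, tx_power), 0.5)
        w = 1.0 / (d * d)
        weights, sx, sy = weights + w, sx + w * x, sy + w * y
        seen.append(name)
    if weights == 0:
        return None, seen
    return (round(sx / weights, 1), round(sy / weights, 1)), seen


def ibeacon_adv(uuid_str, major, minor, tx_power=-59):
    """Build an iBeacon advertisement; used here only to construct the sample scan."""
    body = b"\x4c\x00\x02\x15" + uuid.UUID(uuid_str).bytes + struct.pack(">HHb", major, minor, tx_power)
    return bytes([len(body) + 1, 0xFF]) + body


def demo():
    u = "f7826da6-4fa2-4e98-8024-bc5b71e0893e"
    scan = [  # constructed scan result, as the phone would report it
        ("ble", ibeacon_adv(u, 100, 1), -62),   # about 1.4 m from the counter beacon
        ("ble", ibeacon_adv(u, 100, 2), -75),   # about 6 m from the door beacon
        ("ble", ibeacon_adv(u, 999, 9), -70),   # beacon nobody registered: ignored
        ("wifi", "A4:2B:8C:11:22:33", -55),     # ACME Coffee access point
        ("wifi", "de:ad:be:ef:00:01", -80),     # unknown access point: ignored
    ]
    return estimate_position(scan)
```

Nothing in the scan itself says where you are; the coordinates only appear once the identifiers are matched against a database someone else built, which is why the company holding that database ends up knowing your movements even though the beacons themselves never hear a thing from your phone.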
The problem with letting anyone and everyone track you wherever you go is that the more data that’s needlessly collected about you, the more likely it is to get breached at some stage.
Our recommendation, this Black Friday, is to try turning off location services altogether and seeing if your retail experience is any different.
If it isn’t, or ends up being even better because you’re hit up with fewer targeted ads you don’t like, you will have learned a usable technique to improve your privacy in the future.
4. Cybersecurity is for life, not just for Thanksgiving
We say this at every special holiday, major sporting event, and more.
Black Friday would indeed be a bad day to be incautious about security, but the advice we’ve given here won’t lose its value when the Thanksgiving weekend is over.
If you decide to use Black Friday as a reason to take cybersecurity more seriously…
…we urge you to make that a lasting digital lifestyle choice!
Jeff
Great article, thanks!
One quick comment — as an alternative to turning on SMS notifications for transactions, you may have the option of receiving emails with transaction notifications. These work well too, and provide a convenient way to check transactions in a timely manner, but without interruptions. They’re also easy to file away in a separate folder, for easy review later, such as when the statement arrives.
Paul Ducklin
The thing I like about SMS over email is that I receive 1000s of emails a week, and I deal with them in bursts at my leisure. I receive 10s of SMSes at most each week, and almost all of them are messages about things I want to be alerted to…and if I’m on the road I can put my SIM in my tiny old-skool phone-phone and still see alert messages.
Tom
Great tips! I’m posting them on our office bulletin board.
Simon McAllister
Brilliant article. Brilliant advice. Thanks
Wilbur
Paul, thank you for the Bluetooth explanation; I have wondered why iOS complains about degraded accuracy when I turn Bluetooth off. I knew about WiFi MAC address tracking in stores but I didn’t realize the same thing was happening with Bluetooth. Sometimes iOS turns it back on after an update so I periodically verify it is still off. I seldom use Bluetooth devices so didn’t see the need to waste battery power. I also keep Location Services completely turned off because those features are rarely useful to me.
MrGutts
Most important is physical security: keep your eyes off your phone, pay attention, and be mindful of your surroundings.
Jim
Regarding the first entry: I will be amused when the first company to push people to the magnetic stripe when they could accept the chip gets sued.
It’s one thing to not want to spend the money to upgrade the hardware. (Retailers still should, but at least there’s a business reason.)
But, push your customers back to mag stripe? That’s a recipe for disaster (on the part of the customer), and makes the retailer liable for the losses.
Plus, it’s really dumb. REALLY dumb. Screen-doors on a submarine level of dumb.
Paul Ducklin
Apparently the retailer only has to take liability for magstripe losses if they don’t have a chip-enabled payment device in the first place.
In other words, it’s a bit like a law saying you have to have seat belts fitted in your car but there’s no need to use them.
Jim
Yeah, that seems to be the case.
But my musings above were more pointed at a civil lawsuit. Consider the case: they do have a chip-enabled device, but they still push people towards the mag-stripe. In that scenario, I think a jury would slam them pretty hard.
Criminal? No, stupid isn’t criminal (in most cases). But making a bad business decision that directly impacts a customer financially could be huge.
(Although, customers are technically only liable for $50 of losses in the US. Still, multiply that by millions of customers ….)
Paul Ducklin
I guess it might be hard to prove whether they were genuinely trying to prevent you Chipping, or merely working around some unknown “reliability issues” with the network :-)
There’s also a really annoying problem I encountered last week, trying to rent a car. The Chip and PIN machine was one of those annoying “combo” devices with one long slot that reads your magstripe while you push the card in far enough to reach the chip.
I try to deal with those by inserting my card really, really slowly in a series of short, separate movements until it reaches the chip contacts, but [a] I don’t know if that defeats all skimmers and [b] it looks dodgy and attracts suspicion of its own :-)
Jim
That makes me cringe. I wonder if there might be a better solution:
Instead of replacing the old mag-stripe POS devices with new ones that can do both, why couldn’t they just keep the old mag-stripe devices and add the chip devices as second devices. Both would be connected. Then, the customer would choose, but a warning could be placed on the devices telling customers that if their card has a chip, they should use it.
Later, when chip devices take over completely, then just trash the old mag-stripe readers.