How to navigate Black Friday and Cyber Monday without getting scammed or hacked

With Black Friday and Cyber Monday almost upon us, in the piece below, several cybersecurity experts give their thoughts and advice on how to navigate both shopping days without getting scammed or hacked.

Black Friday and Cyber Monday can make or break a year for retailers, with online becoming a critical channel for most. This necessitates highly available and rock-solid systems to deal with what has become a predictable yet simultaneously overwhelming demand. This shouldn’t just be focused on the underlying IT infrastructure; retailers also need to ensure their applications can handle the onslaught, be it their website, their mobile apps or their in-store payment terminals.

For years, the main driver for security within retail appears to have been PCI DSS, the data security standard merchants must comply with to accept and process payment cards. It’s reassuring to see some retailers join the BSIMM community, which may signal an evolution from a compliance-driven mentality to that of a proactive security mindset. Compliance will always be important, but retailers have much to gain from investing in strategic software security initiatives. This is especially true in territories where privacy legislation is getting stricter. Poor software security leading to information disclosure of customer data can now lead to business-altering fines in Europe, for example.

How to stay safe while shopping online this holiday

So, what are the issues when it comes to shopping online at this busy time of year and what can people do to remain safe?

The key is to identify the legitimate from the fake when a “50% off all iPads” deal is enticing. With all the various data breaches over the past few years, identification is particularly difficult. Some simple options are:

  • If you received an “great deal” email and don’t recognise the source, don’t assume because its personalised that it’s legitimate. 

Visit the website directly and while logged in look for the same deal. If it’s there and still interests you, then go for it. If it’s not, then the fact that the deal was tied to clicking a link in an email should indicate just how suspect the offer was.

Identifying the legitimacy of a “great deal” found on a non-vendor website is a bit harder. That deal might be the result of the website being an authorised distribution channel for the vendor or the website offering a fake deal. Authorised distribution channels will tend to behave in one of two ways – you’ll either purchase directly from them, or they’ll link you to the vendors website and pass along a referral code. 

The nice thing about authorised distribution channels is that neither party tends to benefit from the relationship being a secret. Perform an internet search with both company names and see if there is mutual identification and endorsement. Another thing to recognise is that if the deal site has you click a link and passes a referral code to the vendor, then that vendor will have your item in their cart. 

To avoid being scammed, first ensure you’re logged out from the vendor website and then click the link. That way if the deal site was suspect, they’re less likely to get any personal information from the vendor. Assuming the deal does show up in the cart at the correct price, simply login and complete the transaction.

In addition:

  • Use 2-factor authentication whenever possible.
  • If your credit provider doesn’t offer virtual credit cards, consider using PayPal or Amazon Pay (among other options) as a third-party payment solution. This provides one more layer of security between online stores and your financials.
  • Similarly, Google Pay (among others) will alert you when charges are made to your card. That way, if you’re not the one making a purchase, a red flag is raised early.
  • If you must create a password on the site to complete a purchase, don’t re-use a password. Take advantage of password managers to create new, unique passwords for each site.
  • Don’t allow websites to store your credit card information. Sure, it’s less convenient, but if the website or your account is hacked, the attackers won’t have access to your credit card information. 

Don’t assume your new device is secure

Some of the most popular items bought during Black Friday and Cyber Monday are connected devices. Gary McGraw, vice president of security technology at Synopsys says “when it comes to security, devices, gadgets, and consumer electronics are NOT secure by default.  If your gizmo maker does not mention security, do not assume that the thing you bought is secure.

IoT remains a security disaster waiting to happen.  One of the main problems is that there is no way to update the (broken) software and hardware running inside of IoT devices when new security problems are discovered.  IoT needs to be secure by design and secure by implementation.  Firewalls on the network will not fix this problem

In fact, IoT stuff is only one kind of cloud architecture.  And with cloud architecture…”

Follow this advice to stay safe online, and happy shopping! 

Tim Mackey, Larry Trowell and Nick Murison from Synopsys

  • Also check out our roundup of the best antivirus software to stay safe online this holiday season
Nick Murison

Nick Murison is a Managing Consultant at Synopsys. He is passionate about software security and empowering developers to build security in. Nick has over a decade of experience leading and performing technical and strategic security engagements, and has helped build and grow several security consultancy businesses in Europe. He specialises in software security, policy and corporate governance, developer training, project management, research, and BSIMM. Nick is a CISSP and PCIP.