Kenneth Van Wyk: 'Tis the season to shop with care

With online holiday shopping on the rise, and mobile-device shopping coming into its own, the need to be aware of the necessary security precautions has grown

With online holiday shopping on the rise, and mobile-device shopping coming into its own, the need to be aware of the necessary security precautions has grown.

With the 2012 holiday shopping season well under way, it's already evident that online shopping is on a record-setting pace this year, and mobile devices have had a huge impact. Every year, people have questions about the sorts of security precautions they should take when shopping online, and there will probably be even more questions now that mobile has entered the picture in a big way.

That's good; people need to be conscious of the need to take certain precautions online, just as they are aware that they shouldn't go into a physical shopping mall with hundred-dollar bills sticking out of their pockets and handbags. Personally, my awareness is heightened because I've had two credit cards defrauded this year. Did that happen as a result of my online or my on-site payment activity? I suspect that it was on-site, but I'll never know for sure. In any event, I hope my misfortune can help you avoid something similar.

Here are some pointers.

* Always opt for the payment method that's safest. Many sites these days support PayPal, Google or other payment services. When they do, use them and minimize the number of merchants that have access to your more sensitive payment details.

* Keep a secure log of all the sites on which you divulge your payment information.

* When given the choice, opt to not store your payment information with the vendor. It will be a bit of a hassle to have to re-enter your payment information every time you go back to buy something on that same site, but it's nothing compared to the hassle of having your payment card information stolen. Try to minimize your payment footprint.

* If you register with an online vendor, use a strong and unique password -- not one that you've already used on other sites. A lot of people will probably skip right over this bit of advice on the grounds that they think it isn't feasible to use a different password for every site. Don't be one of those people. To help with this, you have at least two options: either keep a secure log, on paper, of your usernames and passwords for each site, or use a password vault application to do that for you. I've been using such an app for years. It's easy to manage, and I am confident that my passwords for sites that have my payment information won't be easily cracked.

* Have your packages shipped to your place of business, unless you're at home during the day. Many shippers will leave packages by your front door if you're not home. That's convenient and all, but it also gives thieves plenty of opportunities to steal during the holiday shipping season. And a big box with a familiar logo from a high-tech company just helps the thieves better target their work.

* If you use a vendor app on a mobile device to shop, you should probably spend a few minutes doing some static and dynamic analysis of the app to see for yourself whether your information is being adequately protected. I provided some tips for doing just that in my May and June 2012 columns.

If you do run into problems with any of your payment cards, it's likely you'll get a phone call and/or email from your payment provider. Don't ignore those calls! Respond to them quickly and answer their questions. (Of course, be sure you're really talking to your payment card vendor first.)

After my first defrauded credit card, I signed up for a service in which my provider sends me a text message asking for verification of any questionable transactions. I reply with a yes or no, and the transaction is handled accordingly. Of course, this service has to happen over a mobile number that is previously configured with the payment card company, but many card vendors will do that sort of thing for customers upon request. (And if I'm out of the country, I incur a cost for the text messages, but it's worth it to me.)

If it turns out your card has been attacked, you'll want to quickly get to all the merchants that have your card information stored in their databases -- especially any that have recurring charges to your account. By keeping a log of all of those merchants, you'll be able to quickly update things. While you're doing that, consider it a good opportunity to also change your password with all those merchant websites (or mobile apps).

There are certainly plenty of things that consumers can do to make their online shopping reasonably secure. It may sound like a lot of inconvenience to do things such as setting up a separate password for each site, but you really won't regret getting your online payments in clean working order.

When my card was attacked a second time, I was able to go clean things up in just a few minutes, in large part because I took my own advice and kept a meticulous log of all my online payment activity. A little bit of carefully applied paranoia can go a long way.

Happy holidays.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies