3 security reports about shopping online for Black Friday and Cyber Monday

Researchers list the most and least secure online retailers, warn about vulnerabilities in WordPress e-commerce plugins and warn that crooks are cashing in on top store brands and "Black Friday" to scam consumers.

online security hacker
Credit: Thinkstock

With Black Friday and Cyber Monday nearly upon us, here are three different reports about shopping online.

Amazon and Walmart listed among the “least secure” online retailers

The first ranks the best and worst security of top online retailers. LastPass used a set of six criteria and then ranked each e-retailer on a scale of 0 to 10 points on that password criteria. For example, does a site offer two-factor authentication? That answer is “no” to all of the online retailers in this study.

The online stores were judged to be more secure for things such as if they had a password strength meter, if the password allowed special characters and if passwords with 20 characters were allowed. The results posted by LastPass are surprising, given that Amazon and Walmart – two of the biggest online retailers – were ranked among the “least secure” of online stores.

The five “most secure” online retailers were listed in this order: QVC, Apple, Victoria’s Secret, Neiman Marcus and Best Buy. The “least secure” e-retailers were listed in this order: Amazon, Walmart, Wayfair, Nike and Sears.

Severe vulnerabilities in WordPress e-commerce plugins

So while LastPass ranked the best and worst security of e-retailers, Checkmarx looked at 12 popular WordPress e-commerce plugins and found “severe” vulnerabilities in a third of them. The company reported that over 26 percent of websites globally use WordPress and hundreds of thousands of those sites use e-commerce plugins. If vulnerable plugins are exploited by criminals, “users of over 135,000 websites could find their personal data threatened;” – yes, that includes credit card data.

Four of the 12 WordPress plugins contained “high-risk vulnerabilities” such as SQL injection (SQLi), reflected cross-site scripting (XSS), second order SQL injection and a plugin vulnerable to file manipulation.

Unfortunately, Checkmarx did not provide the list of vulnerable plugins at this time; that’s because responsible disclosure means giving developers time to fix the flaws before naming names which would help bad actors find additional ways to harm consumers.

If you add items to your cart, Checkmarx advised that before checking out you should make certain the SSL certificate is good. On an HTTPS site on Chrome, users can click the green lock to get the scoop on the certificate, connections and secure resources on a page.

Spammy scammers cashing in on store brands and “Black Friday”

Have you been making a list and checking it twice, looking for the best Black Friday and Cyber Monday deals for items on your loved one’s wish lists? That seems smart, but you need to be security-wise and not get suckered by some spammy scammer.

Just as online retailers are counting on another booming year, cyber crooks are counting on another booming year as well by scamming as many people as possible. RiskIQ researchers issued a warning (pdf) without naming names, claiming that cyber thugs have honed in on the top five leading brands in e-commerce.

The company ran a keyword search, looking for five online retailers “branded terms” along with “Black Friday” that appear in blacklisted URLs – ones which are linked to phishing, malware or spam. RiskIQ said its blacklists are collected by crawling over 300 million mobile devices, 1.8 billion HTTP sessions, 783 global locations across 100 countries, 16 million mobile apps and 300 million domain records.

While the stats are interesting, if you are trying to warn people to be aware, to be careful, why not give the silly keywords used instead of reporting that the unnamed “brand” one through five had a combined total of over one million blacklisted apps? It’s good info to have, but it seems like it would be better for the announcement to provide the actual research to the public – at the very least the keyword brands in this study – so as not to scare people about leading brands.

Nevertheless, RiskIQ’s advice is sound. Users are advised against downloading apps from unofficial sources, to be wary about apps that want too many permissions such as accessing passwords or credit card info, and not to be fooled by good reviews that can be easily faked.

Overall when considering these three reports, shopping online for Black Friday and Cyber Monday sounds like a crapshoot…but it sure sounds better to me than being out in the crowds. Just be wise about shopping.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.