The holiday season always makes me nervous.
As someone who works in the cybersecurity industry, I know that the November to December timeframe is when many consumers and businesses will get hacked or defrauded. In many ways, the holiday season is an ideal time for cybercriminals: more people are using their debit cards online and at insecure retailers; people are traveling and using open WiFi networks at airports, hotels and shopping venues; businesses, especially retailers, are slammed and have less time to check their systems and networks for possible attacks; consumers are stressed out, distracted, busy and rushed, so it's easier to make basic mistakes with computer security and fall for common scams; and it's harder for financial institutions to monitor for suspicious spending habits since people are traveling more and spending money in different places.
This holiday season, it's important that everyone be more cognizant of the risks they face, both online and in the physical world. They should also understand how certain behaviors can make them an easier target for cybercriminals.
Here are six risky things you're likely to do this holiday season, which could get you hacked:
Use a Debit Card at a Non-EMV Retailer
Starting October 1st, all US retailers were supposed to implement new payment terminals for EMV (Europay MasterCard Visa) cards, alternately known as "chip-and-pin" or "smart" cards, which can protect consumers' debit and credit cards against hackers and identity thieves. Unfortunately, few stores have adopted the new technology because it's more expensive and not as easy to use as the older and more vulnerable "swipe" card readers.
As a result, many stores consumers visit over the next few months will be vulnerable to the same large-scale data breaches that affected Target and Home Depot (although both of those retailers have switched to the safer EMV system), as well as other types of card fraud. Card theft/fraud is an important industry for cybercriminals -- it's worth billions of dollars each year -- so don't expect the criminals to slow down. These groups are also getting more advanced with black market hacking tools and malware designed specifically for targeting retailers.
To make matters worse, the credit card industry is now holding retailers responsible for cardholders' losses if they haven't implemented EMV systems. Although the financial industry claims consumers won't notice any difference in the recovery process for fraud, it's unclear just how well this will actually work, particularly if there's a large-scale breach.
Security Tip: Don't use a debit card at non-EMV stores. Instead, use a gift card that has been preloaded with a limited amount of money, or else use a credit card because it's easier to dispute the charges before the money is pulled from your account.
Use Public WiFi
By now, everyone should know they're not supposed to surf the web from a WiFi hotspot - and yet people still do it all the time, because it's convenient.
It's extremely easy to hack a WiFi connection, whether it's at the airport, hotel, coffee shop or even at home. There are online tools that almost anyone can download which enable you to "sniff" a person's data over an unprotected WiFi channel, hack the password of WEP and WPA/WPA2 WiFi networks, and even create fake WiFi networks that will trick you into connecting with them.
Consumers should never use a public WiFi connection, period, but at the very least they should never, ever make an online purchase or log in to a bank account or mobile banking app from one.
Security Tip: To stay safe, install a VPN (virtual private network) on your mobile device. A VPN encrypts your online activity, making it very difficult for a hacker to steal your information. Another option is to only surf the web in public places using a cellular 3G or 4G signal. You can do this by creating a mobile hotspot with your smartphone and tethering other devices to it.
Check Your Bank Account from the Family PC
There's a very high probability that the home computer you and your kids use all the time to surf the web, check email, watch movies and download files is infected with malware.
Consumers should never do online banking from a multi-user computer, even if it's the home PC. If that sounds paranoid and inconvenient, consider this: a type of malware called the "banking Trojan" is spreading rapidly across the web. You get infected with it primarily by visiting compromised websites or opening an infected email. This malware is extremely dangerous - it will intercept your online banking sessions even when you're using a secure online connection with the bank. Antivirus programs can't detect it and the malware will steal your bank login/password and even has the ability to change a live transaction (for example, switch the recipient of an online payment).
The best way to avoid this risk is by using a safe device to access online banking.
Security Tip: Don't use the family PC; instead use a dedicated laptop or netbook that literally does nothing else except access your online bank account.
Google Shop for Deals
Bargain hunting goes into overdrive during the holidays, but consumers should be careful. Cybercriminals anticipate an uptick in online searches for sales and discounts on popular items and they're sometimes able to sneak "black hat" websites into these search results for specific products. Those who visit the fake black hat sites will be infected with spyware, lose their logins/passwords or be ripped off if they try to make a purchase.
Although search engines have become better at blocking black hat sites, they can't always catch them all, especially during a busy period like the holidays. Therefore it's important for consumers to be careful about the sites they visit.
Security Tip: Try to stick with well-known retailers for online purchases. Double check the website address too to make sure it's not an impersonation. Use PayPal, gift cards or credit cards when buying online, not debit cards. Consider adding a script-blocking plugin such as ScriptSafe, NoScript or AdBlock Plus to your browser to prevent certain types of web attacks.
Open Holiday Spam
The holidays are open season on phishing emails and spam. Cybercriminals know that consumers are more likely to be stressed out, distracted, worried about how much money they're spending, eager to find deals, and also more likely to donate to charities -- and they play off of these emotions. This is the time when we're all more likely to fall for emails about an overdrawn checking account, about 75 percent off offers on popular gift items, about a traveling friend who's stranded and needs money.
It's important for consumers to recognize how good some of these phishing emails have become. In many cases, they look virtually identical to the real thing. Phishing emails may contain malware, trick you into sharing sensitive information or redirect you to fake websites.
Security Tip: Make sure your email's spam filter is activated. Use antivirus with anti-phishing support. Never click on a link in an email; instead, go to the website directly if it's a legitimate, well-known one (such as a bank or the IRS). Learn how to spot a "spoofed" email -- they're often not addressed to a specific person, they may have typos or spelling/grammar errors and they often use fear to entice the person to respond.
Share Your Travel Plans on Social Media
This is another big mistake that people consistently make, whether it's a Foursquare check-in, Instagram, Vine, Facebook, Twitter, whatever. In addition to exposing you to a higher risk of burglary, it is also used by cybercriminals to target you and your family and friends with very effective phishing emails.
Security Tip: Try not to post about your travel plans. Also make sure your social media accounts are set to private.