SecurityWeek

The Most Plunder-ful Time of The Year: Keeping Others Safe During The Online Shopping Season

The Most Plunder-ful time of the Year: Protecting Your Family’s Financial Identity During the Online Shopping Season

The holiday season is a time of giving. But savvy security and technology professionals such as yourselves know, both during the holidays and year-round, that not all giving is good. Some things, namely company and personal information, are not to be given out generously.

This knowledge is tested each day we come to work and guide our corporate charges in the methods of sound security. We remain in that elite corps only by sticking to the fundamentals and practicing what we preach. Yet the cobbler’s children, as they say, often have no shoes. Ask yourself if you treat yourself and your family to the same level of diligence and oversight as you do your work colleagues. It’s not so easy when you’re off the clock. So let us bring security home for the holidays.

The following is an actual text conversation between the author and his twelve-year-old daughter:

Daughter: “Can I have our Apple password?”

Me: “Why?”

Daughter: “I want to buy an app.”

Me: “I’ll get it for you when I get home from work.”

Daughter: “Daaaaaad!”

The foregoing was more powerful than any phishing or probing attack. It comes when you are most vulnerable, such as when you are going into a big meeting, and it comes from a trusted source. Plus, that source will be greeting you with a scowl and threats (unfulfilled) of not talking to you when you get home for dinner. It’s not easy to do the right thing.

Your family relies on you just as your CEO does. Let’s start with the fundamentals of securing your family financially during the holiday online buying season. Three things you can do are: centralize purchasing authority, buy from places you know, and buy rather than get sold to.

Centralize Purchasing Authority: In an ideal world, this means making one person the purchasing agent so that purchases can be reconciled with payment, receipt of the items, and returns and refunds. This works great in a company with a purchasing department, but companies don’t buy surprise gifts internally. So you might need to make limited exceptions for when it’s the family CFO getting the gift from an online source. We all know security is about trade-offs.

Buy from places you know: We all want a good price, and our resolve is tested when we see the same widget for sale on Amazon for $35 and on Bubba’s Sports & Ammo Shack for $28. Which one of these companies has an annual security spend in the millions? It ain’t Bubba. An additional reminder here: when buying from a known entity, make sure you actually are on their site. Fat-fingering an address, or even in some cases going indirectly through search results, can lead you to a page designed to look like a legitimate one but that is really there solely to capture your personal and financial information.

Buy rather than get sold to: We’re all scrounging for gift ideas around the holidays. I even catch myself scrolling through LivingSocial listings, desperate for inspiration with regard to relatives who seem to have most of what one needs already. In doing so, I’m being sold to. I’m responding to an inbound solicitation, of which I will receive many before 12/25/12. But you must do so wisely lest you be spoofed or phished by emails that render as authentic PayPal or LL Bean messages but actually direct you to web pages that are designed to look authentic and exist solely to capture your username and password for the purpose of cleaning out your account or making unauthorized purchases.

The three big tip-offs that you’re being spoofed are: the email doesn’t contain your name, email address, or account number; the email has grammatical mistakes; or the email contains web page hyperlinks that don’t match the text of the email. For example, if you receive an email from “PayPal” that asks you to verify your account at “http://www.paypal.com/accounts,” the easy way to verify the address is to place your cursor over that address so that the actual hyperlink shows in a pop-up bubble. If that bubble reads “http://www.Ilikesuckers.com,” then it’s best to avoid clicking that link. The easiest way to avoid being spoofed or phished is to buy rather than get sold to. If you get any message that you are anything less than 100% positive about, go directly to the merchant’s website instead of clicking the link, and log into your account to read the message or purchase the item that caught your eye.

With the fundamentals secured, we must practice what we preach and lead by example. Your family watches what you do. I was updating the operating system on my daughter’s iPhone the other evening, and I made her think about each question before she made a selection during the install. As we were prompted to select whether or not to turn on location services, I asked her, “Do you really want companies to know where you are?” “Are there any apps that you use where you need that on?” Answer: “No.” I even had her scroll through the license agreement. We didn’t read every line (her patience has limits) but I told her that this is where you learn about what companies can do with your pictures and other personal stuff.

Bringing security home doesn’t make you the Grinch if you keep it simple, follow the fundamentals, suggest rather than prescribe, and lead by example. A simple and kind approach is best. After all, it’s the holiday season. 
