The Most Plunder-ful time of the Year: Protecting Your Family’s Financial Identity During the Online Shopping Season
The holiday season is a time of giving. But savvy security and technology professionals such as yourselves know, both during the holidays and year-round, that not all giving is good. Some things, namely company and personal information, are not to be given out generously.
This knowledge is tested each day we come to work and guide our corporate charges in the methods of sound security. We remain in that elite corps only by sticking to the fundamentals and practicing what we preach. Yet the cobbler’s children, as they say, often have no shoes. Ask yourself if you treat yourself and your family to the same level of diligence and oversight as you do your work colleagues. It’s not so easy when you’re off the clock. So let us bring security home for the holidays.
The following is an actual text conversation between the author and his twelve-year-old daughter:
Daughter: “Can I have our Apple password?”
Daughter: “I want to buy an app.”
Me: “I’ll get it for you when I get home from work.”
The foregoing was more powerful than any phishing or probing attack. It comes when you are most vulnerable, such as when you are going into a big meeting, and it comes from a trusted source. Plus, that source will be greeting you with a scowl and threats (unfulfilled) of not talking to you when you get home for dinner. It’s not easy to do the right thing.
Your family relies on you just as your CEO does. Let’s start with the fundamentals of securing your family financially during the holiday online buying season. Three things you can do are: centralize purchasing authority, buy from places you know, and buy rather than get sold to.
Centralize Purchasing Authority: In an ideal world, this means making one person the purchasing agent so that purchases can be reconciled with payment, receipt of the items, and return and refunds. This works great in a company with a purchasing department, but companies don’t buy surprise gifts internally. So you might need to make limited exceptions for when it’s the family CFO getting the gift from an on-line source. We all know security is about trade-offs.
Buy from places you know: We all want a good price, and our resolve is tested when we see the same widget for sale on Amazon for $35 and on Bubba’s Sports & Ammo Shack for $28. Which one of these companies has an annual security spend in the millions? It ain’t Bubba. An additional reminder here is that when buying from a known entity; make sure you actually are on their site. Fat fingering an address or even in some cases going indirectly through search results can lead you to a page designed to look like one that is legitimate, but is really there solely to capture your personal and financial information.
Buy rather than get sold to: We’re all scrounging for gift ideas around the holidays. I even catch myself scrolling through LivingSocial listings, desperate for inspiration with regard to relatives who seem to have most of what one needs already. In doing so, I’m being sold to. I’m responding to an inbound solicitation, of which I will receive many before 12/25/12. But you must do so wisely lest you be spoofed or phished by emails that render as authentic PayPal or LL Bean, sites but actually direct you to web pages designed to look authentic but exist solely to capture your username and password for the purpose of cleaning out your account or making unauthorized purchases.
The three big tip offs you’re being spoofed are: the email doesn’t contain your name, email address, or your account number, the email has grammatical mistakes, or the email contains web page hyperlinks that don’t match the text of the email. For example, if you receive an email from “PayPal” that asks you to verify your account at “http://www.paypal.com/accounts,” the easy way to verify the address is to place your cursor over that address and the actual hyperlink shows in a bubble pop up. If that bubble reads “http://www.Ilikesuckers.com,” then it’s best to avoid clicking that link. The easiest way to avoid being spoofed or phished is to buy rather than get sold to. If you get any message that you are anything less that 100% positive about, go directly to the merchant’s website instead of clicking the link and log into your account to read message or purchase an item that caught your eye.
With the fundamentals secured, we must practice what we preach and lead by example. Your family watches what you do. I was updating the operating system on my daughter’s iPhone the other evening, and I made her think about each question before she made a selection during the install. As we were prompted to select whether or not to turn on location services, I asked her, “Do you really want companies to know where you are?" "Are there any apps that you use where you need that on?” Answer: “No.” I even had her scroll through the license agreement. We didn’t read every line (her patience has limits) but I told her that this is where you learn about what companies can do with your pictures and other personal stuff.
Bringing security home doesn’t make you the Grinch if you keep it simple, follow the fundamentals, suggest rather than prescribe, and lead by example. A simple and kind approach is best. After all, it’s the holiday season.