Holiday security risks are in the real world too, not just online

By Taylor Armerding, CSO
December 09, 2013 05:22 PM ET

CSO - The ubiquitous warnings about online shopping risks are well founded. As numerous experts are reminding consumers and businesses, the high season for shopping is also the high season for cybercrime.

To paraphrase the song playing in the mall, "It's the mo-o-o-ost dangerous time of the year."

But IT crime is not limited to the cyber world. There are real-world risks as well, from sophisticated hardware that can steal your personal information just as effectively as any online scam.

That doesn't mean the major focus on cyber risks is misplaced; they are more varied and abundant than real-world threats.

As CSO reported recently, millions of spoofed emails are already clogging in-boxes, purporting to be from online retailers or shipping notifications from FedEx, UPS and others. Cyber criminals are all over social media sites, trying to get you to click on links from your "friends," or to open up fake e-cards. Or, they're trying to scam you into purchasing fraudulent gift cards for unbelievably low prices.

There are also multiple risks from specialty mobile apps, which tend to collect much more information from devices than their users may know, including contact lists.

And the dangers from public Wi-Fi are, or ought to be, well known. They have spawned yet more revised versions of holiday jingles like, "You better watch out, you better not cry, you better not use that public Wi-Fi..." Anyone who enters user names, passwords or credit card numbers while using such a service is asking for trouble.

But it is also important to be aware of physical risks, besides those from parking-lot thieves hoping you'll leave a bunch of parcels in your car and then return to the mall to do some more shopping.

These are more subtle. As is the case with most online theft, they are designed to steal your credit or bank card information without stealing your card. By the time you are aware of it, some or all of your money is gone or fraudulent purchases have been made on your cards.

One of the most popular is the so-called skimmer, which is used on point-of-sale (POS) credit card devices, ATMs and gas pumps. Security blogger Brian Krebs, who has written about them multiple times, had a recent post on one that he described as elegantly simple, "little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards," which could be installed and removed in seconds.

"The underside of the device includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card," he wrote.

These are obviously attractive to crooked employees, who could install them when nobody is watching and then remove them if a manager drifts into the area. Or, thieves posing as customers can install them while their partners distract the salespeople.
