Shopping risks to guard against this holiday season

Credit card skimming devices and hidden cameras are just two ways crooks make this the most scam-filled time of the year for shoppers

The ubiquitous warnings about online shopping risks are well founded. As numerous experts are reminding consumers and businesses, the high season for shopping is also the high season for cybercrime.

[Security at the point of sale]

To paraphrase the song playing in the mall, "It's the mo-o-o-ost dangerous time of the year."

But IT crime is not limited to the cyber world. There are real-world risks as well, from sophisticated hardware that can steal your personal information just as effectively as any online scam.

That doesn't mean the major focus on cyber risks is misplaced — they are more varied and abundant than real-world threats.

As CSO reported recently, millions of spoofed emails are already clogging in-boxes, purporting to be from online retailers or shipping notifications from FedEx, UPS and others. Cyber criminals are all over social media sites, trying to get you to click on links from your "friends," or to open up fake e-cards. Or, they're trying to scam you into purchasing fraudulent gift cards for unbelievably low prices.

There are also multiple risks from specialty mobile apps, which tend to collect much more information from devices than their users may know, including contact lists.

And the dangers from public Wi-Fi are, or ought to be, well known. They have spawned yet more revised versions of holiday jingles like, "You better watch out, you better not cry, you better not use that public Wi-Fi..." Anyone who enters user names, passwords or credit card numbers while using such a service is asking for trouble.

But it is also important to be aware of physical risks, besides those from parking-lot thieves hoping you'll leave a bunch of parcels in your car and then return to the mall to do some more shopping.

These are more subtle. As is the case with most online theft, they are designed to steal your credit or bank card information without stealing your card. By the time you are aware of it, some or all of your money is gone or fraudulent purchases have been made on your cards.

[Retailers tracking customers via Wi-Fi suggests that privacy really is dead]

One of the most popular is the so-called skimmer, which is used on point-of-sale (POS) credit card devices, ATMs and gas pumps. Security blogger Brian Krebs, who has written about them multiple times, had a recent post on one that he described elegantly simple — "little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards," which could be installed and removed in seconds.

"The underside of the device includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card," he wrote.

[Eight tips for more secure mobile shopping]

These are obviously attractive to crooked employees, who could install them when nobody is watching and then remove them if a manager drifts into the area. Or, thieves posing as customers can install them while their partners distract the salespeople.

Chester Wisniewski, senior security adviser at Sophos, said thanks to technology like 3D printers, skimmers like this are well within the reach of the common criminal. "The parts aren't much more complicated than a cassette tape read head and an Arduino computer board," he said.

So, while retail managers should check POS devices regularly and monitor them with security cameras, Wisniewski said shoppers can check the POS device themselves. "Aside from giving it a good once over before inserting your card, we recommend giving it a wiggle," he said. "The part of the machine that accepts your card should not move or look like it has been bolted on."

But skimmers don't always have to be on the device itself. Robert Siciliano, CEO of IDTheftSecurity, said some of them are body worn or hand-held. A crooked employee, with access to hundreds of credit card transactions every day, "can easily double swipe card data on hand held or body worn skimmers fast enough that cameras, fellow employees or the customer would never notice," he said.

The only good news about most skimmers is that there are limits to the damage they can do. "They often are simplistic, and can only get credit-card numbers and not the CSC, CVD or CVN numbers on the back of the card to verify the transactions," said Chris Strand, security compliance practice manager at Bit9.

"Unless the exploit is using camera technology to record both the card swipe and the back of the card, which is often more physically detectable, these common skims limit the use of the stolen data to transactions where the card verification or security code is not needed," he said, noting that requiring the CSC or CVD code within transactions – especially online – is becoming commonplace.

[Slideshow: 5 risks to avoid for the holidays]

Besides skimmers, experts say the other major physical threat is from cameras. "All it takes to log someone's keystrokes is a strategically placed web/security/spy camera," Wisniewski said. "And a smartphone can be easily reconfigured into a rogue access point for supposedly free Wi-Fi. It doesn't always require specialized equipment."

How can retailers and customers detect and defeat threats like these? A good way to start is with the same kind of healthy suspicion that should apply to unsolicited emails. "You are not being paranoid, they are out to get you," Wisniewski said.

A big piece of that should fall to retail management, Siciliano said. "Managers, coworkers and customers must be trained on the risks posed by skimming in general," he said. "Daily checks of existing hardware and close monitoring of employees are essential."

Strand said technology can help as well. "The best way to defeat them is to ensure that hardware or fixed-function devices are limited in their interface to allow only customer input via the keypad or close proximity RFID input," he said.

"Limiting the common interfaces that many of these devices have, such as open wireless ports, physical inputs like USB ports, and any other interface to access the device, reduces the possible access points that cyber thieves may use to compromise a device."

[The 12 scams of Christmas]

Monitoring can help as well, he said, "to detect if the device is attempting to run a process that is either prohibited under the business logic of the machine, or that is suspicious."

Experts agree that there is little hope that law enforcement can cut off or even curb the supply of these devices. The highly publicized recent shutdown of the online black market Silk Road will make little difference, they said.

"The darkweb is exponentially larger than what everyday consumers have access to," Siciliano said. "The tools to search and navigate via TOR (The Onion Router) are getting better every day."

Strand added that other illicit marketplaces, "will easily fill the void that Silk Road left when it was shut down."

And even if those markets disappeared, "many of these devices can be constructed using home-based manufacturing techniques," Strand said. "The devices and the tools used to create them are becoming more simplified making them more difficult to trace."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)