Shopping at the Mall? It Can Be Just as Risky as Shopping Online


The holiday shopping season is a big event for cybercriminals, and as a result, many individuals are slowly becoming more cautious when shopping online. And because they know that pickpockets and other grifters love crowds, shoppers tend to keep their eyes on their kids and their wallets when at a physical shopping location. However, most people haven’t been paying attention to how much digital shopping has taken over even traditional shopping, and cybercriminals are keen to exploit that lapse in caution.

The busyness of holiday shopping tends to lower people’s guards, leaving them vulnerable to exploits – especially from completely unexpected vectors like cybercrime at the mall. And with a crush of shoppers, retailers are likely not paying close attention either. So, to better protect you from cybercrime when shopping at your favorite store or mall, here are a few things to remember.

Be Careful Using Public Wi-Fi

Shoppers are eager to make sure they are getting the best deals, stay connected with family and friends through social media, or even document their shopping experience. And many times, that means using the local Wi-Fi at the mall or coffee shop.

However, there are simply too many ways for someone to intercept your connection and use it to steal your financial information, passwords, and other personal data. For example, a man-in-the-middle attack occurs when a cybercriminal already connected to the internet broadcasts their device as “Free Wi-Fi.” When you connect, they connect you to the Internet through their device, which means they can see and steal all the traffic moving between you and your online shopping site, bank, or social media accounts.

Cybercriminals will set up malicious Wi-Fi hotspots in popular areas around shopping centers, malls, movie theaters, and holiday gathering places. A common technique is for them to require you to accept a certificate when you join the hotspot to browse the Internet. What you might not realize is that this technique allows them to run a “man-in-the-middle” attack on your Internet connections. Attackers use this technique to force all your connections into a less secure method, allowing them to steal your username, password, and other sensitive information – even from encrypted, SSL-protected websites. Open-source extensions such as HTTPS Everywhere from the Electronic Frontier Foundation can help mitigate this sort of attack.

Watch for ATM and Credit Card Skimmers

Whether you are getting cash from your ATM, buying gas, or swiping your card at the store, the holiday season always sees a spike in credit and debit card usage – along with credit card fraud. And credit card skimmers are a common problem.

Skimmers are electronic devices designed to either slide over an existing card reader or be inserted into a card reader slot. They look remarkably like the original credit card reader, but they capture your credit card data and PIN when you make your transaction.

Here’s what to look for:

  • A salesclerk says they’ve “been having trouble with that card reader all day.” Maybe that reader is wearing out. But it also may be because a skimmer has been placed on that reader, and it uses those extra card swipes to capture your data before letting you make your purchase.
  • Look at the card reader. Do the colors and graphics and seams on the card reader all match up? Is there any damage around the card slot that might indicate that it was forcefully removed or replaced?
  • Card readers – whether at a store, on an ATM, or on a gas pump – are designed to withstand thousands of users. They don’t have loose parts or components. If the keypad is loose, the card slot wiggles or moves when you insert your card, or anything feels less than industrial grade, move on.
  • Whenever possible, use contactless payment options such as Apple Pay, Samsung Pay, and Google Pay. Even when those services are linked to your credit card, the nature of those services sometimes makes them more secure than using your credit card directly, especially for avoiding credit card skimmers.

Keep Your Distance for Contactless Transactions

However, keep in mind that contactless payment cards and smartphone apps use a technology called near-field communications to simplify transactions. What most people don’t know is that some of these can be monitored and captured remotely. Wait, didn’t we just say that you should use contactless payments? Yes, which means you should only turn them on when you are conducting a transaction, and leave them turned off when you are not. Luckily, modern iPhones and some Android devices only enable the feature when a physical button is pressed or the app is opened.

For someone to intercept that payment data, they also need to be close by, usually within a few feet (that’s why it’s called near-field communications). So start by looking for someone oddly lingering next to the checkout registers. If you are using a contactless payment system, make sure that other shoppers are a few feet away before you use your phone to make your purchase.

Protect Your Purchases in the Parking Lot

During a busy day of shopping, many shoppers will take a load of purchases out to their car to store them while they continue shopping. The problem is that the electronic key fob that lets you remotely lock and unlock your car might be convenient, but it’s not necessarily secure.

Your key fob and your car’s electronic security system generate random lock codes. And when those codes match, the car will lock or unlock. Unfortunately, these devices store a set of numbers, called a rolling code scheme, so if the numbers don’t match right away it can search for other codes looking for a match. And with a handful of instructional videos, online libraries of stolen rolling code schemes for virtually any car imaginable, and some basic programming, a criminal can easily create a tool designed to communicate with other systems, like your car. They then walk through a parking lot broadcasting codes, and like magic, car doors unlock and trunks pop open.

And, by the way, many garage door openers use pretty much the same technology. Criminals have been known to drive through neighborhoods broadcasting a set of codes to see which garage doors open as they pass by.
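The look-ahead matching described above for key fobs and garage door openers, modelled from the receiver's side as an added example (not code from the article or from any vendor). It uses HMAC-SHA256 over a button-press counter as a stand-in for the proprietary ciphers real fobs use; the key, the window size and the `Receiver` class are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many future counters the receiver tries


def code_for(key: bytes, counter: int) -> str:
    """Code a fob would transmit for a given button-press counter."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter  # last counter value that was accepted

    def accept(self, code: str) -> bool:
        # Only counters strictly ahead of the last accepted one are tried,
        # so a code that was already used can never match again.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(code_for(self.key, c), code):
                self.counter = c  # resynchronise; every older code is now dead
                return True
        return False


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key, not a real one
    rx = Receiver(key)
    first = code_for(key, 1)
    return {
        "in_sync": rx.accept(first),                    # normal press
        "replay": rx.accept(first),                     # same code sent again
        "skipped_presses": rx.accept(code_for(key, 5)), # fob pressed out of range
        "stale": rx.accept(code_for(key, 3)),           # code behind the counter
        "beyond_window": rx.accept(code_for(key, 5 + WINDOW + 1)),
        "wrong_key": rx.accept(code_for(b"other-key", 6)),
        "counter": rx.counter,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The window is the convenience/security trade-off: a larger `WINDOW` tolerates more out-of-range presses but also widens the set of codes the receiver will accept at any moment.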

Use Your Credit Card

Avoid using your debit card for purchases. Most credit cards have built-in fraud protection, even when using a contactless payment system. Check with your bank or your card provider to learn more about what protections your card provides. Also consider adding things like two-factor authentication when accessing bank accounts online, etc.

Next, make sure you log in and look at your bank and credit card statements online during heavy shopping periods, rather than waiting for your statement to arrive. The quicker you spot an unauthorized transaction the faster you can get it resolved and limit your exposure.

Using Caution Can Make All the Difference

Most shoppers purchase goods, conduct online transactions, manage their finances, and connect to others using the same smart device. We need to understand that these conveniences come with risks. At the same time, cybercriminals are constantly looking for new ways to exploit these digital tools. However, if we take the time to educate ourselves, our friends, and our family about lowering our digital risks, we can all have a happy, and safe holiday season.

Want to learn more about cybersecurity? Educate yourself. Find out more about Fortinet’s NSE Institute programs, including the Network Security Expert program, Network Security Academy program, and FortiVets program.


Copyright © 2019 IDG Communications, Inc.