Thursday, November 27, 2014

How to shop online safely

With some simple tips, you can make shopping online a safer experience this holiday season.


As holiday season approaches, shopping online is an attractive option for grabbing plenty of bargains.
Like any transaction, there are security issues to keep in mind when buying online, but with some common sense you can minimize the risk.
Even if you consider yourself a seasoned online shopper, it's always worth a reminder to make sure your experience is the safest it can be.

General tips

  • Don't send your credit card details via email, post them on social media (even in a private message), or enter them on an unsecured website
  • Don't give away more information than you need. Retailers generally don't need to know details like your date of birth or social security number, so why disclose it if you don't have to?
  • Check for a physical address and contact details like phone numbers for the vendor before buying
  • Remember to log out of your account after making a purchase

Keep your PC, Mac or mobile device up to date

This means regularly checking for updates to your operating system, as well as ensuring apps and browsers are also kept up to date with the latest version. Running regular antivirus and malware scans is recommended to help prevent tools such as keyloggers from capturing your personal details.
Also, get into the habit of using strong, unique passwords for each online store you buy from. If you haven't changed your password for an existing account in some time, do it now. Password managers are a great tool if you have trouble generating and remembering unique passwords.

Keep it private (and separate)

Avoid using public Wi-Fi or public computers when shopping online. This includes library or airport PCs.
If you have to make a purchase when out and about, turn on cellular data on your mobile device rather than using Wi-Fi. A VPN is also a great option for adding another layer of security.
It's worth using a separate browser that you regularly keep up to date for shopping and banking online, and another for everyday web use.
Consider opening a second email account specifically for online shopping purposes to help minimize spam, and keep track of which service is using your email address for what purpose.
If you have a Gmail account, you can append a plus symbol (+) and a tag to your username to help filter your email. For example, you could enter your email address in the format "osho3mtech+amazon@gmail.com" and then set up a filter within Gmail so everything sent to that address goes straight to a label called "Amazon".
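As an added example (not part of the original post), the following Python script shows the plus-addressing idea in action: it pulls the tag out of each recipient address, assigns the matching label, and flags a tag that arrives from a sender domain other than the one it was handed to, which is how you spot an address that has been shared or leaked. The inbox, the expected-sender mapping and the address osho3mtech@gmail.com from the text are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample inbox for the example: (From, To, Subject). Not real mail.
SAMPLE_INBOX = [
    ("orders@amazon.com", "osho3mtech+amazon@gmail.com", "Your order has shipped"),
    ("deals@shoes-outlet.example", "osho3mtech+shoes@gmail.com", "Weekend sale"),
    ("promo@unknown-marketer.example", "osho3mtech+amazon@gmail.com", "You won!"),
    ("friend@example.org", "osho3mtech@gmail.com", "Lunch?"),
]

# Assumed mapping: which sender domains each tag was given to.
EXPECTED_SENDERS = {"amazon": {"amazon.com"}, "shoes": {"shoes-outlet.example"}}


def split_plus_tag(address):
    """Return (base_address, tag) for a plus-addressed mailbox; tag is None if absent."""
    _, addr = parseaddr(address)
    local, _, domain = addr.lower().rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", (tag or None)


def label_for(tag):
    """Gmail-style label derived from the tag, e.g. 'amazon' -> 'Amazon'."""
    return tag.capitalize() if tag else "Inbox"


def sender_domain(sender):
    _, addr = parseaddr(sender)
    return addr.rpartition("@")[2].lower()


def route_messages(inbox, expected=EXPECTED_SENDERS):
    """Assign a label per message and flag tags reached by an unexpected sender domain.

    Returns (labelled, leaks): labelled is a list of (subject, label);
    leaks is a list of (tag, sender_domain) for tagged mail from a sender
    the tag was never given to.
    """
    labelled, leaks = [], []
    for sender, to, subject in inbox:
        _, tag = split_plus_tag(to)
        labelled.append((subject, label_for(tag)))
        if tag in expected and sender_domain(sender) not in expected[tag]:
            leaks.append((tag, sender_domain(sender)))
    return labelled, leaks


if __name__ == "__main__":
    labelled, leaks = route_messages(SAMPLE_INBOX)
    for subject, label in labelled:
        print(f"{label:>8}  {subject}")
    for tag, domain in leaks:
        print(f"tag '{tag}' received from unexpected domain {domain}")
```

A sender can strip the plus tag, so an unexpected sender is a hint about where an address was shared, not proof.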

Research your retailer

Make sure to fully check out the retailer's credentials if it's not a big name you have heard of before. A quick search of the site name should turn up results and reviews about the service, but keep an eye out for overly positive reviews on user forums that might not be legitimate.

Both a lock and https in the URL show you that the site is using a secure connection via SSL.

Ensure that the site is using a secure connection, which is marked by https:// in the browser bar and a number of other indicators including an image of a lock. Some sites have an icon called a trust indicator or security seal that shows that the retailer is independently verified by a third party, such as an antivirus provider.

Use a payment method with buyer protection

Although debit cards ensure you are using your own cash to make a purchase, many do not offer the same robust buyer protection as other options if something does go wrong. A credit card, PayPal or a virtual wallet option gives you more flexibility when it comes to requesting a chargeback.
A chargeback is when a transaction is reversed and a refund is given to you as the buyer. It can either be initiated by your bank on detection of fraudulent activity, or you can initiate a chargeback depending on the situation. Check with your bank for details.
Another option that you might consider using to add another layer of protection is a single-use credit card number. These are tied to your regular credit card but provide a unique number to be used for one transaction so your actual credit card number is not compromised. This is particularly useful if there is a breach somewhere along the chain that might reveal your credit card details. Again, check with your bank to see if this is an option.
Although it makes it very convenient to make repeat purchases, it is worth unchecking any option that lets the retailer store your credit card details on file. This way if your account is compromised, at least your financial details are not revealed.


Shopping on your smartphone or tablet

Apart from the tips outlined above, there are a few things to be aware of when shopping on a mobile device. Set a password, pattern or PIN lock on your smartphone, and adjust the settings so the screen locks automatically after a set period of inactivity.
The vendor's own app might be a convenient way to make a purchase, but find out if it is using a secure connection to transmit your personal information and transaction details. If unsure, it's best to use the website through a mobile browser.

Turn off Bluetooth if you are not using it, and check what permissions applications are asking for before you install them. Also, jailbreaking or rooting your device may open up more features but it can leave it more open to threats.
Finally, if you lose your device and it has personal information on it such as credit card info, or you left it logged in to an account which has access to your credit card or bank details, make sure you can remotely wipe and disable your device. For iOS, enable Find My iPhone from the settings. Android users can use Google's Android Device Manager to remotely lock and erase the handset or tablet. Windows Phone owners can use the Find My Phone feature on windowsphone.com to erase the handset if lost.

Calculate the total cost

Take into account shipping, sales tax and any other taxes or charges that might apply, especially when importing goods from overseas. Product doesn't suit, or you need a refund? Check the retailer's policies before making the purchase to work out whether you need to cover return costs and any extra fees or charges.
It's also worth shopping around to find the best deal on the same product. Don't just assume your favourite online retailer is always going to have the best price, as you might be able to find a better deal elsewhere.

Something went wrong?

Your first port of call if something goes wrong with an online transaction should be the retailer. If you need to report identity theft or fraud, each country has a local service where you can report the issue.
If something looks suspicious, it probably is. Regularly keep an eye out for online scams on the relevant sites. Find information on USA.gov, Scam Watch in Australia, Action Fraud in the UK and the Economic And Financial Crimes Commission in Nigeria.

How to protect your credit card online 

Keep your credit card details away from prying eyes and avoid fraudulent transactions with these tips for shopping online.

There's nothing like the feeling of snapping up a hard-earned bargain when shopping online.

There's also nothing like the feeling of falling victim to credit card fraud.
With a number of high-profile breaches this year alone, it's always a good time to be alert -- not alarmed -- about using your credit card online.
On top of these general tips for safe shopping, here are some card-specific tips to keep in mind when virtually swiping your plastic.

Only enter your credit card details on secure sites

By now, you hopefully know the drill. Look for an https connection in the URL, as well as a padlock or another digital security certificate to ensure that you are only entering your details on a site that encrypts the transaction end-to-end. Don't send your credit card information over email.



Buy a prepaid card for online transactions

For those who want to keep online purchases completely separate from everyday credit card transactions, prepaid cards are an option to consider. These can either be bought online or from a traditional bricks and mortar retailer for a small fee.
Prepaid credit cards allow you to load a set amount of money at the time of purchase. The advantages are plentiful when it comes to using a prepaid card for online shopping, but the big one is that even if the card's details are compromised somewhere along the chain, there is a limit to the amount of money that can be taken.
Some banks and financial institutions will let you generate a virtual credit card number to complete purchases. This is generally a single-use number that you can enter in place of your regular number.

Watch statements for any unusual transactions

While many banks have sophisticated 24/7 monitoring systems designed to detect fraud and unauthorized credit card use, it's important to also keep an eye on financial statements both online and on paper. If you spot anything suspicious, call your bank immediately.

Turn on your credit card's added layer of security

Many credit cards will have an additional layer of security that might not be enabled by default. MasterCard has a product called SecureCode, which is a private code that you enter every time you make a transaction on a supported site, and is never disclosed to the retailer.

Verified by Visa, on the other hand, offers a personal message that greets you when you are making a transaction, as well as a password to authorize a purchase. Check with your bank or financial institution to see if one of these options is available. The check for SecureCode is here, while Verified by Visa can be found on your region's Visa page.
On top of these safeguards, some banks also have their own verification system in place that works in place of SecureCode and Verified by Visa. This may include the bank sending a one-time PIN or security code to your phone as a second layer of authorization.
Check with your bank or credit institution to work out what other protections you have if your details are compromised. Both MasterCard and Visa offer Zero Liability protection against fraudulent transactions for both online and offline use.

Check your browser settings

Turn off your browser's autocomplete settings to avoid it inadvertently storing your credit card or personally identifiable information.
In Chrome, go to Settings and select Show Advanced Settings. Under the Passwords and Forms section, click Manage Auto-fill Settings. Delete any credit card information that is automatically stored there, then uncheck Enable Auto-fill to fill in web forms in a single click.



In Firefox, click the Menu button and choose Options. Find the Privacy panel and look for the History drop-down box. Here, choose Use custom settings for history. Then uncheck Remember search and form history.



In Safari, find Preferences. Click on the AutoFill tab and then uncheck the options to remember form data, including the credit card option.
In Internet Explorer, click the settings cog and choose Internet Options. From the Content tab, click Settings next to the AutoComplete section and uncheck Forms.

Be sensible about where and how you use your card

Reduce the chance of falling victim to a large-scale breach by not allowing the retailer to store your credit card details on file (if applicable). Enter your credit card details each and every time you make a purchase.



Also, make sure to use a separate password for every account you make with an online retailer. It should be different to passwords used for email accounts and other online services.
Something that you might not think about is the physical location where you enter credit card details.
It sounds obvious, but don't type your details out in public view where people can see your screen. For example, on public transport it might be super convenient to whip out a tablet and make a quick impulse purchase, but think about who might be watching over your shoulder.

Use another service to make it easy

Blur (formerly known as DoNotTrackMe) offers a service that helps to add another layer of security between you and the online retailer. For premium subscribers, it offers a masked credit card feature that generates a new number for every purchase you make. You can also assign a set value for that transaction, so there's no chance of taking more money than you designate. It's $39/year but only available for users in the United States, although the service will roll out to a select number of other countries soon.

 

Today's Top 5 Malware Threats 


Today attackers are not being held back by anything, and malicious software is still a surprisingly common issue around the world. No wonder that more and more IT and business leaders are feeling so concerned about security these days.
How do you prevent security breaches? I've previously described six tips on how to ensure website security, but the starting point is awareness that the threat exists and is real. Understanding the 

Here are what I consider to be the top five malware threats to websites and mobile devices, ranked by how dangerous and widespread they are:

Backoff

Backoff is a malware family that draws a bead on Windows-run point-of-sale (PoS) systems to steal customer credit card data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses. Dairy Queen and the Supervalu supermarket chain are among retailers that suffered data breaches due to Backoff.
After copying itself to the infected machine, it calls the WinExec API. The names in its process blacklist are replaced with hashed values to hinder analysis. Besides hashing the blacklisted processes, the malware also stores the stolen card information locally on the system.
Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware and uninstalling the malware. A Backoff breach can damage your business's reputation, since the stolen consumer information is used for scams such as counterfeit purchases and account data compromises.

Dyreza 

The Dyreza trojan (Dyre) has been causing much fuss in the security world since last year. By bypassing SSL protection, this malware sets its sights on the users of specific business apps and has targeted a range of influential financial institutions, namely Bank of America, RBS, Citibank, Ulster Bank and NatWest. Dyreza aims to steal users' credentials for online banking and other financial sites.
Using a browser-hooking technique that intercepts traffic between the user's device and the target website, Dyreza has "conquered" Google Chrome, Mozilla Firefox and Internet Explorer. As a rule, Dyreza arrives as a bank notification message with a zip file attached. Once opened, the malware installs itself on the machine under C:\Windows\[RandomName].exe and then contacts a command-and-control server, appearing as a fake Google Update every time you start your device. The Trojan is now also exploiting the recently disclosed CVE-2014-4114 vulnerability in Windows.

BlackEnergy 

Among a variety of purposes the BlackEnergy malware family (with BlackEnergy and BlackEnergy Lite as the latest 2014 variants) was created for, its key functions include DDoS attacks, spam distribution and bank scams. Its manners of spreading include technical infection methods through exploitation of software vulnerabilities, as well as social engineering through spear-phishing emails and decoy documents (Microsoft Word or PowerPoint), or a combination of both.
Installation of the malware is accomplished through the exploit shellcode, which drops two files to the temporary directory: the malicious payload named "WinWord.exe" and a decoy document named "Russian ambassadors to conquer world.doc." These files are then opened via the kernel32.WinExec function. The WinWord.exe payload serves to extract and execute the BlackEnergy Lite dropper. At the same time, another document exploits CVE-2014-1761.
The danger of this malware lies in network discovery and remote code execution for collecting data off the targets' hard drives. The document is also caught in the act of exploiting the CVE-2014-1761 vulnerability in Microsoft Word, and was spotted in other attacks, including MiniDuke.

Win32/Crowti 

A real "trick-or-treat" for your computer is Crowti, a family of ransomware that tries to encrypt the files on a user's PC or block a user's access to the computer and ask for payment to unlock it. The fraud-scheme is classic: Win32/Crowti makes you pay for restoring your PC. This malware knocks on users' doors in the form of spam email campaigns and exploits.
Moreover, this threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. The attachment is usually hosted in a zip archive that triggers malware action when opened. Win32/Crowti is also spread through exploit kits such as Nuclear, RIG, and RedKit V2 that may take advantage of Java and Flash vulnerabilities. Win32/Crowti can be also installed via other malware, such as Upatre, Zbot, and Zemot.

Andr/BBridge-A 

Last but definitely not least is the mobile trojan Andr/BBridge-A, blamed for exposing users' personal data (in particular the subscriber ID, IMEI, phone number, network country ISO code, phone model, Android OS version and SIM card info) to a specific server, with which it communicates over HTTP.
The trojan may be distributed as an Android installation package with an enticing file name such as "anserverb_qqgame.apk." Dropping its payload (located at "assets/anServerB.so" in the original package) as com.sec.android.bridge.apk, the malware displays a prompt asking the user to install it. Andr/BBridge-A also sends, scans and removes text messages (SMS) on the phone.

Conclusion: Know Your Enemy

With the rapid growth of information technologies and online data storage, maintaining security at the necessary level has become a real challenge. Staying alert is a large part of staying secure, so keep up with the new security challenges that arise and know your enemy to win the security battle.


Monday, November 3, 2014

American Express aims to dump credit card numbers for tokens


In an effort to make Internet and mobile transactions more secure, American Express has launched a new service that aims to replace payment card numbers with unique tokens.

E-commerce sites and digital wallet applications that use the company’s new token service won’t have to store customers’ card details. Instead, merchants, banks and payment processors will be able to work with digital tokens that are mapped to real payment card accounts.

The payment tokens can be tied to specific merchants, transaction types or payment devices, limiting the ability of cyber criminals to misuse them if compromised. This means that widespread adoption of tokenization for card-not-present transactions would likely reduce fraud.

Unlike payment card numbers, if tokens are compromised, they can easily be revoked and replaced without the need to physically reissue the cards they link back to.

The American Express Token Service is based on the Payment Tokenization Specification and Technical Framework published this year by EMVCo, the organization that maintains the EMV standard for chip-enabled payment cards. It is already available in the U.S. and American Express plans to start rolling it out internationally in 2015.

The service’s release comes at a time of growing mobile payments adoption, partially driven by the launch of Apple Pay, which also uses tokenization. Major U.S. and international banks are also planning to launch their own mobile payments apps next year.

Those apps will likely use a technology called Host Card Emulation (HCE) that is present in NFC-enabled mobile devices running Android 4.4 “KitKat.” American Express has also developed network specifications for HCE to enable its card-issuing partners to use the technology.
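The following Python sketch is an added illustration (not American Express's or EMVCo's code) of the token properties described above, and of the single-use and value-capped virtual card numbers mentioned in the shopping tips earlier on this page: a token is random, bound to one merchant, optionally single-use or capped, and can be revoked without touching the underlying card number, which the vault only resolves once every check passes. The vault class, the merchant names and the test card number are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Simplified token vault for illustration only; not a real payment network's design.


@dataclass
class TokenMeta:
    merchant: str                 # token is only honoured at this merchant
    max_amount: Optional[float]   # optional spending cap, as with a masked card
    single_use: bool              # one transaction only, like a virtual card number
    used: bool = False
    revoked: bool = False


class TokenVault:
    """Maps opaque tokens to real card numbers (PANs) and enforces their restrictions."""

    def __init__(self):
        self._tokens = {}  # token -> (real PAN, TokenMeta)

    def issue(self, pan, merchant, max_amount=None, single_use=False):
        # The token is random, so it reveals nothing about the real card number.
        tok = "TKN" + secrets.token_hex(8)
        self._tokens[tok] = (pan, TokenMeta(merchant, max_amount, single_use))
        return tok

    def revoke(self, tok):
        # Revoking a token does not require reissuing the card it maps to.
        if tok in self._tokens:
            self._tokens[tok][1].revoked = True

    def authorize(self, tok, merchant, amount):
        """Return (approved, reason). The PAN is resolved only when all checks pass."""
        entry = self._tokens.get(tok)
        if entry is None:
            return False, "unknown token"
        pan, meta = entry
        if meta.revoked:
            return False, "token revoked"
        if meta.merchant != merchant:
            return False, "merchant mismatch"
        if meta.single_use and meta.used:
            return False, "token already used"
        if meta.max_amount is not None and amount > meta.max_amount:
            return False, "amount exceeds cap"
        meta.used = True
        return True, f"charged card ending {pan[-4:]}"


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number, not a real account.
    tok = vault.issue("4111111111111111", "shop.example", max_amount=50.0, single_use=True)
    print(vault.authorize(tok, "other.example", 10.0))   # merchant mismatch
    print(vault.authorize(tok, "shop.example", 20.0))    # approved
    print(vault.authorize(tok, "shop.example", 20.0))    # already used
```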