Van Wyk: Take Steps to Protect Yourself as a Consumer
October 22, 2017 | Data Breaches
By Ken Van Wyk, IANS Faculty
With all the digital threats we face on a daily basis, it’s a miracle we haven’t all been hacked. Or perhaps we have…
So we should all just give up, right? Of course not. However, to ensure the odds are in your favor, there are some informed and well-planned steps you can take to assume responsibility for your own safety. And yes, I’ve addressed this issue a few times over the years, but things change on both the threat side and the remediation side, so it’s a good idea to revisit this topic.
Like many others, I’ve found myself doing much more of my shopping online these days. I don’t care for the big mall experience, and even the big specialty stores give me the willies, so I turn to online transactions whenever I can. I’m also pretty careful about my online security and privacy, so I do my best to minimize my exposure.
But before I list things you should consider doing, let’s discuss the threat landscape. Online, we continue to see major security breaches at big-name companies. Some of these companies are consumer-facing, but others are less so. And no, as consumers, there’s nothing we can do to protect ourselves from those companies. Well, except for the fact that we have the “power of the purse,” as it were. We can shop somewhere else. In any case, I point you to the latest threat reports, such as Verizon’s Data Breaches and Incidents Report (DBIR), if you want to study these trends in detail.
It’s also worthwhile to point out some of the non-online threat trends. The biggest issues we as consumers face are skimming devices and malware on credit card point-of-sale (POS) equipment. These have continued to advance in both their technical capabilities and their frequency.
Skimming devices generally snap onto POS devices, especially ATMs and gasoline pumps. ATMs and gas pumps present favorable circumstances for many of the bad guys: they’re often unattended, and they’re out in the open. Skimmers can be attached to these devices, and then collect hundreds or thousands of customers’ account data. Coupled with a video recording device, they can also collect debit card PINs. The most capable skimmers have Bluetooth or other remote access capability, so the bad guys can collect their ill-gotten loot remotely, without ever getting out of their cars. They just pull up to the gas station or ATM, grab their stolen data, and then drive away.
So, what’s a consumer to do? Here are some steps that are most worth the effort.
- Minimize your exposure. When purchasing online, favor “proceed as guest” without opening a user account on merchant sites. Even if you’re forced to register with a site, do not store your payment information. It might seem convenient, but that is a double-edged sword. The less information you store on a merchant site, the less exposure you have if that site is breached.
- Favor advanced payment options. More and more merchant sites are supporting payments that do not involve the merchant having access to your payment account information. These include PayPal, Apple Pay and Android Pay. Consider it part of minimizing your exposure: opting for these types of payment services keeps your exposure down significantly. Apple and Android Pay, in particular, use a tokenization technique that provides payment data that only works for a single transaction, making replay attacks far more difficult. This kind of payment service has a double benefit in many cases: it’s more convenient and it’s more secure.
- Keep a record. If you do decide to store your payment information on a site, perhaps because they force you to or doing so really makes your life easier, be sure to record that (especially if it’s a merchant where you wish to shop frequently – sometimes storing payment information justifies the risk). I keep a running log of all the sites where I store my payment information. That way, when a credit card gets compromised, I can go to those sites and quickly update my payment information manually.
- Be selective. This is a tough one at times, but choose your merchants wisely. If you wouldn’t be comfortable walking into their store and handing over your credit card, don’t do it online. Some credit card issuers give consumers the option of setting up temporary or per-merchant credit card “accounts,” so that your real account isn’t directly exposed. For those cases where you might be a bit concerned about a merchant, you can provide them with a one-time account number. You can likely further limit the dollar amount and other attributes of the transaction as well. Ask your card issuer if they support these types of features.
These are just a few pretty basic things you can do. The bottom line remains: proceed, but with caution. Don’t just give out your information because a merchant “requires” it. Take a step back and ask yourself what your risks are, then plan how you can best protect yourself.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.