Black Friday Tips for Keeping Your Data Safe When Shopping Online
Defying the general economic gloom, US and global eCommerce sales have continued to grow year over year. According to online metrics company ComScore, as of Q3 2012 the US eCommerce sector has shown over twelve consecutive quarters of positive year-over-year growth and eight consecutive quarters of double-digit growth.
As avid adopters of online shopping ourselves, with a vested interest in the health of the US economy generally, we’re thrilled with this trend. As security people though, we look at it with some trepidation. In the holiday classic movie It’s a Wonderful Life, Zuzu’s teacher tells her that “Every time a bell rings, an angel gets its wings.” In the world of online commerce, every time a virtual cash register rings, a password gets its wings.
Each sale to a new customer or to an existing customer who has shifted his or her buying to the online channel means a high likelihood that that customer has had to create a new account and password to remember. Which he/she won’t—can’t actually. There are just too many of them. As long ago now as 2007 (only on the Internet could you say that phrase without a sense of irony), a Microsoft study of over 500,000 users showed that users accessed an average of about 25 password-protected accounts during the 85-day study period but used only about seven distinct passwords.
Very few eCommerce websites offer two-factor authentication to shoppers on their consumer-facing sites. Some have adopted two-factor authentication in their back offices to protect cardholder data and personally identifiable information (PII), but not enough yet in our opinion.
So what can a security minded online shopper do, other than giving up the convenience and selection of online shopping? Here are a few of our best tips for protecting your online identity from your online shopping when strong authentication options aren’t available.
1. Don’t use your primary email address to create online shopping accounts
The practice of using your email address as your username for shopping accounts has become increasingly common. The advantage of doing so is that it’s at least memorable for you and allows for password resets to be sent to you. The disadvantage is that if this is also the email address you use elsewhere in your digital life, a breach could provide access to more than just your purchase history on a specific website.
If possible, have an email address that’s not associated with any of your important accounts (work, banking, social media, main personal use) that you use only for online shopping. This will reduce the risk of an attacker gaining access to any of your other accounts if a particular retailer’s data is breached.
2. Don’t reuse any of your existing passwords for shopping accounts
Password reuse is one of the biggest dangers associated with data breaches. If you reuse passwords on several websites, gaining access to your password on one could provide unfettered access to an attacker on another of your accounts, even if you have a different username or email there. If you do reuse some passwords (because realistically, we know people do), never reuse the passwords you use for your most important online activities (like banking or your primary personal identity) on less protected, less critical websites, like shopping sites.
3. Use a password management tool to generate and store secure passwords for you
Password managers that can create, store and manage secure passwords for you have become increasingly powerful and easy to use. Some are even free. Password managers allow you to create long, unique passwords that you don’t have to remember. Look at tools like LastPass, RoboForm, Kaspersky Password Manager, and many others to create a secure lockbox for your many, many passwords.
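To show what tips 2 and 3 amount to in practice, here is an added example (not code from the original post, and not from any of the products named above) of the two jobs a password manager does for you: it draws each password from the operating system’s cryptographic random generator so that no two sites ever share one, and it refuses to store a password that is already in use for another account. The site names and the `Vault` class are constructed for the illustration; a real manager would additionally encrypt the stored entries under a master password, which is omitted here.

```python
import secrets
import string

# Character set for generated passwords: letters, digits and a fixed set of symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Return a random password of the requested length from the OS CSPRNG.

    Resample until every character class is present, so the result also
    satisfies the usual 'upper, lower, digit, symbol' site rules.
    """
    if length < 8:
        raise ValueError("length too short to hold all character classes safely")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


class Vault:
    """Constructed in-memory stand-in for a password manager's store.

    Unlike a real manager, entries are kept unencrypted in memory; the point
    here is the one-password-per-site rule, not storage security.
    """

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}  # site -> password

    def is_reused(self, password: str) -> bool:
        """True if this exact password is already stored for any site."""
        return password in self._entries.values()

    def add(self, site: str, password: str) -> None:
        """Store a password for a site, refusing one that is used elsewhere."""
        if self.is_reused(password):
            raise ValueError(f"password for {site!r} is already used for another site")
        self._entries[site] = password

    def new_account(self, site: str, length: int = 20) -> str:
        """Generate a fresh unique password for a new shopping account and store it."""
        password = generate_password(length)
        while self.is_reused(password):  # astronomically unlikely, but cheap to guard
            password = generate_password(length)
        self.add(site, password)
        return password

    def get(self, site: str) -> str:
        return self._entries[site]


if __name__ == "__main__":
    vault = Vault()
    for shop in ("shop-a.example", "shop-b.example", "shop-c.example"):  # constructed site names
        print(shop, vault.new_account(shop))
    try:
        vault.add("shop-d.example", vault.get("shop-a.example"))
    except ValueError as err:
        print("reuse blocked:", err)
```

The reuse check is deliberately an exact match: the idea is that a shopper never has to judge whether two passwords are "different enough", because every stored one is independently random.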
4. Or create a password root that you use only for your holiday shopping
You really should create unique passwords for every account and use a password management tool to help you keep track of them. But if that’s not something you’re comfortable with yet, you might also consider creating a password root for this year’s holiday shopping that you can vary a bit and reuse on the sites from which you purchase. This isn’t a security best practice by any means; truly unique passwords for each account are better. But it is perhaps realistic and attainable for shoppers not using a password manager, and your security measures only need to be commensurate with the sensitivity of the information being secured. You be the judge.
5. Actively delete any personal information you don’t want stored
After you’ve purchased and received your goods, log back onto that eCommerce website and review what personal information is stored in your online account/profile area. Delete anything you wouldn't want someone to see if a breach did occur. For some this might be partial credit card numbers (storing the last 4 digits in clear text is extremely common), but for others it could be everything, including your billing and shipping addresses. Again, you be the judge. The principle here is that which information about you is stored should be your choice, rather than the online retailer’s.
6. Consider alternative payment methods that offer two-factor authentication protection for your personal data
Some payment methods offer two-factor authentication to their account holders. While the implementations are still a bit rough around the edges and adoption isn’t widespread, it’s a great start and allows you to have more control over how your personal data is secured. Notables here include PayPal and Visa.
7. Start telling your favorite eCommerce websites that you want strong authentication for web accounts and in their back office
The era of password-only protection is over. Passwords alone have never been that great at protecting accounts, but they’ve become weaker even as we make them stronger. Recent large-scale data breaches have resulted in tens of millions of usernames and passwords being dumped online. This has given hackers the unique opportunity to refine their algorithms for cracking passwords on huge datasets of actual in-use passwords. Any trick you can think of, like cartoon characters, letter/number substitutions, foreign words, etc., they can now think of as well.
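The defensive counterpart to that observation is a strength check that undoes the same tricks before judging a password, which is what a retailer’s signup form (or a shopper testing a candidate password) can run. The following is an added example, not code from the original post or from Duo; the wordlist `COMMON_BASES` is a tiny constructed stand-in for the breach-derived lists a real check would load, and the substitution table and padding rule are deliberately minimal.

```python
import re

# Constructed stand-in for a breach-derived wordlist. A production check loads a
# large list and ideally also consults a known-breached-password service.
COMMON_BASES = {"password", "mickey", "batman", "welcome", "holiday", "shopping", "november"}

# The letter/number substitutions people reach for, undone. "1" is mapped to "i";
# a fuller check would try every plausible reading of each ambiguous character.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Runs of two or more digits/symbols at either end, e.g. a trailing "2012!".
PADDING = re.compile(r"^[\d\W_]{2,}|[\d\W_]{2,}$")


def normalize(password: str) -> str:
    """Reduce a decorated password to the word it was probably built from."""
    core = PADDING.sub("", password)
    return core.lower().translate(SUBSTITUTIONS)


def weakness_reasons(password: str, min_length: int = 12) -> list[str]:
    """Return human-readable reasons a password is weak; empty list means it passed."""
    reasons: list[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(password)
    for word in COMMON_BASES:
        # Allow up to three leftover characters so "batman1" and "p@ssw0rd!" still match.
        if word in base and len(base) - len(word) <= 3:
            reasons.append(f"built on common word '{word}' with substitutions or padding")
            break
    return reasons


def is_weak(password: str, min_length: int = 12) -> bool:
    return bool(weakness_reasons(password, min_length))


if __name__ == "__main__":
    # Constructed candidates, not real passwords from any dataset.
    for candidate in ("M1ckey2012!", "P@ssw0rd!", "Ba7man1", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {weakness_reasons(candidate) or 'ok'}")
```

The check mirrors what the post describes from the other side: a substitution or a year tacked on the end is exactly the kind of rule a cracker applies to a leaked wordlist, so the only reliable way past the check is a password that is long and not built from a common word at all, which is what a password manager produces.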
Online retailers will only take protecting your personal data as seriously as you do. So let them know you’re concerned and that there are better ways to defend against account takeover and data theft than weak passwords. We, of course, endorse using two-factor authentication, but other strong authentication techniques are also available and online retailers just need to start adding them. Send an email to support@Your_Retailers_Name.com requesting a more secure experience.
So as online shopping grows and Thanksgiving apparently morphs into being called “Grey Thursday,” enjoy the season and shop safely. But be proactive about protecting your online identity and data and start the call for more protection from the websites you do business with in 2013. We at Duo will make it easy for them to comply!