SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 165: Safe shopping for the holidays

Posted on November 29, 2019

This week’s Checklist gets you ready for the seasonal shopping rush (from a cybersecurity perspective, anyway). We’ll show you how to keep safe as you shop online, which gifts you might want to avoid, how to make sure everything arrives as planned, and what to do when all the madness is over!

This week’s Checklist covers:

  • How to shop
  • What (not) to buy
  • Deliveries and checkups

Shop smart, shop safe

Before you actually purchase anything online, there are a couple of basic precautions you should take — and one or two seasonal threats you need to be aware of. With that in mind, let’s get right into safe holiday shopping basics.

Update everything

We say it a lot, because it’s true: Regular updates are one of the best ways to protect yourself from malicious activity.

Hackers look for vulnerabilities to exploit. Tech companies and developers patch these vulnerabilities — often just in the nick of time. Then the cycle repeats itself. 

But if you install updates promptly, you’re protected against every vulnerability that has already been patched, which takes away the easiest targets. That is why we stress the importance of regular updates so often on the Checklist as well as our blog.

Around this time of year, people are likely to be online more often as they shop for gifts, and cybercriminals, aware of this, are going to be more active than usual. This increased chance of exposure to bad actors means that your risk profile is higher during the holiday shopping season, which is why updates are even more important right now than they normally are.

Scan for keystroke loggers

A keystroke logger, or keylogger, is a type of malware that covertly records every key you press on your computer. That’s bad enough, but even more alarmingly, some keyloggers have the ability to transmit a record of your keystrokes back to a malicious actor. This obviously represents a huge threat if you’re, say, doing a lot of online holiday shopping and entering your credit card details again and again.

Hackers who build keyloggers design them to be extremely hard to detect (that’s part of their basic functionality, at least from a hacker’s point of view). This means that you will need to use specialized software in order to find them. Many of the general-purpose malware detection tools made for Windows operating systems also have keylogger detection. And if you have a macOS system, you can use our very own MacScan 3 to hunt down keyloggers (even if you’re not a MacScan user yet, you can use the free trial version to run a quick scan before you shop).

Before you get started shopping this year, run a full scan of your system to make sure nothing nasty is hiding there. Then remember to set up regular scans (even daily scans to be really safe) to protect yourself going forward.

Manage your passwords

Online holiday shopping always seems to spawn lots of new accounts. Some retailers will offer discounts and incentives in exchange for signing up for an account, while others even make this a condition of purchase!

New accounts mean new passwords, and many people just slack off on cybersecurity when confronted with the daunting prospect of remembering lots of passwords — especially when these passwords are for accounts that they didn’t really want in the first place. This leads to poor security practices like reusing passwords across sites or choosing simplistic and easy-to-guess passwords.

Unfortunately, doing this puts you at risk, either from a direct attack on your account or indirectly through credential stuffing attacks, in which a password leaked from one retailer’s data breach is tried against your accounts at other sites. And of course, any time a malicious actor gets hold of your personal information, it increases the chance of identity theft.

There’s an easy fix for this problem, though: Get a password manager. Password managers like Dashlane or 1Password allow you to create complex, unique passwords for each and every site and service you use. This way, if you have to sign up for another new account while shopping, you can create secure credentials with the click of a button, and the password manager will remember them for you.

Use one credit card

Reducing points of vulnerability is a fundamental principle of cybersecurity. And believe it or not, it applies to holiday gift buying as well! 

We recommend using just one credit card to do all of your online shopping this year. Why? Because it means you only have one account to keep track of in order to check for suspicious or fraudulent activity.

Using a credit card (as opposed to a debit card) also makes it much easier to file fraud claims or perform chargebacks in the event that something goes terribly wrong and you find yourself the victim of illicit account use. A fraudulent debit charge comes straight out of your bank balance while the dispute is pending, whereas a disputed credit charge is just a line on a bill you haven’t paid yet. Fairly or unfairly, banks also tend to make it much harder on consumers who try to dispute debit transactions, which is a good reason to use credit, at least where online shopping is concerned.

Think before clicking

Retailers will be sending you a lot of promotional emails starting around Black Friday and Cyber Monday and continuing until the end of the year. 

Lots of those deals and coupons will be completely legit — but mixed in there, you might find a few that look genuine, but are anything but. This is because hackers know that companies are sending out tons of these emails around this time of year, and that consumers are so overwhelmed that they may have their guard down. They take full advantage of this, sending out phishing emails with malicious links disguised as “can’t miss” offers.

So what can you do about this? It’s actually pretty simple: If you want to check out a deal, go directly to the source instead of clicking on a link that came via email. Just go to the company’s website directly in your web browser and find the offer there! 

Gifts to avoid

If you know how to shop safely, that’s half the battle. But you should also give some thought to what you’re going to be buying — and in particular, to which items are best avoided for security reasons.

Don’t buy off-brand 

It’s only natural to do a little bargain-hunting when it’s time to buy holiday gifts, and turning to third-party alternatives can be, in some cases, a good way to do this. But one area where you might want to avoid off-brand items is electronics.

Third-party vendors sell products that look more or less identical to the more expensive versions sold by famous manufacturers. The difference in price — and the similarity to the genuine article — can be pretty impressive. But when you’re talking about things like, for example, Mac peripherals, it can be hard to guarantee the security of some of these white-label products. 

Remember, that mouse or keyboard has firmware and software that’s just as vulnerable to attack as the Apple original — but does it have Apple’s team of engineers and security professionals keeping it safe, and updating it as often as needed? Unlikely, which is why it may be worth your while to pay the “Apple tax” and buy actual Apple products instead of less-expensive, less-secure alternatives. 

Be smart about smart things

Smart things are popular gifts around this time of year, and while we’ve talked about their famously lax security in the past, we won’t spoil the holiday cheer by trying to deter anyone thinking of giving an IoT device as a present.

That said, we will offer a word of caution: If you’re going to purchase an IoT thing, make sure it comes from a reputable manufacturer and is likely to be around and well-supported for the foreseeable future.

Unfortunately, clearance bin IoT products — while undoubtedly a great deal — are likely to receive few (if any) further security patches. After all, it’s in the clearance section for a reason: The device line may have been discontinued, or its manufacturer may even have gone out of business! 

This could lead to scenarios which you’d probably prefer to avoid: Everything from the embarrassing (my IoT coffee pot stopped working), to the annoying (my IoT coffee pot is running slowly because it’s mining cryptocurrency), to the legitimately serious (my IoT coffee pot was part of a botnet attack).

So save the closeout deals for fuzzy sweaters and children’s toys, and make sure any IoT device that you buy is going to receive frequent updates.

Deliveries … and the aftermath

You’ve followed best practices for safe online shopping, you’ve chosen safe gifts, and you’ve finished all of your online shopping. The hardest part is now behind you — but there are one or two more things you’ll want to consider before all is said and done.

Holiday-flavored phishing (part 2)

In addition to the kinds of coupon and discount phishing scams that you need to watch out for around the end of the year, you should also be aware of a special kind of phishing email that preys on the anxieties of people who are still waiting for their orders to be delivered.

Malicious actors will often send out emails that appear to be from a courier or delivery service like FedEx or UPS, or from Amazon or a large chain retail store. These emails will claim that there is some issue with an order — perhaps something to do with availability or shipping. They will also contain malicious links disguised as tracking links, or ask you to provide your account details in order to deal with the “problem” as a way of stealing your credentials. 

Unfortunately, sometimes there are issues with orders and shipments, and you need to know about these — so you can’t just ignore everything that comes from a retailer or shipping company telling you about a problem. While phishing emails often contain dead giveaways like terrible grammar or links that point to odd domains (things that would never come from an actual large company), this isn’t always the case. As with emails offering deals, the best way to deal with order or shipment status emails is to go directly to the site or service in question, without using the provided link. Log in to your account area as you normally would and deal with the problem or track the package there.
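The “odd domains” tell mentioned above (and in the earlier advice about deal emails) can be checked mechanically rather than by eye. The script below is an added example written for this page, not code from SecureMac or the Checklist: it pulls every link out of a constructed sample email body, then flags links whose scheme isn’t HTTPS, whose host is a raw IP address or hides behind a user@ prefix, whose visible text names one site while the link goes to another, or which mention a brand (FedEx, UPS, Amazon) but lead to a registrable domain that brand doesn’t own. The brand-to-domain table and the sample email are assumptions made up for the example, and the “last two labels” domain rule is a simplification; real tooling should use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: brands a shopper expects mail from, mapped to the
# registrable domains those brands actually use. A real list is longer.
EXPECTED_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "amazon": {"amazon.com"},
}

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (example.com). Simplification: real code
    should consult the Public Suffix List so shop.example.co.uk works too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return a list of reasons this link looks like phishing (empty = no tell)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    is_ip = bool(IP_RE.match(host))
    actual = None if is_ip else registrable_domain(host)

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'none'}, not https")
    if "@" in parsed.netloc:
        reasons.append("userinfo before @ hides the real host")
    if is_ip:
        reasons.append("raw IP address instead of a hostname")

    # A brand named anywhere in the link must lead to that brand's own domain.
    haystack = (href + " " + text).lower()
    for brand, domains in EXPECTED_DOMAINS.items():
        if re.search(rf"\b{brand}\b", haystack) and actual not in domains:
            reasons.append(f"mentions {brand} but leads to {actual or host}")

    # Visible text that looks like a URL must point where it says it does.
    shown = urlparse(text if "://" in text else "")
    if shown.hostname and (is_ip or registrable_domain(shown.hostname) != actual):
        reasons.append(f"text shows {shown.hostname} but link goes to {host}")
    return reasons


def audit_email(html):
    """Return [(href, reasons), ...] for every link in the email body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, check_link(href, text)) for href, text in extractor.links]


# Constructed sample: one lookalike host, one genuine link, one IP-based link
# whose visible text impersonates Amazon.
SAMPLE_EMAIL = """
<p>Your FedEx package could not be delivered.</p>
<a href="https://fedex.com.tracking-update.example/track?id=123">Track your package</a>
<a href="https://www.fedex.com/fedextrack/">https://www.fedex.com/fedextrack/</a>
<a href="http://198.51.100.7/amazon/login">https://www.amazon.com/orders</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL):
        verdict = "OK " if not reasons else "BAD"
        print(verdict, href)
        for r in reasons:
            print("     -", r)
```

Even a link that passes every check is only “not obviously fake”; the advice in the text still stands: open the retailer’s or courier’s site yourself and look the order up there.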

Package theft

Assuming you’ve gotten this far, you still have one more hurdle to clear before your gifts are safe and sound and ready for wrapping: the actual delivery.

Alas, nowadays this isn’t as simple as it should be: Package theft is rampant, and doorbell cameras don’t seem to be doing much to deter the thieves.

The best way to avoid losing your order at the very last minute is to set up some sort of safe delivery method well ahead of time. 

Many vendors allow you to require a signature on your delivery, schedule a delivery time, or to set up in-store pickup at a nearby location. Having packages delivered to the office is a reasonable option for some folks as well. Whatever you do, don’t just allow packages to be left on your porch and assume that they will be safe. Unfortunately, many people have learned the hard way that this isn’t the case.

If you shop on Amazon, you can try their Amazon Hub Locker service. Amazon will ship your package to a nearby Hub Locker location and then email you with an arrival notification and pickup code. The lockers are self-service, so you can pick your package up whenever you like, as long as it’s during the location’s normal operating hours and as long as you collect your delivery within 3 days.

One last check

If you’ve done everything on this Checklist, you should be fine. But obviously, there are no absolute guarantees in life, and especially in cybersecurity. That’s why it’s always good to do periodic audits and checkups to make sure nothing has slipped through the cracks.

Once you’re done with your holiday shopping and the gifts are all wrapped, take a moment to double-check your credit card and relevant retail accounts for any sign of suspicious activity. In fact, you might want to take the extra step of performing a full credit check sometime in January to make sure no one has been trying to open accounts in your name.

If you do all of this, you can be reasonably sure that you’ll make it through the shopping season intact — at least for another year.
