It’s around the corner and South African consumers are frantically making their wishlists: another Black Friday, when – for once – the rule that says, ‘If it looks too good to be true, it probably is too good to be true’ just might not hold. Black Friday, after all, represents the silliest day of shopping’s end-of-year ‘silly season’.
At the same time, though, while it is true that you can genuinely bag unbelievable bargains, online consumers are still urged to beware of scams, because cybercriminals are also gearing up for this bumper shopping mini-season. They, however, are ‘shopping’ in a different way – for your identity and your personal data.
So says Stefan van de Giessen, General Manager: Cybersecurity at value-added distributor Networks Unlimited Africa. “Black Friday shoppers really need to protect themselves and beware of potential scams,” he advises, “because cybercriminals are also looking to take advantage of one of the busiest online shopping periods of the year.
“At the same time, this is one of the few days of the year when too-good-to-be-true bargains might, in fact, just be the real deal! And so there are a number of best-practice scenarios that need to be considered, both from a consumer perspective as well as from those who are offering e-commerce sites.”
Advice for consumers
Van de Giessen says consumers should look for certain credentials when they are buying from online sites. “A reputable site will be enabled by reputable companies such as PayFast, Visa, American Express and so on. Look out for these icons on the website. It’s important to be very vigilant about the payment gateway to ensure that it is secured by a provider of good standing. It’s also a good idea to create a separate e-mail address when signing up for Black Friday alerts, rather than using your work or personal e-mail. If possible, you can also use a separate credit card for online purchases to limit your losses if you are attacked.
“Another important point to consider is whether the online experience offers two-factor authentication – a security process in which the user provides two different authentication factors to verify themselves, and in this way better protects both their credentials as well as the resources the user can access. If two-factor authentication isn’t offered, flag this online transaction opportunity. Similarly, if you are sent an e-mail for payment, don’t reply if the e-mail looks suspicious.”
Other tips for the consumer to consider include the following:
· Shop on trusted sites and go straight to the retailer’s website instead of clicking on links. A link embedded in an e-mail or text message could be false, and take you to a phishing site where your credentials – username, password, payment details – will be stolen.
· Secure important accounts with strong passwords and two-factor authentication – the latter makes it harder (although not impossible) for criminals to use your username and password against you if your credentials have previously been stolen.
· Stay up-to-date with the latest software and app updates.
· Try not to create new accounts if possible, unless you plan on using the site a lot in the future.
· Don’t share too much information about yourself online – hackers and phishers can use this information to breach your systems.
· Look out for spelling errors in e-mails – they often indicate fraudulent sources.
· Check the sender’s e-mail address – a reputable e-commerce vendor won’t send you an e-mail from a Gmail account, for example, they will use their own domain.
· Keep an eye on your bank and credit card systems and remain vigilant against any unexpected payments.
· To make sure that attackers can’t break into your personal network via insecure IoT devices, make sure that you secure your smart gadgets.
Van de Giessen advises that a recent trend from hackers is the abuse of SSL certificates in phishing attacks. Secure Sockets Layer (SSL) is a protocol, and an SSL certificate is what lets a website use it so that hackers cannot intercept the information a user enters on that website through their browser.
“The icon of the padlock on a website is a third-party verification that a site is secure,” he explains, “and Google’s algorithms tend to indicate websites without an SSL certificate as being insecure. Hypertext Transfer Protocol Secure (HTTPS) for accessing websites – compared to the more basic HTTP, which is the plain text version – makes use of Transport Layer Security (TLS) or SSL certificates to encrypt traffic between web servers and clients. However, hackers are making use of the SSL certificates on their own websites, in an attempt to make their fake websites look authentic.
“Earlier this year, the FBI issued an alert warning that the sight of the HTTPS and a padlock icon in the address bar did not necessarily prove the authenticity of a website, and that phishers were more frequently incorporating website certificates of their own when sending their potential victims e-mails that were imitating trustworthy companies or e-mail contacts. In other words, they are being lured to a malicious website that looks secure. From a consumer perspective, it is important to be aware of overly long URLs that re-direct to strange-looking domain names – look for red flags and be vigilant about typing in the name of the e-commerce provider you want, directly into the browser.”
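As an added illustration (not part of the article or of Networks Unlimited Africa’s material), the following Python check applies the advice above: it treats the link’s hostname, not the padlock or the HTTPS prefix, as the thing to verify, and it also applies the sender-address tip to e-mail addresses. The retailer domains and sample links are constructed placeholders.

```python
"""Added example: why the padlock alone proves nothing about who owns a site.

A valid certificate only tells you the connection is encrypted; it says nothing
about whether the host is the retailer you meant to visit. So the check below
looks at the registrable host and at the URL shape, never at HTTPS as a reason
to trust. Domains and links are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the retailer and payment domains the shopper really uses.
TRUSTED_DOMAINS = {"example-shop.co.za", "example-pay.co.za"}


def is_trusted_host(host: str) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    The comparison is on the suffix, so 'example-shop.co.za.deals-login.net'
    does not match: its registrable part is 'deals-login.net'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_link(url: str) -> dict:
    """Return the real host of a link and the red flags it raises."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("plain HTTP: traffic is not encrypted")
    if "@" in parts.netloc:
        # 'https://example-shop.co.za@deals-login.net' goes to deals-login.net
        flags.append("userinfo before the host: the real host is after '@'")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode host: possible lookalike characters")
    if len(url) > 100:
        flags.append("overly long URL")
    trusted = is_trusted_host(host)
    if not trusted:
        flags.append(f"host {host!r} is not one of your trusted retailers")
    return {"host": host, "trusted": trusted, "flags": flags}


def sender_is_trusted(address: str) -> bool:
    """E-mail counterpart: a retailer mails from its own domain, not webmail."""
    if "@" not in address:
        return False
    return is_trusted_host(address.rsplit("@", 1)[1])
```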
Advice for e-commerce providers
“Online shopping is an important facilitator of the economy today,” says Van de Giessen. “But its growth for both e-retailers and consumers is also dependent on the security, convenience and trust that every transaction offers. This means that a strong threat management strategy is essential for successful e-commerce. There are various parameters that e-commerce providers need to be aware of, and which Networks Unlimited Africa is able to facilitate.
“For example, e-commerce providers are handling people’s sensitive data, so they need to have Payment Card Industry (PCI) compliance – this refers to the technical and operational standards that a business must follow to ensure that credit card data provided by cardholders is protected and kept private and secure.
“An e-commerce provider also needs to have a secure e-mail gateway in place, with anti-spam and anti-virus protection, and other advanced protection on your mail system. It is also essential to have web application load balancing, meaning the process of distributing network traffic across multiple servers, to ensure that no single server bears too much demand, and in this way make sure that your system is capable of handling the traffic and enable the e-commerce transactions taking place.”
Van de Giessen adds that e-commerce providers should mandate that customers use strong passwords to help mitigate risk. “Your website developer can set a minimum length for all user passwords, and also offer suggestions on how users can create stronger passwords. And finally, it goes without saying that an e-commerce provider should regularly check for and install system updates.”
“Being an e-commerce merchant today can certainly bring business rewards,” says Van de Giessen, “but not without carrying out serious security precautions, for the sake of both the business as well as its customers – as well as ensuring your customers’ trust, of course. It’s also important to remember that threats are always evolving, and so staying on top of your cybersecurity needs is an ongoing process, and professional assistance is very necessary.
“On the consumer side, it’s also important for employers to carry out regular security awareness training to empower their employees to better spot potential cyberthreats and not unwittingly give up their data,” he continues. “During high-risk periods such as Black Friday, unaware users – perhaps via their work e-mail addresses – could expose an organisation to unwanted cyber risk. At these times, it’s even more important for a company to make sure it has introduced effective, modern training techniques, as well as next-generation security measures on the actual network,” he concludes.