Security Tools

Patch Tuesday Lowdown, October 2019 Edition

On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights.

Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.

Also, Adobe has kindly granted us another month’s respite from patching security holes in its Flash Player browser plugin.

Included in this month’s roundup is something Microsoft actually first started shipping in the third week of September, when it released an emergency update to fix a critical Internet Explorer zero-day flaw (CVE-2019-1367) that was being exploited in the wild. Continue reading →

Security Tools — 52 Comments
3
Sep 19

Spam In your Calendar? Here’s What to Do.

Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Here’s a brief primer on what you can do about it.

Image: Reddit

Over the past few weeks, a good number of readers have written in to say they feared their calendar app or email account was hacked after noticing a spammy event had been added to their calendars.

The truth is, all that a spammer needs to add an unwelcome appointment to your calendar is the email address tied to your calendar account. That’s because the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or “free” items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting “yes,” “no,” or “maybe,” as doing so may only serve to guarantee you more calendar spam.

Fortunately, the are a few simple steps you can take that should help minimize this nuisance. To stop events from being automatically added to your Google calendar: Continue reading →

A Little Sunshine / Security Tools — 128 Comments
22
Jul 19

What You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.

Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

–Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

–Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

–Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

Update: The eligibility site is now active, at this link.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so). Continue reading →

Security Tools — 54 Comments
28
Jun 19

Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup.

But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.

This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees’email and documents in Office365.

As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.

KrebsOnSecurity pinged Microsoft this week to inquire whether there was anything the company could be doing to better explain this risk to customers and CSP partners. In response, Microsoft said while its guidance has always been for partners to enable and require multi-factor authentication for all administrators or agent users in the partner tenants, it would soon be making it mandatory. Continue reading →

A Little Sunshine / Ne'er-Do-Well News / Security Tools — 33 Comments
30
May 19

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.” Continue reading →

Security Tools — 59 Comments
11
Apr 19

Android 7.0+ Phones Can Now Double as Google Security Keys

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft.

As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.

The most commonly used Security Keys are inexpensive USB-based devices that offer an alternative approach to 2FA, which requires the user to log in to a Web site using something they know (the password) and something they have (e.g. a one-time token, key fob or mobile device).

But Google said starting this week, any mobile phone running Android 7.0+ (Nougat) can serve the same function as a USB-based security key. Once a user has enrolled their Android phone as a Security Key, the user will need to approve logins via a prompt sent to their phone after submitting their username and password at a Google login page.

Many readers have expressed confusion or skepticism about how Security Keys can prevent users from getting hooked by phishing sites or clever man-in-the-middle attacks. This capability was described in far greater visual detail in this video last year by Christiaan Brand, product manager at Google Cloud.

But the short version is that even if a user who has enrolled a Security Key for authentication tries to log in at a site pretending to be Google, the company’s systems simply refuse to request the Security Key if the user isn’t on an official Google site, and the login attempt fails.

“It puts you in this mode….[in] which is there is no other way to log in apart from the Security Key,” Brand said. “No one can trick you into a downgrade attack, no one can trick you into anything different. You need to provide a security key or you don’t get into your account.”

Google says built-in security keys are available on phones running Android 7.0+ (Nougat) with Google Play Services, enabling existing phones to act as users’ primary 2FA method for work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser. Continue reading →

A Little Sunshine / Security Tools / SIM Swapping — 86 Comments
17
Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites. Continue reading →

A Little Sunshine / Latest Warnings / Security Tools / The Coming Storm — 104 Comments
8
Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, that I should be ready to provide said information if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover then when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said..

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.” Continue reading →

A Little Sunshine / Data Breaches / Security Tools — 82 Comments
1
Dec 18

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised. Continue reading →

Latest Warnings / Security Tools / Web Fraud 2.0 — 70 Comments
23
Nov 18

How to Shop Online Like a Security Pro

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.

Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at huge discount.

I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.

Here are some other safety and security tips to keep in mind when shopping online:

-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.

If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.

No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.

Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.

To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”). But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean the site is legitimate. Nor is it any sort of testimonial that the site has been security-hardened against intrusion from hackers.

The https:// part of the address merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. Even so, anti-phishing company PhishLabs found in a survey last year that more than 80% of respondents believed the green lock indicated that a website was either legitimate and/or safe.

Now that anyone can get SSL certificates for free, phishers and other scammers that ply their trade via fake Web sites are starting to up their game. In December 2017, PhishLabs estimated that a quarter of all phishing Web sites were outfitting their scam pages with SSL certificates to make them appear more trustworthy. According to PhishLabs, roughly half of all phishing sites now feature the padlock. Continue reading →