As the world continues to shift towards online services, retail and even grocery shopping are no exception. The new mantra of the modern consumer seems to be, ‘By the time I get to the store to buy it, it’ll have arrived in the mail.’
With the advent of convenient and cost-effective member services like Amazon Prime that virtually eliminate shipping costs, buying online isn’t just more convenient; in many cases it actually makes more financial sense.
With this abundant surge in the online marketplace though, have come some hurdles to get past, namely with information security.
Every year, more and more data breaches occur as hackers infiltrate connections and servers, stealing thousands of credit card numbers in one fell swoop. On top of issues of company security policies, most consumers give very little thought to the security of their payment information online.
I mean, it’s a legit store, so your information should be safe with them, right? Most of us know the basic rules for keeping our login information safe – use unique passwords, never share the information, and be wary of phishing attempts.
The Reality Check
But when it comes to actually running transactions online with our credit and debit cards, how do we keep that information secure? How do we shop online, make payments over the internet, and still keep those credit card numbers from falling into the wrong hands?
The internet is a vast ocean of information, and trying to monitor and protect our payment information has definitely become an uphill battle. Over the last few years alone, we’ve seen some major retailers get hit with data breaches.
A few months back, we had the data heist of Home Depot – 56 million credit card numbers were stolen by hackers. 56 million. I remember getting the call from my own bank, explaining to me why a new debit card had to be ordered for me.
It was unnerving, to think that I hadn’t even thought about the transaction in weeks, and someone out there was just sauntering off with my personal information.
Other major data breaches have hit across the board, from other retailers like Target to companies that keep an enormous amount of your personal records on file, like health insurance giant Anthem.
What You Can Do
I’m a project person, and this month, I wanted to figure this out – was there anything that could be done on my side of things to keep my payment and personal information safe? With the holiday season already looming, Christmas shopping is just around the corner. I wanted to find out how I could do it without worrying about my debit card information getting stolen again.
In this month’s expert roundup, I put this question to a panel of industry professionals. They come from financial backgrounds, identity theft and fraud prevention, and cyber security, and together, they shared their tips for what you can do to make sure your payment information is never stolen online.
Here’s what we asked them:
What can I do to make online payments with credit and debit cards more secure?
Alan Yu – Business and Finance Blog
Our first professional comes to us from the realm of personal finance. Meet Alan Yu, personal finance and business blogger extraordinaire. He specializes in everyday tips for beginners who want to get savvy with managing their expenses, and in helping budding entrepreneurs find their start.
His blog on personal finance is chock-full of information and posts on topics ranging from spending tips, to scams and fraud alerts. Here’s what he had to say:
“I would say when shopping online don’t just focus on the price, but rather the company’s reputation before handing over things like your credit card number. There are a lot of sites designed simply to steal your information with the lure of cheap prices or free trials.
You should always be vigilant of the old saying where if it looks too good to be true it probably is. As well, using established third party payment processors such as PayPal can aid in making things more secure for you since your credit card or debit details will not be directly provided to the merchant – you are billed through the payment processor instead.”
Bruce Schneier – Schneier on Security
Bruce is a heralded guru in the field of cyber security, having authored several books and academic papers on the subject. His blog has a reader list of over 250,000 people, and he is a familiar face in the industry, frequently appearing as a guest on TV and radio shows.
Bruce is the CTO of Resilient Systems, an incident response platform, and a heralded cryptographer. Here’s what he had to say about online payment security:
“Agitate for better laws and regulations. Really — that’s about it. The insecurities in credit and debit cards have nothing to do with you. They involve the merchants and the banks. They involve the cloud and the network. Your only real choice is whether you use your card or not. Once you use it, the security is largely out of your hands.
On the other hand, that’s really okay. Banks and merchants have gotten sophisticated enough to catch fraud early, and to refund your losses if your card number gets stolen.
There are exceptions, of course, but the insecurities in our payment systems largely don’t affect us. (Use a credit card rather than a debit card if you can — you have better protections.) But if you want the system to be more secure, you need to raise the costs of insecurity within the system. And that points directly to better security rules that banks and merchants need to follow.”
Craig Young – Tripwire: The State of Security
This active contributor to Tripwire is a computer security researcher for their Vulnerabilities and Exposures Research Team. His work in the field has been responsible for disclosing a considerable number of security risks with industry giants like Google, HP, Apple, and Amazon.
If anyone knows how to spot a weak point in a system, it’s Craig.
“Payment card security from a consumer’s perspective is a tricky subject, and no matter what precautions are taken, there is always the possibility for card numbers to be stolen.
As such the first and perhaps most effective countermeasure against fraudulent charges is the vigilant card holder. I recommend checking online card statements on a weekly (or at least monthly) basis and promptly alerting the card issuer of any unrecognized charges.
This is a general best practice for using payment cards but there are also some more specific precautions for eCommerce:
- Avoid using debit cards online, as they do not always provide the same degree of fraud protection as a traditional card.
- Avoid paying through services employing potentially custom payment processing applications. Wherever possible, select to make payments with well-known and presumably trustworthy payment processing services like Amazon, PayPal, and Google Wallet. This is often an option during check-out and allows the vendor to receive payment without directly accessing the consumer’s card data, thereby minimizing points of theft or interception.
- Use a specific credit card for online transactions, and nothing else. By consolidating charges to a particular card it becomes easier to review for and recognize fraudulent activity on the account. Some consumers go so far as to report cards as lost or stolen on a regular basis, such as every quarter or every year. The bank will generally not have a problem with issuing a new card if you report that you may have shopped on a site that has been breached. This greatly reduces the window during which stolen card data is useful to criminals.
- Some banks offer extended authentication processes in which the consumer is redirected to the bank’s web page to confirm their identity with an online banking password before allowing the charge. Check with your card issuer to see if this feature is available and how it works.
- Some banks/cards have begun offering real-time notification of charges. This can include notifications in a variety of situations such as card not present (online/phone) transactions, purchases exceeding a fixed amount, or other criteria, with notifications generally being available via SMS, e-mail, or even notification directly on a smartphone or smartwatch. In some circumstances, a credit transaction can even require confirmation via a mobile app before the charge is approved.”
Dave Whitelegg – IT Security Expert Blog
With over a decade of information security experience, this next industry expert is particularly well versed in the problems facing digital consumers. He’s worked with a little bit of everything, taking his expertise to military, retail, and banking institutions.
Dave’s blog covers recent security topics, and dishes out information in a way that the everyday reader can make sense of. Here he explains what we can do on our side of things as online shoppers to protect ourselves.
“Security is an endless game of cat and mouse, with the good guys trying to keep a step ahead of the bad guys.
The payment card (i.e. credit & debit cards) security industry is no different; however, the payment card issuers (i.e. card brands and banks) have stood still for far too long, allowing cyber criminals to take advantage of generally weak payment card security.
For instance, all the plastic in your wallet still has a magnetic strip on the back – the payment card data can be easily read from it using a £10 reader. This is a piece of technology from the 1970s which has never evolved.
Chip & Pin (EMV), a ‘two-factor authentication’ system, has proven to be an effective way of drastically cutting ‘cardholder present’ fraud in Europe, yet the USA still drags its heels in adopting it. Card issuers have chosen to ignore adding two-factor authentication for ‘cardholder not present’ transactions (i.e. web and phone payments), yet the technology to display unique one-time codes on the back of payment cards – thus proving the cardholder is in possession of the physical card, not its stolen details – has been available for almost a decade.
Instead of innovating their security, the card issuers have decided to pass the cost of fraud and security onto the merchants and payment processors through mandating the Payment Card Industry Data Security Standard (PCI DSS). If the payment card industry chose to provide two-factor authentication for both cardholder not present and cardholder present transactions, there would be no need for anyone to protect payment card numbers, and there would be no reason for PCI DSS.”
Dr. Chase Cunningham – The Armor Blog
Dr. Cunningham is the Head of Threat Research and Development for Armor, a company specializing in cyber security and cloud services for businesses. Chase has an extensive and diverse background in the industry, including previous work with the US Joint Cryptologic Analysis Course in Pensacola.
His primary role with Armor is to analyze cybercriminal tactics, and evolve and innovate new techniques for handling them. Chase is also the co-author of the children’s comic series, The Cynja – a project designed to get kids mindful and thinking about their online privacy earlier in life.
“If you are speaking from the consumer point of view, then in reality the only thing you can do is make sure you visit sites that are validated and have at least some form of multi factor authentication combined with up to date SSL certificates and encryption. Really that is about it.
If you are looking from the provider side, the guys who are taking your payments, there is a lot they can do. They should be PCI compliant. They should have up to date patches on their systems, and they should have tested and vetted infrastructure through attack simulations that mirror the threat actors’ activities.”
Eric Knapp – Security Week
Our next expert is the Director of Cyber Security Solutions and Technology for Honeywell, a conglomerate company involved with everything from security systems to aerospace engineering. He’s also the Chief Technical Advisor for the Industrial Cyber Security Center.
He’s a well-known expert in his field, the author of two books, and a mover and a shaker. Eric is constantly pushing the envelope, striving to get industries to adopt new security innovations and strengthen their systems against threats. Here’s his two cents on the subject of online payment security:
“To me, one of the best changes we could make to online payment security is to stop forcing users to offer up private personal information as ‘security questions.’
Most banks in particular ask for my mother’s maiden name, my first pet’s name, my favorite color, etc. — all stuff that I can find out about someone after a short visit to Facebook — and they consider the answers ‘proof’ that I’m me.
Because almost every site uses the same questions (or worse, all of them) it means the user either has to put him or herself at risk, or lie. Truthful responses put you at risk because the answers are easily guessable (or obtainable) and used consistently across all accounts. That sounds like bad password management to me, only these ‘identifiers’ are used with such authority that you can reset accounts with them.
For the second option (lying) the user is forced to remember what are basically additional passwords. I’m not sure what the right answer is, but forcing people to put private personal information online in some misguided attempt at security is a bad idea.”
Heather Dahl – The Cynja
Heather is the co-author and CEO of the cybersecurity comic book, The Cynja. Her blog and books aim to promote cybersecurity awareness in younger users, educating while engaging them with vibrant art and content.
Formerly, Heather was the Director of Global Analyst Relations at Neustar, a company specializing in technology and telecommunication information services. Before that, she was even a Senior Producer with Fox News Channel, and did similar work with C-SPAN, NPR, and PBS.
“The availability of readily available public Wi-Fi connections is pretty awesome! It means freedom, speed, convenience and multi-tasking at its best. Having the ability to read the news while waiting in line for coffee—brilliant!
But the downside to this digital blessing is cyber criminals have caught on to the beauty of Wi-Fi and look to intercept data, including online payments with credit and debit cards from shared hotspots. Public Wi-Fi networks make it easy for everyone to connect.
As a result many security and encryption protections are disabled, allowing your data to travel unprotected. All a miscreant has to do is intercept your signal and—bingo—everything you’ve just transmitted, like your credit/debit card number, expiration date and CVV, is captured.
Don’t conduct financial transactions from unknown networks. Just wait to do your banking and shopping from a Wi-Fi you can truly trust. But believe me, I know that’s not always possible. For those situations, I have a credit card with a very low credit limit and that’s the only card I use on public Wi-Fi networks hosted by the businesses I frequent, like retail stores and coffee shops.”
Jeff Bertolucci – Kiplinger’s Personal Finance
Our next insider opinion comes from Jeff Bertolucci, a tech journalist who has made his mark on several sites concerning information security, including InformationWeek, Dark Reading, The Saturday Evening Post, and Kiplinger’s Personal Finance Blog.
Though his work has primarily covered financial topics, the content he has created and the research behind it have given him perspective on the problems confronting consumers.
“Well, I’m no security expert, but I do know that credit cards are safer for online shopping than debit cards. As you probably know, legal protections limit your liability with a credit card to $50 — even if a hacker runs up hundreds or thousands of dollars in charges.
That’s not the case with a debit card, where you may be on the hook for hundreds of dollars or more. So my advice: Use your credit card for online shopping, and save your debit card for the physical world.”
Lance Cottrell – The Privacy Blog
Lance is the founder of the security company Anonymizer, and has continued to evolve the company’s strategies as security threats grow and change. As Chief Scientist, his primary role is to make sure the company keeps abreast of security threats.
Lance holds an MS and BS in physics, and is a frequent speaker at conferences, as well as a noted expert in his field. He has also authored several internet security patents, during his work on his PhD in physics in the early 90s. He had similar advice to Jeff Bertolucci’s.
“The single most important thing is to use credit cards and not debit cards. No matter how the attacker gets access to the card numbers, with credit cards the damage is limited to $50, and usually is zero, while with debit cards there is typically no limit to the losses up to the total balance in your bank account.
Keeping your computer secure and using a VPN for public networks can help, but they pale in impact compared to avoiding debit cards.”
Lance Spitzner – SANS Institute Security Awareness Blog
Lance Spitzner is a certified instructor for the SANS Institute, an American company specializing in cybersecurity training. He’s worked with companies small and large all over the world, educating employees on how to improve the security of their systems.
He’s the author of several books and papers, and founder of the Honeypot Project – a non-profit security research organization that provides information on security threats to the general public at no cost.
“My focus is on people. To make credit cards more secure, we have to make security controls simpler (I do not consider debit cards an option). The whole chip thing helps tremendously, but to be honest I’m a fan of Apple Pay as it takes things one step farther with biometrics. To be honest, from a user perspective, I don’t see how we can do much better with Chip/Apple Pay. After that it becomes a back-end technology issue.”
Lysa Myers – We Live Security
Lysa is a security researcher with We Live Security, an internet security blog, where she uses her 15 years of experience to contribute insight into current stories and topics.
Her motto for cybersecurity? “An ounce of prevention is worth a pound of cure.” Here’s what she had to say about the challenges of online credit and debit card payment security.
“From a practical perspective, there are a couple things people can do to improve security of online payments:
- Don’t make your online payments on Public Wi-Fi. You never know who’s sharing that coffee shop’s network connection with you, or what their intentions might be. It’s best to wait to make that payment when you’re at home, on your own (hopefully well secured) network.
- If you must, use the cellular network. Sometimes emergencies happen. If you forgot to make a payment while you’re at home and you absolutely, positively need to do it right away, it’s preferable to use the cellular network (e.g. 3G, 4G, or LTE).
- If you need to use your laptop rather than your phone, you may be able to tether your cellphone and use it as your modem.
- The “wave of the future” for online payments is two different techniques:
  - Tokenized payment systems like Apple Pay, Google Wallet and CurrentC. If you’ve ever used 2-Factor Authentication, you’ve got a good idea of what this entails. For each transaction, a “token” is created which is unique and only works for a very brief window of time.
  - Sites which make a secure connection to your bank’s website. This sort of eliminates the middle-man for the payment, making it more difficult for attackers by requiring them to have significantly more information to successfully create a fraudulent charge.
While these technologies are already available, and already in common use in other countries, they’re not yet widely available in the US. But these things are showing great promise, and I would highly recommend people started talking with their financial institutions about them.”
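Lysa’s description of tokenized payments (a per-transaction token that is unique and valid only for a brief window) can be made concrete with a toy issuer-side token service that mints a token at checkout and later redeems it once, rejecting replays, expiry and tampering. This is an added example, not code from the original post or from Apple Pay, Google Wallet or CurrentC; it assumes a hypothetical TokenIssuer class, a constructed issuer key and a constructed test card number, and real EMV tokenization is considerably more involved.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration values; a real issuer keeps its key in an HSM.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"
TOKEN_TTL_SECONDS = 60


class TokenIssuer:
    """Hypothetical issuer/token service.

    The merchant never receives the card number (PAN); it only forwards
    the token, and the issuer resolves the token back to the PAN.
    """

    def __init__(self, key=ISSUER_KEY, ttl=TOKEN_TTL_SECONDS):
        self.key = key
        self.ttl = ttl
        self.vault = {}        # token_id -> PAN, issuer side only
        self.redeemed = set()  # token_ids that have already been spent

    def _mac(self, token_id, merchant, amount_cents, expires):
        msg = f"{token_id}|{merchant}|{amount_cents}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def mint(self, pan, merchant, amount_cents, now=None):
        """Called by the cardholder's wallet at checkout for one purchase."""
        now = int(time.time()) if now is None else now
        token_id = secrets.token_hex(16)
        expires = now + self.ttl
        self.vault[token_id] = pan
        mac = self._mac(token_id, merchant, amount_cents, expires)
        # The token carries no card data, only the binding and its MAC.
        return f"{token_id}|{merchant}|{amount_cents}|{expires}|{mac}"

    def redeem(self, token, merchant, amount_cents, now=None):
        """Called when the merchant presents the token for authorization.

        Returns (approved, reason, pan_last4); the full PAN is never returned.
        """
        now = int(time.time()) if now is None else now
        try:
            token_id, bound_merchant, bound_amount, expires, mac = token.split("|")
            bound_amount, expires = int(bound_amount), int(expires)
        except ValueError:
            return False, "malformed", None
        # Check the MAC first (constant time) so any tampered field fails closed.
        expected = self._mac(token_id, bound_merchant, bound_amount, expires)
        if not hmac.compare_digest(mac, expected):
            return False, "bad_mac", None
        if bound_merchant != merchant or bound_amount != amount_cents:
            return False, "binding_mismatch", None
        if now > expires:
            return False, "expired", None
        if token_id in self.redeemed:
            return False, "replayed", None
        pan = self.vault.get(token_id)
        if pan is None:
            return False, "unknown_token", None
        self.redeemed.add(token_id)
        return True, "approved", pan[-4:]


def demo():
    """Walk one checkout and the failure modes; returns the decision reasons."""
    issuer = TokenIssuer()
    pan = "4111111111111111"  # constructed test card number
    tok = issuer.mint(pan, "shop.example", 4999, now=1000)
    results = [
        issuer.redeem(tok, "shop.example", 4999, now=1010)[1],   # approved
        issuer.redeem(tok, "shop.example", 4999, now=1011)[1],   # replayed
        issuer.redeem(tok, "other.example", 4999, now=1010)[1],  # binding_mismatch
        issuer.redeem(tok, "shop.example", 4999, now=2000)[1],   # expired
        issuer.redeem(tok.replace("|4999|", "|1|"), "shop.example", 1, now=1010)[1],
    ]
    return results


if __name__ == "__main__":
    print(demo())
```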
Melanie Medina – Identity Force
Sr. Director of Digital Marketing at IdentityForce – Melanie is a native of Bolivia who lives in Boston with her husband, and she always makes time to travel, jog, read, and play backgammon.
Fueled by copious amounts of coffee, Melanie stays on top of her to-do list while also keeping abreast of identity theft issues. Serious data breaches are happening all the time in the U.S. and Melanie loves being part of a solution that brings peace of mind to families across the country.
“To make online payments with credit and debit cards more secure, there are several things you can consider, including the following tips:
- For extra protection against having your card number stolen, use one-time credit card numbers that you can set up with your card provider.
- Set up alerts so you are promptly notified of transactions that may be fraudulent, such as card not present or transactions over a certain amount.
- Be sure anytime you make an online purchase you buy from a secure website that has a current SSL certificate and displays a lock in the address bar.
- You can also use PayPal, which is a service that enables you to make a purchase without revealing your financial details.”
Neira Jones – Security Blog
Neira has the perfect combination of experience and expertise in both the financial and security sectors. She’s both a director for security firm Cognosec, and a payments innovator for Payment Gateway. She sits on several advisory boards, and is frequently called upon for her expert opinion on issues of cyber security and electronic payments.
Here she gives a beginner’s approach to online payment security, with years of real world experience to back up the importance of these precautions.
“As we take advantage of sales, let’s not forget to stay safe when shopping online:
1) Never make payments or shop online using public Wi-Fi; more often than not, these free offerings are vulnerable and you risk getting your personal and financial information stolen.
2) Use multi-factor authentication where available. That extra layer of security may save you a lot of heartache (and money). If multi-factor authentication is not available, make sure you use strong passwords, and never, EVER, use the same password for different accounts.
3) Beware of emails purporting to be from your bank or other payments institutions, such as PayPal, asking you to click on links to disclose personal details. These organizations would never ask you to do this via email, and email phishing can look very convincing nowadays.
4) If you use a smartphone, make sure you only download apps from approved app stores. Untrusted apps can contain malware that would harvest your credentials, especially if you shop online using your phone.
5) Finally, make sure your devices are protected and keep your anti-virus software up-to-date.”
Raj Samani – Net Security
Raj is CEO and VP for Intel Security in Europe, Asia, Africa, and the Middle East. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor, and is an advisor for several other security councils.
A noted expert in the field, Raj has also authored the book ‘Applied Cyber Security and the Smart Grid’, and is a frequent contributor to McAfee’s blog as well.
“Much of the fraud for online payments happens because the systems people use are infected. This means that criminals capture credentials typed in when ordering, or checking their online balances.
We can discuss the need for better security on these systems, but what would be a better approach is to use stronger levels of verification. For example, a hardware root of trust (e.g. I know it’s you because we have used your face for authentication, but also this is definitely your device).”
Ron Woerner – Cyber Security Center
With over 25 years of experience in IT and cybersecurity, Ron Woerner is extremely qualified to take on the question of making secure payments online. He’s currently the director of Cyber Security Studies at Bellevue University, and has a long list of awards and certifications under his belt, along with both a BS and an MS.
Here were his thoughts on the subject:
“Be careful when using public Wi-Fi. It’s a great convenience that so many places allow us to connect to the Internet using their free Wi-Fi. Keep in mind though that it’s like yelling in public; it’s not secret.
Malicious hackers can “sniff” the airwaves and steal your information. I don’t recommend using public Wi-Fi for anything sensitive. Use strong passwords and keep them safe. Passwords are our keys to our identity and personal data. Choose and use them wisely.
Don’t use the same password for all websites. That’s the same as having the same key for your house, car, office, safe, etc. Use different passwords, especially for sensitive areas like your financial institutions. Microsoft has a good, online password checker to help you select strong passwords.”
Sanjay Katkar – QuickHeal Blog
Sanjay is the Managing Director and CTO of QuickHeal, an IT security solutions provider. He’s received several awards for his work in the field, and holds both a bachelor’s and master’s degree in computer science.
“Don’t trust public Wi-Fi and avoid doing online payments on public Wi-Fi. Make sure you have registered your debit card or credit card for MasterCard SecureCode, or Verified by Visa services. This gives you an extra layer of security. It will be good to use the services from the bank/card provider who provides multi-factor authentication for every transaction, like the OTP over your mobile phone or email.”
Xavier Mertens – \dev\random
Xavier Mertens is a freelance security consultant. His job focuses mainly on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, log management, SIEM, security visualisation). Xavier holds several certifications (GCIH, CISSP, CISA, CEH). In parallel to his daily job, Xavier is a SANS ISC handler, a security blogger, and co-organizer of the BruCON security conference.
“From a customer perspective, rely only on well-known e-commerce sites. Do not use your CC details on sites that you don’t know. If possible, do not use your CC but use an external service like PayPal.
Alternatively, you can use a prepaid CC for your online shopping sessions. You can also generate unique CC numbers for specific transactions (disposable CC numbers).
From a website owner perspective, do not reinvent the wheel. Managing online payment from A to Z is hard. Do not hesitate to outsource the transactions to a strong partner. This will prevent you from storing CC and payment details in your infrastructure. In Europe, the Chip & Pin system has been fully available for a while. CC transactions are validated by the bank which emitted the card, and the user must use a hardware token to sign the transaction.
If you really need to handle the transaction from A to Z, you can aim to become PCI-DSS certified. About the website itself, keep it simple and easy to maintain. Log everything and implement multiple controls to detect suspicious activity. Store only the minimum required information about your customers!
At database level, encrypt everything.”