Buyer beware: How to secure your online purchases this Cyber Monday
Over a quarter of UK and US-based shoppers would proceed with an online bargain purchase without first checking if the website is secure.
The mania of Cyber Monday is now just days away and the British public is gearing up to spend an estimated £600 million on online bargain purchases. Coupled with online sales in the US, which are expected to reach $3 billion on Cyber Monday alone, November 30th is set to become one of the largest single days for online sales in history.
A survey conducted by Opinion Matters on behalf of WhiteHat Security, the application security company, found that more than a quarter of UK and US-based online shoppers would proceed with a bargain purchase without first checking if the website is secure. The survey also revealed that shoppers in the US are more likely to put themselves at risk than those in the UK, with more than a third of US-based respondents admitting that they wouldn’t check the website’s security before purchasing. This is particularly worrying given that more than half of shoppers are expecting to use their credit or debit card to purchase goods this Black Friday weekend.
The consumer survey also found that a third of UK and US-based shoppers are not sure, or definitely do not know, how to identify if a website is secure.
Of course, the retailers themselves have a big part to play in website security. Threat researchers from WhiteHat Security analysed retail websites between July and September 2015 and found that they are more likely to exhibit serious vulnerabilities compared to other industries. The most commonly occurring critical vulnerability classes for the retail industry were:
- Insufficient Transport Layer Protection (with 64 percent likelihood): When applications do not take measures to authenticate, encrypt, and protect sensitive network traffic, data such as payment card details and personal information can be left exposed and attackers may intercept and view the information.
- Cross Site Scripting (with 57 percent likelihood): Attackers can use a vulnerable website as a vehicle to deliver malicious instructions to a victim’s browser. This can lead to further attacks such as keylogging, impersonating the user, phishing and identity theft.
- Information Leakage (with 54 percent likelihood): Insecure applications may reveal sensitive data that can be used by an attacker to exploit the target web application, its hosting network, or its users.
- Brute Force (with 38 percent likelihood): Most commonly targeting log-in credentials, brute force attacks can also be used to retrieve the session identifier of another user, enabling the attacker to retrieve personal information and perform actions on behalf of the user.
- Cross Site Request Forgery (with 29 percent likelihood): Using social engineering (such as sending a link via email or chat), attackers can trick users into submitting a request, such as transferring funds or changing their email address or password.
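As an added illustration (not part of the WhiteHat research or its tooling), the sketch below shows how a site owner might check one HTTP response for missing mitigations tied to four of the classes listed above. The URLs, header values and the function name `audit_response` are constructed for this example; brute force is left out because it cannot be judged from response headers.

```python
import re
from urllib.parse import urlsplit

TLP = "Insufficient Transport Layer Protection"
XSS = "Cross Site Scripting"
LEAK = "Information Leakage"
CSRF = "Cross Site Request Forgery"

def audit_response(url, headers):
    """Return sorted (class, finding) pairs; headers is a list of (name, value)."""
    findings = set()
    names = {name.lower() for name, _ in headers}
    if urlsplit(url).scheme != "https":
        findings.add((TLP, "page served over plain HTTP"))
    elif "strict-transport-security" not in names:
        findings.add((TLP, "no Strict-Transport-Security header"))
    if "content-security-policy" not in names:
        findings.add((XSS, "no Content-Security-Policy header"))
    for name, value in headers:
        lname = name.lower()
        # Banner headers that carry a version number help an attacker profile the stack.
        if lname in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.add((LEAK, f"{name} discloses a version"))
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            # Secure keeps the cookie off plain HTTP, HttpOnly hides it from
            # scripts, SameSite limits cross-site requests that carry it.
            for attr, cls in (("secure", TLP), ("httponly", XSS), ("samesite", CSRF)):
                if attr not in attrs:
                    findings.add((cls, f"cookie {cookie} lacks {attr}"))
    return sorted(findings)

# Constructed sample responses (not captured from any real site).
WEAK_URL = "http://shop.example/checkout"
WEAK_HEADERS = [
    ("Server", "Apache/2.4.7"),
    ("X-Powered-By", "PHP/5.5.9"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARD_URL = "https://shop.example/checkout"
HARD_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Server", "nginx"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cls, finding in audit_response(WEAK_URL, WEAK_HEADERS):
        print(f"{cls}: {finding}")
```

A clean result only means these particular headers are present; it does not show that the application is free of the underlying flaws.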
Jeremiah Grossman, Founder at WhiteHat Security, commented:
“This research suggests that when it comes to website security awareness, not only is there still some way to go on the part of the consumer, but the retailers themselves could benefit from re-assessing their security measures, particularly when considering the volume and nature of customer information that will pass through their websites this Cyber Monday.”
According to Grossman, there are a few simple tricks that can help shoppers stay safe online over the next few days:
- Look out for ‘HTTPS’ when browsing: HTTP – the letters that show up in front of the URL when browsing online – indicates that the web page is using a non-secure way of transmitting data. Data can be intercepted and read at any point between the computer and the website. HTTPS on the other hand means that all the data being transmitted is encrypted. Look out for the HTTPS coloured in either green or red and a lock icon.
- Install a modern web browser and keep it up to date: Most people are already using one of the well known web browsers, but it is also very important that they are kept up to date with the latest security patches.
- Be wary of public WiFi: While connecting to free WiFi networks seems like a good idea, it can be extremely dangerous as it has become relatively easy for attackers to set up WiFi hotspots to spy on traffic going back and forth between users and websites. Never trust a WiFi network and avoid banking, purchasing or sensitive transactions while connected to public WiFi.
- Go direct to the website: There will be plenty of ‘big discount’ emails around over the next few days that will entice shoppers to websites for bargain purchases. Shoppers should make sure that they go direct to the site from their web browser, rather than clicking through the email.
- Make your passwords hard to guess: Most people wouldn’t have the same key for their car, home, office etc., and for the same reason, it makes sense to have hard-to-guess, unique passwords for online accounts.
- Install ad blocking extensions: Malicious software often infects computers through viewing or clicking on online advertisements, so it is not a bad idea to install an ad blocking extension that either allows users to surf the web without ads, or completely blocks the invisible trackers that ads use to build profiles of online habits.
- Stick to the apps you trust: When making purchases on a smartphone, shoppers are much better off sticking to apps from companies they know and trust, rather than relying on mobile browsers and email.
WhiteHat Security offers WhiteHat Sentinel, a security-as-a-service platform that enables businesses to develop secure software. All vulnerabilities reported by the Sentinel scanner are verified by the company’s Threat Research Center (TRC), an elite team of the industry’s top security experts, using customised tests and algorithms, delivering near zero false positives. This combination of technology and human expertise is unique in the application security market, and results in an unparalleled level of accuracy.
For more information on the most prevalent vulnerabilities, download the 2015 Website Security Statistics Report, or sign up for a free website security risk assessment.