There’s no two ways about it: the holidays are a crazy time of year, especially for shoppers. And whether you’re scouring the stores for the best deal on the year’s hottest toy or surfing the Web for deals in your pajamas, chances are you’re more focused on frugality than security.
And that, my friends, is exactly what identity thieves are counting on, according to LifeLock chairman and CEO Todd Davis. Davis sat down with me for a brief conversation about what kinds of fraud holiday shoppers should be wary of and how they should protect themselves.
Below is an edited version of our conversation.
Why are the holidays such a vulnerable time for this sort of crime?
Your credit card companies have an algorithm in place to detect fraud based on what works for you and how you shop. They look for unusual patterns, so they know if they need to touch base and make sure there’s no fraud. But they have to edit those algorithms during the holiday season because otherwise everything would grind to a halt. You may buy two or three iPods for gifts, or an iPad — purchases that would normally trigger these things. But at the holiday season, big purchases aren’t unusual. People are buying electronics, plasma TVs, gift cards...and criminals know that. They know that this is their best chance to go undetected, take your information and monetize it.
What information do they want and why?
If I’m a criminal, I normally want to do one of three things with your information. I can sell your information to other people, for one. There’s essentially an eBay of personal information out there, forums where people are selling this kind of data and trying to buy blocks of identities to sell to other criminals. All they’re doing is selling a copy of information they have on you. I could also apply for a new credit card or new services posing as you if I can take your financial information. Or I can use the card number until you catch on to the fact that I’m using it, and you shut it down. That’s normally the most painless type of fraud, since if you catch it within 30 days, the banks can’t hold you accountable for more than $50 of charges. Then again, criminals know that you’re probably not going to notice that extra charge at Best Buy or whatever during the holidays.
How do they get this information?
There are a couple of ways. For one, during the holidays, the people working in the malls, in the stores, are often temporary employees, and so they may be more motivated to do these kinds of things. They could be skimming your card information: there are devices I could hold in my apron at the register or wherever, and when you hand me the credit card, I can swipe it on my skimming device. I’m still processing the transaction as normal, but I’m also keeping a copy.
Or we see people modifying the devices at the point of sale, where they will attach the skimming device with a Bluetooth unit on it, so that when it runs the card it also is storing a snapshot of the magnetic strip. Then, people can download hundreds to thousands of cards at a time from these stored devices.
You also see people doing phishing or spear phishing campaigns that are targeted toward individuals, which can be especially bad around this time of year. Sometimes it’ll be an e-mail card, or it looks like an invitation or a happy holidays card, and they can embed viruses that can keylog or otherwise infect your computer. Or, and this is really despicable, they’ll send out fake charity e-mails that will direct you to a site to donate “just five dollars” or whatever to an organization, and they will collect credit information from there. At this time of year, we’ll see people opening cards from people they wouldn’t have opened before because the subject line will say something like “Happy Holidays.”
It’s the time of year: people are moving fast, feeling more generous. Credit card companies aren’t paying as much attention, stores aren’t paying as much attention, and you’re not paying as much attention.
How can people protect themselves?
You’ve got to be extra careful. I recommend to folks that they use their credit cards and not their debit cards. You want to make sure that criminals can’t get access to other accounts. That way, if you’re compromised, they won’t have direct access to your funds — restoring that can take a long time. I also say that maybe people could go get a gift card ahead of time and use that to get goods at the stores. Even at retail stores, don’t just swipe at the standalone machine, hand your card to the clerk. It’s much harder for criminals to get access to the cash register, as opposed to the consumer-facing machine.
When shopping online, think about whether you went to their site or if things came to you. Be particularly aware of pop-ups or deals that seem too good to be true. And when sites are asking for payment information, look for “https” in the address bar and look for the lock in the corner. Also, be careful on public wifi networks. It’s easy for criminals to do a man-in-the-middle attack on those networks, to pop into the middle as you think you’re going to a retail Web site and actually take you through a criminal gateway. If you’re at Starbucks, don’t be checking personal account information at your bank, or even using social networking or e-mail because people typically use the same log-in on all their accounts. If I’m a criminal, I can take those credentials and try it at the Wells Fargo, Chase, or Bank of America Web sites until I find a match.
What about mobile security?
We’re still seeing this as a burgeoning industry, that is, malware on mobile devices. It’s not at epidemic proportions, but we haven’t seen this level of activity in the past before. Apply the same rules as online shopping, and also know that if you have Bluetooth enabled, realize that anyone else with a Bluetooth in close proximity can connect to that device and potentially take information from it.
Also, have your password or passcode enabled. Criminals are looking for the path of least resistance, and if you don’t have that code on, there’s nothing stopping me from getting the key information I want from your phone.
Overall, just be a little more conscious. Do shop online, use the technology around you. You can still shop, just take these steps and protect your information.
If you put roadblocks in their way, they’ll move on to other people.