Consumers must ensure that the payment gateway is secure, while a strong threat management strategy is essential for successful e-commerce providers.
It’s around the corner, and South African consumers are frantically compiling their wish lists: another Black Friday when, for once, the rule that says, “If it looks too good to be true, it probably is too good to be true”, just may not hold. Black Friday, after all, represents the silliest day of shopping’s end-of-year “silly season”.
At the same time, though, while it is true that you can genuinely bag unbelievable bargains, online consumers are still urged to beware of scams, because cybercriminals are also gearing up for this bumper shopping mini-season. They, however, are “shopping” in a different way: they’re shopping for your identity and data information.
So says Stefan van de Giessen, General Manager: Cybersecurity at value-added distributor Networks Unlimited Africa. “Black Friday shoppers really need to protect themselves and beware of potential scams,” he advises, “because cybercriminals are also looking to take advantage of one of the busiest online shopping periods of the year.
“At the same time, this is one of the few days of the year when too-good-to-be-true bargains may, in fact, just be the real deal! And so there are a number of best-practice scenarios that need to be considered, both from a consumer perspective and from those who are offering e-commerce sites.”
Advice for consumers
Van de Giessen says consumers should look for certain credentials when they are buying from online sites.
“A reputable site will be enabled by reputable companies such as PayFast, Visa, American Express and so on. Look out for these icons on the Web site. It’s important to be vigilant about the payment gateway to ensure that it is secured by a provider of good standing.
“It’s also a good idea to create a separate e-mail address when signing up for Black Friday alerts, rather than using your work or personal e-mail. If possible, you can also use a separate credit card for online purchases to limit your losses if you are attacked.
“Another important point to consider is whether the online experience offers two-factor authentication: a security process in which the user provides two different authentication factors to verify themselves, and in this way better protects both their credentials as well as the resources the user can access. If two-factor authentication isn’t offered, flag this online transaction opportunity. Similarly, if you are sent an e-mail for payment, don’t reply if the e-mail looks suspicious.”
Other tips for the consumer to consider include the following:
- Shop on trusted sites and go straight to the retailer’s Web site, instead of clicking on links. A link embedded in an e-mail or text message could be false and take you to a phishing site where your credentials, such as your username, password and payment details, will be stolen.
- Secure important accounts with strong passwords and two-factor authentication. The latter makes it harder (although not impossible) for criminals to use your username and password against you if your credentials have previously been stolen.
- Stay up-to-date with the latest software and app updates.
- Try not to create new accounts, if possible, unless you plan on using the site a lot in the future.
- Don’t share too much information about yourself online. Hackers and phishers can use this information to breach your systems.
- Look out for spelling errors in e-mails; they often indicate fraudulent sources.
- Check the sender’s e-mail address. A reputable e-commerce vendor won’t send you an e-mail from a Gmail account, for example; they will use their own domain.
- Keep an eye on your bank and credit card systems, and remain vigilant about any unexpected payments.
- Secure your smart gadgets, so that attackers can’t break into your personal network via insecure IoT devices.
Van de Giessen advises that a recent trend among hackers is the abuse of Secure Sockets Layer (SSL) certificates in phishing attacks. An SSL certificate is used to set up an encrypted connection, which ensures that hackers cannot intercept the information a user enters on a Web site through their browser.
“The icon of the padlock on a Web site is a third-party verification that a site is secure,” he explains, “and Google’s algorithms tend to indicate Web sites without an SSL certificate as being insecure. Hypertext Transfer Protocol Secure (HTTPS) for accessing Web sites, compared to the more basic HTTP, which is the plain text version, makes use of Transport Layer Security (TLS) or SSL certificates to encrypt traffic between Web servers and clients. However, hackers are making use of the SSL certificates on their own Web sites, in an attempt to make their fake Web sites look authentic.
“Earlier this year,” says Van de Giessen, “the FBI issued an alert warning that seeing the HTTPS and a padlock icon in the address bar did not necessarily prove the authenticity of a Web site, and that phishers were more frequently incorporating Web site certificates of their own when sending their potential victims e-mails that were imitating trustworthy companies or e-mail contacts.
“In other words, they are being lured to a malicious Web site that looks secure. From a consumer perspective, it is important to be aware of overly long URLs that re-direct to strange-looking domain names. Look for red flags, and be vigilant about typing in the name of the e-commerce provider you want directly into the browser.”
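The consumer checks above (go to the retailer directly rather than clicking links, distrust free-mail senders, and watch for overly long URLs that redirect to strange-looking domains) can be turned into a small triage routine. The following is an added example and not code from the article or from Networks Unlimited Africa; the retailer domain, the free-mail and redirect-parameter lists, the crude registrable-domain rule and both sample messages are constructed assumptions.

```python
"""Added example (not from the article or Networks Unlimited Africa): triage a
promotional e-mail's sender address and links against the retailer you intend
to shop with. The retailer domain, free-mail list, redirect parameter names
and sample messages below are all constructed assumptions."""
from urllib.parse import urlparse, parse_qs

# Retailer you actually mean to shop with (assumed, constructed name).
EXPECTED_DOMAIN = "example-retailer.co.za"

# Free-mail providers a retailer would not send from (illustrative, not exhaustive).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Query parameters commonly used to carry a redirect target (illustrative).
REDIRECT_PARAMS = ("url", "redirect", "next", "goto", "dest", "target")

# Suffixes that take a third label, e.g. example.co.za (crude stand-in for the
# Public Suffix List, which a production implementation should use instead).
TWO_PART_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant controls, so that
    'www.example-retailer.co.za' and 'example-retailer.co.za' compare equal
    while 'example-retailer.co.za.login-verify.xyz' does not."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def final_destination(url: str, max_hops: int = 5) -> str:
    """Statically unwrap redirect parameters embedded in a link (no network
    access) to find where it really lands; stops after max_hops."""
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)
        nxt = next((params[k][0] for k in REDIRECT_PARAMS
                    if k in params and urlparse(params[k][0]).scheme in ("http", "https")),
                   None)
        if nxt is None:
            break
        current = nxt
    return current


def triage_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Flag a link whose visible host or final destination is not the
    retailer's own domain, is not HTTPS, redirects, or is unusually long."""
    visible_host = urlparse(url).hostname or ""
    dest = final_destination(url)
    parsed = urlparse(dest)
    host = parsed.hostname or ""
    findings = []
    if registrable_domain(visible_host) != expected_domain:
        findings.append(f"visible host belongs to {registrable_domain(visible_host)}")
    if registrable_domain(host) != expected_domain:
        findings.append(f"lands on {registrable_domain(host)}, not {expected_domain}")
    if parsed.scheme != "https":
        findings.append("destination is not HTTPS")
    if dest != url:
        findings.append("redirects via an embedded URL parameter")
    if len(url) > 120:
        findings.append("unusually long URL")
    return {"destination": dest, "host": host,
            "suspicious": bool(findings), "findings": findings}


def triage_sender(from_address: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Flag a sender that uses a free-mail provider or any domain other than
    the retailer's own."""
    domain = from_address.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in FREE_MAIL_DOMAINS:
        findings.append("sent from a free-mail provider")
    elif registrable_domain(domain) != expected_domain:
        findings.append(f"sent from {domain}, not {expected_domain}")
    return {"domain": domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: one genuine-looking promo and one phishing lure.
    samples = [
        ("promo@example-retailer.co.za",
         "https://www.example-retailer.co.za/black-friday"),
        ("blackfriday.deals@gmail.com",
         "https://www.example-retailer.co.za.deals-tracking.net/r?campaign=bf"
         "&url=https%3A%2F%2Fexample-retailer.co.za.login-verify.xyz%2Faccount"),
    ]
    for sender, link in samples:
        print(sender, triage_sender(sender)["findings"])
        print(link, triage_link(link)["findings"])
```

The point of `final_destination` is that a lure can start on a host that merely contains the retailer's name and carry the real landing page in a query parameter; comparing the registrable domain of both the visible host and the unwrapped destination against the retailer you typed in yourself is what catches it.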
Advice for e-commerce providers
“Online shopping is an important facilitator of the economy today,” says Van de Giessen. “But its growth for both e-retailers and consumers is also dependent on the security, convenience and trust that every transaction offers. This means that a strong threat management strategy is essential for successful e-commerce.
“There are various parameters that e-commerce providers need to be aware of, and that Networks Unlimited Africa is able to facilitate. For example, e-commerce providers are handling people’s sensitive data, so they need to have Payment Card Industry (PCI) compliance. This refers to the technical and operational standards that a business must follow to ensure that credit card data provided by card holders is protected and kept private and secure.
“An e-commerce provider also needs to have a secure e-mail gateway in place, with anti-spam and anti-virus protection, and other advanced protection on your mail system.
“It is also essential to have Web application load balancing. This refers to the process of distributing network traffic across multiple servers, to ensure that no single server bears too much demand, and in this way make sure that your system is capable of handling the traffic and enabling the e-commerce transactions that are taking place.”
Van de Giessen adds that e-commerce providers should mandate that customers use strong passwords to help mitigate risk. “Your Web site developer can set a minimum length for all user passwords, and also offer suggestions on how users can create stronger passwords. And finally, it goes without saying that an e-commerce provider should regularly check for and install system updates.”
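Two of the provider-side controls above, a minimum password length and two-factor authentication (mentioned earlier in the consumer advice), can be shown in working code. The following is an added example, not code from the article or from Networks Unlimited Africa; it implements the second factor as time-based one-time passwords (TOTP, RFC 6238), which is one common way of offering two-factor authentication, and the policy values, the deny-list and the test secret are assumptions.

```python
"""Added example (not from the article or Networks Unlimited Africa): a
minimum-length password policy plus a TOTP (RFC 6238) second factor, which is
one common way to offer two-factor authentication. Policy values, the
common-password list and the test secret are assumptions."""
import hashlib
import hmac
import struct
import time

MIN_PASSWORD_LENGTH = 12            # assumed policy value, not from the article
TOTP_STEP_SECONDS = 30              # RFC 6238 default time step
TOTP_DIGITS = 6

# Tiny illustrative deny-list; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456789012", "blackfriday2023", "qwertyuiop12"}


def check_password_policy(password: str) -> list:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    counter, dynamic truncation to 31 bits, then reduce to 'digits' digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based one-time password: HOTP with the counter derived from time."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time=None, window: int = 1) -> bool:
    """Accept the code for the current time step or the 'window' steps either
    side of it (to tolerate clock drift), using a constant-time comparison."""
    if len(submitted) != TOTP_DIGITS or not submitted.isdigit():
        return False
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + delta), submitted)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 it yields 287082.
    secret = b"12345678901234567890"
    print(check_password_policy("short"))
    print(totp(secret, 59))
    print(verify_totp(secret, totp(secret, 59), unix_time=59))
```

The per-user secret would be generated with `secrets.token_bytes` at enrolment and shared with the customer's authenticator app; the drift window is kept to one step either side so that a leaked or replayed code is only useful for about ninety seconds.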
“Being an e-commerce merchant today can certainly bring business rewards,” says Van de Giessen, “but not without carrying out serious security precautions for the sake of both the business and its customers, as well as to ensure your customers’ trust, of course. It’s also important to remember that threats are always evolving, and so staying on top of your cybersecurity needs is an ongoing process, and professional assistance is necessary.
“On the consumer side, it’s also important for employers to carry out regular security awareness training to empower their employees to better spot potential cyber threats and not unwittingly give up their data,” he continues.
“During high-risk periods such as Black Friday, unaware users could expose an organisation to unwanted cyber risk, perhaps via their work e-mail addresses. At these times, it’s even more important for a company to make sure it has introduced effective, modern training techniques, as well as next-generation security measures on the actual network,” he concludes.