Cybersecurity, the pandemic and the 2021 holiday shopping season: A perfect storm

Ping Identity executive advisor Aubrey Turner warns that eager cybercriminals are ready to exploit the current chaotic state of the world, and preparation is essential going into the holidays.

shutterstock-1818672221.jpg

Image: Shutterstock/Troyan

We’re heading into the holiday shopping season, and there will definitely be more than just the usual frozen, snowy bumps in the road to success. Supply chain interruptions and a continuing chip shortage have made things hard enough as it is, and that’s before you even stop to consider the cybersecurity and privacy concerns that have only been exacerbated by the state of things.

More about cybersecurity

Aubrey Turner, executive advisor at Ping Identity, says that the usual scams have only been amplified by a massive turn to online shopping due to the pandemic. “All these things have driven more people than ever to shop online, buy online, and that presents an opportunity for attackers and bad guys,” Turner said. 

SEE: Google Chrome: Security and UI tips you need to know  (TechRepublic Premium)

Those aforementioned supply chain interruptions have only widened the peak fraud time window for many attackers, who are keeping up with consumers who have started shopping earlier. In addition to starting early, many parents are in a desperate position in 2021: Will the toy their child wants even be available?

“Think about the past 20 Christmases: There is always some hot toy, from the Furby and Tickle Me Elmo, to Xboxes and PS4s. That creates an opportunity for an attacker to take advantage of somebody that wants to give that as a gift,” Turner said. 

In terms of specific threats that Turner said he’s noticed this year, two stand out: Card not present fraud, and non-delivery scams. Card not present fraud takes advantage of situations where a transaction can be run without possession of a physical card, while non-delivery scams are probably common to anyone who has an email address: They’re those phishy-looking emails you get from “FedEx” about a package you weren’t expecting being undeliverable.

There’s a common thread between those two common frauds: They’re variations on phishing themes, as are fake websites offering hard-to-find toys and gifts. “Some of the most unsophisticated, yet elegant, hacks have been perpetrated using social engineering,” Turner said. 

Pair that with over five billion sets of credentials and stolen bits of personally identifiable information available on the Dark Web and you have a serious risk for individuals and businesses alike that only gets worse during a time of year where people are spending money with their guards down.

How businesses can stay safe during the holidays

Stories of holiday fraud often focus on individuals being conned out of their money, but businesses can become victims of holiday-related fraud in several ways. Whether it’s an employee who has information stolen that allows an attacker access to a business network, or a bad actor impersonating your business, it’s essential to take steps toward preventing an incident. 

The solution, Turner said, is moving consumers and employees onto passwordless logins, or at the very least multifactor authentication. “We saw from our own data that 53% of consumers feel better using a site when logging in requires MFA,” Turner said. That indicates a willingness to adopt MFA (and by extension passwordless products like Ping, Turner said), but with an essential caveat: It has to be frictionless.

“The login process [must be] as easy and as fast as possible. That tells a story about your brand and it will become a competitive differentiator; some brands are embracing more frictionless experiences, and they will be differentiated from the brands that don’t,” Turner said. He summarized his advice on MFA thusly: “Meet your customers and users where they are” as opposed to imposing a new tool, which many people may avoid using if it isn’t a smooth experience. 

The pandemic accelerated a lot of discussion in the area of identity management and user security, Turner said, and the past year has given organizations the chance to step back and assess their responses to quick pandemic changes. “We’re in this second wave that is now looking at all these changes that were made quickly in the moment. Now is our chance to ask what we did right, what we did wrong, and how we can course correct for the future,” Turner said. 

Security tips for holiday shoppers

It’s going to be a rough year, especially with potential product shortages and shipping delays. It’s easy in this sort of situation to get complacent and not thoroughly check the legitimacy of online stores and offers, but there’s no more important time to be diligent than now.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Turner said he recommends the following for anyone shopping online this holiday season:

  • Be sure all your devices are up to date, especially IoT devices on your home or business network that could be used as part of a botnet or otherwise compromised. 
  • Be wary of unsolicited text messages or emails saying you have a delayed package or that they have a special offer. Those sorts of messages are almost always scams.
  • Instead of clicking on a link in a message or email, go directly to the website the sender purports to be from, or call the business directly to ensure you’re speaking to the right people. 
  • Customer service agents should never ask for personally identifiable information. If someone does, don’t give it out and ideally hang up the phone or close the chat window. 
  • Use a digital wallet instead of inputting your bank or credit card info directly on a website—even a trusted one. PayPal, Privacy.com, and other products provide such services and are trustworthy and safe to use.
  • Engage the services of a credit monitoring agency for the holidays, or keep an eye on your credit history and bank statements yourself to be sure nothing seems amiss.
  • iPhones have a built-in service (which is also available from third-party apps) that will notify you when a set of your credentials is exposed on the Dark Web. Use one of those apps, or your phone’s built-in service, and don’t ignore a popup on your device that informs you that you’ve been compromised. Instead, take action by changing the password on that account and any that have the same combination of username and password.

Lastly, Turner says that this holiday season especially merits a sense of caution. “Be aware of tactics used by shady retailers or deals that look like they’re too good to be true. It’s probably some kind of scam and you’re just going to spend more time frustratedly trying to untangle the mess of a stolen identity.”

Also see