As shoppers whip out the plastic for online deals, the holiday angst only heightens when it comes to threats to your credit card accounts and other personal information.
Even consumers who shop online through a major retailer, like Macy’s, can fall victim to some of these incredible hacking incidents.
During a one-week period in early October, for example, sophisticated intruders targeted online shoppers at Macys.com to secretly collect addresses, emails, names, credit card numbers and other personal information.
As a shopper, you would have had no idea there was any sort of trouble when you used your card to buy merchandise. Later down the line, though, you likely received a letter from Macy’s explaining that you were a victim of this limited data breach.
The Macy’s breach mirrors a proliferation of specific e-skimming attacks outlined earlier by the Federal Bureau of Investigation.
The danger of this latest cyberattack: Cyber criminals are getting our data in real time, which can make that information more valuable in the underground market.
Such theft can happen whether you’re buying something online through a legitimate website or mobile app.
• How e-commerce attacks work: Fraudulent websites, apps, emails and texts are particularly dangerous on big shopping days, when everyone’s in a rush to quickly snag the best bargains.
The attack on e-commerce sites, like the one experienced by Macy’s, is known as Magecart, a scam that skims card numbers of online shoppers using widely distributed malicious software. In the Macy’s breach, the criminals were able to access information when customers used credit card data at the checkout page and the “place order” button was hit.
The skimming code would capture your information in real time and send it to a remote server where the data is collected by the criminals behind the scenes. The consumer’s credit card data would either be sold or used to make fraudulent purchases from that point going forward.
• Data from initial hack can be used later: Given that the Macy’s attack exposed customer names, addresses, email addresses and phone numbers, those customers could see more phishing attempts later, said Adam Levin, founder of CyberScout.
• What you can do to protect data, money: The proliferation of cyber crime gives consumers more reason to lock their doors, if you will, to their personal information.
Consider the following tips:
• Nearly half of Americans admit to using one password when logging in to various accounts, according to a new study from PCI Pal, a payment compliance provider. Changing your password — and using different passwords for different accounts — becomes even more important if you are planning to shop online during the holidays. You can check out various password managers online that can help ensure unique and random passwords.
• Don’t use your birthday, phone number or even the last four digits of your Social Security number as a password.
• Another obvious point: Change your passwords if you are alerted that you’ve been involved in any sort of data breach or identity theft. Attackers who steal data from companies know that you’re using the same password over and over again.
• You don’t want to access sensitive information, such as payment information, by using the free Wi-Fi at the coffee shop. There’s a risk that such information could be stolen “in transit.”
• As much as they tell us not to click on links or attachments, people keep doing it anyway, according to the PCI Pal research. Almost a third of those surveyed admit they can’t resist clicking on attachments — which could explain why the scammers keep sending them.
• Use credit cards when shopping online. “There is generally more protection with a credit card because when using a credit card, it’s not your money,” Levin said.