Best Practices for Safe and Secure Shopping on Cyber Monday

Written by | Nov 23, 2010 6:32:00 PM

Helpful Security Tips for Online Holiday Shoppers

CHICAGO (November 23, 2010) - As retailers ready for Cyber Monday, an online sales event that helps kick off the holiday shopping season, predictions are being made that holiday spending will be higher this year than last. But as consumers get ready to surf and shop the Internet, SpiderLabs, the advanced security team within Trustwave responsible for application security, incident response, penetration testing, physical security and security research, is warning shoppers about a new potential cyber scam aimed at stealing credit card data and other personally identifiable information.

Shopping for that perfect holiday present is exciting, though consumers often let personal security fall by the wayside as they bargain hunt for the best deals available. But as the holiday shopping season gets underway, the risk of cyber attacks and cyber scams increases. This year consumers should be particularly wary of social networking-based scams, such as "coupon codes," that provide links for heavy discounts at popular stores or for popular toys.

With many more consumers using social media such as Twitter and Facebook, this type of scam can quickly spread via innocent Tweets and Facebook posts by bargain hunters who believe they're providing friends with legitimate money-saving opportunities. Clicking on the link could send the shopper to a site that contains drive-by malware or botnet installation before redirecting them to the real online store, which could lead to all sensitive data and user activity on the consumer's personal computer being harvested.

"This could easily pop-up and become viral on social networks and increase the number of people affected," said Nicholas J. Percoco, senior vice president and head of Trustwave's SpiderLabs. "This type of activity could happen at any time, but around the holidays people are looking for the best deals and could become easy prey."

Below are several best practices to follow when shopping online to help avoid this and other types of scams:

  • Links provided in e-mail, IM, social media and other communication mediums should not be trusted. If contacted via any of these online mediums with live links, do not provide any information. Instead, visit the retailer's Web site directly, on your own, to find out if they in fact have the "special" or "deal" being advertised.
  • During the checkout process, a consumer should never be asked for information other than billing, shipping and credit card information. If asked for a government identification number, driver's license number, mother's maiden name, debit card PINs, etc., it is either a scam or the transaction is being tampered with by possible data-harvesting malware on the consumer's computer.
  • Do not inherently trust online communication more than a random phone call or random stranger on the street.
  • If someone calls and asks for personal information or credit card information, just say "no." Once personal information is provided, it cannot be retracted.
  • If any personal information or password has been provided, notify all potentially affected accounts immediately. In the case of online bank accounts and other similar online systems, change passwords and contact the administrator of the system immediately.

After investigating more than 1000 cases of stolen credit card information from businesses including e-commerce sites, Trustwave has developed a list of general best practices for online shoppers to ensure their information is secure. The following list represents "trust" indicators that consumers should try to identify on Web sites before beginning their shopping experience and before they enter any personally identifiable information on the site. Identifying the presence of these trust indicators will help shoppers protect their identity and ensure their credit card information is secure throughout the transaction process.

  • SSL Certificates: Encrypt personal information from a web browser to the site's server. The presence of an SSL certificate can be identified by a lock in the web address bar and an "s" after the "http" in the web address bar. An EV SSL certificate, an enhanced SSL certificate that includes a rigorous process to validate the organization's identity, can be identified by the web browser address bar turning green.
  • Privacy policy: A page on the web site should disclose some or all of the ways the e-commerce site retains, processes, discloses or purges personal customer information.
  • Review return policy: A page on the web site should provide information on actions to take should a good arrive damaged, defective or not usable.
  • Reputation: Consumers should research the e-commerce site to ensure they are shopping with a reputable company with which other shoppers have had good experiences.
  • Company Information: Confirm the e-commerce site has a physical location and valid phone number should there be a need to make actual contact.
  • Web site trust indicator: Site seals, when clicked, provide current information about an underlying certification and reassure shoppers that the e-commerce site abides by certain requirements or standards, similar to Trustwave's Trusted Commerce seal. If the site seal is not clickable or does not render, Trustwave recommends that consumers avoid shopping at these sites.

Should a consumer experience a fraudulent charge on their credit card, they should call their card issuer immediately and tell them about the charge. More often than not, consumers are not held liable for those charges.

"Cyber scams and attacks are not limited to the holiday shopping season; cyber thieves can strike at any time," said Robert J. McCullen, chairman and CEO of Trustwave. "Consumers should follow these best practices throughout the year to help ensure their personal information and card data remain secure."

About Trustwave

Trustwave is a leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions including SIEM, WAF, EV SSL certificates and secure digital certificates. Trustwave has helped hundreds of thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com/en-us/.