As we increasingly make use of our smartphones to satisfy our shopping needs, let’s shine a light on how these hubs of our digital lives can be used to shop securely, on and around a day dedicated to online deals.
Let’s get a bit statistical first. On Cyber Monday in 2017, smartphones and tablets accounted for almost one-third of online sales, according to Adobe Digital Insights (ADI). With that proportion rising in recent years, a not-too-dissimilar picture is expected to be painted during the 2018 edition of Cyber Monday, which ADI expects to be the largest single online shopping day, ever, in the United States. The importance of taking precautions while grabbing those bargains via our mobile devices cannot be overstated.
Of course, much of the general guidance for safe online shopping that we published last Friday applies equally to smartphones. However, the use of these miniaturized computers for e-commerce can have some serious security implications that don’t stem only from the nature of the devices themselves. Human nature can often be at play, too, and it’s worth considering what we need to be wary of when using our smartphones while we chase all those discounted designer duds and other incredibly irresistible items at incredibly irresistible prices.
Imagine you’re out and about and your guard is down: a message from someone you think is your Facebook friend tips you off to a lush-sounding pair of audiophile headphones whose “special price” will, of course, be gone before you can blink. Flushed with excitement, you go on to tap on the supplied link and “bag the bargain”. After all, in a world that cherishes ubiquitous connectivity and where everything is just a few taps away, it’s all too easy to dutifully follow such a recommendation and, ultimately, satisfy our need for instant gratification.
However, the trouble is that, unbeknownst to you, the friend’s account was compromised and the link led you to a site aimed at stealing your payment card details. As a result, some of your most sensitive personal information is now in the hands of fraudsters.
Faced with the prospect of a “deal” that will inevitably be available for little more than a fleeting moment, it is no surprise that we may be prone to losing focus and to not hitting that mental pause button. And our propensity for failing to apply forethought before we act is just one of our inherent foibles that con men exploit by the use of devious social engineering.
To keep phishers at bay, never click on a message that sounds too good to be true. If it appears to come from a friend, you should verify that it came from the apparent sender. Either way, it’s always safer to navigate to the retailer’s app or website to double-check whether or not the offer is legitimate.
In the example above, you could just as well become the victim of SMS-borne phishing (aka smishing) and, for example, end up downloading a Trojanized version of a popular legitimate mobile application, modified to steal your personal data or implement screen-locking capabilities. Or it could just as well be one of those would-be Black Friday- or Cyber Monday-themed apps that are particularly likely to flood unofficial, and often dodgy, app repositories in the run-up to and during the shopping season, seeking to ensnare their victims under the guise of massive discounts or freebies. The same goes for bogus versions of normally paid-for and/or long-anticipated apps that may be peddled especially enthusiastically and assiduously during this season. The list goes on…
Whatever the pretext under which that app aims to make its way onto your phone, your best bet to steer clear of trouble is to stick to Google Play or the App Store. Also, all major retailers have dedicated official apps for both Android and iOS, and even though impostor and other shady apps can still sneak into the platforms’ storefronts (yes, even into the App Store), paying attention to the app’s description, negative reviews and requested permissions will go a long way towards helping you stay safe.
This all, of course, assumes that you haven’t jailbroken your iPhone or rooted your Android device. Ditching the “shackles” of Google’s and Apple’s operating systems may have given you endless possibilities for software customization, but that “brave new world” can easily morph into a frontier of threats.
Given our smartphones’ portability, we may expose ourselves to trouble when we connect to Wi-Fi networks that aren’t ours. We long for a connection, but public Wi-Fi hotspots – which often aren’t protected by even WPA2 encryption – can be hotbeds of trouble. This includes situations when, for example, an attacker sets up an “evil twin” access point: i.e. an access point that looks like, and even has the same name as, its legitimate “sibling”. When you connect to such a rogue hotspot, which can be set up without too much effort, the crook can snoop on the traffic or serve phishing pages with the ultimate aim of stealing usernames and passwords. In this sense, the same risks apply as with laptops.
In general, the simplest countermeasures against such attacks rest on using the data network of your mobile carrier, a reputable virtual private network (VPN) service or, at the very least, on staying away from websites that require login credentials or that aren’t secured by the encrypted HTTPS protocol. Put differently, entering private information on a public Wi-Fi network is an out-and-out no‑no. Also, make sure that your smartphone isn’t configured to join open networks within range automatically, and that your Wi-Fi is switched off when it’s not in use.
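The advice above boils down to a few checks a person can run on a link before tapping it: is it HTTPS, does the host really belong to the retailer or merely resemble it, and is anything odd about the address. The following is an added example, not code from the article or from ESET, that turns those checks into a small defender-side link inspector. The retailer list, the homoglyph table and the sample message are constructed for illustration, and the registered-domain logic is a deliberate simplification (last two labels) rather than a full public-suffix lookup.

```python
"""Inspect links found in a message before tapping them (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of the retailer domains this user actually shops with.
KNOWN_RETAILERS = {"example-shop.com", "bigstore.example"}

# Digits commonly swapped for letters in lookalike hostnames (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Simplified eTLD+1: the last two labels. Enough for the sample domains."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lookalike_of(host):
    """Return the known retailer this host imitates, or None.

    A host is genuine when its registered domain is a known retailer; it is a
    lookalike when it is not, yet (after undoing digit-for-letter swaps) it
    still contains the retailer's brand label, e.g. 'examp1e-shop.com' or
    'example-shop.com.deals-today.net'.
    """
    if registered_domain(host) in KNOWN_RETAILERS:
        return None
    normalized = host.translate(HOMOGLYPHS)
    for known in sorted(KNOWN_RETAILERS):
        brand = known.split(".")[0]
        if brand in normalized:
            return known
    return None


def inspect_link(url):
    """Return a list of warnings for one URL; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    if not host:
        warnings.append("no host in link")
        return warnings
    if parts.username or parts.password:
        warnings.append("credentials embedded in the link")
    if is_ip_literal(host):
        warnings.append("host is a raw IP address, not a retailer name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) host; may use lookalike characters")
    target = lookalike_of(host)
    if target:
        warnings.append(f"host {host!r} imitates known retailer {target!r}")
    elif registered_domain(host) not in KNOWN_RETAILERS:
        warnings.append(f"host {host!r} is not a retailer you know")
    return warnings


def inspect_message(text):
    """Map every URL found in a message to its warnings."""
    return {url: inspect_link(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    # Constructed sample message of the kind described in the article.
    sample = ("Hey! Those headphones are 80% off today only: "
              "http://examp1e-shop.com/deal?id=42 - grab them before they're gone!")
    for url, flags in inspect_message(sample).items():
        print(url, "->", flags or ["no red flags"])
```

The safe path is still the one the article recommends: when any warning fires (and even when none does), open the retailer's own app or type its address yourself rather than following the link.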
Of course, at no point should you lose sight of other precautions that should be part of your “holistic” approach to staying out of harm’s way – and not only when you go shopping online. Those include keeping your operating system, apps and security software updated, utilizing a secure authentication method to unlock your device’s screen, making sure to use device encryption if it’s not turned on by default, and enabling two- or multi-factor authentication on all of your online accounts, or at any rate all those that support it. Just as importantly, many of us have yet to begin to think of smartphones as small computers that store some of our most valuable data – and that needs to change.
written by Tomas Foltyn, ESET We Live Security