My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.
As we welcome the winter holidays, purchasing gifts online is expected to increase this year by 7 to 10 percent according to the National Retail Federation. This is a boon to the online retail community. It can also be a boon to data thieves.
As consumers wander the mall looking for the perfect gift or travel to relatives houses, they bring a myriad of electronic devices. Laptops, gaming systems, and the ever present smartphone all attempt to make life easier by connecting to WiFi networks. Legitimate WiFi networks provide a great service allowing consumers to evaluate pricing and the availability of gifts. Attackers are also known to setup their own WiFi networks to trick unsuspecting users into passing their information in clear view of the attacker.
In many cases these fraudulent networks will look similar to legitimate networks with names like “Free Store_Name WiFi”, “Free Airport_Name WiFi”, or “Hotel Guest Wifi”. Data thieves will use these networks to perform what is called a “Man-in-the-Middle” attack. In this scenario the consumer connects to the attacker’s fraudulent network and the attacker connects to the Internet. So, to the consumer, it appears that they are using the Internet as normal. By forcing you through their network, though, the attacker can monitor, collect, and store usernames, passwords, credit card data, and other confidential information.
Usually employees of the store, airport, or hotel will know the legitimate network, but what if you just can’t tell? There are a few things that anyone can do to protect themselves:
- Verify connections to websites are secure and use SSL for online shopping. The easiest way to check is to look in the website’s address for “https://”. Sites using https:// are protecting their customer’s information by encrypting the consumer’s information as it passes across the Internet.
- Make sure you are actively checking credit card statements. Don’t wait until the end of the month if you have online access to your transaction history.
- NEVER use the public use computers in hotels for anything confidential. These systems have been targeted by identity thieves in the past, since they are easy to compromise and attract many different individuals. Even using SSL connections mentioned in point 1 is pointless on these systems because attackers can capture the information directly from the attached keyboard.
- Use a Virtual Private Network (VPN) connection if possible.
Watch out while shopping online now and in the future.