Online shopping is increasingly replacing browsing and shopping at malls and stores. The convenience of browsing a wide variety of goods, configuring options for customized purchases, clicking the “pay” button, and then seeing the products arrive in a matter of days at your door, can be a mesmerizing experience for many.

And online shopping keeps improving in amazing ways, with single clickthroughs, intelligent suggestions for complementary and alternative products, discount coupons, and extensive customization.

The Nightmare of Credit Card Fraud

An avid online shopper has shopped online for the past 15 years. He still shops at retail outlets and malls, so his credit cards are used both online and offline. Though banks have replaced credit cards with smart chip versions with better security compared to mere magnetic stripes, credit card fraud is still prevalent.

Though a veteran online shopper who works in IT with a good knowledge of security, he still had his credit card details compromised twice.

When he spoke to the banks, he could not unravel what exactly had happened, or why the card details were used thousands of miles away in actual physical outlets right after one particular physical transaction at a small retail shop. Having read about PoS malware incidents, he speculated that perhaps that retail shop had its PoS systems compromised without its knowledge.

Thankfully, the banks replaced the cards, negated the transactions, and life went on.

But this does not inspire confidence in the shopper, who lamented that, given the PoS malware situation reported in foreign media, he has increasingly decided to use cash for purchases, to reduce purchases, or to switch to intermediary payment gateways such as PayPal.

Point-of-Sale (POS) Malware Hell

The advisory issued through US-CERT and the National Cybersecurity and Communications Integration Center (NCCIC) analyzed the “Backoff” malware, which targeted and infected point-of-sale (PoS) systems, and estimated that over 1,000 American businesses had been infected. The malware steals credit and debit card information from vulnerable systems that may be running remote desktop software: the attackers use brute-force password guessing against those remote access accounts to break into the terminals, and then retrieve the card information from them.

The basic suggestions from US-CERT are to lock out remote access accounts after repeated failed logins and to erect better firewalls.
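To make the lockout recommendation concrete, the following is an added example (not code from the US-CERT advisory or from the original article) of the account-lockout logic a remote-access service or a log monitor could apply. The log line format, the account names, the source addresses and the thresholds (five failures within fifteen minutes, thirty-minute lockout) are all constructed assumptions for the example; real remote desktop logs look different and the numbers should follow your own policy.

```python
"""Account lockout after repeated failed remote-access logins.

Added example: the log format below is constructed for illustration and is
not the output of any real remote desktop product. The point it shows is
that once an account is locked, even a correct password is refused until
the lockout expires, which is what defeats a brute-force guessing run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for the example, not advisory recommendations.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample log: ISO timestamp, result, account, source address.
# 203.0.113.7 and 198.51.100.4 are documentation-range addresses.
SAMPLE_LOG = """\
2014-08-01T09:00:01 FAIL account=posadmin src=203.0.113.7
2014-08-01T09:00:02 FAIL account=posadmin src=203.0.113.7
2014-08-01T09:00:03 FAIL account=posadmin src=203.0.113.7
2014-08-01T09:00:04 FAIL account=posadmin src=203.0.113.7
2014-08-01T09:00:05 FAIL account=posadmin src=203.0.113.7
2014-08-01T09:00:06 OK   account=posadmin src=203.0.113.7
2014-08-01T09:30:00 FAIL account=cashier1 src=198.51.100.4
2014-08-01T09:45:00 OK   account=cashier1 src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+account=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, account, src) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, account, src = m.groups()
    return datetime.fromisoformat(ts), result, account, src


class LockoutPolicy:
    """Tracks recent failures per account and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout ends

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window."""
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, ts, result, account, src):
        """Apply one login event and return the decision for it."""
        until = self.locked_until.get(account)
        if until is not None:
            if ts < until:
                # Locked: refuse regardless of whether the password was right.
                return "DENIED_LOCKED"
            del self.locked_until[account]  # lockout has expired
        if result == "FAIL":
            self._prune(account, ts)
            self.failures[account].append(ts)
            if len(self.failures[account]) >= self.max_failures:
                self.locked_until[account] = ts + self.lockout
                self.failures[account].clear()
                return "LOCKED"
            return "FAIL"
        self.failures[account].clear()  # a genuine success resets the counter
        return "ALLOWED"


def evaluate_log(text, policy=None):
    """Replay a log through the policy; returns (policy, list of decisions)."""
    policy = policy or LockoutPolicy()
    decisions = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            decisions.append(policy.observe(*parsed))
    return policy, decisions


if __name__ == "__main__":
    _, decisions = evaluate_log(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:14} {line}")
```

In the sample, the fifth failure against posadmin locks the account, so the successful guess one second later is refused; cashier1, with a single mistyped password, is unaffected. A monitor built this way would also raise an alert whenever a LOCKED or DENIED_LOCKED decision occurs, since on a PoS terminal those should be rare.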

The traditional approach of retroactively patching a system once a vulnerability is discovered after an attack is increasingly outmoded and presents grave security challenges. What’s worse, Advanced Persistent Threats (APTs) can stealthily hide beneath application layers for months or years in a dormant state, activating only sporadically before going to “sleep” again, so such threats may go undetected for a long time. And the threats keep coming with greater ferocity and sophistication, confounding many security administrators.

Against the onslaught of evil hackers attacking every public-facing web property, there is an equal and opposite fighting force of “superheroes” trying their best to fend off hacking attacks, constantly researching, testing and deploying new defenses to help organizations stay safe online. The good folks report their findings on websites and forums, send email reports and advisories to national cybersecurity teams (CERTs), and so on. However, there is so much hacking going on incessantly that much of the good information laboriously filed and shared online becomes lost and unused.

What can we do?

Consumers like us are entangled with cash and credit cards. If you talk to a regular cabbie, he will tell you that many riders pay their fares with credit or cash cards rather than in cash these days. So what precautions can we take to protect ourselves?

1) Chip-capable cards. Upgrade to chip-capable cards. Banks are already implementing this in Asia (America is probably among the furthest behind). These cards are harder to replicate than those with mere magnetic stripes.

2) Shielding. Chipped cards are not foolproof either. You may need to provide shielding to protect your cards. Simple tin foil may work, though it fails on aesthetics. Or you can use commercial wallets with shielding. Even passport covers are available with shielding these days, since many passports are now biometric capable and can be scanned by hackers, just like chipped credit cards.

3) Transaction alerts. You can subscribe to a service from your credit card provider where every transaction above a certain value triggers an alert to your smartphone, usually through Short Message Service (SMS) or email. I would recommend paying for such a service and setting the threshold to the lowest value possible, say $1. In this manner, hackers who have somehow obtained your details and used your card for a test transaction would immediately trigger an alert. On seeing an alert for an unknown vendor or location (a place you were not at), you can immediately alert your bank and suspend your card.

4) Selective shopping. If at all possible, shop at large establishments. Prices may be perceived as higher, but you get peace of mind. And some large establishments do have great bargains, or even allow negotiable pricing to some extent. If you have to go to shops you have never visited before, use a credit card with a very low credit ceiling, a cash card, or simply cash. Remember to religiously scrutinize your credit card and bank statements every month, and raise flags with your bank immediately if needed. When going overseas (or even locally), refer to point (2) on shielding.

5) Mobile security. Your smartphone is increasingly a part of the payment mechanism, if only as a place that holds important personal details. Many people store bank details on their smartphones. What happens when your smartphone is lost or stolen? Use whole-device encryption (available for both Android and iOS), choose good passwords, and turn on “remote wipe” so you can erase the device if it is lost or stolen. Check app permissions and turn off as many as you can while still allowing the apps to work. For example, if you have a hybrid HTML5 reading app (simply static content encased within a WebKit browser), there is no real reason for the app to access your contacts, your camera, your location, and so on. If in doubt, uninstall such apps and find alternatives, or use the web versions instead. Use firewalls and VPNs whenever possible (even on 3G/LTE), and avoid public Wi-Fi unless your traffic is secured and anonymized.

Preparedness and Confidence

Imagine any retail customer who uses his credit cards both in shops and online. The card information can be misused by hackers simply because a retail PoS was compromised by malware like “Backoff”. The anxiety such a customer faces, the hours spent trying to communicate with the card-issuing banks, and working through credit card statements with the bank on the phone, are major nerve-wracking headaches. If we cannot always rely on providers upstream to take care of us, then we have to rise up and take care of ourselves.

Treat your smartphone as basically “naked” to the world, and protect it to the fullest extent possible. Seek out, ask about, and implement any security you can. After all, your smartphone is closer to you throughout the day than your laptop.

To be paranoid is to survive.