Welcome to Cyber Security Today, the Week in Review edition for Friday November 13th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
With me today is Dinah Davis, vice-president of research and development at managed cybersecurity provider Arctic Wolf. With the holiday period approaching lots of people will be shopping online, so we’ll talk in a few minutes about avoiding scams.
But first a roundup of the week’s news:
Microsoft has become the latest tech company to urge people using multi-factor authentication to stop getting security codes through text or voice messages on smartphones. A six-digit security code is an extra login requirement on top of a username and password. There are several ways of getting a code on a mobile device, but using an app that can’t be intercepted, like Google Authenticator or Microsoft Authenticator, is safer than a text or voice message. For those who need the best login protection, use a special USB key like the Google Titan or the YubiKey.
Owners of older Android phones and tablets running versions 7.1 or earlier of the operating system should think about getting new devices. That’s because starting in January they may have trouble accessing some websites. Those sites use a free security certificate system from a service called Let’s Encrypt and starting in the new year it won’t work with older devices.
IT administrators whose companies use Microsoft Teams have been warned to install the latest security patch from Microsoft’s website. There’s a scam going on pushing fake Teams updates that could allow crooks to eavesdrop on conversations and steal corporate data.
Luxottica Group, which owns several prescription eyeglass chains, has admitted a hacker got into the company’s online appointment scheduling app and got hold of customers’ personal information.
Finally, the FBI has warned software developers using the SonarQube platform for inspecting software code to install the latest security patches. A vulnerability is allowing hackers to break in and steal their code.
My guest analyst this week is Dinah Davis of Arctic Wolf.
We decided to talk today about online shopping. The holiday shopping season started November 1st and already online shopping is setting records. A website called Digital Commerce 360 cited research that in the first 10 days of the month U.S. consumers spent over $21 billion online, a 21 per cent jump over the same period last year. Adobe Analytics predicts American online holiday spending alone could hit $189 billion in part because COVID-19 will keep many people out of stores. But if you’re not careful you could be the victim of online scams. How can you be a smarter shopper?
“There’s a couple of really easy things you can do,” said Davis. “First of all, when you see an ad on social media, ask yourself: does this offer look too good to be true? Because if it does, it probably is. And then you can also take a quick look at the ad and see if there are any spelling mistakes, or their URL is pointing to a weird place. If those are the case, then it’s best just to report and move on. But if it looks kind of okay you might still want to investigate that brand. You might have a fear of not missing out on a great deal. So, you know, you might want to double-check to see if it could be real.
“If it’s a brand you recognize, do not click the link, go to that brand’s website — for example, Lego.com if you’re seeing an ad that’s trying to sell Lego. Check if the deal is there, and if it’s not, well, too bad, you didn’t get the deal, but you’re safe from having hit a fraudulent site.
“But often the ad is from a third-party seller that also sells things like Lego and things like that. So what you want to do is not click the link — never click the link — but look and see what the URL of the website is. Then you can look it up on a website such as www.islegitsite.com. And it’ll tell you a couple of things about the site. One, it’ll tell you if that website has ever been blacklisted.
“So if it hasn’t had malware or spam activities or whatever, you want that to be green. If it’s not green, you’re not buying. You want to know when that domain name was created. If it’s been created within the last four months, probably not good. The other day I checked out a link and the website had been created two days before. Very bad, very, very bad, definitely not buying anything from there. You want to make sure there’s an HTTPS connection [to show there’s encryption] … And so these websites can really help you.”
What about online businesses? They can be stung by fraudsters posing as legitimate customers.
“There’s a few things that they can do,” Davis said. “One, if you’re a really small business then it’s a great idea to use online tools that exist already, like Etsy or Shopify, where they handle the payment structure and everything for you. And you don’t have to worry about it. But if you are going out and doing it yourself, then you want to make sure you’re using the address verification service at the checkout. It’s a service that you can use to check the address that the customer puts into your website against the address that’s on the credit card and make sure it’s the same.
“If it’s not the same you can decline the payment. You also want to check the [credit card’s] CVV at checkout. It is actually in the Payment Card Industry, or PCI, rules that you are not allowed to ever store the CVV along with the credit card number. So it makes it very hard for somebody who’s stolen the credit card online to actually have that unless they’ve stolen the physical card …
“One other thing you can do is ensure you have strong [administrative] passwords on your site so, at the very least it’s harder for people to take over your client’s accounts.”
To hear the full interview click the arrow above and play the podcast. For more of Dinah’s advice, see this blog.
That’s it for Cyber Security Today. This podcast can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.