Bilderlings explains how to guarantee your security when making purchases online.
Your account with a financial institution (i.e. access to your bank account or any other account) is the main target of cyber criminals. So the first thing you need to do is enable two-factor authentication to make it more difficult for fraudsters to gain access to your account.
Two-factor authentication: how does it work?
Two-factor authentication doesn’t just mean two steps – you have to enter data of two different types, using different data transmission channels (internet, mobile connection, apps, etc.).
Electronic payments in Europe are regulated by the Payment Services Directive (PSD2). This document identifies three types of information, of which at least two must be used for secure authentication:
– information that only the client knows (unique customer number, password, PIN code, etc.);
– an item that belongs to the client (mobile phone or other device to which a unique code is transmitted);
– the client himself (biometric data).
So, a code card isn’t good enough anymore?
Until recently, a bank-issued code card was thought of as an acceptable second factor. But these codes are static information and in this respect they do not differ substantially from a password. The code that you receive via SMS or email is unique: it cannot be predicted or reused.
Is it worth it?
Two-factor authentication takes only a half-minute to perform, but it significantly reduces the risk of exposure of your financial data and money. Aren’t your savings worth the 30 seconds extra?
Does everyone offer two-factor authentication?
If your bank (or other financial institution) offers the option of two-factor authentication, don’t be lazy – take advantage. If the service that you use stores your financial data and doesn’t offer this option, then this might be a good reason to think about its reliability and conscientiousness.
I have two-factor authentication. So, I’m safe now?
Let’s assume that we have protected our account well enough. But this is not a panacea if we’re using an unsecured network. Any financial transaction, any log-in to your internet bank or personal account at FinTech platforms using public WiFi entails considerable risk of sharing your data with fraudsters.
What’s wrong with public WiFi?
The answer is: its general availability. Typically we do not know who controls it or how it is protected. Firstly, you can mistakenly use the wrong network: a fraudster can easily come to a public place, create a WiFi network named Public-Place-Free, start distributing wireless internet and see all your actions while you are connected to the network. Secondly, a real network to which you are connected can be hacked. In both cases, fraudsters receive all the data that you enter on your computer.
Using your own mobile internet connection (the SIM card's data connection, not WiFi) is the safest way to make financial transactions while in a public place. In this case, there is no intermediary between you and your communications provider whose security you would have to take on trust. But if you are afraid that an advanced hacker is specifically targeting you, then make payments only from a mobile phone or tablet with a mobile internet SIM card.
A VPN (virtual private network) not only helps to circumvent geographical and legislative restrictions but also protects your data from fraudsters who exploit WiFi network vulnerabilities: the traffic between your device and the VPN server is encrypted, so it cannot be intercepted in readable form before it reaches the VPN connection point.
NB: take into account that some financial institutions block access through VPN.
Standard recommendations for protecting your home WiFi network:
– change the factory name of the network and the password; enable encryption (this is done by setting a password – choose WPA2, preferably WPA2 with AES);
– disable remote access to your router settings, if this is switched on;
– turn off the router during any long absence from home.
Phishing sites – what are they?
A phishing website pretends to be the site of your financial institution. It looks exactly like the site of your bank or FinTech platform. This is a simple technology: the internet is full of tools for cloning websites.
How does it work?
Say, for example, you receive an email from your financial institution with the following message: X has changed, please go to your account and change Y. A link follows. You click the link – everything looks fine, nothing out of the ordinary. The address line itself also looks “proper”: it is enough to change one letter to a similar-looking one, and you would never notice.
Next, you are asked to enter some data, and then some more; then an “error” message appears with a request to re-enter your data. If you have two-factor authentication, you enter the second, one-time code – and the hacker, who is stealing your data in real time, signs his own transaction with this code. The code that comes via SMS or email is valid for 30-60 seconds, but for a skilled fraudster this is more than enough time.
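The difference between a static code-card entry and a one-time code, and why binding the code to the payment blunts the relay trick described above, is easier to see in code. The following Python example is added here for illustration and is not Bilderlings' own implementation or the scheme any particular bank uses: it derives a 6-digit code with an HMAC over a shared secret and the current 60-second window (the same construction HOTP/TOTP use), accepts each code only once, and can also mix the payee and amount into the code (the "dynamic linking" idea from PSD2's strong-customer-authentication rules; the `payee=...;amount=...` format is an assumption), so a code relayed by a phishing site cannot authorise a different transaction. The secret, timestamps and transaction strings are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the customer's phone;
# in a real system it is provisioned once and never sent again.
DEMO_SECRET = b"bilderlings-demo-seed-do-not-reuse"
CODE_VALIDITY_SECONDS = 60  # the article cites a 30-60 second window


def _code(secret: bytes, window: int, binding: str = "") -> str:
    """Derive a 6-digit code from the secret, the time window and, optionally,
    the transaction it authorises (assumed format 'payee=...;amount=...')."""
    msg = struct.pack(">Q", window) + binding.encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # dynamic truncation as in HOTP: 4 bytes taken at an offset chosen by the digest
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


def generate_code(secret: bytes, now: float, binding: str = "") -> str:
    """Customer side: the code the phone or SMS shows for the current window."""
    return _code(secret, int(now // CODE_VALIDITY_SECONDS), binding)


class CodeVerifier:
    """Bank side: a code is accepted once, only in its own (or the previous)
    window, and only for the transaction it was generated for."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # (window, binding) pairs already spent

    def verify(self, code: str, now: float, binding: str = "") -> bool:
        window = int(now // CODE_VALIDITY_SECONDS)
        for w in (window, window - 1):  # tolerate a code typed at a window edge
            if (w, binding) in self.used:
                continue  # replay of a code that was already accepted
            if hmac.compare_digest(_code(self.secret, w, binding), code):
                self.used.add((w, binding))
                return True
        return False


def demo() -> dict:
    """Walk through the scenarios from the article with constructed values."""
    t0 = 1_700_000_000.0  # constructed timestamp
    legit = "payee=ACME Ltd;amount=49.90"
    fraud = "payee=Mule Account;amount=2500.00"  # what a phishing relay would try
    code = generate_code(DEMO_SECRET, t0, legit)
    bank = CodeVerifier(DEMO_SECRET)
    return {
        # the customer enters the code a few seconds later: accepted
        "accepted_once": bank.verify(code, t0 + 5, legit),
        # the same code entered again: rejected (a code card would accept it)
        "replay_rejected": not bank.verify(code, t0 + 10, legit),
        # the code entered three windows later: expired
        "expired_rejected": not CodeVerifier(DEMO_SECRET).verify(
            code, t0 + 3 * CODE_VALIDITY_SECONDS, legit),
        # the code relayed to sign a different payee/amount: rejected
        "other_transaction_rejected": not CodeVerifier(DEMO_SECRET).verify(
            code, t0 + 5, fraud),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the code to the payee and amount only helps if the customer is shown those details (for example in the SMS text) and checks them: a relay that forwards the code for exactly the transaction the customer intended still goes through, which is why the advice above is to never enter codes on a page reached from an email link.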
How to recognize this nasty trick?
Log into your account not by clicking on the link but through the browser, as you usually do, or typing out the address manually. If the company has actually introduced some changes, you will most likely find the corresponding message in your personal account.
So, never enter any of your data on a page that you opened following a link from an email. The email could have been sent by anyone!
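One way to automate the "look at the address, not the link" check is to compare the domain of a link against the domains you actually bank with, after normalising look-alike characters (a Latin l replaced by the digit 1, a Cyrillic е in place of a Latin e, and so on). The Python below is an added example, not a tool from the original article; the trusted-domain list, the homoglyph table and the sample URLs are constructed assumptions, and the two-label "registrable domain" shortcut is a simplification (real code should use the public suffix list).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of the domains the customer actually banks with.
TRUSTED_DOMAINS = {"bilderlings.com", "mybank.example"}

# Single characters that look like an ASCII letter but are different code points
# (a small constructed table; Unicode's confusables list is far longer).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic es, ha, u, i
    "\u0458": "j", "\u0455": "s",                                 # Cyrillic je, dze
    "\u03bf": "o", "\u03b1": "a",                                 # Greek omicron, alpha
    "\u0131": "i", "\u0142": "l",                                 # dotless i, l with stroke
}


def hostname(url: str) -> str:
    """Extract the host; punycode ('xn--') labels are decoded so they can be inspected."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already contains non-ASCII characters; inspect as-is
    return host.lower()


def registrable(host: str) -> str:
    """Last two labels ('login.mybank.example' -> 'mybank.example'); demo shortcut."""
    return ".".join(host.split(".")[-2:])


def skeleton(label: str) -> str:
    """Map a domain to a plain-ASCII form in which look-alikes compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # é -> e
    s = "".join(HOMOGLYPHS.get(c, c) for c in s)
    for seq, rep in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> dict:
    """Classify a link as trusted, suspicious (imitates a trusted domain) or unknown."""
    host = hostname(url)
    domain = registrable(host)
    result = {"host": host, "https": urlsplit(url).scheme == "https", "reasons": []}
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    if any(ord(c) > 127 for c in domain):
        result["reasons"].append("non-ASCII characters in domain")
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host:
            result["reasons"].append(f"'{trusted}' appears inside a different domain")
        elif skeleton(domain) == skeleton(trusted):
            result["reasons"].append(f"looks identical to {trusted}")
        elif edit_distance(skeleton(domain), skeleton(trusted)) <= 2:
            result["reasons"].append(f"one or two characters away from {trusted}")
    result["verdict"] = "suspicious" if result["reasons"] else "unknown"
    return result


if __name__ == "__main__":
    for sample in ("https://login.bilderlings.com/account",
                   "http://bi1derlings.com/",
                   "https://bilderlings.com.secure-update.example/login",
                   "https://bild\u0435rlings.com/"):
        print(assess(sample))
```

The check deliberately errs on the side of "suspicious": an unrelated domain that happens to be within two edits of your bank's name is flagged too, which is the right trade-off when the action on a false alarm is simply to type the address yourself.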
Additionally, you can always use www.virustotal.com: at this site you can check whether a specific link has been flagged as malicious.
Is this the only danger associated with websites?
No! Sites where you complete a purchase can themselves be a source of financial threat: they can be created specially by fraudsters to gain access to your account.
Let’s say you wanted to buy a branded bag at a discount of 90%. You entered your card data, but something went wrong. The money hasn’t been withdrawn. You won’t receive the bag, but your data has gone to some third party whose intentions are most likely dubious.
How to distinguish
There are several indicators which can help you distinguish a reliable site from a suspicious one.
An SSL (Secure Sockets Layer) certificate is the most widely used kind of site certificate to date: firstly, it confirms the authenticity of the site, and secondly, it ensures that the data you exchange with the site is encrypted.
For sites holding an SSL certificate, the browser’s address bar (URL line) shows a green lock and the name of the company that owns the site.
In addition, the SSL certificate allows the site to use the https protocol (the “s” added to http stands for “secure”).
If you see red, orange or crossed out icons – this is a good reason to think twice and to abandon the transaction before it’s too late.
How else can you check the online store (and other sites through which you plan to transfer funds)?
Pay attention to card company logos: if the site is fraudulent, the Visa or Mastercard logo will differ from the original.
The WHOIS (“Who Is”) lookup service will help you find information about the owner of the site.
What should you do if you identify a fraudster?
Report them to the financial institution which the fraudster is impersonating. This is unlikely to be an isolated incident, and you will be helping prevent further attacks on the customers of that particular organization. In general, each country has special agencies that deal with cyber crime. For example, in Latvia, CERT is responsible for this.
And what is 3D-Secure? Does this protect me from something too?
3D-Secure is a special authorization protocol for online purchases – when you are making a payment for something on the supplier’s website you are transferred to the website of your financial institution. This is certainly more reliable.
Does it mean that I should avoid websites without 3D-Secure?
Not at all. By law, if an online merchant does not use 3D-Secure, it bears the financial responsibility for the risk of your data leaking and must compensate you for any purchases you did not actually make.
Some companies still don’t use 3D-Secure. Why?
The most frequent example is transport companies – the air carrier Ryanair, for example. The absence of 3D-Secure isn’t a reputational risk for them. It’s simple financial cost-benefit calculus: if the sums associated with claims payments do not exceed the cost of 3D-Secure technology, it’s more convenient for a company to work without it.
How to find out whether your financial data have been stolen?
Regularly check your account statements. Usually fraudsters make a large number of purchases in a very short time, and the amounts tend to increase from one purchase to the next. The most frequent purchases: transport tickets, cosmetics, devices. Another great control measure is an SMS notification for every debit from your account.
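The pattern just described (many debits within minutes, amounts climbing, in the categories named) can be turned into a simple statement monitor. The Python below is an added example run over constructed statement lines, not Bilderlings' fraud detection; the 30-minute window, the minimum of three debits and the category list are assumed thresholds.

```python
from datetime import datetime, timedelta

# Constructed statement lines: (timestamp, merchant, category, amount in EUR).
# Rows 3-6 imitate the burst the article describes; the rest is ordinary spending.
STATEMENT = [
    ("2024-03-01 09:12", "Coffee Corner", "food", 3.40),
    ("2024-03-01 13:05", "Supermarket", "groceries", 52.10),
    ("2024-03-03 18:30", "AirTickets.example", "transport", 39.99),
    ("2024-03-03 18:34", "Beauty Shop", "cosmetics", 89.00),
    ("2024-03-03 18:41", "Gadget Store", "devices", 349.00),
    ("2024-03-03 18:47", "Gadget Store", "devices", 799.00),
    ("2024-03-05 08:10", "Public Transport", "transport", 2.00),
]

RISKY_CATEGORIES = {"transport", "cosmetics", "devices"}  # categories the article names


def burst_alerts(rows, window=timedelta(minutes=30), min_count=3):
    """Flag runs of at least `min_count` debits that start within `window` of each
    other; each alert records whether the amounts rise and how many of the debits
    fall into the categories fraudsters favour."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), merchant, category, amount)
        for ts, merchant, category, amount in rows
    )
    alerts = []
    i = 0
    while i < len(parsed):
        j = i
        while j + 1 < len(parsed) and parsed[j + 1][0] - parsed[i][0] <= window:
            j += 1
        run = parsed[i:j + 1]
        if len(run) >= min_count:
            amounts = [r[3] for r in run]
            rising = all(x < y for x, y in zip(amounts, amounts[1:]))
            risky_share = sum(r[2] in RISKY_CATEGORIES for r in run) / len(run)
            alerts.append({
                "start": run[0][0].isoformat(timespec="minutes"),
                "count": len(run),
                "total": round(sum(amounts), 2),
                "rising_amounts": rising,
                "risky_category_share": round(risky_share, 2),
                # one point each for: a burst, rising amounts, mostly risky categories
                "score": 1 + int(rising) + int(risky_share >= 0.5),
            })
            i = j + 1  # continue after the burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in burst_alerts(STATEMENT):
        print(alert)
```

An alert with a score of 3 is the case to act on immediately (block the card and call the bank), while a score of 1 may simply be a normal shopping trip; the SMS notification the article recommends delivers the same signal in real time, one debit at a time.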
These purchases are only made in online stores?
No, the stolen card data can easily be written onto a counterfeit card. Such cards are bought and programmed on the black market.
What should I do if my account is used by a fraudster?
Once you discover purchases on your account that you did not make, contact your financial institution immediately. First, you need to block the account, and second, file a written statement to begin an investigation. If the purchases were made via websites without 3D-Secure, your money will be returned; in other cases, the financial institution will begin its investigation.
Other measures for protection of your data
Viruses are one of the main threats to financial security. Therefore, it is worth following all standard anti-virus measures.
Check the recipient of funds
If you pay by invoice – i.e. when an invoice is sent to you by email or SMS – do not forget to check the recipient of the funds. With the help of viruses, fraudsters can monitor email, intercept a message containing an account number and replace the real supplier’s number with their own.
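A practical version of "check the recipient of funds" is to keep the account numbers of suppliers you have already paid and hold any invoice whose number differs, after first checking that the number is even a well-formed IBAN. The Python below is an added example, not the original article's code; the supplier book is constructed (the IBANs are the public example numbers for Latvia, Germany and the UK) and the verdict wording is an assumption.

```python
import re

# Constructed "address book": supplier name -> IBAN from previously verified invoices.
KNOWN_SUPPLIERS = {
    "ACME Supplies SIA": "LV80BANK0000435195001",
}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters A-Z
    to 10-35 and verify the resulting number is 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)  # 'A' -> '10', ..., 'Z' -> '35'
    return int(digits) % 97 == 1


def check_invoice(supplier: str, iban_on_invoice: str) -> dict:
    """Decide whether an invoice may be paid as-is or must be confirmed with the
    supplier through a channel other than the email that carried the invoice."""
    iban = re.sub(r"\s+", "", iban_on_invoice).upper()
    known = KNOWN_SUPPLIERS.get(supplier)
    if not iban_is_valid(iban):
        verdict = "reject: account number is not a valid IBAN"
    elif known is None:
        verdict = "hold: first payment to this supplier, confirm the account by phone"
    elif iban != known:
        verdict = "hold: account differs from the one previously paid, confirm by phone"
    else:
        verdict = "ok"
    return {"supplier": supplier, "iban": iban, "verdict": verdict}


if __name__ == "__main__":
    # the genuine invoice, a tampered one pointing at another (valid) account,
    # and one with a mistyped number
    for sup, acct in (("ACME Supplies SIA", "LV80 BANK 0000 4351 9500 1"),
                      ("ACME Supplies SIA", "DE89370400440532013000"),
                      ("ACME Supplies SIA", "LV80BANK0000435195002")):
        print(check_invoice(sup, acct))
```

The checksum only catches typos and clumsy edits; a fraudster's own account is a perfectly valid IBAN, which is why the comparison against the number you paid last time, and a phone call on any mismatch, is the part that actually stops the swap.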
Buy reliable antivirus software
Use licensed software
If you use pirated software, then every update, and indeed every action, is a potential risk: no one knows what has been built into the program’s code and no one is responsible for it.
Do not take unnecessary actions
Do not download, install or run anything on your computer unless you are 100% sure that it’s not harboring a virus. Of course, we’re not talking about security updates for the operating system here!
Leave the website correctly
Leave the website of your financial institution through “Exit” or “Log Out”, not just by closing the tab or browser or clicking the cross in the upper right-hand corner. This is especially important if you are using someone else’s computer or sitting in an internet cafe. Even if a fraudster who finds the session still open could not complete a transaction, he would have access to your personal data, which today is as valuable as gold.
And last but not least, make sure that all of your passwords are safe. Sounds strange, right? But did you know that about 2 million people still use “123456” for their passwords? Bill Hess, the creator of PixelPrivacy.com, found inspiration to put together a comprehensive guide that covers everything you could imagine relating to password security: the risks of using the same one multiple times, how to use a manager, and how to pick a secure, memorable phrase. Please visit https://pixelprivacy.com/resources/reusing-passwords/ to find out more, and stay safe.
Bilderlings is grateful to the company’s security department for helping to prepare this material.