Welcome to the first article in the Staying Cyber Secure series, a series in which I show the tools and techniques to stay secure when going about your daily life.
Shopping is an important part of our lives. With the current risks associated with it, it is important to know how to mitigate said risks. This article breaks down the tools and techniques to make you confident when shopping both online and in-store.
Shopping Online
Shopping from the convenience of your personal device is a luxury as everything is just a swipe or touch away. But in an online landscape, you can be compromised using a variety of methods. Here are some strategies to prevent someone getting access to your financial details:
Dynamic CVC/CVV
On every credit card, you have a 3 or 4 digit code called a CVC or CVV. This code is used to help verify transactions just like how you would use a pin with a physical card in store.
Since this always stays the same, if a website were to get compromised or you have your card details phished (tricked into giving details) or key logged (spyware that records your inputs), bad actors have enough details to make a fraudulent purchase as if they had possession of the card physically.
Using a dynamic CVC/CVV will allow you to make purchases with a code that routinely changes. The time the CVC/CVV changes is dependent on your bank. This helps reduce fraud by minimising the time the bad actors have to use the stolen credit card details. To access this feature, your bank will need to support it and you will need to have your bank's app installed on your mobile. From there, you can access a digital card where the dynamic CVC/CVV will be shown.
Since not all banks have this facility, they instead rely on other means to mitigate fraud such as an ID check, a one-time code sent to a mobile number and location factors just to name a few.
Westpac, a bank in Australia observed an 80% fraud rate reduction for customers using a dynamic CVC/CVV compared to using a static CVC/CVV. So, if you use your credit card online, consider using a dynamic CVC/CVV for an additional layer of protection.
Online Wallets
Instead of checking out using a credit card you can use an online wallet to complete the transaction. Online wallets work by initially saving the customers details including financial details. From there you can make a purchase by signing into that wallet and giving authorisation to the website. While the merchant will receive the transaction amount, they never see the financial details of a customer.
While most websites abide by a standard to securely store payment data called PCI DSS which stands for the Payment Card Industry Data Security Standard, there is a possibility that they may mishandle customer data. For example, Twitter/X had a glitch that stored passwords in plain text before masking possibly exposing 330 million users.
Having one company store your financial details versus many reduces the risk of stolen financial details. With the rise in data leaks using online wallets such as PayPal, Afterpay and more is another way to secure your online shopping experience.
Online wallets may also come with guarantees such as PayPal’s Global Purchase Protection which provides buyer protection if the item doesn’t arrive or doesn’t match the seller’s description.
Virtual Cards
A virtual card is a credit card that has been generated to make purchases online generally for a single purpose. Users who use these cards take advantage of the following:
- Subscription trials
- Purchasing from a new merchant
- Budgeting
Virtual cards are not tied to the customer’s financial details and allow you to place limits on where, how much and how often the card can be used. So, if the virtual card were to get compromised, you should not incur any monetary loss if you have set up the card with said limits. As with online wallets, your financial details are never shared with the merchant.
Privacy.com is a straightforward way to get started with virtual cards. If you are a business, you can contact your bank and see if they offer virtual cards which you can use for procurement or travel.
Shopping In-Store
While shopping online is getting more popular, shopping in-store offers the customer the ability to see, feel and gather information about a product. While it is less risky to be compromised in-store, you should consider or be using the following strategies.
Tap, avoid inserting but never swipe when using a credit card
Credit card technology has evolved thanks to the cooperation of major payment facilitating companies. An example of this is the EMV chip which stands for Europay, Mastercard and Visa, could not be more of a boring name if they tried but they did spearhead the development of the technology.
Before the introduction of the EMV chip, credit cards would use a magnetic stripe to process a transaction from a customer. Unfortunately, this magnetic stripe stores the data unencrypted meaning it is prone for duplication and a malicious technique called skimming which involves placing a device in front of a legitimate payment terminal to steal data. You should never swipe when making purchases and this is backed by payment facilitator Mastercard phasing out magnetic stripes by 2033.
EMV chips on the other hand are more secure because they do not transmit the card details but instead replace the card details with a unique token. The real card number is never transmitted. This token is then passed to the payment terminal via inserting or tapping. The token is then verified by a pin or without one if the tap purchase is below a certain threshold. Once confirmed the token is sent to the payment processor for authorisation.
While EMV chips are far more secure than magnetic stripes, it is prone to a malicious technique called shimming which involves placing a device directly into the chip reader of a terminal. While the chip cannot be cloned, the data harvested from it can be used to create a magnetic stripe version of the card which is still in use today. Shimming is harder to detect as the device is a slim piece of metal and cannot be seen to the naked eye.
So, to fully stay secure tapping is the best method. While inserting is still very secure, shimming while not common is a threat.
Mobile Wallets
Mobile Wallets work by creating a virtual version of a existing card that uses a virtual account number instead of the credit card number. Your actual payment card details are never stored on device. Mobile wallets use the same process as an EMV chip to authorise transactions via tapping.
A notable difference is that you use your device’s locking capabilities such as passwords, pins, biometrics, or others to verify the transaction. If we are being paranoid, cameras can pickup card details if accessed by a hacker or you may lose your card. Using a mobile wallet prevents these scenarios. No one can access your cards without unlocking the device.
Notable wallets include Apple Pay, Google Pay and Samsung Pay all of which are extremely secure.
While the security benefits are better than a physical card, there are 3 downsides:
- Mobile wallets require support from your bank to function
- Mobile wallets only work on payment terminals that accept tapping
- Mobile wallets require token keys to function which need to be refreshed after a number of transactions using the internet
Cash
As our lives become increasingly reliant on digital payment solutions, cash is still important to some customers and is still accepted by most stores.
Payment terminals are dependent on internet. If there is an issue with the terminal or the connecting servers, the store cannot process payments. In Australia, we recently saw this when Optus, a telecommunications provider had an outage that affected all their sim cards impacting payment terminals across the country.
Cash avoids these issues by being physical. While small cash payments are harmless, being visible with many notes could lead to a criminal trying to acquire your money in a physical manner.
Additional Tips
- Do not save credit cards and gift cards on websites. While it does offer convenience, recently some Australian brands were attacked using stolen login details.
- Lower your credit card daily limit to a reasonable amount. If you need to make a large purchase, raise the amount then lower it back. This will prevent large fraudulent transactions from going through if your details are compromised
- Do not talk about your financial details with anyone other than trusted friends or family
- If you know vulnerable people in your life, talk to them about these strategies
- When withdrawing cash at an ATM, request a cash code from your bank app if supported. These allow you to enter a code rather than using your card removing the risk of skimming/shimming
Conclusion
While we are inundated with the ways we can go about shopping alongside various technologies that also means that there are risks associated with it. Consider each of these strategies and see which of them best suit your lifestyle. You can be secure using all these strategies although some are stronger than others.
Let me know if any of these strategies have made you feel more comfortable shopping or share your current methods of staying secure.