Black Friday: What to watch out for when you hit the stores


Here’s the first of three pieces we’ll be publishing this Thanksgiving weekend.

That’s the weekend that brings us Black Friday, a shopping day so busy in the USA that it is said to mark the point for many retailers at which their accounts for the year move into profitability, thus getting them out of the red and into the black.

And if that’s not enough, the online era has brought us Cyber Monday, when you can catch up online and buy all the bargains you missed in store over the Black Friday weekend.

In other words, this is a great time for us to offer you advice that will not only improve your cybersecurity over the coming weekend, but also keep you more secure through Christmas and the holiday season, all the way into the New Year and beyond.

Here’s what we’ve got lined up:

  • Tuesday 22 Nov 2016 (today): Black Friday: What to watch out for when you hit the stores.
  • Wednesday 23 Nov 2016 (tomorrow): Cyber Monday: What to watch out for when you hit the web.
  • Thursday 24 Nov 2016 (Thanksgiving Day): Facebook Live Video: Don’t be a security turkey this Thanksgiving.

The Facebook Live video is scheduled for 16:00 UK time (4pm), which is 11am on the US East Coast and 8am on the West Coast.

If you can tune in to our Naked Security Facebook page at that time and join in, we’d love to have you; if you can’t make it, the video will be available to watch any time afterwards.

Here we go.

Four tips to keep you safe on Black Friday.

1. Keep control of your credit card

If you have a Chip and PIN card (or Chip and Signature in the US), use the chip and avoid swiping the card.

For most point-of-sale devices, that means inserting the card into the slot at the bottom rather than swiping the magstripe of the card along the side of the machine as in the old days.

Chip and PIN isn’t perfect, but the data on your card’s chip is almost impossible to clone, whereas the magstripe is read in its entirety every time you swipe, and is trivial to skim.

Skimming is where crooks make an unauthorised copy of the data on your card, for example using a tiny additional magnetic read head hidden in the skimming slot, and use that data to make a working facsimile of your card.

Chip transactions also provide better protection against the sort of hack that saw tens of millions of credit cards skimmed at Target stores in the US around Thanksgiving in 2013.

The Target hack involved malware on each cash register that watched out for magstripe data appearing in the computer’s memory.

In contrast, during a chip payment you can’t “sniff out” card data from cash register’s memory because the data in each transaction depends on one-off cryptographic calculations done inside your card.

That makes each transaction a bit like two-factor authentication (2FA), where each login code is unique and can’t be used again.

Don’t forget to cover your PIN hand completely while you’re typing in your code.

Shielding your typing hand is a simple precaution to protect your PIN from shoulder surfing (where the person behind gets a clear view of your typing) and any video cameras that might be in the vicinity.

Sadly, many merchants in the US have adopted chip readers in order to reduce their liability, but nevertheless actively try to discourage you from doing chip transactions.

If you think you’re going to be faced with stores that simply won’t let you pay by chip, consider taking your business to retailers who will, or using cash instead, or buying a prepaid debit card in advance with as much balance on it as you’ll need on Black Friday

Apparently, the reduction in liability comes from having the reader installed, not from actually using it. Swiped purchases apparently still go through faster in the US than chip transactions; in a busy retail period such as Thanksgiving and the holiday season, shorter waiting times keep both shopkeepers and customers happy. In other words, there’s not much incentive for retailers to encourage customers to get into the habit of chipping, or for customers to insist on it.

2. Check your statements promptly

If you go on a retail outing during the holiday season, you’ll probably end up doing lots of small transactions along with any significant purchases you might make.

Even if you’re really careful about keeping track of how much you’ve spent, the final amount may well vary from what you expect.

For example, there’s the coffee shop you stopped at to decide if $1499 was too much to spend on a new bicycle, there’s the impulse decision to take a taxi back to the station instead of trying to get your new bike on the bus, and so on.

If you end up $9 over what you figured, it’s easy to assume it was a small miscalculation and to shrug it off as an absorbable side-effect of your Black Friday session.

However, if it wasn’t a miscalculation, then it was a fraudulent transaction instead, and whether it’s $9 or $999, it’s still makes you a victim of cybercrime.

If you’ve ever been skimmed or “carded” before, you’ll know that bogus transactions often happen in bursts, and in varying amounts; the sooner you spot that something is wrong, even if it’s just a modest amount, the sooner you can raise the alarm.

So don’t forget to go through your statements carefully to make sure that the only charges are ones that you incurred yourself.

If your bank supports SMS-based notifications for transactions against your account, consider enabling that feature.

That way if someone manages to pickpocket or clone your card, you’re likely to receive an alert as soon as they try to use it at an ATM or in a store.

3. Slim down your radio footprint

If you’re like most people, you may very well leave location services turned on all the time on your mobile phone.

That means you can quickly find yourself on the map if you get lost, re-orient yourself, and figure out a new route to your destination.

Modern mobile phones typically use a cocktail of signals to pinpoint where you are, and regularly call home to Apple, Google, Microsoft and various other app vendors.

The signals used to track you include GPS (which gives an absolute location but doesn’t work terribly well inside modern buildings like shopping malls), Wi-Fi and Bluetooth.

Wi-Fi and Bluetooth can’t compute your actual position, but they can call home with a list of other wireless devices in the vicinity, including indoors.

This provides a relative location that can be compared with a central database to see if there’s an earlier record of an absolute location for any of the devices you’re near right now.

For example, if Google StreetView recorded the exact location of the ACME Coffee Shop Wi-Fi access point last year, then that’s a good first guess for where you are now if you are in range.

Likewise, tiny Bluetooth beacons from companies like Apple and Google can track you indirectly.

These beacons transmit unique identifiers that your phone picks up, for example as you walk around a store; the manager of the store registers each beacon’s identity and location with the vendor’s database; and your phone then calls home with those unique identifiers as it encounters them.

The beacon vendor therefore acts as a sort of “location tracking broker” between you and the store, allowing the store to paint a possibly very precise picture of where you went and what you did as you passed through.

Indeed, in a busy shopping mall, stores may be actively competing for your business based on where you’ve been, where you are now, and where you might go next.

The problem with letting anyone and everyone track you wherever you go is that the more data that’s needlessly collected about you, the more likely it is to get breached at some stage.

Our recommendation, this Black Friday, is to try turning off location services altogether and seeing if your retail experience is any different.

If it isn’t, or ends up being even better because you’re hit up with fewer targeted ads you don’t like, you will have learned a usable technique to improve your privacy in the future.

4. Cybersecurity is for life, not just for Thanksgiving

We say this at every special holiday, major sporting event, and more.

Black Friday would, indeed, a bad day to be incautious about security, but the advice we’ve given here won’t lose its value when the Thanksgiving weekend is over.

If you decide to use Black Friday as a reason to take cybersecurity more seriously…

…we urge you to make that a lasting digital lifestyle choice!