Malware probably isn’t on your Christmas list, so here’s how to avoid it while shopping online this holiday season

This holiday season, millions of shoppers will take to the web in an attempt to avoid the craziness that is the mall at Christmas time. However, while shopping at the mall may result in a claustrophobic reaction as you wade through the sea of people, or heightened levels of stress as you wait in a 30-minute line to check out, it most certainly will not result in a Trojan, botnet or some other form of malware taking over your computer. So for those doing their shopping online this year, keep your computer and your data safe from viruses and scams by following the tips below, provided by Ronnie Flathers, an associate security consultant for security and risk management company Neohapsis.

  1. Use Good Password Practices – No surprise here – it seems to be on the top of every list of this kind, but some still don’t follow it. Passwords are still (and will continue to be) the weakest form of authentication. The two main rules for passwords are: (1) Make them complex; and (2) Make them unique. Complex doesn’t necessarily mean you need thirty-random-character monstrosities that only a savant could remember, but avoid dictionary words and don’t think that you’re safe by just adding numbers or special characters (“password1989!” is just as insecure as “password”). Lastly, passwords should be unique to each site.
  2. Store Sensitive Data in Secure Locations – Hopefully, you’ve followed the first rule and have unique, complex passwords for every site you visit. Now, how to remember them all? This is where I love to recommend password managers. Password managers securely store all your login information in an easily accessible location. I emphasize “securely” here, because I see far too many people with Word documents called “My Passwords” or the like sitting on their desktops. This is a goldmine for any attacker who has access to it! With password managers, you encrypt your “wallet” of passwords with one very secure password (the only one you ever need to remember), and can even additionally encrypt them with a private key. A private key works just like a physical key – you need a copy of it to access the file. Keep it on a USB stick on your keychain and a backup in a fire-proof safe.
  3. Use HTTPS – Ever notice how some sites start with https:// as opposed to http://? That little ‘s’ at the end makes a whole world of difference. When it’s present it means you’ve established a trusted and encrypted connection with the website. Its security purpose is two-fold: (1) All data between you and the site is encrypted and cannot be eavesdropped; and (2) You have established through a chain of trust that the website you are visiting is, in fact, who it says it is.
  4. Install Those Nagging Updates – Microsoft actually does an excellent job of patching vulnerabilities when they arise — the problem is most people don’t install them. Every other Tuesday, new patches and updates are released to the public. Microsoft will also release patches out-of-band, meaning as needed and not waiting for the next Tuesday, for serious vulnerabilities. These patches are a great way to fix security holes but also offer a nasty catch: Attackers use these patches to see where the holes were. Every “Patch Tuesday” attackers will reverse-engineer the Windows updates to discover new vulnerabilities and then attempt to target machines that have not applied the update yet. This is why it’s imperative to keep your computer up to date. So the next time your computer asks you to restart to install updates, go grab a cup of coffee and let it do its thing. It’ll save you in the long run. (Note: Mac users are not exempt! Install those updates from Apple as well!)
  5. It’s Okay to Be a Little Paranoid – My last tip is more of a paradigm shift than a tip: It’s okay to be a little paranoid. The old mantra “if it’s too good to be true, it probably is” has never been more applicable when it comes to common phishing schemes. I’m sure most people know by now not to trust a pop-up that reads “You’ve won an iPad – click here!” – but modern phishing techniques are much more subtle, and much more dangerous. It’s okay to mistrust emails and links. If something seems phishy (pun intended) then exit out. Services like PayPal and online banks will never ask for personal information over email, chat, or any avenue besides their main website. Your bank account information won’t be deleted and nothing bad will happen if you don’t immediately update your password, so take a second to make sure what you’re doing is actually legit.
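The first two tips, as an added example that is not part of the original article and not tooling from Neohapsis: a small checker showing why “password1989!” is no better than “password” (a cracker’s mangling rules strip the decorations and try the dictionary word underneath) and how a password manager’s audit can spot the same password reused across sites. The wordlist, the vault and the site names are all constructed for the example; a real check would load a full cracking wordlist instead of the seven words here.

```python
import re

# Constructed stand-in for a real cracking wordlist (a real check would load
# something like the rockyou.txt list); these entries are assumptions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty",
                "christmas", "shopping", "monkey"}

# Common character substitutions that cracking rules undo automatically.
LEET = str.maketrans("@$!013457", "asioleast")


def normalize(pw):
    """Reduce a password to the 'core' a rule-based cracker tries first:
    lowercase it, drop leading/trailing digits and symbols, undo leet-speak."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # "password1989!" -> "password"
    return core.translate(LEET)                      # "p@ssw0rd" -> "password"


def weaknesses(pw):
    """Return a list of problems with a single password (empty list if none)."""
    problems = []
    if len(pw) < 12:
        problems.append("too short")
    if pw.isdigit():
        problems.append("digits only")
    core = normalize(pw)
    if core in COMMON_WORDS:
        # Decorations do not help: the cracker reaches the core in a few rules.
        problems.append("dictionary word: " + core)
    classes = sum(1 for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
                  if re.search(p, pw))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def reused(vault):
    """Rule 2 (uniqueness): group sites whose passwords share the same core,
    so 'Amazon2023!' and 'Amazon2024!' count as the same reused password."""
    by_core = {}
    for site, pw in vault.items():
        by_core.setdefault(normalize(pw), []).append(site)
    return {core: sites for core, sites in by_core.items() if len(sites) > 1}


# Constructed sample vault: hypothetical site names, not real accounts.
SAMPLE_VAULT = {
    "shop.example": "password1989!",
    "bank.example": "P@ssw0rd",
    "mail.example": "Xk7#qL2v!pR9dWz",
    "forum.example": "Christmas2024",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_VAULT.items():
        print(f"{site:15} {weaknesses(pw) or 'ok'}")
    for core, sites in reused(SAMPLE_VAULT).items():
        print(f"reused core {core!r} across {sites}")
```

Run as-is, the audit flags shop.example and bank.example as the same dictionary word dressed up two different ways, and forum.example as a seasonal dictionary word with a year bolted on; only the randomly generated mail.example password passes. Real password managers do this kind of reuse audit for you, which is one more reason to keep the vault there rather than in a “My Passwords” document.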