BlackBerry Blog

Defensive Shopping

FEATURE / 11.26.14 / Brian Wallace

This year there has been an almost constant reminder of point of sale malware affecting enormous numbers of people and retailers. While it is the responsibility of the retailers to protect the shoppers, self-protection is not completely out of your hands as a shopper. In this post, I will cover the threats you face when shopping at retailers, as well as multiple mitigation strategies to consider.

The goal of this post is to prepare you enough that you will be relatively safe from fraud while shopping this holiday season. The focus is on shopping at brick and mortar stores, but online shopping tips will be covered very briefly. With the past year of point of sale compromises, this information is needed to minimize your exposure to attackers, limit how much can be stolen, and maximize how much you can get back if fraud happens. It is clear that there will be more point of sale breaches, and there are probably a large number of active ones, so you should be prepared for the inevitable.

Online shopping is strongly recommended, with some restrictions. Stick to more reputable sites when purchasing items online this holiday season. They have a large budget to maintain their security, and are more likely to respond to a large scale compromise. Not responding responsibly would cause serious damage to their reputation. An additional key to shopping online is to use a payment service. Payment services such as PayPal and Google Wallet help protect your payment details when purchasing online, which makes fraud more difficult.

The name of the game with defensive shopping is minimizing risk. There will always be some form of risk, but the criminals are looking for big scores. This means their targets will include the easiest to abuse marks as well as the most common targets. In order to help you minimize your risk, I'll explain some of the threats you'll face, then cover the safest methods.

Threats

There are only a few types of major threats, but knowing the basics of how they work may help you protect yourself this holiday season.

The most common type of point of sale malware, otherwise referred to as RAM scrapers, infects the point of sale terminals where payments are made. RAM scrapers function by looking in the memory of all running processes for credit card information, which can be fairly easy to identify. They often limit what credit cards they take by the service code (which defines the type of credit card). Debit cards that act as credit cards can still be stolen this way. This malware is very simple to develop, and it is possible that an attacker would be able to create a new family of point of sale malware in under two weeks. It should be noted that point of sale malware can also affect restaurants.
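Card data is easy to identify because the magnetic stripe's Track 2 record has a fixed layout and the card number carries a checksum. The sketch below is an added example, not code from the original post: a defender's check that scans a buffer (a log file or a dump taken from your own terminal) for cleartext Track 2 records and reports them with the card number masked. The function names and the sample buffer are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Report cleartext Track 2 records in a buffer, with the PAN masked."""
    findings = []
    for m in TRACK2.finditer(buf):
        pan, service = m.group(1).decode(), m.group(3).decode()
        if not luhn_ok(pan):
            continue            # digits in the right shape, but not a card number
        findings.append({
            "offset": m.start(),
            "pan": mask(pan),
            "service_code": service,
            "chip_card": service[0] in "26",   # first digit 2 or 6: card carries a chip
        })
    return findings


# Constructed sample: industry test card numbers, not real accounts.
SAMPLE = (b"\x00\x17txn=0042 ;4111111111111111=25121010000000000?\x00"
          b"pad;4111111111111112=25121010000000000?\x00"
          b";5555555555554444=26012011234?\xff")

if __name__ == "__main__":
    for f in find_track2(SAMPLE):
        print(f)
```

Any hit in a terminal's logs or memory dump means track data is sitting in the clear where a RAM scraper could also find it.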

Skimmers are devices which are installed on ATMs. Their purpose is to scan your debit card as well as steal your PIN code, so your debit card can be used fraudulently. Skimmers are often very elaborate ruses, as their effectiveness is strictly based on how many people they can convince. The process of installing a skimmer generally requires that the ATMs are somewhat isolated, but it's not improbable that an ATM installed on the property of a bank branch could be compromised. Brian Krebs, a wonderful resource to look to for the latest trends in computer fraud, has a somewhat dated but still relevant post on skimmers here.

One of the biggest threats in computer security is the unknown. Not knowing if something is secure, or not knowing if it has even been thoroughly vetted, means there could be low hanging vulnerabilities that can be exploited. While these are the things that keep the security industry up at night, there is a pretty simple way to avoid issues with most of these. Avoid new payment methods where possible. If the payment method is relatively new or has not been widely adopted, you are putting yourself at unnecessary risk.

Safest Method

I would be remiss if I didn't define at least some best practices that you could be proud of using. If these are too inconvenient, as quite a few methods of protecting yourself can be, you should use the knowledge from the rest of the post to weigh the pros and cons and protect yourself within your level of risk tolerance.

The safest method, at least from a computer security perspective, is to just use cash. Not particularly convenient, but safe in most cases. Avoid getting the cash from ATMs, but instead withdraw through a bank teller. This method can be reasonable if you know exactly what you want ahead of time, but far less convenient for impulse shopping for your cousin you only see once a year.

To make this method work more for you, a similarly safe method is to buy gift cards (using cash), and use them for purchases. One option with this method is to buy gift cards for the stores you plan on shopping at. This can cause issues with having spare money on the cards, and really limits your options. You can potentially get some of the money back off these gift cards, but there are easier options.

A far nicer alternative is prepaid debit cards, which certain credit card distributors sell. These can be used as credit cards, but have no line of credit, and are limited to only the money you put on them. The advantage of these is they are often ignored by point of sale malware, and even if they were not, you control how much could be stolen by limiting how much money is available from the card. This could also be a great way to keep your holiday spending within reason, as it would make sense to budget approximately how much you wanted to spend before you went out.

Things to Avoid

More important than anything, there are methods and situations that put you at a strong disadvantage.

When using your debit card, you may have limited protection from fraud. Many banks provide protection, but at a price. While one may or may not have this protection, it is commonly limited to a particular amount. Even if there is a daily limit, it could be days before you or the bank acknowledge the fraud, and you might not be reimbursed for a large amount of money. Even if you are reimbursed, this could make you late on various payments if it is your only bank account.

While there are multiple mobile device based payment methods designed for convenience, they are not battle tested, and who is responsible for fraud is unclear. For instance, Apple Pay was recently released with the usual fanfare of an Apple product launch. Even though it is based on the preexisting NFC technology, there are still large parts that have unknown risk. An attacker planning to exploit Apple Pay would not have exposed their attack before this holiday shopping season, as that would allow for fixes to be applied by retailers and Apple. Not to mention there have already been technical issues with Apple Pay double charging some users. CurrentC is another alternative that got off to a very rocky start when their user database was exposed by attackers even before the launch. At Pwn2Own Mobile this year, Android devices were exploited via NFC, the technology behind Google Wallet's predecessor to Apple Pay. While those issues are being resolved, it shows the technology is still not reasonably safe.

ATMs in isolated or hard to see areas are far more likely to have skimmers installed. If you believe you could possibly use a screwdriver on the ATM without being noticed by personnel or caught on camera, there is increased risk of a skimmer being installed. Since skimmers rely on deception, there is limited advantage gained by studying existing skimmers. If forced to use an ATM, keep to ATMs that require a bank card to get physical access to.

Nobody is Perfect

If you insist on continuing to use a normal credit card, there are some ways to do this reasonably. Using a credit monitoring service can be useful, as well as ample fraud protection. As these are both reactive, you also want to avoid using a single high limit credit card. Spreading your spending across particular cards with lower limits will decrease your risk. If at all possible, try to use only one credit card per retailer. This way if any of the retailers you use are compromised, the exposure is limited, and will not be a major damper on your holiday season.

Chip and PIN secured credit cards are more secure than normal credit cards. There are some well known attacks against the Chip and PIN technology. These attacks are far less common, but so are retailers that actually accept this technology in the US.

Summary

Shopping in this day and age has inherent risk. Mitigating this risk can be done in various ways, with varying degrees of effort required. The risks of shopping online are much easier to mitigate. Using cash or prepaid debit cards is your safest option if obtained and used responsibly. Payment methods such as Apple Pay should be avoided until they have been around for much longer. Chip and PIN is an improvement over standard credit cards, but there are known attacks against it, so there is still some risk. Happy holiday shopping!

Brian Wallace

About Brian Wallace

Lead Security Data Scientist at Cylance

Brian Wallace is a data scientist, security researcher, malware analyst, threat actor investigator, cryptography enthusiast and software engineer. Brian acted as the leader and primary investigator for a deep investigation into Iranian offensive cyber activities which resulted in the Operation Cleaver report, coauthored with Stuart McClure.

Brian also authors the A Study in Bots blog series, which covers malware families in depth, providing novel research which benefits a wide audience.