Americans will line up around stores and standby their computers or smartphones to take advantage of Black Friday and Cyber Monday deals, but protecting their private information should also be priority for shoppers.

During the holiday season many shoppers are harmed by failing to take simple precautions, says Gene Richardson, COO of Experts Exchange, a network for technology professionals.

In Store Vs. Online

Retail stores are one of the top areas identity thieves go after, Richardson said in an email to the IBTimes. A large number of some of the biggest identity thefts in the past few years were at large retail stores, he says.

Long lines and busy cashiers could potentially put your private information at risk.

“All the clerk cares about is getting you through the line as fast as they can so they can deal with the next customer and hope that none of you are angry,” says Richardson. “So, if there is a hiccup with your transaction, they will take “backup” paths to complete your transaction like entering your credit card number by hand.”

Richardson, who is also the former head of the data security teams IBM, Charles Schwab and Motorola, says customers should never give their credit card to someone to perform a transaction by entering a card number.

“Hand transactions are a huge risk for identity theft,” he says.  

Customers should also avoid buying if a cashier’s computer is down or too busy, unless it’s with cash, or try to go back later.

Credit card scanners are also a threat to customers, as some of them may be rigged to copy a person’s information so that a duplicate credit card can be made. People may be less exposed to this action in large retail stores, but the risk is higher in smaller boutiques shops, says Richardson. Customers should also make sure their credit card number is not printed on receipts and should instead have XXX's where the number is displayed.  

But online purchases can be riskier because of all the extra information customers hand over, like their name, address, phone number, credit card information, expiration date and CSV.

“They ask for so much more information from you to validate who you are than a purchase in a retail store,” says Richardson. “You have no control of who or where that information is going.”

Tips to Protect Yourself

Here are Richardson’s tips for shoppers on how they can protect themselves on Black Friday and Cyber Monday:

  • Ensure that the website address is secure and has a valid encryption certificate. It will usually display a “locked, green” indicator in front of the website name.  If it doesn’t have that, it does not have a higher level of security that has been guaranteed by a known entity like Verisign, Symantec and others.

  • Ensure your system has the most recent recommended system and security patches.

  • Always use a credit card that is not tied directly to your personal bank account(s), even if you are using PayPal, Bitcoin or some other payment method.

  • Never give anything other than name, address and phone number. You should not need to answer security or privacy questions when making a purchase or checking out.  If they ask, see if you can checkout as a “guest” instead.

  • Monitor your credit through a third party for identify theft and have SMS and email alerts sent to you immediately.

  • Set-up alerts with your credit card company that send both SMS and emails when any purchases are made and the credit card was not scanned (meaning, it wasn’t in someone’s hand when the charge was made). Set them as low as $25 per purchase.  Also, set-up alerts for total purchases over $500 in a billing period to protect multiple $24.99 purchases. And if possible, a maximum amount of purchases allowed in a billing period such as $1500 before card will get declined.

  • Ensure that you have a reputable Antivirus program running on your computer and that your browser has an Ad blocking plug-in. (Richardson recommends Norton, McAfee or ESET.)

  • Ensure that the network your computer/device is on is secure and you know who has access to your network. This is usually done with your router. You want to lock down your router so that traffic can be initiated from the inside-out but you do not want traffic to be initiated from the outside-in. If you are using a WiFi connection, make sure that network is also secure and requires a password to join.  If it is a public WiFi network that doesn’t require a password, then the traffic coming from your device can be monitored and stolen. (Link to onsite how-to article?)

  • Any passwords that you use should be strong, hard to guess ones.  Or, even better, hard to guess, but easy to remember.

  • Don’t click on unfamiliar links to sites advertising sales, coupons, etc.

  • Use two-factor authentication/verification, if it is offered.

Shopping on Mobile Devices

One in 10 mobile apps that are found through searching “Black Friday” are blacklisted as malicious, according to cyber security company RiskIQ

An estimated 30 percent of purchases will be made on mobile devices, RiskIQ says. Shopping on mobile devices can substantially increase the risk of encountering phishing pages, malicious apps, and viruses that infect customers’ smartphones and tablets to steal money and private information. There are also fake apps out there that contain malware that can steal customers’ data or lock the device until the user pays a ransom, says RiskIQ. Other malicious apps may ask consumers to use their Facebook or Gmail logins, which could compromise their private information.

Tips For Safe Shopping on Mobile Devices

Here are some tips from RiskIQ:

  • Ensure that you are only downloading apps from official app stores such as Google or Apple  

  • Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.  

  • Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.  

  • Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags— threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

  • Check website addresses after following links on Twitter, Facebook, or other social media channels to be sure you end up on the true website of the retailer you want.  

  • Look for the “S” in HTTPS when you visit shopping sites. Beware of shopping sites that do not use HTTPS in their website addresses or do not display the symbol of a lock next to the web address. Secure sites use HTTPS, and without that, you’re dealing with unsecured connections or weak encryption of personal data.  

Protect Yourself From a Major Headache

For those who might not want to go through the hassle of setting up credit card alerts on purchases or locking down their router, it’s important to remember that it can and save consumers from a major headache.

“Identity theft could cost you several thousand dollars in actual money and can cost you a lot more in your personal time and future anticipated losses cleaning up after the fact,” Richardson said.

“The impact of identity theft could last years as you personally have to work to call all your creditors to fix your credit, loss of credibility for future purchases of a home, car, etc. as your credit scores will have been impacted, the effect on future employment opportunities as background checks are run and many, many more,” he added.