Holiday shopping season is game time for hackers. International criminals have spent months doing the cyber equivalent of pushups, wind sprints and other technical training that will be used to steal information on millions of holiday shoppers who do their purchasing online. If past years are any indication, it won’t be a fair fight.

An October survey from the National Retail Federation found that 46 percent of all holiday shopping this year is expected to take place online. But some of the biggest players in e-commerce, including Amazon and Walmart, failed a basic Internet security test, and cybersecurity researchers just announced the discovery of what looks like the most sophisticated strain of malicious software ever to target U.S. retailers. The good news is that following just a few basic security practices could be enough for online shoppers to avoid getting caught up in the next data breach.

Fix Your Password. Seriously.

When the password security company Dashlane surveyed the top 25 e-commerce sites last week, researchers found that 80 percent don’t meet the minimum secure password threshold, 72 percent don’t require passwords with a capital letter and a number or symbol, and 32 percent permit customers to use the 10 most common (and vulnerable) passwords, like “password.” Apple, Target, Best Buy and Newegg were among the top performers, but Amazon, Walmart, Macy’s, Cabela’s, Staples and others failed miserably.

The biggest takeaway? Customers should take care of themselves.

  • Use a password that’s at least eight characters long. Include capital letters, numbers and punctuation marks.
  • Don’t use a single word that can be found in a standard dictionary. Hackers use tools that automatically try to log in to user accounts thousands of times, first using the most commonly used passwords (like “123456,” or “password1”) then trying every word in the dictionary. Instead, use a random phrase with meaning only to you.
  • Never use the same password for multiple sites. It’s the equivalent of using the same key for the house, car and office. Losing one means losing them all, and if it happens online it could lead an attacker to banking information, credit card numbers, private correspondence, secret business information and anything else.
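The three rules above, together with the Dashlane criteria cited earlier (minimum length, a capital letter plus a number or symbol, not one of the 10 most common passwords), can be expressed as a small checker. This is an added illustration, not code from the article or from Dashlane; the common-password and dictionary lists are constructed stand-ins, and `used_elsewhere` is a hypothetical set of passwords the shopper already uses on other sites.

```python
import re
import string

# Constructed stand-in for the "10 most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "password1", "12345678", "qwerty",
                    "abc123", "111111", "letmein", "welcome", "monkey"}
# Constructed stand-in for a standard dictionary (a real checker would load one).
DICTIONARY_WORDS = {"holiday", "shopping", "december", "reindeer", "snowflake"}


def check_password(pw, used_elsewhere=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation mark")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("one of the most common passwords")
    # Strip digits and punctuation so "Holiday1!" is still recognised as the
    # dictionary word "holiday" with decoration bolted on.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in DICTIONARY_WORDS:
        problems.append("a single dictionary word with decoration")
    if pw in used_elsewhere:
        problems.append("reused on another site")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Holiday1!", "RedSled#42nights"):
        print(candidate, "->", check_password(candidate) or "ok")
```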

“If you think you came up with one rule for all your passwords, the chances are hundreds of people have already thought of the same thing,” said Emmanuel Schalit, CEO of Dashlane. “We’re all humans, and unfortunately we all think the same way. Hackers do something very simple in that they just rely on the assumption that most humans are lazy.”

Look For The Lock

It’s never wise to input payment information into any website that doesn’t use an encrypted Secure Sockets Layer (better known as SSL) connection. The easiest way to check is to look in the browser’s address bar for HTTPS instead of the usual HTTP, and make sure that little lock is in place. That lock is essentially an Internet browser’s way of saying, “You can trust that your connection to this site is private,” and that outsiders aren’t lurking on the network waiting to steal financial information.

SSL authentication is also the quickest way to verify that a site is what it appears to be. The number of phishing sites typically surges between Black Friday and Christmas, with fraudsters using fake emails to point customers to “deals” too tempting to resist. Instead of forking over a pile of cash to a gang of international thieves, though, first look for the lock to make sure the deal is all it appears to be.

Breaking Into Your Account Is Someone’s Job

Criminal gangs in the former Soviet states often employ dozens of skilled, educated workers who work in nondescript office buildings in eight-hour shifts. It’s the sole responsibility of these employees to get between Western Internet users and their credit and banking information.

One of the best ways to avoid being victimized is to avoid leaving a data trail whenever possible. Some tips for minimizing risk:

  • Delete unused accounts. Sites often require shoppers to create a new account, even for one-time purchases. Users will enter a new username and password, buy a gift for Mom, then leave that account open forever without a second thought. If that site is breached months or years later, it’s possible attackers will have access to leftover transaction information.
  • Don’t fill out any unrequired information fields at checkout. That’s just dumb.
  • Use two-factor authentication whenever possible. It’s a process that requires users to prove their identity twice -- by entering their log-in credentials, then entering a code sent via text message, for example -- and has been adopted by Amazon, eBay, Etsy and dozens of other big names.

Pay With A Credit Card -- Or Just Use Cash

Sure, dealing with a stolen credit card is annoying, but it’s nothing compared to a lost debit card. Fraudulent credit charges can be disputed and often eliminated altogether. A criminal with access to debit card information, though, has a better chance of withdrawing funds directly from an account, which helps explain why thieves are targeting ATM machines now more than at any other time in the past 20 years.

That risk isn’t limited to Internet purchases. Cybercriminals used Target’s cash registers during the 2013 holiday season to prove they could steal information on tens of millions of shoppers by infecting point-of-sale software.

The pressure is on again after the cybersecurity firm iSight announced it found ModPOS, which one researcher told Fortune “is by far the most sophisticated point of sale malware we’ve seen to date.” It’s a strain of malware that exploits the software used to power checkout registers. It includes tools that enable a hacker to remotely manipulate the machine’s operating methods and log keystrokes performed on the machine, helping thieves collect more customer information while avoiding detection.

The company hasn’t disclosed which retailers have been affected, saying only that the attack is likely ongoing, but there’s only one sure way for customers to stay safe: Pay in cash.