Obama’s cybersecurity commissioner offers advice on how to keep safe when shopping online

Shopping is a big part of the holidays, whether you’re heading to the grocery store for a festive feast, or trawling Amazon for last-minute gifts. Online criminals are aware that people might let their guard down, given the many other stresses of the season, so they’re on alert for potential targets.

It’s not impossible to get through the end of the year without becoming a victim, but your chances of doing so are much improved if you take the proper precautions. Digital Trends caught up with former cybersecurity commissioner to President Obama, Eric Cole, to get some insight on the best ways to stay safe and secure.

Digital Trends: What sort of things can consumers do to stay safe while shopping online?

Eric Cole: First and foremost, use common sense. I know people are always wanting these crazy, high-tech pieces of advice from me, but they’re not practical. What I always say is that cybersecurity is not about doing crazy, complex things. It’s doing simple things in a consistent manner. If we just used basic common sense online, we would be much safer.

For example, one of the big hacks we’ve seen this year is that adversaries will buy ads on search engines like Google. Now, you’re looking for that perfect gift, you go to Google and put in the search term, and the second, third item that appears up in that search shows the items for 80 percent off.

You can’t believe your eyes, right? This item is hard to get, nobody’s discounting it, and here it is for 80 percent off. You just can’t help yourself. You click on the link, and in those three seconds where you’ve clicked on the link, boom – your computer is compromised, your identity is stolen, your credit card information is gone. It’s that easy. One click is all it takes, so you want to be very careful about where you’re going.

Stick to those mainstream sites, and remember: deals that seem too good to be true are too good to be true. I’ve heard very, very, very few cases where seeing these crazy discount sites pays off for consumers. Be smart, look at the big sites, and be careful about giving out your personal information.

Is there a greater threat of being subjected to an attack at this time of year?

Yes, and there are three reasons. One, the adversaries are more active. Remember, adversaries don’t typically target an individual, they target a number. They don’t care if you’re Bill Gates or Bubba Gates, what they want is 10,000 credit cards. They want 10,000 identities. During the holiday season, because there are so many more people online, there’s a lot more people they can compromise.

Former C.I.A. Technology Director, Dr. Eric Cole (credit: Security Haven)

Second, people have such large amounts of transactions during the holiday that they don’t really check their credit card statements as closely as they should. At the end of the year, for Christmas, they might get two, three, or four pages. They’ll glance through it, but for most people, when they think fraudulent credit card activity, they’re looking for $20,000 purchases. That’s not reality. Most adversaries will do a $2 or $3 purchase here and there. So, if you just scan your credit card statement quickly, you will miss those fraudulent charges.

The trick with that is, contact your credit card company to do real-time alerting. I use this feature, and it’s awesome. Now, whenever my credit card is used for any purchase in a restaurant or in a store, I get an alert, and then I approve that this is authorized or unauthorized. A lot of people go, “oh, but Eric, that’s going to take two to three more seconds every time I approve a purchase.” Yes, but I will tell you that the probability of having credit card fraud is high, and that will probably cost you 300 to 400 hours. Do you want to take two seconds now, or 400 hours later, when your credit card gets compromised?

Does the Equifax breach demonstrate that we need to be less trusting of how others use our data, as well as keeping an eye on our own activity?

Yes! This is one that I’ve been pushing for a while, and some people get upset with me when I say this, but security is your responsibility. It’s terrible that our information was in Equifax, it’s terrible that it happened, but that is ultimately your responsibility. Cybercrime has a high payoff and very low risk, so this problem is going to get a lot worse before it gets better. You cannot rely on third parties to protect you.

If you want to make sure that you’re protected, you segment out your life. For example, I have six different credit cards. I have one just for gas, one just for Amazon, one just for bill paying. And by doing that, now if there’s an issue, it’s not only contained and controlled, but it’s much easier for me to go in and get a new card.

How much of an impact does a person’s digital footprint have on their tendency to be attacked? Does having a greater amount of active accounts equate to greater risk?

Having a bigger digital footprint does increase your tendency, but it’s basically your public digital footprint. Every time you go to a site and you want to download a document, or somebody’s gonna give you a free gift, or they’re gonna give you a PDF, and they say, “please enter your name, your email address, and your phone number,” those are the things that really increase your probability of being a target. Some of those are good, lots of them are bad.

Adversaries will try every place they can to get that information. We’ve seen a lot of attacks where people on Craigslist will give their name, their phone number, and their email address. That’s public information, that anyone can see. Setting up an account isn’t really gonna increase your risk, if those are private accounts, if those are different passwords, if those are strong passwords. That’s OK. It’s the public information, the social media. The things you put out there that anyone can find will put a much bigger target on your back for a cyber criminal to come after you.

People often think about cybersecurity as someone taking control of an email account or similar, rather than compromising a physical token like an ATM card. How can we protect against credit and debit card fraud, whether online or in person?

First and foremost, repeat after me – credit cards are good, debit cards are bad; credit cards are good, debit cards are bad. You want to stay away from debit cards. If you want to use a debit card to go to the money machine and take money out, that’s one thing, but you do not want to use debit cards online, in stores or anywhere else.

The reason is, one, there are laws that protect you on credit cards. Debit cards have no such laws. Yes, many banks are usually nice about it, but they don’t have to be. If there’s a fraudulent charge on my credit card, it doesn’t come out of my account. It goes out of the credit card company’s account, and now if I debate it, or I contest it for six months while they investigate, they’re out the money and not me. If somebody uses your debit card, it immediately comes out of your bank account. Now, if you contest it for six months, you’re out the money for six months.

Also, be very, very careful of public wireless. Only use wireless in your trusted home. If you’re going to a store, what I do is, as soon as I leave my house, I just turn off wireless. It’s not worth the risk. It’s not worth that exposure. But once again, the most important thing is just common sense. Don’t trust anyone, and be careful of when and where you give out your information.

What are some of the similarities and differences of personal cybersecurity, compared with some of the other roles you’ve filled in your career?

Interestingly, in the last year, we’ve seen two things happening. One, more and more services moving to the cloud. Now that services are moving to the cloud, we can do some oversight of the cloud provider, but really, it’s all about the endpoint. Whether it’s a big company or a small company, or an individual, they all access servers from the internet, so it all comes down to making sure that endpoint is properly protected.

Second, adversaries are realizing that yes, there’s cases like Equifax where their servers were quite vulnerable, and it was very easy to break in, so they went after the servers, but in most cases the weakest link in any organization is the individual. So, the number one method of compromise for an organization is sending a legitimate-looking email to an employee and tricking them into opening an attachment.

Five, ten years ago it would have been extremely different. Today, because both attacks are on the individual, most services are being accessed from the internet, adversaries are doing phishing attacks that look legitimate to trick people. They’re much more similar than they used to be.

Responses were edited for length and readability.

Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…