Obama’s cybersecurity commissioner offers advice on how to keep safe when shopping online

cybersecurity amazon shopping

Shopping is a big part of the holidays, whether you’re heading to the grocery store for a festive feast, or trawling Amazon for last minute gifts. Online criminals are aware that people might let their guard down, given the many other stresses of the season, so they’re on alert for potential targets.

It’s not impossible to get through the end of the year without becoming a victim, but your chances of doing so are much improved if you take the proper precautions. Digital Trends caught up with former cybersecurity commissioner to President Obama, Eric Cole, to get some insight on the best ways to stay safe and secure.

Digital Trends: What sort of things can consumers do to stay safe while shopping online?

Eric Cole: First and foremost, use common sense. I know people are always wanting these crazy, high-tech pieces of advice from me, but they’re not practical. What I always say is that cybersecurity is not about doing crazy, complex things. It’s doing simple things in a consistent manner. If we just used basic common sense online, we would be much safer.

Cybersecurity is not about doing crazy, complex things. It’s doing simple things in a consistent manner.

For example, one of the big hacks we’ve seen this year is that adversaries will buy ads on search engines like Google. Now, you’re looking for that perfect gift, you go to Google and put in the search term, and the second, third item that appears up in that search shows the items for 80 percent off.

You can’t believe your eyes, right? This item is hard to get, nobody’s discounting it, and here it is for 80 percent off. You just can’t help yourself. You click on the link, and in those three seconds where you’ve clicked on the link, boom – your computer is compromised, your identity is stolen, your credit card information is gone. It’s that easy. One click is all it takes, so you want to be very careful about where you’re going.

Stick to those mainstream sites, and remember. deals that seem too good to be true are too good to be true. I’ve heard very, very, very few cases where seeing these crazy discount sites pays off for consumers. Be smart, look at the big sites, and be careful about giving out your personal information.

Is there a greater threat of being subjected to an attack at this time of year?

Yes, and there are three reasons. One, the adversaries are more active. Remember, adversaries don’t typically target an individual, they target a number. They don’t care if you’re Bill Gates or Bubba Gates, what they want is 10,000 credit cards. They want 10,000 identities . During the holiday season, because there are so many more people online, there’s a lot more people they can compromise.

cybersecurity dr eric cole
Former C.I.A. Technology Director, Dr. Eric Cole
Former C.I.A. Technology Director, Dr. Eric Cole (credit: Security Haven)

Second, people have such large amounts of transactions during the holiday that they don’t really check their credit card statements as closely as they should. At the end of the year, for Christmas, they might get two, three, or four pages. They’ll glance through it, but for most people, when they think fraudulent credit card activity, they’re looking for $20,000 purchases. That’s not reality. Most adversaries will do a $2 or $3 purchase here and there. So, if you just scan your credit card statement quickly, you will miss those fraudulent charges.

The trick with that is, contact your credit card company to do real-time alerting. I use this feature, and it’s awesome. Now, whenever my credit card is used for any purchase in a restaurant or in a store, I get an alert, and then I approve that this is authorized or unauthorized. A lot of people go, “oh, but Eric, that’s going to take two to three more seconds every time I approve a purchase.” Yes, but I will tell you that the probability of having credit card fraud is high, and that will probably cost you 300 to 400 hours. Do you want to take two seconds now, or 400 hours later, when your credit card gets compromised?

Does the Equifax breach demonstrate that we need to be less trusting of how others use our data, as well as keeping an eye on our own activity?

Some people get upset with me when I say this, but security is your responsibility.

Yes! This is one that I’ve been pushing for a while, and some people get upset with me when I say this, but security is your responsibility. It’s terrible that our information was in Equifax, it’s terrible that it happened, but that is ultimately your responsibility. Cybercrime has a high payoff and very low risk, so this problem is going to get a lot worse before it gets better. You cannot rely on third parties to protect you.

If you want to make sure that you protected, you segment out your life. For example, I have six different credit cards. I have one just for gas, one just for Amazon, one just for bill paying. And by doing that, now if there’s an issue, it’s not only contained and control, but it’s much easier for me to go in and get a new card.

How much of an impact does a person’s digital footprint have on their tendency to be attacked? Does having a greater amount of active accounts equate to greater risk?

Having a bigger digital footprint does increase your tendency, but it’s basically your public digital footprint. Every time you go to a site and you want to download a document, or somebody’s gonna give you a free gift, or they’re gonna give you a PDF, and they say, “please enter your name, your email address, and your phone number,” those are the things that really increase your probability of being a target. Some of those are good, lots of them are bad.

cybersecurity craigslist

Adversaries will try every place they can to get that information. We’ve seen a lot of attacks where people on Craigslist will give their name, their phone number, and their email address. That’s public information, that anyone can see. Setting up an account isn’t really gonna increase your risk, if those are private accounts, if those are different passwords, if those are strong passwords. That’s OK. It’s the public information, the social media. The things you put out there that anyone can find will put a much bigger target on your back for a cyber criminal to come after you.

People often think about cybersecurity as someone taking control of an email account or similar, rather than compromising a physical token like an ATM card. How can we protect against credit and debit card fraud, whether online or in person?

First and foremost, repeat after me – credit cards are good, debit cards are bad; credit cards are good, debit cards are bad. You want to stay away from debit cards. If you want to use a debit card to go to the money machine and take money out, that’s one thing, but you do not want to use debit cards online, in stores or anywhere else.

There are laws that protect you on credit cards. Debit cards have no such laws.

The reason is, one, there are laws that protect you on credit cards. Debit cards have no such laws. Yes, many banks are usually nice about it, but they don’t have to be. If there’s a fraudulent charge on my credit card, it doesn’t come out of my account. It goes out of the credit card company’s account, and now if I debate it, or I contest it for six months while they investigate, they’re out the money and not me. If somebody uses your debit card, it immediately comes out of your bank account. Now, if you contest it for six months, you’re out the money for six months.

Also, be very, very careful of public wireless. Only use wireless in your trusted home. If you’re going to a store, what I do is, as soon as I leave my house, I just turn off wireless. It’s not worth the risk. It’s not worth that exposure. But once again, the most important thing is just common sense. Don’t trust anyone, and be careful of when and where you give out your information.

What are some of the similarities and differences of personal cybersecurity, compared with some of the other roles you’ve filled in your career?

Interestingly, in the last year, we’ve seen two things happening. One, more and more services moving to the cloud. Now that services are moving to the cloud, we can do some oversight of the cloud provider, but really, it’s all about the endpoint. Whether it’s a big company or a small company, or an individual, they all access servers from the internet, so it all comes down to making sure that endpoint is properly protected.

Second, adversaries are realizing that yes, there’s cases like Equifax where their servers were quite vulnerable, and it was very easy to break in, so they went after the servers, but in most cases the weakest link in any organization is the individual. So, the number one method of compromise for an organization is sending a legitimate-looking email to an employee and tricking them into opening an attachment.

Five, ten years ago it would have been extremely different. Today, because both attacks are on the individual, most services are being accessed from the internet, adversaries are doing phishing attacks that look legitimate to trick people. They’re much more similar than they used to be.

Responses were edited for length and readability.