
Introduction

Online holiday shopping continues to grow in popularity. According to American Express,
for the first time, more people are expected to shop online on Cyber Monday than visit
brick and mortar stores on Black Friday. 1 Shoppers are expected to spend nearly $62
billion online throughout the holiday season this year, up more than 15% from 2012. The
use of mobile devices for online shopping (mcommerce) is projected to reach almost $10
billion for the 2013 holiday season2. More consumers are using these devices to
compare prices, research products, locate stores, and make purchases to a larger degree
than ever before.
This increased use of mobile devices and reliance on technology brings new risks.
Several of these emerging technologies, the risks associated with them, and how to
protect yourself are highlighted below.

New and Emerging Trends in Mobile Online Shopping

Mobile Devices:
The use of mobile devices, such as smartphones and tablets, to shop continues to grow
in popularity. Shoppers use these devices to not only visit retailers’ web sites but also to
research products, search for other related products, opt into promotional emails and get
tips and advice from friends on social media. A recent Nielsen study found that "en route
to the store, 70 percent of smartphone shoppers use a store locator to plan their
shopping trip. Savvy mobile shoppers use their devices to check prices, and the majority
of smartphone (63%) and tablet (53%) owners search and scan their way to savings,
though more smartphone owners do this while in a retail store."3
As these devices continue to gain popularity for shopping, so will the volume of attacks
targeted at these devices. Every new smartphone, tablet or other mobile device provides
another window for a potential security compromise, such as cyber criminals creating
applications that look legitimate, but are malicious. These applications could steal credit
card and other sensitive information.

1 http://amexspendsave.mediaroom.com/index.php?s=34135&item=22#assets_123

2 http://www.emarketer.com/Article/Mobile-Devices-Boost-US-Holiday-Ecommerce-Sales-Growth/1010189

3 http://www.nielsen.com/us/en/newswire/2013/a-mobile-shoppers-journey--from-the-couch-to-the-store--and-back.html

Center for Internet Security -- December 2013

New and Emerging Trends in Mobile Online Shopping: How to Minimize Risks

Mobile Card Readers


Square, PayPal, Intuit, and other services offer devices that plug into a supported
smartphone or tablet and read the magnetic stripe of a debit or credit card, thus enabling
merchants to accept debit and credit cards on their mobile devices.
Risks related to the use of mobile card readers could include a compromise of the mobile
device itself and/or an application on that device. Another potential attack vector could
include a compromised card reader that becomes a “skimmer” used to capture a swiped
card’s magstripe data, which could then be used to make purchases in the cardholder’s
name.

Mobile Payment Systems and Virtual Wallets


The need to provide a physical credit card is being reduced and replaced by mobile
payment systems and virtual wallets. For example, by tapping your phone on a
contactless pay terminal in a shop or cafe, your account will be identified, and you will be
able to pay for items through your mobile device, without ever having to display your card.
Starbucks, for example, allows its customers to pay via the Starbucks app on their mobile
phone; no cash or card is needed. The Starbucks app generates a barcode, and the
customer positions their phone close to the barcode reader located at the point-of-sale
terminal. When the barcode is scanned, the payment system deducts the cost of the
purchase from the payment method stored in the customer’s app. According to a recent
report, Starbucks conducts about 10 percent of its US in-store purchases using this app. 4
Another mobile payment option is Near Field Communication (NFC).
NFC allows wireless data transmissions and works on the same principles as WiFi and
Bluetooth. Put simply, it transmits payment information from a mobile device to the
retailer’s point-of-sale system while the two are just a few centimeters apart. Google Wallet,
for example, uses NFC technology and is accepted at participating stores where there is a
MasterCard PayPass terminal. Retail establishments such as CVS, Walgreens, New York
and Company, and Aeropostale currently accept payments via this method, and this trend
is expected to grow.

4 http://techcrunch.com/2013/07/26/mobile-payment-at-u-s-starbucks-locations-crosses-10-as-more-stores-get-wireless-charging/

What Can You Do to Minimize these Risks?

Mobile Devices and Shopping Applications


- When considering downloading a mobile app for online shopping, make sure you
  actually need that app, and only download from trusted sources. Every time you
  download an app you could open yourself to potential vulnerabilities.
- Take time to read the app's privacy policy. Check to see if the installation and/or use
  of the app requires access to your private and personal information (such as GPS
  coordinates, contacts, photos, etc.). You should be aware of what information the app
  is accessing, and what is being done with that data.
- Update all devices and apps, including the operating system and other apps, when
  prompted.
- Password-protect your mobile device with a strong password. Set your device to
  auto-lock after a few minutes of inactivity.
- Use security software. While software security solutions that are available for
  desktops and laptops are not as widely available for smartphones yet, there are
  solutions available. A key protection is to use mobile security software and keep it
  up-to-date. Many of these programs can also locate a missing or stolen device, back
  up your data, and even remotely wipe all data from the device if it is reported lost or
  stolen.
- Do not use public wireless access for your online shopping. Public Wi-Fi hotspots are
  potentially insecure. Criminals may be intercepting traffic on public wireless networks
  to steal credit card numbers and other sensitive information. Make sure that the
  settings on your device prevent it from automatically connecting to Wi-Fi
  hotspots.
- Disable Bluetooth and Near Field Communication (NFC) capabilities when not
  needed. They can provide an easy way for a nearby, unauthorized user to gain access
  to your data.
- Enable encryption. Enabling encryption on your device is one of the best ways to
  safeguard information stored on the device. On iOS devices, such as iPhones and
  iPads, the feature is automatically turned on as long as the password feature is
  enabled. For Android devices, the feature has to be manually activated.
- Be alert to changes in your mobile device's performance. If you download an app, and
  your device starts performing differently (for example, responding slowly to
  commands or draining its battery faster), that could be a sign that malicious code is
  present on the device.

Mobile Card Readers, Payment Systems and Wallets

- Regardless of whether you are paying using a mobile card reader, payment system or
  virtual wallet, pay by credit card, not debit card. Credit cards are protected by the
  Fair Credit Billing Act, which may reduce your liability if your information is used
  improperly.
- When using virtual wallets, secure your virtual wallet account with a secure
  password, which should include mixed case letters, numbers and special characters.
  Additionally, enable the two-factor authentication service where available. This
  feature creates random security codes that have to be entered along with a
  username and password. This randomly generated key is typically sent to the user on
  their mobile device via a text message.
- Be wary of phishing scams targeting mobile payment systems and virtual wallets. For
  instance, a legitimate email sent from these services will never ask for sensitive
  information such as your password or Social Security number. Similarly, these
  services never send emails with attachments. These phishing attempts are all tactics
  hackers use to infect your device.
- Beware of linking your bank account to payment systems and virtual wallets; instead
  use a credit card when using these systems. You would not want a cyber criminal to
  have unlimited access to all of your bank account funds in the event that the security of
  these systems is breached.

The Bottom Line

Online shopping via mobile devices is expected to total nearly $10 billion this
holiday season. Cyber criminals will attempt to take advantage of that volume by conducting
a variety of scams.
Follow the tips discussed here, take the proper precautions, and educate your friends
and family about these emerging trends and risks. You will greatly decrease the chances
of being a victim of a scam or having your information compromised.
