Black Friday, the day after Thanksgiving, is America's biggest shopping day, but Cyber Monday is catching up. Why camp outside a store for limited-quantity "door buster" deals when you can get goods online, snug on your couch with a cup of cocoa? However, you don't want to avoid the mall circus only to get your personal or financial info trampled by an insecure site. Here's how to shop more safely online.
Alternative payment methods
One of the best ways to protect your payment info is to simply not give it to an online store. If the store's website gets hacked, payment info stored in your account may get stolen. Multiply that risk by however many sites you've given your credit card details. Instead, use PayPal as a middleman. There's no additional fee (though PayPal usually charges the store) or additional processing time. You can also enable two-factor authentication on PayPal.
If you're using plastic, a credit card offers more protection than a debit card. With debit cards, payment is directly deducted from your checking account, and if there's a problem with the transaction or the goods, it can be more difficult to recover your money. Credit card charges, on the other hand, can simply be reversed before you pay your credit card bill.
Gift cards are another good option. An online store will treat a gift card with the Visa or MasterCard logo like a credit card. However, there are a few limitations: You may have to pay an activation fee of $5 to $10; the card can only be used with a payment processor physically located in the United States; and it can be tedious to track how much money remains on the card.
Alternatively, you can get a store-specific gift card, like one for Amazon or Best Buy. These have no activation fee. However, they may have expiration dates, so you could lose the stored value if you wait too long. Sometimes the date is on the card itself; other times it's buried in the fine print.
As long as the gift card is not expired, a purchase made with it should never be declined. Even if you have plenty of credit or money in the bank, credit and debit cards can be declined or frozen if you have simply made too many purchases within too short a time, which can easily happen during the week of Cyber Monday.
A double layer of account security
Two-factor authentication (2FA) does a second check to help prevent the use of stolen credit cards and account information. For example, an Amazon transaction requires your password (the first factor). If you enable 2FA on Amazon, it will send a single-use code (the second factor) to your mobile phone via text message, which you enter after you've signed in to the website. Your phone is the only device to receive the code, so even if someone has stolen your username and password, they would still need physical access to your phone to complete a transaction. Two-factor authentication doesn't make unauthorized use totally impossible, but it creates a higher barrier to entry for hackers or people who've nicked your account info.
Setting up Amazon's two-factor authentication
Our example is real, by the way: this week, without fanfare, Amazon added two-factor authentication. To set it up, log in, go to your account page, click Change Account Settings, go to Advanced Security Settings at the bottom, click the Edit button on the right, then select a mobile phone number where Amazon can send SMS messages. When you enter the code Amazon texts you, you'll have two backup options: an alternative phone number or an authenticator app. Selecting the app option displays a QR code that can work with Google Authenticator, Authy, or another such app.
With Google Authenticator, you open the app, tap the settings icon (three stacked dots in the upper right-hand corner), select Set Up Account, choose Scan a Barcode, and hold your phone's camera up to the QR code provided on Amazon's 2FA setup page. This will give you a six-digit code that you enter on the website to link the app to your device. When you do that, Amazon will ask you to confirm that you want to enable 2FA, and it will give you the option to skip 2FA on the device that you've just used to set this system up. The option is enabled by default.
With the authentication app backup, you can enter codes even when your mobile device doesn't have cell reception. So it's good to have this as a plan B for when Wi-Fi or Ethernet are your only options. If you expect to be in a situation where you won't have the app or a network connection, you can tell Amazon to call a landline number and have an automated voice read a code to you. This option is also handy if your device is not set up to receive SMS messages, or if it has a limit on the number of messages you can receive every month.
Whichever method you choose, Amazon's 2FA is free and does not require a Prime membership.
Mobile device security
Phones get lost and stolen, and if you don't have a security filter or two, your efforts setting up online shopping protections could all be for naught. Your first line of defense is usually a PIN code. iOS defaults to four digits, but with iOS 9 Apple has started asking for six digits, which is preferable because it's harder to guess. You can also use a pattern unlock, but those are easier to guess. Facial recognition is more reliable than pattern unlocks, but many phones don't have that option, and the tech may need bright light to work, which isn't always available.
If your device has a fingerprint reader like Apple's Touch ID, that's arguably the best method for most people. Fingerprint info can be faked, but the level of hassle and ingenuity required puts that tactic out of reach of most unauthorized users. Fingerprints contain a lot more unique information than a PIN code or a pattern, yet they can be used much more quickly, combining security and convenience.
Dealing with a lost 2FA Android device
If you do lose your device, there are ways you can lock it out of your personal accounts. Android users have the Android Device Manager (ADM), which you need to set up beforehand. The process is more involved than we'd like on the Android side. iOS users have it easier (explained in the next section). Regardless of platform, it's important to enable device management to protect your personal info, and you only need to set it up once per device.
Android users start by going to the ADM website and logging in to their Google account. Click the Add a Device button, which will display a QR code. Scan this using a QR code app installed on your 2FA device, and it will provide a link to the Google Play store for the Google Apps Device Policy (GADP) app. This may already be installed, in which case you will see an Enable button on the app store page instead of Download or Install. When you tap Enable, an Update button may appear to the left. If so, tap Update first, wait for the update to complete, then tap Open.
GADP will give a brief explanation of what it does. When you're finished reading, tap Next at the bottom of the screen, and GADP will prepare to get registered with your device. Before you can do that, GADP will explain the functions of your device that it wants access to. These are the functions that Android Device Manager can use to protect the personal info on your Android device if the device gets lost or stolen.
When you tap Activate, GADP will tell you that it is about to enforce a higher degree of security for this device. It's important to go over each item. For example, if your Android device is protected with a PIN or a password, GADP will automatically wipe the device if the PIN or password is entered incorrectly 10 times in a row. (iOS users can also enable a 10-try wipe function in the Settings menu.) If you use a password to lock your device, GADP will enhance the password rules, refusing to let you use only letters or only numbers. GADP will also enable you to locate your device on a map, force your phone to ring loudly (even if it's set to silent or vibration mode, which is handy when you can't find it but know that it's nearby), reset the password or PIN, or lock it.
Of course, your lost or stolen device needs to be connected to a cellular or Wi-Fi network if you want to locate it, force ringing, reset PINs and passwords, or lock the screen. Because those commands are being sent by you from another device via the Android Device Manager website (or via the ADM app installed on another Android device). So if the unauthorized user has the device set to airplane mode, you're out of luck. You may also need Location Services enabled.
If you have GADP set up correctly at this point, the ADM website should show your device when you refresh the page, and show the options to reset your PIN or password, make it ring, or lock the screen. If you use this method to lock the screen, even a device with a fingerprint reader cannot use that reader to undo the remote lock. You'll need to use the backup unlock method that you created when you originally set up the reader. So you can use this method if you believe that someone has lifted your print and can use that to unlock your device.
Dealing with a lost iPhone, iPad, or iPod Touch
During setup, you associate your Apple device with an Apple ID. You can use this account name and password to log in to iCloud, where you'll find a big button labeled Find iPhone. If your device is connected to a cellular or Wi-FI network, Find iPhone should be able to locate it in about 10 seconds, then place a pin on a map showing where it is, with some margin of error. If you click the pin and then the "i" button, you will get three options in the upper right-hand corner of the screen: Play Sound, Lost Mode, and Erase iPhone (or iPad or iPod, depending).
The Play Sound and Erase options are pretty self-explanatory, but Lost Mode may be a mystery to you. It's actually pretty sophisticated. When you enable Lost Mode, a series of options kicks into gear. First, you can create a special message to appear on the device's screen, such as a notification that the item is lost, and your phone number, so someone can call you to let you retrieve it. Second, the device will go into a special silent mode where it won't ring or display notifications. And third, it will try to suspend any payment options that you've set up in Apple Pay.
As with Android devices, it's possible to prevent Find iPhone from communicating with and locating the device if someone blocks its network connectivity, so the system isn't foolproof. And the finder function can be individually disabled in the device's settings. But you at least have some ways to protect your credit cards and other things you'll use to buy stuff online. You can also force your device to use two-factor authentication when it attempts to connect to your Apple ID (like when you make a purchase in iTunes). However, there's a 72-hour waiting period to set up 2FA on Apple devices, so don't wait until the last minute to get set up properly for Cyber Monday.
Strong passwords and password managers
We created guides to passwords and password managers a few months ago, and not much has changed since. The upshot: Use a password manager to automatically generate and store passwords that are very difficult to guess. If you use a cloud-based manager like LastPass (Windows, Mac, iOS, Android) or Dashlane (Windows, Mac, iOS, Android), you can streamline the sharing of that library across devices. If your device has a fingerprint reader, LastPass can use that to unlock your library, instead of requiring a master password each time.
With strong account passwords, payment protections, two-factor authentication, reliable locks on your devices, and a gameplan for handling a lost or stolen phone, you should be well-positioned for safe spending on Cyber Monday.