Tips to Staying Secure While Online Shopping: Q&A With Professor Justin Cappos, NYU Tandon School of Engineering

*Editorial Note: The content of this article is based on the author’s opinions and recommendations alone. It has not been previewed, commissioned or otherwise endorsed by any credit card issuer. This site may be compensated through a credit card issuer partnership.

This article was last updated May 13, 2020. Terms and conditions may have changed. For the most accurate information, please consult the issuer website.

With many consumers staying at home as much as possible due to the COVID-19 pandemic, it is no surprise that online shopping has increased. However, online shoppers may not know how to protect themselves from becoming victims of cybercrime.

To provide practical tips to stay secure online, CompareCards turned to Justin Cappos, a cybersecurity expert, computer scientist and professor at NYU Tandon School of Engineering.

Outside the classroom, Cappos has worked in security and information technology for the military and has even written his own security systems. “With a little bit of ‘cyber hygiene,’ you can help to protect yourself and help prevent a future ‘cyber pandemic,’” said Cappos.


Professor Justin Cappos, NYU Tandon School of Engineering

The coronavirus pandemic has already changed the way employees work as most people are working remotely now. Virtual collaboration with communication technology like Zoom has become the standard.

With regard to cybersecurity during the pandemic, Cappos notes another shift: “The other shift is that people are panicking and desperately trying to learn ways to protect themselves. As a result, a lot of malware that is being spread is mentioning COVID-19 and trying to get people to open malicious documents. Psychologically, when people are frightened, they may make poor choices and these attacks are trying to capitalize on this.”

Q: You’ve been quoted saying that the No. 1 way to stay safe online is to constantly update software. Should consumers be concerned if they have technology that is several years old? 

Justin Cappos: It’s fine to have an older computer or phone, so long as you are still applying software updates on them. If you have a desktop or laptop, those basically always have updates available unless it is very old. Windows 10 and your Mac’s operating system are provided security patches by Microsoft and Apple. For smartphones and tablets, if you have an iPhone or other Apple device, those also will have updates available for an extended time. It’s really Android devices that you may need to worry about. Google puts out security fixes, but many manufacturers do not provide security updates or software updates in general for their devices, which is a big problem.

The reason why updates are so critical is that when a software weakness is discovered, there is a race between attackers trying to compromise systems that have the problem and defenders trying to secure systems to remove the problem. Defenders fix issues with a software update. Attackers can look at those updates and figure out how to attack systems that haven’t applied the update. So, it’s critical for people to apply updates quickly, certainly within a few days of being released.

This is so much more important than other things that most people think are important, such as purchasing anti-virus software, using a firewall, choosing a strong password, etc. So, if you will only do one thing to protect yourself, make it applying software updates.

Q: The fear of coronavirus exposure has led more consumers to use their devices to make payments instead of a physical card when paying for essentials in store. What risks are consumers subject to when using this payment method? How might the type of device factor into the level of risk? How can consumers minimize those risks?

Justin Cappos: From an actual health standpoint, having contactless payment with a smartphone is often better because you do not physically hand over a piece of plastic or a bunch of paper and metal as part of transactions. There have been a few attacks on Apple and Google’s payment methods, but these are quite rare and are often hard to pull off in practice. The tech companies have done a pretty good job there and so attacks with those are not something most consumers need to worry about.

Q: What are some crucial ways to stay safe while online shopping during this pandemic?

Justin Cappos: I would recommend against using a lot of different online retailers. If you can limit your shopping to just a few, large retailers, that is likely to help to keep your information safer. If you were already doing business online with a site or company, it’s fine to stay with them. I would just be a bit concerned about new sites that pop up.

Q: What advice do you have for consumers looking to purchase from an online store that is brand-new? How might they be able to tell if the site is keeping their information secure or are there any red flags that are easy to identify?

Justin Cappos: If there is a brand-new site you may wish to purchase from, there are a few basics to consider.

  1. Make sure you have a secure connection to the site. The little lock icon (on most browsers) will show you are using a secure connection. If it’s not there, this is a big worry, but just because you see it, this doesn’t mean it is secure.
  2. Use a credit card if you need to shop there. If there is fraud, the burden and tasks you need to do to recover any losses are much less than with a debit card.
  3. Be sure to search a bit online and see what experiences others have had with the site. The Better Business Bureau (BBB) and other similar organizations often will let you know there is a scam. Of course, don’t trust the site you are considering shopping at to provide accurate testimonials.

Q: What precautions should consumers take before they download a retail store app to make purchases? Does the type of phone or tablet (iPhone versus Android) make a difference when using a retail store app?

Justin Cappos: I would be concerned in general about downloading retail store apps unless you absolutely need to. They tend to collect extra information about you that they sell to marketers. The company wants to know more about you to convince you to buy more products. These apps are often not that well done from a security standpoint. I would avoid them if you have the option.

Q: How do credit cards help minimize the risk of electronic theft? Why is it better to use a credit card versus a debit card when shopping online?

Justin Cappos: Credit card fraud usually doesn’t cost the cardholder any money out of pocket since most credit cards have zero liability protections. With a debit card, you (the consumer) have to do more work to get your money back. If you have overdrafts and other things in the meantime with the account linked to your debit card, you may be liable. So, really, using a credit card is a much better option.

Q: What advice would you give to businesses to help better secure their customers’ transactions online?

Justin Cappos: Businesses should almost always use a third-party payment processor that specializes in securing transactions for your website. The advantage is that if they break into your site, the attacker will not get credit card numbers directly in this case. They usually just get some ID that you use with that third party if your site needs to do recurring payments, refunds, etc.

There are a number of these payment processors to choose from and they are likely to be much better at protecting your customers’ data than you will.

Q: What advice would you give to banks to better protect or educate their customers on electronic theft?

Justin Cappos: I would like to see more offerings like disposable credit card numbers or virtual credit card numbers. These let a consumer make charges using a one-time credit card number. Even if a site is hacked, this number being leaked won’t present a big problem since it’s unique to that transaction.

The only real downside is that if you need to use your card to verify a purchase (like movie tickets or airline tickets) or you need to request a refund, it may be more difficult to do so. However, they help protect your card’s security and also your privacy.

Honestly, banks are already doing a pretty good job though. Along with the major players in the tech industry, the financial industry is really leading the way in terms of security.

I think that their perspective on risk and fraud, along with the willingness to pay good salaries to get strong talent, has helped them be more effective than most industries.

Q: If consumers can only heed one warning, what should that be? 

Justin Cappos: Of course, the No. 1 tip is to update your software to have the latest security fixes. This will help to keep your computer, phone or tablet safe.

Q: What do you see as long-term changes to cybersecurity as a result of the coronavirus pandemic?

Justin Cappos: I see quite a few different things that may happen. I see a lot more organizations providing remote access opportunities. This is a trend that I think may continue for some time after this pandemic. So, I imagine companies will bolster their ability for people to work without being in the office.

This is both a good and a bad thing, as participants that are remotely accessing a service are harder to authenticate, monitor and control. I expect that organizations will try to beef up their multifactor authentication offerings, which really should not be simply a short message service (SMS).

On a related note, I also expect to see middleboxes like virtual private networks (VPNs) become more widespread. These let a user remotely connect into a network as though they are on that network. It would not surprise me to see functionality for VPNs integrated into web browsers in a way that gives a great user experience.

Finally, I do also hope that average people pay a little more attention to experts. It seems like most people are now listening to doctors because they realize their life may be on the line if they do not. Most experts are just trying to do their best to help as they can.

If this spills over into the cybersecurity space, then with a little bit of cyber hygiene, you can help to protect yourself and help prevent a future cyber pandemic.
