
by Martin Jungfer
Whether it’s a smartphone, pressure cooker or socks, the process is the same. Place your order, whip out that credit card and check the mailbox for your delivery. But what do you do when six computers you never ordered end up on your credit card bill? Two of our IT security specialists explain how secure online shopping works and what you can do to help keep your info safe.
Making life difficult for fraudsters and hackers and protecting customer accounts from unauthorised access is the job of Martin Wrona, Security Software Engineer, and Christian Margadant, Head of Engineering. In an interview with Sharon Zucker, they explain what customers can and should do to shop online safely with a credit card.
**Hello Martin, hello Christian. How secure is customer data at Digitec Galaxus when paying by credit card?**
Martin: We don’t keep credit card information on file. As with almost all payment methods, we rely on a reputable partner to process payments for us. So we never come into contact with the credit card data at all.
**Who is responsible for the security of credit card purchases?**
Chris: For the security of our customers, we require the bank that issues the credit card to use 3-D Secure. So to access their accounts or make a payment, users must in theory provide a secondary proof of identification, which the bank asks for. This could be in the form of an SMS code or fingerprint scanning.
**What does «in theory» mean?**
Martin: We can’t verify whether all banks require this second proof of identification. In the last spate of fraud, we unfortunately found that some banks don’t (always) fulfill their security obligations. Liability for fraudulent credit card payments then lies with the bank. However, they may assign the liability to the customer.
**But how do criminals even manage to order something via a customer account and pay by credit card?**
Martin: Many customers use the same code for their login and password – for example, the identical login for their e-mail account, e-banking and the order screen at their local beverage retailer. If cybercriminals steal all customer data from a beverage retailer, for instance, they automatically know the login of various other service providers of the customer. And that’s the problem. Such login password lists are sold on the Internet and used in cases of fraud. So if you always use the same code, you’re at risk of fraud.
Chris: Login password codes are also frequently obtained via private phishing emails or malware. For example, a scammer creates an email with the Digitec or Galaxus logo and writes: «Your order is ready, click here for pickup.» If you click on the link, you’ll be taken to a new, usually quite well-copied page of the supposed provider. If you then reveal your login data, «Login and password incorrect» often appears. But the data is actually stored by the criminals.
That’s why we always recommend activating a second proof of identification, so-called multi-factor authentication (MFA). Doing so can prevent savvy hackers from logging into a customer’s account and ordering anything.
**Two levels of security on both the customer account and the credit card. Isn’t that a little too much? For the paranoid?**
Chris: It’s most definitely safer. For example, if you receive credit from Digitec or Galaxus, you no longer have a bank involved asking for a second proof of identification when you place an order. So if someone knows or has stolen your login and password, they can use your credit and buy whatever they want. The criminals then typically buy digital credit cards, such as those from Apple. After all, you would have to have an iPhone or a game console sent to a physical address. Digital credits, on the other hand, work with codes that you can easily resell on the Internet.
Martin: At Digitec Galaxus, you can choose to activate this second proof of identification. This makes it almost impossible for unauthorised persons to access your customer account. The criminals would have to have access to your customer account and mobile phone at the same time. Moreover, in cases of suspicious login attempts, we send customers a one-time password by e-mail to ensure that it’s indeed the account holder.
**Why do we put it on the customer to activate an additional level of security?**
Chris: For customers, MFA is another hurdle in the ordering process. Some are put off by this hurdle, others find it patronizing. Sure, we in IT Security would love to have a big, red, flashing warning sign saying, «Activate MFA.» But we can’t and don’t want to force that on anyone. Our fraud detection is effective and we’re constantly developing it. But it’s also clear that each additional layer of protection helps prevent data misuse. Here, more is actually more.
**What is the most important thing to do as a customer?**
Martin: Be sure to use a [unique password](https://www.omnicalculator.com/other/password-entropy) of sufficient length and complexity. We recommend a minimum ten-character password with special characters and upper- and lowercase letters for login. Even better would be 12 or more characters.
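As an added example, not code from the interviewees or from Digitec Galaxus, the check below turns the recommendation just given, and the earlier point about reused passwords turning up in leaked lists, into something that can be run. It computes the brute-force entropy the linked calculator estimates (length times log2 of the alphabet the password draws from), applies the stated policy (at least ten characters, special characters, upper- and lowercase), and adds the check a practitioner wants next to it: whether the password is already in a leaked list, looked up the way the Have I Been Pwned range API works, by the first five hex characters of the SHA-1 hash, so the password itself never leaves the client. The leaked list and the sample passwords are constructed for this example, and the function names are its own.

```python
import hashlib
import math
import string

# Character classes used to estimate the attacker's search space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # 32 printable ASCII symbols
}


def entropy_bits(password: str) -> float:
    """Brute-force entropy: len * log2(alphabet), where the alphabet is the
    union of every class the password actually uses. Characters outside the
    four classes (umlauts etc.) each add one symbol. This ignores dictionary
    structure, so it is an upper bound, not a measure of guessability."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    alphabet += len({c for c in password
                     if not any(c in chars for chars in CLASSES.values())})
    return 0.0 if alphabet == 0 else len(password) * math.log2(alphabet)


def meets_policy(password: str) -> bool:
    """The policy stated in the interview: >= 10 characters, with special
    characters and both upper- and lowercase letters."""
    has = {name: any(c in chars for c in password) for name, chars in CLASSES.items()}
    return len(password) >= 10 and has["lower"] and has["upper"] and has["special"]


# Constructed stand-in for a leaked-credential dump (not real data).
LEAKED_PASSWORDS = ["Password1!", "Summer2023!", "qwerty", "Galaxus123"]


def build_range_index(leaked):
    """Index leaked passwords by SHA-1 prefix, as a k-anonymity range service
    would: prefix (5 hex chars) -> set of 35-char suffixes."""
    index = {}
    for pw in leaked:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def is_breached(password: str, index=RANGE_INDEX) -> bool:
    """Client side of a range lookup: only `prefix` would be sent to the
    service; the suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


def assess(password: str) -> dict:
    """Combine the three checks. Note that a password can satisfy the length
    and complexity policy and still be useless because it is already leaked."""
    return {
        "entropy_bits": round(entropy_bits(password), 1),
        "meets_policy": meets_policy(password),
        "breached": is_breached(password),
    }


if __name__ == "__main__":
    for pw in ["Password1!", "qwerty", "kMx7!vQ2#pLr"]:   # constructed samples
        print(pw, assess(pw))
```

The first sample is the instructive one: `Password1!` passes the ten-character policy with about 65 bits of brute-force entropy, yet it sits in the leaked list, so an attacker replaying stolen credentials never has to brute-force anything. Length and character classes protect against guessing; only uniqueness protects against reuse.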
**Most online ordering services ask you at some point, «Do you want to save your password for this website?» Should you do that?**
Martin: Password security depends on the device itself. If there’s malware on a device, it «knows» for which website a password is stored and can thereby steal it. This means you should definitely keep your operating system and virus protection up to date. Personally, I never save passwords.
Chris: I do. Not for all websites, but for some. I have MFA configured everywhere I make a payment, such as for my online banking. And I don’t save my password there either.
**Having a lot of passwords is annoying... that’s why we often have only two or three, which tend to be pretty similar. Should you really have a separate password for everything?**
Chris: You’re by default better protected if you have a separate password for everything.
Martin: If that’s too complicated, you can use a password manager.
**In summary, we can say that it’s the bank who’s responsible for the security of a customer’s data and credit card, and the customer who’s responsible for login security. So, to make sure that no one orders six computers at my expense to someone else’s account, I’d better be on my guard.**
Martin: Correct. Even though at Digitec Galaxus we have very good technical protection measures that detect fraud attempts, every additional hurdle helps to protect a customer’s account.
Chris: We want to raise awareness about this issue and thereby get as many people as possible to activate MFA and overcome their reluctance to use it.
**Hopefully, many people reading this interview will do just that. How and where can they activate MFA at Digitec Galaxus?**
Martin: You can activate MFA in the settings of your customer account under «Password and Security». After that, click on «Enable two-factor authentication» and you’re all set.
Chris: It’s really not complicated and is doable for those who aren’t used to dealing with IT in their everyday lives.
Making sure employees and media know what's up at Digitec Galaxus is my job. But without fresh air and a lot of exercise, I basically stop functioning. The great outdoors provides me with the energy I need to stay on the ball. Jazz gives me the tranquility to tame my kids.