We take online safety and security seriously, which is why we would like you to read through this page. We try to do our part to keep you safe, but we also want you to do your part to keep you, and us, safe.
Our security measures
Our website and IT systems are actively managed through https://weboteeq.co.za, a sub-division owned by Bounteeq, which also owns Holisteeq. Together, we take great care and pride in ensuring information and cyber security. Below is a list of things being done on our side. Although this list is not exhaustive, it is constantly updated as best-practice security measures evolve.
- Incident management process defined, along with incident prevention strategy.
- Annual in-house security policy and process audits.
- Annual independent website security implementation audits, including an extensive security penetration test with test report and in case of failures, fixes to be implemented and re-tested.
- Secure Sockets Layer (SSL) encryption protection for the website and all cyber services associated with our IT systems.
- Strong passwords, secure password managers and password sanitising.
- Professional level anti-virus, anti-malware, firewalls and intrusion protection on the website, servers and IT systems.
- Remote and physical access control to IT equipment and services, with authorisation and authentication checks.
- Secure off-site information back-ups, including redundancy back-ups.
- Updates, updates! There’s a fine balance between updating to the latest software versions to fix bugs and vulnerabilities, and inadvertently installing a new update that has as-yet undiscovered loopholes (as some recent high-profile security incidents have demonstrated, new updates are sometimes to blame for incidents, not only out-of-date versions). We try to find that balance, even though it is difficult.
- Professional, secure Virtual Private Network (VPN) encryption to thwart snoopy digital eyes.
- Minimal hard-copy paper trails, so no documents lying around for snoopy real-life eyes.
- We do not, and never will, store any customer’s banking details on our website or other IT systems; our payment gateways handle customer banking details on our behalf. Suppliers’ banking details are restricted to our online banking profile and our payment gateway providers, who are authorised financial service providers compliant with the strict financial security certification standards.
We take cyber security seriously. We are taking all reasonable measures to protect everyone involved. Even so, incidents may still occur, as hackers and thieves keep finding new ways to circumvent security. Be assured that if one does, we will handle it with the utmost care and are prepared to bring in professional services, should it be needed. In the meantime, we try our best to prevent security incidents, and we still believe that, when done right, online shopping is much more secure than shopping with cash.
We also need you to play your part, however.
What security measures can you take?
The short version that underpins all other measures listed below: vigilance!
When we try to protect our bodies from viruses, we sanitise our hands and physical spaces. When we try to protect our data, we need to sanitise the keys that keep us safe! Here’s how:
Choose strong passwords
Your email account contains a lot of personal information about you, and is usually linked to other online accounts you use. If your email account is compromised, all your other passwords can be reset. So, it’s important you secure your email account with a strong password that is different to all your others.
To create one, we recommend the ‘3 random words’ method: simply connect three random, memorable words that mean something to you together – the longer and dafter the better.
For example: BrighterCuratorRabbit.
Many sites require the combined use of upper and lower case characters, symbols, and numbers. It is convenient to use leetspeak (or l337$p3@k) notation, for example ‘$’ replaces ‘S’, ‘3’ replaces ‘E’, etc. But many password-cracking tools already account for these substitutions in their algorithms, so they add little real strength.
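To illustrate the point above, here is an added example (not code from the Holisteeq page) of a password-policy check that undoes the common leetspeak substitutions before looking the result up in a dictionary of common words, which is exactly what cracking wordlists with "leet" rules do; the substitution table, the tiny constructed word list and the 12-character minimum are assumptions.

```python
# Added example: why leetspeak substitutions add little strength.
# The substitution table and word list below are constructed stand-ins;
# real cracking rule sets and dictionaries are far larger.
LEET_MAP = {"$": "s", "5": "s", "3": "e", "@": "a", "4": "a",
            "0": "o", "1": "i", "!": "i", "7": "t", "|": "l"}

# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"password", "sunshine", "letmein", "welcome", "secret"}


def normalise_leet(password: str) -> str:
    """Undo common leetspeak substitutions and lower-case the result."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password).lower()


def is_dictionary_word(password: str) -> bool:
    """True if the password, once de-leeted, is just a common word."""
    return normalise_leet(password) in COMMON_WORDS


def check_password(password: str) -> str:
    """Return 'ok' or the reason the password is weak under this assumed policy."""
    if is_dictionary_word(password):
        return "dictionary word with leetspeak substitutions"
    if len(password) < 12:
        return "too short"
    return "ok"


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "$un$h1n3", "BrighterCuratorRabbit"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

The three-random-words password passes because it is not a single dictionary entry, while the "disguised" single words are caught.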
If you need to change your password on your email account to make it stronger, just click here:
Choose unique passwords
Over the years, hackers build up databases from previously compromised accounts and passwords. If your password was hacked from one attack on one website in 2012, and you use that same password on every other website, that means hackers have access to all your data, on all the websites you have used, since 2012. Let that sink in. Change your passwords, and make each one unique, so that if one is compromised for whatever reason, the rest of your data is not affected by it.
Use a password manager
Yes, it’s difficult to remember a unique password for every site you use. We know! Humans are bad at remembering that stuff. But machines are great at remembering that stuff. We recommend getting a free, secure password manager that can generate randomised passwords, has a vault for storage / retrieval, and has a two-factor authentication generator. Then all you have to do is remember one master password – the one password to rule them all.
Some examples of password managers we like:
Turn on 2-factor authentication
You could use Google’s 2FA, or your password manager’s, or another provider, but it really is recommended as an extra layer of security, especially for logging in to sensitive sites from a new device for the first time, e.g. your online banking profile, your email provider, etc.
Keep your passwords secret! Do not share!
Well, that should be a self-explanatory heading.
Make regular backups of your precious data
We cannot stress this enough. If there is data you do not want to lose, it should be backed up. At least twice, with one of those copies off-site (in case of fire, theft or something similar). Also remember to label each backup with the date and time, in case you need to recover it. Make sure you have tested your recovery mechanism – the last thing you need is a backup you thought you knew how to recover, only to find it doesn’t work in practice.
Keep your device software up-to-date
Many software updates contain bug fixes and security fixes. Make sure to read the release information to understand what the updates are about. Try to read online about issue reports for new versions before updating to a new major version.
Restrict access to your device
Well, this should be obvious, but a chain is only as strong as its weakest link. If you leave your laptop, PC, phone etc. unattended with open access, anyone who walks by can get any information they want from it, implant keyloggers, viruses, or other malware, delete precious data, or even worse, attempt to reset your passwords so you cannot gain access again. Always password-lock your device when you are not actively using it.
Do not send passwords or sensitive information over public WiFi
Public WiFi networks rarely use good encryption schemes, so almost all data you send over these networks can be sniffed and interpreted by the baddies. Do not send banking passwords, etc. over such networks.
Use anti-virus and anti-malware scanning
This includes all your devices with internet access, including your mobile phone. If it is connected to the internet, it is exposed.
Do not install apps from dubious sources
Yes, yes, we all like free stuff, but sometimes there’s no such thing as a free lunch, and free apps can cost you dearly. Often, viruses, malware, ransomware, etc. are shipped inside “free” apps as a means of distributing the malicious code. And one day… BOOM, you lost. Think about the apps you install and research them thoroughly.
Be wary of scams, fraud and security breaches!
Avoid phishing, vishing and smishing
Be aware of suspicious requests pushing you to give away your personal details, or offering you something that seems too good to be true. It’s usually a scam. If the request came by email, it is called phishing; if it came by telephone, it is called vishing; and if it came by mobile text (like SMS), it is called smishing. Regardless, the requester aims to gain information they can use to obtain further details, or goes for gold by pretending to be an employee of the bank, revenue services, or other authorities, asking for your bank passwords or PINs.
Keep your personal information private
There are some obvious details that an online store will need, such as your address and your card details, but be cautious if they ask for details that are not required for your purchase, such as your mother’s maiden name, the name of your first pet, the name of the hospital you were born in, or the name of your primary school. These are the typical security challenge questions that many websites employ for password recovery. If you are asked these questions during a check-out process or some other activity that does not entail password recovery for that particular site, you are most likely being duped into compromising your own password recovery information, which can then be used by harmful actors to break into your other accounts.
Only use trusted, secure sites
Make sure you see the padlock symbol next to the website address in your browser’s address bar. Example below:
This means the website encrypts the data exchange between you and the site, and network traffic snoopers will not be able to easily understand the data exchange. On the other hand, without that padlock symbol, if you for instance log in, your password is probably sent in plain text and snoopers will be able to intercept your data and use it.
Make sure you are at the correct address. Many scammers buy similar looking domains as legitimate sites, to try and con people into visiting their fraudulent sites by accident. For instance, https://holisteeqq.co.za looks almost the same as the real address of https://holisteeq.co.za but it might be owned by a scammer, not us. The same principle applies to all websites you visit. Be vigilant!
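As an added example (not code from the Holisteeq page), the check below flags lookalike addresses such as https://holisteeqq.co.za against a small allow-list of trusted hosts, using edit distance for typo-squats and a non-ASCII test for look-alike characters; it also reports a missing https (the padlock). The allow-list and the distance threshold of 2 are assumptions.

```python
# Added example: classify a URL as trusted, lookalike, insecure or unknown.
# TRUSTED_HOSTS is a constructed allow-list for this illustration.
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"holisteeq.co.za", "weboteeq.co.za", "sabric.co.za"}
MAX_DISTANCE = 2  # assumption: at most 2 edits away counts as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """'insecure' if not https, 'trusted' for an exact allow-list host,
    'lookalike' for a near miss or a host using non-ASCII characters,
    'unknown' otherwise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if parts.scheme != "https":
        return "insecure"  # no padlock: data may travel in plain text
    if host in TRUSTED_HOSTS:
        return "trusted"
    if not host.isascii():
        return "lookalike"  # e.g. a Cyrillic letter standing in for a Latin one
    for trusted in TRUSTED_HOSTS:
        if edit_distance(host, trusted) <= MAX_DISTANCE:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://holisteeq.co.za", "https://holisteeqq.co.za",
              "http://holisteeq.co.za", "https://example.org"):
        print(f"{u}: {classify_url(u)}")
```

A browser will show the padlock for the lookalike site too if it has its own certificate, so the padlock alone does not prove you are on the right site; the hostname check is what catches the typo-squat.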
If you land on a website that you are sure is correct, but some dodgy-looking banners jump out at you with balloons, confetti and garish bright colours, saying YOU WON, and all you have to do is enter your info to claim your prize, this is a sure-fire way of knowing the site you are trying to visit has been hacked and taken over by scammers. Just leave the website.
On that note, many, many websites get hacked on a daily basis. If you choose to give sensitive information to a legitimate website, make sure you understand their stance in trying to keep their website, and your data, secure. Even if you are doing business with a legitimate site, if that site gets hacked, your information is at risk. Make sure you understand the risks, and that you are comfortable with what that website is doing to mitigate the risk of hacks, data leaks and other cyber threats.
Get a virtual credit card (VCC) or PayPal for online shopping
Many major credit card providers have insurance against credit card fraud, and may refund you if your card becomes compromised and abused. However, this is not always the case, and it can be a big hassle to stop and replace a compromised card. To address this, many banks have started issuing virtual credit cards (a digital token that acts as a credit card, in that you can create payment links to that card, but you can create and destroy it on the go, and still retain your physical card). It is a good idea to use such a virtual credit card for online shopping, as you can load just enough funds for your purchases onto the card, so there are no funds to steal, should the card somehow get compromised, and that does not affect your physical card at all. You could also create a PayPal account and use it in the same way, to the same effect.
Do not give out your EFT banking details indiscriminately
In South Africa in particular, we have seen a scourge of debit order fraud, where a fraudster gets hold of someone’s EFT details and submits a debit order request against those details. Because of insufficient checks and balances in bank approvals of debit orders, these debit orders go through and are very, very difficult to stop. Therefore it is advisable not to give out your EFT bank details to any John Doe and his buddy. Again, be vigilant!
South Africa will soon be implementing DebiCheck, an effort by the banks to better control these unsolicited debit orders, but it is unclear how effective it will be, and in what ways it can be circumvented or exploited. Therefore, stay vigilant!
Do not expose / save sensitive data on shared devices
Do not auto-fill or remember card information or credentials on a shared device. Log out of your account after every session on a shared device.
Monitor your banking activity and balance
Check your bank statements online often and report any anomalies to your bank. If you notice suspicious activity, notify the bank immediately. In most countries, you should also report this to the police. You may be asked to provide your card number by telephone, and this is fine (as long as you do not provide your PIN), but do not put your card number in writing (whether in email or on paper).
Before reporting / escalating, make sure the activity is not part of a debit order you authorised, legitimate purchases made from another card linked to this account, or purchases made by a loved one with whom you share your banking details.
Report incidents and vulnerabilities
Report and cancel a stolen, lost or otherwise compromised bank card I.M.M.E.D.I.A.T.E.L.Y!
Again, IMMEDIATELY, as soon as you realise your bank card is lost, stolen or compromised in any way, report it to your bank and request that they stop the card A.S.A.P. (as in, immediately). If you are lucky, no damage has been done… yet. If you are unlucky, you may be too late and the bank may not be able to recover funds stolen from you via your compromised card. Hence the haste needed.
Report suspected fraud and scams to the relevant authorities
Every country has their own authority structure that deals with fraud, scams and cybercrime.
In South Africa, the unit that deals with cybercrime is SABRIC (South African Banking Risk Information Centre). Their contact details are here: https://www.sabric.co.za/contact-us/
Report website vulnerabilities to the website owners / managers
If you find vulnerabilities on Holisteeq’s website, please disclose them confidentially to us so we may address them before they get exploited. Please send an urgent priority email to our Information, Privacy and Security Officer, at firstname.lastname@example.org, with as many details of the vulnerability as possible, especially what we need to know to reproduce the issue and validate it.
We expect legit security researchers to avoid privacy and security violations; not destroy or corrupt our precious data; and not interrupt or degrade our valuable services; and not waste our limited time. We only read reports that have been encrypted using our PGP public key, so make sure you download the Bounteeq PGP Key for your report:
There is a ton of information available online to highlight everyday, small things you can do to protect yourself and your data.
In particular, for Saffas, SABRIC (South African Banking Risk Information Centre) has a wealth of information on its website, suited to the flavour of scams we experience at a local level. Feel free to read more at https://www.sabric.co.za/