Five tips to ensure safe online shopping

Online shopping is convenient. Unfortunately, that convenience can put your personal and financial information at risk. Michael Kassner shares some lessons he had to learn the hard way.

I am writing this because I need a refresher course in how to shop online. I recently made some mistakes. I was in a hurry, and my credit card information was stolen. It's embarrassing when the bank calls, asking if I really want a paid subscription to a Web site of ill repute.

The bank closed the account and sent me a new credit card, no big deal. Or so I thought. I managed to forget about the monthly charges associated with the card. Enlightenment came when I received a call from my YMCA representative. She wanted to know why the charges were not going through. Oops.

Recently, I've been writing quite a bit about debit/credit card scams. So it seemed like a good idea to cover the risks of online shopping and share what I learned from my research and my real-world teaching moment.

1: Use a credit card provider that offers one-time credit card numbers

This is where I got sloppy. I normally use a credit card provider that offers one-time numbers. But I was in a hurry and didn't. What I gained at the moment was lost times 10 when I had to clean up my mess. Using my one-time credit card number would have removed any possibility of someone reusing the stolen information.

2: Make sure the Web site is valid and trustworthy

I recently wrote a piece on Blackhat SEO and how criminals are subverting real Web sites with malware or creating believable copies of real Web sites loaded with malware. I suggest using one or more of the site-rating Web-browser extensions. If the site is problematic, you will know.

Some of the better-known extensions are Web of Trust, LinkExtend, and McAfee SiteAdvisor. You also have the option to check questionable domains on the extension developer's Web site.

3: Check to see whether the Internet connection is secure

This may seem obvious, but people get lulled into complacency. I have to remind myself to double-check that a closed padlock is displayed, that https is used, and that the certificate is valid -- ideally, an EV certificate. Each Web browser uses a slightly different approach, so make sure you understand how your browser advertises secure Internet connections.

4: Beware of deceptive or disguised offers

Last year, I wrote an article about coupon-click fraud and how people were unknowingly signing up for programs or offers they did not want. When you're filling out the information required to make an online purchase, carefully read what all the check boxes represent, regardless of whether they're selected. Opt-in and opt-out wording may be interchanged.

5: If actively shopping on the Internet, check often for unusual debit/credit card transactions

This tip is important. In almost all cases, discovering fraudulent charges early will lessen the impact of the problem. In fact, financial institutions usually absorb the charges if they're reported within a few days. So check often and know the liability limits used by your debit/credit card provider.

Extra tip: Call the order in if there is any doubt

Sounds simple enough, but many people don't think of it. If I have any concerns at all, I will call the order in. The company may still have problems, but you don't have to worry about its Web site being malicious or phishing for your financial information.

Another extra tip: Keep track of monthly or revolving debit/credit card charges

I now have a list of all my monthly charges, like the YMCA. I hope I won't need it, but if my credit card information is compromised again, I will know who to contact.

Final thoughts

I got caught, giving convenience the nod over security. The above advice should prevent a reoccurrence. I hope I take it.


About

Information is my field...Writing is my passion...Coupling the two is my mission.

49 comments
temgirevikas

Good blog on online shopping, and those 5 tips must be taken into consideration.

jimmeq

Good advice. While I've been an "on line" shopper since the Mail-Order days back in the Seventies, I still read articles on buying securely. Note to the author and others that even calling in an order has its security issues. The person you gave your CC info to can use it, sell it, etc. Last report about ID theft stated it is still largely "physical matter" such as records thrown out not shredded, and so forth. So far I have been lucky as I do shop on line quite a bit.

Snuffy09

I never buy anything from a homemade / shady looking site. They always seem to have such great deals too, like 10$ for a new wireless mouse but shipping is 15$ :^/ Even when buying from normal sites you have to look out for ads at the check-out where you can save 5-10 bucks the next time you shop if you sign up for their "offer". Deep in the fine print it talks about charging you 2 bucks a month in fees. Everyone is out to get something for nothing... now more than ever since nobody has a JOB!

ellings

your bank offers free checking: Open a 2nd checking account, request they NOT mail checks -- just a VISA Debit card for it. Before you shop, transfer an appropriate amount of $$ into the 2nd account. If account info for your 'dummy' account falls into the wrong hands, very little damage is done, and it is easy to close it and open a new checking account.

TobiF

Does the online shop offer any contact details?
Web contact form: 1 point
Email address: 2 points
Phone number: 3 points
Postal address: 4 points
Street address: 5 points
Online branch of a well-known brick&mortar (and you got the address from the real shop): 20 points
Oh: If they say, we're secure, because we use SSL: -30 points! (Because this is a paraphrase for "We have no clue")

TobiF

There are a couple of big players offering payment handling. If the shop has one of these as an option, then that could be a good choice for you as a buyer. I wouldn't say that I'm overly happy to share my card details with Google, but if that allows me to NOT SHARE my details with Nice-Office-Import-Export.com, then I don't need to think long.

Frugal1

Good stuff. Also, always look for merchant reliability indications (aka merchant certifications) so you know that you're dealing with a reputable retailer. SortPrice.com, for example, recognizes retailers who offer honesty and good customer service with a seal next to the merchant's name on the site. Always good to look for these kinds of things!

merlock

One of the biggest ways to protect yourself is to never, *EVER* use your bank's debit/check card online. While you just don't pay (and properly dispute) bad credit card charges, if the bad guys get your debit card, the money is gone from your account(s) right then. The bank will probably make you whole, but how many checks will bounce/online bills bounce, associated fees and credit reports posted? Personally, I've almost totally gotten away from the debit card totally, except at the bank ATM.

cbader

Can you recommend a service to use?

Jaqui

again, the pre-paid credit cards available from some banks. [ or the Titanium Plus Visa and Mastercard from Money Mart here, backed by a credit union ] prove their value for online transactions. use of such a card means in this case you would have had no problems, the charge for the website of ill repute would have failed, notification of the attempt emailed to you, and no lost finances, or hassle from changing cards.

cperry

Often when you call in the order, the person on the other line (who may or may not directly work for the company you are buying from) is simply putting your credit card information into their website anyway. How does that really increase security?

AnsuGisalas

We need sluices. Like, having an account partition that holds the net banking and its verified transactions. Then, a different partition that holds the credit card transactions, and these cannot be upped into the regular partition, except via the netbank. Then you could flush the card account partition, keeping your regular stuff unharmed.

Michael Kassner

You are correct in expressing concern about any check boxes when you are finalizing the transaction. Watch out for opt-in and opt-out switching.

Michael Kassner

I guess I would never know what the appropriate amount would be.

Michael Kassner

I learned something else today. I was hoping this piece would bring out all sorts of other solutions.

Michael Kassner

Good point, not many realize all the other stuff that gets messed up, unless you have overdraft insurance.

prince324

I've used this feature for years with my AT&T Universal Personal card. There is both an online generator and a downloadable app that can sit in the Notification Area for very quick access. The app can fill in the whole order form too. https://www.accountonline.com/cards/svc/OutsideView.do?forward=Index&siteId=AC&langId=EN PayPal is terminating their very nice feature of generating a one-time-use Mastercard linked to the PayPal account. They also offered both web driven and a downloadable plugin. This did not require a formal Mastercard contract with them; it was just a code linking to the PayPal acct. I've now gone back to my AT&T Universal card.

Michael Kassner

Is the one I use. In fact, the card is only used for online transactions. They have a client (not so crazy about) or you can log into their web site. I will say that I have the premium edition of this anti-keylogger on my system too: http://www.qfxsoftware.com/ Stay tuned for an article about it.

Michael Kassner

The reason this helps is it removes compromise of your web browser, Man in the Browser, and MitM attacks from play.

Michael Kassner

It isn't getting any easier out there. I am researching where second-factor authentication via a mobile phone is under attack.

Michael Horowitz

A nice feature of Firefox is that with a little tweaking, it can be made to display every secure HTTPS web page with a green address bar. This makes it easier to be aware of secure vs. insecure pages. See http://blogs.computerworld.com/make_firefox_flag_secure_web_pages_as_green The problem, however, with all secure web pages is that the trust in SSL is basically a scam. Any of hundreds of organizations can issue certificates - for anyone or anything. For example, the real amazon.com certificate may come from Verisign, but you can view a scam secure page at amazon.com where the certificate comes from spyagency4. Nothing anywhere says that only Verisign can certify amazon.com. So, it's not sufficient to simply know that a page is HTTPS, you also need to know which organization (CA being the lingo, for Certificate Authority) is vouching for the page/site. Unfortunately, this information is not front and center. And, even if it was easily visible, there is no way to know if CA3 is supposed to verify website5.

techrepublic@

My bank provides an optional service where an e-mail warning is sent on bank account or credit card movements. Recently, in early July, I think, one of these e-mails helped me notice a credit card transaction that I had not authorized. I immediately called my bank to check on it, and about 20 minutes later had the transaction cancelled. The best way to catch unauthorized transactions is constant vigilance, and this kind of service helps.

seanferd

Thank you for sharing. Every little bit helps people understand better how to protect themselves.

ellings

If I'm heading off to a bohemian Saturday Market (sooo insecure), who knows how much I'm going to spend (maybe nothing), so I login and transfer more than I think I'll spend into my 'dummy' account before I go. When I get back home, I transfer back all but about $20. More often than not, I know what I'm shopping for, so right before I click "Buy Now", I login to my bank and transfer what I need just to cover my purchase. If I'm shopping for multiple items (ie, Christmas shopping), by the time I've decided and price-compared, I know what I'm about to spend and transfer accordingly. The idea is to keep the least amount in your 'dummy' account as possible, and don't let transferred funds stay there very long. Either way, your 'real' funds/account are never at risk. My bank offers free checking accts AND transfers between them. Yours 'should' too! Shelly

Michael Kassner

I did not know about at&t having a one-time card number system.

Jaqui

aren't perfect, but they do severely limit the damages possible. here, the pre-paid Mastercard is a 7.95/mo fee. the Visa is 9.95/mo plus a 1.50 transaction fee. these are the only 2 pre-paid cards readily available in Canada. [ since the store gift cards are useless for online purchases, but are effectively non-refillable, no fee, pre-paid cards for the store issuing them ]

Jaqui

but then, if you don't put a lot of money on it at any time, that loss is minimized. I use one for online transactions, and usually only put 5 or 10 dollars more than I know I'll be using on it, just before doing the transaction. so I could lose 5 to 10 bucks.

mla_ca520

If the person you are calling is entering order and card info into a web site, there is a decent chance that they are falling prey to Man in the middle or something like that. We simply don't know who we are calling or what type of security is implemented on their system. Could be a work at home order taking college student with no mind towards security.

AnsuGisalas

Not that I've ever wrinkled my nose at cash. But it's hard to shop online with cash, that's a fact. How does PayPal line up security-wise?

AnsuGisalas

How hard would it be to have a list where CAs and their clients come clean on their relation? Then an app could check against that list to verify a secure website as legit... Still not scam-free but at least it cuts out some of the fog, and protects website owners against counterfeiting.
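
The checks from tip 3 (validity period, hostname) combined with the issuer question raised by Michael Horowitz and the CA-to-site list proposed above, as an added example that is not part of the article or of any commenter's post. The `EXPECTED_ISSUERS` list, the host `shop.example`, the CA name and the certificate data are constructed for illustration; for a live site the dict would come from `ssl.SSLSocket.getpeercert()` after a verified handshake.

```python
import ssl
import time

# Hypothetical record of which CA organization each site is expected to use.
# Host and CA names are constructed for this example, not real issuance data.
EXPECTED_ISSUERS = {"shop.example": {"Example Trust CA"}}

def field(rdns, key):
    """Pull one attribute out of the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def check_cert(cert, hostname, now=None):
    """Return the problems found in a getpeercert()-style certificate dict."""
    now = time.time() if now is None else now
    host = hostname.lower()
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Exact-name match only; wildcard names are left out to keep this short.
    names = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if host not in names:
        problems.append("hostname mismatch")
    # Issuer check: is the CA vouching for this site the one we expect?
    issuer = field(cert.get("issuer", ()), "organizationName")
    expected = EXPECTED_ISSUERS.get(host)
    if expected is None:
        problems.append("no expected issuer on record")
    elif issuer not in expected:
        problems.append(f"unexpected issuer: {issuer}")
    return problems

def sample_cert(issuer_org, not_after="Jan  1 00:00:00 2031 GMT"):
    """Constructed certificate data in the shape ssl's getpeercert() returns."""
    return {
        "subject": ((("commonName", "shop.example"),),),
        "issuer": ((("organizationName", issuer_org),),),
        "notBefore": "Jan  1 00:00:00 2030 GMT",
        "notAfter": not_after,
        "subjectAltName": (("DNS", "shop.example"),),
    }

NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2030 GMT")  # fixed clock

if __name__ == "__main__":
    for org in ("Example Trust CA", "spyagency4"):
        print(org, "->", check_cert(sample_cert(org), "shop.example", NOW) or "ok")
```
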

TobiF

Customers love it, of course. And some banks even charge some small money for the cost of sending the text messages. But the real winner is the bank. In case of fraud, they're almost guaranteed to quickly get a call from the customer.

Michael Kassner

I should have mentioned that. My bank does that, but I don't know if other credit card companies do.

Michael Kassner

It is interesting, when you fall into the do as I say, not as I do trap.

Michael Kassner

Seems like you have a good system. I will check into it.

Michael Kassner

I was in Sweden a few months ago and my credit card didn't work. I then realized that I forgot to tell my bank that I was there. They received a request from the rental car place and immediately blocked it. That was my bank credit card, I had another one that did not have that problem. Not sure why one worked and the other didn't.

thomaskent

A few years ago, my wife used her debit card to order a "medic-alert" bracelet. The same day, she used it to order a set of hospital scrubs. One of the two online businesses compromised her debit card number and the next thing I knew, someone in Paris, France had ordered an upgrade for World of Warcraft with her debit card number. They had also ordered some piece of electronic equipment. We've never been to Europe, much less France. Fortunately, since I check our bank account online almost every day, I spotted it and printed out my statement and took it to my bank. They contacted my bank's fraud division, who investigated it and ultimately reversed the charges - including the overdraft charges. (It came to $74.00). Since then, I have alerts for deposits, withdrawals and charges sent to my email account. You can set the limit for the alerts at any amount you feel comfortable with. I have mine set at $1.00, so I'm alerted WHENEVER I (or anyone else) makes a transaction. This is with Wells Fargo Bank.

homeclown

how many of these order takers are prisoners - or is that an urban legend?

Michael Kassner

I made an assumption and that may be a wrong move. Businesses are slowly being regulated to protect PII, so I would hope those sorts of things would come into play.

Michael Kassner

I still like the idea of only one place having my credit-card info.

Murfski-19971052791951115876031193613182

PayPal used to offer the one-time credit card, but they quit doing it. I keep a certain amount on my PayPal cash account and use that when the vendor accepts PayPal. If I run short, I add some from my bank account. It also discourages impulse purchases, because it takes a couple of days to effect the transfer.

Michael Kassner

I like the fact that only one place has your financial information, albeit credit card only. I did not set up my actual bank accounts with them. They need competition to keep them honest. It is a pain, but I still think my credit card with one-time numbers is the best bet. I do use PayPal when it is the only option though.

Michael Kassner

Email and SMS messages. I wish other companies would do that as well.