Thank you for sharing. Every little bit helps people understand better how to protect themselves.
It is interesting, when you fall into the do as I say, not as I do trap.
check how popular the site is and how old the website is.
I use http://reviewandjudge.org/ to check it.
My bank provides an optional service where an e-mail warning is sent on bank account or credit card movements.
Recently, in early July, I think, one of these e-mails helped me notice a credit card transaction that I had not authorized. I immediately called my bank to check on it, and about 20 minutes later had the transaction cancelled.
The best way to catch unauthorized transactions is constant vigilance, and this kind of service helps.
I should have mentioned that. My bank does that, but I don't know if other credit card companies do.
Customers love it, of course.
And some banks even charge some small money for the cost of sending the text messages.
But the real winner is the bank. In case of fraud, they're almost guaranteed to quickly get a call from the customer.
A nice feature of Firefox is that with a little tweaking, it can be made to display every secure HTTPS web page with a green address bar. This makes it easier to be aware of secure vs. insecure pages. See
http://blogs.computerworld.com/make_firefox_flag_secure_web_pages_as_green
The problem, however, with all secure web pages is that the trust in SSL is basically a scam. Any of hundreds of organizations can issue certificates - for anyone or anything.
For example, the real amazon.com certificate may come from Verisign, but you can view a scam secure page at amazon.com where the certificate comes from spyagency4. Nothing anywhere says that only Verisign can certify amazon.com.
So, it's not sufficient to simply know that a page is HTTPS, you also need to know which organization (CA being the lingo, for Certificate Authority) is vouching for the page/site. Unfortunately, this information is not front and center. And, even if it was easily visible, there is no way to know if CA3 is supposed to verify website5.
How hard would it be to have a list where CAs and their clients come clean on their relation? Then an app could check against that list to verify a secure website as legit... Still not scam-free but at least it cuts out some of the fog, and protects website owners against counterfeiting.
We need sluices.
Like, having an account partition that holds the net banking and its verified transactions.
Then, a different partition that holds the credit card transactions, and these cannot be upped into the regular partition, except via the netbank.
Then you could flush the card account partition, keeping your regular stuff unharmed.
It isn't getting any easier out there. I am researching where second-factor authentication via a mobile phone is under attack.
Not that I've ever wrinkled my nose at cash.
But it's hard to shop online with cash, that's a fact.
How does PayPal line up security-wise?
I like the fact that only one place has your financial information, albeit credit card only. I did not set up my actual bank accounts with them.
They need competition to keep them honest.
It is a pain, but I still think my credit card with one-time numbers is the best bet. I do use PayPal when it is the only option though.
PayPal used to offer the one-time credit card, but they quit doing it. I keep a certain amount on my PayPal cash account and use that when the vendor accepts PayPal. If I run short, I add some from my bank account. It also discourages impulse purchases, because it takes a couple of days to effect the transfer.
Often when you call in the order, the person on the other line (who may or may not directly work for the company you are buying from) is simply putting your credit card information into their website anyway. How does that really increase security?
The reason this helps is it removes compromise of your web browser, Man in the Browser, and MitM attacks from play.
If the person you are calling is entering order and card info into a web site, there is a decent chance that they are falling prey to Man in the middle or something like that. We simply don't know who we are calling or what type of security is implemented on their system. Could be a work at home order taking college student with no mind towards security.
I made an assumption and that may be a wrong move.
Businesses are slowly being regulated to protect PII, so I would hope those sorts of things would come into play.
A few years ago, my Wife used her debit card to order a "medic-alert" bracelet. The same day, she used it to order a set of hospital scrubs.
One of the two online businesses compromised her debit card number and the next thing I knew, someone in Paris, France had ordered an upgrade for World of Warcraft with her debit card number. They had also ordered some piece of electronic equipment. We've never been to Europe, much less France.
Fortunately, since I check our bank account online almost every day, I spotted it and printed out my statement and took it to my bank.
They contacted my bank's fraud division, who investigated it and ultimately reversed the charges - including the overdraft charges. (It came to $74.00).
Since then, I have alerts for deposits, withdrawals and charges sent to my email account. You can set the limit for the alerts at any amount you feel comfortable with. I have mine set at $1.00, so I'm alerted WHENEVER I (or anyone else) makes a transaction. This is with Wells Fargo Bank.
I was in Sweden a few months ago and my credit card didn't work. I then realized that I forgot to tell my bank that I was there. They received a request from the rental car place and immediately blocked it.
That was my bank credit card, I had another one that did not have that problem. Not sure why one worked and the other didn't.
again, the pre-paid credit cards available from some banks.
[ or the Titanium Plus Visa and Mastercard from Money Mart here, backed by a credit union ]
prove their value for online transactions.
use of such a card means in this case you would have had no problems, the charge for the website of ill repute would have failed, notification of the attempt emailed to you, and no lost finances, or hassle from changing cards.
but then, if you don't put a lot of money on it at any time, that loss is minimized.
I use one for online transactions, and usually only put 5 or 10 dollars more than I know I'll be using on it, just before doing the transaction.
so I could lose 5 to 10 bucks.
aren't perfect, but they do severely limit the damages possible.
here, the pre-paid Mastercard is a 7.95/mo fee.
the Visa is 9.95/mo plus a 1.50 transaction fee.
these are the only 2 pre-paid cards readily available in Canada.
[ since the store gift cards are useless for online purchases, but are effectively non-refillable, no fee, pre-paid cards for the store issuing them ]
Is the one I use. In fact, the card is only used for online transactions. They have a client (not so crazy about) or you can log into their web site.
I will say that I have the premium edition of this anti-keylogger on my system too:
http://www.qfxsoftware.com/
Stay tuned for an article about it.
I've used this feature for years with my AT&T Universal Personal card. There is both an online generator and a downloadable app that can sit in the Notification Area for very quick access. The app can fill in the whole order form too.
https://www.accountonline.com/cards/svc/OutsideView.do?forward=Index&siteId=AC&langId=EN
PayPal is terminating their very nice feature of generating a one-time-use Mastercard linked to the PayPal account. They also offered both web driven and a downloadable plugin. This did not require a formal Mastercard contract with them; it was just a code linking to the PayPal acct.
I've now gone back to my AT&T Universal card.
I did not know about at&t having a one-time card number system.
One of the biggest ways to protect yourself is to never, *EVER* use your bank's debit/check card online. While you just don't pay (and properly dispute) bad credit card charges, if the bad guys get your debit card, the money is gone from your account(s) right then. The bank will probably make you whole, but how many checks will bounce/online bills bounce, associated fees and credit reports posted? personally, I've almost totally gotten away from the debit card totally, except at the bank ATM.
Good point, not many realize all the other stuff that gets messed up, unless you have overdraft insurance.
Good stuff. Also, always look for merchant reliability indications (aka merchant certifications) so you know that you're dealing with a reputable retailer. SortPrice.com, for example, recognizes retailers who offer honesty and good customer service with a seal next to the merchant's name on the site. Always good to look for these kinds of things!
I learned something else today. I was hoping this piece would bring out all sorts of other solutions.
There are a couple of big players offering payment handling.
If the shop has one of these as an option, then that could be a good choice for you as a buyer. I wouldn't say that I'm overly happy to share my card details with Google, but if that allows me to NOT SHARE my details with Nice-Office-Import-Export.com, then I don't need to think long.
Does the online shop offer any contact details?
Web contact form: 1 point
email address: 2 points
phone number: 3 points
Postal address: 4 points
Street address: 5 points
Online branch of a well-known brick&mortar (and you got the address from the real shop): 20 points
Oh: If they say, we're secure, because we use SSL: -30 points! (Because this is a paraphrase for "We have no clue")
your bank offers free checking:
Open a 2nd checking account, request they NOT mail checks -- just a VISA Debit card for it. Before you shop, transfer an appropriate amount of $$ into the 2nd account. If account info for your 'dummy' account falls into the wrong hands, very little damage is done, and it is easy to close it and open a new checking account.
I guess I would never know what the appropriate amount would be.
If I'm heading off to a bohemian Saturday Market (sooo insecure), who knows how much I'm going to spend (maybe nothing), so I login and transfer more than I think I'll spend into my 'dummy' account before I go. When I get back home, I transfer back all but about $20.
More often than not, I know what I'm shopping for, so right before I click "Buy Now", I login to my bank and transfer what I need just to cover my purchase. If I'm shopping for multiple items (ie, Christmas shopping), by the time I've decided and price-compared, I know what I'm about to spend and transfer accordingly.
The idea is to keep the least amount in your 'dummy' account as possible, and don't let transferred funds stay there very long. Either way, your 'real' funds/account are never at risk. My bank offers free checking accts AND transfers between them. Yours 'should' too!
Shelly
I never buy anything from a homemade / shady looking site. they always seem to have such great deals too. like 10$ for a new wireless mouse but shipping is 15$ :^/
Even when buying from normal sites you have to look out for ads at the check-out where you can save 5-10 bucks the next time you shop if you sign up for their "offer" deep in the fine print it talks about charging you 2bucks a month in fees.
everyone is out to get something for nothing... now more than ever since nobody has a JOB!
You are correct in expressing concern about any check boxes when you are finalizing the transaction. Watch out for opt-in and opt-out switching.
Good advice. While I've been an "on line" shopper since the Mail-Order days back in the Seventies, I still read articles on buying securely.
Note to the author and others that even calling in an order has its security issues. The person you gave your CC info to can use it, sell it, etc. Last report about ID theft stated it is still largely "physical matter" such as records thrown out not shredded, and so forth.
So far I have been lucky as I do shop on line quite a bit.
Good blog on Online shopping and those 5 tips must take in consideration