Everyone shops online these days, and every day more and more people come to depend on e-commerce. It isn’t just books from Amazon anymore — it’s groceries and movies, clothing and prescription drugs — pretty much anything and everything.
The sheer volume of online commerce is staggering. In 2013 (the latest year with available data), the total volume of online commerce in the US alone was 5.99 trillion dollars, accounting for 57% of all manufacturing and shipments. This is truly incredible.
And yet, it should also give us at least a moment’s pause to consider whether all this financial activity is safe, and how we can best protect ourselves against problems like fraud and identity theft.
What are the possible risks of online transactions
There are two major categories of risks in online transactions:
- Fraud — the risk that the other party in a transaction (the online store) is itself fraudulent, and will simply take your money without providing the goods or services you are paying for
- Breach — the risk that your payment information, or other sensitive personal data, may be stolen by a third-party
Each of these types of risks has to be dealt with differently.
Dealing With the Risk of Fraud
When you walk into a real-world store and pick up an item, you can be pretty sure that you’ll be able to walk out of the store with it after you pay. You might find out after getting it home that it doesn’t work or has some other problem, but at the very least you know that item really exists and that it is your possession.
Moreover, if there is a problem — if the item isn’t everything it seemed to be before you bought it — you can go go back to the store and attempt to deal with the issue. We tend to take this for granted when we are shopping, but there is a whole complex combination of factors that make us feel safe about buying things from a store.
“In 2013 the total volume of online commerce in the US alone was 5.99 trillion dollars“
We know that, given the cost and difficulty of setting up a business, renting space, and filling a store with inventory, it is unlikely that the stores we walk into are essentially scams — anyone willing to go to that much trouble would just set up a legitimate business. We also have a sense of permanence, or at least long-term stability, when we drive by a store (or imagine others doing so) day after day.
We know about zoning laws and business permits and safety inspections and the IRS — if not in detail, at least in general, enough to feel basically secure in the notion that something that looks like a respectable business would have a hard time fooling all the people and agencies that matter.
Online stores shouldn’t carry any of this credibility with them. It is very easy to set up a beautiful e-commerce site, and can be done for almost no investment at all. Sites we access from our homes in stable countries like the U.S. and England might just as easily be running on servers in Nigeria as in our home country. It’s not that hard to be anonymous online, and its incredibly easy to close up shop and disappear. There might be warehouses full of inventory, or there might not be — how would you know?
And yet, because of our mostly automatic trust of retail stores, we tend to trust online stores — as long as they are designed well and the buttons are pretty. But we shouldn’t just make these assumptions.
“It is very easy to set up a beautiful e-commerce site, and can be done for almost no investment at all…and it's incredibly easy to close up shop and disappear.”
The best way to be sure that an online store is “for real” is to see if other people are using it. Do a Google search for the name. Ask around. Visit their Facebook page and see if there is genuine activity.
Also — think about how you got to the store in the first place. Was it a banner ad on some random content site with lists about cats? Was it an unsolicited email? A recommendation from a friend? A search engine result?
Online shopping makes compulsive buying so much easier, but if that amazing product you just have to have is one a website that you’ve never seen before, and you can’t find anyone who has had a good experience, and the Facebook page seems mostly dead, and you heard about the whole thing in an email — well, maybe you should try to find another supplier.
Badges, Certificates, and Seals of Approval
It really shouldn’t have to be said, but — a picture of a gold medal, shield, or ribbon is hardly a guarantee of anything. Anyone who wants to lie about selling things probably doesn’t care if they are also lying about being certified by the Customer Response and Assistance Panel.
Dealing with Breaches
Most problems with online transactions don’t involve fraud. Generally speaking, if you can figure out how to get people to your website and sell them things, it’s easier to just actually sell them things rather than try to rip them off.
No, the more common issue is third party interception of your data. There are three places where your credit card numbers and other data are vulnerable:
- On your computer, when entering them
- In transit, when the data you have entered is being sent to the server
- On the company’s server
On the Company’s Server
The majority of major credit card information breaches have been attacks carried out against major retailers. But here’s the important thing — most of those breaches have impacted in-store retail customers.
Shopping online is safer now than ever before. Every time there's a major breach, major companies accelerate efforts to protect their data. So ecommerce tends to get safer over time.
Companies store and process your data the same way whether you purchased online or in the store. Once the data gets to them, it doesn’t really matter how it got there. It is just as vulnerable, or just as safe, either way.
While the news of several high-profile retail attacks in the last few years might seem like cause for concern, it actually likely means we are safer now than we were before. Every time something like that happens, major companies begin or accelerate efforts to protect their data. We tend to get safer over time.
Also, while in-store retail establishments have had to grow into caring about data security, online stores have had to consider it from the beginning. Which means that, other things being equal, online store data is probably safer — it would be much more surprising to see a data breach at Amazon than (for example) Radio Shack.
And smaller online retailers benefit as well because they don’t usually run their own transactions and keep their own customer credit card data. Smaller stores running PayPal or another highly-trusted payment processor are getting the security benefit of a major online company.
Intuitively, it would seem that the riskiest place for data like credit card numbers would be in transit between your computer and the website’s server.
That’s almost true. But because that is so obvious, because it would be so easy to intercept this data, this was the first place where serious security measures were implemented. And, since these security measures must be impervious to compromise (even if the data is intercepted), this is usually the safest time for data in the whole process.
The key safe data transit is a technology broadly known as Public Key Cryptography, which is implemented using SSL.
Never submit your credit card details, or any other sensitive personal information, unless you are connected to it with a valid https session.
Public key cryptography is mathematically complex, and was a major breakthrough in cryptographic science — but it isn’t that hard to understand. Each party has a pair of matched keys — a public key and a private key. Everyone has access to everyone else’s public key. If you want to send a message to someone, you encrypt it using the public key — this means running your message through a complex algorithm which include the public key as a variable. Once encrypted, only the private key can be decrypt it.
The private key can also be used to “sign” a message. The sender encrypts the message using the private key — only the public key can decrypt it. This means everyone can read the message, but only the owner of the private key can generate it — it cannot be forged.
When you connect with a website using HTTPS (secure HTTP, or HTTP with SSL), this technology is used to negotiate an encrypted session between you and the website server. The fact that you are talking a legitimate server in the first place (and not a spoof of a trusted website) is handled by third-party identification through SSL Security Certificates.
Your browser automatically checks for SSL and valid security certificates. You will see a warning from your browser if the security certificate for an HTTPS site is missing or invalid.
You can tell if you are using a valid SSL connection to a site by looking at your address bar in your browser. If the current session is secure, the URL will be prefixed by https, and there will usually be a small padlock icon.
Do not submit your credit card details, or other sensitive personal information, unless you are connected to it with a valid https session. This is one of the most important security precautions you can take.
Do not ignore warnings from your browser about invalid security certificates, and do not buy things online unless you are using an HTTPS session.
On Your Computer
When you are entering credit card information on a website, those numbers are accessible at several points on your computer. They are typed by your keyboard, they are stored in memory on your browser.
If your computer is compromised by a computer virus or other exploit, an attacker could gain access to your credit card number or other personal data. This might be done by a keylogger that is running on your computer, or some malware that has infected your browser.
In order to prevent this sort of thing from happening to you, keep the following security measures in mind:
- Use anti-virus software on your computer
- Use an up-to-date, modern web browser (not Internet Explorer)
- Do not use browser apps and plugins unless you trust the company that made them — these apps often have access to in-browser data
- Keep your browser up to data — install any recommended upgrades and security patches
- Keep your browser apps and plugins up to date — install any recommended upgrades and security patches
- Disable browser plugins when you aren’t using them
- Do not visit suspicious websites
Other Ways to Protect Yourself
Use Credit Cards, not Debit Cards
If you are a repeat customer of a trusted online merchant, it is probably safer to let them store your credit card information than to resend it to them every time you make a purchase.
If fraudulent charges do occur, it is much better for them to be associated with your credit card, rather than your debit card. A fraudulent charge related to your credit card is usually very easy to sort out, and the charges will usually be dropped. With debit cards, it is trickier because the money has actually been withdrawn from your account and needs to be credited back to you.
Most credit card companies have some kind of fraud detection and prevention service available, and you should use it. These systems monitor charge activity, looking for unusual patterns — like a charge at a store you never go to in a city you’ve never been in. The company will then hold the charge and contact you. This type of service is invaluable if you shop online.
Stored Credit Card Information
If you do a lot of your shopping at a large online store with a highly trusted approach to security, it is probably safer to let them store your credit card than it is to retype and send it to them every time.
Use Prepaid Cards
If you are really concerned, but have some need to run a credit card transaction with an untrusted seller, you could use prepaid cards. With this solution, you might lose the money you spent, but it would protect you personally from additional loss or fraudulent charges. If you can buy the cards with cash, you may even be able to use this as a method to protect your anonymity.
Bitcoin is an alternative currency based on public key cryptography and a distributed accounting system. All Bitcoin transactions must be verified by the buyer with their private key, which is never shared with anyone else. This provides a high level of security against future fraudulent charges. Bitcoin can also be used to lend a layer of anonymity.
When PayPal payments are an option, it is usually the safest way to send money to a seller — with PayPal, the seller never sees or processes your credit card information. The data transport security, and the data storage security, are all handled by PayPal.
Be careful, but Don’t Worry
It is important to be careful with online transactions — but the simple steps outlined above can bring your risk down to an acceptably low level. If you take the proper precautions, there’s no reason you can’t enjoy shopping online.