17 Dec, 2014

5 Tips for Secure Online Shopping

by John Poulin

With the holiday season in full swing, more folks are shopping online than any other time of the year. With the recent breaches of Target and Home Depot, many consumers are beginning to understand the need for exercising caution when shopping online.

This blog post will highlight a few tips and tricks to help consumers stay secure when shopping online.

1) Only Use Trusted Sites

When shopping in person, there’s a growing tendency to shop at local mom and pop shops as opposed to large chains. When shopping on the internet, however, I recommend only making purchases at trusted and well-established stores.

Since you’re reading this blog post, it’s probably safe to say that you’d like some recommendations for sites to use.

Amazon.com

Amazon, which most of you have heard of by now, offers a great solution. They have a well-tested and established marketplace that allows vendors (including mom and pop shops) to sell products.

Etsy.com

Etsy is an interesting tool that allows users to “Turn (their) Passion Into a Business,” essentially allowing anyone to open an online marketplace to sell products. Payments and transactions are handled by the Etsy infrastructure. This is a great way to provide business to smaller shops in a safe and secure manner.

Google Trusted Stores

Google Trusted Stores is a rating that Google places on stores it considers trusted. The rating indicates that the web store is reliable, reliable enough for Google to offer $1,000 of purchase protection on orders. It’s worth mentioning, though, that the Google Trusted Store rating does not offer any guarantees relating to the security of the store itself; it measures shipping and customer-service performance, not how the site handles your data (expect a blog post in the near future ;) ).

Google Trusted Stores can be identified by the badge appearing on the site. Generally, this is placed in the footer but may also be placed anywhere on the page. Bear in mind that an image of the badge proves nothing on its own; anyone can copy a logo onto a page, so treat it the same way as the on-page padlocks discussed in the next tip.

Unfortunately for us, it doesn’t appear that Google provides a list of Trusted Stores. Users must therefore discover these resources on their own.

2) Ensure That You’re Browsing the Secure Site (SSL/TLS)

For years we have been taught that padlock icons indicate a website is secure. This is incorrect. The only padlock icon that means anything is the one your browser draws in the URL bar (its appearance varies depending on your browser).

But what does this padlock mean? It means that the website is using SSL/TLS and that your browser verified the site’s certificate matches the domain you typed. Simply put, your information is encrypted before being transported; this keeps other users on your network from reading or tampering with the data you submit to the website. It does not mean the site itself is trustworthy or well written, only that the connection between you and it is protected.

It’s important to ensure that the application is using SSL/TLS when browsing the following areas of the website:

  • Account Creation
  • Login
  • Checkout

Just take a look at the URL bar in your browser. Look for the padlock. If the padlock is red, crossed out, or the browser issues any warnings, do not use that site. Each of these conditions indicates that the browser could not verify the certificate, and any data you transmit may be intercepted.

One thing worth noting: if padlock icons appear on the webpage itself (not in the URL bar of the browser), it indicates nothing about the site’s security. They can be placed on the page by the administrator or via other means and can be used in an effort to trick victims into thinking that the site is secure.

Just seeing the green padlock icon isn’t always enough of a verification. Websites can implement SSL/TLS in a large number of ways, some of which are inherently insecure and offer little protection (old protocol versions, weak ciphers, and so on). If you want to know for sure how well a site utilizes SSL/TLS, run a test via SSL Labs (ssllabs.com). This service will attempt to rate/grade the SSL/TLS configuration of the provided website.

I would only recommend using sites with an overall rating of C or better. Keep in mind that the grade covers the TLS configuration only; it says nothing about the security of the application behind it.

Unfortunately, SSL/TLS doesn’t protect from all malicious cases. It protects data in transit, not the endpoints: if a site sets its session cookie without the Secure flag, or drops back to plain HTTP on some pages, it may still be possible for attackers on your network to hijack your session or intercept sensitive data. Be sure to read tip #5: Shop at Home, Not in Public.
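To make concrete what the browser’s padlock actually checks, here is an added example (not code from the original post) that performs the same verification a browser does, certificate chain plus hostname, using Python’s standard ssl module, and then reports the negotiated protocol version and cipher. The weak-protocol and weak-cipher lists in assess_connection() are this example’s own simple policy, loosely mirroring the kinds of problems SSL Labs penalizes; they are not SSL Labs’ grading scheme. The default host is an assumption for illustration; pass any shop’s login or checkout host on the command line.

```python
"""Verify a shop's TLS endpoint the way a browser does and flag weak settings.

Added example, not from the original post. The WEAK_* policy below is this
example's own assumption, not SSL Labs' grading.
"""
import socket
import ssl
import sys
import time

# Protocol versions and cipher-suite fragments treated as unacceptable here.
# SSLv2/SSLv3 and RC4/DES/NULL/export suites are well-known weaknesses;
# TLS 1.0/1.1 are merely "legacy". Exact list is an assumption of this example.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HARD_STOP_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def assess_connection(protocol, cipher_name, key_bits):
    """Return (verdict, reasons) for a negotiated protocol/cipher pair.

    verdict is "ok", "weak" (legacy TLS version only) or "do-not-use".
    """
    reasons = []
    hard_stop = protocol in HARD_STOP_PROTOCOLS
    if protocol in WEAK_PROTOCOLS:
        reasons.append("legacy protocol %s" % protocol)
    for marker in WEAK_CIPHER_MARKERS:
        if marker in cipher_name.upper():
            reasons.append("weak cipher component %s in %s" % (marker, cipher_name))
            hard_stop = True
    if key_bits < 128:
        reasons.append("only %d-bit symmetric key" % key_bits)
        hard_stop = True
    if not reasons:
        return "ok", reasons
    return ("do-not-use" if hard_stop else "weak"), reasons


def check_site(host, port=443, timeout=5.0):
    """Connect like a browser would and describe what the padlock would mean."""
    # create_default_context() loads the OS trust store, turns on certificate
    # verification and hostname checking, and refuses SSLv2/SSLv3 outright.
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                cipher_name, _, key_bits = tls.cipher()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # The "red padlock" case: chain or hostname did not verify.
        return {"host": host, "verdict": "do-not-use",
                "reasons": ["certificate failed verification: %s" % exc.verify_message]}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "verdict": "do-not-use",
                "reasons": ["no usable TLS connection: %s" % exc]}

    verdict, reasons = assess_connection(protocol, cipher_name, key_bits)
    # Expiry is already enforced by the handshake; report the date for context.
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - time.time()) // 86400)
    return {"host": host, "verdict": verdict, "reasons": reasons,
            "protocol": protocol, "cipher": cipher_name, "key_bits": key_bits,
            "issuer": dict(x[0] for x in cert["issuer"]).get("organizationName"),
            "days_until_expiry": days_left}


if __name__ == "__main__":
    # Default host is an assumption for illustration; pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.amazon.com"
    result = check_site(target)
    print("%s: %s" % (result["host"], result["verdict"].upper()))
    for key in ("protocol", "cipher", "key_bits", "issuer", "days_until_expiry"):
        if key in result:
            print("  %s: %s" % (key, result[key]))
    for reason in result["reasons"]:
        print("  - %s" % reason)
```

A site that fails here with a certificate error is exactly the site whose padlock the browser would paint red; a "weak" result means the handshake succeeded but on a legacy protocol, which is the sort of thing a C-or-better SSL Labs grade would also surface.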

3) Keep Your Computer Up to Date

Keep in mind, online shopping requires the use of your personal computer or mobile device. Without those, you can’t shop online! This, however, introduces more risks that are often overlooked. If your device is not secure, it doesn’t matter how secure the site or service is; malware on your machine sees your card number before it is ever encrypted, so your information may still be compromised.

Ensure that your computer is up to date (operating system, browser, and browser plugins) before creating accounts or making purchases. Perform regular virus scans using a tool such as Avast, and use an ad-blocking plugin such as Adblock Plus to prevent malicious browser advertisements from delivering malware.

If your device is already riddled with malware, your credit card information has likely already been compromised. Keep an eye on your bank account statements. Look for suspicious transactions, particularly those less than $20.00. Fraudulent charges are often small, sometimes a dollar or less, because criminals first test whether a stolen card still works before making larger purchases, and small amounts are easy to overlook.
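The statement review above can be partly automated. The following is an added example (not from the original post) that reads a statement export in the common date,merchant,amount CSV shape, treats merchants seen in the earlier part of the statement as “known”, and flags small charges at merchants you have never paid before, with an extra warning when several such charges land within a few days, the classic card-testing pattern. The CSV rows are constructed for the example, and the $20 threshold, 30-day baseline and 3-day cluster window are this example’s assumptions.

```python
"""Flag the small 'test' charges the post warns about in a statement export.

Added example, not from the original post. STATEMENT_CSV is constructed
sample data; the thresholds are this example's own assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

SMALL_CHARGE_LIMIT = 20.00            # the post's "less than $20" heuristic
CLUSTER_WINDOW = timedelta(days=3)    # small unfamiliar charges this close = card testing
BASELINE_DAYS = 30                    # merchants seen before this window are "known"

# Constructed statement. Early rows establish known merchants; in December two
# small charges appear at merchants never seen before, one day apart.
STATEMENT_CSV = """date,merchant,amount
2014-11-02,COFFEE PLACE,4.75
2014-11-05,GROCERY MART,83.12
2014-11-09,COFFEE PLACE,5.10
2014-11-20,GAS STATION 12,41.00
2014-12-01,COFFEE PLACE,4.75
2014-12-10,DIGITAL GOODS LLC,1.00
2014-12-11,ONLINE SVC 88213,9.99
2014-12-12,GROCERY MART,64.40
2014-12-13,ELECTRONICS OUTLET,499.00
"""


def parse_statement(text):
    """Parse date,merchant,amount rows into dicts sorted by date."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": datetime.strptime(rec["date"].strip(), "%Y-%m-%d"),
            "merchant": rec["merchant"].strip().upper(),
            "amount": float(rec["amount"]),
        })
    rows.sort(key=lambda r: r["date"])
    return rows


def flag_suspicious(rows, baseline_days=BASELINE_DAYS):
    """Return [(row, reasons)] for small charges at unfamiliar merchants.

    A merchant is "known" if it appears before the baseline cutoff. Small
    charges at unknown merchants are flagged; if two or more of them fall
    within CLUSTER_WINDOW of each other, each gets a second, stronger reason.
    """
    if not rows:
        return []
    cutoff = rows[-1]["date"] - timedelta(days=baseline_days)
    known = {r["merchant"] for r in rows if r["date"] < cutoff}
    candidates = [r for r in rows
                  if r["date"] >= cutoff
                  and r["amount"] < SMALL_CHARGE_LIMIT
                  and r["merchant"] not in known]
    flagged = []
    for r in candidates:
        reasons = ["small charge (%.2f) at merchant not seen in prior %d days"
                   % (r["amount"], baseline_days)]
        neighbours = [c for c in candidates
                      if c is not r and abs(c["date"] - r["date"]) <= CLUSTER_WINDOW]
        if neighbours:
            reasons.append("one of %d small unfamiliar charges within %d days "
                           "(card-testing pattern)" % (len(neighbours) + 1, CLUSTER_WINDOW.days))
        flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in flag_suspicious(parse_statement(STATEMENT_CSV)):
        print("%s  %-20s %8.2f" % (row["date"].date(), row["merchant"], row["amount"]))
        for reason in reasons:
            print("    - %s" % reason)
```

Run against the sample, the two December charges at DIGITAL GOODS LLC and ONLINE SVC 88213 are flagged and both carry the cluster warning, while the $499 charge at a new merchant is not caught by this rule; a large unfamiliar charge is obvious on its own, which is precisely why fraudsters start small.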

4) Don’t Use Your Debit Card!

In the security community, we always consider the worst-case scenario. Always assume that you will be compromised, so have a backup plan. As we saw with Target in 2013 and Home Depot in 2014 (both point-of-sale breaches, but the lesson applies just as well online), it’s quite likely that at some point your billing information will be exposed.

Credit cards generally offer more assurance in the event that your information is disclosed, such as automated fraud protection and charge disputing; the money never leaves your account while a dispute is open. With debit transactions, the cash is withdrawn from your checking account immediately, your liability for unauthorized charges grows the longer you take to report them, and you may be on the hook for all of them if you notice too late.

For more information on when to use credit cards versus debit cards, please refer to this Lifehacker article.

For the truly paranoid, I recommend using pre-paid debit cards that you can purchase at any retailer/gift card vendor. When one of these cards is compromised, big deal: you’re only on the line for as much money as you loaded on the card, and the card is not linked to your bank account.

Another great service to consider trying is Bank of America’s ShopSafe or a similar alternative. This service is only available to Bank of America account holders, and it can generate a temporary 16-digit card number which can be used in online shopping transactions. If that number leaks, you cancel it; the real account number was never exposed to the merchant.

5) Shop at Home, Not in Public

Although it may sound nice to head down to your local cafe and do some last-minute online holiday shopping, please, don’t do it! Most cafes offer free Wi-Fi, much of which is considered “secure” because users must enter a password before connecting. A shared password offers little protection, though: everyone else in the cafe knows it too, and anyone who has it can decrypt the wireless traffic of the other users on that network.

Many users are not aware of the risks associated with using wireless internet. It’s scary how much information a malicious user can obtain by sniffing the wireless network in a cafe. If you’re not sure what I mean, read the article Here’s Why Public Wi-Fi is a Public Health Hazard. In summary, an attacker on the same network can generally hijack your logged-in session, steal information, and make purchases on your behalf.

So even though it’s very tempting to kill 30 minutes doing some online shopping, please wait until you get home.

Conclusion

When you’re about to dig into online shopping, please remember the tips outlined in this guide: only use trusted sites; ensure that you’re browsing the secure version of the site (SSL/TLS); update your computer and perform regular maintenance; use credit cards instead of debit cards; and shop at home.