Tips for shopping online safely

11 Jan 2011

Oftentimes I think about how secure it is to shop online, and talking to some family members I get the feeling that they may not fully trust shopping online. In reality that is a good thing, since you should always err on the cautious side with online transactions. I figured this could be a good post to give some insight into the world of secure online shopping.

Warning: Some of the following information is a bit technical. I have written the technical stuff in blue font so you can skip it if you just want to get to the main points.

First off, I’m not a security expert, nor should you expect that if you follow everything written here you will be 100% safe. I live life by the 99.9% rule, that is, there is always that outlier that you forget about or simply don’t know about that can get you. That being said, knowing the information I’ll give you here will get you up into that 99% area of security.

SSL/Https

The first thing is that you should always... ALWAYS (yes, I used all capital letters, so it is very important) make sure that you see https and that lock symbol in your address bar when logging in, as well as when you are checking out or entering any kind of personal information that you don’t want anybody else to know.

Normally when you view pages you use an address that looks similar to this:

http://www.gmail.com

Notice at the front it has http. This means that when you view that page, all the information going from your computer to www.gmail.com is in clear, plain text. You can think of it with a semi-truck example. Let’s say the truck has to travel down the Internet super highway carrying data from your computer to the website. The truck can either carry your data in a normal trailer or in a glass-walled trailer that everybody on the same highway can see into.

HTTP means that you are telling the truck to use a glass trailer. HTTPS means you are telling the truck to use a normal covered trailer with a lock on the back, so that nobody can sneak aboard your truck mid-highway and steal something from it, or even put something bad inside it, like a virus.

Now if we put a lock on the trailer, how can the website know how to unlock the trailer?

This is actually an interesting but simple problem.

First you send the truck to the website with a glass trailer containing a lock that your browser has the key to, along with a message stating that the rest of the trailers should be covered trailers with locks.

The website then sends the truck back with a covered trailer locked with the lock you sent. Inside the trailer is a lock that only the website has the key to.

When the truck arrives you unlock the trailer with your key and pack it full of your sensitive data as well as your lock again. You lock the doors with the lock that the website gave you and send it to the website.

The rest of the data you send back and forth between your browser and the website is all handled through the same key/lock mechanism.

You have now just completed a secure data transaction using a semi-truck example.

I made a simple Google Drawing to show this transaction.
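The three truck trips above, modelled as an added example (not code from the original post) with textbook RSA and tiny primes, so the "lock" is a public key and the "key" is the matching private key. The card number is a constructed sample; real HTTPS additionally uses certificates and a negotiated symmetric session key.

```python
# Added example (not from the original post): the author's lock-and-key truck
# exchange modelled with textbook RSA and tiny primes. Illustrative only.

def make_lock(p, q, e):
    """Return (public 'lock', private 'key') for primes p, q and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # private exponent (Python 3.8+)
    return (e, n), (d, n)

def lock_up(lock, values):
    """Encrypt a list of small integers with someone's public lock."""
    e, n = lock
    assert all(0 <= v < n for v in values), "value too large for this lock"
    return [pow(v, e, n) for v in values]

def unlock(key, values):
    """Decrypt with the matching private key."""
    d, n = key
    return [pow(v, d, n) for v in values]

def truck_exchange(secret):
    """Run the three trips and return (what the website reads, what the road saw)."""
    # Trip 1: the browser makes its lock and sends it in a glass trailer (plaintext).
    browser_lock, browser_key = make_lock(61, 53, 17)     # n = 3233
    # The website has its own lock; its modulus must fit inside the browser's lock.
    site_lock, site_key = make_lock(11, 13, 7)            # n = 143
    # Trip 2: the website sends its lock back in a trailer locked with the browser's lock.
    trailer_2 = lock_up(browser_lock, list(site_lock))
    # The browser opens that trailer with its own key and recovers the website's lock.
    received_site_lock = tuple(unlock(browser_key, trailer_2))
    # Trip 3: the browser packs the sensitive data and locks it with the website's lock.
    trailer_3 = lock_up(received_site_lock, [ord(c) for c in secret])
    # Anyone watching the highway only sees these numbers (textbook RSA still
    # leaks repeated characters, which is why real systems add padding).
    observed = list(trailer_3)
    # Only the website's private key opens the trailer.
    plaintext = "".join(chr(v) for v in unlock(site_key, trailer_3))
    return plaintext, observed

if __name__ == "__main__":
    # Constructed sample value, not a real account number.
    print(truck_exchange("card 4111-1111-1111-1111"))
```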

Password Strength

Usually when you decide to purchase a product online, the site will ask you at checkout to register a new username and password. In this step you again need to make sure that when you click submit or create account, the address bar has that https symbol. Why? Well, if you load that truck with your username and password and send it across the Internet super highway in a glass trailer, Mr. Hacker is going to be peering into that trailer and will follow the truck to its destination. He can then use your username and password to gain access to your account on that site.

Now, to the point of this section, your password.

12345 is not a password

A simple password is just a speed bump for somebody trying to access your account. Hackers can use a method called a dictionary attack to try to break into websites. This method is very simple: they have a file on their computer with thousands to millions of common phrases and words, and they try each one against your username until they gain access to the site. So if you use an easy password like kitten or 12345, there is a good chance that your account could be accessed.
The other common attack is called brute force, where the hacker simply tries every combination of letters and numbers until they gain access: 1, 12, 123, 1234, 12345... a, ab, abc, abcd...

Here is a great page to show you how long it could take to crack your password.

http://www.lockdown.co.uk/?pg=combi

It is really up to the website to make sure that they do things to help protect your password, but oftentimes websites don’t do these things, or they store your password in a way that is easily accessible by others.

An easy suggestion to make your password more complex, but still fairly easy to remember, is this:

  • Replace all of the vowels with other characters and add uppercase letters in random places. kitten could become k1TT3n or K1Tt3N.
  • Always try to have a password that is more than 8 characters long (12-14 is optimal).
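An added example (not from the original post) that puts numbers on the two attacks described above: it estimates the worst-case brute-force time for a password's character set and length, and checks the password against a small dictionary after undoing the common vowel substitutions. The guess rate and the five-word wordlist are constructed assumptions; it also shows why the length rule in the second bullet matters, since substitution-only variants of a dictionary word still fall to a dictionary attack.

```python
# Added example (not from the original post): brute-force time estimate and a
# dictionary check that undoes common letter/number substitutions.
import string

GUESSES_PER_SECOND = 1_000_000_000   # assumed attacker speed; an assumption

# Constructed mini wordlist standing in for the millions of words an attacker has.
WORDLIST = {"kitten", "password", "letmein", "12345", "qwerty"}
LEET = str.maketrans("01345@$", "oieasas")   # undo 0->o, 1->i, 3->e, 4->a, 5->s ...

def charset_size(pw):
    """Size of the character classes the password visibly draws from."""
    size = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in pw):
            size += len(chars)
    return size

def brute_force_seconds(pw):
    """Worst-case seconds to try every combination of pw's charset and length."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def in_dictionary(pw):
    """True if pw, with case and substitutions undone, is a wordlist entry."""
    lowered = pw.lower()
    return lowered in WORDLIST or lowered.translate(LEET) in WORDLIST

def assess(pw):
    """Human-readable verdict for one password."""
    if in_dictionary(pw):
        return "dictionary hit: cracked almost instantly"
    secs = brute_force_seconds(pw)
    if secs < 60:
        return f"brute force: {secs:.3f} seconds"
    if secs < 86400 * 365:
        return f"brute force: {secs / 86400:.1f} days"
    return f"brute force: {secs / (86400 * 365):.0f} years"

if __name__ == "__main__":
    for pw in ["12345", "kitten", "K1Tt3N", "K1Tt3N-on-my-L4p"]:
        print(f"{pw:20} {assess(pw)}")
```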

One last thing about usernames and passwords: it is best not to use the same username and password for every website you use on the Internet. Say you have a super complex password that is virtually uncrackable, but you go to some goofy website that emails you cute kitty pictures, create an account there with that password, and they don’t store your username and password securely. You have just created a domino effect lining up all the other websites you use.

Debit Card vs. Credit Card

While debit cards are very awesome in that they give you access to your money without using checks, there are some issues that are hidden in the background.

Everybody knows that the big credit card companies (VISA, MasterCard, Discover, American Express) have great guarantees on the security of your account. If somebody steals your card, or even just the number on the card, and uses it, you should get refunded, which is great. I think all debit cards are VISA or MasterCard and hold the same guarantee as a credit card, so why worry?

I had this same thought, until a coworker that used to work as a tech security officer at a bank changed my view quite quickly.

Say you are shopping online and your debit card or credit card number gets stolen. The thief then starts buying things on your behalf. They can only buy things up to the maximum limit of the card. The maximum limit of your credit card is set at some amount that depends on the card and your credit. What is the maximum limit of your debit card? The amount in your bank account, or more?!? Say you have $10,000 in your account and they start buying and buying; even if your bank catches on or you catch on, maybe they have spent $10,000 or maybe they start overdrafting your account. Typically you find out when you overdraft your account and get mad at the bank, wondering how you can overdraft $10,000, which is when you get that not-so-good news about the activity on your account. Regardless of how you found out, you now have either $0 or minus $$$ in your account. I suspect this is up to the bank, but when will they put the money back into your account? Today? Tomorrow? When the case goes to court and the thief is found guilty, plus X days for the paperwork to be filed?

The short of this is: if you shop online, you should probably use your credit card unless you are very confident in the website you are shopping on.

Alternative Payment Methods

So now that I have scared you about using your debit card, or maybe scared you away from shopping online at all, let’s look at some other ways to shop online very safely.

There are some others, but quite frankly I don’t know of them, and these two (PayPal and Google Checkout) are the most commonly used. Both of these services are payment systems that websites use to get paid. You set up an account with the payment system and link it to your bank account, and then when you go to a website that supports them, you can securely pay the website without giving anybody else your credit card number.

At first you are probably wary about linking a website to your bank account number, which is a good instinct. There are some drawbacks to using these systems as well, but I’m not really versed enough in financial law to be able to tell you exactly what they are. I only know that there could be some loopholes with them, as I don’t think they are considered TRUE financial companies like banks are. That being said, I personally think they provide options that are far more secure for online transactions than using a credit card online.

Website Selection

This is an easy one. Do not buy from sites that you do not feel comfortable giving personal information to. If you find a place on the Internet that has some item that you want and it is super cheap, but the website has that ‘look’ to it that you are not sure about, do not buy from them! Look somewhere else, even if you have to pay a few more dollars for your item. The only reason I ever buy from a ‘shady’ site is if they accept PayPal or Google Checkout, as I know that there are added guarantees for my safety and I’m not potentially giving my information to a website written by somebody that does not know enough about security.

In general, if the site does not look that great, chances are they are not practicing good security measures for your data.

Conclusion

Shopping on the internet really can be quite safe as long as you follow some basic guidelines and pick sites that have a good reputation for keeping customer data safe. Really there are just a few easy things that you can do to help maximize your online safety.

  • Use a complex password of 8-14 characters with a mix of letters, digits and symbols
  • Make sure your browser shows the https + lock symbol
  • Try to avoid using your debit card
  • In general, use your gut feeling about a website’s security

Hopefully this will help at least somebody out there. I’m sure I’ve missed a few points, but feel free to leave comments or questions.
