10 Commandments for Online Shopping
Robert Spotswood

Navigating the Minefield
Just as flies are attracted to a fresh pile of manure, so are criminals attracted to large amounts of money. With online shopping sales at an estimated $132 billion in 2006, the number of online crooks trying to steal from you has grown, too.
Body text: But just because there are crooks out there doesn't mean you have to give up online shopping. While there is no such thing as perfect security, and anyone who tells you differently is either lying or deluded, there are things you can do to stack the odds in your favor. The following 10 online shopping commandments will help you enjoy the benefits while minimizing the risks of online shopping.
I. Understand the Risks
If you get most of your information from the mass media, you will likely be sadly misinformed. While major data breeches make headlines, most identity theft sails under the media's radar. By definition, "news" means that it hardly ever happens. Despite the widespread belief that seems to be promoted by the mass media that identity theft occurs primary online, in truth, most occurs offline.
According to a 2004 study by Javelin Strategy & Research, 72% of the identity theft cases studied occurred offline, while only 12% started online, with the rest undetermined (www.identitytheft911.org/articles/article.ext?sp=29). Further, the study found that those who used the Internet to keep tabs on their bank accounts and credit cards lost only $551 on average, while those that stuck to more traditional paper statements averaged losses of $4,543.
As you can see, using the Internet to shop and for banking isn't automatically dangerous, and offline usage isn't automatically safe. While you should exercise care, don't let unfounded fears stop you from enjoying all the benefits of online shopping (and banking).
II. Keep your computer clean
Viruses, spyware, and trojans, oh my! If the bad guys have their software planted on the computer you use to go shopping (or banking), you lose. No matter how careful you are with your financial and credit card info on the Internet, if the bad guys can see your every move, every keystroke, then the bad guys win.
Start protecting yourself by having and regularly updating a virus scanner. Grisoft (free.grisoft.com/) offers both free AVG anti-virus software and an AVG anti-spyware program. Supplement the AVG spyware program with both Spybot (www.safer-networking.org/) and Ad-aware (www.lavasoftusa.com/). No one anti-spyware program catches everything, so you need to use multiple products to be really sure.
Don't use Internet Explorer, but use Firefox or Opera instead. Internet Explorer's bad track record plus being actively targeted make it an unsafe choice. While neither Firefox nor Opera are perfect, their track records are far better than Internet Explorer.
McAfee offers a neat, and free, plug-in for both Firefox and Internet Explorer called Siteadvisor (www.siteadvisor.com). McAfee has tested a huge number of websites for bad stuff. This plug-in shows you the results of those tests in a little bar at the bottom of the browser window. A green site was safe when last tested, while a red site has serious problems (stay away!), and a yellow site has some issues, but not bad enough to warrant a red rating. A few sites are gray, which means they haven't been tested. As Siteadvisor integrates with your browser, it will even add a color-coded rating symbol next to your search results if you use Google, Yahoo, or MSN. This helps you avoid problems, and malware, in the first place.
Stay up-to-date with your patches, and consider some sort of firewall software, even if it's an external device. Finally, never use a computer you don't trust for online shopping or banking, especially a public computer. You never know how well it's taken care of, and, being public, even the best care won't catch everything.
III. Shop around
Unless what you're looking for is obscure, there is going to be more than one store selling it. This is especially true with name brand, popular items. Remember that with online shopping, visiting multiple stores is quick and easy. The range of prices can vary considerably on the exact same item.
When comparing prices, don't forget to compare shipping costs and methods, too. Sometimes a company that charges a little more may offer free shipping, versus a company that charges less but has high shipping rates.
IV. Don't trust that lock
Just because your web browser shows the SSL symbol, such as a closed lock or key, that doesn't mean everything is safe. First, what type of encryption is being used? 128 bit is considered the minimum standard today, with some sites using 256 bit AES encryption, but that doesn't stop sites from using older, poorer encryption, such as 40 bit. If the website can't get at least 128 bit, don't trust them to do anything else correctly either.
SSL depends on certificates in order to work. Is the certificate issued to the company you think you're dealing with? For instance, Amazon.com's certificate says it was issued to Amazon.com Inc. This is what is expected. However, suppose the web site, buyme.cxm, certificate reads ABC company. Is something fishy going on? If you just looked at the lock, you might think everything is OK. Since very few people bother to check the certificate, a bad guy can cause your browser to display a legitimate lock, while you're at a different site than you think you are.. Anti-phishing tools are making this harder to do, but by no means impossible.
In one case, I wrote to a company I was going to order from because the certificate didn't match the company name it should. According to the reply I got back, the certificate was legitimate, and I was the first person to write them about it in the two years it had been up. The certificate was soon fixed.
However, just because the certificate name does not match the website name doesn't automatically mean something is wrong. Certificates are expensive. Sometimes companies will use their parent companies certificates to save money. Some websites use their web host's certificate to save money or if they don't really need SSL and the web host sets this up automatically.
You can see the certificate's details for yourself in Firefox by left clicking on the lock in the address bar. This opens a window where you then click on details to see the certificate information. In the pictures below, the SSL lock is there, but the certificate does not match the site name (ignore any warning that comes up for this example). This is because the SSL certificate belongs to the web host, and not the website. This is an example of the website owner not needing SSL, so he went with the web host's certificate. The figures were collected using Firefox.
image
Figure 1: To view the certificate, click on the lock

image
Figure 2: Click on view to see the names. Notice this certificate uses 256 bit encryption.

image
Figure 3: Do the names look correct for the website?

V. Check out the company
Unlike brick and mortar stores, where the purchase is pretty much a simultaneous exchange of money and goods, online shops demand payment upfront. They then ship the items to you in good condition, you hope. Thankfully, you are not defenseless.
There are more than a few sites out on the web that allow users to post reviews of not just the items, but the stores. Six such sites that do this are: www.amazon.com, pricegrabber.com, bizrate.com, pricewatch.com, www.google.com/products, and shopping.yahoo.com, where others who have bought from the company before you can post their experiences. However, you should never just look at the average rating to make your decision on whether or not to do business with this company. The ratings can be misleading.
The first thing to consider is how many ratings. The average of 1000 ratings is more telling of what to expect than the average of 2 ratings. But the number of ratings isn't the only thing to consider. How far back do the ratings go? A store that gets 1000 ratings but only goes back 2 months either does a huge amount of business, or is faking their own ratings, probably the latter.
Then you have to look at the ratings themselves. Scummy stores are not above posting positive ratings about themselves. One tell-tale sign of this is that many to most of the positive ratings all read the same, as if someone had copied and pasted. Detailed ratings have much more credibility. This is why it's important to scan the ratings, and sort from highest to low. If you see this sort of thing, stay away from the store! Any store that needs to post positive ratings about itself is a store you don't want to do business with.
The other thing to consider is the low ratings. Why were they given low ratings? Are the low ratings detailed, or do they look like they are copied and pasted? Rival stores (especially scummy rivals) are not above posting bad ratings about a good store to drive business away from the good store and hopefully to themselves.
Remember, just because the store is listed on one of the major shopping sites mentioned above doesn't mean it is a good store. Another way to check on a store is to use a major search engine like Google or Yahoo. If others have had bad experiences with the store, it's likely the search engines will find some mention of it.
VI. Use credit cards, not debit cards
It is important to understand that despite the Visa or MasterCard logo sported by almost all debit cards, they are not the same as credit cards, especially online. There are important protections you have by law with credit cards that don't apply to debit cards.
If you buy something that's damaged or defective and you use a credit card, you can withhold payment under the Fair Credit Billing Act, both online and offline. You must make a good-faith effort to solve the problem with the merchant first. However, if you can't resolve it, contact your credit card company and they will investigate the problem. If the card company sides with you, which will probably happen if you have a reasonable case, the charge won't be added to your bill. However, purchases made with debit cards are not covered under the Fair Credit Billing Act. Good luck getting your money back!
Some credit cards offer extended warranties and other protections for large purchases made on the card. This does vary by card, so check with all your credit card companies, if you have more than one, before buying to see which will give you the best deal. No debit card doing this could be found while researching this article.
Credit cards have a maximum of $50 liability if you report the problem promptly. While your maximum direct liability with a debit card is $500 by law, this only applies if you notify the bank more than 48 hours after you learn of the problem. Some banks promise to limit the liability to $50, but there are numerous reports that not all banks honor that promise.
But the real danger with debit cards is they are a direct line to your checking account. A thief can drain it all, including any overdraft line of credit. While you may get most of the money back, in the meantime, you don't have access to your money. It could take the bank 10 days or more to refund your money. In the meantime, you can have checks bouncing all over town, along with the bounced check fees, and possible embarrassment.
Blocking is also a bigger problem with debit cards than credit cards. Some places, such as hotels, gas stations, and rent-a-car agencies, among others, will contact the company that issued your card to give an estimated total of the bill, their estimated total. If the transaction is approved, your available credit (credit card) or the balance in your bank account (debit card) is reduced by this amount. That's a "block." Some companies also call this placing a "hold" on those amounts. Hotels and rental car companies often add anticipated charges for "incidentals" like food, beverages, or gasoline to the blocked amount. If you are close to your checking account limit, which is far more common than with credit limits of credit cards, you can bounce checks even with enough money in the bank, while waiting for the block to be released.
Credit cards offer you much better protection than debit cards, especially online. Never use a debit card for online shopping.
VII. Zero liability sounds better than it is
Protecting your credit card accounts is more important than most people realize. Some people think just because your liability with credit cards is limited to a maximum of $50, taking precautions isn't worth the effort. After all, that $50 is only if the card itself is stolen rather than just the number, and most credit card companies tend to waive that for good customers, although you might have to call and ask. So you might believe the maximum loss with a stolen credit card is only $50 as an extreme worst case scenario. Wrong!
Depending on how the card issuer handles things, they may close the current account and reopen a new, identical account for you, with a new card number (flipping the account). While to most people this is not a change in your credit status, it will affect your credit score. Your credit score is partially based on how long the various revolving accounts (like credit cards) have been open. Length of time accounts have been open makes up roughly 15% of your credit score. New accounts will actually cause your credit score to go down, especially if the previous account was open for years.
Your credit score touches more parts of your life than most people realize. Applying for a new car loan, home mortgage, or other loan? A flipped account means you could pay more or even not get the loan. Insurance companies are starting to base rates partially on credit scores. A flipped account means your rates can go up.
Some employers check credit scores before hiring or promoting. Having a flipped account could make the difference between getting and not getting that position you want. Your credit score is also looked at when you connect utilities, try to rent an apartment, or even buy a cell phone. Lower scores mean higher prices or you have to buy a lesser model, if the sale happens at all.
As you can see, even if your direct liability is $0, you still want to protect your account information. Having your number stolen can cost you indirectly in ways most people don't realize. Even if the new account isn't reported as new, you still have to wait for the new card to use it again. It is worth the effort to protect your card number.
VIII. Protecting Your Credit Card Online
So how do you protect your credit card number online? After all, you have to give them your card number to make the purchase, right? Well, for some cards, no. Let me explain.
Some credit card issuers have special programs where you can get "temporary" card numbers. By using these, your real number never goes out on the web, and hence is much harder to steal. This means you don't need to worry much about how secure the store keeps its servers. These numbers can also be canceled if the shop tries to play games with your number. For example, according to Thomas Hawk, PriceRitePhoto threatened to bill his credit card $100 if he posted a negative review (thomashawk.com/2005/11/priceritephoto-abusive-bait-and-switch.html). Using a "temporary" card number shuts these and other games down very quickly.
In addition, the "temporary" card numbers can be used for phone orders, or even mail orders, not just online orders. However, trying to use one at a brick and mortar store is not recommended. Cashiers really don't like it if you pull out a piece of paper with a credit card number written on it and try to pay with that.
Do not confuse the temporary card numbers with the "Verified by Visa" program. The Verified by Visa program does not work with all online stores, only those signed up for the program. It also doesn't help you with phone or mail in orders.
So how do you get a "temporary" card number? It depends on who issued your credit card. However, in every case, you must have a credit card with the bank, and must create an online account. Out of the 5 largest credit card issuers in the United States, neither Chase nor Capital One offer a temporary card numbers. Discover, Bank of America, and Citi all offer temporary numbers.
Discover Card (www.discovercard.com) offers Secure Online Account Numbers, which are temporary numbers linked back to your real number. The credit limit and expiration date are the same as your real card. The temporary number even includes the CVV code for websites that think it provides any real security. (The CVV is not random, but generated by a formula based on your credit card number. Do not assume the criminals don't know the formula.) According to the Discover Card website, "A secure account number can only be used at the retailer where it was first used—it can't be used anywhere else. If the secure account number is stolen, you can deactivate it without canceling your actual Discover Card Account." Of course, since it can only be used at one place, its value if stolen is far less than that of a regular number. These numbers can be used for recurring charges and automatic bill pay, provided the merchant does not change.
Unfortunately, the Secure Online Account Numbers page is rather hidden. To find it, you have to go the Discover Card home page, scroll down, then click on "Security Center". Scroll down on the new page and near the bottom you will find a "Create a Secure Number" button. Click on that to get started. A new window opens and the username and password are the same as your online account. This works with both Internet Explorer, Firefox, and even with Firefox on Linux. You should be aware that based on an admittedly small sample size, the first time you use one of these numbers, you will trigger a fraud alert with Discover. Be prepared for the phone call.
Bank of America (BoA) credit card holders can use BoA's Shopsafe program. With this program you have to sign in to Online Banking at www.bankofamerica.com or fiacardservices.com which is a redirect to https://www.ibsnetaccess.com (both are BoA sites). From there you can create the temporary card number. You can set the credit limit and expiration date for each number. It is only good for one merchant, but can be used for recurring charges at that merchant. It is known to work with Windows and Macs, and to work with Netscape 8.1, which is based on Firefox, so Firefox should work as well.
Citi refused to respond to questions about whether or not they even had a temporary number program. However, a HAL-PC member who has a Citi card did offer the following: "...I wanted to mention (since they didn't bother to respond to your question) that Citi does indeed have virtual credit card numbers...The card numbers have one-month expirations and can be closed by the card-holder once the transaction has been posted. They can be monitored and managed on-line through the Citi card holder's account." As these temporary numbers have one-month expirations, they are not suitable for recurring charges. It is also known that the Citi website does not work correctly with Firefox, and therefore Linux users are out of luck.
IX. Close the Browser
Due to the nature of the web protocol (AKA HTTP protocol), it is necessary to temporarily store your credit card information in a cookie. The cookie is encrypted, and almost never written to disk. When the session (think conversation) ends, the cookie is automatically purged and so is the key to decrypt it. So when you end your transaction, and leave the website, your credit card info is gone right? Not necessarily.
Welcome to the world of cross-selling. Cross-selling is where a legitimate merchant (or their shopping cart vendor, often without informing the merchant) cuts a deal with another company to add a link to the transaction complete page. But this is no ordinary link.
This link actually continues the session, so your credit card info is still available. The link may entice you with something like "Click here to claim your $10 Cash Back Reward on your next purchase!". If you click the link, buried somewhere on the page, usually you will have to scroll down to see it, is a checked box saying something like "Sign me up".
As if that wasn't sneaky enough, there is some JavaScript on the page so if you then close the browser or navigate away from the page, the on-exit script kicks in and completes your "order" with the credit card info from the legitimate merchant's session. Any e-mail they send you (as required by law), if they send one at all, has a subject line designed to trip every spam filter out there so you will never see it.
Usually there is a 60-90 day free trial before the billing starts in order to hide the source of the billing. The billing is small to avoid scrutiny, and the description is often obfuscated. The billing is also recurring. One company that does this is Webloyalty.com and the charges currently appear as WLI*RESERVATIONREWARDS.
There are two good defenses against this sort of scam. First, when the page comes up that says your transaction is complete, close the browser. Don't navigate to somewhere else, just close the browser and reopen it. Second, use temporary card numbers if possible. Since both Discover and BoA temporary card numbers are only good for one merchant, the billings will be automatically rejected. You can cancel that particular number for good measure if necessary.
X. Use common sense
Finally, consider the price. If one store is way below all the others selling the exact same item, there's a reason, and it is usually not a good one! Someone once told me the following about investing, "Lost opportunities almost always come round again, but lost money never does." It applies equally on online dealing. If it seems too good to be true, pass it by.
Robert Spotswood, a HAL-PC member, is active in the Linux SIG and a freelance computer professional. He can be reached at robert@spotswood-computer.net.