For as long as consumers have been able to make purchases online, there’s been concern over how to keep payment information safe. Buyers are concerned about things like credit card numbers being skimmed across the web. Fortunately, much of that responsibility falls onto web developers, and consumers only need to be aware of a few tips to avoid getting scammed online.
Look for a Valid Security Certificate
When making payments online, always look for https in the URL. Most browsers will also reflect this with a green lock in the address bar.
This indicates that a website has a valid security certificate (SSL) installed, providing encryption of your data. If a website is asking for card details without a valid SSL certificate, don’t enter them.
To clarify, a site without a valid SSL certificate may direct you to a secure processor such as PayPal, Stripe, or another payment processor that does have a valid security certificate. In this case, you’re safe. If you don’t recognize the processor, do a quick Google search to verify its legitimacy.
Use a Credit Card When Possible
Most credit cards offer much stronger protections against consumer fraud than your average debit card. When possible, use a credit card to make online purchases rather than your debit card.
Shopping Online Via Public WiFi
We used to have to worry about a thing called “sidejacking”. Sidejacking is when one computer copies the information that another has saved in the browser as it travels between a website and your computer. That information could be harmless, like “This user has now visited this page before”, but it could also be the bits of information that tell a website “I’m logged in and this is who I am!” This unique state of identifying information is called your “session”.
Your session with a website could be faked well after you close your laptop to convince the site that the computer being used is still you. In a world of things like Amazon’s 1-click checkout, it’s possible that your session data would be enough to check out with a hefty purchase! Please note that Amazon itself is not currently known to be vulnerable to such an attack.
Browser extensions available to the public have made sidejacking login sessions on public WiFi (and even wired connections) easy for anyone to do if a website isn’t protected correctly.
Sidejacking isn’t possible when a site is properly using SSL. However, due to a common myth that SSL security validation slows down websites, some site owners began to encrypt data only during the login process or other transfers of sensitive information. While the original information, like a password or card number, was protected, the temporary unique session data was exposed on later transfers of information.
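The login-only encryption described above leaves a recognizable trace in a site's response headers. This added example (not part of the original article) audits constructed headers for a session cookie that lacks the Secure attribute and for a missing HSTS policy; the cookie names and sample headers are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed response headers for illustration (not captured from a real site).
# Site A encrypts only the login step; site B serves every page over HTTPS.
SITE_A = {"Set-Cookie": ["sessionid=constructed-token-a; Path=/; HttpOnly",
                         "theme=dark; Path=/"]}
SITE_B = {"Set-Cookie": ["sessionid=constructed-token-b; Path=/; HttpOnly; Secure",
                         "theme=dark; Path=/"],
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# Assumption: cookie names this audit treats as carrying the login session.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid"}


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0


def audit_session_exposure(headers):
    """List the ways a session cookie could leave the browser over plain HTTP."""
    findings = []
    for raw in headers.get("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Without Secure, the browser attaches the cookie to http:// requests too.
            if name.lower() in SESSION_COOKIE_NAMES and not morsel["secure"]:
                findings.append(f"{name}: no Secure attribute, also sent on http:// requests")
    # Without HSTS, nothing stops the browser from making a plain-HTTP request.
    if hsts_max_age(headers.get("Strict-Transport-Security", "")) == 0:
        findings.append("no HSTS policy: browser may still make http:// requests to this host")
    return findings


if __name__ == "__main__":
    for label, headers in (("login-only encryption", SITE_A), ("HTTPS everywhere", SITE_B)):
        print(label, "->", audit_session_exposure(headers) or "no findings")
```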
The myth of SSL slowing down your website, of course, is false in any practical sense. Fortunately, we’ve seen a movement away from this practice, with Google encouraging SSL certificates to improve SEO. Most browsers are also flagging sites that ask you to log in without one.
The Firesheep article linked to above is a bit dated, and most sites have addressed this issue. That being said, if you’re feeling skittish, avoid entering passwords or financial information on networks where you don’t know everyone. Then, explicitly log out when you’re finished, as this should invalidate your session data if anyone happens to grab it.
Know Your Seller
Of course, the most basic way to get someone’s credit card number is to set up a fake website. When shopping or sending money online, keep an eye out for scams like these.
Never click on links in unfamiliar emails and hand over your personal information. You didn’t win a contest you never entered. There is no Nigerian prince gifting you cash. Your long-lost nephew or granddaughter is not being held for ransom.
Promotional emails from an unknown retailer could also be a scam. Even if the email appears to be from a well-known retailer, if you don’t normally get email from them, navigate to their website yourself to find the big sale.
That said, if you find yourself shopping from an unfamiliar retailer, it isn’t necessarily a scam. I’ve shopped for tough-to-find editions of items from obscure, foreign stores. It’s easy for anyone to set up an eCommerce website today selling their products. Rather than abandon the purchase altogether, do a quick Google search to see if you can verify the seller. Google reviews and social media accounts are good signs that this is a legitimate retailer. As long as they have an SSL certificate installed, go for it. If things seem fishy, however, and you find evidence it may be a scam, find somewhere else to buy.
Keep Devices Updated
Last year, a new security flaw was discovered in the WiFi protocol that makes most client-side devices potentially insecure (that is to say, your phone, which receives internet service, rather than your router, which broadcasts it). Fortunately, such things will be patched sooner rather than later. Repeat after me: there’s no reason to panic.
This is a great reminder to always update software on your devices when possible: your phone, your home computer, your Blu-Ray player and more. If your device no longer supports new updates, it’s probably time for a new device.
Don’t Let Security Concerns Deter You
Bluntly, the only way to protect your money for certain is to put it in gold and bury it somewhere.
Don’t do that.
The internet is growing every day. The ease of selling products online has allowed folks who could never afford retail space to advertise and sell their goods. If your card information comes to someone in plain-text emails after checkout (something that we actually saw at a company I worked at), they’re most likely an idiot, archaic, or a combination of both, not a bad actor.
Keeping your financial information under wraps online is pretty easy if you stick to these tips. Financial institutions are always working to be one step ahead. So don’t stop online spending altogether. Instead, celebrate how easily you can shop from independent sellers and artists.