Safe Online Shopping - Shop At Level Blue
Article by Rick Leinecker, March 13, 2006

Imagine a bookstore that has any published book - a bookstore where you can even get hard-to-find, out-of-print books. That's better than even the largest mega bookstore which has only a small fraction of the books that have been published. No need to pinch yourself, it's not a dream. It's an online bookstore. Don't get me wrong, I like to browse through bookstores and sip coffee. But I love to compare every possible title on a subject before I buy. And the same is true for CDs, DVDs, and many other products. Online stores can give you a complete range of options.

Then there's convenience. Instead of driving 30 minutes or so to browse a limited selection, I can go online, get exactly what I want, and have it on my doorstep in a few days without the driving and parking lot hassles.

You may be reading this and asking, "Is it safe to shop online?" If so, you're not alone. What I want to do is give you some advice that reduces the risk to the blue, or guarded, level. Blue, or guarded, is the second-to-lowest level on the Homeland Security threat level indicator.

There's a maxim in computer security. Everything is a calculated risk. There's no such thing as zero risk unless you pull the plug. It's kind of like when you're in a restaurant and you give the waiter your credit card. You know that the waiter could write down the credit card information and use it fraudulently, but you've weighed the risk and deemed it acceptable because you want the convenience.

There are two main points of vulnerability of which you need to be aware. The area of greatest susceptibility is at the purchase point - the store side of the conversation. The main consideration is that the site where you're shopping must be safe. It's the difference between shopping at Macy's and buying a watch from a guy that walks up to you on the street. One is safe and one is questionable.

Of somewhat less concern is the vulnerability on your end. We talked several weeks ago about Spyware and the potential for a key logger to record your credit card information. You can easily mitigate that risk by keeping your system free of viruses and Spyware. The second threat, though, is that a rogue computer on your network can listen to traffic on the network in order to extract information. For most home networks, that's not an issue. It's more of an issue at work or in a public venue, especially if there are a lot of computers on the network.

The best tool to combat those who would steal your personal information is known as a certificate. Certificates do two things: they verify the identity of the party with whom you're dealing, and they allow data between you and that party to be encrypted. The way you know that a web site has a certificate is the gold lock in the browser status bar. If you're looking at pages that have a valid certificate, a gold lock will appear. The web address will also start with https instead of http.

If you go to Macys.com and see the gold lock, then you can be sure that they are indeed Macy's. A third party such as Verisign has collected enough information about them to verify their legitimacy. The data between you and Macy's will also be encrypted so that your vital information can't be read by someone listening on the network. This method of encryption has been found to be extremely secure, and it would take a supercomputer many years to break a single encrypted conversation.

Bear in mind that when you're on the Macy's web site, you won't be covered by a certificate unless you're in the areas where vital information is exchanged. That's because certificates slow things down. That means that each web site decides which of its pages are protected and which are not. The bulk of pages aren't certificate-protected and therefore not slowed down.

Be careful if you get a message that says a certificate has expired. This means one of two things: the web site has been careless and let its certificate expire (in which case you wouldn't do business with them online anyway), or you are the victim of what's known as a "man in the middle" attack. In either case, run the other way - fast.
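
Here is roughly what the browser checks before it shows the lock or the expired-certificate warning. This is an added example, not part of the original article: the host names and dates are constructed, and the certificate is a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificate (made-up host names and dates), in the
# dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

def name_matches(pattern, host):
    """Match one DNS name; '*' may stand in only for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, now):
    """Return a list of problems; an empty list means dates and name are fine."""
    problems = []
    now_ts = now.timestamp()
    # The validity window: a certificate is only good between these two dates.
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Identity: the site you asked for must be one of the names in the certificate.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    in_2006 = datetime(2006, 3, 13, tzinfo=timezone.utc)
    in_2007 = datetime(2007, 6, 1, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_CERT, "shop.example.com", in_2006))
    print(check_certificate(SAMPLE_CERT, "shop.example.com", in_2007))
    print(check_certificate(SAMPLE_CERT, "shop.example.net", in_2006))
```

A real browser also verifies the issuer's signature chain back to a trusted authority, which this sketch leaves out.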

A very strong recommendation when shopping online is to use credit cards and not debit cards. Credit cards carry a substantial amount of protection against fraud. If someone uses your number without your authorization, credit card companies are quick to resolve the matter so that you aren't responsible. But debit cards rarely carry the same protection. If someone uses your debit card fraudulently, you will most likely have to bear the cost yourself.

For those of you who want the highest level of protection, you can get a single-use credit card. These are cards that your bank issues that can be used only once. You can use it without fear because anyone who captures your information and tries to use that credit card number after your single use will be denied.

Another strong recommendation is the same for online shopping as it is for normal "brick and mortar" shopping. Make sure the store appears legitimate. If you walk into a place and the guy behind the counter named Vinnie looks like he can bend steel rods with his bare hands and has cement caked on his shoes, find a different store. And the same goes for an online store. If it doesn't look professional and things just don't seem to work very well, you should look elsewhere.

I use PayPal for quite a few transactions, especially eBay sales and purchases. (And yes, I've heard the end-times prophecies and the mark of the beast comments a thousand times, but still think it's alright.) PayPal is very convenient and lets you pay from your bank account (without as much risk as using a debit card) or a credit card. It's a very safe and convenient way to pay for things online. You can get details at PayPal.com.

Those are the basics of safe online shopping.