Safer Online Shopping

Woman using a laptop and holding a credit cardTHE BASICS

Keep your computer secure and protect your identity.

Utilize good-quality anti-virus and anti-malware products, anti-phishing filters or a security suite, as well as hardware and software firewalls.

Keep these tools and your browser up-to-date with the latest security patches. Never use unsecured networks (such as public wireless networks) or public computers for making online purchases.

If the vendor requires you to create an account, use a strong and unique password.


Almost all reputable vendors have registered domain names that match their company name, like http://www.<companyname>.com/. But make sure you spell it correctly, since subtly different misspellings are often snatched up by Web impostors seeking to lure you to bogus websites. Locate and type in website addresses directly, or use your own bookmarks.

When considering new vendors, do some homework. Are they accredited by the Better Business Bureau [1]? Do they comply with privacy policies from TRUSTe [2]? Be sure to click on accrediting logos to verify that they’ve not been lifted from another vendor’s site, or are not just passive images–two sure signs of fraud.

Check what other people have to say about the vendor. Look for positive and negative comments from other consumers on sites dedicated to searching online retailing [3]. Get recommendations from friends and colleagues. Don’t assume that prominent placement on a search engine’s hit list means that the vendor is legitimate and trustworthy. The Bad Guys are skilled at manipulating the system to artificially enhance the position of their websites on the results page.

Always use encrypted websites (shown in most browsers with an https address and a padlock icon) for sending a payment or personal information to the vendor. But don’t assume that an encrypted website alone is sufficient evidence of a merchant’s integrity. Encryption helps protect information in transit, but it doesn’t say anything about a merchant’s business practices. Legitimate-looking certificates can be obtained or created fraudulently.


Be sure that the vendor is selling the current model and not last year’s overstock. Is it new, used, returned, cosmetically defective, or refurbished? Pay careful attention to how the vendor uses a term like “refurbished.” Ask what was wrong with the product and what’s been done to make it right. Shop around to determine a reasonable price for the item; deals that are too good to be true often are. Make sure that you’re buying a version of the product with a valid, local warranty. This is particularly true with cameras and electronics sold in the U.S. where there’s an extensive “gray market.”


Determine the bottom-line price before committing to your purchase. If you can’t calculate the total cost in advance, choose another merchant. The merchant’s website should tell you if the product is in stock, give you a choice of shipping methods, and state when you will receive your purchases. Many people assume that buying online exempts them from paying sales tax – probably not. If your state has a sales and use tax, you are required by law to report purchases you make in other jurisdictions and pay sales tax on them voluntarily. Failure to do so could be regarded as tax evasion.


Avoid using personal checks, bank checks, money orders or debit cards for purchases, and NEVER send cash or cash equivalents. Credit cards provide some protections by law, and the issuer may provide others spelled out in the terms of service. If a vendor will not accept a credit card, find another vendor. The safest way to make a purchase, especially if you are dealing with a smaller vendor, is to use a third-party payment service, such as Paypal [4], AmazonPayments [5] or Google Payments [6]. These services act as middlemen so you don’t have to give your credit card information to the vendor.

Fees for the payment services mentioned here are the responsibility of the seller, but that may not hold true for others. Prospective buyers should consult the details in the terms of service (“the fine print”) and verify who pays for what before making a purchase. Reputable payment services provide information about their member merchants’ standing, and whether or not complaints have been filed against them. Consider dedicating one credit card to making all of your online purchases. Monitor your credit card account activity frequently, and report unauthorized charges promptly. Using a prepaid credit card and a gift card can limit your losses if the card number is stolen or intercepted. Some card companies offer onetime use credit card numbers.


Many people do research as part of their shopping in brick ‘n mortar stores where they can examine products firsthand and ask questions of the sales staff, but then proceed to make their purchases from an online retailer at a lower price. If a salesperson or a company has been particularly helpful to you, consider rewarding them with your business, even if it does cost you a bit more. Information adds value.


Before you make your purchase, understand your rights with respect to returns, exchanges, refunds, and credits. These should be readily available on the merchant’s website. Understand whether you can obtain support from the merchant, or if repairs and replacements are handled by the original manufacturer. Are there shipping and restocking charges associated with returning a product?

Problems with online purchases should be handled in the traditional way. Start by contacting the vendor or the manufacturer about it. If the issue remains unresolved to your satisfaction, contact your credit card company and file a dispute regarding the purchase. If things still aren’t right, contact your local consumer protection authorities. If you feel you’ve been defrauded, file a complaint with the Federal Trade Commission and your local police department.

More Information:

[1] Better Business Bureau

[2] TRUSTe

[3] Vendor ratings
– BizRate
– Epinions
– PriceGrabber
– Google Product Search

[4] PayPal

[5] Amazon Payments

[6] Google Payments

reprinted from the June 2010 edition of the SANS Institute Security Newsletter OUCH!

Posted in Fall 2010 Edition, Safe Computing | Comments Off on Safer Online Shopping