


5 Reasons It’s Riskier to Shop In Person Than Online

Dec 18, 2007 | 5 mins
Data and Information Security, Security

With the number of online shoppers growing each year and the biggest shopping days of the year in our midst, the safety of online shopping is often called into question. But what about security when it comes to shopping at your local mall? Which is actually safer–shopping online or in person?

The answer, of course, is it depends. But experts point out one big difference in how you load up your shopping cart: The biggest risks from online shopping come from factors you can, for the most part, control, while the threat from in-store transactions is largely out of your hands–and in those of the retailer.

The biggest online threat stems from falling victim to ads that take you to illegitimate sites, says Avivah Litan, a vice president at Gartner. There are many ways criminals can lure you to these sites, but the most common are through phishing or by hijacking your browser through malware downloaded onto your machine. “Online, you run the risk of giving your money to an illegal business where someone is capturing your information as you enter it,” Litan says. In other words, it’s up to you to make sure you’re spending your money in the right places.

In-store risks, on the other hand, stem largely from how merchants handle data. And so, amidst the usual holiday hand-wringing over risks with online shopping, we offer five ways that going to a store actually presents a bigger risk.

1. Stores may have wireless networks that aren’t secured.

Perhaps the best-known risk of in-store shopping is the possibility of an insecure wireless network. Sensitive customer information can be accessed through a store’s wireless network if it has a weak encryption key. According to a November study by wireless security product vendor AirDefense, half of the 3,045 retailers surveyed use wireless data systems that are susceptible to hacking. Of the wireless access points studied, 25 percent didn’t have any encryption at all, and 25 percent were using the Wireless Equivalent Privacy encryption method (WEP), which is outdated and easily cracked.   

At the time of one of the largest security breaches in history, TJX was using WEP; the breaches that occurred at DSW, OfficeMax and BJ’s also resulted from a cracked WEP key. Barak Engel, former director of security at WebEx and co-creator of, says that when TJX implemented the encryption key, WEP was standard and recommended. While more merchants are starting to switch to newer methods of encryption, such as Wi-Fi Protected Access (WPA), he says that it is an “often costly and resource intensive affair.” And if the store where you’re shopping hasn’t made the switch? There’s little way for you to do much about it, or even know.

2. Stores may have a harder time implementing good data practices.

Once the credit or banking card data is collected, there’s no reason to keep transaction data in the store for very long. But Engel says that many merchants store data unnecessarily, which creates a greater security risk. “Retailers may want to keep some for a month, for operational processes that require the data to be held, like returns, but not beyond that,” he says.

What’s more, Litan says, online stores actually may be better equipped to consolidate storage of their data. That’s because their network covers a smaller area than that of a large retail chain with thousands of stores and different legacy systems.

3. Your banking account information and PINs may be at risk in a store.

When you purchase something with a check, you make your account number visible and available, says Litan. Likewise, using a debit card and entering your PIN into a point-of-sale device also puts your information at risk. Although Litan says it is generally difficult for a hacker to obtain a user PIN, there are ways to do it–and if someone does manage to steal it, they can wipe out your account through ATM withdrawals and make it difficult for you to get your money back, she says.

For that reason, Litan recommends using cash or your credit card–just like you do online. “If someone steals your credit card,” she points out, “you won’t be liable for any of it.”

4. The magnetic stripe data gathered in stores is more appealing to thieves than just a card number.

When thieves steal data from an in-store transaction, they may be taking data from the magnetic stripe, Litan says. This data can be used to produce counterfeit cards, which has more grievous implications both for retailers and customers. Even if a customer whose card is forged isn’t ultimately liable for the charges, he still has to go through the hassle of cancelling an account and opening a new one.

5. Online you can use a temporary credit card.

Although online and in-store shopping are both risky, Engel says there is a way to virtually eliminate the threat online: by using a virtual card number. Engel, who says he has not used his real credit card number for an online transaction in years, instead uses a downloadable tool from his bank, which allows him to log in and generate a temporary number with a transaction limit and a time limit. A virtual credit card number is then generated, which can be used for no more than the specified amount, at no merchant other than the specified merchant, and no longer than the specified cutoff date.

Of course, that’s more work (and, as columnist Scott Berinato points out this season, we may be too lazy for that). But at least it’s an option. “If consumers decided to take responsibility for their own security,” Engel says, “there would be almost zero danger of doing transactions online–and still quite a bit in-store.”