Your guide to safe and secure post-holiday shopping

Dec 25, 2012 | 6 mins
Cybercrime, Data and Information Security, E-commerce Software

In search of hot online deals? A few simple steps can reduce your risk as you boost the economy through extravagant e-commerce

The truth is you didn’t get a 60-inch LCD TV as a gift this holiday season. You’ll have to buy it yourself. And most likely, you’ll go to the last remaining big-box store, compare picture quality, and return home to your computer to find the best deal online.

Still feel a little nervous buying a big-ticket item over the InterWebs? Keep in mind it’s at least as safe as handing your credit card to a complete stranger for five minutes every time you eat in a restaurant. Nonetheless, you can take several steps to reduce the risk.

[ Security expert Roger A. Grimes shares more Internet safety tips in “Do’s and don’ts for online traders.” | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]

The first rule is obvious: If a computer shows the slightest sign it could be infected, don’t use it for any type of transaction. Telltale symptoms include weird slowdowns, system error messages, unexpected sounds, and alerts that a program you don’t recognize is trying to connect to the Internet. The cure? It’s painful: Back up all your data, do a clean re-install of the operating system, re-install your programs, restore your data, and begin anew.

Assuming that, one way or another, you’re squeaky clean — and you have the sense to avoid the most common cyber attacks — you’re ready for some personal shopping safety advice.

Stick with popular e-commerce sites
The most popular e-commerce sites have the best security and the strongest reasons to protect your financial data, so you can worry less right out of the gate. On the other hand, sometimes only an obscure site has the stuff you want. If you’re poised to do business with an e-commerce site neither you nor your friends have heard of, use more caution. I often look for a local phone number to call. Calling and getting a human voice on the other end of the line doesn’t mean the site is safe, but it does mean you have another trackable presence to support its legitimacy.

Don’t trust “safe” seals
Many computer security organizations offer “safety seals,” which are supposed to indicate that an e-commerce site’s security has been analyzed, verified, and approved. Unfortunately, the bad guys often steal or mimic these seals, and even when they’re legitimate, they only mean the site met some very basic requirements at a particular point in time. Thousands of sites verified by safety seal services have ended up serving malware to customers or have had their customer databases stolen.

Don’t leave credit card info behind
Most e-commerce sites offer to save your credit card information so that you can buy more quickly next time. Unless you’re on a site you purchase from all the time, say no. If the site doesn’t store your credit card data, a hacker who breaks into the site can’t get it and use it.

Use websites that ask for info each time you use your card
I love e-commerce sites that always ask for some bit of information only I should know before they’ll process my credit card. Many don’t store all the digits of my credit card number and ask me to fill in the missing ones — or at least ask for my CVV code.

Use websites that double-check when you ship to a new address
My favorite e-commerce sites require additional verification if I try to ship to a nonstandard mailing address. Hackers often buy stuff using your credit card and ship to a temporary address where they can get away with the goods. Most e-commerce sites know this and flag any purchase to be sent to a nonstandard address — and ask a couple of questions only you know the answers to.

Try alternate payment systems
If you’re worried about someone stealing your credit card number, don’t use your credit card; alternatively, use a credit card with a low maximum balance. Even better, use an online payment service, like PayPal, that you trust. PayPal is a frequent target for impersonation by spammers and phishers, but I’ve never been burned when using PayPal in a legitimate transaction. PayPal and services like it have their problems and critics, but their biggest benefit is that you’ll never be out more money than what you’ve allocated to the service. In addition, many services offer virtual or one-time credit cards that are good for only a single use. If you have lingering doubts about a site, don’t use your credit card.

Use strong passwords
I wrote about this topic recently. Remember, it’s easier than you think to create a long password that’s easy to remember, particularly if you use a variation of my strong password creation trick.

Regularly change your passwords
Many hacked e-commerce sites have been found to contain user passwords that were never changed since the first user transaction. Don’t be one of those people. Instead, change all your passwords at least once per year, if not more frequently. That way, if bad guys hack into a site, there’s less time for them to be able to use your password.

Don’t share passwords among sites
This is a big one. When you share passwords among websites, the security of your most important transaction is limited by the lowest security of the most insecure site. Hackers frequently break into seemingly inconsequential websites, grab users’ email addresses, log-on names, and passwords, and use them to log on to more popular websites. And they’re often successful.

Don’t answer your password reset questions accurately
Recently, as part of a password reset routine, a website asked my grandfather’s occupation. I entered “tiredtired.” Never answer password questions accurately. It’s far easier for a hacker to guess legitimate answers to password reset questions than it is to guess your password. Instead, make up some nonsense. For greater protection, and as a memory aid, vary your password reset answers based on the website name: for example, tiredtiredamazon, tiredtiredfidelity, tiredtireditunes, and so on.

Check your accounts frequently
Examine your checking and credit card balances online no less than once a week. If a suspicious transaction appears, you’re on top of it rather than waiting for the bank to call.

Set up monitoring thresholds
These days, many banks and credit card services let you set up transaction thresholds which, if exceeded, generate an email or a request for approval. Others send you an alert if the transaction occurs overseas or exhibits an unusual pattern that doesn’t match your normal behavior.
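As an added illustration (this is not code from the article or from any bank’s real alerting system), the rule logic behind such alerts boils down to three checks: a fixed per-transaction threshold, a home-country comparison, and an “unusual amount” test against the running average of previously unflagged charges. The cardholder profile, thresholds, and transactions below are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    txn_id: str
    amount: float
    country: str  # ISO-style country code of the merchant

# Constructed cardholder profile (assumed values, not from the article).
HOME_COUNTRY = "US"
THRESHOLD = 500.00   # alert when a single charge exceeds this amount
SPIKE_FACTOR = 2.0   # alert when a charge is 2x the running average

# Constructed sample history: three routine charges, then three that
# should each trip a different rule.
SAMPLE_TXNS = [
    Transaction("t1", 42.10, "US"),
    Transaction("t2", 18.99, "US"),
    Transaction("t3", 55.00, "US"),
    Transaction("t4", 749.00, "US"),  # over the fixed threshold
    Transaction("t5", 30.00, "FR"),   # small, but overseas
    Transaction("t6", 400.00, "US"),  # under threshold, but far above average
]

def flag_transactions(txns, home=HOME_COUNTRY, threshold=THRESHOLD, spike=SPIKE_FACTOR):
    """Return {txn_id: [reasons]} for every transaction that would raise an alert.

    Flagged charges are excluded from the running average so that one large
    charge cannot raise the baseline and mask the ones that follow it.
    """
    alerts = {}
    baseline = []  # amounts of charges that passed every check so far
    for t in txns:
        reasons = []
        if t.amount > threshold:
            reasons.append("over-threshold")
        if t.country != home:
            reasons.append("overseas")
        if baseline and t.amount > spike * (sum(baseline) / len(baseline)):
            reasons.append("unusual-amount")
        if reasons:
            alerts[t.txn_id] = reasons
        else:
            baseline.append(t.amount)
    return alerts

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE_TXNS).items():
        print(f"ALERT {txn_id}: {', '.join(reasons)}")
```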

Follow all these recommendations all the time and you’ll reduce your online security risk significantly. Nothing will guarantee that you’ll never be exploited, but it decreases the odds that you’ll be a victim.

This story, “Your guide to safe and secure post-holiday shopping,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
