AA
Welcome Shopper
 
back to main page

SECURITY TIPS

Security is an essential part of online shopping to protect customers personal information from third parties. Not only is it important that websites provide the necessary secuirty, but provide its customers with the knowledge to help them protect themselves.

1. Introduction

With just a click of the mouse, shoppers can buy nearly any product online -- from groceries to cars, from insurance policies to home loans. The world of electronic commerce, also known as e-commerce, enables consumers to shop at thousands of online stores and pay for their purchases without leaving the comfort of home. For many, the Internet has taken the place of Saturday afternoon window shopping at the mall. Consumers expect merchants to not only make their products available on the Web, but to make payments a simple and secure process. However, the same things can go wrong shopping in cyberspace as in the real world. Sometimes it is simply a case of a computer glitch or poor customer service. Other times, shoppers are cheated by clever scam artists.

An April 2004 survey by AC Nielsen found that the top security concerns of America's online shoppers were

* Not receiving the items purchased, or receiving items different from what was described.
* Email addresses being sold to third parties.
* Fears about personal or financial information being stolen.
* E-mail scans known as "phishing" or "spoofing" in which consumers receive messages from dishonest sources disguised as messages from trusted retailers or financial institutions.

More recent surveys have found that the number of people who shop online around the globe is increasing dramatically. (Trends in Online Shopping: A Global Nielsen Consumer Report (Feb. 2008), www2.acnielsen.com/reports/documents/GlobalOnlineShoppingReportFeb08.pdf

Just as shoppers should take measures to protect themselves in brick-and-mortar stores - such as protecting their PIN numbers when checking out and not leaving purses unattended - online shoppers also need to take sensible precautions. This guide offers advice on how to make your online shopping experiences enjoyable and safe.

2. Shop at Secure Web Sites

How can you tell if a Web site is secure? It uses encryption technology to transfer information from your computer to the online merchant's computer. Encryption scrambles the information you send, such as your credit card number, in order to prevent computer hackers from obtaining it en route. The only people who can unscramble the code are those with legitimate access privileges. You can tell when you are dealing with a secure Web site in several ways.

*First, if you look at the top of your screen where the Web site address is displayed, you should see https://. The "s" that is displayed after "http" indicates that Web site is secure. Often, you do not see the "s" until you actually move to the order page on the Web site.
*Another way to determine if a Web site is secure is to look for a closed padlock displayed at the bottom of your screen. If that lock is open, you should assume it is not a secure site.
*The third symbol that indicates you are on a secure site is an unbroken key.

Of course, transmitting your data over secure channels is of little value to you if the merchant stores the data unscrambled. You should try to find out if the merchant stores the data in encrypted form. If a hacker is able to intrude, it cannot obtain your credit data and other personal information. Be sure to read the merchant's privacy and security policies to learn how it safeguards your personal data on its computers. (See tip 4 below.)

3. Research the Web Site Before You Order

Do business with companies you already know. If the company is unfamiliar, do your homework before buying their products. If you decide to buy something from an unknown company, start out with an inexpensive order to learn if the company is trustworthy.

Reliable companies should advertise their physical business address and at least one phone number, either customer service or an order line. Call the phone number and ask questions to determine if the business is legitimate. Even if you call after hours, many companies have a "live" answering service, especially if they don't want to miss orders. Ask how the merchant handles returned merchandise and complaints. Find out if it offers full refunds or only store credits.

You can also research a company in Internet yellow pages, through the Better Business Bureau (see listing below), or a government consumer protection agency like the district attorney's office or the Attorney General. Perhaps friends or family members who live in the city listed can verify the validity of the company. Remember, anyone can create a Web site.

4. Read the Web Site's Privacy and Security Policies

Every reputable e-commerce Web site offers information about how it processes your order. It is usually listed in the section entitled "Privacy Policy." You can find out if the merchant intends to share your information with a third party or affiliate company. Do they require these companies to refrain from marketing to their customers? If not, you can expect to receive "spam" (unsolicited e-mail) and even mail or phone solicitations from these companies.

You can also learn what type of information is gathered by the Web site, and how it is - or is not - shared with others. The online merchant's data security practices are also often explained in the Privacy Policy, or perhaps a separate Security Policy.

Look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices, such as TRUSTe (www.truste.org), Verisign (www.verisign.com), or BBBonline (www.bbbonline.org).

However, be aware that a strong privacy policy and membership in a Web-seal program don't guarantee that the Web merchant will protect your privacy for all time. Policies can change. The company can file for bankruptcy and sell its customer data base. The Web merchant might be purchased by another company with a weaker privacy policy. And the company's data can be subpoenaed for law enforcement investigations or civil cases. You have little control over the use of your customer data in such matters.

Given all of these uncertainties, you will want to think about the sensitivity of the data that is being compiled about you when you shop online. We cannot prescribe the best approach to take. Each consumer has a different interpretation of what is considered "sensitive."

5. Be Aware of Cookies and Behavioral Marketing

Online merchants as well as other sites watch our shopping and surfing habits by using "cookies," an online tracking system that attaches pieces of code to our Internet browsers to track which sites we visit as we search the Web.

"Persistent" cookies remain stored on your computer while "per-session" cookies expire when you turn the browser off. Online merchants use cookies to recognize you and speed up the shopping process the next time you visit. You may be able to set your browser to disable or refuse cookies but the tradeoff may limit the functions you can perform online, and possibly prevent you from ordering online.

Privacy advocates worry that as more and more data is compiled about us - without our knowledge or active consent - it will be combined to reveal a detailed profile, even our actual identities. This data is often collected to market goods and services to us, encouraging us to buy them. There are a number of companies that specialize in targeted online advertising called "behavioral marketing." Companies say consumers benefit by being exposed to more targeted advertising and that online merchants can make more money more efficiently by targeting the right shoppers.

For example, you might buy a book on golf from Amazon, visit the Professional Golfer's Association site, purchase golf shoes at Zappos, and search online for golf courses near your home. When you do, your computer's Internet Protocol (IP) number could be used to generate golf-related ads. When you open the USA Today site to read the morning news, you may see an ad offering you a new set of clubs at a discount. When you go back to Amazon later that day you might be offered a biography of Tiger Woods.

What if your behavioral marketing profile is shared with others, without your permission? You might not care if a drug company shares your prescription drug information with a coupon service to save you money. But what if that same information were obtained by your employer, resulting in more expensive health insurance coverage?

Consumer groups have asked the Federal Trade Commission (FTC) to require companies to get consumers' permission (opt-in) before collecting or sharing any personal information about them, such as their computer's IP number. Many of these groups also recommend creating a "Do Not Track" list for those who do not wish to be followed online, patterned after the widely used Do Not Call list. www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf

6. What's Safest: Credit Cards, Debit Cards, Cash, or Checks?

The safest way to shop on the Internet is with a credit card. In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you are only responsible for the first $50 in charges. You are rarely asked to pay this charge.

We recommend that you obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges. For more information on credit card consumer protections, see http://www.privacyrights.org/fs/fs32-paperplastic.htm#3

E-commerce shopping by check leaves you vulnerable to bank fraud. And sending a cashier's check or money order doesn't give you any protection if you have problems with the purchase.

Make sure your credit card is a true credit card and not a debit card, a check card, or an ATM card. As with checks, a debit card exposes your bank account to thieves. Your checking account could be wiped out in minutes. Further, debit and ATM cards are not protected by federal law to the extent that credit cards are.

7. Never Give Out Your Social Security Number

Providing your Social Security number is not a requirement for placing an order at an e-commerce Web site. There is no need for the merchant to ask for it. Giving out your Social Security number could lead to having your identity stolen. (See PRC Fact Sheet 17a, "Identity Theft: What to Do if It Happens to You," www.privacyrights.org/fs/fs17a.htm.)

8. Disclose Only the Bare Facts When You Order

When placing an order, there is certain information that you must provide to the web merchant such as your name and address. Often, a merchant will try to obtain more information about you. They may ask questions about your leisure lifestyle or annual income. This information is used to target you for marketing purposes. It can lead to "spam" or even direct mail and telephone solicitations.

Don't answer any question you feel is not required to process your order. Often, the web site will mark which questions need to be answered with an asterisk (*). Should a company require information you are not comfortable sharing, leave the site and find a different company for the product you seek.

9. Keep Your Password Private

Most reputable e-commerce web sites require the shopper to log-in before placing or viewing an order. The shopper is usually required to provide a username and a password.

Never reveal your password to anyone. When selecting a password, do not use commonly known information, such as your birthdate, mother's maiden name, or numbers from your driver's license or Social Security number. Do not reuse the same password for other sites. The best password has at least eight characters and includes numbers and letters.

10. Check the Web Site Address

Above the web site at the top of your screen is a rectangular window that contains the web site address (also called the URL, or Uniform Resource Locator). By checking that address, you can make sure that you are dealing with the correct company.

Don't click on any link embedded within a potentially suspicious email. Instead, start a new Internet session by typing in the link's URL into the address bar and pressing "Enter" to be sure you are directed to a legitimate Web site.

11. Don't Fall for "Phishing" Messages

Identity thieves send massive numbers of e-mails to Internet users that ask them to update the account information for their banks, credit cards, online payment service, or popular shopping sites. The e-mail may state that your account information has expired, been compromised or lost and that you need to immediately resend it to the company.

Some e-mails sent as part of such "phishing" expeditions often contain links to official-looking Web pages. Other times the e-mails ask the consumer to download and submit an electronic form. The National Research Center of Consumer Reports magazine, found that 8 percent of respondents provided personal information after receiving phony e-mail messages. www.consumerreports.org/cro/money/news/september-2006/dont-bite-at-phishers-e-mail-bait-9-06/overview/0609_dont-bite-at-phishers-email-bait_ov.htm

Remember, legitimate businesses don't ask for sensitive information via email. Don't respond to any request for financial information that comes to you in an email. Again, don't click on any link embedded within a suspicious email, and always call the retailer or financial institution to verify your account status before divulging any information.

For more information on phishing, visit www.antiphishing.org, and www.onguardonline.gov.

12. Always Print Copies of Your Orders

After placing an order online, you should receive a confirmation page that reviews your entire order. It should include the costs of the order, your customer information, product information, and the confirmation number.

We recommend you print out at least one copy of the Web page(s) describing the item you ordered as well as the page showing company name, postal address, phone number, and legal terms, including return policy. Keep it for your own records for at least the period covered by the return/warranty policy.

Often you will also receive a confirmation message that is e-mailed to you by the merchant. Be sure to save and/or print this message as well as any other e-mail correspondence with the company.

13. Shop with Companies Located in the United States

When you shop within the U.S., you are protected by state and federal consumer laws. You might not get the same protection if you place an order with a company located in another country.

14. Pay Attention to Shipping Facts

Under the law, a company must ship your order within the time stated in its ad. If no time frame is stated, the merchant must ship the product in 30 days or give you an "Option Notice." This gives you an opportunity to cancel the order and receive a prompt refund, or agree to the delay.

Here are key shipping questions to ask:

*Does the site tell you if there are geographic or other restrictions for delivery?
*Are there choices for shipping?
*Who pays the shipping cost?
*What does the site say about shipping insurance?
*What are the shipping and handling fees, and are they reasonable?

15. Learn the Merchant's Cancellation, Return and Complaint-Handling Policies

Even under the best of circumstances, shoppers sometimes need to return merchandise. Check the Web site for cancellation and return policies.

*Who pays for shipping?
*Is there a time limit or other restrictions to the return or cancellation?
*Is there a restocking charge if you need to cancel or return the order?
*Do you get a store credit, or will the company fully refund your charges to your credit card? If the merchant only offers store credits, find out the time restriction for using this credit.

Don't expect less customer service just because a company operates over the Internet. This is especially important if you are buying something that may need to be cleaned or serviced on occasion.

*Does the merchant post a phone number and/or e-mail address for complaints?
*How long has the company been in business?
*Will they still be around when you need them?
*Is there an easy, local way for you to get repairs or service?
*Is there a warranty on the product, and who honors that guarantee?
*What are the limits, and under what circumstances can you exercise your warranty rights?

16. Use Shopper's Intuition

Look at the site with a critical eye. And heed the old adage, "If it looks too good to be true, it probably is."

*Are there extraordinary claims that you question?
*Do the company's prices seem unusually low?
*Does it look like the merchant is an amateur?
*Are there a lot of spelling or grammar errors?
*Does the company's phone go unanswered?
*The use of a post office box might not send up a red flag, but a merchant who does not also provide the company's physical address might be cause for concern.

If any of these questions trigger a warning bell in your head, you will be wise to find another online merchant.

17. Be Wary of Identity Theft

As e-commerce becomes more common, there will be more cases of identity theft committed over the Internet. Imposters are likely to obtain their victims' identifying information using low-tech means like dumpster diving, mail theft, or workplace access to SSNs. But they are increasingly using the Web to apply for new credit cards and to purchase goods and services in their victims' names.

The same advice for avoiding low-tech identity theft applies to shopping on the Internet. Many are mentioned in the above tips. Most important: Be aware of who you are buying from. And use true credit cards for purchases, not debit cards.

We recommend that you check your credit card bills carefully for several months after purchasing on the Internet. Look for purchases you did not make. If you find some, immediately contact the credit card company and file a dispute claim.

Order your credit reports at least once a year and check for accounts that have been opened without your permission. (See PRC Fact Sheet 17a , "Identity Theft: What to Do if It Happens to You," www.privacyrights.org/fs/fs17a.htm.)

18. Consider Using Single-use Card Numbers

Consumers using some brands of credit cards can get "virtual credit cards," or single-use card numbers, that can be used at an online store. The randomly generated substitute 16-digit number can also be used to buy goods and services over the phone and through the mail but can't be used for in-store purchases that require a traditional plastic card.

With this free service, you never need to give out your real credit card number online. Among the card companies offering it are Citibank and the Discover card.

19. Be Cautious with Electronic Signatures

A federal law enables shoppers to verify online purchases with merchants using an electronic signature. Usually, this process is nothing more than clicking on a box that says you accept the terms of the order.

The Electronic Signatures in Global and National Commerce Act, also known as the E-Sign Act, is a complex law. It states that electronic signatures and electronic records used in interstate and foreign commerce will not be denied validity just because they are in electronic form. Further, the law says that online purchases do not need to be accompanied by the more traditional handwritten signature on a paper document.

Consumer advocates opposed the law because it lacks important safeguard against fraud. For example, the law does not require online merchants to comply with such standards as message integrity (security and accuracy in transmission), privacy of customer data, and authentication of sender.

The faults of the E-Sign Act require you to shop cautiously on the Internet. The tips offered in this guide will help you make sure the online companies you choose are secure and honest.

20. Know How Online Auctions Operate

Online auctions connect buyers and sellers, allowing them to communicate in a bidding process over items for sale. Many people are drawn to online auction sites because they allow you to buy items at discounted prices. And they offer a chance to sell some of your unneeded or unwanted possessions to raise extra money. For the most part, online auction sites are a safe way to exchange goods. But it makes sense to be cautious and aware.

The first step in safely using an online auction site is to read the terms of use, which will outline key issues such as whether or not the seller or the site is responsible for any problems that arise. Learn a site's return policy, as it may be difficult to return merchandise bought at auction. It's critical to check the policy, because you may be required to follow the seller's refund policy, rather than that of the auction site.

Once a consumer has agreed to a price with a seller, the buyer and seller arrange for payment and delivery of the product. Successful bidders can usually choose among several payment options, such as credit card, online payment service, debit card, personal check, cashier's check, money order, or escrow service.

If a seller requests payment in cash by private courier, or by check or money order through an overnight delivery service, you have a right to be suspicious. This could signal an attempt to commit fraud by taking your money without delivering the merchandise.

It always makes sense to pay by credit card because you'll have an option to seek a credit from the credit card issuer (also known as a "charge back") if the product isn't delivered or isn't what you ordered. For more information on credit card consumer protections see www.privacyrights.org/fs/fs32-paperplastic.htm#3

To protect both buyers and sellers, some auction sites prohibit the use of wire transfers as a payment method. The Federal Trade Commission recommends that buyers do not pay by wire transfer because if something goes wrong, you are left with no refund and no recourse.

Another popular way to pay at auctions is with online payment services, such as PayPal. In this scenario, the buyer and seller set up accounts that allow them to make or accept payments. Buyers provide payment information, like bank account or credit card numbers, and sellers give information about where payments should be deposited. Some online payment services offer protection if the seller doesn't ship the goods.

Sellers can be scammed too. Fake check scams are the most common problem, although they can be avoided by not accepting checks, especially cashier's or certified checks, as payment, and by waiting to ship the goods until you get your payment in a reliable form.

If a buyer offers you a cashier's (or certified) check for more than the amount of the item, and asks you to wire them the excess amount, don't do it. This it is a classic example of a fake check scam.

If you encounter a problem with a buyer or seller at an online auction site, such as eBay, it's important to report the problem to the site right away. You are probably not the only person being taken advantage of and you could help shut down illegal or unethical sellers by alerting the site to the problem. For more information on online auctions, see www.consumer-action.org/news/articles/internet_commerce_issue_spring_2008/#Topic_07

21. Understand Your Responsibility for Sales and Use Taxes Online

Generally Internet shopping is sales tax free, but there's a catch. If an online merchant has a physical presence in your state, it is required to charge you sales tax. In most sates, consumers are required to pay tax on online purchases, even if the store doesn't collect it. Most states call this a "use tax." Efforts are underway to simplify the sales tax issue in many states.

22. Additional Resources

Listed below are Web sites that provide additional information about shopping online.

www.bbb.org and www.bbbonline.org - The Better Business Bureau certifies web merchants with a privacy seal of approval. You can research merchants through the BBB and also report e-commerce fraud problems at these sites.

www.fda.gov/oc/buyonline - Created by the U.S. Food and Drug Administration to provide shopping tips for buying online prescriptions and over-the-counter drugs on the web.

www.ftc.gov/bcp/conline/pubs/alerts/glblalrt.htm - The Federal Trade Commission's online shopping advice.

www.ftc.gov/bcp/edu/pubs/consumer/tech/tec07.shtm - The Federal Trade Commission's tips on Internet auctions.

www.ic3.gov - The FBI's Internet Fraud Complaint Center allows you to report suspected cases of Internet and e-commerce fraud.

www.lookstoogoodtobetrue.com - Federal law enforcement and industry task force helps prevent consumers from becoming victims of an Internet fraud schemes.

www.onguardonline.gov - FTC, other federal agencies, and the technology industry offer advice on identity theft, phishing, spyware, spam, online shopping and more.
www.safeshopping.org - Online shopping tips provided by the American Bar Association.

Reference: Privacy Rights Clearinghouse. August 2008. Online Shopping Tips: E-Commerce and You. http://www.privacyrights.org/fs/fs23-shopping.htm (accessed June 30, 2009).

back to main page