Security

‘Tis the Season for Safe Holiday Shopping

While recent reports don’t predict a major recovery for retailers this holiday season, the outlook for e-commerce sites is slightly more optimistic: 2009 will post an 18 percent increase in online holiday shopping over last year, according to Information Resources. For many consumers, though, the convenience of online shopping comes with a hefty price: their identity.

Holidays are when the majority of online identity theft problems occur, according to the Identity Theft Resource Center (ITRC), a nationally recognized expert on identity theft prevention. This is especially disconcerting considering that nearly 10 million Americans were victims of ID theft in 2008 and more than 200 million files have been exposed by data breaches in 2009 to date, according to the Javelin Strategy & Research Center.

The number of identity theft victims is likely to rise this year. There is little doubt that fraudsters can — and will — take advantage of increased shopping activity during the holiday season to prey on online shoppers who may not take precautions to protect themselves.

The real key to effective protection is to prevent the transmission of sensitive information in the first place. The word “prevention” is often used to describe benefits provided by security products; however, many products that claim to prevent identity theft do not prevent consumers’ sensitive information from being transmitted and stored in databases — where it is most vulnerable to theft and fraud.

Secure Payment Agents

To proactively protect against online identity theft and credit card fraud, the ITRC has called for the development of a new category of products it calls secure payment agents, or SPAs. What’s different about secure payment agents is that they are designed to protect all of a consumer’s personal and financial information by replacing it with anonymous, untraceable information each time a purchase is made.

The ITRC’s basic criteria for what constitutes an SPA provide a great place to start if you are evaluating tools to help you shop safely online this year. An effective SPA should

  • replace the consumer’s real personal identifying and financial information with anonymous data that is untraceable back to the consumer;
  • authenticate the user prior to use through mutli-authentication techniques;
  • eliminate phishing both when visiting Web sites and receiving incoming email;
  • verify both consumer and device (your computer) before allowing access to or use of the secure payment agent;
  • store user data so it becomes useless if the database storage system is breached; and
  • ensure merchant payment without disruption to the purchase or its confirmation.

In addition to protecting your personal and financial information using technology solutions such as secure payment agents, there are a few other things you can do to stay safe while shopping online this holiday season: Avoid phishers; use secure usernames and passwords; and reduce your credit card risk.

Protect Yourself From Phishing Sites

Phishing sites are fraudulent Web sites that look just like the real ones they impersonate. They try to lure consumers in with the same look and feel of popular sites, and then ask for sensitive personal or financial information. Often, they trick consumers through legitimate looking emails. (Example: “The credit card we have on file has expired. Please go to [insert name of merchant] and update your information.”) The link goes directly to the phishing site where you may be asked for credit card information, bank account numbers, and even your Social Security number.

There are several ways to protect yourself from being phished:

  1. Be suspicious of any email that asks you for sensitive information and includes live links to Web sites. Reputable companies will not do this. It is always a good idea to check the URL you are sent to by live links before proceeding. If you see something suspicious, type in the correct URL yourself or contact the company by phone.
  2. In all cases, before giving up any sensitive personal or financial information carefully check the URL entered in the browser address bar. If something isn’t spelled correctly (example: citibanc instead of citibank), then it is likely a phishing site.
  3. Be aware of sites that have not been audited and qualified as an Extended Verification SSL (EVSSL) site. Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a Web site’s organizational identity. Depending on what browser you use, the site’s URL may be highlighted in green, notifying users that it is unlikely to be fraudulent.
  4. Go to a secure payment agent Web site and download a free browser add-on. Once installed, it will automatically appear at most popular shopping and billpay sites to let you know they are real and not phishing sites. Using these add-ons to enter your username and password at Web sites provides further protection from phishing, because they will only allow you to fill in information at legitimate sites.

Secure Usernames and Passwords

This is a two-part challenge: 1) creating strong passwords; and 2) being able to remember them when needed.

Creating strong passwords is not difficult. They should contain both upper and lower case letters and at least one number, and they should be difficult to guess. You can test the strength of your passwords for free here. It’s good to apply the same “strong principles” to usernames, but it is essential for passwords.

Remembering strong passwords and usernames is the hard part. We are all tempted to use them repetitively, but that’s a bad idea. If fraudsters get their hands on them, they will have access to several of your accounts. This becomes an even bigger problem if they ever gain access to your computer and you bookmark the sites you visit most often.

There are many free tools available to help you store and manage your passwords. However, secure payment agents can both generate and securely store unique and strong passwords and usernames for every Web site you visit, and they may even fill them in automatically.

Reduce Your Credit Card Risk

Choosing low-limit credit cards for online shopping can help mitigate risk, as there is less damage that can be done if a card is stolen. Also, you should avoid using your debit card or checking account online. If these numbers are stolen, fraudsters may be able to draw funds directly from your bank account.

This not only puts you at risk of losing money, bouncing checks and overdrawing your account, but also may delay fraud detection, because checking accounts are often not monitored as closely as credit cards.

Secure payment agents issue anonymous one-time-use replacement cards that allow consumers to charge the amount back to their own credit or debit card, or bank account. These cards are accepted at any site that accepts credit cards, reducing liability or exposure if they are stolen or misused. They expire after just one use and therefore become worthless if stolen. One-time-use cards are issued by a number of different credit card associations and banks.

Stop Identity Theft Before It Begins

Credit-monitoring services are great tools for keeping track of your credit score and making sure only those who are authorized are looking at your credit rating. They can serve as a valuable early warning signal and allow you to take steps to prevent or limit potential problems.

Unfortunately, however, credit-monitoring services cannot prevent fraud or identity theft that originates with the financial or personal information you supply when shopping online.

Your goal should be to prevent your personal and financial information from ever being transmitted over the Internet or stored in databases in the first place. That’s the main reason it makes sense to use a secure payment agent. If your information doesn’t enter a database, it can’t be stolen or traced back to you.


Steve Bachenheimer is the founder and CEO of Kemesa, a security software company whose flagship product, Shop Shield, promises complete protection against online fraud and identity theft.

1 Comment

  • Thanks Steve- well done! The growth in the EV SSL market comes not a moment too soon, especially with the holiday online shopping rush coming up. You bring up the green url bar, but a lot of people don’t realize that EV SSL certs are a lot harder for companies to obtain –there are some instances where the cert issuer has to meet a rep from the company in person. So if a business is worthy of EV SSL, they are typically worthy of trust. And, as you mention the Green URL provide an obvious visual cue for consumers to tell the difference. Hopefully more consumers will insist on this level of security and will become more of a standard for ecommerce over time.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels