Page 2 of 3
Random Musings
Vol. 1, No. 3: Online Shopping: Bankruptcy Is Just a Mouse Click Away

Inherent Dangers in Online Shopping

Any online activity carries considerable risk. Whether using one's computer for email, browsing, or other simple tasks, it is important to take steps to protect against viruses, phishing (attempting to fraudulently obtain passwords, card numbers, etc.), complete takeover of one's computer, and other evils. Eric Vaughan and Al Weil have written an excellent guide on the steps a home user can take to secure themselves from such threats. This article will not attempt to expand or improve on their outstanding advice, but will instead focus on a few of the potential pitfalls unique to online shopping.

The dangers of shopping online keep many people from doing so. Although it is impossible to estimate how much more online shopping would be done if the public could be more assured of safe shopping, it is almost certain that the figures above would be several times higher without the real and perceived dangers involved.

The potential for fraud is significantly increased by shopping online. Much of this increased danger is the result of consumers failing to take the most basic steps to protect themselves. The Federal Trade Commission reported total fraud loss from online shopping as $437 million in 2003, 55% of the total of all consumer fraud. Considering that online purchases accounted for only 1.6% of retail sales, that number is truly frightening. The average loss per incident was $193. Fraud in online sales, as with all consumer fraud, is a two-way street, with purchasers often engaging in fraudulent activities. The danger of fraud has led many U.S. etailers to restrict or completely eliminate sales outside the country.

Online shopping provides a fertile field for phishers, identify theft, and similar activity. Phishing usually involves phony emails sent that request details concerning a consumer's bank account, credit card number or other information helpful to theft. Often such emails appear to be authentic, bearing an address, logos, and other details that make it appear they come from a business from whom the user has previously made purchases.

Unexpected emails from a retailer should not even be opened in most instances. No information should ever be given in response to an email seeking credit card numbers, passwords, etc., and the user should not click any links in the email if it is opened. Very few, if any, reputable businesses will seek this information. Such activity should be reported to the business immediately.

A consumer should also exercise care in choosing an online vendor. As is the case in any consumer transaction, one should be guided by the principle that if a deal is too good to be true, it probably is. Purchasers dealing with a vendor not familiar to them should check many of the online ratings of vendors such as bizrate.com, or resellerratings.com. An article at pcworld.com examines the methods used by several raters and wisely suggests viewing ratings at several online sources. Friends, associates, and forums such as ABX can provide information concerning the experience of others with a particular merchant.

The vendor's website itself can often provide clues to trustworthiness. A single page site offering a terrific deal with little detail about the vendor is not one that should be trusted. The vendor should also accept credit cards. Despite the many fears of purchasing by credit card online, it does in fact provide some protection as U.S. law limits the liability of a user whose card number is stolen. Such protections are less when one's bank account is invaded.

Vendors should also provide secure sites for ordering and providing details such as name, address, credit card number and other required information. Although total security is impossible, such secure sites do provide a measure of safety.

Many vendors offer options that seem convenient, but can provide many opportunities for the crackers. For example, many vendors make the buyer's email address the account name by default. Users should pick a unique account name, both to make guessing the name more difficult and to avoid one more avenue for the harvesters of email addresses.

Similarly, some vendors offer to keep the buyer's credit card number on file, eliminating the need to enter the number with each purchase. While typing in the long string of numbers can be a pain, particularly when one orders repeatedly from the same vendor, purchasers should not elect this option. In one case, a cracker was found to have thousands of account names, credit card numbers, passwords, and other vital information. Fortunately, this person had cracked a site "only to see if he could," and had not used the information which he had obtained many months earlier.

A further word about passwords. The guide referenced above describes in some detail how to select a password that will be difficult to guess or otherwise become available to the nefarious among us. The same care should be taken in selecting a password for a user account with a vendor. Additionally, using the same password for everything is simply begging for problems. Passwords for Windows logon, email, vendor accounts, and other things requiring security should all be different. Organizing and remembering a long list of passwords can be even more of a pain than entering that long credit card number. Using the same password for everything, however, means if someone is able to discover it, none of your secure places are any longer secure.

The bottom line is that online shopping provides ample opportunity for the dishonest. That fact should not prevent one from taking advantage of the ease and the savings available from online shopping. Exercising one's common sense and taking basic steps to protect against fraud and theft can make the online shopping experience timesaving, moneysaving, and relatively safe.