When you’re buying online, it can sometimes be hard to tell whether you’re dealing with a legitimate merchant or the online equivalent of that guy selling counterfeit watches on 33rd Street. Most shoppers focus on maintaining the privacy of their credit card data, and that’s good. But that’s not the only privacy concern you should have while shopping online.
The risk: Any time you use your credit card online, your identity is at risk. Organized crime factions from all over the world have streamlined the process of extracting your personal details from all sorts of places, especially shopping sites. These attackers can harvest thousands or even millions of credit cards in one fell swoop. That’s a problem for two reasons.
First, and most obviously, there’s the problem of having your credit card used to purchase all kinds of goods in places you’ve never been. Usually your bank protects you from such fraudulent charges. But it’s still a hassle to change your account numbers.
But these days, the bad guys aren’t satisfied with credit cards alone. In fact, individual card numbers aren’t worth that much. But when those numbers are combined with other commonly available bits of personal information—such as addresses and birthdays—attackers can then assemble a virtual dossier of your private information. Identity thieves can parlay that information to secure credit in your name. That credit can be more valuable to them than your credit card and far more difficult and expensive for you to fix: Bank protections focus on credit cards They are much less help when money is directly extracted from accounts, via debit cards or electronic fund transfers.
How to protect yourself:The best defense against identity theft is to do business only with reputable merchants. Apply the proverbial sniff-test when selecting an online retailer. Does it feel and look legit? Check the merchant at the Better Business Bureau, or look for their ranking on the Internet Retailer 500 list. Check out for feedback on opinion sites like (Epinions and bizrate). In other words, do your homework before you plunk down your credit card.
e-mail address, or
personally identifiable information; that should help you find out what a retailer plans to do with your information.
Assuming you are working with a reputable merchant, be sure you are actually on the correct site. A phishing attack or network redirection attack can direct you from e-mail or another Web address to a fake site (which may look exactly like the real thing). One Firefox plug-in, LocationBar2 can help: It makes clear what Website you are using.
Also, many attackers go to great lengths to make their domains look like something that plausible— http://amazon.com.itakeyourmoney.ru, for example, might look like the real Amazon at first glance, if you don’t check the end of that URL. And they’re never that obvious.
Regardless of your best efforts, your information may still be compromised. That’s why it’s also important to monitor your identity through services such as Debix, Citi IdentityMonitor, and Experian). They will alert you when any new credit requests appear in your file. Get into the habit of checking your credit card and banking accounts frequently to make sure there are no unauthorized charges.
The risk: It may be convenient when your favorite online merchants e-mail offers for products you were thinking about buying. But wait—how did they know that? Unfortunately, if you've been using Google to browse pages for similar products, or perusing the merchant's Website, it’s not a secret. You've been telling them what you like to buy and when—they're just listening.
With the advent of tracking technologies and sophisticated analytics, many Web merchants know exactly who you are and what you are most likely to buy. They know because you tell them through your buying and surfing patterns. This is valuable data, and merchants can (and do) sell it to each other.
How to protect yourself: As mentioned above, reputable retailers spell out how they use your information in their privacy policies. Check to see if your favorites sell your information to other merchants. If so, then see if you can opt-out of offers from third parties.
Consider connecting to the Internet through a VPN or private proxy, which will obscure your IP address and therefore your location. This is only effective when you’re browsing—once you decide to buy, your identity will be exposed.
Finally, if you’re really paranoid, shop at a variety of sites to limit the depth of knowledge about you that any one retailer can acquire. This has its risks, however; buying from that guy on 33rd Street just to avoid shopping too often at Nordstroms is counterproductive.
[Mike Rothman is an analyst at Securosis.com and author of The Pragmatic CSO.]