Security for Your Online Purchases

Implementing safe online shopping practices lowers the risk that you will be the victim of identity theft and fraud. Identity theft occurs when your personal information, such as your name, email address, payment information, or social security number, is obtained by an unauthorized person. Using that information, criminals can make purchases under your name with your payment information.

Before purchasing online, you should assess the security of both your computer and the seller's systems. You can limit the risk of identity theft by shopping only on websites that disclose an effective data security policy. A data security policy explains how an online seller aims to protect your personal information. When guarding yourself against Internet crimes, also consider your payment options, account security, and malware protection.

How can I tell how an online seller secures my personal information?

Many online sellers describe their methods of protecting your personal information in the security, privacy, or FAQ section of their website. Typically, the description of a data security policy discusses technological security, physical security, and other relevant issues.

What happens if my personal information is stolen from an online seller that I have done business with?

Most online sellers will notify customers, affected businesses, and law enforcement agencies when a data breach occurs. The notification letter to customers usually describes how personal information was compromised and the seller's response to the data breach. While federal law generally does not mandate data breach notification to consumers, most states do require such notification.

What should I do if I am notified of a data breach?

Once you receive notification of a data breach, you should immediately place a fraud alert on your credit files. Instructions for placing a fraud alert can be found here. You should also monitor your accounts for evidence of unauthorized transactions. Some sellers offer free credit-monitoring services after a data breach to mitigate its effects. Check with the seller to find out if it offers these protections.

What if there are unauthorized charges on my credit card?

If you find charges on your credit card statement that you do not recognize, you should contact the issuer of the credit card. Federal law allows you to dispute and obtain records of the fraudulent actions resulting from the theft. The Fair Credit Reporting Act requires the seller (and other targeted businesses) to provide you and/or law enforcement agencies with transaction records related to the identity theft within 30 days of your written request.

How does the payment method I use affect the security of online shopping?

When selecting a payment method, you should give some thought to security. Most online sellers accept a variety of payment methods, such as credit cards, debit cards, checks, prepaid cards, and gift cards. Some sellers accept payment through third-party payment processors such as PayPal, Google Wallet, and Amazon Payments.

Third-party payment processors pay the seller directly so you can avoid submitting payment information to the seller, which reduces the risk of dealing with a seller you are not familiar with.

Some credit card companies allow you to reduce the risk of fraud by offering single-use or virtual credit card numbers. Most major card issuers offer zero-liability policies, so that if your card is used fraudulently you will not have to pay anything. This goes beyond the requirements of federal law, which limits your liability to $50.

If you are uncomfortable submitting your payment information online, some sellers allow you to pay by phone or fax, or through the mail (a small additional fee may be assessed). Keep in mind that any payment information you submit offline likely is stored on the seller's servers.

Why does password security matter?

Your accounts with online sellers generally require a password for access. Anyone who obtains your password can access the account and make purchases without your knowledge, or acquire your personal information. So guard your accounts with strong passwords, and never disclose a password except when accessing the account yourself.

How do I create a strong password?

Strong passwords take hackers longer to crack than weak passwords. The most important factor in creating a strong password is its length. You can create a strong password by following these guidelines:

  • Create a password that has at least 10 characters composed of alphabetic (uppercase and lowercase), numeric, and special characters. An example is "9@jeg2H54!w".
  • One way to create a memorable password is to take the first letter of each word in a meaningful (but not overly common) phrase, and add numbers and punctuation. For example, "3+RiffMs!2" is derived from "rhythm is food for my soul."
  • Avoid weak passwords such as dictionary words, names, biographical information, numbers, and identifiable patterns or phrases. These are easy to guess. Thus, you should avoid passwords such as "doglover", "Nicholas", "Miami1964", and "123456."
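The guidelines above can be turned into a checker. This added example is not part of the original guide; it encodes the three rules (length of at least 10, a mix of all four character classes, no dictionary words, names, years or sequences) and also estimates the brute-force search space in bits, which is why length matters more than any other factor. The word list is a tiny constructed stand-in; a real checker would load a full dictionary.

```python
import math
import re
import string
# Constructed stand-in for a dictionary and name list; a real checker would
# load a full word list (assumption, not something the guide specifies).
COMMON_WORDS = {"doglover", "nicholas", "miami", "password", "letmein", "qwerty"}

def char_classes(pw: str) -> set:
    """Which of the four character classes (lower, upper, digit, special) pw uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes

def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def is_sequence(s: str) -> bool:
    """True for runs such as '123456' or 'abcdef' (repeats count too)."""
    return len(s) >= 4 and all(ord(b) - ord(a) in (0, 1) for a, b in zip(s, s[1:]))

def weak_reasons(pw: str) -> list:
    """Apply the guide's rules; return the rules pw violates (empty list = strong)."""
    reasons = []
    if len(pw) < 10:
        reasons.append("shorter than 10 characters")
    if len(char_classes(pw)) < 4:
        reasons.append("does not mix upper, lower, digits and special characters")
    if re.sub(r"[^a-z]", "", pw.lower()) in COMMON_WORDS:
        reasons.append("built on a dictionary word or name")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year (biographical information)")
    if pw.isdigit() or is_sequence(pw):
        reasons.append("numbers only or an identifiable pattern")
    return reasons

if __name__ == "__main__":
    for pw in ["9@jeg2H54!w", "3+RiffMs!2", "doglover", "Nicholas", "Miami1964", "123456"]:
        print(f"{pw:14} {search_space_bits(pw):5.1f} bits  {weak_reasons(pw) or 'OK'}")
```

Running it shows both of the guide's example passwords pass while the four weak examples are each rejected for a named reason; a 20-character all-lowercase string scores more bits than the 11-character mixed one, illustrating the point about length.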

Create a different password for each website account, your computer, and your wireless network. If you use the same password for multiple accounts, a person who steals it will gain access to all of your accounts instead of just one.

When you register with a website, you may be asked to create security questions and answers to verify your identity if you lose your password. Your answer should not be obvious to people who know you and are familiar with your pet's name, favorite color, and birthplace. Information of this sort may even be visible on your social media webpages.

Create responses for the security questions that only you can answer. For example, if the security question asks you to name your birthplace, enter the name of your favorite cookie instead.

How can I keep track of my passwords?

With the number of password-protected accounts you have, it is unlikely that you will remember all of your strong passwords. Secure password management systems are the most advanced way of keeping track of your passwords, but there are still risks. You should only use an online password manager if it requires a strong master password to view your other passwords and encrypts the passwords it stores. Similarly, you should ensure that your browser password manager does not display passwords in plain text. Another option is to write down your passwords on a piece of paper and keep it in a secure place.

What is a web browser?

A web browser is software on your computer that allows you to connect to websites. Mozilla Firefox, Internet Explorer, Apple Safari, Google Chrome and Opera are common browsers. Because the browser directly connects your computer to the Internet, you should ensure that your browser protects against attempts to steal your personal information.

How can I tell if my web browser is secure?

Your web browser indicates whether your personal information is protected while you shop online. To optimize browser security, you should take the following actions:

  • Use the most current version of your browser. The most current version of a browser is likely to be the most secure, because older versions may have security holes. Go to your browser's website to get the current version. For the same reason, update your browser's plug-ins and extensions.
  • Check for "https" in the web address. A website address that begins with "https" (rather than just "http") signals a secured connection. The "s" means secure and indicates that information is transmitted using Secure Sockets Layer (SSL) encryption, or its successor Transport Layer Security (TLS), which is the industry standard. Keep in mind that "https" only tells you the connection to the site is encrypted; it does not by itself tell you the seller is trustworthy.
  • Look for the lock icon in the address bar. The lock icon further informs you about the webpage's security. A closed lock indicates that the information is encrypted during transmission. A broken lock indicates that information is not encrypted. Avoid purchasing through webpages with a broken lock.

What is malware?

Malicious software, or malware, can compromise the security of your personal information. Malware infects computers through email attachments, online advertisements, downloads, web browsing, and computer media. Common types of malware include viruses, worms, Trojan horses, spyware, adware, rootkits, and bots.

How does malware make my personal information vulnerable to fraud?

Some malware is designed to obtain your personal information by accessing your computer. For example, worms and Trojan horses serve as a vehicle for other malware, such as keyloggers and backdoors. Keyloggers record each key you type and take screenshots of what is displayed on your monitor. Backdoors give attackers a way to bypass normal authentication. You may not know malware is infecting your computer until your personal information has been used fraudulently. To lower the risk of malware infecting your computer, you should do the following:

  • Scan your computer with updated anti-malware software. New malware surfaces daily and good anti-malware software is updated just as frequently to protect against the newest threats. Forgoing routine scans for your computer (and any attached media and hardware) with the current software leaves your computer vulnerable to attack.
  • Use a firewall. A firewall is software or hardware that makes it harder for malware to gain access to your computer. Firewall software is part of the current Windows and Apple operating systems. You can also purchase third-party software. Some routers also include firewall protection.
  • Set your computer to update your operating system automatically. Operating systems have security vulnerabilities, and the updates fix these vulnerabilities. Failure to routinely update your operating system, which may include your firewall, leaves your computer vulnerable to attack.
  • Secure your wireless network. Protect your wireless network with a strong password and encrypt your network with WPA2 (or WPA3, where your router supports it), which offers protection superior to that of the older alternatives WEP and WPA. Additional information can be found here.
  • Avoid risky webpages. Certain websites exist primarily to infect your computer with malware. Some pop-up advertisements and webpage ads are examples of this. Some file-sharing websites, which allow people to pass files from one computer to another, have also been known to spread malware. You should download files only from reputable websites.
  • Avoid opening emails from unknown senders. Unknown senders may use the email links, attachments, and images in the body of the message to download malware to your computer.
  • Avoid opening unfamiliar files. Even files sent to you by friends can contain malware without their being aware of it. Scan incoming email with your anti-virus/anti-malware software first.
  • Disable cookies, or at least third-party cookies. Enabling cookies allows websites to monitor your website browsing, and a hacker could use that history to access your personal information. Keep in mind that most shopping sites need first-party cookies to keep you signed in and hold your cart, so blocking third-party cookies is usually the workable compromise.
  • Avoid phishing and spoofing scams. Phishing and spoofing emails are ones that resemble those from a legitimate sender, such as a bank, and try to trick you into accessing a fraudulent website. These websites can compromise your personal information by downloading malware to your computer or getting you to submit your personal information. Look for signs of legitimacy such as a security policy, About Us page, phone number and addresses, correct spelling, and additional identifying information. Before clicking on a link in an email message, hover your cursor over the link text and check whether the address that the link connects to is the same as that of the link text.
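The hover-and-compare check in the last item can be automated for an HTML email body. This added example is not part of the original guide: it collects every link, works out which host the visible link text claims to point at, and flags any link whose href actually connects somewhere else. The sample message is constructed for the example; "bank.example" and "secure-login.example.net" are placeholder names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain-like token in visible text, e.g. "www.bank.example" or "bank.example/login".
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)

def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host

def shown_host(text: str) -> str:
    """Host the link text claims to point at ('' if the text names no domain)."""
    m = DOMAIN_RE.search(text)
    return strip_www(m.group(1).lower()) if m else ""

def real_host(href: str) -> str:
    """Host the link actually connects to, taken from the href attribute."""
    return strip_www((urlparse(href.strip()).hostname or "").lower())

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list:
    """(href, text) pairs where the text names one host but the href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if shown_host(text) and shown_host(text) != real_host(href)]

# Constructed sample message (not a real email): one honest link, one mismatch,
# and one link whose text names no domain at all.
SAMPLE = ('<p>Statement: <a href="https://www.bank.example/statements">'
          'https://bank.example/statements</a>. Verify your card at '
          '<a href="http://secure-login.example.net/bank">www.bank.example/verify</a> '
          'or <a href="https://bank.example/help">contact support</a>.</p>')
```

`suspicious_links(SAMPLE)` returns only the "verify" link, whose text shows bank.example but whose target is secure-login.example.net; link text such as "contact support" names no host and is left for the reader to judge by hovering.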

Is it risky to make online purchases using public computers and networks?

Public computers and networks are subject to heightened data security threats, simply because more people can access them. They include not only computers and networks accessible to the public at large, but also those at your place of employment. If you choose to make online purchases using public access methods, here are some suggestions:

  • Use private browsing. Modern web browsers permit you to visit webpages without the browser storing your web history or tracking cookies. But private browsing does not prevent other computer applications from tracking your web behavior. Nor does it prevent remote monitoring of your computer (and personal information).
  • Minimize the amount of personal information submitted. Enter only as much personal information as is necessary for your purpose. Don't save any account or log-in information to the computer.
  • Be wary of public wi-fi networks. Anyone nearby may view the information you submit over an open public network, because such networks generally do not encrypt traffic and anyone can join them. Visit only fully encrypted (https) websites when using them.

For the Lawyers

  • Placing a fraud alert on an individual's credit report
  • Obtaining a free credit report
  • FTC's Business Guide to Data Security
  • What to do in case of identity theft
  • Information about identity theft and data breaches
  • State data breach notification laws
  • State computer hacking and unauthorized access laws
  • State anti-phishing laws