An idiot’s guide to safe online shopping. You know, for your friends.
As we approach the holidays, let’s talk about some safe online shopping tips – for idiots. Around the world, November and December are the peak months for online shopping. In Asia, November 11th, or 11/11, is Singles’ Day – the largest single online shopping day in the world. And in the West, Black Friday and Cyber Monday – as well as the entire lead up through Christmas on December 25th – bring a steady stream of shoppers through e-commerce storefronts and digital marketplaces for a solid month.
I could waste a paragraph waxing poetic about how the crowds and inconvenience of interacting with other human beings in a mall or brick-and-mortar retail location is loathe to our modern day, digital sensibilities and that as a result online shopping has become ubiquitous – but you already know that.
You also already know that safe online shopping experiences are not a given. There are risks inherent to doing business online any time of year but the stakes are even higher around holidays and high-profile shopping days like Singles’ day, Black Friday and Cyber Monday. That’s because hackers and cyber-criminals are acutely aware that millions, potentially even billions of people will be making online purchases during these periods.
They are also acutely aware that a lot of people are idiots.
I’ve made a diagram to help visualize:
Suffice it to say that holiday season is also scamming season, and there are myriad possibilities for the enterprising cyber-criminal. Everything from phishing schemes to outright fraud is on the table. These ne’er-do-wells know that a ton of money is about to exchange hands and they want to get a piece of that action.
Just consider this:
- Cybercrime was a 1.5 Trillion dollar industry in 2018
- Last holiday season over 50 million cyber attacks were launched
- Over 1.4 million new phishing websites are created each month
- Nearly 1/3 of major US companies got a failing grade for connection security
The point isn’t to scare you, just make you aware of the stakes. And they’re pretty high. Fortunately, we’ve written this idiot’s guide to safe online shopping during the holidays.
Now, I know YOU’RE not an idiot. After all, you had the good sense to consult this guide. But we all know somebody that should probably not be allowed on the internet. And not just because of the fake news they peddle on Facebook.
To quote the great Gene Wilder:
You’ve got to remember that these are just simple farmers. These are people of the land. The common clay of the new West. You know… morons.
Morons with internet access.
So let’s talk about the holidays, safe online shopping and how to avoid losing your shirt on the internet during Single’s day, Black Friday, Cyber Monday or late one night when you’ve finished drowning your yuletide loneliness with a second bottle of Malbec.
Let’s hash it out…
S is for Security (also, shopping; and suckers)
As of July 2018, the entire internet should be using HTTPS. It should be the default setting now. The baseline. So any website that you arrive at that isn’t using HTTPS – especially in the context of holiday shopping – is not providing a safe online shopping experience and should be categorically distrusted.
Here’s why. For years, the internet has used the Hypertext Transfer Protocol or HTTP to communicate. This was fine because originally commercial activity was outlawed and the internet was used solely for the free exchange of information (typically between the government and academia). Obviously, because we’re having this conversation, commercial activity is no longer banned. And because of that we need a more secure method for communicating online. HTTP is not secure, it exchanges data in plaintext that can easily be read or even manipulated by a third party.
Most people don’t give a lot of thought to how a connection works on the internet, and from the standpoint of education we tend to stick with a very simple model where an internet user’s computer connects with the server hosting a website and that’s that. In reality, an internet connection has to pass through multiple (dozens) of different points before reaching its intended destination. That means with an HTTP connection your information passes through each one of those points in plaintext where it can be read and tampered with.
HTTPS fixes this by encrypting the connection using the SSL/TLS protocol so that the data is transmitted in digital ciphertext and is unreadable by anyone except for the intended party.
Ok, so now let’s apply that to our safe online shopping ambitions: only a website being served via HTTPS can ensure that the data you’re transmitting to it will be secure. That’s important for payment information and personal data, specifically. There is no guarantee that information will stay confidential with HTTP, which means that you just can’t trust it.
Fortunately, with the recent UI changes that most browsers have adapted, you’ll know pretty quickly when a website doesn’t have HTTPS. You’ll see a big ugly “Not Secure” badge in the address bar.
Just because a website uses HTTPS doesn’t mean you can trust it
Here’s part two of our HTTPS discussion. While HTTP is categorically bad, HTTPS is not categorically good. Secure doesn’t equate to safe in this scenario. So while you should expect every website you interact with to use HTTPS and SSL/TLS as a matter of course, not every website that uses HTTPS is actually providing a safe online shopping experience and can be trusted. Bad guys can get SSL/TLS certificates too.
So, you need to learn what to look for on an HTTPS website to get a better idea about its identity.
Unfortunately, right now SSL/TLS certificates are one of the only reliable mechanisms that companies and organizations can use to assert their identity. But many internet users (including the aforementioned group of idiots that most definitely doesn’t include you) don’t know how to look for this, which means that its potential goes largely unrealized.
There are three classes of SSL/TLS certificate when it comes to asserting identity:
- Domain Validation – These only authenticate a server, you get no information about who is running the server or the website. These are the kind of SSL/TLS certificate you can get for free.
- Organization Validation – The original kind of SSL/TLS certificate, these certificates provide some information about the organization running the website, but they still receive neutral browser treatment.
- Extended Validation – These SSL/TLS certificates require an organization to undergo extensive vetting, but because they assert identity so strongly, they receive unique browser treatment.
We’ll start with the unique treatment EV SSL certificates receive because it’s the easiest to explain. An Extended Validation SSL certificate contains a considerable amount of verified information about the organization it was issued for. This information sufficiently asserts the organization’s identity, so most browsers will display the name of the organization prominently in their address bar.
This has been called a number of things, it used to be called the Green Address Bar, but then Google and Microsoft changed the color to grey. Now we tend to refer to it as the EV Name Badge, but the effect remains the same: this is an unmistakable indication of identity. The only way a website can have the EV Name Badge is if a trusted Certificate Authority has vetted it. So if you see the EV name badge – and it matches the organization, or its corporate entity’s name – you can trust the website.
Determining Website Identity with OV and DV SSL
Now let’s talk about Organization Validation SSL and Domain Validation SSL, which share similar visual indicators but tell you different things. Both OV and DV activate the padlock icon in the address bar. Sometimes it’s green. Sometimes it’s grey. It’s always a padlock. And you need to click on that padlock liberally. If ever you question a website’s authenticity, your first click should be the padlock.
Let’s start with DV SSL.
There’s nothing wrong with DV SSL whatsoever. It facilitates the same strength of encryption as its OV and EV counterparts, it just asserts less identity. That’s not to say it asserts no identity though. It does tell you the name of the domain you’ve made a connection with. It’s just, most idiots don’t know what that means or even how to properly read a URL.
Fortunately, you’re no idiot.
Different browsers display this information in different ways. Firefox is among the best in terms of making the information accessible and understandable. Let’s use CNN as our example:
Here’s what Firefox shows you. Regardless of what page you’re on, as long as you’re still on CNN.com you’ll see this:
Google Chrome – at least its Windows version (it’s different on Mac) – makes the same information a little less explicit in terms of identity (it simply says the connection is secure, which is easy to understand on a homepage, but much harder once you start navigating to other pages). But to Google’s credit, Chrome provides a little more information on what a secure connection means:
Here’s what the SSL/TLS certificate is telling you: the connection your browser has formed with the listed domain (in this case CNN.com) will be encrypted and any data transmitted will be kept confidential between you and the site. So, as long as you know and trust the domain itself, which would likely be the case with CNN in this example, you can trust that your connection with it will be secure.
Where this gets dicey is when you don’t really know much about the domain. Because while your data may be secured from third parties, there’s no telling who the party at the other end of the connection is or what they may do with your data. All you know is the domain you’re connected to. It gets even murkier when you’re on a page with a complicated URL.
That’s why it helps to know a little more about URLs.
[Note: Let’s not get too into the weeds on nomenclature. We refer to WWW as a sub-domain because as an SSL/TLS service, that’s what it is to us – but we’ll also accept host, too.]
The most important part of the URL is the Domain Name and TLD. If you can identify those, you can identify the website. Criminals know how to create complex URLs that use sub-domains to try and fool people into believing they’re on other sites, but if you know how to find the domain name you’ll be fine.
Idiots have no idea how to identify a domain name.
Here’s an example:
The URL is designed to look like you’re on PayPal’s website. You’re not. The actual URL is VERIFY-PAGE-CONFIRMATION.com.
An idiot would completely miss this, and if they were using Chrome on Windows, even clicking the padlock and seeing that the connection is secure wouldn’t be enough to prevent them from being had. The connection is secure. It’s just that you’re not connected to PayPal.
A few things to remember about URLs and domain names:
- The Domain name will always be the last container before the TLD (.com, .org, .edu, etc.).
- Containers are always separated by periods, they can contain hyphens. Criminals love hyphens.
- If you have questions about whether or not something is a TLD, here’s a list.
Organization Validation/Checking Certificate Details
While checking connection security and verifying the domain is a surefire way to determine the identity of a website, it’s hardly the best way to determine who’s running the site. And while Extended Validation SSL certificates provide you with an instantly recognizable indicator, not all websites want or use EV SSL. A lot of websites, especially when you’re discussing Enterprise businesses, use Organization Validation SSL certificates that still provide some identity information, but not enough to avoid receiving neutral browser treatment.
While that information may not be plastered in the browser’s address bar, it is just a few clicks away for anyone that knows how to look for it. Unfortunately, idiots don’t know where to look.
Here’s a quick rundown of how to locate verified organizational information in a website’s security certificate on each browser:
- Click the Padlock Icon
- Click on “Certificate (Valid)”
- In the Details Tab, scroll down to “Subject”
- Click the Padlock Icon
- Click “More Information” at the bottom of the pop-up window
- Click “View Certificate”
- In the Details Tab, scroll down to “Subject”
Microsoft Internet Explorer
- Click the Padlock Icon
- Click “View Certificates”
- In the Details Tab, scroll down to “Subject”
- Click the Padlock Icon
- Click “View Certificate”
- Click the Padlock Icon
- Click “Show Certificate”
- Open the Details expander
- Navigate to “Subject”
If there is verified organization information, it will appear in the subject section. Particularly, the O: prompt is for Organization, and you may also get some information about the organization’s locality. Here’s an example of The SSL Store’s certificate details:
This can be important when you’re not dealing with a website you’re familiar with, and it can provide you with a starting point for some of your own research. Not using an SSL/TLS certificate that leverages business authentication is not, in itself, disqualifying for a website – it just means you’re going to have to do a little more legwork before deciding whether to do business with it.
Or you could just be an idiot and ignore the information provided in the certificate completely.
Slow down. They want you to feel a sense of urgency.
Urgency is one hell of a motivator. It can make rational people do stupid things and it can make idiots practically go broke. Hackers and cyber-criminals are well-versed in creating a sense of urgency, as is evidenced by the most successful phishing campaigns. The one-and-done, hurry-and-get-it-or-miss-out-big nature of online shopping holidays like Singles’ day and Cyber Monday lend themselves perfectly to creating the requisite sense of urgency that makes otherwise level-headed people act quickly and recklessly.
Don’t panic. Only idiots panic.
There are very few situations where you’re going to miss a truly great deal from a legitimate company if you don’t hurry and rush through the order process. If you’re not sure about the website you’re shopping at or the organization behind it – stop. Open a new browser window. It’s time to do five minutes of research. I promise you have five minutes.
Due Diligence is more than just the name of an old wooden ship
The beautiful thing about the internet is that nothing in it exists in a vacuum. A quick search is generally all it takes to figure out whether or not a website – and the organization behind it – is legitimate. But before you even leave the site, there are also some things that you can take a look at to help you figure out who you’re doing business with. If you can’t determine whether it’s safe to shop on a website from its URL and what information is contained in its security certificate, you’re going to need to gather some information from the site and verify it against trusted third-party resources. While it may be difficult for you to tell if a site is legitimate at a glance, it’s pretty easy to tell when one isn’t.
Look at the Shipping and Return Policies
Legitimate e-commerce businesses and other organizations that transact online are required to abide numerous industry and legal standards. While those may vary by country and economic sector, chances are there is some set of regulations or rules the company you’re dealing with has to follow. Beyond compliance, legitimate companies want to put your mind at ease about what rights and guarantees you’ll have if there is a mistake (or even if you’re not satisfied) with your order. They’re also going to make these policies easy to find because they want you to feel like you’re going to have a safe online shopping experience.
These mark a great starting point for your own research.
A legitimate organization is going to have an in-depth Shipping and Return policy. Take a moment and click on them, review the policies for any specific information regarding addresses, contacted numbers and employees that may be listed. Again, you may not know exactly what a GOOD Shipping or Return policy looks like, but you’ll be able to spot a fake one pretty quickly. The less information there is, the more suspicious you should be. If the policies pass the eye test, verify some of the information contained in them with a quick web search. See if the address and phone number match up. If not, run.
If an organization is required to abide any industry or government regulations, they typically have to indicate that in the policy. And many of these programs keep public registries that can be used to verify the companies. Take for instance EU-US Privacy Shield, a US program that certifies organizations have adequate safeguards in place for GDPR-compliant cross-border data transfers. There is a publicly accessible Privacy Shield list. It’s illegal to claim you’re a participant in a program like Privacy Shield if you aren’t in fact certified. Searching these databases is a great way to determine the legitimacy of an organization.
How you connect is important, only use trusted apps and no Public Wi-Fi
Public Wi-Fi is not secure. Only an idiot doesn’t realize that. As much as we love public Wi-Fi, we should keep its use limited to text messages – maybe not even that. But when it comes to sending your sensitive information to a website/app – using public Wi-Fi networks is a terrible idea. It took just 10 minutes for a 7-year-old kid to hack into a public Wi-Fi.
Seven year-olds: 1. Idiots: 0.
So, categorically: NEVER SHOP ON PUBLIC WI-FI.
Next up, don’t download apps from untrusted sources. This is really more for Android users. As we all know, it’s much easier to install unauthorized, 3rd party applications on Android than on other platforms. There are no guarantees that these apps are safe, that they will make secure connections or that they can facilitate a safe online shopping experience. So, always insist on using official apps downloaded from authorized platforms.
Safe Online Shopping is harder on mobile
Nowadays the smart phone is the most commonly used device to access the internet. And for many people, mobile internet is the only internet. But, if possible, do your online holiday shopping on a desktop computer. There are a couple of reasons that this is preferential. For one, you generally have more control over the network you’re using from a desktop computer. Ideally, your home network should be secure and your OS should be up-to-date and running a good antivirus program. This should be standard security for any desktop computer. Mobile security is a bit spottier. Some of this is owed to the fact that strong security on a mobile phone can slow down other functions and that’s not desirable with the way most people use their smart phones.
The other issue is more space-related. Mobile browsers must be much more creative in the way that they elide and display URLs. As we just discussed, the URL is one of the best ways to determine the identity of a website, so complicating the way we see URLs makes determining identity harder.
The example below is on Safari mobile. And this is not the real PayPal.
It’s also more difficult to access certificate details on a mobile browser. For some people it may not be an option, but if it is – it’s easier to have a safe online shopping experience on a desktop computer.
Email Tips for Idiots – Safe Online Shopping in your Inbox
Many people know that 1 in every 101 emails is malicious. And about half of all emails sent are spam. But did you know that once every 18 seconds an idiot gets duped by following the links in their inbox? You should almost never click on the links included in an email unless you are 100% certain of the sender’s identity. In some cases, like if you’re on a website’s mailing list and have whitelisted the address it sends from, you can probably trust those emails. But no email – no matter how good the deal is – should ever be trusted if you don’t know the sender. And definitely don’t follow the links. Some people may tell you to hover over the link with your cursor, don’t waste your time. Never follow links from unknown emails.
If you think the offer may be legitimate or you’re interested in the product, open your own browser window and navigate there manually. Do. Not. Click. Links.
Alternative payment methods are shady as hell
One of the lesser advertised benefits of the payment card industry is that, in order for a business to accept payment cards it has to abide certain standards and practices. Now, these regulations are nothing unreasonable. In fact, they’re mostly just best practices that all legitimate businesses should abide anyway.
If a company does not accept payment cards, it is not bound by those industry standards and that is immediately suspect. Legitimate companies want to make it easy for you to pay. They want it to be quick, easy and they want you to feel confident about it.
If you’ve got to jump through hoops to pay for something, that’s an indication that something shady might be going on.
Only an idiot pays via:
- Western Union
- iTunes Gift Cards
Also, be suspect of PayPal. Some legitimate companies do use it, but if you’re being asked to send money to a random email address on Yahoo or GMail, you’re about to get scammed.
Idiots have no common sense
As we said earlier, by design these online shopping holidays like Singles’ day and Cyber Monday create a sense of urgency in shoppers. Time is limited. These deals expire. You might miss out. Cyber-criminals are well versed in leveraging urgency, so this plays right into their hands.
But despite the feeling you may have, there’s really no need to rush. You have a few minutes to step back and make sure everything checks out. That starts with identifying the website and the organization behind it, but you also need to be using your common sense filter. There is no such thing as a $20 iPad. Most of these contests are just a pretext to collect your personal information. And unless you’re buying directly from a vendor – or shopping at an online marketplace with legal guarantees – you have no guarantee that the hot ticket item you’re being resold is going to be legitimate.
So use your common sense.
- Try to limit your online holiday shopping to trustworthy companies and websites.
- Don’t fall for gimmicky promotions and flashy banners.
- Definitely don’t send anyone any money unless you’ve got some kind of guarantee you’re going to receive exactly what you’ve paid for and have recourse in the event you don’t.
- Don’t wire money or pay in cryptocurrency.
Remember, this goes back to some of the points we made earlier. A safe online shopping experience includes guarantees about shipping and returns, assurances about your privacy, and it comes from a reputable source.
Only an idiot keeps shopping on a website that doesn’t check all those boxes.
As always, leave any comments or questions below…