Shopping on the Internet

The Internet's explosive growth in recent years has largely been fueled by e-commerce and e-tailers. The term e-commerce is taken from the phrase electronic commerce. Shopping done over an electronic medium such as the Internet can be called e-commerce, just as an online retail store can be called an e-tailer, short for electronic retailer. Nearly anything can be bought online, from jewelry, books, and music to groceries, movies, and cars. The auction craze has also boomed. eBay has led the way, with many other popular sites like Amazon following right behind. On auction sites, consumers can sell or buy anything from knick knacks to rare paintings.

Shopping on the Internet has many benefits. Using your home computer is much more convenient than driving, finding parking, and standing in line at a retail store. Using the Internet, you can browse through multiple stores, search for the best prices, and buy nearly anything imaginable from anywhere in the world, at any time of day. Even if you decide that you must purchase from a traditional retail store, you can use the Internet to get your research done before ever getting in your car. Indeed, the benefits of shopping on the Internet are great, yet many people are still reluctant to dive in and make their first purchase.

The problem most people have with shopping online is that they do not want to give out their credit card information. The fears of credit card fraud are valid; however, most people forget that they are just as valid with traditional shopping. Many of the online shopping dangers are the same as traditional shopping dangers. Just as your credit card number can be stolen by Web site employees, it can be stolen by a store employee, as well. In the online world, however, an e-commerce site stores many credit card numbers in a single database. This database can be a juicy target for criminal hackers active in credit card fraud.

Recent years have proven that the hackers of organized crime are going after the big catch. They are not after individual home computers and individual transactions. The organized criminal hackers are after a company's database, where thousands of credit card numbers and transactions might be stored.

The FBI and Secret Service were involved in what the SANS Institute for security research and education (http://www.sans.org/newlook/alerts/NTE-bank.htm) called “the largest criminal Internet attack to date.” During 2000 and 2001, more than 40 sites in 20 states were attacked and more than one million credit card numbers were stolen. The criminal hacker organizations were announced as being from Russia and the Ukraine. These groups were able to exploit vulnerabilities in the Microsoft Windows NT operating system as well as the Microsoft Internet Information Server (IIS) software. (IIS is the software that powers many Web sites on the Internet, providing the capability to host Web sites and interact with client Web browsers.) These vulnerabilities were publicly known for almost two years, and Microsoft had released patches to fix the problems years before these incidents. The problem was not necessarily that the Microsoft software was vulnerable; the problem was that the companies running the hacked Web sites did not take the necessary steps to secure their computer systems, and thus all the personal information and credit card numbers that resided on them. This was a harsh lesson of poor security that affected many of these companies in more ways than one. Not only were reputations damaged, but in many cases, the hacker organizations blackmailed the companies into “buying” security services that would fix their weak security problems.

This example demonstrates how hackers will target company databases. After the credit card information is obtained, it can be sold in the black market, traded across the Internet, publicly posted, or used for blackmail. The problem is that this type of activity is more common than most people realize. Many companies do not turn to law enforcement after they have been hacked for fear of media exposure and the negative effect on business. There is also a problem when the hackers are overseas because tracking them down and prosecuting them can be difficult or impossible. Such was the case with Babygear.com in September 2000, when its site was broken into by a hacker in Yugoslavia. The hacker grabbed credit card numbers stored in an unencrypted database.

Most people do not even know that their credit card numbers are floating around on the Internet. It typically takes a series of suspicious transactions on a credit card bill to alert someone to credit card fraud. The notice might come in other forms as well. If the credit card company gets wind of the Web site break-in, it might initiate a call to customers with the jeopardized accounts.

The rash of online credit card theft and fraud has raised security concerns to a whole new level. Many e-commerce sites across the Internet are doing more to stay ahead of the risks and protect the consumer as well as the company from unwanted exposure. Although e-commerce has created a whole new world of business for companies and consumers alike, there is great determination to keep Internet shopping safe and beneficial.

Internet shopping can save some people a lot of time and money, and the benefits are more than enough for most people to risk the dangers. In fact, Internet shopping is for the most part safe, having come a long way in the past few years. Many popular e-commerce sites have gone to great lengths to add security measures that make shopping very safe for online consumers. It is important, however, that consumers understand these measures, so they can be conscious of when the security is in place and when it is not. In general, the following traditional security measures can make shopping safe for online consumers:

  • Transactions are encrypted with SSL.

  • Consumer information is kept private or anonymous.

  • Credit card and other sensitive information is not sent through e-mail.

Many credit card companies have taken steps to ensure security of credit card numbers and individual transactions. This has created a new generation of electronic money and several means for using it to shop online. This chapter more closely examines some of the latest options for secure online shopping available to consumers. Internet-based companies have emerged to address the needs for consumer privacy and anonymity, and credit card companies have created new means of making secure online payments.

Online Payment Systems

Several companies have risen to facilitate the secure and sometimes anonymous exchange of money online. Some of these companies are Citi Platinum Select, CyberCash, eCharge, iPin, MilliCent, PayPal, Qpass, RocketCash, and WISP. The following sections discuss a few of these companies and their payment systems. Some of these online payment systems offer different levels of security through anonymity, fraud protection, and insurance. Most of the emerging e-commerce payment solutions try to minimize security risk to private data that would compromise an individual's privacy.

eCharge

eCharge is like an online credit card. Instead of carrying around a plastic credit card, you use its service as online credit. eCharge exercises security throughout its own corporate networks and throughout its payment systems. It offers the eCharge Net Account in two methods. You can use it like a credit card, purchasing on credit and paying later. Or you can use it like a debit card, where you simply add money to the account whenever you want and use it until it runs out.

The catch is that the Web site you are shopping at must have support for the eCharge payment system. Most likely, you will see this option under a heading such as Choose Payment Method, where you would also find credit cards and checks. The great thing is that, if the Web site does support eCharge, you do not have to enter any personal information such as name and address, so you get a certain level of online anonymity by using eCharge.

hyperWALLET

hyperWALLET.com is like your wallet on the Internet. When you go to the bank or ATM to take out some cash, you put that cash into your wallet until you need to spend it.

When you get a hyperWALLET ID, you go to your participating online bank to transfer money into your hyperWALLET. Within two days, you can then use the cash to “beam” anyone with an e-mail address to pay for anything as long as that person is also enabled with hyperWALLET. The key to the security of the system is the minimal amount of private information required to open a wallet—just an e-mail address and a password. The only possibly insecure information required is your mother's maiden name, which can lead to identity theft if other security measures fail.

PayPal

PayPal (http://www.pay-pal-infocenter.com/) allows both businesses and individuals to send and request money, as well as sell and shop for goods. To send money, the buyer gives PayPal the seller's e-mail address and payment amount. When the seller gets an e-mail with the subject “You've Got Cash!”, she is given a link to www.PayPal.com.

The request money feature can be used for auction payments and donations for charity. If you are an online merchant, you can send a bill to the buyer through PayPal and have the customer pay you by sending the money through PayPal. Then, you can ship the goods with payment in full.

PayPal uses encryption to encode credit card information into what is called cipher text, or unreadable text. A secret key converts the plain text of any sensitive information into indecipherable strings of numbers or characters. (See Chapter 12, “Securing Your Standalone PC: Viruses, Chat, and Encryption,” for a more thorough discussion of encryption.) Encryption provides a secure communication channel even if a user's computer is not secure. Only the holder of a corresponding PayPal key can decipher or decrypt the cipher text.

PayPal.com has both a Buyer Protection Guarantee and Seller Protection Guarantee. If a buyer does not receive goods purchased from a verified seller, she is entitled to a full refund and protected for up to $5,000 per year for fraudulent transactions. If a verified seller finds himself accepting an order from either a stolen credit card or false claims of non-shipment, he is not held liable for charge backs.

A verified member is one who has added and confirmed a bank account at PayPal.com. PayPal.com claims the verification process to be secure and easy for the online merchant to have additional proof of a user's identity in addition to authentication methods.

PayPal.com suggests additional measures for merchants to prevent fraud, including telephoning the buyer. PayPal advises not shipping to post office boxes; being wary of requests for expensive fast delivery; and checking for authenticity of the buyer's mailing address, ZIP code, and phone number.

Verisign/Cybercash

The Verisign company is being called an Internet trust services provider. This is because Verisign offers a full circle of security services focused on Internet authentication and payment services. Verisign's payment services are targeted primarily at online merchants by offering SSL and certificates for encryption and authentication and full payment processing systems run by Verisign. An online merchant could enable her Web site just by connecting to Verisign's system.

Recently, Verisign acquired Cybercash, which offered merchant and reseller services similar to Verisign's. Cybercash had full payment systems already built and secured that online merchants could just connect to and use as their own, and the company offered sophisticated payment systems that could get an e-commerce business processing online transactions in no time.

Disposable Credit Cards and Debit Cards

Many credit card companies offer disposable credit cards to pay for small purchases. These cards are similar to prepaid phone cards that can be bought at a convenience store. Disposable credit cards are not connected with your personal information, offering you a certain level of anonymity while shopping. You buy them without registering any personal information and use them as long as they have a cash value.

Debit cards are similar to bank debit or ATM cards. With a debit card, you put money into an account and shop with the debit card using money from that account. You can add money to the account at any time. Typically, debit cards do not offer complete anonymity because you set up an account using personal information.

MasterCard ecount

MasterCard offers a debit card to consumers, called ecount. Although this does not provide anonymity for the online shopper, it does provide a secure payment method. There is no chance of credit card fraud, and the value of the card is only as much as you put toward it.

Visa Cash

Visa Cash is a chip-based card that can be used in the brick-and-mortar world or on the Internet. Visa Cash cards can be disposable or reloadable, offering anonymity to the consumer. Disposable cards get assigned a predetermined value, and when that value is used, the card is discarded. However, new cards can be purchased. Reloadable cards do not have predefined values and can be reloaded at special terminals and ATMs. Used up that $100? Just slip the card into your ATM and reload it.

InternetCash

As of March 2001, people can buy InternetCash cards at convenience stores, at retail outlets, or on the Internet at http://www.internetcash.com. Similar to phone cards, these are available in various denominations up to $100. When you log on to www.internetcash.com, you activate your card and create a personal PIN—the site doesn't ask for any private information about you.

American Express

Following American Express and its launch of the disposable credit card in 2000, MBNA Corporation—which includes MBNA American Bank—announced similar services using software by Orbiscom Technology. Similar to the American Express disposable credit card, the bank software creates disposable credit card numbers.

Similar to American Express's disposable card, online shoppers download software that generates a one-time-only number to use in shopping on a Web site. Only the customer and the bank know the actual credit card number, decreasing the likelihood of either misuse or fraud.

American Express initiated an online version of the disposable credit card number for its members to make a one-time purchase on the Internet. After installing software that only American Express card holders can download, the user makes purchases online when a Private Payments box pops up at the top of the screen asking for the customer's name and ID. The box then displays a one-time-use credit card number along with an expiration date.

Discover Card has also entered the disposable one-time-use credit card picture with a different twist: A user can create the number while on the e-tailer's Web site, and it can be used at that site one or more times.
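The one-time and site-specific numbers described above can be pictured as an issuer-side lookup from a substitute number to the real account, so the merchant never stores the real card number. The following is an added illustration, not the software of American Express, MBNA, Orbiscom, or Discover; the class name, the 999999 prefix, the merchant labels, and the sample card number are assumptions constructed for the example.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string that lacks one."""
    total = 0
    # Walk right to left; the rightmost digit of `partial` is doubled first.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class DisposableNumberIssuer:
    """Hypothetical issuer vault: substitute number -> real account record."""

    def __init__(self, prefix: str = "999999"):  # constructed prefix, not a real issuer range
        self.prefix = prefix
        self._vault = {}

    def issue(self, real_pan: str, merchant=None, max_uses: int = 1) -> str:
        # merchant=None, max_uses=1 models the one-time number;
        # a merchant name with max_uses > 1 models the site-specific variant.
        while True:
            body = self.prefix + "".join(secrets.choice("0123456789") for _ in range(9))
            number = body + luhn_check_digit(body)
            if number not in self._vault:
                break
        self._vault[number] = {"pan": real_pan, "merchant": merchant, "uses_left": max_uses}
        return number

    def authorize(self, number: str, merchant: str):
        """Return the real account number if the substitute is still usable, else None."""
        rec = self._vault.get(number)
        if rec is None or not luhn_valid(number):
            return None                      # unknown or malformed number
        if rec["merchant"] not in (None, merchant):
            return None                      # replayed at a different site
        if rec["uses_left"] <= 0:
            return None                      # already spent: a stolen copy is worthless
        rec["uses_left"] -= 1
        return rec["pan"]

REAL_PAN = "4111111111111111"  # widely used test number, not a live account
```

A merchant database that is later broken into holds only substitute numbers, which the issuer refuses once they are spent or presented by a different site.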

Shop Smart

As with most online activities, security and privacy do not come from a single product. They come from having a knowledge of the threats and a sense of how to be safe.

There are a variety of ways you can get robbed online. Giving your money to shady companies or people, sending credit card payments through e-mail, and shopping at Web sites that have been hacked are just a few of the common things that lead to credit card fraud and robbery.

I know someone who was robbed while purchasing an auction item through Amazon.com. The buyer was purchasing a new Sony Playstation II from a seller whose profile was new to Amazon. After mailing the seller a check for $350, the buyer never heard anything or saw anything. Weeks passed, and the buyer's frustration turned into the realization that he had been robbed. Amazon.com was very responsive to the buyer's e-mails and concerns. Luckily, its policy covers theft through auctions on its Web site. If the buyer had paid through the Amazon.com payment system, he would have been covered and reimbursed for the entire purchase amount. However, because he paid with a money order, Amazon.com paid up to only about $250.

Many of the threats associated with online shopping are the same as those associated with traditional shopping. Things such as credit card theft, buyer/seller disputes, and damaged product shipments can happen anywhere. If you decide not to shop online for these reasons, you are missing out on a whole new world of opportunity.

Online shopping has many benefits and can be lots of fun. As long as you make good decisions, your shopping experiences will be wonderful. This list of good practices will help you to make safe shopping decisions online:

  • Shop with merchants you trust.

  • Do research on the company and product before making any purchases.

  • Look for signs of security from the Web site, such as SSL encryption and privacy-assisting payment methods.

  • Read the company's privacy and security policy.

  • Use a payment system you feel comfortable with, such as an online payment company or disposable credit card.

  • Keep a record of your transaction.

  • Never send payment information through unencrypted e-mail.
