/ Shopping

Are you shopping online safely?

The Christmas shopping season starts in earnest on Black Friday this week. At this time of year it’s more important than ever to stay safe online – are you shopping securely?

I try to avoid doing anything about Christmas until after my birthday, which is at the beginning of December, but it’s hard to ignore with decorations going up and the increasing clamour of adverts everywhere urging us to get on with our shopping and planning.

Black Friday is looming and retailers hope that the price cuts on offer will encourage all of us to break out the plastic and start shopping.

Like many, I do as much of my Christmas shopping online as possible – but it’s also a busy time of year for those whose intentions are less honourable. Scammers and hackers love the busy end-of-year shopping season, so I take extra care as I’m looking for gifts for my family.

We gathered a collection of tips to help you stay safe as you shop online for the December issue of Which? Computing, offering advice that ranges how to look after your passwords, how to check how long a website has been online and how to spot a phishing scam.

Be alert to the padlock

My top tip for online shopping is to be alert to the padlock icon on websites. We’ve all learned to look out for it as a confirmation that the site is ‘secure’, but many people don’t realise what that actually means.

The padlock means that all the pages on the website use https to connect – in other words, that the data you exchange with the site is encrypted, including not only your login and password, and your payment and address information, but also your ordinary browsing.

It’s important to know if a website is properly encrypted, but it’s also important to remember that the padlock doesn’t guarantee that the shop is legitimate. It doesn’t guarantee that your order will turn up, or that you’ll get what you’ve ordered rather than a cheap fake.

Encrypted websites

Hackers and scammers can and do set up properly encrypted websites – it’s straightforward to do and it helps convince their victims that they’re on a safe website when of course it’s nothing of the kind.

We’ve written more about https and the padlock on our Helpdesk website. Don’t be lulled into a false sense of security by the padlock icon!

How do you stay safe when you’re shopping online – have you got any top tips for staying safe – or indeed for getting the best bargains? Do you worry about using your cards online, and have you been a victim of a scam?

Or are you one of the brave folk who wrap up warm and head out to the High Street? Let us know what your safer shopping strategies are in the comments.


This comment was removed at the request of the user

I am satisfied that using a credit card to make a purchase by telephone is fairly safe if use of the keypad to enter the codes is enabled, but paying with a credit card on a speech-only method is risky. I am surprised more companies don not have keypad data-entry systems for taking payments by phone.

I don’t bank online either but do quite a lot of shopping there always using a credit card.

I would like to know why some suppliers insist on you opening an account and paying through PayPal when you don’t need credit. Is PayPal a safer method of payment than using the normal procedure?

I do try to stick with the tried and tested and well known suppliers and familiar brands where possible.

PS: My Japanese tea ceremony lady has come out of hibernation again and Beryl has gone back into hiding behind the palm tree, which strangely coincides with Patrick Steens return from Singapore!

This comment was removed at the request of the user

Thanks Duncan, that was most helpful and informative.

I have had 2 disputes raised with Paypal and both times they sided with the seller. I did win both eventually, but now would only use Paypal as a last resort.

I only had one issue with a seller on PayPal, and was eventually refunded in full but I agree; I don’t like using them and always attempt to avoid them.

My tips for staying safe when shopping online:

If the seller is unknown, check them out. Be extremely wary of any seller not giving full contact info. If the only way to contact the seller is by filling in an online form, then look elsewhere.

Search for the company, what do others have to say about it.

Search for the address and postcode. Put in double quotes for an exact match “XY12 3YZ”.

Check out the address on Google maps. Has the seller got a street presence or are they using a virtual office or a street number that doesn’t exist?

Check the phone number. Putting the number in double quotes and moving spaces around can get different results. 01234567890, “01234 567890” +441234567890 or change + 441234 to 01234

Sometimes you find the seller has other websites with different names, selling the same stuff at different prices. Landline area codes give an indication of where they are, mobile phones could be anywhere.

Check the VAT number that will give you the company name registered to it.

Check out the company for people, accounts, how long it has been in business, how many times it has changed name, is it in trouble?

Check the website.

Check out product reviews preferably on more than one website. I always go for the negative reviews first, and bear in mind they could be fake. Negative reviews can have a habit of being removed or buried with ‘good’ reviews.

Ask the seller a question by phone or email. ‘Is it definitely in stock?’, ‘How tall or heavy is it?’ How do they respond?

Is the item you are looking for a commonly faked item? Is it worth taking a chance or for an item like batteries, would it be safer to pay more and buy from a reputable company?

Not sure about a brand name? Research it and do a reverse image search on the product. Also flip the image horizontally and search again.

Never let the seller retain your payment card for next time.

I always try and shop on a what I call a ‘clean’ computer. If my PC hasn’t been rebooted for a week and I’ve been all over the place, then I clear temporary files and cookies and do a reboot before purchasing.

This may seem over-the-top and I rarely go to these extremes, but if you are handing over a large sum of money to somewhere you just found on the internet, you might want some reassurances you are likely to receive your goods.

Thanks alfa, those all sound like sensible precautions.

Excellent, Alpha. W? could use that list and feature it on the site alongside the original article.

Thanks for these alfa, all good tips.

My own personal one is to always check the social media of a retailer if you’re not 100% sure – how are they handling complaints? Are they replying to customers? Is the account verified? You can learn a lot from the way a business conducts itself in public.

…………and a definitive thumbs up from me alpha!

Up to now, I’ve always safely shopped online.

That said, I do as much shopping as possible in real shops (“r-world”) so I don’t do very much online shopping.

The one time our credit card was used fraudulently was through an insider’ at a company with which we’d shopped a week earlier. A bit inconvenient, of course, but using credit cards at least you’re covered for any losses through outright fraud.

As we have been discussing PayPal, I thought I would share a disconcerting email I have received from them.

The credit card registered with them is expiring at the end of this month and I was not going to update it.

The email is entitled
We’ve updated your card’s expiry date

The body is addressed to me by my full name and goes on to say:

Your card is updated and ready for use.
We took care of the details so you don’t have to.

We’ve updated the expiry date for your Visa x-nnnn. We did this to make sure the card is ready to be used when you need it.

You can log in to PayPal to see the updates but you don’t need to do anything else.
Here’s some additional information:

• If this card was your preferred way to pay online, nothing will have changed. You can always change this preference in your account settings.
• If you had pre-approved payments set up with the old card, those payments will now be made with the updated card.

Thanks for using PayPal.

Nothing in the email suggests this is a scam and the last 4 digits I have replaced with nnnn are correct.

But you have to ask, how did they obtain my new expiry date? And do they have the right to update it?

alfa – are you saying that you card issuer has re-issued the card with a new expiry date and its existing number, and that PayPal have either been notified of this, or have discovered it off their own bat?

I have re-read your comment, Alfa, and realised I had misinterpreted it.

I see now that this is not about a credit card issued by PayPal but a credit card from a different card issuer that you have registered with PayPal for payments. As you say, how did they get hold of your new expiry date? Presumably they would not have any reason to know your new three-digit security code as that should be encrypted and only used during the payment process for reconciliation with the card issuer.

If I were you I would de-register the card with PayPal.

I am suspicious of any auto-renewals and dislike continuing payment authorities.

PayPal have ‘discovered’ the expiry date for themselves from the card issued by my bank.

There is a chance that all cards from that source have the same length of time added to them until the next expiry date I suppose.

I need to log into PayPal and look at my account. I think the last time I used PP was over 3 years ago and I will probably have to go through the rigmarole of forgotten passwords.

There is no login link from the email which you would expect to find if it was a scam.

I will also check with my bank and hear what they have to say about it.

The three-digit security code is a good point John. It has changed so how would PayPal know what it is? Unless PayPal don’t actually check security codes.

I have just done a quick research on the card security code.

The card verification code was designed to prevent card-not-present fraud (usually via online purchases) by requesting customers to provide an extra verification code apart from the card’s number, holder and expiry date,” Liviu Arsene, senior e-threat analyst at anti-virus software firm Bitdefender, said in response to emailed questions.

The code is sent to your bank along with your card number, expiry date and address details when you make a purchase. If all of this information is correct, and assuming you have sufficient funds in your account to cover the transaction cost, your bank will authorise payment via its payment network.

Retailers are not allowed to store CSCs on their systems, which means cybercriminals who hack into company databases and steal payment information cannot access them. In theory, this makes it harder for thieves to use your card, even if they’ve stolen other personal information. CSCs are also never transmitted during physical “card present” purchases, making it difficult for card skimmers to collect them.

So I can only assume they guessed the new expiry date. I still need to follow this up though.

I think the CVC system is a good security feature so long as –
(a) the card-holder never writes the number down [and especially not in proximity to the card number],
(b) the card never falls into the hands of a third party [as in a restaurant],
(c) the CVC is encrypted in any on-line order so is not visible to any employee of the company fulfilling the order or by any other party, and
(d) the CVC is never given when making a telephone payment – in my experience it is usually requested but I don’t know why they need it for telephone ordering because they already have plenty of other personal information [like name and delivery address] for authenticating the order, and in any case – unlike with an instant or immediate service – there is always a fulfilment period during which time the payment transaction can be verified and confirmed.

The issue of a new CVC on renewal of the card is also an added protection but I would prefer shorter validity periods as well. I think some of my cards are valid for four years or longer.

I assume that the CVC’s are not incorporated into the chip on the credit card.

The absence of the log-in link in your e-mail is a good sign of authenticity and protection. It is not unknown for e-mails to be forwarded to other people either unintentionally, or on purpose but carelessly.

I suspect that a certain amount of credit card fraud is facilitated by corrupt employees in call-centres or customer service roles who can acquire full card details including the CVC by writing down the information before typing it into the computer. I have no idea whether there are any checks to prevent this.

When I first received a credit card [an unsolicited “Access” card in about 1973] there were virtually no personal computers and all goods ordered by telephone using a card had to be delivered to the billing address for that card, so half these problems did not arise.

I have called my bank and apparently some companies do automatically update your card details for you. Amazon is another one that does it.

I forgot to ask about the CVC. Paypal do not know the new code so maybe I would get asked for it the first it was used.

I suppose they would only need the code the first time the card was used to validate it. There again, wouldn’t it be needed for every transaction?

They recommend deleting the card from my PayPal account.

I believe the CVC is the only thing that has to entered manually for every purchase the remainder of the personal data being stored if the payment card has been registered [although the option not to register a card should also be available]. Many people also enable their computer to store their log-in details and password. Those who do that should definitely have a separate password for every account.

Firstly I’d add my voice to those reluctant to use Paypal. I’ve only ever used it/them about twice and very many years ago – but I’ve had a plethora of obviously scam emails relating to ‘my recent transaction’. I don’t even bother reading them now but those that I did were incredibly convincing – and had I used Paypal more recently I’ve no doubt I could have been duped into clicking on a link or something equally as dangerous.
The one transaction I had with a dodgy retailer (goods not delivered) was covered by my credit card provider as I was able to provide order details, email trails, etc.

Anyway, the main reason for joining the thread – and as it has come up elsewhere – is really to warn members that even supposedly legitimate suppliers are clearly not above ripping customers off – particularly in relation to auto renewals/continuing payment authorities (CPA). I’ve recently had an horrific experience with Digital River (DR – Kaspersky) whereby I cancelled an order they had raised via auto renewal which I didn’t even realise I had. I simultaneously cancelled the order and CPA. Both actions were completed only after the card provider gave me advice re how to do it as DR make it almost impossible. Having completed these actions and being in receipt of confirmation of both some days later I had an email from them confirming me of the renewal of my order! I emailed to complain, etc – and received an email explaining it had been an error caused by ‘confusion’.. We then got into a trail of me refusing to accept their apology and their ‘confusion’ excuse (this is after all supposed to be a company with some of the most advanced software systems known to man) and each time they responded to say the renewal was down to ‘confusion’. I cut the trail after three further emails but had I continued I’m sure I’d still be receiving their cut and paste response. So, be warned and please be vigilant re what you’re being charged for. I’ve absolutely no doubt that most legitimate companies wouldn’t indulge in such disgraceful practices – but equally certain that a very small minority clearly do.

This comment was removed at the request of the user

Amazon has the habit of retaining your credit card details after a purchase as they claim probably rightly that it makes further purchases easier to make; however it is better to elect not have the details retained so even if one’s identity is at risk your credit card details will not be shown.,