
Security

November 27, 2009 1:05 PM PST

Tips for safe online shopping

by Larry Magid

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director, David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: If you're not familiar with the merchant, do a little research, like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Epinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping. Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

Look for trust seals, but verify they're legitimate


It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure" site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online and physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can 'opt out' of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low--another good reason to be cheerful during the holiday season.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
June 29, 2009 4:24 PM PDT

'Iceman' pleads guilty in credit card theft case

by Elinor Mills

Max Ray Vision, aka "Iceman," pleaded guilty on Monday to two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $86 million in alleged fraudulent purchases.

Vision faces up to 60 years in prison when he is sentenced in October in federal court in Pittsburgh, according to federal public defender Michael Novara.

Vision was arrested in September 2007 and accused of operating an underground forum called "Carders Market" where cybercriminals bought and sold stolen credit card numbers and other data. He was targeted as part of a sting operation in which FBI agent J. Keith Mularski spent two years undercover infiltrating a group of cyberscammers who bought and sold stolen credit card numbers on a rival site called "Dark Market."

In an interview with CNET News in May, Mularski talked about Vision, whose last name used to be Butler:

There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name "Iceman," was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert.

Vision had worked as a security consultant before being arrested.

In a statement to the court, Novara said:

"Max has always preferred using his extraordinary computer skills--his computer vision--for the good of society and the cyberworld, and he hopes that he will be given the opportunity in the future to once again don the white hat."

April 15, 2009 5:03 PM PDT

Report: Payment card data was top target in 2008

by Elinor Mills

More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.

Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.

The top five breaches accounted for 93 percent of total records compromised. As a percentage of caseload, 80 percent were payment card breaches, while payment card data represented 98 percent of all records compromised last year.

PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.

PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January and there have been reports of another breach at an unidentified institution.

More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.

This chart shows threat categories by percent of breaches (black) and records (red).


Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.

As far as types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.

In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.

During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.

"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."

March 31, 2009 7:08 PM PDT

Symantec investigating customer credit-card data theft

by Elinor Mills

Updated at 9 p.m. PDT with more details from a Symantec representative.

Symantec is investigating allegations that a call center in India leaked credit card numbers of its customers to someone who then sold them to BBC News reporters posing as criminals.

The security company has informed U.K. privacy authorities and attorneys general and officials in eight U.S. states and Puerto Rico of the allegations that three U.K. customers had credit card information leaked and that about 200 U.S. customers may have been affected because of interactions with the call center, Symantec spokesman Cris Paden said Tuesday.

"We nailed it down to one agent at the call center" who handled the Symantec customers, he said. That agent was put on administrative leave pending the outcome of the investigation, Paden added.

In addition to Puerto Rico, the states contacted were New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia, and North Carolina, Paden said.

It was unclear exactly how the data of the three U.K. customers got from the call center into the hands of the man who the BBC News said sold the credit card numbers. Nor was it clear whether any data from the U.S. customers was leaked. Paden said there is no evidence that any U.S. data was exposed.

In a letter to New Hampshire Attorney General Kelly Ayotte dated March 24, the security vendor said it is "investigating a potential security incident involving a small number of customers' credit card information."

The letter said Symantec was sending a notice to a customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach, as defined by New Hampshire statute, had occurred.

The company added that even though it has no evidence that credit card information of any U.S. resident was actually compromised, it is offering its customers one year of identity protection services through Debix as a precautionary measure and reviewing its "security processes and third-party vendor protocols."

The BBC News reported on March 19 that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit card numbers, at $10 a card, from a man who claimed to have gotten them from a call center. They filmed the interaction. The man denied any wrongdoing, the BBC said.

When the reporters contacted some of the card owners, three of them said that they had bought Norton software from Symantec over the phone using their credit cards.

Symantec has set up an e-mail address for customers who want more information: global_purchase_query@symantec.com.

The BBC recently got flak for purchasing a botnet and using it in some tests to show the dangers that Web surfers face.

The IDG News Service is believed to be first to report on the Symantec letters.

Updated April 1 to clarify which media outlet is believed to have first reported the news.

March 30, 2009 3:04 PM PDT

Stolen credit cards exposed on Google--report

by Elinor Mills

Credit card information of 19,000 British Web surfers was exposed on Google search before being removed, according to a report this weekend.

It is unclear exactly when and for how long the information was available to Google searchers, although most of the cards had been canceled, The Telegraph reported the UK payments association APACS as saying. Visible were names, addresses, and credit card data for thousands of people.

Originally, the data was posted on an unsecured server in Vietnam used by criminal gangs that was closed in February, the newspaper said. However, the "cached" version of it on Google remained.

Google offers tools that allow webmasters to make sure content is not cached or is removed. Apparently, whoever leaked the data didn't use those tools.

"Please keep in mind that search engines are a reflection of the content and information that is available on the Internet. Search engines such as Google do not own this content, and do not have the ability to remove content directly from the Internet," a Google spokesman said in a statement.

February 24, 2009 5:01 PM PST

Credit card data breached at unnamed payment processor

by Elinor Mills

Another U.S. payment processor has suffered a database breach that exposed credit card and debit card information, according to several credit unions. The name of the payment processor has not been released and it is unclear how many consumers are affected.

Blog site DataBreaches.net has been tracking the reports.

Community Bankers Association said in a statement on its site two weeks ago that Visa announced that an unnamed processor reported a data breach and that the name of the processor was being withheld pending completion of a forensic investigation.

The breach appears to have affected fewer account holders than were affected by a breach reported by Heartland Payment Systems last month, but represents a "significant number nonetheless," the statement said. "According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen."

The Tuscaloosa Virginia Credit Union posted a statement on its site that said malicious software was placed on the processor's system but there is no evidence that accounts were viewed or data taken by hackers.

The Pennsylvania Credit Union Association also issued a statement, as did the Alabama Credit Union, which said it was limiting Visa ATM and debit card purchases to $99 per day as a result of the breach.

Credit card and debit card users are encouraged to monitor their statements carefully.

The incident is the latest in a string of breaches at payment processors, including one at RBS WorldPay last year that enabled scammers to clone cards and withdraw millions of dollars from bank accounts.

October 23, 2008 4:52 PM PDT

Using the mobile phone as a credit card

by Elinor Mills

Inside Contactless offers a MicroPass technology that can be embedded in stickers that are affixed to mobile phones so they can be used to make payments or access transit systems and buildings.


I admit it; I've been put off by the term "contactless payments." But it's an emerging area that deserves some attention.

If you are in Asia, you know what I'm talking about. People there have been making payments with their mobile phones using what's called "near-field communications." Just wave the handset in front of a reader and voila, the transaction is done.

In the U.S., we've had RFID technology embedded in cards. But the long-term goal is to eliminate the need to carry credit cards, building access badges and transit cards and just turn the phone into an all-in-one device.

Well, while the mobile phone has turned into an entertainment device over the last few years, it hasn't become the payment and access device in the U.S. that was envisioned when contactless payment strategies were born back in 2005 and earlier.

And now, with the economic downturn, the near-field communications industry is likely to take even longer to take off. Broad adoption of near-field communications will take longer than expected now, as long as three to four years, predicts Shyam Krishnan, an industry analyst at Frost & Sullivan.

So, a French company called Inside Contactless has come up with an interim solution that will let people turn their phones into credit cards and transit cards. Inside's MicroPass technology will be embedded into a sticker that can then be affixed to a phone, wallet, or anything else.

The company, which entered the U.S. bank card market with a microprocessor-based chip in 2005 and is backed by Nokia, Motorola and Samsung, recently announced that Colorado Plastics will be producing stickers using the MicroPass technology.

Soon, we may see people waving their mobile phones, iPods, ID badges, or wallets in front of readers to get on the subway or buy coffee at Starbucks.

"It's a cool way to pay; convenient," said Charles Walton, executive vice president of the payments business at Inside. "It turns the phone into a super wallet."

"It's a card in a different format," said Jonathan Collins, principal analyst in ABI Research's RFID and contactless group. "We've had American Express fobs, but they didn't prove to be overly popular. Stickers are more useful."

The MicroPass technology should fare better with regard to security scrutiny than the much-maligned NXP Mifare Classic RFID chip, which has been found to have severe flaws and can be cloned.

"We're using a microprocessor with open-standard security techniques, not a fixed memory, proprietary security scheme" like Mifare Classic, Walton said. The applications implemented using MicroPass "cannot be cloned in that way."

Adoption will depend on how quickly banks, retailers and phone companies can agree on standards and implementation, as well as on whether people are ready to merge their phone and their wallet.

"There has to be a benefit for the end user," Krishnan said. "It all boils down to its convenience, at the end of the day."

I'd be interested in hearing reader thoughts on whether this technology would be useful.

Originally posted at Wireless
September 12, 2008 9:11 AM PDT

One of 11 alleged T.J. Maxx hackers pleads guilty

by Declan McCullagh

One of the hackers accused of involvement in the massive data breach targeted at T.J. Maxx's parent company, arguably the largest security breach worldwide, reportedly pleaded guilty on Thursday.

Damon Patrick Toey pleaded guilty to wire fraud, credit card fraud, and aggravated identity theft, and will be released subject to electronic monitoring, according to a report on the Wall Street Journal's Web site. Eleven defendants total are facing charges in federal court in Boston.

TJX Companies, the parent company of T.J. Maxx and Marshall's, said in March 2007 that 45.7 million accounts were compromised over nearly a two-year period. The company said--and federal investigators subsequently confirmed--that it believed the hackers gained access to millions of credit card and debit card numbers through inadequately protected Wi-Fi networks, and then put the numbers up for sale.

The 11 defendants were formally charged last month, including three from the U.S., one from Estonia, three from the Ukraine, two from the People's Republic of China, and one from Belarus. One used an alias and his whereabouts are unknown.

September 11, 2008 4:43 PM PDT

Panel: Mobile payments misunderstood in U.S.

by Robert Vamosi

SAN FRANCISCO--The media are responsible, in part, for the lack of greater adoption of mobile payment systems in the United States, a panel of payment leaders said here Thursday at the fall 2008 CTIA.

"I think the media, because they don't understand the technology, and consumers, because they don't understand the technology, have created a hysteria around this," said Barry McCarthy, president of Mobile Solutions for First Data. "I think it's entirely unfounded."

Contactless payment systems use near field communication (NFC), an extension of the ISO 14443 proximity-card standard that allows mobile devices to use short-range high-frequency wireless communication between devices. A consumer might, for example, hold an NFC-enabled mobile device near an NFC-enabled point of sale (POS) to wirelessly debit a person's bank account to complete a sales transaction. Or a person might hold an NFC-enabled mobile device near a smart tag embedded in a poster to gain additional information about a product or a service.

In Southeast Asia and Europe, mobile devices are already being used as electronic wallets. Adoption of mobile payments in the United States has so far been hampered, other members of the panel agreed, by a lack of retail adoption. They did, however, cite increasing use with public transit systems and within Quick Service Restaurants.

"I don't think it's necessarily about people being concerned about security as it is understanding just exactly what it is, how it works, and the security that is present there," McCarthy said. "(Security is) an excuse that a merchant might throw out" not to adopt contactless POS equipment today.

James Anderson, a vice president at MasterCard Worldwide, said his company had surveyed consumers on this topic for a few years and found that the security of the new contactless cards was not an issue with consumers in part because of the brand associated with the card, what he called the "brand promise." Anderson said any controversy around security is just "our good friends in the media needing things to write about."

Spencer White, director of Mobile Financial Services for AT&T, argued that NFC was more secure than magnetic stripe cards. He said handling the physical credit card can expose the account number, but mobile NFC exchanges can be secured with one-time token exchanges or PIN codes. "We believe that we can demonstrate, that we can communicate quite effectively that mobile is a more secure solution in general," White said.

White cited two recent test cases in which AT&T equipped customers with NFC-payment-system-enabled mobile phones, and after a short exposure they tended to feel more secure using it. "Mobile has a great story to tell around security, but it's a story that has to be told. It's not intuitive," White said.

Howard Gefen, director of External Payment Services for Amazon.com, agreed. "There's a lot of uncertainty around a new payment system. Customers don't always know what's going to happen so they focus on the unknown, and security is an easy one to go wrong," he said. Gefen said that Amazon's mobile service includes the ability to get callbacks as confirmation, but that after a few purchases, most consumers were confident enough to start turning off that feature.

The panelists agreed that the brand promise would be the primary driving force. For example, knowing that MasterCard, AT&T, and Amazon all guaranteed the user's purchase would be secure tended to win over reluctant customers in the end.

August 19, 2008 11:15 AM PDT

Ireland investigating fake credit card reader scam

by Elinor Mills

If you've used a credit card reader in Ireland recently you may want to call your credit card company and monitor your account.

Scammers posing as bank workers replaced credit card readers in retail stores in northeast Ireland with fake readers that captured the data on as many as 10,000 credit and debit cards, according to an IDG News Service report.

The Bank of Ireland shut down some cards and limited overseas withdrawals, while Ireland's National Police Service launched an investigation.

Criminals can make clone cards with the data they get off the magnetic stripe from the cards that pass through the dummy readers.
