Safer Online Holiday Shopping

Nov. 16, 2004 -- The good news for Internet shopping sites: U.S. consumers will spend more than $152 billion online this year -- a 25 percent increase over last year. The bad news: Fast-moving fraudsters are aggressively seeking to steal a bigger portion of that large sales figure by targeting online shoppers directly.

"Cybercrime used to be about hacking into servers of e-commerce sites and financial institutions," says Avivah Litan, vice president and research director of payments and security practices at Gartner Inc., a market research firm in Stamford, Conn. But now it "has moved to the end user: consumers."

Case in point: The rise of online "phish" or bogus e-mails that con Web surfers out of their personal information by masquerading as an official missive from a bank, online shopping site or credit card issuer.

"Fifty-seven million online adults said they received one of these phishing attacks last year," says Litan. "And about 3 percent recall responding to such e-mails and giving away information."

Such high-tech trickery has become an increasing part of the banking industry's larger concern: identity theft. According to a recent Federal Trade Commission report, ID theft already accounts for about $60 billion in losses annually. But by Gartner's reckoning, approximately $1.2 billion of those losses will come from phishes and other online scams.

In attempts to thwart the tide of Net losses, financial institutions are trying everything from increasing consumer awareness of Web scams to closer scrutiny of individual online transactions. Some banks and credit card issuers are even offering downloadable software designed to protect their members' security and privacy while shopping and banking online.

Seeking Out Spyware

Last week, Citigroup announced it has made available online a suite of security programs from Webroot Software in Boulder, Colo. The programs will scour a member's computer for any hidden viruses and so-called "spyware," programs that clandestinely record data about a Web surfer as he or she cruises the Net.

Internet security experts have become increasingly worried about spyware because many consumers still aren't aware of the need to protect themselves from the potential online privacy threat.

"Viruses get a lot of press, but spyware is the highest-grade threat out there currently," says Richard Stiennon, vice president of threat research at Webroot, an anti-spyware software company. Based on an online audit conducted with a leading U.S. Internet service provider, Stiennon says an average personal computer is infected with about 26 pieces of spyware, ranging from programs that pop up additional online ads to programs that record a Web surfer's key strokes -- such as when they type in a credit card account number and password.

While offering online security and anti-spyware programs could help protect consumers' computers, other banks and issuers are pursuing additional means to secure online transactions.

Throw-Away Account Numbers

Several banks, including Discover Financial Services, which issues the Discover credit card, are trying to revive a security measure called "controlled payment numbers."

These schemes use software to create virtual credit card numbers that are linked back to a user's real credit card account. The numbers are accepted by any online merchant as a regular credit card account and are typically good for only a single purchase or limited use on a single Web site.

"It's a stand-in number and a single-use number," says Steve Furman, director of marketing for e-commerce at Discover Financial Services. "If [thieves] hack into a merchant's server -- and they would really have to work on it to get in -- they get a number that's no longer valid."

Furman won't say how many Discover card members have enrolled in its DeskShop controlled payment system. But he says there was a "significant increase" in sign-ups last month.

"For the month of October, it just makes sense as we draw closer to the holiday shopping season," says Furman. "People are thinking about security, they're asking themselves what can I do to further protect myself from online fraud?"

And while the banking industry rushes to add more layers of protection to online transactions, analysts such as Gartner's Litan worry that Net fraud may already have gotten the upper hand.

She notes that a recent Gartner survey found that 73 percent of merchants are now manually reviewing online purchases for signs of fraud. But the growth in the number of purchases means that more cases of fraud are likely to get through despite attempts at closer scrutiny.

"Fraud detection systems and credit card companies aren't keeping up to the threat," says Litan. "Phones, ATMs, bank transfer systems, automated clearing houses, debit cards ... you have to protect all of these services. There is so much information on all of us online and the crooks can get to all of it."

How to Protect Yourself Online

While no single solution can guarantee complete protection against online fraud, Web shoppers can take certain steps to help minimize risk. Here are a few common but often-neglected tips:

Use online security software and keep it up to date.

Antivirus and anti-spyware programs will keep hidden and malicious programs from spying on what you do online. Firewall programs will keep an eye out for programs that try to access the Internet -- say, to send information to a hacker -- without your knowledge.

Be careful with your passwords.

Do not use the same password for every online account. Use so-called "strong" passwords which contain both letters and numbers in a random order and change them often -- at least once every two to three months.

Know your online sites.

When shopping for holiday gifts online, stick with well-known merchants. Make sure you understand how each merchant handles billing disputes and what actions they will take to safeguard your online purchases.

Be suspicious.

Remember that very few -- if any -- legitimate online companies will ask for personally identifiable information such as your account number, ZIP code and Social Security number via e-mail. Never click on any Web links sent in an e-mail but enter a Web site such as eBay by manually entering the address -- www.ebay.com -- in your browser. And remember: if an e-mailed offer sounds too good to be true, it probably is.

Shop only from your home computer.

Public computers or those at your workplace may store your information and actions as you surf the Web. Also, don't use wireless Internet connections since your data can be captured by hackers as it travels through the airwaves.

Never use a debit card to shop online.

Debit cards are typically linked directly to your checking account and offer no protection against online fraud. If a hacker gets your debit card number and drains the account of funds, you are usually liable for the entire amount. Most credit cards, typically, have zero liability -- provided you report the fraud as soon as possible.

Check your credit card bills and credit report frequently.

If you have secure access to your credit card account online, check it often for suspicious activity. Be suspicious of seemingly insignificant charges as well, since hackers and thieves will sometimes test a stolen credit card account with a small purchase before charging large orders. A periodic review of your credit report will help ensure that no new accounts have been opened in your name without your knowledge. You are eligible for one free report from each of the three major credit bureaus -- Equifax, Experian and Trans Union -- annually.