Online Shopping Security 101
***This is a legacy document and as such may contain out-of-date or incorrect information. The vaping world has moved on a huge amount in a very short space of time, and these articles were written to the best of our knowledge at the time, but we can no longer stand by their accuracy!***
This online shopping security 101 is designed to educate our members on how your credit or debit card is processed and how you can protect yourself from fraud. Much of the information here is basic, but we have also received input from several sources, including our ECF Suppliers. Please take the time to read it all, because it is an important subject and ECF is attempting to address the subject as a whole here, instead of just bits and pieces of the process. Please also note that ECF has no specific knowledge of consumer-side security issues; this article contains a number of excellent tips which have been provided by contacts of ours with security knowledge.
Let's start off with a flow chart to show the transaction cycle, assuming that you are ordering from a supplier that has a properly configured shopping cart on a secure (https://) connection:
At no time does the supplier have your full credit card information, as can be seen in these sanitized screenshots provided by several of our suppliers. Although each one is different because of the processor and cart in use, they have something in common: only the last four digits of your credit card are actually given to the vendor, so that they can help you identify which card you used.
Preventing Credit Card Fraud
Compromised vendor sites
It is impossible to say how and why any particular credit card fraud event happened, since some card fraud is probably the result of simple computer generation of card numbers. However, when the card requires the 3-digit security code in order to work, and it has only been used once, then there is a reasonable chance that something associated with the online store visited may be implicated in the event; although the problem might be a keylogger on your PC.
The fact is that online stores can be vulnerable to exploits in several ways, and this is mainly the responsibility of the website hosting service, not the vendor - vendors are not experts in server security and online sales security. The hosts should be, but frequently are not. There are specialist ecommerce hosting services who do have expertise in this area, and who should be used by vendors. Unfortunately they are not the cheapest hosts - you get what you pay for.
Secure your PC
It's true that having a secure PC is also important. You should use a good anti-malware app and firewall that are proven in benchmark testing to score very highly, and ABSOLUTELY NOT base your choice on advertising or image. Good software is often available free, only missing the support option and extra widgets that most people don't need anyway. For example Avast and AVG score very well as an anti-malware choice, and Online Armor is a real firewall that actually works in both directions. A one-way firewall is not as good because it cannot stop the malware 'phoning home' with your data. These apps are all free; or you can upgrade and get support plus extra bells and whistles.
The drawback to good security is that it involves extra work and hassle. But it's your credit card, and your choice. Just please don't blame everyone else until you have locked down your own system. Spyware is a major industry and they want YOUR data, off YOUR PC.
For more information consult the community's expert resources, for example at Gizmo's Freeware (basic security software and advice) and Wilders Security Forums (detailed advice). Of course, if you can instruct someone in the detail of running HijackThis tests, interpret the results, and remove their rootkits, then you won't need any up-to-date advice on this subject. Most other people do.
You and your credit cards
Staying safe involves some hassle - because that is the definition of security. Use one or more of the tips below and you can eliminate most or all card fraud. The fact is, things can be very difficult indeed for online ecig vendors, because very few merchant partners* will accept them due to the issues involved (association with tobacco, which is blocked by some of the major processors; and the volume of chargebacks, many fraudulent). Some of the partners they have to use may not be the most efficient in the business.
* The companies that act as middlemen between the vendor and the banks - 'checkout processors' if you like.
The advice that ECF has been given is that you should NOT use a card for online purchases that is associated with your main bank account. Instead, you should use one of the options below:
- Use a one-time prepaid card.
- Use a pre-pay/pre-load card, and only load it when you are about to buy.
- Use a Paypal virtual one-time card number.
- Get a bank account with a card that allows you to generate a 'virtual card number' - this is a card number that can only be used for a single purchase and is useless after that.
- Have a separate bank account just for online purchases. This is easier to check out for fraudulent activity.
- Use a solid credit card company who are known to be strong on security. Cheap or minor-name cards may not be so good for the back-up you need.
- Always read your CC bill very carefully, and check ALL the items.
- Check your CC bill online regularly, if that service is available to you.
- Watch out for a small test purchase on your card. Fraudsters often test it out with a small buy that can be hard to spot in your bill - $9 for a book, or $14 for flowers? Call your CC company and check it out.
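The bill-checking tips above can be automated over a statement export. The following is an added example, not part of the original article; the CSV column names, the $20 limit and the merchant names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from decimal import Decimal

# Constructed sample rows; the column names are an assumption, since
# every card issuer exports a different CSV layout.
SAMPLE_STATEMENT = """date,merchant,amount
2024-03-01,GROCER MARKET #1042,54.20
2024-03-04,CITY BOOKS ONLINE,9.00
2024-03-05,VAPE SUPPLY CO,38.50
2024-03-06,PETAL FLOWERS,14.00
2024-03-07,VAPE SUPPLY CO,-38.50
2024-03-10,ELECTRO WAREHOUSE,499.99
"""

def review_statement(statement_csv, known_merchants, small_limit=Decimal("20.00")):
    """Return (date, merchant, amount, reason) for charges needing a look.

    known_merchants: names of shops you knowingly bought from. A statement
    descriptor counts as known if it starts with one of them, because
    descriptors often carry a store number or city suffix.
    small_limit: assumed threshold at or under which an unknown charge is
    treated as a possible test purchase.
    """
    known = tuple(n.strip().upper() for n in known_merchants if n.strip())
    findings = []
    for row in csv.DictReader(io.StringIO(statement_csv)):
        merchant = row["merchant"].strip().upper()
        amount = Decimal(row["amount"])
        if amount <= 0:  # refunds and credits are not charges
            continue
        if merchant.startswith(known):
            continue
        if amount <= small_limit:
            reason = "possible test charge"
        else:
            reason = "unrecognised merchant"
        findings.append((row["date"], merchant, amount, reason))
    return findings

if __name__ == "__main__":
    mine = ["Grocer Market", "Vape Supply Co"]
    for finding in review_statement(SAMPLE_STATEMENT, mine):
        print(*finding, sep="  ")
```

Anything the function returns is a prompt to call the card company, not proof of fraud; a legitimate shop may simply bill under a name you do not recognise.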
Notes for Vendors
Please use specialist ecommerce hosting - these are the only people who really qualify for your online store's hosting account. Security is the main thing you pay your hosts for, and many of them simply don't measure up. Ecommerce hosting protects you and your customers.
This is not referring to hosted ecommerce by the way - a proper ecommerce host supports your choice of ecommerce app, has a heavily-firewalled checkout area for your use, updates its servers daily, and scans them for malware regularly. They actually know how to set up PHP and MySQL correctly. Fraud involving sites on such hosts is virtually unknown.
We came across a server running PHP3 not too long ago, and it was a malware farm. Hosts cause exploits - don't use cheap hosting as it can work out expensive. Don't try and host your own site as you are just contributing to the problem.