How to shop safely online (pandemic edition)

Lars Janssen
7 min read · Dec 19, 2020

In a hurry? Please skim the bold text and be ready to note some actions!

My first online purchase a little over 25 years ago was for a CD. I don’t remember which one (honestly!), only that it was from a company called CDconnection and that I provided my bank card details over an unsecured Internet link.

Fortunately that purchase went without a hitch. Soon after, a technology known as SSL (now TLS) was adopted by online shops to encrypt your credit card number between your computer and theirs. To help the vast majority of people who don’t care for the technical details, web browsers show a padlock icon and add an “s” (for secure) into the address.

Alas my luck finally ran out this year. My card details were stolen during an online purchase and the first I knew about it was when thieves cleaned out my bank account just after payday. This is despite using a supposedly reputable high street retailer and following the advice you’ve probably seen before to “look for the padlock icon” (to me, it actually looks like a small handbag, but whatever).

Don’t trust “trusted brands”, don’t trust your bank and don’t trust yourself.

How can this happen?

As part of the answer, and before I treat you to some tips and actionable advice (yes, this article comes with homework), there are two fundamentals to keep in mind:

  1. Security is never absolute. Think of your money being transported in an armoured truck under guard — and then left in an unlocked room when it gets to the bank. This applies to your sensitive data online: at some point, it has to be accessed and used, so it can never be completely hidden.
  2. Online, security is not optional. There are hidden threats most of us wouldn’t have thought of. Even this lowly blog post should be sent to you over a trusted connection (check for the handbag — sorry padlock! — icon). Otherwise, someone could tamper with the links.

In my situation both retailer and bank — names and details omitted owing to ongoing legal action — dropped the ball.

The retailer’s website was hacked and malware installed that captures the card details of every customer transaction. Many weeks passed after they discovered the breach before they notified me, during which time a batch of fraudulent transactions were presented to and accepted by my bank.

Like most of us, my online shopping increased markedly with the onset of the pandemic and I received a text from my bank asking to confirm some “unusual” transactions that were actually genuine. Rather alarmingly, at one point my bank suggested they had dropped the fraud protection on my card for two weeks since I had confirmed these transactions. The fraud took place within this time.

I did get my money back, but only after an agonising weekend of waiting to get a temporary refund and a further ten anxious weeks before the case was resolved in my favour.

The following advice doesn’t guarantee that you won’t suffer a data breach or fraud, but should help you to limit the risk of it happening, and the damage if it does.

Don’t trust “trusted brands”

I have already blogged about how little care organisations take with your personal data. Since suffering from bank card fraud I’ve been especially vigilant and further issues with security and compliance come to light every week. You would recognise and probably trust many of the names involved, yet based on my (updated) analysis, around 1 in 25 websites have had a data breach resulting in spam or phishing.

Online retailers have had to make rapid adjustments during the pandemic, with a real risk that security is being neglected.

So, starting with email, accounts and passwords:

  • Limit how many websites you do business with. It’s like rolling two dice: if you do it often enough you’ll get two ones, except the odds are a bit worse than that with online shopping.
  • Avoid creating accounts. Many shops want you to set up an account with a password, but in most cases you’ll have real trouble deleting it later. Use the guest checkout option or shop elsewhere. You’ll want to make a few exceptions for shops you regularly use — a reasonable, calculated risk.
  • Use a password manager such as 1Password. Each site should have its own unique password. Yes, this one is actual work (sorry!), but data breaches can take years to manifest themselves. You’ll appreciate this when you see your password within the text of a spam email.
  • Protect your email account. Use a strong password and two-factor authentication. Actually you should protect everything, but start here because email is key to accessing your other accounts. This is because most websites let you set a new password by sending a link to your inbox.

Why 1Password? It is among the most secure and easy to use password managers. Data is encrypted locally so even if 1Password’s servers get hacked, they can’t see the data. For this reason, choose a long, secure password for 1Password itself.

And for online payments:

  • Get an account with Revolut. It’s easy to top up, and you get a disposable card number for every transaction that works only once.
  • Don’t let online shops store your card number, no matter how big and trustworthy the brand.
  • An exception to the above: for the likes of Spotify and Netflix, get a separate card and only top it up enough for the monthly fees. Get another for online groceries, as they make two or more transactions per order.
  • Use the card protection facilities in your app (even some high street banks are starting to offer this). Freeze your card when it’s not in use and set transaction and spending limits. If your bank doesn’t offer this, find a better bank.

Revolut is best for creating a few virtual, reusable cards with a monthly spending limit on each but you can also open an account with TransferWise, Monzo or Starling (the last two are current accounts and will show on your credit file). Only Revolut provides disposable, one-time cards.

Some people prefer to use PayPal. I don’t have much love for this company thanks to questionable GDPR compliance, high fees and tales of woe from users of eBay, but the principle is sound. Top up with small amounts and use it for some of your online shopping. Don’t link your bank card to PayPal; if your account is breached they could charge your card for the fraudulent transactions. If that happens, regulations and responsibility are a grey area compared with the protection you’ll get with a direct card payment.

Don’t trust your bank

Banks are highly regulated and usually secure, but their processes do slip up sometimes. I have noticed a disturbing trend towards dropping any security measures that cost them money, such as activating new cards.

  • If your bank calls, phone them back. Criminals fake the number that pops up on your phone and pretend to be from your bank. Hang up, call your voicemail or similar to make sure your line is clear, or use another phone. Call the bank using the number on the back of your card.
  • Don’t let your bank reassure you. To save costs and reduce inbound calls, banks will sometimes send a vague text “there was a problem with your card and we are sending you a new one”. Assume they have been alerted to potential fraud and block your card immediately.
  • If your bank asks you to confirm suspicious transactions, stop using that card. Even if the transactions are genuine, confirming them could prompt the bank to lift the security protection for a while. Block the card, then either confirm the transactions or request a new card. Use another card for a few weeks.
  • If you get a new card, use it immediately or block the old one. Banks will often let your old card work until you get the new one. It is a shaky assumption that you’ll actually do this during lockdown, so be proactive.

Banks make it hard for us to be vigilant when calling us. Thanks to data protection, they can’t tell you anything personal to verify themselves, but will immediately launch into asking you security questions. Don’t accept this. The only option is to communicate with the bank over a secure channel, such as a call from you to them, or messaging within the app.

Don’t trust yourself

(But don’t blame yourself either.)

Finally, remember that often the weak link in the chain of security sits between the chair and the screen. Even though we are all aware of the various scams, we only need to drop our guard for a moment. It’s fine to accept that at some point you will probably make a mistake.

Some things to be aware of:

  • Phishing is increasingly convincing. You can no longer rely on typos and poor design. For example, the email address I provided to eBay has been compromised and I receive near-perfect-looking scam emails with a valid digital signature whenever I list items for sale. Only the domain isn’t quite right. Companies often outsource emailing and use a different domain, so this could be overlooked, but question it anyway.
  • Always log in separately. Banks are not your friend here! One of them sends me part of my postcode to “verify” the email. That’s not good enough — such data is being stolen all the time. Always open up a new browser tab and log into the website there.
  • Do not use your voice as a password. Actually, any “password” that can’t be changed is a security risk. This includes the politically questionable use of your mother’s maiden name (take your business elsewhere if they insist on doing this, or make one up and store it in your password manager).
  • Avoid providing your date of birth. See above: a “password” that cannot be changed is not secure. Inventing one can have consequences though; if it’s for financial, aviation or medical services they probably need it.
  • Security of everything matters. I used to separate “high value” and “low value” accounts, but this is dangerous. Do take extra care with sensitive sites such as banking and healthcare, but you need to protect the “low value” accounts as well. They probably include data such as your name, address and email. It’s when those details get stolen that your high value assets will come under attack — often with you as the conduit.

Enjoy shopping online, but remember it’s like driving — it’s safer if you slow down a bit!

There’s plenty more you can do to protect yourself. Keep installing those updates and invest in a good virus checker. However, I have tried to include a few things that might not be obvious. I hope it was useful!