
Eight tips for safe online shopping

Shopping online is a great way to save time and money, but those efficiencies quickly vanish for people who lack basic online shopping smarts. Take a few minutes to review these safe shopping tips: They may just save you a world of headache and financial pain.

1. Shop with a credit card, not a debit card. The banks are pushing more consumers toward debit cards with a bevy of awards programs because they can charge merchants higher fees than on credit card-based transactions, said Avivah Litan, a fraud analyst with Gartner Inc. But if your debit card number gets stolen, it might be somewhat more complicated to sort things out, especially if fraud causes overdrafts and bounced checks.

2. Keep track of your receipts. Some experts advise online shoppers to print out all receipts. That's fine, but a simpler and more "green" alternative to this important tip is to simply take a screen shot of your order details, or save the page itself as an HTML file.

3. Shop from a locked-down PC. One piece of advice you almost always see in these Black Monday online shopping tips is to make sure you're running up-to-date anti-virus software. That's fine advice, of course, but if you're just now getting around to taking it, you might want to think twice about shopping online at all with that computer: It may already have a keystroke-logging virus on it. The best piece of advice: Use a Mac, or if you have more than one computer in the home, avoid shopping on the household's communal computer.

4. Look for the SSL sign/padlock in the browser's address bar. If you don't see this conspicuously on the page asking you to enter your personal and financial details, run away. This is the hallmark of one of thousands of fly-by-night consumer electronics shops on the Web. These phantom storefronts often rip off entire display pages from legitimate stores and are here today, gone tomorrow.

5. Avoid bargain-basement shopping online. There's nothing wrong with wanting the best price, but be aware that last year we saw plenty of phantom stores pop up around the holidays, advertising prices way below name-brand stores. If you're the type of shopper who buys from the cheapest online store regardless of whether you've ever bought anything from the site before, consider using comparison-shopping sites such as and

6. Double-check those shipping policies. Make sure you understand the shipping and return policies before you click that "buy" button. Look for stores that offer a shipping date guarantee, and make sure the items you want are actually in stock.

For the skittish: AVG published a guide last week that urges consumers who are uncomfortable with entering their credit card details online to consider using an "e-card" solution that gives you the ability to create a temporary card number to be used just once. Other security tips I've seen advise online shoppers who are worried about fraud to consider a pre-paid credit card to protect against having their real credit card number stolen.

Most of the e-card solutions I've tried -- Citibank's, for example -- are difficult to find and not very easy to use. As a consumer, if someone steals your credit card number and uses it to make fraudulent purchases, your liability is limited to $50, and most banks will waive that amount, provided you report any unauthorized charges within two days of noticing them. On the other hand, getting a new credit card as a result of fraud can be disruptive and time-consuming as well, particularly if you have multiple recurring bills set up to use the old credit card number.

If you don't feel comfortable using credit or debit cards, many sites let you pay using "BillMeLater".

7. Read the fine print. CNET's Dennis O'Reilly has a good tip in his safe online shopping summary: "Just as you can find your browser sporting a new toolbar if you rush through an update of your media player or PDF reader, being in a hurry when you make a Web purchase can cause you to 'sign up' for unwanted offers."

8. Shopping online at work could be hazardous to your career. The Monday after Thanksgiving is often referred to as "Cyber Monday" because many shoppers use the day to buy stuff online that they poked at and played with in stores over the previous weekend. But you might want to think twice about online shopping while at work.

Jackie Ford at writes: "Regardless of how you're paid, you're probably an at-will employee -- which means you can be fired at any time for any reason, or even for no reason at all. By surfing when you should be working, you may be making yourself the perfect nominee for the next round of down-sizing."

By Brian Krebs  |  November 29, 2009; 9:15 PM ET
Categories:  Safety Tips  



Any negatives on the new Droid with Verizon?

I see that $199 [online with instant rebate of $100, i.e., $299-$100=$199] seems to be the best price for the unit so far.

Posted by: | November 30, 2009 9:32 AM | Report abuse


Question #2. I have a Blackberry Storm 9530 that just had a 1 hour installation of a major software upgrade last week.

Does that mean that I now have a 9550 Storm 2?

Posted by: | November 30, 2009 9:48 AM | Report abuse

For those who aren't petrified of changing networking settings, using OpenDNS adds an additional layer of address filtering and protection for you. It is simple to set up, they provide all the instructions and, it's free for home use.

Posted by: giff | November 30, 2009 9:48 AM | Report abuse


WHY in the world would I want to change my default DNS nameservers from those of my ISP (in my case, COMCAST) to the freebee ones of OpenDNS? With my ISP, should there problems -- hacking or otherwise -- I at least have some level of legal recourse. With OpenDNS, I would have none.

Posted by: db16 | November 30, 2009 9:59 AM | Report abuse

I think you'll find your advice regarding the security of the Mac misplaced.... Linux is by far the safest OS out there. But everything else is sound advice, shame my mother doesn't read stuff like this.

Posted by: rossp1 | November 30, 2009 10:03 AM | Report abuse

Posted by: DFelipe | November 30, 2009 10:06 AM | Report abuse

It's unlikely that you would have legal recourse against your ISP's DNS unless you could prove malicious DNS configuration. Effectively, they are just acting as a "Common carrier" and passing along DNS information compiled from around the internet.

Posted by: moike | November 30, 2009 10:21 AM | Report abuse


Well, uhh, YEAH, the way DNS works is the information "compiled" is part of the global dynamic distributed DNS database, and it works quite well, all things considered. However, it is also well known to be inherently insecure, and so it is expected that "common carrier" DNS nameservers that we depend on will be patched with the latest security upgrades, etc., to thwart hackers and their malicious exploits.

All I am saying is: If I suffer financial losses because my bank's web site is being spoofed in conjunction with malicious DNS cache poisoning, and I can show that my ISP's DNS nameservers did not incorporate the latest security patches that they should have, I may have some level of legal recourse. That would not hold true if I just up and decide to change the DNS nameservers that I depend on to those of OpenDNS.

Posted by: db16 | November 30, 2009 11:09 AM | Report abuse

Boy, that first tip makes a lot of sense and I'm slightly embarrassed I didn't realize that on my own. Thanks for the list, I just started shopping (and probably shouldn't, per the final tip...)

Posted by: AndyatCPR | November 30, 2009 11:54 AM | Report abuse


If you believe that your optimal security profile involves improving your odds of winning a lawsuit after the hack, rather than preventing the hack from happening... well good luck with that!

Posted by: conspirator5 | November 30, 2009 1:57 PM | Report abuse


Common sense says that everything boils down to COST, RISK and PERFORMANCE ... including security. My "optimal" security profile might suggest that I never do any on-line banking at all. For some, that might be acceptable ... for me, it is not.

Recovery of losses in the event that your house is robbed fits right in with locking your house in the first place. Using a credit card rather than a debit card generally gives much better and more certain recovery of losses in the event of fraudulent charges. Etc., etc.

OpenDNS may indeed offer more security in guarding against anti-phishing web sites than my ISP ... but, it is a freebee and effectively "use at your own risk" for which I probably have no legal recourse in the event of a security compromise. Not so with an ISP that you pay for their services -- including DNS.

To summarize: Re-setting your DNS nameservers from those of your ISP to someone else's is not to be taken lightly. You may do so and possibly get better security than you do from your ISP. But it will come at a price.

Posted by: db16 | November 30, 2009 2:54 PM | Report abuse

What no suggestion for Windows systems to use Firefox or another browser rather than Internet Explorer ?

That seems like an obvious suggestion. Well, at least to me.

Lots of people still continue to use that Microsoft product.

Posted by: rhenley2 | November 30, 2009 4:31 PM | Report abuse

Perhaps I'm missing something here... why have you not suggested PayPal? I use it all the time, and on the one occasion I had an issue with a supplier, PayPal resolved the issue on my behalf. (I do live in Australia, but order world-wide.)

Posted by: feathers16 | November 30, 2009 4:44 PM | Report abuse

You should know that OpenDNS was one of the few that was immune (I believe) to the vulnerability that the world learned of last year that led to DNS poisoning.

That having been said, you might want to have your ISP's DNS scanned at GRC, the makers of ShieldsUp, to see if it can hold par or if it's still unpatched.

Posted by: dward__ | November 30, 2009 4:45 PM | Report abuse
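The test the commenter points to works by watching which UDP source ports and transaction IDs a resolver uses for its outbound queries: a resolver patched for the 2008 cache-poisoning flaw randomizes both, so forged answers are far harder to match. The Python below is an added example, not code from the column or any commenter, that performs that assessment offline on constructed observations; the sample generator, the "GOOD"/"WEAK" labels and the diversity thresholds are assumptions.

```python
"""Offline check of a resolver's query source-port and transaction-ID
randomization. In practice the observations would come from the query
log of an authoritative server you control; here they are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryObservation:
    src_port: int  # UDP source port the resolver sent the query from
    txid: int      # 16-bit transaction ID in the DNS header


def is_sequential(values: list) -> bool:
    """True when every value is the previous one plus a constant step of 1 or 2."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 1 <= steps.pop() <= 2


def assess(obs: list) -> dict:
    """Return a verdict ("GOOD" or "WEAK") plus the findings behind it."""
    ports = [o.src_port for o in obs]
    txids = [o.txid for o in obs]
    n = len(obs)
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port: only the 16-bit txid guards answers")
    elif is_sequential(ports):
        findings.append("sequential source ports: next port is predictable")
    elif len(set(ports)) < 0.8 * n:  # assumed threshold for 'diverse enough'
        findings.append("low source-port diversity")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    elif len(set(txids)) < 0.8 * n:
        findings.append("low transaction-ID diversity")
    return {"samples": n, "distinct_ports": len(set(ports)),
            "distinct_txids": len(set(txids)),
            "verdict": "WEAK" if findings else "GOOD", "findings": findings}


def constructed_sample(kind: str, n: int = 50) -> list:
    """Deterministic, constructed observations for three resolver behaviours."""
    rng = random.Random(2009)  # fixed seed so results are reproducible
    out = []
    for i in range(n):
        txid = rng.randrange(0, 65536)
        if kind == "patched":        # random high port, random txid
            port = rng.randrange(1024, 65536)
        elif kind == "fixed-port":   # pre-patch style: every query from one port
            port = 53
        else:                        # "sequential": simple counters for both
            port, txid = 32768 + i, 1000 + i
        out.append(QueryObservation(port, txid))
    return out


if __name__ == "__main__":
    for kind in ("patched", "fixed-port", "sequential"):
        print(kind, assess(constructed_sample(kind)))
```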

rossp1 at 10:03 am. Your link to a March 2009 article about the now extinct Safari security hole is sooooo outdated. Try to keep up. This Safari security booboo was taken care of over 2 months ago.

Posted by: jerryball | November 30, 2009 5:20 PM | Report abuse

Brian, as an alternative (for Windows users) to doing online shopping on a Mac - which for many would involve not inconsiderable expense - one could install a Wubi version of Ubuntu on one's Windows box at the cost of perhaps 15 - 20 minutes of download/installation time (one doesn't even need to burn a CD) and then do one's shopping from this OS....


Posted by: mhenriday | November 30, 2009 5:24 PM | Report abuse

A bit more to add about #5 - Avoid bargain-basement shopping online. In addition to possibly losing your money and never seeing a product, it is easy enough to give up financial information to scammers.

On top of that, if the events of Halloween are any indication, the act of searching for bargain-basement shops could be dangerous enough on its own:
There are groups of black hats out there who are optimizing search engine results so that it redirects to a malicious site (containing say FakeAV) rather than a shop.

I wouldn't be surprised if we hear about people getting themselves infected on this Cyber Monday.

With regards to the OpenDNS discussion above, I think it all depends on the individual's comfort level. OpenDNS does provide enhanced functions such as blocking access to malicious and phishing URLs. For some people, that is reason enough to use OpenDNS instead of the local ISP's DNS. That said, a number of AV products out there also provide similar function and it would be up to an individual to decide what solution is best for them.

Savio Lau, SophosLabs Canada

Posted by: saviolau | November 30, 2009 5:32 PM | Report abuse

another tip, although not for safe shopping (even though it is safe) is to use online coupons. You can save even more at all types of stores like AT&T, Dell, HP, Target, Best Buy, Amazon, Old Navy and thousands more by using coupons supplied at sites like

Posted by: tightill | November 30, 2009 7:33 PM | Report abuse

Your strategy is otherwise known as "Security by 'In Lawyers we Trust'". I'd personally rather have the average corporate user on OpenDNS to prevent problems rather than trying to collect for damages afterward.

Posted by: moike | November 30, 2009 10:17 PM | Report abuse

I save receipts and many other pages by "printing" the page with CutePDF Writer. A great way to save paper and ink.

Posted by: txJosh16 | November 30, 2009 11:02 PM | Report abuse

"I only do business with the people I do business with" In other words, I stick to places that I have a long-term relationship with such as Amazon, Costco, Newegg, Tiger Direct, Apple, etc. Have done business with these people for years without a hitch and, usually, big savings (except for Apple). Learned my lesson dealing with unknowns when I had issues with the gray market camera clowns in the NY area. What a hassle.

Posted by: Calabrese99 | December 1, 2009 5:57 AM | Report abuse


I don't believe that security is an all black-or-white issue ... you cannot afford to have EVERYTHING in either the PREVENTION or RECOVERY baskets ... you need to have something in both. If everything is geared towards prevention, and prevention fails, that is not a good plan.

An example would be the LoJack Car Security System for Stolen Vehicle Recovery. You can lock your car, you can even put on a steering wheel club ... those are all excellent PREVENTION methods. But, if prevention fails, LoJack can be utilized for recovery.

This is why security best practices always emphasize "defense-in-depth" ... you can't just focus on one aspect, and believe that because you have safeguarded one crucial area that you are actually safe. It might be circumvented in spite of the safeguards ... and so you need other areas of support, to include recovery and minimization of your losses.

I said it before and I will say it again: Changing the default DNS nameservers from that of your ISP to OpenDNS is not something to just do as part of someone else's one-size-fits-all PC Security Checklist. It is something that one should do only after careful consideration of ALL of the pros and cons. Personally, I would not do it.

Posted by: db16 | December 1, 2009 10:34 AM | Report abuse

@feathers16: That's a good point about Paypal. I've been reminding consumers about paying for gifts via Paypal in my online travels for VeriSign (Paypal, like Amazon, uses extended validation ssl, which is a great way to discern legit sites from malignant ones). Really, if you're buying off craigslist or ebay (or any smaller site) there's no other way to go.

Posted by: josephadeo | December 1, 2009 2:17 PM | Report abuse

The suggestion about looking for the SSL padlock icon is VERY unclear.

A padlock in the "chrome" of the browser -- the frame around the outside -- is generated by the browser. That is the icon you should be looking for. In Firefox, it's at the bottom right. (It's unfortunate that Firefox doesn't follow the pattern of its cousin Seamonkey and display a padlock there for ALL sites -- with the padlock unlocked if the site is insecure.)

A padlock in the area where you type the URL or in the area where web pages are displayed is meaningless. In fact, a padlock "favicon" (the little picture next to the URL in the address bar that can be dragged onto your desktop to create a shortcut) is a big red flag. Scammers use them to fool people into thinking a site is secure. There isn't a lot of reason for a site to have a padlock there if they aren't trying to scam people. See for an example.

Posted by: AlphaCentauri | December 1, 2009 7:32 PM | Report abuse

Key Scrambler Personal is a free download that protects you from keyloggers:

Posted by: Ricardo3 | December 1, 2009 10:59 PM | Report abuse

I use a separate, low-limit credit card for on-line transactions only. The other credit card is for my recurring payments and brick store purchases.

Posted by: WashingtonDame | December 1, 2009 11:05 PM | Report abuse

@db16: You wrote "Changing the default DNS nameservers from that of your ISP to OpenDNS is not something to just do as part of someone else's one-size-fits-all PC Security Checklist. It is something that one should do only after careful consideration of ALL of the pros and cons."

I'm curious what you would see as the cons of using OpenDNS -- you mentioned "lack of legal resource", but can you enumerate others?

Posted by: DaveL60 | December 2, 2009 11:10 AM | Report abuse

Terrific. Thank you very much, but I'd need 4 lawyers to understand all that. Huxley's "Brave New World" is already with us. Uncle Twain-twenty

Posted by: justdiogo | December 2, 2009 1:40 PM | Report abuse


Firstly, understand what DNS does ... it is effectively the "white pages" of the Internet, translating hostnames such as into the IP (Internet Protocol) addresses that are then utilized for network access. This information is provided by your designated ("recursive") DNS NAMESERVER that your PC ("resolver") first issues queries to prior to initiating network access. IF, for whatever reason, your designated DNS nameserver is giving out an IP address other than what it should be, THAT is where you will attempt a network connection. THUS, if I can create a "look alike" banking web site just like Bank Of America's, AND I can get your DNS nameserver to return the IP address of my spoofing web site, that gives me a big leg up on stealing your passwords and other valuable on-line banking information.

For the sake of argument, let's say that OpenDNS nameservers are more secure than those of my ISP. They purport to be available, at no charge, to anyone and everyone. From a pure security PREVENTION point of view, it is a no-brainer to go ahead and use them instead of my ISP's, because they are more secure.

Security is more than mere PREVENTION ... it is also concerned with minimization of loss and recovery, in the event that prevention is defeated. With freebee services that you have no contract with and no commitment from, you have no standing if that prevention step is defeated. With your ISP, you clearly have a lot of standing.

There are indeed other cons ... If you experience problems using the Internet, chances are your ISP might be inclined to take a "hands off" attitude if you are utilizing "foreign" nameservers. In an extreme case, the ISP might even take the position that your problems are possibly due to a compromise of your PC due to the fact that you are not using the ISP's nameservers. Etc.

Everyone has to make their own decisions on how to best achieve what they feel is an acceptable level of security yet still be able to use the Internet for what they want to do. In this "Security Fix" column, there is always a lot of discussion regarding this machine over that machine, this browser over that browser, etc.

But when you start monkeying with your DNS, you had better be sure of what you are doing ... and be prepared to deal with the potential consequences.

Posted by: db16 | December 2, 2009 2:04 PM | Report abuse

The notion that DNS settings could have some legal bearing on liability is just silly. DNS is inherently insecure. That's why we have SSL/TLS, which is a little bit secure.

As for the article, it misses the most obvious security tip for online shopping: use single-use credit card numbers, if your credit card company provides them. If your card information is stolen or misused you can shut down just that one number without affecting the others. Some credit card companies additionally allow specifying a spending limit for each single-use number, which you can set a little higher than the purchase you're making. If someone acquires or attempts to misuse the number, there's no credit available.

Posted by: notindc1 | December 2, 2009 8:37 PM | Report abuse

RE: re-directing your DNS queries to "public" nameservers

On a side note, GOOGLE now offers freebee DNS name resolution services ...

Posted by: db16 | December 3, 2009 4:54 PM | Report abuse


© 2010 The Washington Post Company