Some Quick Advice For Safe Online Shopping

Some friends of mine recently asked me for some advice after they realized they may have made some unsafe purchases. I figured I would post a few tips for those of us who can feel intimidated or anxious whenever we hear about the latest data breach.

Some Quick Advice For Safe Online Shopping
Photo by FLY:D / Unsplash

Some friends of mine recently asked me for some advice after they realized they may have made some unsafe purchases on a certain online retailer who will remain nameless because I don't want to deal with a potential libel suit. At any rate I figured I would post a few tips for those of us who can feel intimidated or anxious whenever we hear about the latest data breach.

Always Ensure Purchases Are Made Via HTTPS

Ensuring purchases are made over a secure connection is easily the most basic way to keep yourself safe | Photo by Towfiqu barbhuiya / Unsplash

This is a pretty basic one. It almost doesn't need to be said, since technologies like Let's Encrypt have made what used to be an expensive, time-consuming exercise for folks who want to host a website, into a painless, free, one-step process. With that said though, it means that there is absolutely NO reason for vendors to not properly secure their platforms. Always check the URL in your browser to ensure it begins with https:// and not http://. With that said, even though the site owner might have done their due diligence, there may be situations where the secure connection BECOMES insecure, and on that note...

Stay Off Of Public Wi-Fi

Do you like pineapples? I like pineapples. Funny thing about pineapples: you ever eat too much and it starts to burn the roof of your mouth? Yeah, you'd think that's because they're acidic, but it's not actually acid; it's an enzyme in the pineapple juice that's actually attacking the soft tissue of your palate. You're eating the pineapple, and it's eating you right back.

So what does this have to do with public wifi? This.

Fun fact about the Wi-Fi Pineapple: Its creator, Darren Kitchen of Hak5, originally prototyped it as a hacked wifi router which he stuffed inside a REAL pineapple.

This is the Pineapple, from Hak5. A company which sells cybersecurity tools for penetration testers (har har, laugh at the word "penetration", don't gimme that look. I know you're doing it). Pentesters are ethical hackers who are employed by companies to find security flaws by using the same methodologies and tools a real threat actor would use. The way the Pineapple works, is it finds an open wifi hotspot to connect to, it then connects to the hotspot, and waits for targets. It will attempt to hijack the connection of any connecting device, forcing that device to connect to it instead of the hotspot. It then acts as a man-in-the-middle, watching your traffic and using whatever payloads its operator has loaded onto it to capture, manipulate, and analyze your data. Wanna impersonate someone on Facebook? The Pineapple will help you do that. Wanna hijack an online transaction? Depending on how well-secured the vendor's website is, the Pineapple can help with that too.

So how do you solve a problem like the pineapple? Short answer, stay off public wifi when possible. Also, disable network auto-discovery on your devices; a popular attack vector for the Pineapple is to listen for any devices attempting to connect to the last network they connected to. Once it finds a device doing this, it copies the SSID (the name of the hotspot) that the device previously connected to, and says "yes, I'm that network, connect to me".

Additionally, you could use a VPN (Virtual Private Network). But...well, let's dive into why off-the-shelf VPN providers aren't always a great solution.

Off-The-Shelf VPNs Aren't Bulletproof

As a cybersecurity professional, it's been interesting watching the proliferation of these subscription-based VPN services over the past few years. It seems like out of nowhere, every YouTuber on the platform has been approached by NordVPN, Surfshark, et al. to advertise their services, sometimes to hilarious effect. On the surface they seem great. They'll keep you safe, AND let you watch geofenced Netflix content! But will they? Honestly?

Off-The-Shelf VPN services are a dime-a-dozen these days, but they aren't always all they're cracked up to be.

I could write an entire article on these things, and go completely nerd-mode over WHY these subscription-based VPNs aren't always all they're cracked up to be. I could rank them in terms of efficacy, transparency, etc. (In fact I may just do both of those things, watch this space.) But instead, I'll say this: Implicitly trusting that these things will protect you against devices like the Hak5 Pineapple isn't a good idea. Many of these services aren't even VPNs (not in the in the traditional sense anyway), and don't even encrypt your traffic.

So what's the alternative? You can roll-your-own VPN, and it's actually easier to do than you might think. Many home routers come with support for popular open-source VPN server software like OpenVPN out-of-the-box (TP-Link's Archer series of routers are especially good for this). There are other ways to spin up your own VPN, but I'll leave those for further articles here since they can get a fair bit technical.

The easier alternative, if you have a decent enough mobile data plan, is to tether your laptop, tablet, etc. to your phone's hotspot, and simply don't let your phone connect to free public wi-fi.

It's important to note however, that some public wi-fi hotspots are better than others, and DO implement their own (albeit often basic) countermeasures for attack vectors presented by devices such as the Pineapple, but rather than trusting that the hotspot is secure, it's better to just avoid using it when possible.

Use Prepaid or "Virtual" Credit Cards

There's this really great service that I really wish financial regulators here in Canada would clue into, it's called Privacy.com. The service basically allows you to create "virtual" credit cards which are backed by your actual credit card. The advantage here is that these cards are temporary, and can be created and destroyed on a whim. You can also pre-load them with however much money you want. Your kid wants to buy stuff online? Provision a card number via Privacy, load the card, boom. They can buy all the Fortnite bux they want (is that a thing? Do kids still like Fortnite? I'm old.) as long as they have enough pre-loaded funds on the card.

Don't let little Jimmy use your REAL card to pay for all those Fortnite skins, give him a prepaid card instead. | Photo by Alex Haney / Unsplash

If you're not a US resident however, your best bet would be to get one of those Vanilla Pre-Paid cards from Visa or MasterCard. They work with most things online, and you'll only have problems if the purchase you're making requires pre-authorization.

Don't Use Debit

The nice thing about credit cards is that most credit card companies can spot fraud pretty quickly. Debit cards are linked to your bank, and while banks are also pretty good at fraud analysis, they sometimes aren't so great at getting your money back if fraud DOES happen. Credit Card issuers on the other hand, tend to be much better at this.

Some Payment Processors Are Better Than Others

Back in the long-long ago, when the Internet was still a new thing that Matthew Perry and Jennifer Aniston were making pack-in promotional videos about for Microsoft, the only real third-party payment processor for online transactions was PayPal. They're the OGs. That doesn't necessarily make them the easiest to deal with however. I've heard more than a few horror stories from friends and family who, either as sellers or buyers, have had to contend with fraudulent transactions, only to have PayPal refuse to refund them. Beyond my own second-hand experiences, a quick Google will tell you the same. So what's the alternative?

Well, as a seller, thankfully these days we have platforms like Etsy and Shopify, who offer their own payment processing platforms, and additionally support for other platforms such as Square, Clover, and Stripe. Each of these services have different pricing models, so you'll have to do your homework and decide which works best for you.

As a consumer however, the best advice I can offer is that you should prefer vendors who use these PayPal alternatives, and otherwise use prepaid credit cards for purchases from any vendor that isn't Amazon.

How to receive payments for your online store (ecommerce)
As PayPal alternatives go (at least for vendors), Shopify's "Shop Pay" platform is easily top-of-the-pile | Photo by Roberto Cortese / Unsplash

If a Deal Seems Too Good To Be True, It Probably Is

AliExpress shopping on my iPhone
AliExpress is full of wild deals, but sellers on the platform aren't always properly vetted | Photo by CardMapr.nl / Unsplash

Amazon is easily the most trusted online retailer in the world, and with good reason. They've put in the work, certainly. But what about competing platforms like AliExpress, Wish, Wayfair, or more recently Temu? Well, honestly, Caviat Emptor. We all know how much of a meme Wish.com has become. Hell, the company itself has fully, inexplicably embraced their scamminess. Even Amazon, however, is not without its issues. In fact, a couple years back, Amazon found itself among other retail platforms involved in so-called "brushing" scams. Without going into too much detail, these sort of scams are typically limited to third-party sellers on Amazon, but are more prevalent on its competitors' platforms, as those platforms have a much larger focus on small, third-party resellers. Thus, the strategy here is simply to avoid third-party sellers when possible.

Summary

eCommerce platforms have come a long way since the early days of the web. But as a consumer, they can still present a modicum of risk. There are plenty more ways to stay safe while making purchases online, but the ones listed here are certainly a good start. At the end of the day, it's important to remember, that if something seems too good to be true, more often than not, it is.