With regular reports on hacked businesses, database breaches, Internet vulnerabilities, and online credit card theft, internet users are rightly worried about making online purchases of fear that their personal information may be compromised by attackers. But where does legitimate worry end and outright paranoia begin? In this article, I will try to allay some of that anxiety and provide users with knowledge on how to shop safely online.
It’s a big scary canvas
In a previous two-part series on this blog, we detailed the general overview of the web’s ecommerce environment and explained why some websites are more prone to credit card theft than others.
E-commerce websites can be grouped into two main categories: e-commerce websites operated by dedicated companies and independent websites operated by the site administrators themselves. The first category includes larger and well-known platforms like Amazon, Shopify, Etsy, and others. The latter includes all the websites where the store has created their own e-commerce website, usually on shared or VPS hosting. It is in this latter category of independent websites that the overwhelming majority of credit card theft occurs. You can check out the series of articles I linked to above for more background.
If you’re nervous about putting your credit card information on a checkout page, you don’t have to worry if they are using a large, well-known platform like Shopify (assuming your computer / browser is not infected – make sure you are using an antivirus software!). If you’re looking to be safe in a family-friendly ecommerce store, let’s explore a few red flags you can be wary of.
Credit card and online security companies take credit card fraud very seriously. They have dedicated teams of people working full time to make sure their customers are as safe as possible from threats. Credit card companies will collect data from “common points of purchaseâFor known fraud cases and often contact the administrator of the website in question to inform them of the threat. In severe cases, website administrators can be fined several thousand dollars for letting their websites be attacked. Taking website security seriously is of the utmost importance if you are operating such a store.
Authorities such as Google will maintain a block list of websites that are known distributors of malware or that contain active threats loaded from malicious domains. Websites that violate Google’s security policies will quickly find themselves blocked.
If you see such a warning when trying to visit any website or checkout page, I would advise against proceeding. There are many other vendors (including ourselves) that maintain a list of known attack websites. You can always connect the e-commerce store in question to a website such as VirusTotal to see if it is being reported by vendors.
It should be mentioned that some providers are much more reputable than others. Just because a vendor reports the site does not necessarily mean they are infected. Some blocklist warnings will also be left from a previous infection that has already been resolved, so this is not a panacea, just something to be wary of!
Security applications that actively monitor and protect your computer against malware and other threats also often intercept suspicious traffic occurring in your web browser.
Different antivirus programs work in different ways, but they all try to protect you as much as possible. With the recent increase in web-based anti-virus and credit card theft programs, anti-virus programs have actively improved their signatures and the detection of these threats.
If you receive a warning / notification from your antivirus program, you should not proceed with the purchase and it is advisable to notify the website owner of the warning.
Pro Tip: Providing a helpful screenshot when reporting issues is always recommended!
Poorly maintained websites
Most often (but not always), the websites that tend to be affected the most by credit card theft malware tend to be the ones that aren’t properly maintained. While it’s not always possible to tell from the outside, sometimes you can! Our SiteCheck tool can identify websites that are running outdated versions of WordPress or other CMS platforms. Other tools such as MageReport (specific to Magento sites) will also attempt to determine if the website is missing any security patches:
Websites that lack security patches or use outdated CMS installations should be avoided as a precaution.
If you want to dig a little deeper, you can also put on your security analyst hat and use some of the same tools we use to identify threats on e-commerce websites. Two of these tools that I would recommend are NoScript (for FireFox) and ScriptSafe (for Chrome).
When you visit an eCommerce website, you can check to see if there are any resources being loaded from suspicious domains.
Here is an example of a known credit card exfiltration domain that throws several warnings:
You can also run a who is order on a domain if you are not sure. Malicious domains usually have a short lifecycle, so a recent registration date is a red flag:
$ whoisÂ cdn-bootstrapcdn[.]comÂ Â Â Â Â Domain Name: CDN-BOOTSTRAPCDN[.]COM Â Â Registry Domain ID: 2616864123_DOMAIN_COM-VRSN Â Â Registrar WHOIS Server: whois.namesilo.com Â Â Registrar URL: http://www.namesilo.com Â Â Updated Date: 2021-09-17T19:20:07Z Â Â Creation Date: 2021-06-02T20:48:51Z Â Â Registry Expiry Date: 2022-06-02T20:48:51Z
Better safe than sorry
For the average internet user, there really is no way to know for sure whether a website can safely enter your credit card information. Although users should be wary, this is not necessarily a reason to close themselves off from the world of e-commerce altogether.
Do your best to be cautious. Avoid websites that can be considered poorly maintained or that are blocked by reputable providers.
Credit card companies will do their best to block suspicious transactions, but be aware that once a credit card number is stolen, it is usually only a matter of days before it fails. be offered for sale on the black market. In the final analysis, your best bet is to regularly check your credit card statement for transactions you haven’t made yourself and to contact your credit card company immediately if you see anything suspicious.
If you are an e-commerce website owner, consider signing up for our website security services to protect your website from attackers and credit cards.