Online shopping 101- the basics on how it works and how you can protect yourself.

[oldsoldier]

This thread is intended to educate our members on how your credit or debit card is processed and how you can protect yourself from fraud. Much of the information here is basic but we have also received input from several sources, including our ECF Suppliers. Please take the time to read it all because it is an important subject and ECF is attempting to address the subject as a whole here, instead of just bits an pieces of the process.

Lets start off with a flow chart to show the transaction cycle assuming that you are ordering from a supplier that has a properly configured shopping cart on a secure (https:// ) connection:



As you can see at no time does the supplier have your full credit card information as can be seen by these sanitized screenshots provided by several of our suppliers. As you can see though each is different due to the processor and cart they have something in common, only the last four of your credit card are actually given to the vendor, this is so they can help you identify which card you used.





More screenshots in link form:
http://imgur.com/9fvim
http://imgur.com/AvVHU
http://imgur.com/HXxeR
http://imgur.com/qrEx0

[oldsoldier]

Preventing credit card fraud

ECF has no specific knowledge of consumer-side credit card security so we asked people with some knowledge of this area to contribute to an advice page. There are some very good tips, listed below, and our advice is to carefully read them and follow at least one of them.


Compromised vendor sites
It is impossible to say how and why any particular credit card fraud event happened, since some card fraud is probably the result of simple computer generation of card numbers. However, when the card requires the 3-digit security code in order to work, and it has only been used once, then there is a reasonable chance that something associated with the online store visited may be implicated in the event; although the problem might be a keylogger on your PC.

The fact is that online stores can be vulnerable to exploits in several ways, and this is mainly the responsibility of the website hosting service, not the vendor - vendors are not experts in server security and online sales security. The hosts should be, but frequently are not. There are specialist ecommerce hosting services who do have expertise in this area, and who should be used by vendors. Unfortunately they are not the cheapest hosts - you get what you pay for.


Secure your PC
It's true that having a secure PC is also important. You should use a good anti-malware app and firewall that are proven in benchmark testing to score very highly, and ABSOLUTELY NOT base your choice on advertising or image. Good software is often available free, only missing the support option and extra widgets that most people don't need anyway. For example Avast and AVG score very well as an anti-malware choice, and Online Armor is a real firewall that actually works in both directions. A one-way firewall is not as good because it cannot stop the malware 'phoning home' with your data. These apps are all free; or you can upgrade and get support plus extra bells and whistles.

The drawback to good security is that it involves extra work and hassle. But it's your credit card, and your choice. Just please don't blame everyone else until you have locked down your own system. Spyware is a major industry and they want YOUR data, off YOUR PC.

For more information consult the community's expert resources, for example at Gizmo's Freeware (basic security software and advice) and Wilders Security Forums (detailed advice). Of course, if you can instruct someone in the detail of running HijackThis tests, interpret the results, and remove their rootkits, then you won't need any up-to-date advice on this subject. Most other people do.


You and your credit cards
Staying safe involves some hassle - because that is the definition of security. Use one or more of the tips below and you can eliminate most or all card fraud. The fact is, things can very difficult indeed for online ecig vendors due to the fact that very few merchant partners* will accept them because of the issues (association with tobacco, which is blocked by some of the major processors; and the volume of chargebacks, many fraudulent). Some of the partners they have to use may not be the most efficient in the business.
* The companies that act as middlemen between the vendor and the banks - 'checkout processors' if you like.


Security tips
The advice that ECF has been given is that you should NOT use a card for online purchases that is associated with your main bank account. Instead, you should use one of the options below:

- Use a one-time prepaid card.
- Use a pre-pay/pre-load card, and only load it when you are about to buy.
- Use a Paypal virtual one-time card number.
- Get a bank account with a card that allows you to generate a 'virtual card number' - this is a card number that can only be used for a single purchase and is useless after that.
- Have a separate bank account just for online purchases. This is easier to check out for fraudulent activity.

Also:
- Use a solid credit card company who are known to be strong on security. Cheap or minor-name cards may not be so good for the back-up you need.
- Always read your CC bill very carefully, and check ALL the items.
- Check your CC bill online regularly, if that service is available to you.
- Watch out for a small test purchase on your card. Fraudsters often test it out with a small buy that can be hard to spot in your bill - $9 for a book, or $14 for flowers? Call your CC company and check it out.
- Go to your card provider's website and sign up for the email alerts. You get an email on every use of the card. It adds to email volume - but you'll see a fraudulent use immediately.


Resources
http://www.techsupportalert.com/pc/security-tools.html
Wilders Security Forums - Powered by vBulletin


----------------------------------------
Vendors
Please use specialist ecommerce hosting - these are the only people who really qualify for your online store's hosting account. Security is the main thing you pay your hosts for, and many of them simply don't measure up. Ecommerce hosting protects you and your customers.

This is not referring to hosted ecommerce by the way - a proper ecommerce host supports your choice of ecommerce app, has a heavily-firewalled checkout area for your use, updates its servers daily, and scans them for malware regularly. They actually know how to set up PHP and MySQL correctly. Fraud involving sites on such hosts is virtually unknown.

We came across a server running PHP3 not too long ago, and it was a malware farm. Hosts cause exploits - don't use cheap hosting as it can work out expensive. Don't try and host your own site as you are just contributing to the problem.


for vendors:
Computer Security Guide
SEO Hosting - 3
Choosing Ecommerce Software

[oldsoldier]

Additional credit card security concerns:

RFID skimming:
The new RFID enabled credit cards can be queried over a wireless connection to complete a transaction. As any other new technology the fraudsters will find a way to exploit this. In theory a fraudster could walk in a crowd and skim your information from your RFID enabled credit card. Suggested protection against this possibility is the aluminum credit card wallet.

Physical skimmers attached to ATMs:
There have been cases where a false front was attached to a functioning ATM to read your card when it is put into the slot and steal your information. There is another case where a completely fake ATM was placed and silently gathered all of your information, including the pin number when the user keyed it in. The "ATM" then showed an out of order/out of money message and gave back the card with the victims being none the wiser. Carefully inspect any ATMs or gas pumps you might use your card in. These skimmers are usually attached with double sided tape so they can be quickly and easily retrieved.

Breach of bank and processing center security:
As much as the credit Card companies wish to hide it, they themselves have been breached as well as some of the credit card processors. Here is an example:
http://moneyland.time.com/2012/03/30...e-data-breach/

Manual Skimming (new take on the old keep your carbons cautions)
In the old days we used to keep our carbons, but believe it or not this simple mode of theft still occurs. Any time you hand your credit card over to a waiter/server to pay your bill, or hand your card to a gas station attendant as security for a fill-up you risk the oldest and simplest method of credit card fraud. It only takes a moment to copy down your card number and CVV code. Consider this the next time you go out to dinner, run a bar tab, or fill up your tank.

Phone sales:
Do I need to even go there? I would consider very carefully the implications before I made a credit card order for ANYTHING over the phone.

[oldsoldier]

Comments from some of our suppliers:

One of the things many ecig customers don't understand is the damage that CC fraud does to the supplier. We are rated by the CC processors on return rates. I had an issue just this year where I got an order from Malaysia (first warning sign). I had just talked to another supplier who actually shipped an order to this same person. Even though I didn't even ship the order, the processor hit me with a return and wanted to drop my account because this was my first business using CC processing. After I submitted the facts, they changed their minds. Moral of the story is, we are more concerned about, and take extra measures to prevent, CC fraud more then the customer knows.

This supplier went in great detail to explain just what they can and cannot do:

We use BigCommerce (webstore platform) and Authorize.net to process transactions. When a customer orders on our store, the last part of the process is to input their card info, which is immediately processed by Authorize.net. We do not store any credit card information, and Authorize.net does not store any information on our behalf on their servers[snipped for brevity] Although Authorize.net does offer that service (storing customer info on their servers) we do not use it because I personally do not allow any site to store my card info. [bold added by admin for emphasis!]

When the payment is “authorized and captured”, it is then processed as an order by our site. The ‘captured’ mark lets us know their payment has been taken and we can fill the order.

We also receive an email from Authorize.net telling us the payment has been authorized and captured. All this email tells us is the customers name and address, order number and amount, authorization code and transaction ID and if the address and cvv code match the card they entered. They never transmit any card info via email, not even the last 4 digits or exp date.

We can log into our merchant account on Authorize.net if we need to, but even then the only information we can get is the last four digits of the CC number, customer’s name and amount of the transaction. Basically the only thing you can do is issue a refund-you cannot charge the card again or get the card number, so 99 out of 100 times a merchant will not even bother to look at the transaction on Authorize.net. Authorize.net also does automatic settlements or “batches” every day at 3pm or whenever the merchant sets it up to. The merchant receives an email settlement report with total transactions for the day.

Another supplier perspective. By the way this supplier has had numerous PCI compliance scans and comes up clean.

As a company, we make a lot of online purchases and as a result, we have to
replace our cards about twice a year. There's just no way to pin down where
and how but it happens to us also.

If the people ever saw how many declined transactions we get per day from
first time users using stolen credit cards they would be amazed, It's pretty
widespread. Fortunately most get declined but some go through and we end up
eating those charges along with the cost of items we've shipped.

And here is a quote from a supplier discussion thread that shows that our suppliers are not naive. There is a spirited discussion going on among the ECF suppliers right now because this is a subject near and dear to their hearts - putting food on the family dinner table. Even though they are rivals, no supplier wants another to go down in flames and drag the rest in their wake. Trust me on this one -- our suppliers have enough issues in the trade without getting a bad rap for security issues.

A lot of people aren't as informed as the ones that remain here today. Yes, the ones that remain. The last big blowup over stolen credit cards resulted in quite a few vendors going away a couple years ago. Probably a coincidence though.

You would be surprised how many people have their cart's admin area in a folder named admin.

Guess what that means? The very next time a new exploit comes up, you're target #1. Why? Because they don't have to figure out where your admin tools are to run the exploit. They're in /admin.

[oldsoldier]

Some final thoughts and a TLDR; summary:

Just because you used your credit card online does not mean that a fraudulent charge is the result of an online transaction. There are many other ways that a credit card can be compromised, even a card that was just activated and has never been used either physically or online.

Yes it is possible that a supplier may have a misconfiguration on their server or compromised cart. This is much less likely if the cart is hosted by a reputable e-commerce host. When you are shopping online always insist that your personal information be transmitted over a SSL ( https:// ) connection. If your browser shows a warning that the page is only partially encrypted I would pass. It may be something as simple as a dropped "s" on an image link, but why take the risk? ALL ECF registered suppliers and Forum Suppliers are required to have secure online payment methods, be it PayPal for those that are allowed by PayPal's TOS or some other form of secure payment processing. I have personally rejected some applications when asked to review a site for Misty for just this reason.

I would also pass on any site that has a "broken" ssl certificate. Sorry folks - if a business wants to be successful they need to pony up for a SSL certificate that matches their domain name