The costs of running this huge site are paid for by ads. Please consider registering and becoming a Supporting Member for an ad-free experience. Thanks, ECF team.

Online shopping 101- the basics on how it works and how you can protect yourself.

Discussion in 'The ECF Library' started by oldsoldier, Jul 17, 2012.

Thread Status:
Not open for further replies.
Image has been removed.
URL has been removed.
Email address has been removed.
Media has been removed.
  1. oldsoldier

    oldsoldier Retired ECF Forum Manager Verified Member ECF Veteran

    Dec 17, 2010
    Lurking in the shadows
    This thread is intended to educate our members on how your credit or debit card is processed and how you can protect yourself from fraud. Much of the information here is basic but we have also received input from several sources, including our ECF Suppliers. Please take the time to read it all because it is an important subject and ECF is attempting to address the subject as a whole here, instead of just bits an pieces of the process.

    Lets start off with a flow chart to show the transaction cycle assuming that you are ordering from a supplier that has a properly configured shopping cart on a secure (https:// ) connection:


    As you can see at no time does the supplier have your full credit card information as can be seen by these sanitized screenshots provided by several of our suppliers. As you can see though each is different due to the processor and cart they have something in common, only the last four of your credit card are actually given to the vendor, this is so they can help you identify which card you used.



    More screenshots in link form:
  2. oldsoldier

    oldsoldier Retired ECF Forum Manager Verified Member ECF Veteran

    Dec 17, 2010
    Lurking in the shadows
    Preventing credit card fraud

    ECF has no specific knowledge of consumer-side credit card security so we asked people with some knowledge of this area to contribute to an advice page. There are some very good tips, listed below, and our advice is to carefully read them and follow at least one of them.

    Compromised vendor sites
    It is impossible to say how and why any particular credit card fraud event happened, since some card fraud is probably the result of simple computer generation of card numbers. However, when the card requires the 3-digit security code in order to work, and it has only been used once, then there is a reasonable chance that something associated with the online store visited may be implicated in the event; although the problem might be a keylogger on your PC.

    The fact is that online stores can be vulnerable to exploits in several ways, and this is mainly the responsibility of the website hosting service, not the vendor - vendors are not experts in server security and online sales security. The hosts should be, but frequently are not. There are specialist ecommerce hosting services who do have expertise in this area, and who should be used by vendors. Unfortunately they are not the cheapest hosts - you get what you pay for.

    Secure your PC
    It's true that having a secure PC is also important. You should use a good anti-malware app and firewall that are proven in benchmark testing to score very highly, and ABSOLUTELY NOT base your choice on advertising or image. Good software is often available free, only missing the support option and extra widgets that most people don't need anyway. For example Avast and AVG score very well as an anti-malware choice, and Online Armor is a real firewall that actually works in both directions. A one-way firewall is not as good because it cannot stop the malware 'phoning home' with your data. These apps are all free; or you can upgrade and get support plus extra bells and whistles.

    The drawback to good security is that it involves extra work and hassle. But it's your credit card, and your choice. Just please don't blame everyone else until you have locked down your own system. Spyware is a major industry and they want YOUR data, off YOUR PC.

    For more information consult the community's expert resources, for example at Gizmo's Freeware (basic security software and advice) and Wilders Security Forums (detailed advice). Of course, if you can instruct someone in the detail of running HijackThis tests, interpret the results, and remove their rootkits, then you won't need any up-to-date advice on this subject. Most other people do.

    You and your credit cards
    Staying safe involves some hassle - because that is the definition of security. Use one or more of the tips below and you can eliminate most or all card fraud. The fact is, things can very difficult indeed for online ecig vendors due to the fact that very few merchant partners* will accept them because of the issues (association with tobacco, which is blocked by some of the major processors; and the volume of chargebacks, many fraudulent). Some of the partners they have to use may not be the most efficient in the business.
    * The companies that act as middlemen between the vendor and the banks - 'checkout processors' if you like.

    Security tips
    The advice that ECF has been given is that you should NOT use a card for online purchases that is associated with your main bank account. Instead, you should use one of the options below:

    - Use a one-time prepaid card.
    - Use a pre-pay/pre-load card, and only load it when you are about to buy.
    - Use a Paypal virtual one-time card number.
    - Get a bank account with a card that allows you to generate a 'virtual card number' - this is a card number that can only be used for a single purchase and is useless after that.
    - Have a separate bank account just for online purchases. This is easier to check out for fraudulent activity.

    - Use a solid credit card company who are known to be strong on security. Cheap or minor-name cards may not be so good for the back-up you need.
    - Always read your CC bill very carefully, and check ALL the items.
    - Check your CC bill online regularly, if that service is available to you.
    - Watch out for a small test purchase on your card. Fraudsters often test it out with a small buy that can be hard to spot in your bill - $9 for a book, or $14 for flowers? Call your CC company and check it out.
    - Go to your card provider's website and sign up for the email alerts. You get an email on every use of the card. It adds to email volume - but you'll see a fraudulent use immediately.

    Wilders Security Forums - Powered by vBulletin

    Please use specialist ecommerce hosting - these are the only people who really qualify for your online store's hosting account. Security is the main thing you pay your hosts for, and many of them simply don't measure up. Ecommerce hosting protects you and your customers.

    This is not referring to hosted ecommerce by the way - a proper ecommerce host supports your choice of ecommerce app, has a heavily-firewalled checkout area for your use, updates its servers daily, and scans them for malware regularly. They actually know how to set up PHP and MySQL correctly. Fraud involving sites on such hosts is virtually unknown.

    We came across a server running PHP3 not too long ago, and it was a malware farm. Hosts cause exploits - don't use cheap hosting as it can work out expensive. Don't try and host your own site as you are just contributing to the problem.

    for vendors:
    Computer Security Guide
    SEO Hosting - 3
    Choosing Ecommerce Software
  3. oldsoldier

    oldsoldier Retired ECF Forum Manager Verified Member ECF Veteran

    Dec 17, 2010
    Lurking in the shadows
    Additional credit card security concerns:

    RFID skimming:
    The new RFID enabled credit cards can be queried over a wireless connection to complete a transaction. As any other new technology the fraudsters will find a way to exploit this. In theory a fraudster could walk in a crowd and skim your information from your RFID enabled credit card. Suggested protection against this possibility is the aluminum credit card wallet.

    Physical skimmers attached to ATMs
    There have been cases where a false front was attached to a functioning ATM to read your card when it is put into the slot and steal your information. There is another case where a completely fake ATM was placed and silently gathered all of your information, including the pin number when the user keyed it in. The "ATM" then showed an out of order/out of money message and gave back the card with the victims being none the wiser. Carefully inspect any ATMs or gas pumps you might use your card in. These skimmers are usually attached with double sided tape so they can be quickly and easily retrieved.

    Breach of bank and processing center security:
    As much as the credit Card companies wish to hide it, they themselves have been breached as well as some of the credit card processors. Here is an example:

    Manual Skimming (new take on the old keep your carbons cautions)
    In the old days we used to keep our carbons, but believe it or not this simple mode of theft still occurs. Any time you hand your credit card over to a waiter/server to pay your bill, or hand your card to a gas station attendant as security for a fill-up you risk the oldest and simplest method of credit card fraud. It only takes a moment to copy down your card number and CVV code. Consider this the next time you go out to dinner, run a bar tab, or fill up your tank.

    Phone sales
    Do I need to even go there? :) I would consider very carefully the implications before I made a credit card order for ANYTHING over the phone.
  4. oldsoldier

    oldsoldier Retired ECF Forum Manager Verified Member ECF Veteran

    Dec 17, 2010
    Lurking in the shadows
    Comments from some of our suppliers:

    This supplier went in great detail to explain just what they can and cannot do:

    Another supplier perspective. By the way this supplier has had numerous PCI compliance scans and comes up clean.

    And here is a quote from a supplier discussion thread that shows that our suppliers are not naive. There is a spirited discussion going on among the ECF suppliers right now because this is a subject near and dear to their hearts - putting food on the family dinner table. Even though they are rivals, no supplier wants another to go down in flames and drag the rest in their wake. Trust me on this one -- our suppliers have enough issues in the trade without getting a bad rap for security issues.

  5. oldsoldier

    oldsoldier Retired ECF Forum Manager Verified Member ECF Veteran

    Dec 17, 2010
    Lurking in the shadows
    Some final thoughts and a TLDR; summary:

    Just because you used your credit card online does not mean that a fraudulent charge is the result of an online transaction. There are many other ways that a credit card can be compromised, even a card that was just activated and has never been used either physically or online.

    Yes it is possible that a supplier may have a misconfiguration on their server or compromised cart. This is much less likely if the cart is hosted by a reputable e-commerce host. When you are shopping online always insist that your personal information be transmitted over a SSL ( https:// ) connection. If your browser shows a warning that the page is only partially encrypted I would pass. It may be something as simple as a dropped "s" on an image link, but why take the risk? ALL ECF registered suppliers and Forum Suppliers are required to have secure online payment methods, be it PayPal for those that are allowed by PayPal's TOS or some other form of secure payment processing. I have personally rejected some applications when asked to review a site for Misty for just this reason.

    I would also pass on any site that has a "broken" ssl certificate. Sorry folks - if a business wants to be successful they need to pony up for a SSL certificate that matches their domain name :)
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice