Online Shopping: Just How Safe Is It?

As you might expect, I get many questions from users concerned about online security. With regular news of identity theft, credit card fraud, and database hacking, many are understandably concerned about the security of their own information online, particularly when it comes to online shopping.

Some are so concerned, they actively avoid online shopping for fear of having their payment information stolen.

In my opinion, they should be more concerned about the security of their information offline.

TL;DR:

There are very few risks that are unique to shopping online. Most of the risks apply equally well to shopping in person. Major data breaches, for example: large companies capture data regardless of how you shopped. Basic security is necessary in all cases, but there’s a strong argument that shopping online is more secure than its in-person counterpart.

Online shopping is ubiquitous

Most of us now take online shopping for granted. Some may even wonder why this article is needed at all.

The fact is, there are still many people who are afraid to shop at online merchants — even well-known, reputable ones.

Why? They’re convinced that the internet is full of hackers waiting to steal their credit card information as it goes by during an online transaction.

And yet, they’re quite willing to give the same payment information — along with an image of their signature, no less — to a stranger at a restaurant or a grumpy clerk in a retail store.

Risk versus risk

As I wrote in another article, “Most people have an overinflated sense of risk when it comes to threats they don’t understand.”

We’re most comfortable with black and white absolutes: yes or no, safe or unsafe. Unfortunately, the world isn’t black or white.

It’s important to realize there are risks, both online and off.

Unique risks online are few

There are very few risks unique to using your credit card online.

Yes, online shopping security issues do exist. Your device could have malware in the form of a keylogger, which records everything you type. And, while it’s extremely rare, your connection to an online merchant could be intercepted by someone watching and recording your payment information. [1]

Much more common, however, are things that apply regardless of how you use your credit card. The news reports we hear are about major breaches at retailers and banks, where it doesn’t matter if you used your card online or in person. Most of those break-ins are caught and dealt with so quickly that if you or I are affected, it’s only to the extent that we might unexpectedly get a replacement credit card.

Offline risk is more common

I believe individual theft occurs more frequently offline.

  • A clerk might make a copy of your card and signature.
  • A dumpster diver could grab bank statements out of your trash.
  • Someone might steal your new credit card out of your mailbox.
  • You use your card at a cash machine or a store’s point-of-sale terminal, but a thief has hidden a “card skimmer” on the reader that steals your card’s information as you use it.

These offline methods are all much more common than individual online theft.

And even though we seem to hear about online theft on a semi-regular basis, there’s a strong argument that such thefts are still fairly rare occurrences compared to the millions of cardholders and millions of transactions that happen every day.

Good sense implies good security

The fact is, regardless of where you use it, using your credit card represents risk. (But then, so does getting out of bed in the morning.)

Online or off:

  • Shop with merchants you know and trust.
  • Watch for things out of place, be it something odd about the card reader in a store or a missing https padlock on a website.
  • Beware of phishing and other attempts to fool you into giving your personal information to those who would abuse it.
  • Contact your credit card company whenever you think something may have happened.

My take is simple: shop online. I believe it to be safer than many in-person transactions.

Don’t let unfounded fear stop you from enjoying the convenience. I know I don’t.

Footnotes & references

1: Even over https connections, though that’s significantly rarer.

31 comments on “Online Shopping: Just How Safe Is It?”

  1. Let me start by saying thanks for a great piece.
    I totally agree with what you said.

    In fact, I feel more secure giving my info to Amazon or Newegg or Sears or any of the many places I shop online than I do giving it to someone who looks like a crackhead in a dimly lit restaurant.

    Thanks again Leo and keep up the good work.

    Reply
  2. Shopping online is relatively safe, but there are still a lot of risks. Leo, check out buysafeshopping.com, where every seller has passed a business inspection process; agreed to allow buysafe to monitor their performance in every transaction with buyers; and paid for a surety bond from Liberty Mutual to guarantee each bonded transaction up to $25K. It’s the only way to shop safe online!

    Reply
  3. Hello sir,
    I have a question. How about if someone just uses my credit card information to shop online, to buy gadgets? Would I be able to trace the person who used it and where he/she addressed it for delivery? Thanks.

    No. This is something you should leave to the appropriate authorities.

    Leo
    09-Mar-2012
    Reply
    • I take your question a little differently than Leo. You can do some checking to see if it is someone you recognize, THEN give that information to the authorities for follow up.

      Reply
  4. Leo, what do you think of these new services that offer mobile devices and apps that enable small businesses to process credit card transactions on their smartphone? How safe is this for the consumer?

    The concept concerns me so I’d be very interested to read your thoughts.

    I don’t have any direct experience but everything I’ve heard about them is good. Certainly it need be no riskier than handing your credit card to a clerk in a store.

    Leo
    27-Nov-2012
    Reply
  5. Here is my comment about online ordering versus ordering over the phone.
    Years ago I was uncomfortable putting out my credit card information over the Internet. So I called the 800 number to place a phone order with a customer service representative. After she was done taking my order, I asked her a question. I asked her what did she do with the information that I just gave her about my name, address, telephone number and credit card information. She answered by saying that she entered everything into her computer so the information could be processed and sent over the Internet. From that time on, I have just placed my orders through the Internet since it was done by the customer service representative anyway. In the 15 years that I have been doing this using various credit cards, I’ve yet to have a problem with someone stealing my information.

    Reply
    • “Online Shopping – Just how safe is it?” Probably safer than in a shop.
      I’d trust the online ordering much more than giving my credit card number over the phone. Online ordering from a legitimate company uses strong encryption and other safeguards to protect your credit card. I’ve had my credit card compromised twice. I think it was at a gas station (not at the pump) and a restaurant. In any case both charges were reversed with 5 minute phone calls. And I had 2 forged checks, from a checking account I never even had checks printed for. I figured they just made up a number which happened to be mine. The name wasn’t mine. Again resolved with a short phone call. I don’t know if it’s the law or Bank of America policy, but they resolve fraud issues quickly. I’m sure they’d do the same for online fraud except as I said, I’ve never had a problem when online shopping. If you have any doubts about using a credit or debit card online, PayPal is a safe option.

      Reply
      • Years ago, I too had the bothersome experience of a bogus credit card transaction (two simultaneous transactions, actually — both originating in South Africa, of all places). The name was unknown, and the charges were a lot more than my credit line, for all the difference that made. The card’s fraud department noticed the transactions first, and then alerted me. Not that this was any big favor — the instant I noticed them, I’d’ve called the company myself! One phone call and an affidavit later — less than a week all told — and I was good to go once more.

        Credit card companies really do tend to step up for their customers in cases such as this. So: Use your card sensibly, and you can use it without fear. :)

        Reply
  6. I only saw the ‘https’ mentioned in footnote/reference #1. I think it’s more important than that. I have seen small hotel sites in other countries without it, just a http://www._____.com. I place a bigger weight on the https secure sites personally.

    Reply
  7. One GREAT tool I’ve used for almost 10 years now is Citi’s “Virtual Account Numbers” (VANs). VANs are an online system that allows you to create credit card numbers to be used for a specific vendor. You can specify the dollar limit, and the expiration date (from 1-12 months from the current month). For one-time uses, you just create a VAN for the exact amount you want the vendor to have, if the vendor tries to charge more than your specified amount, the system rejects it (just as though you gave them an invalid number). This keeps vendors from adding on additional charges (like higher S/H than originally specified) without your explicit approval.

    For vendors with recurring charges (like phone bills, common online merchants that you buy from frequently, etc.), you create a VAN with the latest expiration date (12 months from creation) and keep at least a 1 cent balance in the VAN (so the first time you use it, you approve an amount 1 cent more than you are going to charge). That 1 cent balance keeps the card active. Then when you want to charge something to that same vendor, just ‘reload’ the VAN with the new amount (again with 1 cent more), and charge it. This allows you to keep credit card numbers on file with the vendor (just like a normal credit card), but they can’t charge against it until you put in the money. Also, once a vendor uses a specific VAN, only that vendor can reuse it. So if you accidentally give an existing VAN to the wrong vendor, they won’t be able to charge against it. For subscription type services, you don’t have to worry about your card being charged in future months/years without you explicitly putting more money into the account.

    You can also use this system for vendors you pay over the phone (I use one for my dentist). You give them the VAN over the phone, just like you would your actual card number, and they charge against it. Even if they write the number down on a stray piece of paper, and someone goes through the trash, the number will be useless because only the original vendor can reuse it, and if it’s only for a one-time use, there won’t be any more money in the VAN account anyway.

    As far as I know, only Citi currently offers this option (and not with all of their cards, so make sure you ask). Citi has both MasterCard and Visa (my VAN is with their MasterCard, I don’t know if they also provide it with their Visa accounts). Discover and American Express used to offer similar services, but they dropped them years ago. If anyone knows of another credit card company that provides a similar service, post it here (and say what you like and/or don’t like about it).

    As I said, I’ve used this for almost 10 years, and it has really helped me feel much more comfortable giving out my credit card number (which is always just a VAN) either online or on the phone.

    Reply
    • Thanks for the heads up on that. I have a Citi card and following up on your suggestion I activated the service. I don’t have a problem with most legitimate e-merchants, but it sounds great for those services which offer a free service but ask for a credit card number to “verify”, or even a subscription service which automatically renews if you forget to cancel.

      Reply
      • I use a velocity credit card and what I like is every transaction that is made either by card or over the phone within seconds of the transaction I get an SMS telling me all the details of the transaction, even when I’m overseas and a priority number to contact if I don’t recognise the transaction.

        Reply
  8. I’ve used eBay with Paypal about 11 years with nary a hitch. I rarely shop with online merchants that don’t take Paypal, that require a credit card number, but all the ones I regularly use and really need do take Paypal. My credit card has been compromised twice in 3 years just from using it at local stores, so I don’t use it at such places anymore except for a couple that I have reason to trust. I use cash only for most groceries and for all restaurants, and *never* give my card to a server that carries it out of my sight to process. All this works well for me and I actually get most things online instead of going out and looking all over town for something, a real advantage due to advanced age and the accompanying decreasing vitality.

    Reply
  9. Not an advertisement at all, I have used an Amex Serve card for all online purchases for the past 2.5 yrs. In NY they charge no fees, no minimum balance and when I got it the card was even free. There are fees in other states and not sure if the card is free anymore, but it is a very simple way to limit any financial exposures you may feel you might have shopping online. You can set up sub accounts, attach it to a checking account etc. I usually just stop at CVS and add cash and it is instantly in the account. Like I said not an ad, just my personal experience with something that works for me.

    Reply
  10. To what Bill said. I too have been using Paypal for over 10 years and have not had a single issue that was not resolved. In fact I use the above mentioned Amex Serve card as my payment card for Ebay.

    Reply
  11. My online rule is only purchase from someone who you know you can walk into their office (might be on the other side of the country, but there is a legitimate office you can go to).

    Some of the offline retailers bother me … even big name trusted retailers (Home Depot is only one example; there are others). You return a product and they don’t ask for your credit card to reverse the charge. Why? They kept it on file. Then what happens? Someone hacks their servers and steals customers’ credit cards.

    Reply
  12. Have been doing business with Amazon for years and have never had an issue despite receiving notices from Google about “Amazon hackings”.

    Reply
  13. Never had a credit card problem either online or offline. Did use a debit card at only two locations, and someone used my debit number to pay their utilities. The bank caught it and reversed it immediately.

    Reply
  14. Another argument is, in my country, the law mandates that fraudulent, online credit card expenses be recredited to you. You just need to ask.

    On top of this, where I live, Visa sells a cheap virtual credit card number service, which is tied to your plastic card account. You can also buy a credit card with an embedded, physical TOTP generator, in the shape of a small screen: the code changes periodically, and you input this instead of the fixed, CCV number.

    And to add to all that, most Visa transactions mandate a 2FA verification system: I use a voice message to my landline, which gives out a verification code.

    So yes, it’s quite likely that buying online is actually safer than using your credit card at a physical shop.

    Reply
  15. Thanks for all the great articles.
    Signatures. I am still laughing at your mention of a “signature” in a store. I have been using credit cards since 1962. The last time anyone looked at my “signature” was about 40 years ago. It is a good thing, since my “signature” on checkout screens never looks like the one on the back of the credit card.

    Reply
  16. Paypal ? I have a Paypal account for selling things. The last time I used it to buy something, the merchant never sent it. Paypal would not let me dispute the charge.

    Reply
  17. My solution is 3 credit cards and old fashioned cash.
    Cash for restaurants.
    One card for recurring utility bills only.
    One for online use only.
    One for offline store only.
    I get a replacement credit card every two or three years because of fraudulent charges. If it is the offline card, I do not have to change anything. If it is the online card, I do not have to change the auto pay information for the utility bills. It is never the utility bill card.

    Reply
    • “..One card for recurring utility bills only.
      One for online use only.
      One for offline store only… “

      One Card to rule them all, one Card to find them…

      (Sorry — couldn’t help myself!). :o

      Reply
  18. I have shopped online for years without a problem. Only yesterday, however, I received one of those misdirected emails from Synchrony Bank the subject line of which was “A trial deposit has been successfully made to your.” The subject line was unfinished and there was no message. This smelled of a scam. An online search for Synchrony Bank quickly revealed that the fault lay with Synchrony and that there was no need to worry. Once Chase even called me about a fraudulent charge very soon after it was made. I shop and use credit cards online with complete confidence.

    Reply
  19. I have used my AT&T Visa account since May of 2014 for all my online purchases. This account allows me to generate a virtual (different) account number for each purchase. I have to logon – userID and very complex (13 characters) password. Each number I use has a price limit I set (usually $5 or $10) over the amount I will charge and the shortest time limit I am allowed to set (2 months). Two months later the virtual account expires. I think this is the safest way to shop on line.

    Reply
  20. Something many people don’t know: If your credit or debit card is lost or compromised your liability is zero as long as you report it in a timely manner. Most credit card companies keep a pretty good watch on transactions, looking for something unusual. It’s to their advantage since they have to eat fraudulent charges. For instance I once got a call from Visa saying they’d noticed that I’d bought dinner in a local Georgia restaurant within an hour of using the same card to buy gas in Chicago. They’d already cancelled the card, ordered a replacement, and refused the Chicago transaction (of course they knew I live in Georgia).

    Both my credit card and my bank send me a text on any transaction over $1. When I use the card in a local merchant I get the text within less than a minute.

    One thing to be aware of. If your credit card is compromised and the bank disputes it, by law you don’t have to pay the disputed balance until it’s resolved. This is also true of a debit card. However a compromised debit card can empty your bank account overnight and it could take weeks to get it fixed and reimbursed. In the meantime checks and billpay are bouncing. That’s the reason why I don’t use my debit card except to get cash back from a single trusted merchant.

    Rather than using the debit card I just pay off the full balance on my credit card monthly or more often, so there’s no interest charge. It’s a “Cash Back” card so I get a bonus at the end of the year and pay zero interest. Win-Win

    Reply
