Tricky Shopping: When Extra Safety Measure Becomes Security Breach
What can happen when you send your banking information to the support department after the transaction, to “secure your payment”? Nothing good, as a friend of mine recently discovered while shopping online. It is a tangled story we both tried to untangle, and we tell it here as a warning about “extra safety measures” that can turn into a security breach.
It started with a couple of perfumes my tech-savvy friend wanted to buy online. He found a reputable US-based website he already knew and placed the order. Because the shop didn’t accept orders from abroad and he wasn’t a US resident, he gave the address of a US-based friend who could receive the perfumes.
Shortly afterwards, the support department sent him an e-mail, allegedly to secure the transaction. He checked the origin of the e-mail to make sure it wasn’t a phishing attempt and saw that it did come from the shop where he had bought the perfumes. That didn’t seem strange, as online shops use various methods to stop foreign scammers from shopping in the US with international cards.
The e-mail contained a document to be filled in and signed, with details such as his US address, the last four digits of the card number, the expiration date and the Card Verification Value (CVV): the one piece of data that no merchant needs once a purchase has already been authorized.
When my friend discovered his bank account was empty, this transaction started to smell more like ID theft than jasmine and musk.
The bank helped him retrieve information about the fraudulent transactions he hadn’t made. He soon discovered that almost 200 dollars had been spent by cyber-crooks, in his name, on people search engines.
Such tools are a gift to identity thieves and scammers: a social engineer can find a great deal about the people he targets, including phone numbers, e-mail addresses, street names, court and property records and private details such as marital status. In this case, the scammers used the search engine to gather information on 300 people, many of them members of the same family.
My friend knew he wasn’t the victim of a Trojan that had pilfered his banking details, because the scammers gave his US address when buying the background reports. He had used that address exactly once: when buying the perfumes.
In theory, the Payment Card Industry Data Security Standard (PCI DSS) forbids a merchant from storing the CVV after a transaction has been authorized, together with the other sensitive authentication data (full magnetic-stripe or chip data and PIN blocks), even in encrypted form. A merchant that asks customers to type the CVV into a form and e-mail it back has already broken that rule: the code now sits in a mailbox or a ticketing system, outside whatever protection the payment page offers. In practice, a leak by someone with access to those forms is the most plausible explanation for this kind of breach.
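The following is an added example, not code from the article or from the shop it describes. It shows the line PCI DSS draws after authorization: the last four digits, the expiry date and a gateway token may be kept for refunds and support, while the CVV and the full card number may not be retained anywhere, logs included. The gateway call is a stand-in that authorizes nothing, the record field names are assumptions made for the demonstration, and the sample order data and log lines are constructed (the card number is the well-known Luhn-valid test PAN 4111 1111 1111 1111).

```python
"""Keeping sensitive authentication data out of storage after authorization,
plus a scanner for records and log lines that retained it anyway.
Added example with assumed field names; the gateway call is a stand-in."""
import json
import re
from dataclasses import dataclass


@dataclass
class CardInput:
    number: str        # full PAN, used once for the authorization call
    expiry_month: int
    expiry_year: int
    cvv: str           # sensitive authentication data: never persisted


def authorize(card: CardInput, amount_cents: int) -> dict:
    """Stand-in for the payment gateway (assumption: no real gateway here).
    A real gateway consumes the CVV and returns a token and an authorization
    code; it does not echo the CVV back, so nothing downstream needs it."""
    assert card.cvv.isdigit() and len(card.cvv) in (3, 4)
    return {"auth_code": "A1B2C3", "token": "tok_demo_0001", "amount": amount_cents}


def compliant_record(card: CardInput, auth: dict) -> dict:
    """Everything a merchant legitimately needs for refunds and support."""
    return {
        "card_last4": card.number[-4:],
        "expiry": f"{card.expiry_month:02d}/{card.expiry_year}",
        "gateway_token": auth["token"],
        "auth_code": auth["auth_code"],
        "amount_cents": auth["amount"],
    }


def leaky_record(card: CardInput, auth: dict) -> dict:
    """The 'please fill in this form' pattern from the story: card data filed
    next to the order, where anyone reading the ticket queue can use it."""
    return {"number": card.number, "cvv": card.cvv,
            "expiry": f"{card.expiry_month:02d}/{card.expiry_year}",
            "auth_code": auth["auth_code"]}


# Detection side: scan whatever reaches disk (order records, request logs,
# ticket exports) for retained sensitive authentication data.
CVV_FIELD = re.compile(r'\b(cvv2?|cvc|csc|security[_ ]?code)\b\W{0,4}\d{3,4}\b', re.I)
DIGIT_RUN = re.compile(r'\b(?:\d[ -]?){13,19}\b')   # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters amounts, tokens and timestamps out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def retained_sensitive_data(data) -> list:
    """Which kinds of sensitive authentication data appear in a record or a
    text line: 'cvv' for a labelled verification code, 'pan' for a
    Luhn-valid run of 13 to 19 digits."""
    text = data if isinstance(data, str) else json.dumps(data)
    findings = []
    if CVV_FIELD.search(text):
        findings.append("cvv")
    for m in DIGIT_RUN.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("pan")
            break
    return findings


def scan_log_lines(lines: list) -> list:
    """Indices of log lines that leak card data (what a log-review job flags)."""
    return [i for i, line in enumerate(lines) if retained_sensitive_data(line)]


# Constructed sample data for the demonstration.
SAMPLE_CARD = CardInput("4111111111111111", 12, 2026, "123")
SAMPLE_LOG = [
    "POST /checkout 200 token=tok_demo_0001 last4=1111",            # fine
    "DEBUG form body number=4111111111111111 cvv=123 exp=12/2026",  # leak
    "INFO refund 1999 cents auth=A1B2C3 order=20240115123045",      # fine
]

if __name__ == "__main__":
    auth = authorize(SAMPLE_CARD, 1999)
    print(retained_sensitive_data(compliant_record(SAMPLE_CARD, auth)))  # []
    print(retained_sensitive_data(leaky_record(SAMPLE_CARD, auth)))      # ['cvv', 'pan']
    print(scan_log_lines(SAMPLE_LOG))                                    # [1]
```

The scanner deliberately runs the Luhn check on every long digit run: the 14-digit order identifier in the third log line fails the checksum and is left alone, while a genuine card number in a debug line is caught. Run the same scan over ticketing exports and support mailboxes, not just application logs, since that is exactly where a “security form” like the one in the story ends up.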
HotForSecurity contacted the perfume shop, but they didn’t answer our request. We have also sent e-mails to various online retailers to enquire about their security. While most didn’t comment, others said the security measures they take for international card holders are “confidential.”
My friend’s online shopping experience is not the only one with problems. Fortunately, his had a happy ending: he got his money back thanks to good cooperation from his bank, and he is now wearing one of those fine perfumes. He didn’t give up online shopping because of a single bad experience, but he did learn to be more careful.
Here are some tips and tricks that you might find useful when shopping on the Internet:
1. Be careful with fake shops, online stores and bogus payment services. Some scammers go so far as to build a good-looking website from scratch and register the domain for several years so that it looks established.
2. Check your financial information regularly, and especially before and after an online transaction, to see if anything is out of place.
3. Avoid shopping from a Wi-Fi hotspot. A Bitdefender study revealed 85% of people choose to connect to a free Wi-Fi, despite clear warnings that their data can be viewed and accessed by a third party.
4. Keep your antivirus up-to-date to block live fraudulent and phishing web sites that try to steal your personal information. Don’t hesitate to use the extra features in your security solution. Bitdefender Wallet, for instance, offers secure password management and remembers login credentials. For a private online banking and shopping experience, our users are also protected by Bitdefender Safepay, a free desktop app with a secure, isolated browser.
5. Before shopping online, type the shop’s address into the browser yourself rather than following a link, to avoid handing sensitive information to a copycat site. Check that the address starts with “https://” instead of “http://”, but remember that https only means the connection is encrypted, not that the site is the one you meant: a copycat can have a valid certificate too, so check the domain name itself.
6. If you keep receiving e-mails from the shop or its support department after the transaction is complete, don’t reply with any card data. Contact the shop through the phone number or contact form on its official website and ask what the extra “security measure” is for and why it is needed after the payment has already gone through.
7. Never give out your PIN, and don’t confuse it with the CVV. The Card Verification Value is a 3-digit number on the back of most credit and debit cards (American Express uses a 4-digit code printed on the front). Merchants ask for it during checkout to confirm that the person paying has the physical card in hand; it does not prove that you are the account holder, and no legitimate merchant needs it again once the payment has been authorized.
8. If you are still worried about your money while on-line, you can also check this HotForSecurity article.