ONLINE SHOPPING


Give Credit Where Credit is Due...

The Annoyance:

The idea of typing my credit card number onto a web page gives me the willies. I feel like I'm inviting people to rip me off.

The Fix:

It shouldn't. Though e-commerce sites do occasionally get hacked (and shady sites might steal your data; see Table 3-2), using a credit card actually offers you some protection if you get ripped off. Thanks to the Fair Credit Reporting Act, if someone steals your credit card information to make purchases, you're only liable for $50 of the total. Even then, many banks and merchants will credit the entire amount when online fraud is involved, provided you catch the mistake in time.

But you'll want to make sure the site is legitimate (see Table 3-2) and that it uses Secure Socket Layer encryption to protect your credit info as it zips through cyberspace. Even then, you'll need to monitor your account carefully to make sure nobody's "cramming" your card (adding bogus extra charges to the account). Most banks put a limit (like a couple of months) on how long after the initial purchase you can dispute a charge, so examine your monthly statements or check your account more often online. An alternative is to get a separate credit card with a low limit and use it exclusively for online purchases. If crammers do max out the account, you'll be less exposed.

Whatever you do, don't ever send a check or cash to a web site, unless you don't care about losing money. (And if that's how you feel, could you send me some, too?)

Table 3-2. Is that online store a legitimate business or a snare for the unwary? Look for these warning signs.

| Shop with confidence | Buyer beware |
| --- | --- |
| Store accepts credit card or PayPal payments. | They ask you to mail cash or a check. |
| Site uses SSL encryption to protect customer data en route to the site. | Doesn't encrypt data, or encryption certificates produce error messages when you double-click them. |
| Site sports logos from trusted authorities such as VeriSign and the Better Business Bureau Online. | Logos are missing or faked (i.e., they don't take you to the logo owner's site when you click them). |
| Store lists its real world location, including phone numbers and a street address. | Street address is missing, or leads to a P.O. box or private mail drop; you can never reach a human by phone. |
| Site offers a detailed privacy policy describing the information it collects and what it does with the data. | Privacy policy? We don't need no stinkin' privacy policy. |


...But Don't Take Undue Credit

The Annoyance:

Sorry, I'm not convinced. I'm still afraid somebody's going to hack into that e-commerce site and rip off my Visa number.

The Fix:

Technically, your card number can be stolen even when shopping at secure sites. For example, someone could install a keystroke logger on your computer. Worse, the e-commerce site could be hacked. Over the last few years, attackers have stolen customer data from such high-profile sites as CD Universe, Egghead Software, and Playboy's online store.

The solution: get a disposable credit card number. Citibank (http://www.citibank.com/us/cards/tour/cb/shp_van.htm) and Discover (http://www2.discovercard.com/deskshop) offer credit card numbers that are good for a single transaction, so even if the number is stolen it won't do thieves much good. Another alternative: online merchants such as Amazon let you place your order online, then provide your credit card number over the phone. If you're still allergic to using plastic online, sign up for a PayPal account (http://www.paypal.com), assuming the e-commerce site you're shopping at accepts such payments. PayPal acts as the middle man: you put money in your PayPal account, the seller contacts PayPal to get paid, and your credit card information never changes hands (provided, of course, you haven't fallen for a PayPal phisher attack; see "Don't Bank on It").

HOW TO READ A PRIVACY POLICY

Any commercial web site worth a damn offers a privacy policy that governs the kind of information it collects from you and what it does with your data. But does that privacy policy really protect you?

A June 2003 study by the Annenberg Public Policy Center (http://www.appcpenn.org) reports that more than 60 percent of netizens either don't understand or completely misinterpret web site privacy policies. In fact, most of those surveyed believed that if a site had a policy, it meant it was protecting user privacy, a far cry from reality. The same users said if they better understood what companies were actually doing with their personal information, they'd be more careful about sharing it.

You don't have to read the policy of every site you visit, but you should definitely read one for any site where you're asked to provide personal information, especially commerce sites where you must cough up an address, credit card, or other sensitive data. Here's what to look for.

Where's the policy? Reputable sites put a link to their policies on the home page, usually at the bottom near any copyright notices. If the policy is buried or nonexistent, there's probably a good reason for it. Be wary.

What data is it collecting? Are you just another anonymous user, or is your entire surfing history being recorded? Does the site deposit cookies on your hard drive? If so, do these cookies track you as you wander the Web? To avoid plowing through pages of legalese, search the policy for the phrase "personally identifiable information" (often shortened to "PII") to get the skinny on what data you're giving up.

Who's it sharing with? Some web sites collect information and do nothing with it, but others are in the data-mining business and will sell you out to anyone who meets their price. Look for phrases like "we do not share information with third parties without your consent," and make sure they require your explicit consent (i.e., you must tell them you want your data shared).

How can you opt out? It should be easy for you to tell the site to stop contacting you or sharing your information with its partners, either via email or a web form where you can specify your privacy preferences. If a site makes you write them a letter to opt out, it's most likely because they really don't want you to do it. Do it anyway.

How does it notify you of changes? Privacy policies can change in the blink of an eye, and sites vary widely on when (and if) they notify you. Some sites, such as eBay, send email to registered users when their policies change. Others (such as Amazon) say nothing, although with big companies like Amazon, significant policy changes are usually headline news. With smaller sites, it pays to check back periodically to see if their key policies have changed (most will note when the policy was last updated).


They Know When You've Been Shopping

The Annoyance:

When I visit Amazon.com, it says "Hello Bob!" (Which happens to be my name.) This creeps me out. How does it know me? Do all web sites know who I am?

The Fix:

Not exactly. Amazon knows you because at some time in the past you registered with the site, most likely when you bought something. The site then deposited a small text file called a cookie on your computer's hard disk. Cookies work like a kind of ID tag. Every time you visit the site, it looks for the cookie, reads the text string inside, and then uses it to call up your record in Amazon's database. The site then loads pages containing your preferences, billing address (if you've provided that), new products that you might be interested in buying (based on past purchases), and that friendly greeting at the top of the screen. This is Amazon's attempt to act like the neighborhood merchant who has known you for the last 15 years.

But most web sites are limited in the amount of information they can glean from a simple visit. They can tell what browser you're using and your IP address, but little else. If you've never registered for the site and/or don't let your browser accept cookies, it won't know who you are.

You Are What You Buy

The Annoyance:

Now that Amazon knows me, it automatically signs me in whenever I visit it. Now I'm worried somebody else can go in and see stuff I've bought or, worse, buy stuff under my name. Can they?

The Fix:

First the good news. Anybody trying to use your Amazon account needs to know your password before they can click the "Place your order" or "1-Click Shopping" buttons. But if they do guess it, and you've told Amazon to store your billing information, they can shop 'til the cows come home. (For more on choosing good passwords, see the Chapter 2 sidebar "Pick a Peck of Passwords.")

The bad news is that people can learn a ton about you just by looking at the home page Amazon creates every time you visit (see Figure 3-10). For example, Amazon provides personal recommendations based on what you've bought in the past, a pretty fair indication of you and your interests. Worse, Amazon has added a feature that can tell you why it's recommending these items, even if you merely looked at an item but never completed the purchase. All perfectly harmless, until your spouse visits Amazon on your home PC and discovers you purchased intimate gifts for someone else, or your boss notices Amazon's home page open on your computer and sees you've been shopping for books on how to change careers. Suddenly those groovy personalization features don't seem so helpful.

Figure 3-10. Amazon makes recommendations based on what you bought (or even thought about buying), which anyone can look at on your PC when logged onto Amazon's home page (so be careful what you buy there).

Your options? You can tell your browser to reject all cookies so Amazon remembers nothing about you, but that means retyping your shipping and billing information with every order, a bit drastic, in my opinion. To temporarily suppress Amazon's personalized greetings, you'll need to formally sign out after every session (that's especially important if you use a public or shared Internet terminal to shop).

Unfortunately, Amazon buries the sign-out button under a maze of pages. You'll have to click Help in the upper right corner, scroll down to the Privacy & Security area and click More, then click "Signing out." Then, redundantly, click the yellow "Sign out" button. The next time you (or anyone else using your computer) visits Amazon, it will greet you with a generic home page. To see the friendly, personalized site of old, click the "personalized recommendations" link at the top of the page to log in under your own name and password. If you leave the site (instead of formally signing out) and return the next day, Amazon will "recognize" you, with all that personal information there for snoops to relish. So don't forget to sign out at the end of every session.
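The cookie behavior described in the last two fixes, modeled as an added example (not from the book, and not Amazon's code): the cookie alone is enough to be greeted by name and shown your history, ordering also needs the password, and signing out kills the ID tag. The ToyStore class, the cookie name "id", and the sample customer are all constructed for illustration.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ToyStore:
    """Constructed model of a store's cookie handling; not any real site's code."""
    def __init__(self):
        self.customers, self.tokens = {}, {}  # name -> record; cookie token -> name

    def register(self, name, password, viewed):
        salt = secrets.token_bytes(16)
        self.customers[name] = {"salt": salt, "pw": _hash(password, salt), "viewed": viewed}

    def _password_ok(self, name, password):
        rec = self.customers.get(name)
        return rec is not None and hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))

    def _set_cookie(self, value, max_age):
        jar = SimpleCookie()
        jar["id"] = value
        jar["id"]["max-age"] = max_age
        jar["id"]["secure"] = jar["id"]["httponly"] = True  # HTTPS only, hidden from scripts
        return jar["id"].OutputString()  # value of the Set-Cookie response header

    def sign_in(self, name, password):
        if not self._password_ok(name, password):
            return None
        token = secrets.token_urlsafe(32)  # random ID tag; holds no personal data itself
        self.tokens[token] = name
        return self._set_cookie(token, 60 * 60 * 24 * 365)  # remembered for a year

    def _token(self, cookie_header):
        jar = SimpleCookie(cookie_header or "")
        return jar["id"].value if "id" in jar else None

    def home_page(self, cookie_header):
        name = self.tokens.get(self._token(cookie_header))  # the cookie alone identifies you
        if name is None:
            return "Hello! Sign in for personalized recommendations."
        return f"Hello {name}! Because you viewed: {', '.join(self.customers[name]['viewed'])}"

    def place_order(self, cookie_header, password):
        name = self.tokens.get(self._token(cookie_header))  # ordering needs cookie AND password
        return name is not None and self._password_ok(name, password)

    def sign_out(self, cookie_header):
        self.tokens.pop(self._token(cookie_header), None)  # old tag is dead even if copied
        return self._set_cookie("", 0)  # Max-Age=0 tells the browser to delete the cookie
```

Anyone who sits down at a browser still holding the cookie gets the personalized page without typing anything, which is why signing out matters on a shared machine.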

IS THAT SITE SECURE?

Before you hand over your plastic, make sure the site uses Secure Socket Layer (SSL) encryption to scramble the data en route. You'll know the page is protected when you see the letters "https" in the web address and a tiny padlock icon in the bottom right corner of the browser. Some web con artists have been known to fake the padlock icon; you can verify it's the real deal by double-clicking it. If a valid certificate from an authority like VeriSign or Thawte isn't present, don't shop there.


Would You Like Spam with That?

The Annoyance:

I just bought something from an online store, and now they're spamming me on a regular basis.

The Fix:

What you're describing may look, smell, and taste like spam, but technically it's not. Because you purchased an item from the site, you now have a pre-existing business relationship, a big fat exemption under most anti-spam laws. The solution is simple: If the biz is legit, there should be a valid unsubscribe link in any marketing message they send you. (And if the business isn't legit, you've got bigger problems than spam.) You may also be able to change your marketing preferences by visiting your account page on the site.

For example, on Amazon.com you'd click the Your Account button, log in, scroll down to the Account Settings area, click the "Update your communication preferences" link, and pick the kinds of messages you want to receive. At the very least, check the "Send me only those messages related to my orders, listings, and bids" box, then click the Set options button.

Most stores provide the skinny on how to opt out of obnoxious marketing in their privacy policies. But the next time you buy something, the store may feel free to send you more mail until you tell them to take another hike.

HOOKED ON MARKETING

Companies that believe they can ignore their own privacy policies should take a lesson from Gateway Learning (no relation to Gateway Computers). The Santa Ana, California company, best known for its Hooked on Phonics series of learning products, got its wrist slapped by the FTC for selling consumer data to marketers (including the gender and ages of customers' children) despite a privacy policy stating the company would not sell information without first obtaining its customers' consent, nor share any data about children. (For the full skinny on the FTC action, see http://www.ftc.gov/opa/2004/07/gateway.htm.) Worse, Gateway Learning allegedly tried to change its policy after the fact, another violation of FTC rules. The company agreed to return the $4,608 it made selling the customer data and has pledged to obtain permission before selling an individual's data in the future.


99.44% Hacker Safe

The Annoyance:

I visited an online store that had a logo claiming it was "hacker safe." Is it really safer to shop there than at online stores that don't have this logo?

The Fix:

All that logo really means is that they pay another company a few hundred dollars a month to look for common site vulnerabilities. That's probably safer than a store that doesn't test anything, but it's no guarantee the site can't be hacked. Such logos tend to boost the site's sales (which is why they pay the money) but may also attract more attention from hackers who want to prove them wrong, one reason why the companies that put the most effort into securing their systems rarely advertise that fact. If the CIA can't create a site that's hack-proof, what chance does bobs-discount-electronics.com have?

The big danger from hackers (or crackers, who are hackers with criminal intent) is they could steal your personal information stored on the site's servers and sell it to the highest bidder, max out your credit limit, or use the data to open accounts in your name, essentially stealing your identity. Not pretty. But if someone's going to steal your ID, they're far more likely to do it by stealing your purse or riffling your postal mail than filching it online, so the odds are in your favor. Your best defense against bogus charges and identity theft is to keep a close eye on your accounts and to order credit reports at least annually, so you can see if anyone out there is pretending to be you (see Chapter 2, "Check Your Reports," for more details on how to contact credit reporting agencies).

Hate having to give a login name and password to access certain sites (like http://www.nytimes.com)? BugMeNot (http://www.bugmenot.com) lists working logins and passwords for more than 13,000 web sites, all contributed by other people who hate compulsory web registration as much as you do.


OPT-ICAL ILLUSIONS

Dig into virtually any aspect of privacy rights and you'll encounter the "opt in" versus "opt out" debate. These seemingly innocent phrases are a big bone of contention between privacy advocates and e-marketers, so it helps to understand what they're arguing about.

When you opt in, you choose to receive marketing materials or have your personal information shared with others. Opting out means you forbid such practices. Unfortunately, many web sites, and nearly all Federal privacy laws such as the CAN SPAM Act of 2003, assume that you've automatically opted in, unless you state otherwise. For example, under CAN SPAM, if you don't want marketing dreck from a company landing in your inbox, you must tell the sender explicitly by opting out, usually by clicking an "unsubscribe" link at the bottom of the message. The problem is that most people either don't know they can opt out or find the process too onerous, which is exactly what marketers are counting on.

Web sites typically have a checkbox at the bottom of their registration pages saying something like "please send me marketing dreck and share my name with your valued business partners." Some sites automatically check the box for you, some don't. My advice: uncheck that box. More advice: only do business with sites that won't contact you, or share your information, without asking nicely first.




    Computer Privacy Annoyances
    ISBN: 596007752
    EAN: N/A
    Year: 2005
    Pages: 89
