Shopping online or via an app is convenient, but it can put your credit or debit card at risk. Here are ways to stay safe
What’s worse than realizing you maxed out a credit or debit card? Discovering someone else has done it for you.
Mobile apps and online shopping accounts have become popular, and many offer rewards programs for customers. However, shopping via apps or online accounts often means you are storing card data with third parties.
And unfortunately, as we get more technologically advanced, so do criminals, says Eva Velasquez, president and CEO of the Identity Theft Resource Center.
“Thieves are always going to find the most clever way to monetize our data and our information,” she says.
Here are six things you can do to protect your cards when shopping electronically.
No. 1: Do not choose auto-reload
Some merchants offer a feature called auto-reload that allows you to link a gift card or online or app shopping account to a credit card or debit card.
When money on that gift card or in that shopping account drops below a pre-selected limit, new funds are automatically added and charged to the linked payment card.
Therefore, a thief who hacks you could repeatedly reload the gift card or shopping account and shop until your card is maxed out or your debit card hits zero, says Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.
With auto-reload, you are giving up some security in order to have greater convenience, says John Breyault, vice president of public policy for the National Consumers League.
To protect yourself, do not choose auto-reload. If you already have it activated, disable it. If you insist on keeping it, ask some questions:
- Does the merchant institute auto-reload limits, such as limiting the overall number of transactions allowed, the number of transactions that can be made within a given time period and the dollar amounts that can be charged?
- If you turn auto-reload off, can anyone who accesses your shopping account simply switch it back on?
- What’s the company’s policy (and track record) with auto-reload fraud?
No. 2: Keep passwords fresh, complex
When you register at a site, do not recycle a username and password from another account, says Breyault. If you do use the same info for multiple sites, a person who hacks you will have the “keys” to other online accounts.
Criminals buy and trade names and passwords, then try them at various popular sites, says Ben Johnson, chief security strategist for Bit9 + Carbon Black, a tech security firm.
Another important way to protect yourself is to use passwords that are lengthy. “I wouldn’t use anything less than a six- or eight-digit password,” says Breyault.
Want to frustrate hackers? Skip the easy-to-remember combos like “1234” or “password.” Also avoid using details that are easy to guess, such as your birthday, or a favorite pet or college team name. Instead, opt for a string of seemingly unrelated letters and numbers, says Breyault.
One cheap but memorable solution: Use the first letters of a book title, song lyric or favorite quote, with a few numbers and capital letters thrown in.
You can also employ technology and buy a password manager, says JD Sherry, CEO of Cavirin Systems, which handles security and compliance for cloud and data centers. “I don’t even know my passwords, they’re so complex,” Sherry says.
And, for the love of security, change those passwords once in a while. Johnson says experts generally recommend switching every 90 days. However, most consumers can get by with every six months, every year, or when there’s a problem with a site or app, he adds.
No. 3: Investigate security first
Anytime consumers consider storing card information on a site or in an app, they “should at least think about it in the (same) terms that they would to protect their bank account,” says Eddie Schwartz, chair of the cybersecurity task force for the Information Systems Audit and Control Association, and president and chief operating officer of WhiteOps, a company that specializes in digital fraud protection.
Johnson agrees: “If you’re not comfortable or can’t figure out how they’re protecting your data and your account, you’ve got to walk,” he says.
Look for protective features, such as:
- Lockouts. This feature prevents people from accessing your account if they log in from a different device. It also locks a person out after a certain number of failed login attempts. These tools seem simple, but they hit crooks where they hurt most: the wallet. Locking a thief out after a few failed attempts “even for half an hour changes the economics,” says Johnson, making it harder for the crook to grab your account information or access linked cards.
- Multilevel authentication. With this feature, a simple name and password alone are not enough to get anyone — including you — into the account. Instead, you will need at least one more piece of information that will come from a different source. A common option for this extra information is a one-time code the site sends to your phone.
- Notifications and alerts. If an app or online account offers security notifications, “turn them on,” says Schwartz. While sometimes annoying, an alert that someone just used your account to spend a bundle will “wake you up,” he says. “It’s in real time, and you’ll pay attention,” Schwartz adds.
No. 4: Say yes to credit cards, no to debit cards
If you are going to store card information on an app or site, make it a credit card, not a debit card, says Breyault. “The protections are better,” he says. “And you’re unlikely to miss a (mortgage or bill) payment because someone has drained your credit card.”
With a credit card, the Fair Credit Billing Act limits your financial losses to $50. Many cards exceed federal laws and waive your liability altogether.
By contrast, you can be liable for up to $500 — or even the total amount of your loss — with a debit card, depending on when you report the fraudulent activity.
Select a credit card with a good record of fighting fraud and granting chargebacks, says Velasquez. Those terms and conditions are what sets them apart, but nobody really drills down and reads them,” she says. “So know the parameters of your credit card.” Use any security tools and alerts the card offers, such as alerts for each online transaction, she says.
If you don’t have a credit card and want to shop with apps and online accounts, you can often link to one of the retailer’s own gift cards, says Velasquez.
By linking to a gift card instead of a debit card, you limit potential losses to the balance on the gift card, instead of to the balance of your checking account.
No. 5: Watch those linked cards
If you link a card to an electronic shopping account, keep an eye on the card.
“Pay close attention to your statements,” says Breyault. “If you see unusual activity, question it right away.” Quickly report such activity to your card issuer. Do not rely on a retailer to do it for you.
If you believe you have been hacked or had your financial data compromised, consider helping others by filing a complaint with the National Consumers League and/or the Federal Trade Commission, says Breyault. These organizations “will share their complaint with a network of law enforcement agencies,” he explains.
No. 6: Amp up your security
Johnson says many of today’s phones have virtually become a “point-of-sale system.” If your phone is now your wallet, start treating it like a wallet. “You have to be careful about mobile malware and unauthorized access to your phone,” Johnson says.
For starters, put a password on your phone, says Velasquez: “If it’s lost or stolen, someone can’t just hit a button and use these apps to make various charges.”
Install anti-virus and anti-malware programs for your phone, she says. Some of these programs even feature the ability to assign different security levels to different apps, she says. Also install such software on your home computer.
See related: 4 ways to evaluate mobile shopping app privacy, security, Online shopping options offer credit card safety, 8 tips to keep your cards safe while shopping online