How do I make sure a Web site is safe when I shop online?

The padlock in the browser bar and a secure site address (https://) mean you have a secure connection. But a secure connection is not proof you are on the right site: it could just as easily be a secure connection to a rogue Web site set up by a fraudster. Can you tell the difference? Ultimately, you are responsible for making sure you are connected to a safe Web site. Here are some tips to help you.

Situation #1: An online retailer you know by name.

1. Here, your priority is making sure you are really at the online store of a retailer you know. That’s not as easy as it sounds.

2. When it comes time to pay, look in the address bar for https:// instead of http:// to make sure you have a secure connection. Never enter credit card information unless you see https://. But that’s not all.

3. You must also verify you are at the legitimate site. Click on the padlock (typically on the right side of the address bar, sometimes at the bottom of the window frame) and read the short security message inside. Look for the Web site owner, and the name of the document issuer. Make sure the Web site owner’s company name is the one you know. If not, don’t buy!

4. Sometimes the browser address bar will turn green or red. Newer browsers look for a more rigorously checked version of the security document behind the padlock. If you see the green bar, it is more likely the site is operated by who it says. If you see a red address bar, stop! Something is wrong and you are not at a trusted site.

5. Here is the last part: Can you trust the author of the security document in the padlock? You must make sure that organization, the Certificate Authority (CA), is someone you trust. You are taking their word that the security document is valid and that the site is operated by whom they say it is. So you had better know who that trusted third party is that signs the padlock! Unfortunately, it is possible for criminals to make or obtain their own padlocks and security documents. So it’s up to you to study the padlock security document and decide whom you trust to confirm the site is legit. Examples of popular CAs include VeriSign, GlobalSign, Thawte and GeoTrust. The problem is, whom else can you trust? Valicert? Azeribaijainicert?

Sound complicated? Well, yes it is. That’s why most people probably don’t bother. Unfortunately, it gets worse.
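Steps 3 and 5 describe checks the browser does not do for you: whether the site owner named in the certificate is the company you know, and whether the issuer is a CA you have decided to trust. As an added example (not part of the original article), the script below applies those checks to a certificate in the form Python's standard ssl module reports it, the dict returned by getpeercert(). The certificates, company names and CA names are constructed; fetch_cert shows how you would obtain a real certificate, and the browser's own chain and hostname verification happens inside create_default_context. One caveat the article leaves implicit: many certificates carry no organization name at all, only the domain, and in that case the "owner" check has nothing to compare and you are left with the domain name alone.

```python
"""Added example: the padlock checks from steps 3 and 5 applied to a
certificate dict shaped like SSLSocket.getpeercert() output.
All certificates, owners and CA names below are constructed."""
import socket
import ssl
import time


def rdn_value(name, attribute):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    tuple structure ssl uses for a subject or issuer name."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def hostname_matches(pattern, host):
    """Match a DNS name from the certificate against the host you typed.
    A wildcard covers exactly one label: *.example.com matches
    shop.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_certificate(cert, host, expected_owner, trusted_issuers, now=None):
    """Return the list of failed checks; an empty list means the padlock says
    what you expect. The owner and issuer checks are the ones the article
    asks you, not the browser, to make."""
    now = time.time() if now is None else now
    problems = []
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(p, host) for p in san_names):
        problems.append("hostname")   # certificate was issued for a different site
    if rdn_value(cert.get("subject", ()), "organizationName") != expected_owner:
        problems.append("owner")      # not the company you know
    if rdn_value(cert.get("issuer", ()), "organizationName") not in trusted_issuers:
        problems.append("issuer")     # signed by a CA you have not chosen to trust
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return problems


def fetch_cert(host, port=443):
    """Real use: fetch the certificate a live site presents. The default
    context verifies the chain against the system CA store and checks the
    hostname, so a failure here is the red-bar case from step 4."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


TRUSTED_ISSUERS = {"Example Trust CA"}   # constructed: the CAs you decided to trust

# Constructed: the retailer you know, on its real domain.
GOOD_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Retail Ltd"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example Trust CA"),), (("commonName", "Example Trust CA"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Dec 31 23:59:59 2098 GMT",
}

# Constructed: a look-alike domain with a perfectly valid certificate. The
# connection is secure, the padlock shows, but the owner is a different
# company and the issuer is nobody you chose to trust.
LOOKALIKE_CERT = {
    "subject": ((("organizationName", "Exampel Retail Ltd"),), (("commonName", "shop-example.com"),)),
    "issuer": ((("organizationName", "Anyone CA"),),),
    "subjectAltName": (("DNS", "shop-example.com"),),
    "notAfter": "Dec 31 23:59:59 2098 GMT",
}

if __name__ == "__main__":
    print(check_certificate(GOOD_CERT, "shop.example.com", "Example Retail Ltd", TRUSTED_ISSUERS))
    print(check_certificate(LOOKALIKE_CERT, "shop-example.com", "Example Retail Ltd", TRUSTED_ISSUERS))
```

Run as-is it prints an empty list for the genuine certificate and ['owner', 'issuer'] for the look-alike; the point is that the second site would pass every check the browser does on its own.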

Situation #2: A retailer you don’t know.

This is a very different story. The vast majority of retailers on the Internet are honest. But how willing are you to roll the dice? Further, how honest are all their employees? Their Web site designers? And how good is their Web site security?

1. At a minimum, look carefully at the security indicators above. The problem is, now you are dealing with a retailer you have never heard of.

2. In this case, you may want to use a free third party payment tool like PayPal, an eBay company. PayPal protects you by allowing you to pay retailers through a PayPal account linked to your credit card or checking account, instead of giving your account information directly to a retail Web site you have never heard of. PayPal also offers an optional personal security device, a very safe way to protect you when paying online. Unfortunately, some online retailers do not accept PayPal or other third party payment tools like Google Checkout or BillMeLater. See “What Internet payment services are there other than PayPal?”

3. If that’s not an option, consider checking out the retailer at an Internet trust organization. This is a company that verifies that a Web site has met certain standards on privacy and other criteria. The North American Better Business Bureau has alliance partners around the world like Eurochambres (the European Chamber of Commerce), the Electronic Commerce Promotion Council of Japan, and the Romanian BBB in Bucharest. The BBB Online Web site, for example, has a good tool for you to enter an online store’s name and check them out. You can also file complaints about sites. BBB Online tracks the retailer’s responses and rates their efforts to respond to customer issues. Web sites approved by Internet trust organizations are able to display that organization’s privacy certification seals, and a genuine seal is an indication that the retailer is established and trustworthy. Be aware, though, that some unscrupulous Web sites display the trust logos fraudulently, so check the seal at the trust organization’s own site rather than taking the logo at face value.

Daunting, eh? Fortunately for you, credit card issuers largely give you a free pass, penalizing the retailers for any online fraud losses instead. Not much motivation for you to be safer when you pay online. Still, even if we do not incur a direct cost for the losses, more and more often we have to deal with the lost time and inconvenience of replacing credit cards due to online fraud or data breaches.

Is there a better way? The safest way to pay online is with some sort of personal digital security device to prove it is really you making the purchase. This could be a smart bankcard you put into a small USB reader when you pay online. Or it could be a token that generates a different password you must enter on the keyboard for every online payment transaction. This makes online payment much more secure, like when you make an ATM withdrawal, because it requires both a card and a PIN code. Bankers call this “two-factor” authentication. One factor is something you know, the PIN, and the second factor is something you have, the card or token.
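The token described above, the one that "generates a different password for every online payment transaction", is an event-based one-time password. As an added example (not part of the original article), here it is implemented as HOTP (RFC 4226) together with the bank-side verifier, so you can see why a captured code is worthless: the verifier only accepts a code a few steps ahead of the last one it honoured and then burns everything up to it. The secret is the RFC 4226 test-vector key; the token and verifier classes and the purchase walk-through are constructed for this example.

```python
"""Added example: the 'different password for every transaction' token
from the paragraph above, as an HOTP (RFC 4226) generator plus the
bank-side verifier. The key is the RFC 4226 test-vector key; the
classes and the walk-through are constructed for this example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code = dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HardwareToken:
    """What the customer holds: a secret that never leaves the device and a
    counter that advances every time a code is generated."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Verifier:
    """What the bank holds: the same secret and its own counter. A code is
    accepted only if it lies within `window` steps ahead of the last one
    accepted; a replayed, old or skipped code is refused, and a successful
    match burns every counter value up to and including the one used."""
    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code: str) -> bool:
        for step in range(self._window):
            candidate = hotp(self._secret, self._counter + step)
            if hmac.compare_digest(candidate, code):   # constant-time compare
                self._counter += step + 1              # resync and burn used codes
                return True
        return False


SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key


def simulate_purchases():
    """Walk one token and one verifier through a normal payment, a replay
    of the same code, a code that was generated but never submitted, and
    the resync that follows. Returns the four outcomes in that order."""
    token, bank = HardwareToken(SECRET), Verifier(SECRET)
    first = token.next_code()            # 755224
    accepted = bank.verify(first)        # True: fresh code
    replayed = bank.verify(first)        # False: same code a second time
    skipped = token.next_code()          # 287082, generated but never sent
    third = token.next_code()            # 359152
    resynced = bank.verify(third)        # True: within the look-ahead window
    stale = bank.verify(skipped)         # False: burned by the resync
    return accepted, replayed, resynced, stale


if __name__ == "__main__":
    print(simulate_purchases())   # (True, False, True, False)
```

The look-ahead window is the only tolerance the verifier has for the two counters drifting apart; keep it small, because every extra step is one more code an attacker who captured the secret-free code stream would be allowed to guess.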

Here is an example of how leading U.K. bank Barclays used smart bankcards to stop online fraud.