Following the Web Shopping risk context, this post will describe how the identified threats can be addressed.
- Use case - web shopping
- Addressing the threats - web shop legitimacy, payment process and information handling - current post
- Scenario example - buying an ebook reader from a shady web shop
Questions that you need to ask yourself when web shopping:
1. Is this web shop legitimate and trustworthy?
2. Is the payment process clear, legitimate and trustworthy?
3. Is my information handled properly?
Further below, we will look into how these questions can be answered. This requires time on the user's side, but it is always better to be safe than sorry. A couple of minutes invested in researching a web shop can save many headaches afterwards.
1. Verify whether the web shop is legitimate and trustworthy
A web shop can be fake, created only for the purpose of fraud. Others may simply be unprofessional, and any user might be reluctant to entrust their information and money to the owner of such a web shop.
There are several indicators that can help us understand whether a web shop is legitimate or not.
- Physical owner and/or company information - name, VAT number, address, telephone number
Legitimate web shops are usually registered companies in a certain country. Depending on the legislation of that country, web shops might be required to display information about themselves publicly on their home page or on another page of the web shop.
Missing or ambiguous information about the legal entity or the owner is a clear bad indicator.
- Domain information - domain age, registrar name and organization, address, telephone number
A domain name is the address where the web shop is reachable (for the popular Amazon, the domain name used by German customers is "Amazon.de"). Domain name information (known as WHOIS) is publicly available and can be used to see when the domain was registered, who registered it and which organization it is linked to.
Was the domain registered a week ago, while the web shop claims it has been active for 3 years? Does the domain information coincide with the information on the web shop?
One website that can give you such information is Whois.is.
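The domain-age question above can be checked mechanically once you have the WHOIS text in hand. The following is an added example, not code from the original post: it parses a constructed (not real) WHOIS record, locates the creation date under the key names registrars commonly use, and flags the case where the domain is younger than the number of years the shop claims to have been trading.

```python
from datetime import datetime, timezone

# Constructed sample WHOIS output (not a real record). It mirrors the
# "Key: value" layout most registrars return; the domain was registered
# one week before the "today" used in the usage section below.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Phone: +1.5555555555
Creation Date: 2024-03-01T10:15:00Z
Updated Date: 2024-03-01T10:15:00Z
Registry Expiry Date: 2025-03-01T10:15:00Z
Registrant Organization: Privacy Protect LLC
"""

# Key names under which different registrars report the registration date.
DATE_KEYS = ("Creation Date", "Created On", "Registered On")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict, keeping the first occurrence."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("%"):
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())
    return fields

def parse_date(raw):
    """Accept the ISO timestamp and plain date formats seen in WHOIS data."""
    raw = raw.strip().rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def check_domain_age(whois_text, claimed_years, today):
    """Return (age_in_days, consistent); consistent is False when the
    domain is younger than the shop claims to have been active.
    'today' is a YYYY-MM-DD string so the check is reproducible."""
    fields = parse_whois(whois_text)
    created = next((parse_date(fields[k]) for k in DATE_KEYS if k in fields), None)
    if created is None:
        return None, False  # no usable registration date is itself a bad sign
    age_days = (parse_date(today) - created).days
    return age_days, age_days >= claimed_years * 365

if __name__ == "__main__":
    age, ok = check_domain_age(SAMPLE_WHOIS, claimed_years=3, today="2024-03-08")
    print(f"domain age: {age} days, 3-year claim consistent: {ok}")
```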
- Customer and 3rd party reviews - social media and review websites
There are specialized websites that provide a platform for users to post reviews of online services. How trustworthy these are is debatable, as a web shop can employ people to post good reviews. On the flip side, a web shop can employ people to post bad reviews of its competition.
Another viable source of reviews is customer feedback on the web shop's social media pages, like Facebook, LinkedIn, Google+ or Twitter.
- Secure connection - HTTPS and green "Secure" marker
There is a lot of information flowing around on the internet. One thing users must pay attention to, especially when transmitting personal and sensitive information, financial information or credentials, is a secure connection. Without a secure connection to the web shop or website the information is being transmitted to, the information is highly likely to be intercepted by adversaries.
A secure connection can be observed in the URL bar of your browser, like in the example below.
Here, Amazon.de has a secure connection directly from the home page. Ebay.co.uk does not have a secure connection on the home page, but it does when signing in to your account (hence signin.ebay.co.uk).
- Text - bad spelling and grammar, misleading/ambiguous formulation
Spelling and grammar mistakes are as "human" as they can be, even for professional web shops; a certain wording or formulation can always slip through. This is more an indicator of how professional the web shop really is. On the other hand, spelling mistakes are a common indicator of phishing websites and emails.
Ambiguous formulation is also an indicator of how trustworthy a web shop is. If information is not CLEARLY presented to the user and leaves room for interpretation, the user can get unexpected surprises, like paying a different amount than expected.
2. Verify that payment options are legitimate and mentioned upfront
Legitimate and trustworthy web shops will clearly state what kind of payment methods they accept and what costs are associated with using their service (like delivery, VAT).
This is usually seen via a:
- graphic element - an image on the web shop depicting the methods
Bad indicators include
- Handling credit/debit card payments directly rather than via an authorized payment processor. Depending on its size and revenue, a web shop might choose whether or not to become an authorized payment processor. The decision is usually the latter, because providing secure and trustworthy payment processing services is expensive and cumbersome, which is why it is "left to the experts".
- Ambiguous formulation regarding costs, such as VAT, currency exchange or delivery - pay close attention to the text before purchasing, and even greater attention to the small print.
3. Understand how your information is being processed
Depending on the legislation under which the web shop company is created, the owner might be required to state upfront how user information is processed. Regardless of the legislation or country, this is a very good indicator of how professional and trustworthy a web shop is.
If the web shop cannot answer the following questions, it is clearly a bad indicator.
- What information is collected?
- For which reason?
- How is this information protected?
- Who is this information shared with?
Now that the risk context for web shopping has been built and we understand how to address the threats related to web shopping, it is time to move on to an example of a suspicious web shop.