Will buying online ever be secure again?

[Jeff7]

Maybe I should have bought something less suspicious, like cocaine.

I tried to buy a tablet from TigerDirect, after mine partially crapped out.
(It's a few years old and a bit sluggish, but then the cooling fans started to die. They're sealed-bearing fans, so they can't even be oiled. And I'm traveling for work next week, and don't want to be without a computer, nor do I want an ancient loaner from work.
TigerDirect was the only place that had the one I wanted in stock and ready to go. Fujitsu themselves wouldn't have even shipped it until after I fly out.


- Order tablet.
- Do the "verified by Visa" thing.
- Card company puts a hold on the charge the next day and calls for verification. There wasn't much time spent holding though, so that was nice.
- Verified, charge goes through.
- TigerDirect emails that the order is on hold and that they need verification.
- Call, on hold for several minutes, then they take the order information. Put on hold for another 5 minutes.
- Told that I need to call them back on the number I used on the order.
- That number is a Skype number. 1) I'm at work at the moment. (On lunch now, if you must know.) I don't exactly keep a headset with me. 2) Most of the time when I make a call with Skype, it shows up as 000-000-0000 in California, or just "unknown number." It's set to identify itself as the right number, but it doesn't always seem to work. 3) By the time I get home tonight, their office will be closed. 4) I'm not exactly a Luddite, but I don't have a smartphone, only a basic flip-phone. I didn't give my cell# because a) The thing generally notifies me anywhere from 1 minute to 2 days after the call is made. That's been the case with Tracfone, AT&T, and Virgin Mobile. b) I never carry it with me, c) It's not the number on the card account, d) I don't know of a smartphone that can hold a charge for several days.

I paid for next-day delivery so I could have time to get it all nice and properly configured and loaded with my applications before leaving.

I remember when you could buy a thing and it would get delivered to you and that was about it. Based on how many people are twiddling with their phones while driving though, I guess they're just as addictive as heroin, and so the purchase of these things must be closely monitored. That, and it seems like credit cards just need to be issued monthly. I went through three new cards last year alone. Home Depot breach and Target, so the cards were just replaced en masse, and someone swiped my number somehow and used it to buy a bunch of shoes.

Can I submit a retinal scan already and be done with it? Then hope no one steals one of my eyes and goes on a shopping spree.


</tepid vent>

 

[ImpulsE69]

Ordering online has never been secure. What gives you the impression it ever was?

With more people comes more people getting taken advantage of. It's the same concept as Windows viruses vs Apple/Linux. The bigger the mark, the better odds there's a payoff.

 

[lxskllr]

I'd like to see gpg get more use. Sign and/or encrypt your order using a pre-validated identity. It could be made more idiotproof for "end users", but it's doable if people start taking initiative for their own security.

 

[Ketchup]

I haven't encountered an e-tailer doing verification on something like this. The bank, sure. I suppose they don't want to lose merchandise because of the bank reimbursing for fraud, then the bank going after the e-tailer.

BUT...

You are the customer. They are supposedly trying to sell you something. If they aren't trusting the security of the transaction, they should be talking to the bank, not making you do it.

 

[Ichinisan]

Lots of scammers use Skype. You shouldn't have even considered using a Skype phone number for that. I'm sure that was the root of all your problems.

Use the number Visa already has associated with your card.

 

[Jeff7]

Ordering online has never been secure. What gives you the impression it ever was?

With more people comes more people getting taken advantage of. It's the same concept as Windows viruses vs Apple/Linux. The bigger the mark, the better odds there's a payoff.

Yeah...and I guess you've got people who aren't computer nerds doing the shopping, like it would have been during the early days. Ahh, those golden early days of eBay, when you could snag five keyboards for 1 cent each, or a big box of heatsinks for $5. Back when auction sniping at the last second was a skill, not a program to do it automatically.

My passwords are rather difficult, and they're stored in a thoroughly-encrypted container.
(Granted, a complex password does jack shit if it's stored in plain text on the allegedly secure ecommerce server.)

So you've got plenty of password reuse, and lots of "12345" or "password1" out in the wild.
That, or the "social engineering" thing. Encryption won't do much good if you only have to weasel your way past a CSR who doesn't give a damn anymore.

Lots of scammers use Skype. You shouldn't have even considered using a Skype phone number for that.

I'd have to get a landline then, or else blow away money for a smartphone that may or may not ring when I get a call.
Like the other numbers, the landline would get little use, hence why I don't want to incur that monthly expense.
They probably wouldn't have any idea that it's a Skype number though, if the caller ID thing works properly.

I haven't encountered an e-tailer doing verification on something like this. The bank, sure. I suppose they don't want to lose merchandise because of the bank reimbursing for fraud, then the bank going after the e-tailer.

BUT...

You are the customer. They are supposedly trying to sell you something. If they aren't trusting the security of the transaction, they should be talking to the bank, not making you do it.

Yes, you would think so. Visa was eventually ok that I am in fact me. I guess that's not enough.
Or maybe I did accidentally order the tablet that's stuffed with expensive heroin. That might be what the -002 at the end of the part# means.

I'd like to see gpg get more use. Sign and/or encrypt your order using a pre-validated identity. It could be made more idiotproof for "end users", but it's doable if people start taking initiative for their own security.

"Password? Can't I just use 'qw' for my password? I don't like typing, and those keys are right next to each other."

Or their unprotected and unencrypted phone gets stolen, along with all their credentials.

 

[lxskllr]

Password? Can't I just use 'qw' for my password? I don't like typing, and those keys are right next to each other."

Or their unprotected and unencrypted phone gets stolen, along with all their credentials.

That's why they have revocation certificates. You can't completely fix stupid, but education goes a long way. This stuff should be taught in school whether you're in cs or not. Leaving your house key stuck in the lock is considered unacceptable most places around the country. Digital security should be just as obvious.

 

[Markbnj]

It's a war/race, always has been. I imagine that the reaction of society to the threat of online criminals (real and imaginary) will be the same as the reaction to the threat of terror (real and imaginary): less freedom, more control.

 

[FelixDeCat]

tl; dr

 

[Red Squirrel]

Online shopping will be secure when laws change to hold companies liable for securing their shit, but right now nobody is really held liable but the hackers, and the damages are written off by insurance. The only thing stopping people from hacking is the fear of going to jail. The ones that really know what they're doing just make sure to never get caught.

 

[ninaholic37]

I never really buy anything expensive (over $20-30) online, and I'll usually only order something if I can use my Paypal account. I'll check out things locally online and then go meet the people selling them usually. There was a story of a guy who was chopped into pieces doing that but I think he was selling a truck.

 

[Markbnj]

Ordering online has never been secure. What gives you the impression it ever was?

It's probably more secure than physically walking into a store and handing a stranger your card and a copy of your signature. And since the card associations protect cardholders from the bulk of the risk it's really never bothered me.

 

[mikeford]

Don't order using Skype, your cell, your friends cell, a pay phone, etc.

Use the same number, ideally home number you use to talk to visa etc.

Buy lots of stuff, don't break a pattern.

OTOH I keep waiting for some massive foul up shutting down ecommerce and billions sent to Russia or China.

 

[Jeff7]

That's why they have revocation certificates. You can't completely fix stupid, but education goes a long way. This stuff should be taught in school whether you're in cs or not. Leaving your house key stuck in the lock is considered unacceptable most places around the country. Digital security should be just as obvious.

Quite a few people leave doors unlocked.
Others leave their car unlocked, with wallets and such easily visible.
There's also a prevalent mindset of "If you're doing nothing wrong, what do you have to hide?" I'd guess that most of those people wouldn't want to share the time and dates that their teenage daughter is alone, or information about how often they have to see a doctor for their severe hemorrhoids.

Online shopping will be secure when laws change to hold companies liable for securing their shit, but right now nobody is really held liable but the hackers, and the damages are written off by insurance. The only thing stopping people from hacking is the fear of going to jail. The ones that really know what they're doing just make sure to never get caught.

Some of these people could be behind eight proxies though.

Don't order using Skype, your cell, your friends cell, a pay phone, etc.

Use the same number, ideally home number you use to talk to visa etc.

I can't say I've ever had to do this kind of verification to buy something online. Treasury Direct is the closest I've come, with their 2-factor authentication thing and the onscreen keyboard for entering passwords (no keyboard entry is permitted).
Visa was fine with me calling from Skype, so I'm hopeful that TD will be as well. It's just annoying now, since I paid for next-day shipment too.

Buy lots of stuff, don't break a pattern.

OTOH I keep waiting for some massive foul up shutting down ecommerce and billions sent to Russia or China.

I do get plenty of things online, though I don't think I'll be buying new tablets on a regular basis.

 

[stlc8tr]

TigerDirect is a PITA to deal with. I think their anti-fraud measures are a bit over the top. I've had two orders held up because of their verification BS.

If their prices weren't so good, I would never deal with them again.

 

[Naer]

Never had a problem ordering online

 

[Jeff7]

Good old Skype. They had to call me back to verify.
Skype never rang, and it only just notified me that they left a message.

AT&T, Virgin Mobile, Tracfone, and Skype: All of them have had this problem. Sometimes it rings right away like it should, sometimes it notifies me the minute after the person hangs up, and sometimes it waits a day or so before popping up any notification.

I'd gladly have bought direct from Fujitsu if only they'd be able to ship their own products in less than a week.

 

[trmiv]

Some companies are just a pain. Amazon is always super easy. A few months ago I tried to buy a smartwatch from AT&T's website. I thought it went through, but then I get an email the next day saying "sorry, we cancelled your order because we can't verify your identity." Huh? So I called and they actually wanted me to drive to an AT&T store, show two forms of ID and then I'd be authorized to use a credit card to purchase from their website. Never heard of anything like that before. I told them just forget it and purchased the watch elsewhere.

 

[Svnla]

I purchased many items from TD before, especially their FAR items and had no problem at all, well, some orders did get cancel later when they ran out of stock after TD accept my orders.

 

[Ketchup]

I purchased many items from TD before...

I suspect this is the key here. Buying something for the first time from a particular company, and it of a different type for that card, can throw up red flags for both. The lack of initiative on the part of TD, however, would make me cancel my order.

 

[CPA]

Amazon

 

[CoPhotoGuy]

I tried to buy a tablet from TigerDirect

I found your problem.

 

[Jeff7]

Amazon

Tried there first. The Expedited option might have arrived on time. Or it could have arrived as late as the day after I leave.
Next time I'll have my tablet die, and subsequently be found to be unrepairable in a short amount of time, at a more convenient time.
(It sounded like it was just old fan bearings, a simple thing to fix, so I didn't see it as being very urgent. I haven't ever encountered computer fans with fully sealed bearings like this.)

I found your problem.

I know they used to have a....."reputation" shall we say.
For some reason, I had the impression that they'd cleaned up their act at some point. Guess not.