These articles are lengthy, but a lot of it is explanations. The distillation of the due diligence needed, the actual work you need to do for a comfort level about using a site, is maybe a half hour, probably a little less. That’s not bad when you consider the days, weeks, maybe even months of time and headaches you’ll be saving yourself if you don’t do the necessary due diligence and have to straighten out a mess. And when weighed against the potential for trouble, adequate due diligence comes out much lighter:
A caution here that I’ve mentioned in another part: DON’T create a monster and then have to feed it. What I mean is that you needn’t make this a BIG project. If the effort starts consuming more than a half hour, you probably ought to drop that site and move on to the next. You’re not trying to scrutinize this site for inclusion into the “Ten Most Squeaky Clean Sites” list . . . just do enough so you reach that “comfort level” where you’re confident that using this site is not going to compromise your credit card account number.
So let’s do the malware/malicious code checks.
There are a gazillion FREE tools for this, so I’m just going to give you two that scan several checkers at a time . . . enough to be reasonably sure there is not any hidden malware/malicious code on the site. Any more than that and this will turn into that “monster project” I spoke of above. (“Geeezzz, now lemme try this one, and this one, and this one . . .”)
Common sense security best practice should prevail.
(A good article that expands on this concept can be found at http://www.bbc.co.uk/news/uk-politics-16839217 )
The first malware/malicious code checker is Sucuri Site Check: http://sitecheck.sucuri.net/scanner/
Just for kicks, let’s scan this site here and see what the results are (as if I didn’t already know! ~sarcasm~):
Next and for the second check we have “VirusTotal”: https://www.virustotal.com/
Now there’s a little nuance to this. VirusTotal will check single files OR it will check entire URLs (web pages). The default for VirusTotal is to check single files, so you’re going to want to change it to check URLs, so click on the “scan URL” link:
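Added here as an example (it is not from the original post): the same VirusTotal URL check done through VirusTotal’s v3 API, which is handy if you want to run a few candidate shops through it at once. The URL-id encoding and the `last_analysis_stats` field follow the published v3 API; the sample responses and the pass/review/fail thresholds are my own construction, and the live call assumes you have your own API key.

```python
import base64
import json
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded base64url encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def fetch_url_report(url: str, api_key: str) -> dict:
    """Fetch the existing report for a URL (network call; needs a real VT API key)."""
    req = urllib.request.Request(
        f"{VT_API}/urls/{vt_url_id(url)}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def verdict(report: dict, max_malicious: int = 0):
    """Turn last_analysis_stats into a go/no-go for the 'comfort level' check.

    Any engine calling the URL malicious (beyond max_malicious) fails it; a
    suspicious-only hit is flagged for a closer look rather than an outright fail.
    Returns (verdict, stats).
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    if stats.get("malicious", 0) > max_malicious:
        return "fail", stats
    if stats.get("suspicious", 0) > 0:
        return "review", stats
    return "pass", stats


# Constructed samples in the shape of a v3 /urls/{id} response (not real scans).
SAMPLE_CLEAN = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 20, "timeout": 0}}}}
SAMPLE_FLAGGED = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 60, "malicious": 3, "suspicious": 1, "undetected": 26, "timeout": 0}}}}

if __name__ == "__main__":
    # Offline demo on the constructed samples; swap in fetch_url_report(url, key) for a live check.
    for name, sample in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        result, stats = verdict(sample)
        print(f"{name}: {result} (malicious={stats['malicious']}, suspicious={stats['suspicious']})")
```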
That’s it for malware/malicious code checks.
(As I just said, there are a gazillion of these tools, but these two . . . which check a lot of other scanners . . . are sufficient for your purposes. You may have some favorites . . . I know I do . . . but I recommend using these two for what I’m discussing here about “comfort level” for purchases.)
Now we come to the final barrier you’re going to use to protect your credit card account number. It’s called a “Virtual Account Number” (though some credit card vendors call it by other names . . . for example, Bank of America calls theirs “ShopSafe”, Discover’s is called “Secure Online Account Number”, and Citi’s is called “Virtual Account Number”, but the concept is the same for all of them).
Virtual Account Numbers are not a panacea, but when combined with the security mechanisms explained in Parts 1 and 2, they will definitely reduce your risk . . . that “layered security” I’ve been speaking of.
The idea of a virtual account number is to give the user a temporary account number that IS NOT the actual account number, but IS linked to it. If it’s stolen it will be essentially useless to the thief, and no one will have your actual account number.
These virtual numbers are for online purchases ONLY . . . a brick and mortar clerk is likely to say, “Huh?” or “Sorry, Mr. Jamieson, this number is not valid. I need to see your card.”
In fact, that’s one of the cautions of using a virtual account number online. If the purchase you are making is going to be delivered to a brick and mortar store for pickup, you’re going to run into trouble. That’s because the brick and mortar clerk is going to want to see your card for the pickup. Obviously the number you used for the purchase is NOT going to match the number on your card, and the brick and mortar clerk is likely to get apoplectic or otherwise throw a fit. “Manager to Household Goods . . .”:
Purchasing theater tickets that are going to be picked up at a ticket window presents the same problem. The ticket person is likely NOT to give you the tickets once they see that your card number is different.
Last year Discover stopped offering virtual account numbers, but there was such a clamor from outraged customers they started offering them again. Discover pretty much did an “about-face” on that one.
Some virtual account numbers have a one-time only use that goes with them, so in that case the thief is just flat out of luck even if he/she is able to steal it . . . if he/she tries to use it, it will be no good.
Other virtual account numbers have a spending limit (one you designate) and/or a time limit.
And some are only good at a particular vendor (one you choose).
But they are all temporary in one fashion or another, plus they are not your real account number.
This reminds me . . . disable your pop-up blocker. Most of these virtual account number generators pop up in a small window in the upper left. If you have your pop-up blocker enabled, most times these things won’t work.
Plus, there’s an issue sometimes with the browser you’re using. A lot of them say they’ll only work with IE, but I’ve used Firefox and they’ve worked just fine. I’ve never tried them with Chrome, Opera, Safari, or any of the others. I’m sure there are provisions for Apple Mac users too.
I’m going to go through with screen shots how to get a Bank of America Master Charge virtual account number. I’ve chosen Bank of America because the navigation to get to the “ShopSafe” page is pretty obscure and not necessarily intuitively obvious and I want to show how to get there.
But they all have the navigation path to their virtual account numbers buried in some fashion, and it’s not always clear how to get there. If you’re lucky, the link to it may be on page footers but it’s not always labeled as you think it would be.
You would think that they would have a link labeled “Virtual Account Numbers” but very often it’s buried in something like “Online Purchases” or “Customer Service” or “Account Activity” or “Security Center” or something like that.
In fact I had forgotten how to get to the BOA “ShopSafe” area, so I Googled “ShopSafe” and went from there.
OK, the BOA virtual account number. Obviously you have to log in to your CC vendor. Once there:
Anyway, clicking on that link will take you to:
Sheeesh, hardly what I would call “obvious” . . . more like “buried”.
So clicking on the “Learn about ShopSafe” link (Still not that exact . . . I want to USE ShopSafe, not “learn” about it. But by this time I’ll take anything that has the term “ShopSafe” in it . . . as I said, don’t expect to necessarily see the word “virtual”.)
And then I finally get to:
I have no interest in the “Test Drive” . . . I just want to use the darn thing, so I launch it (#2).
Now I’m finally where I want to be:
Fill in the “spending amount” and time limit (if you want more than 2 months) fields and press “Create Number”.
It grinds and moans and finally you get your virtual account number:
Once you close that pop-up window, it’s gone and is often hard, if not impossible, to get back.
Of course, you can always generate another number, but if you keep doing that pretty soon you’ll defeat the whole purpose of having a virtual number. Best to keep a record of it somewhere.
Alright, let’s wrap this whole thing up. Here’s that half hour or less worth of work you will want to do:
1. Verify SSL (Part 1)
2. Determine trust level (Part 2)
3. Scan for malware/malicious code (Part 3)
4. Use virtual account number (Part 3)
I can’t stress this enough. DON’T make a big project out of this. If it takes more than half an hour, move on. After all, there are plenty of places you can get that replacement kitchen faucet (something I DID purchase online one time, mostly because the price at the local hardware store was outrageous).
BTW, I DID have a CC number stolen one time years ago. Somebody in the UK (and I live in the US) used it to purchase over $750 worth of clothing. Fortunately, I check my statements religiously right away (something you also need to do, and something I didn’t really discuss in these articles but IS essential) and reported the charges to the CC fraud department right away. An affidavit later and the charges were forgiven.
And I’m a security fanatic, so if it happened to me it can happen to someone who doesn’t go crazy over security like I do. As I said, there is no such thing as 100% security, but at least you can minimize your risk.