How to Check Web Shops for Basic Security

I just had a very nice chat on the phone with a man whose first attempt at online shopping seemed to have resulted in a fraudster using his card to buy mobile phone top-ups. I don’t understand why he called us (it wasn’t one of my web shops), but I hope I did the right thing by directing him back to his credit card company’s fraud department.

While I was talking to him, I was checking the shop he had problems with. I wouldn’t have bought from it. Here’s how I checked it:-

1. Check the Page

Open the front page of the site in one browser window and, in another window, get to a page that ought to be secure (the payment/checkout page is my usual one). Look at them both. Does either of them show logos from well-known payment providers (Barclays, RBS, Protx, …) or security-checking services (thawte – who else?)? That’s not entirely reliable, because a logo is just an image that anyone can copy onto a page, but it’s usually a good sign because those companies go after people using their marks without permission.

Look at the payment/checkout page – does the address in the address bar start “https”? If so, is the padlock in the browser status bar (usually bottom right) closed? That usually means the connection is encrypted, with Secure Sockets Layer (SSL) or its successor TLS, and that the server presented a certificate the browser accepts. It says nothing yet about who is on the other end of that connection, which is what the next two checks are for.

2. Check the Certificate

Open the certificate details. In Firefox-based browsers, double-click the padlock, then click the “View Certificate” button. Then pick “Subject” in the second list box. Usually, it looks like this:-

[Screenshot: Basic Certificate Screenshot]

In that case, as long as the “CN” (common name) is the webserver you thought you were using and the “O” (organisation) and country code (C) make sense, there’s nothing obviously wrong. The browser has already checked the CN against the address you typed, so the field worth reading is O: if it is missing, or holds a placeholder rather than a company name, the certificate was issued against control of the domain only and tells you nothing about the business running the shop.

Some shops now use Extended Validation certificates and give a bit more information. Here’s one from a train company:-

[Screenshot: Extended Validation Screenshot]

In addition to the CN and O, it shows Organisational Unit (OU), Locality (L) and State (ST), and also other address parts and the company registration number, which Firefox doesn’t display neatly. This is a bit more reassuring, because the certificate authority has checked the company’s registration before issuing it, but it is also a lot more expensive for the shop owner (around 20 times more, last I checked), so I don’t blame shops for not using them.

3. Check the Registrations

By this point, the payment processing and actual transaction are looking pretty good. Finally, I check the recipient: encryption only protects the card details on their way to whoever runs the site. Find the business details on the web shop. Does it include a geographic address? If it contains a company registration number, look it up on the Companies House website and check that the company name and registered office match what the shop says about itself.

Then I look up the business details behind the domain name – CoolWhois is one service you can use for whois lookups. If any of the addresses or numbers don’t match (website, SSL certificate, whois), then I call them to ask why their website says they’re based in Bristol but their domain name is registered to Bolton. If they don’t answer messages, or – worse – the domain name says “Non-trading Individual” and the address has been omitted from the public listing, I give up on them and look for another shop. There’s no point securely paying someone that you can never reach if there’s a problem.
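Here are the three checks above as a script, added as an example for this page rather than code from the original post or from any of the services it names. It uses only Python’s standard library: `fetch_peer_cert` pulls a live certificate the same way the browser does, while the sample certificate, the website business details and the whois record are constructed (a hypothetical shop.example.co.uk) to reproduce the Bristol/Bolton mismatch from step 3. The subject field names follow what `ssl.SSLSocket.getpeercert()` returns, and the DV/OV/EV reading of the Subject is a heuristic of mine, not the browser’s own EV check.

```python
import re
import socket
import ssl

# getpeercert() shape: "subject" is a tuple of RDNs, each a tuple of (attr, value) pairs.
# Constructed to look like an OV certificate for a hypothetical shop; not a real site.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("localityName", "Bristol"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "shop.example.co.uk"),),
    ),
    "subjectAltName": (("DNS", "shop.example.co.uk"), ("DNS", "www.example.co.uk")),
}
# Business details as printed on the shop's contact page (constructed).
SAMPLE_WEBSITE = {"name": "Example Shop Ltd", "town": "Bristol", "address": "1 High Street, Bristol", "company_number": "01234567"}
# The domain's whois record (constructed): same company, but a different town.
SAMPLE_WHOIS = {"name": "Example Shop Ltd", "town": "Bolton", "address": "2 Mill Lane, Bolton",
                "company_number": "01234567", "registrant_type": "UK Limited Company"}

NON_TRADING = re.compile(r"non[-\s]?trading individual", re.I)

def fetch_peer_cert(host, port=443, timeout=5):
    """Steps 1-2 against a live site.  The default context verifies the chain and
    the hostname, so an unacceptable certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_fields(cert):
    """Flatten the subject into {attribute: value}, e.g. {"organizationName": ...}."""
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}

def hostname_matches(cert, host):
    """The CN check from step 2: names live in subjectAltName on modern certificates,
    CN is only a fallback, and a wildcard covers exactly one label."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and subject_fields(cert).get("commonName"):
        names = [subject_fields(cert)["commonName"]]
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False

def validation_level(fields):
    """Rough reading of the subject, as in the two screenshots: DV carries only a CN,
    OV adds a verified O and C, EV adds the registered address and company number.
    Heuristic: the authoritative EV marker is a policy OID getpeercert() does not expose."""
    if fields.get("serialNumber") and fields.get("businessCategory"):
        return "EV"
    if fields.get("organizationName") and fields.get("countryName"):
        return "OV"
    return "DV"

def normalise(text):
    """Case, punctuation and spacing differ between website, certificate and whois."""
    return re.sub(r"[^a-z0-9]+", " ", (text or "").lower()).strip()

def disagreement(label, values):
    """Return a problem string when the non-empty values from the sources differ."""
    seen = {src: normalise(v) for src, v in values.items() if v}
    if len(set(seen.values())) > 1:
        return f"{label} differs between sources: " + ", ".join(f"{s}={v}" for s, v in seen.items())
    return None

def cross_check(website, cert_fields, whois):
    """Step 3: all three sources should name the same business, town and company number."""
    problems = []
    if not website.get("address"):
        problems.append("website gives no geographic address")
    if NON_TRADING.search(whois.get("registrant_type", "")):
        problems.append("domain is registered to a non-trading individual")
    if not whois.get("address"):
        problems.append("registrant address withheld from the public whois listing")
    for label, values in (
        ("organisation", {"website": website.get("name"), "certificate": cert_fields.get("organizationName"), "whois": whois.get("name")}),
        ("town", {"website": website.get("town"), "certificate": cert_fields.get("localityName"), "whois": whois.get("town")}),
        ("company number", {"website": website.get("company_number"), "certificate": cert_fields.get("serialNumber"), "whois": whois.get("company_number")}),
    ):
        problem = disagreement(label, values)
        if problem:
            problems.append(problem)
    return problems

if __name__ == "__main__":
    fields = subject_fields(SAMPLE_CERT)
    print("hostname matches:", hostname_matches(SAMPLE_CERT, "shop.example.co.uk"))
    print("validation level:", validation_level(fields))
    for problem in cross_check(SAMPLE_WEBSITE, fields, SAMPLE_WHOIS):
        print("PROBLEM:", problem)
```

Run against the constructed data it reports one problem: the website and the certificate say Bristol but the domain registrant says Bolton, which is exactly the call-and-ask case. A whois record marked “Non-trading Individual” with the address withheld produces two more problems, and the script deliberately reports every mismatch rather than stopping at the first so you can see whether it is one odd field or a completely different business.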

4. Buy Stuff and Check the Statements

All being well, I then buy stuff and check my credit card statement each month before I pay it. I think any web shop owner (or webmaster – I help some people with this sort of thing) should be taking care of the basics above. Do your shops measure up?

Despite the above checks, I can only remember not buying something online once in the last year. A couple of times, I’ve worked through the above steps and it’s changed which shop I bought from – and I’m pretty sure it saved me from losing £400 on one purchase.

This entry was posted in Cooperatives.