
Security Tips For Safe Online Holiday Shopping

The annual American tradition of Black Friday shopping madness, with its irresistible deals and steep discounts for those willing to brave the crowds of the local shopping malls, has come and gone, but the rest of the mad shopping season is still going strong. These days, however, thanks to the wonder of the Internet, we can all experience the hustle and bustle of the mall from the comfort of our own homes. And to help keep your shopping experience authentic, there’s no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your Web browser, along with your credit card number.

In the spirit of safe and happy holidays, TidBITS presents our top tips for safe online shopping. Some of these tips also apply to the real world for those of you who just can’t resist the mall. (For your Windows-using friends and family I have a non-Mac version of this article available at my security blog).

Buy Safely With New Payment Options — Consumers have a number of relatively new options to protect their credit cards and bank accounts when shopping online. I recommend you use a dedicated credit card, temporary credit card number, or PayPal account for holiday shopping.

The most basic option is to pick your credit card with the lowest limit and use it exclusively for holiday shopping. Choose one you can monitor online, and check the activity at least weekly through the holidays. Make sure your chosen card isn’t also a debit card, since debit cards don’t have the same fraud protections as credit cards, and you may be responsible for fraudulent charges. While you can always dispute a credit card charge, only some banks, on some accounts, allow you to dispute debit card charges (even if your card has a Visa or MasterCard logo on it).

To keep your card statement simple, turn off any automatic payments so you can dispute any spurious charges before making a payment. Keep tracking activity at least monthly after the holidays are over, and consider canceling the card if you notice any unusual charges that you can’t account for, even if they are low dollar amounts (a technique bad guys use to test for valid cards and people who aren’t paying attention). Save all email receipts for online purchases in a mail folder, since they’re extremely helpful when trying to remember what you might have ordered for $25.92 on November 30th.

I recommend you restrict your credit card use to major online retailers, and for smaller shops instead use either a PayPal debit account or temporary credit card. While you might get a better deal from, many smaller retailers don’t have security as strong as their bigger brethren. Those hosted or selling through a major service are usually safe, but few consumers really want to check the pedigree for specialty shops.

One approach is to create a dedicated PayPal account that’s not linked to any of your bank accounts or credit cards. You can pre-fund it via bank transfer with as much cash as you think you need and use it for online payments where you’re a bit dubious about the retailer. In the absolute worst case, you would lose only what’s in that account, and you can easily cancel it anytime.

Another option, depending on your credit card company, is a temporary credit card number for online shopping. These are disposable card numbers you generate yourself using your card issuer’s Web site, and they can’t be used again or leveraged to run up your account. Charges still appear on the same bill, and are tied to your main credit card account. Check with your credit card company to see if they offer this service, but most of the major card issuers do. I like temporary credit card numbers better than account passwords (such as Verified by Visa and Mastercard SecureCode) since they work everywhere, and you don’t have to worry about anyone sniffing them. Two examples are ShopSafe by Bank of America, and Virtual Account Numbers from Citibank.

Avoid Email Fraud — In the security industry we always see a rise in online fraud during the holidays, but there seems to be a larger spike this year as the bad guys try to take advantage of the economic downturn.

The first rule of Internet security applies here: if an email message relates to anything financial, don’t click links in it. Period. And if the message is a retail offer, be very cautious. It doesn’t matter if your best friend has seemingly sent you a really good deal in email. It doesn’t matter if it’s your favorite retailer and you’ve always gotten email offers from them. No special offers. No eBay member-to-member email messages. No “fraud alerts” to check your account.

Attackers are increasingly refining their phishing attacks, some of which are very hard to distinguish from legitimate email messages. When you see an interesting offer in email, and it’s a business you want to deal with, just open your Web browser, type in the company’s URL manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud and this year will be no different.

I also recommend you use an email account with a service provider that offers spam filtering (it’s built into MobileMe, Gmail, Yahoo! Mail, and Hotmail). These block most spam and phishing attempts before the messages even hit your inbox. If you have email accounts with providers that don’t filter, you should also look at C-Command Software’s excellent SpamSieve. Even though all my email accounts are filtered by my service providers and Apple Mail has decent filtering too, I still use SpamSieve to catch those last stragglers. Despite multiple public email addresses, I see only about one to three junk messages per day on even my most-attacked accounts.

Protect Your Web Browser — Caution in email is great, but the primary avenue of attack is through your Web browser. You can reduce your vulnerability with some easy steps.

First, make sure your Web browser is updated to the latest version and turn on the highest security settings. For Safari 3.2, the two main security options in Preferences are Block Pop-up Windows and the new Warn When Visiting A Fraudulent Website. (For more information on how this works, see my article “Are Safari’s New Anti-Phishing Features Useful?” 2008-11-18).

Over the past few months, we’ve seen significant updates of all the major Web browsers to include enhanced security features. Since the Safari update last week, all major browsers now include features to help detect fraudulent sites – if you see such a warning, quit the browser immediately and don’t go back to that site.

All these browsers also prompt you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it’s a fraud or they don’t deserve your business. Pay particular attention to plug-ins purportedly for watching video or playing free games unless you know you can trust the site (both types of plug-ins are recent vectors for Mac trojans). Most browsers now enable security features by default, so I won’t provide detailed instructions here.

You can also install the NoScript plug-in for Firefox. This is a free plug-in that blocks anything from running in your browser that you don’t manually allow (like JavaScript, Flash, and so on). You won’t need it if you just stick with major sites like, but if you use Google to help you find a too-good-to-be-true deal on a Drink-With-Me Elmo doll, you shouldn’t be surfing the Internet without it. If you don’t want NoScript bothering you all the time, at least use it during your holiday shopping and turn it off later.

These simple steps won’t stop all fraud, but will significantly reduce both the chance that you’ll be a victim and the damage if you are. Good luck, and safe shopping!
