Avoiding Identity Theft: 10 Tips for Online Holiday Shoppers

computer keyboard with a 2015 key and a gift key.
(Image credit: Tatiana Popova / Shutterstock.com)

Shopping online this holiday season could leave you with your identity stolen, or at least an expensive surprise when a thief charges a ticket to Fiji on your credit card. Swearing off online shopping isn't necessary, though. You just need some simple steps to protect yourself from online fraud, which ticks up this time of year as more people shop.

"There's always a big spike [in fraud] around the holidays," Paige Hanson, chief of identity education at LifeLock, an identity-protection services firm, told Live Science.

And online seems the place to be for fraudsters: Chris Uriarte, chief strategy and payments officer at Vesta, a fraud-detection firm, said more fraud has moved online because U.S. credit card companies have switched from magnetic strips to chip-equipped cards. [7 Ways to Lock Down Your Online Privacy]

"It used to be you could counterfeit them by copying the magnetic strip," Uriarte said. "You could get a machine online to do it for $50." The chips make counterfeiting cards much harder, Uriarte said. This situation gives more incentive for online fraud, which doesn't require the physical card.

Stealing identities and taking others' credit cards are the most common types of fraud. The U.S. Department of Justice, via its Bureau of Justice Statistics, reported that in 2014 some 17.6 million people experienced some form of identity theft, and that most of that involved bank accounts (38 percent of the time) or credit card accounts (42 percent).

Two out of three identity theft victims lost money, either directly or indirectly (as when a fraudster opens up an account I their name). The average amount lost was $1,341, with a median of $300. The Department of Justice report notes that most people find out about fraud when their financial institution calls.

Scams called "fast fraud," which take advantage of shoppers' desire for speedy delivery, may drive a larger portion of fraudulent transactions, according to a report by Vesta.  When Amazon wants to deliver something in hours, there may not be time to vet the accounts or check that someone actually ordered something, the report said. Meanwhile, the fraudster gets the goods delivered, and sells them on the secondary market.

So here are a few common-sense tips to make your online shopping a little safer:

1. Strong passwords and phrases

Using a hack-free password may sound elementary. Many people, however, continue to use passwords that are too easy for attackers to figure out. According to security firm SplashData, which makes password-management software, the most popular passwords in 2014 were "123456," "password" and "12345." Guessing those requires no knowledge on the part of the hacker. [The 10 Best Mobile Password Managers]

Hackers guess most passwords, in fact, using dictionary attacks and "rainbow tables." A dictionary attack just uses words from the dictionary (ordered by how commonly they occur as passwords). A rainbow table is a dictionary that's been "hashed," the words run through an algorithm to scramble them. The hacker uses the table of words to guess a password. (Brute-force attacks, which go through the entire set of possibilities on the keyboard, are a lot more sophisticated than what the average thief will try.)

To make a strong password, use some special characters, numbers or, better yet, a phrase. Phrases like "Iamthegr8est" are harder for a dictionary attack to break. Also, using different passwords for different sites is never a bad idea. For some people, this can be daunting, but there are apps that exist to manage the passwords, and as an added bonus, they can generate random passwords that no hacker is likely to hit upon. Morgan Slain, CEO of SplashData, noted that one should never assume the data on any site is safe. "Any site will be hacked," Slain said. So don't leave all of your accounts open to a single password, he said.

2. Two keys

Hanson noted another good thing to have is 2-factor authentication. This is when a site sends a text to your phone to verify that it is in fact you logging in, on the assumption that a fraudster is less likely to have both a computer and your phone at once.

3. Beware of free Wi-Fi

Sometimes you're sitting in the coffee shop, and you think, "Now would be a good time to get that gift for someone." Don't do it. Unsecured Wi-Fi networks are vulnerable to people listening in. A fraudster can just let his or her computer gather up all the data flying around the room, and sort out the usernames and passwords later. If you're going to shop online, do it from a password-protected network. "A lot of people connect to Wi-Fi and don't think anything of it," Hanson said. "Every single thing that you type is vulnerable." [11 Cool Christmas Gifts for Geeks]

4. Don't be phish bait

Most people think they aren't vulnerable to phishing scams since they'd never get fooled into believing some Nigerian prince needs their help to move money. But sometimes an email can look like it's from a trusted company or bank. Many people don't check before they click the links, or they send back whatever information the institution asks for without first requesting more detail, said Hanson. "Sometimes you get an email that says 'we'd like to expedite something, click here,'" she said. Remember that emails from major retailers or banks never ask for personal information or passwords. And when in doubt, call.

5. False friends

Scammers often take advantage of the clumsy typing skills of the average person, or the fact that few people pay close attention to the Web address of a site they are shopping on. For example, Amazon's Amazon Payments site is hosted only on certain domains— and no others. If you see an email or are directed to a website where the Web address looks close, but doesn't match, then it's likely a fraud, and your information could be at risk.

6. Look for the lock

On browsers such as Firefox and Safari, there's a small lock icon next to the site address, and the "https" on the address bar. The lock shows whether the connection to the site is encrypted. If you don't see the lock, it's probably not a good idea to send any credit card information over that link.

7. Credit cards, not debit cards

Sometimes it may seem like a good idea to use a debit card, because the money comes right out of an account and keeps you honest — no running up huge debts. However, credit and debit cards have different rules. Generally, it's easier to get your money back (called a charge-back) from a credit card if you get scammed and a thief uses the card. It tends to be harder to do the same on debit cards, if they offer such protection at all.Uriarte noted that most credit cardsoffer some way to dispute and resolve fraudulent charges, and the actual customer liability for those is zero.

Slain suggested another strategy: Use gift cards. That way, you need not enter your personal information on a site, and you know that there's a preset amount of money on the card. "Most of the time, we think of them as gifts for other people," he said. "But they are really good for this."

8. Speaking of gift cards

Uriarte noted, however, that gift cards aren't a panacea. There's an active online market for fake cards. A customer will see a deal on old gift cards for major retailers, and buy the cards, only to find that they are fake and a scammer has made off with the money. Though the secondary market for gift cards is legitimate, it's probably a good idea to either buy gift cards directly from the retailer or to verify that the seller is legit. Lack of a contact info and no presence online other than the selling site are reasons to be suspicious. 

9. Check your statements

Checking your bank statements more often is never a bad idea, but doing so during the shopping season is even more important, Slain noted. That way, it's easier to spot transactions that aren't yours. Even better, sign up for the alerts that the credit card company will send, either by email or to your phone, whenever a purchase is made. This is a good way to guard against the fraud that happens when thieves buy blocks of credit card numbers online, because the only way to know if yours is among them is when it is used. This way you'd know when that happens and can call the credit card issuer right away.

10. Prepare your phone

Many mobile devices have passwords stored in the apps that allow for in-app purchases. So it's a good idea to opt in to services that let you wipe your phone remotely. That way, you can delete any information you don't want left out in the open.

Follow us @livescience, Facebook & Google+. Original article on Live Science.

Jesse Emspak
Live Science Contributor
Jesse Emspak is a contributing writer for Live Science, Space.com and Toms Guide. He focuses on physics, human health and general science. Jesse has a Master of Arts from the University of California, Berkeley School of Journalism, and a Bachelor of Arts from the University of Rochester. Jesse spent years covering finance and cut his teeth at local newspapers, working local politics and police beats. Jesse likes to stay active and holds a third degree black belt in Karate, which just means he now knows how much he has to learn.