Home
Products
Download
Ordering
Support
About Shareware
About KMR Consulting
Contacting Us
Links
Logo

Credit Cards, the Internet, and PayPal

It is interesting that people who are nervous about sending their credit card numbers over the Internet will gladly charge something in a store and sign their name on an electronic screen. (Think of the possibility for fraud: the store has your credit card number AND an electronic version of your signature! In principle, they could use these to create any number of fake transactions and charge them to your account.)

So is it safe to use your credit card to order merchandise over the Internet or not? Here is some information you may find useful.

Credit card risks

Sending your credit card number over the Internet exposes you to three types of risks.

  1. Someone who is watching Internet traffic may see your account number as it goes by and use it to buy stuff for themselves.
  2. You don't really know who you're sending your account number to.
  3. Someone might break into my computer and steal your credit card number.

Let's look at each of these risks more closely.

Risk 1: Internet security

This problem is eliminated by using what is called a secure server. Before entering your credit card number, check the web address for the page to ensure that it starts with https:. Many web browsers also show a little padlock symbol ( or ) when this is true. This indicates that you're connected to a secure web site--your browser encrypts your account number (and everything else) before sending it, so even if someone is able to view Internet traffic, the account number is indecipherable.

The real danger of buying things with a credit card over the Internet is actually ...

Risk 2: Verifying authenticity

If you go to a store, you can be reasonably sure that the company is legitimate. The expense of the building, the inventory you can see and touch, the people working there, the fact that they were there last month and the year before; these are all indications that the company is for real. You feel comfortable handing your credit card to the clerk in the store because you expect that employees of a real company will behave ethically.

But suppose you get a catalog in the mail from some outfit you've never heard of. Can you really be sure that the company exists? You can call their 800 number (if they have one), but that doesn't prove anything--a rip-off artist will tell you exactly what you want to hear, whether or not it is the truth. The catalog itself is the only evidence you have that the company is legitimate, so sending your credit card number to a mail order firm involves more risk than shopping at a store.

Internet stores are even riskier than mail order companies. It is easy (and cheap) to set up an Internet site that offers goods for sale. Rip-off artists can create a web site that looks just as real, and offers just as many products, as legitimate businesses. You can't tell whether the company is for real just by looking at their web site--everything you see might be made up.

Knowing this, why would anyone order anything over the Internet? The fact is that the vast majority of businesses are legitimate. Nevertheless, you can reduce the odds of being victimized by verifying the company independently before placing an order. (This applies to mail-order catalog companies, too.) Asking the company itself for references doesn't prove anything--the "references" may be part of the scam. Instead, call the Better Business Bureau and the Attorney General of the state in which the business resides to see if anyone has complained about it.

So is KMR Consulting (and this web site) for real? The answer is yes, but you shouldn't believe it just because this web page says so. Verify it for yourself: call the Colorado Attorney General (720-508-6000) and ask if anyone has complained about us. Colorado also has a "Consumer Complaint Line" (800-222-4444) you can call and ask the same question. Call the Better Business Bureau in Northern Colorado (800-564-0371) and ask them. Go to www.whois.net and you can look up my domain name "kmrconsulting.com" and see that it was established on 12/3/1998 (though I have been in business since 1994).

If you're still nervous about placing an order from me, consider this: you already have the product! A huckster after an easy buck is going to offer a product that doesn't exist, hoping to entice you to send money. With shareware companies, you know the product exists because you can download it and try it. This is pretty convincing evidence that the company is for real; much more convincing than seeing slick pictures of products in a catalog.

Risk 3: My computer security

In January of 2000 someone broke into a computer at an on-line company and stole hundreds of thousands of credit card numbers. This made big news, partly because the crook tried to extort money from the credit card companies. In the years since, similar breakins have happened again and again.

This cannot happen to KMR Consulting because your credit card number isn't on my computer. Our payment processor, Paddle, handles the transaction through their secure web site and I never even see your credit card information. Crooks aren't tempted to break into my computer because what they want simply isn't there.

By the way, if you want to see whether your computer is vulnerable to Internet hackers, I highly recommend visiting Gibson Research Corporation's web site. Click the "Shields UP!" logo for a free analysis of your system.

Wait a minute--I'm sure I heard that there was some problem with PayPal. Could your payment processor also be vulnerable?

You're thinking of something called phishing (pronounced "fishing"). Phishing is where a hacker sends you an email that looks like it came from your bank (or your brokerage company, your credit card company, etc.) claiming that there is a problem with your account and asking you to log on to fix it. The email includes a link--clicking this takes you to a web page that looks exactly like your bank's login page, but it isn't. When you enter your account name and password, it goes directly to the hacker who then signs on to your account and drains it. Basically, any account that contains money and can be accessed over the Internet is a target for phishing attacks.

How can I protect myself against phishing?

It is extremely important to be able to recognize phishing emails so you won't be victimized by them.

Fortunately, this is easy to do. Watch out for email that:

  • claims to come from your bank, credit card company, etc.
  • may include official-looking logos and other graphics from this company.
  • may contain grammatical errors or misspelled words (look closely!).
  • you may have gotten several identical or nearly identical copies of.
  • states that there is some problem with your account, or that you must change your password, or some other reason to get you to log into your account.
  • includes a link to click that will take you to your account.

Now here's the important part:

  • If you click the link, the URL in your browser's address bar is different than what the link said.

NEVER, EVER CLICK THE LINK in such an email message! It will not take you to your account! The page you'll see may look identical to the legitimate login page, but if you enter your account and password you'll be sending it directly to a hacker.

Banks and credit card companies never send emails like this! If you think the email might be legitimate, call the company and ask to speak with a representative. But be sure to use the phone number printed on your statement or your credit card, not a phone number from the suspicious email itself.

What should I do if I think I've been phished?

Suppose you get one of these emails and, without thinking, you click on the link and enter your account and password. What should you do?

  1. DO THESE STEPS IMMEDIATELY--DO NOT WAIT!
  2. Quit your browser, and then start it up again.
  3. Go to the web site for the company mentioned in the email, but type the web link (URL) directly into your browser--do not use the link in the email.
  4. Log onto your account and change the password.
  5. Call the company in question, speak with a person, and tell them what has happened. They may give you additional steps you can follow to protect your account.

Was this web page helpful to you? Did you find what you were looking for? Give us your feedback.
This web site and all contents Copyright © 1999-2022 KMR Consulting