08.20.08

You Can Only Know So Many, So Be Choosy

Posted in Uncategorized at 3:37 by lnxwalt

I am “the tech guy” at work, so I get asked pretty regularly how someone can know whether an online merchant is trustworthy. And honestly, I have found that you cannot know that any particular merchant is trustworthy in the absence of someone you trust reporting their experiences with a company.

First, let me tell you what you should not trust, or at least not very much.

  • If the site is encrypted and “secure”, all that means is that it will not be easy for someone to steal your information as it transfers to the site–it says nothing about what happens once the information gets there.
  • Those seals of approval that say a site is “hacker-proof” mean nothing, because online vandals could suddenly find an undiscovered flaw at any time.
  • The green highlighting on the address bar on certain encrypted sites is also deceptive. It means that the site owner went through some additional identity verification. But all identity tells you is whom you are dealing with. It says nothing about whether that individual or organization is honest or deceptive, nor does it tell you how well the site is safeguarded against tricks that could leave you unintentionally sending your information to some organized crime ring.
  • Likewise, when an encrypted site doesn’t use a security certificate vendor that your browser company approves of, you’ll get warnings that the certificate is invalid or could not be verified. Sometimes invalid is invalid–perhaps the certificate is expired or revoked–and sometimes invalid is quite valid, such as https://mail.yahoo.com/, which gives an error because the certificate is for https://login.yahoo.com/. Sometimes, you will get an error because the site’s owner signed the site’s certificate themselves. This is similar to people who are born in certain areas or time periods when reliable records are not available, using witness testimony, family Bibles, and church records to verify their identities. (If you don’t see it yet, all that a state-issued identification card does is say that the state agrees that the witnesses [such as the doctor that signed your birth certificate] are reliable. Similarly, a certificate signed by one of the major certificate companies merely says that they say your site’s identification documents are reliable based on the testimony of the site owner.)
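To make the different kinds of "invalid" in the last point concrete, here is a small sketch that sorts certificate warnings by cause. It is an example added here, not code from this post, and it is a simplified model: the certificate records, the issuer name "Example Root CA", the serial numbers and shop.example are all constructed, and a real browser also verifies the signature chain.

```python
from datetime import datetime, timezone

# Constructed trust store: names of issuers this toy "browser" approves of.
TRUSTED_ISSUERS = {"Example Root CA"}
# Constructed revocation list, keyed by certificate serial number.
REVOKED_SERIALS = {"0xBAD"}

def host_matches(pattern, host):
    """Compare a certificate DNS name with the requested host.
    A leading '*' stands for exactly one label (*.example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def warning_reasons(cert, host, now):
    """List why a browser would warn; an empty list means no warning.
    Simplified model: real validation also verifies the signature chain."""
    reasons = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        reasons.append("outside-validity-period")
    if cert["serial"] in REVOKED_SERIALS:
        reasons.append("revoked")
    if not any(host_matches(n, host) for n in cert["dns_names"]):
        reasons.append("name-mismatch")
    if cert["issuer"] not in TRUSTED_ISSUERS:
        self_signed = cert["issuer"] == cert["subject"]
        reasons.append("self-signed" if self_signed else "unknown-issuer")
    return reasons

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed certificate metadata (not real certificates).
NOW = utc(2008, 8, 20)
LOGIN = {"subject": "login.yahoo.com", "issuer": "Example Root CA", "serial": "0x01",
         "dns_names": ["login.yahoo.com"],
         "not_before": utc(2008, 1, 1), "not_after": utc(2009, 1, 1)}
SELF = {"subject": "shop.example", "issuer": "shop.example", "serial": "0x02",
        "dns_names": ["shop.example"],
        "not_before": utc(2008, 1, 1), "not_after": utc(2009, 1, 1)}
EXPIRED = dict(LOGIN, serial="0x03", not_after=utc(2008, 6, 1))

if __name__ == "__main__":
    for label, cert, host in [("login", LOGIN, "login.yahoo.com"), ("mail", LOGIN, "mail.yahoo.com"),
                              ("self-signed", SELF, "shop.example"), ("expired", EXPIRED, "login.yahoo.com")]:
        print(label, warning_reasons(cert, host, NOW))
```

Every reason in that list is about dates, names, or who vouched for the certificate; none of them measures whether the site's owner is honest.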

But this is not intended to scare you. I just do not want you to be deceived into thinking that, just because your address bar turns gold or green, you can trust that site with your money or your private information.

In a way, it is similar to conducting business over the telephone. Unless you have personally met someone and spoken with them long enough to reliably recognize the person’s voice, conducting any financial transaction over the telephone is inherently dangerous. You really have no way to know whom you are talking to. And so, you should be at least as careful about whom you give financial or personal information to when you are on a telephone call as you are on the Web.

Which brings me to the point. I do not do business with unknown parties without some kind of personal recommendation. I do not buy a lot of things online, because there are very few organizations that I trust with my information. I do not buy anything over the phone for the same reason. In general, I walk into a retail location to purchase whatever I am getting. If I’m in an area long enough, I get to have a feeling about which of the locally-owned businesses are worthy of trust. Sometimes, I misjudge, as will you. Which is why I try to err on the side of caution.

You can only know a certain number of companies, as to whether they are reliable or trustworthy. For others, you can either throw caution to the wind or you can choose to avoid them. We all do both, based on some inner (and probably unconscious) self-preservation system. We do, however, have to choose where the balance lies. In non-personal, electronic transactions, we have no way to “sense” where the balance should be. We have to think about things and try to overrule our emotions in this area.

With online transactions, though, we have a kind of trusted recommender. You do not have to give your credit card information directly to Joe’s Fertilizer Factory–you can conduct the transaction using PayPal, Google’s Checkout, or one of several other payment intermediaries. Many of these have anti-fraud protections built into the service. I recommend that you look for PayPal or Checkout on every site you choose to do business with. In this way, you can have a small number of trusted partners who help you to do business with hundreds of other businesses.

If you operate an online business and you are not using PayPal and Checkout, why not? You are losing out on potential sales. Because both vendors have the trust of the general public, they tend to calm prepurchase anxiety. Also, they offer some protection to your business–no more worries about fraudulent credit purchases.